A brief intro to compliance and the Azure platform: an overview of the tools available on Azure, such as Policies and Blueprints, followed by a demo of the Azure DevOps Kit (the azsk PowerShell module) for continuously assuring your compliance.
2. @ebrucucen 2019/02/11
WHO AM I?
▸ DevOps Consultant at Contino; spent 11 of 16 years of my career consulting for financial institutions, delivering applications/platforms: Banksoft, AXA, BUPA, Investec, VanquisBank, LloydsBank
▸ Lifetime student, with more questions than answers; developer at heart, loves APIs, automation, cloud/hybrid solutions; vegan, mum…
3.
AGENDA
PART I
1. Compliance
2. Compliance On Azure
‣ Data Sources
‣ Metrics/Logs
‣ Monitoring
‣ Log Analytics
PART II
3. Governance on Azure
‣ Security Center
‣ BluePrints
4. AzSK
‣ CI/CD
‣ Customize
4.
THIS TALK IS NOT
▸ By a security expert
  ‣ a personal experience/battles with the Operations/Security/Risk teams
▸ About saving money
  ‣ almost every solution will incur cost
6.
COMPLIANCE CHALLENGES
▸ Data Protection Compliance
▸ Risk assessment, auditing, operations, technology
▸ Industrial regulations and standards <> tech knowledge
▸ Multi-device/cloud/
▸ Cost:
  ‣ >200 updates from 750 regulatory bodies
  ‣ 32% of companies spend >4h/w to create/amend reports
Human effort required for organisational compliance
7.
COMPLIANCE ON CLOUD?
▸ Azure complies with the Shared Responsibility Model
▸ Azure: “MORE CERTIFICATIONS THAN ANY OTHER CLOUD PROVIDER”
8.
AZURE SUPPORT
▸ Documents
▸ Audit Reports
▸ Data Protection Guides
▸ Azure Security and Compliance Blueprints
https://servicetrust.microsoft.com/ViewPage/BlueprintOverview
http://aka.ms/pciblueprint
https://docs.microsoft.com/en-us/azure/security/blueprints/pcidss-paaswa-overview#compliance-documentation
Blueprint families:
  ‣ Government Blueprints: FedRAMP, UK OFFICIAL, NIST SP 800-171, AU-PROTECTED
  ‣ Additional Frameworks
  ‣ Finance Blueprints: FFIEC, PCI-DSS
  ‣ Healthcare Blueprints: HIPAA / HITRUST, UK NHS
  ‣ Retail Blueprints: PCI-DSS
Each blueprint includes: Overview, Customer Responsibility Matrix, Reference Architecture, Implementation Matrix, Threat Model
Workload variants: Data Analytics / Data Warehouse / IaaS / PaaS
12.
DATA SOURCES - METRICS
▸ Are collected at regular intervals
  ‣ One minute by default
▸ Unique: Category = Metric + Namespace
▸ Stored for 93 days
▸ Multi-dimensional
▸ Properties [up to 10]
  ‣ Resource
  ‣ Type of Measurement
  ‣ Value
  ‣ Time
13.
DATA SOURCES - LOGS
▸ Properties
  ‣ Irregular
  ‣ Stored for x days
  ‣ Metrics -> Logs
▸ Types
  ‣ Control/Management Plane
  ‣ Data Plane
  ‣ Processed Events
14.
[Diagram: Azure Monitor data sources, by tier]
▸ Application: Application Insights
▸ Guest OS: Diagnostics Extension, Log Analytics Agent, Dependency Agent
▸ Azure Resources: Metrics, Diagnostic Logs
▸ Azure Subscription: Activity Logs, Service Health
▸ Azure Tenant: Audit Logs
▸ Custom API: Data Collector API
▸ Also shown: Monitoring Solutions, Non-Azure sources, Service Configuration
15.
AZURE AD LOGS
▸ Editions: Basic, Free, Premium P1, Premium P2
▸ Diagnostics Settings
  ‣ Audit Logs
  ‣ Sign-in Logs (PP2)
▸ Security Signals (opt-in IPC)
  ‣ Users at risk
  ‣ Risky sign-ins
▸ Activity data is available 2 hours after turning on reporting
▸ 30 days of retention for reports (PP1/PP2)
▸ 30/90 days of retention for security signals (PP1/PP2)
22.
ALERTS (NEW)
▸ Low latency (min 1 min interval)
▸ Control over metric condition
▸ Combined monitoring of multiple metrics
▸ Modular notification system
▸ Tip: Unify your alert/sampling intervals for sanity
37.
RESOURCE GRAPH
FIRST 5 VM OS TYPES: (KUSTO QUERY*)
where type =~ 'Microsoft.Compute/virtualMachines'
| project name, properties.storageProfile.osDisk.osType
| top 5 by name desc
ALL TAG NAMES: (POWERSHELL)
Search-AzGraph -Query "project tags | summarize buildschema(tags)"
ALL VM PUBLIC IPS: (AZ CLI)
# Use Resource Graph to get the first NIC id of every VM and store the ids in 'nics.txt'
az graph query -q "where type =~ 'Microsoft.Compute/virtualMachines' | project nic = tostring(properties['networkProfile']['networkInterfaces'][0]['id']) | where isnotempty(nic) | distinct nic | limit 20" --output table | tail -n +3 > nics.txt
# Review the output of the query stored in 'nics.txt'
cat nics.txt
# Use Resource Graph with the 'nics.txt' file to get the related public IP address resource ids and store them in 'ips.txt'
az graph query -q="where type =~ 'Microsoft.Network/networkInterfaces' | where id in ('$(awk -vORS="','" '{print $0}' nics.txt | sed 's/,$//')') | project publicIp = tostring(properties['ipConfigurations'][0]['properties']['publicIPAddress']['id']) | where isnotempty(publicIp) | distinct publicIp" --output table | tail -n +3 > ips.txt
# Review the output of the query stored in 'ips.txt'
cat ips.txt
# Use Resource Graph with the 'ips.txt' file to get the IP address of each public IP address resource
az graph query -q="where type =~ 'Microsoft.Network/publicIPAddresses' | where id in ('$(awk -vORS="','" '{print $0}' ips.txt | sed 's/,$//')') | project ip = tostring(properties['ipAddress']) | where isnotempty(ip) | distinct ip" --output table
* https://docs.microsoft.com/en-us/azure/kusto/query/index
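As an added example (not from the slides or from Microsoft's docs), the VM-to-NIC-to-public-IP join that the three chained az CLI calls above perform, done offline in Python over constructed rows shaped like `az graph query --output json` output; the subscription, resource names, RID prefix and the 192.0.2.10 address are made up, and the function also handles the cases the slide's `isnotempty()` filters silently drop (a VM with no NIC, a NIC with no public IP, a public IP with no allocated address).

```python
import json

RID = "/subscriptions/x/resourceGroups/rg/providers/Microsoft.Network/"
VM, NIC, PIP = ("microsoft.compute/virtualmachines", "microsoft.network/networkinterfaces",
                "microsoft.network/publicipaddresses")

# Constructed rows shaped like 'az graph query --output json' output, trimmed to the
# properties the slide's three queries project (made-up subscription, names and IP).
SAMPLE_ROWS = json.dumps([
    {"type": "microsoft.compute/virtualMachines", "name": "web01", "properties":
     {"networkProfile": {"networkInterfaces": [{"id": RID + "networkInterfaces/web01-nic"}]}}},
    {"type": "microsoft.compute/virtualMachines", "name": "db01", "properties":
     {"networkProfile": {"networkInterfaces": [{"id": RID + "networkInterfaces/db01-nic"}]}}},
    {"type": "microsoft.compute/virtualMachines", "name": "stopped01", "properties":
     {"networkProfile": {"networkInterfaces": []}}},  # no NIC: dropped by isnotempty(nic)
    # ARM ids are case-insensitive and a reference is not always cased like the resource
    {"type": "microsoft.network/networkInterfaces", "properties": {"ipConfigurations":
     [{"properties": {"publicIPAddress": {"id": RID + "publicIPAddresses/web01-pip"}}}]},
     "id": (RID + "networkInterfaces/web01-nic").lower()},
    {"type": "microsoft.network/networkInterfaces", "id": RID + "networkInterfaces/db01-nic",
     "properties": {"ipConfigurations": [{"properties": {}}]}},  # private address only
    {"type": "microsoft.network/publicIPAddresses", "id": RID + "publicIPAddresses/web01-pip",
     "properties": {"ipAddress": "192.0.2.10"}},
])

def vm_public_ips(rows):
    """Return {vm_name: ip} for VMs whose first NIC carries an allocated public IP."""
    vm_nic, nic_pip, pip_addr = {}, {}, {}
    for r in rows:
        rtype, props = r.get("type", "").lower(), r.get("properties", {})  # =~ is case-insensitive
        if rtype == VM:
            nics = props.get("networkProfile", {}).get("networkInterfaces", [])
            if nics and nics[0].get("id"):  # tostring(...[0]['id']) + isnotempty(nic)
                vm_nic[r["name"]] = nics[0]["id"].lower()
        elif rtype == NIC:
            cfgs = props.get("ipConfigurations", [])
            pip = cfgs[0].get("properties", {}).get("publicIPAddress", {}).get("id") if cfgs else None
            if pip:
                nic_pip[r["id"].lower()] = pip.lower()
        elif rtype == PIP and props.get("ipAddress"):  # a dynamic IP has no address while deallocated
            pip_addr[r["id"].lower()] = props["ipAddress"]
    # the join the slide performs with two 'where id in (...)' round-trips to Resource Graph
    return {vm: pip_addr[nic_pip[nic]] for vm, nic in vm_nic.items()
            if nic in nic_pip and nic_pip[nic] in pip_addr}

def exposed_vms():
    """Run the join over the constructed rows; expect {'web01': '192.0.2.10'}."""
    return vm_public_ips(json.loads(SAMPLE_ROWS))
```

The resulting map is the list of internet-reachable VMs worth checking against the "Disable RDP/SSH to VMs" item later in the deck.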
55.
EXTRAS: WEB APP - BEST PRACTICES
▸ Use Certs
▸ Authenticate users (with)
▸ Advanced auth
▸ Configure TLS mutual auth
▸ Managed Identity
▸ Reference secrets from Key Vault
▸ Restrict IPs
▸ Turn on Web Server/Application Logging
▸ Automate Backups
https://docs.microsoft.com/en-us/azure/app-service/web-sites-purchase-ssl-web-site
56.
EXTRAS: HARDENING VM
▸ Control VM access
▸ Reduce variability in your setup and deployment of VMs
▸ Secure privileged access
▸ Use multiple VMs for better availability
▸ Protect against malware
▸ Keep VMs current
▸ Deploy and test a backup solution
▸ Encrypt your virtual hard disk files
https://docs.microsoft.com/en-us/azure/security/azure-security-iaas
57.
EXTRAS: HARDENING IDENTITY MANAGEMENT
Protect privileged accounts with MFA
1. Strengthen your credentials.
2. Reduce your attack surface area.
3. Automate threat response.
4. Increase your awareness of auditing and monitoring.
5. Enable more predictable and complete end-user security with self-help.
https://docs.microsoft.com/en-us/azure/security/azure-ad-secure-steps
58.
EXTRAS: IDENTITY MANAGEMENT BEST PRACTICES
1. Treat Identity as the primary security perimeter
2. Centralise Identity Management
3. Enable SSO
4. Turn on Conditional Access
5. Enforce MFA
6. Use RBAC
7. Lower exposure of privileged accounts (JIT, 2 EmergencyAccess)
8. Actively monitor for suspicious activities
59.
EXTRAS: NETWORK SECURITY BEST PRACTICES
1. Logically segment subnets
2. Control routing behaviour
3. Enable forced tunnelling
4. Use virtual network appliances
5. Deploy perimeter network for security zones
6. Avoid exposure to Internet with dedicated WAN links
7. Optimise uptime and performance
8. Disable RDP/SSH to VMs
60.
EXTRAS: THREAT MODELLING
Threat / Security property: Potential Azure platform mitigation
▸ Spoofing / Authentication: Require HTTPS connections.
▸ Tampering / Integrity: Validate SSL/TLS certificates. Applications that use SSL/TLS must fully verify the X.509 certificates of the entities they connect to. Use Azure Key Vault certificates to manage your X.509 certificates.
▸ Repudiation / Non-repudiation: Enable Azure monitoring and diagnostics.
▸ Information Disclosure / Confidentiality: Encrypt sensitive data at rest and in transit.
▸ Denial of Service / Availability: Monitor performance metrics for potential denial of service conditions. Implement connection filters. Azure DDoS protection combined with application design best practices provides defense against DDoS attacks.
▸ Elevation of Privilege / Authorization: Use Azure Active Directory Privileged Identity Management.
61.
REFERENCES - BOOKS
▸ Microsoft Azure Security Center
https://www.amazon.co.uk/Microsoft-Azure-Security-Center-Practices-ebook/dp/B07D5J97JV
▸ Pentesting Azure Applications
https://www.amazon.co.uk/Pentesting-Azure-Definitive-Attack-Defense/dp/1593278632
▸ Deep dive presentation:
https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1540308627.pdf
▸ AzSK:
https://github.com/azsk/DevOpsKit-docs
▸ Security White Papers
https://docs.microsoft.com/en-us/azure/security/security-white-papers
62.
REFERENCES - VIDEOS IGNITE/2018
BRK3062 - Architecting Security and Governance Across your Azure Subscriptions
THR2291 - Secure architecting for Azure
BRK2368 - Practical guide for using Azure Security Center to protect hybrid cloud environment
BRK3384 - Best practices for protecting modern cloud application architectures
BRK2021 - Azure security & management
THR3085 - The wizarding world of Microsoft CloudApp Security
GS008 - Microsoft security: How the cloud helps us all be more secure
63.
SO AS A SUMMARY
▸ Enable Security Center
▸ Enable all the logs you can
▸ Automate your policy management: think AzSK!
▸ Give AppDevs freedom on the ring-fenced cloud!