TechDays Finland 2020: Azuren tietoturva haltuun! (Take control of Azure security!)


Designing, building and operating Azure solutions securely is far from straightforward. There is such a vast oversupply of both available security controls and guidance that it is hard even to get started, let alone to apply best practices.

This challenge is not made any easier by the fact that the existing security expertise in organizations is rarely located where agile digital applications are being built. How can we get the benefits out of Azure services if the worlds of digital applications and security requirements never meet?

In this session Karl walks through, in a hands-on way, the tools and processes used to protect Azure applications and infrastructure, from the drawing board all the way to production deployment. After the session, attendees will know the security controls available in Azure and their impact on security, development efficiency and cost. Attendees will also be able to apply what they have learned to update their own organization's security requirements for the Azure era.

Published in: Technology

  1. Azuren tietoturva haltuun (Take control of Azure security) – KARL OTS
  2. @fincooper The balance of enterprise cloud security
  3. How can we agree on cloud security policies that keep us both competitive & secure?
  4. Security in the cloud adoption journey: Cloud Strategy → Governance model → Security Guidelines (implementation guidelines, reference architecture)
  5. Key cloud security decisions: Access control, Monitoring, Azure platform security controls
  6. Key cloud security decisions (agenda repeated): Access control, Monitoring, Azure platform security controls
  7. Understanding Azure Role-Based Access Control: an RBAC assignment binds an Azure AD identity to a role at a scope
  8. Built-in roles: Contributor, Owner, User Access Administrator
  9. Reader
  10. Contributor
  11. RBAC Scope
      • Role-Based Access Control assignments are inherited!
      • Minimize Subscription-scope assignments
      • Prefer Resource Group assignments
  12. Authentication considerations
      • How does Azure access control relate to existing identity management processes?
      • Separate admin credentials?
      • Separate Azure AD, such as ContosoAzureAdmins.com?
      • What about B2B guests?
  13–15. Access control guidelines, sample (one table, built up over three slides)
      Role: Owner – Scope: Resource Group
        Impact: Access to create new resources and to delete resources from the Resource Group. Can assign access to the Resource Group.
        Recommendation: Users must have an account in Contoso's Azure Active Directory. The account should be provisioned per standard Admin user policies. This is the appropriate role when developing new services.
      Role: Contributor – Scope: Resource Group
        Impact: Access to create new resources and to delete resources from the Resource Group.
        Recommendation: Users must have an account in Contoso's Azure Active Directory. In case of external partners, the account should be provisioned per standard Contoso policies for external accounts. This is the appropriate partner RBAC role when developing new services.
      Role: Contributor – Scope: Individual resource(s) directly
        Impact: Access to edit and modify the resource. No access to create new resources.
        Recommendation: Appropriate partner RBAC role when the partner is responsible for operating and managing the service. Partner users may be invited as Azure AD B2B Guests to Contoso Azure AD.
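As an added example that is not part of Karl's slides, the Python script below models the two points made above: RBAC assignments are inherited down the scope hierarchy (subscription → resource group → resource, never upward), and the sample guideline keeps Owner and Contributor at Resource Group or resource scope, with Owner reserved for accounts in the organisation's own Azure AD. The assignment records, the subscription id, the resource names and the `guest` flag (standing in for Azure AD B2B guest status) are all constructed for the example.

```python
"""Added example (not from the TechDays slides): evaluate inherited Azure RBAC
assignments and check them against the sample access-control guideline.

All assignments, ids and names below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleAssignment:
    principal: str       # user principal name
    guest: bool          # True if the account is an Azure AD B2B guest
    role: str            # built-in role name: Owner, Contributor, Reader, ...
    scope: str           # ARM scope the assignment was made at


# Constructed sample scopes (the subscription id is a placeholder).
SUB_ID = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_ID = SUB_ID + "/resourceGroups/rg-app"
RES_ID = RG_ID + "/providers/Microsoft.Web/sites/app-prod"

SAMPLE_ASSIGNMENTS = [
    RoleAssignment("alice@contoso.example", False, "Owner", RG_ID),          # per guideline
    RoleAssignment("bob_partner.example#EXT#", True, "Contributor", RES_ID),  # partner guest on one resource
    RoleAssignment("carol@contoso.example", False, "Contributor", SUB_ID),   # subscription scope: too broad
    RoleAssignment("dave_partner.example#EXT#", True, "Owner", RG_ID),       # guest as Owner: not allowed
]


def scope_level(scope: str) -> str:
    """Classify an ARM scope string as subscription, resourceGroup or resource."""
    parts = [p for p in scope.split("/") if p]
    if len(parts) == 2 and parts[0].lower() == "subscriptions":
        return "subscription"
    if len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "resourceGroup"
    if len(parts) > 4:
        return "resource"
    raise ValueError(f"unsupported scope: {scope}")


def effective_roles(assignments, principal: str, resource_id: str) -> set:
    """Roles `principal` holds at `resource_id`, including inherited ones.

    An assignment applies when its scope is the resource itself or any
    ancestor scope (resource group or subscription); an assignment made on
    a child resource never flows upward."""
    target = resource_id.lower().rstrip("/")
    roles = set()
    for a in assignments:
        if a.principal != principal:
            continue
        s = a.scope.lower().rstrip("/")
        if target == s or target.startswith(s + "/"):
            roles.add(a.role)
    return roles


def check_guideline(assignments) -> list:
    """Return (principal, role, scope, reason) tuples for assignments that
    deviate from the sample guideline on the slides."""
    findings = []
    for a in assignments:
        level = scope_level(a.scope)
        if a.role in ("Owner", "Contributor") and level == "subscription":
            findings.append((a.principal, a.role, a.scope,
                             "subscription-scope assignment is inherited by every "
                             "resource group; prefer Resource Group scope"))
        if a.role == "Owner" and a.guest:
            findings.append((a.principal, a.role, a.scope,
                             "Owner requires an account in the organisation's own "
                             "Azure AD, not a B2B guest"))
    return findings


if __name__ == "__main__":
    print("carol at app-prod:",
          effective_roles(SAMPLE_ASSIGNMENTS, "carol@contoso.example", RES_ID))
    for finding in check_guideline(SAMPLE_ASSIGNMENTS):
        print("FINDING:", *finding)
```

Run against a real tenant, the input would be the output of `az role assignment list --all` rather than the constructed list; the scope and inheritance logic is the same.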
  16. Other access control considerations
      • Break-the-glass account
      • Central accounts
      • Continuous Deployment access
      • Azure AD roles
  17. Key cloud security decisions: Access control, Monitoring, Azure platform security controls
  18. Metrics and Logs
  19. Azure Service Health
  20. Advanced Threat Protection
  21. Azure Activity Logs
      • Contain the lowest-level audit trail for all Azure Resource Manager events
      • Configure Activity log retention (the default is 90 days)
      • Beware of the noise level!
  22. Activity log noise – example from prod
      Activity Log severity   Weekly log events
      Informational           13 000
      Warning                 30
      Error                   99
      Critical                2
  23. Custom Activity Log alerts
      • Data plane access key usage
      • Key Vault access policy changes
      • Kubernetes cluster credentials listing
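The three custom alerts on slide 23 have to be keyed on the operation name, not on severity: the operations that disclose keys or change access are logged at level Informational with status Succeeded, so they sit among the 13 000 weekly informational events of slide 22. The following Python script, an added example and not code from the slides, picks them out of an Activity Log export. The export, its callers and resource ids are constructed; the operation names are the ARM resource-provider operation identifiers assumed to appear in `operationName.value` for these actions.

```python
"""Added example (not from the TechDays slides): pick the custom-alert
operations named on the slide out of an Azure Activity Log export.

The export and every id/caller in it are constructed; the operation names are
assumed from the Azure resource-provider operation identifiers."""
import json

# Activity Log operationName values matching the slide's three alert ideas.
# Keys are lower-cased because operation names are compared case-insensitively.
ALERT_OPERATIONS = {
    "microsoft.storage/storageaccounts/listkeys/action":
        "data-plane access key listed for a storage account",
    "microsoft.keyvault/vaults/accesspolicies/write":
        "Key Vault access policy changed",
    "microsoft.containerservice/managedclusters/listclusteradmincredential/action":
        "AKS cluster admin credentials listed",
    "microsoft.containerservice/managedclusters/listclusterusercredential/action":
        "AKS cluster user credentials listed",
}

# Constructed export in the shape the Activity Log REST API returns. Every
# sensitive operation below is Informational/Succeeded, so a severity filter
# alone would never surface it.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-app/providers/"
SAMPLE_ACTIVITY_LOG = json.dumps([
    {"eventTimestamp": "2020-03-03T08:01:12Z", "level": "Informational",
     "operationName": {"value": "Microsoft.Storage/storageAccounts/listKeys/action"},
     "caller": "svc-ci@contoso.example", "status": {"value": "Succeeded"},
     "resourceId": RG + "Microsoft.Storage/storageAccounts/stapp"},
    {"eventTimestamp": "2020-03-03T08:02:40Z", "level": "Informational",
     "operationName": {"value": "Microsoft.Resources/deployments/write"},
     "caller": "svc-ci@contoso.example", "status": {"value": "Succeeded"},
     "resourceId": RG + "Microsoft.Resources/deployments/app"},
    {"eventTimestamp": "2020-03-03T09:15:03Z", "level": "Informational",
     "operationName": {"value": "Microsoft.KeyVault/vaults/accessPolicies/write"},
     "caller": "alice@contoso.example", "status": {"value": "Succeeded"},
     "resourceId": RG + "Microsoft.KeyVault/vaults/kv-app"},
    {"eventTimestamp": "2020-03-03T11:47:58Z", "level": "Informational",
     "operationName": {"value": "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action"},
     "caller": "bob_partner.example#EXT#", "status": {"value": "Succeeded"},
     "resourceId": RG + "Microsoft.ContainerService/managedClusters/aks-app"},
    {"eventTimestamp": "2020-03-03T12:00:00Z", "level": "Error",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
     "caller": "alice@contoso.example", "status": {"value": "Failed"},
     "resourceId": RG + "Microsoft.Compute/virtualMachines/vm1"},
])


def parse_activity_log(text: str) -> list:
    """Load an Activity Log JSON array export."""
    return json.loads(text)


def count_by_level(events: list) -> dict:
    """Event counts per severity level: shows where the noise lives."""
    counts = {}
    for e in events:
        counts[e["level"]] = counts.get(e["level"], 0) + 1
    return counts


def find_alerts(events: list) -> list:
    """Return the events whose operation is one of the custom-alert operations.

    Only successful operations are reported; a failed listKeys call never
    disclosed a key and would only add noise."""
    hits = []
    for e in events:
        op = e["operationName"]["value"]
        reason = ALERT_OPERATIONS.get(op.lower())
        if reason is None or e["status"]["value"] != "Succeeded":
            continue
        hits.append({"time": e["eventTimestamp"], "caller": e["caller"],
                     "operation": op, "resource": e["resourceId"], "reason": reason})
    return hits


if __name__ == "__main__":
    events = parse_activity_log(SAMPLE_ACTIVITY_LOG)
    print("events per level:", count_by_level(events))
    for hit in find_alerts(events):
        print(f"{hit['time']} {hit['caller']} {hit['operation']} -> {hit['reason']}")
```

In production the same match would be expressed as an Activity Log alert rule on the operation name, so that it fires inside Azure Monitor instead of in a script; the script is useful for testing the rule against a historical export first.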
  24. Security Center – advanced threat protection, sample alerts
      • Management pane access from unusual location
      • Windows VM event log was cleared
      • A new user was added to the sudoers group
      • Web fingerprinting detected
      • New high privileges role detected in AKS
      • Potential malware uploaded to a storage account
      • Suspicious incoming RDP network activity
      • Unusual operation pattern in a Key Vault
      • Unusual amount of data extracted from a Cosmos DB account
  25. Audit logging
      • Enable Audit logging for Azure-native security services, such as Key Vault and Web Application Firewall
      • Decide on log store strategy – distributed and / or centralized?
  26. Central log collection (diagram): each Azure account (Azure Account 1, 2, 3) produces Application, Host, Infrastructure and Platform logs (Azure Security Center, Application Insights, Azure Monitor, Azure Health, Backup, Activity Logs); these are forwarded through an Event Hub to the SOC, alongside Azure Security Center.
  27. Key cloud security decisions: Access control, Monitoring, Azure platform security controls
  28. Azure platform security controls: Subscriptions and Resource Groups; AAD and RBAC; ARM Templates, Policies and Locks; Logging, Alerting & Auditing; Data Encryption; Backups & Disaster Recovery; Privacy & Compliance; Network security
  29. Azure Policy and Azure Resource Manager: Create, Read, Update, Delete (diagram)
  30. Azure Policy
      • Complements Azure Role-Based Access Control
      • Enforces security controls
      • Enables monitoring
  31. Key Azure Policy decisions
      • Customize Security Center default Security policies
      • Usage of dynamic Compliance policies?
  32. (screenshot only)
  33. Build your own security policy
  34. Key Azure Policy decisions
      • Customize Security Center default Security policies
      • Usage of dynamic Compliance policies?
      • Use custom Security policies, and if yes, which?
  35. (screenshot only)
  36. Key Vault Security Policies
      • Prevent self-signed certificate usage
      • Flag expiring certificates
      • Manage encryption requirements, such as minimum key size or requirement for HSM-backed keys
  37. Azure SQL Database Security Policies
      • Do not use SQL Authentication. Use AAD authentication instead
      • Enable SQL Server threat detection with the email admins option
  38. Azure Kubernetes Service Security Policies
      • Pod Security Policies should be defined on Kubernetes Services
      • Authorized IP ranges should be defined on Kubernetes Services
      • Enforce HTTPS ingress in Kubernetes Service
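Slide 30 says Azure Policy complements RBAC: RBAC decides who may create or change a resource, a policy decides which resource configurations are accepted (effect `deny`) or merely reported (effect `audit`). To make that concrete for the AKS policy on slide 38, here is an added Python example, not code from the slides and not the Azure Policy engine, that implements the core of Azure Policy's rule language (`field` conditions with `equals`/`notEquals`/`in`/`notIn`/`exists`, combined with `allOf`/`anyOf`/`not`) and evaluates two rules over constructed ARM resource documents. The "Allowed locations" rule uses the built-in `location` field; the AKS rule uses a property alias assumed to match the built-in "Authorized IP ranges should be defined on Kubernetes Services" policy.

```python
"""Added example (not from the TechDays slides): a small evaluator for Azure
Policy rule semantics. Resource documents are constructed; the AKS alias is an
assumption about the built-in policy's field name."""

MISSING = object()   # sentinel: the field is not present on the resource

# Rule 1: deny AKS clusters whose API server has no authorized IP ranges.
DENY_AKS_WITHOUT_AUTHORIZED_IPS = {
    "name": "deny-aks-without-authorized-ip-ranges",
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.ContainerService/managedClusters"},
        {"field": "Microsoft.ContainerService/managedClusters/apiServerAccessProfile.authorizedIPRanges",
         "exists": "false"},
    ]},
    "then": {"effect": "deny"},
}

# Rule 2: audit (report, do not block) resources outside the allowed regions.
AUDIT_ALLOWED_LOCATIONS = {
    "name": "audit-allowed-locations",
    "if": {"field": "location", "notIn": ["westeurope", "norwayeast"]},
    "then": {"effect": "audit"},
}

POLICIES = [DENY_AKS_WITHOUT_AUTHORIZED_IPS, AUDIT_ALLOWED_LOCATIONS]

# Constructed ARM resource documents (shape of a GET on the resource).
RESOURCES = [
    {"name": "aks-prod", "type": "Microsoft.ContainerService/managedClusters",
     "location": "westeurope",
     "properties": {"apiServerAccessProfile": {"authorizedIPRanges": ["203.0.113.0/24"]}}},
    {"name": "aks-dev", "type": "Microsoft.ContainerService/managedClusters",
     "location": "eastus", "properties": {}},
    {"name": "stlogs", "type": "Microsoft.Storage/storageAccounts",
     "location": "northeurope", "properties": {"supportsHttpsTrafficOnly": True}},
]


def resolve_field(resource: dict, field: str):
    """Resolve a policy `field` to its value on the resource.

    Top-level fields (type, location, name) map directly; an alias of the form
    '<resource type>/<dotted.path>' is looked up under `properties`, the way
    Azure Policy aliases map onto the resource's property bag."""
    if field in ("type", "location", "name"):
        return resource.get(field, MISSING)
    prefix = resource["type"] + "/"
    if not field.lower().startswith(prefix.lower()):
        return MISSING            # alias belongs to another resource type
    node = resource.get("properties", {})
    for key in field[len(prefix):].split("."):
        if not isinstance(node, dict) or key not in node:
            return MISSING
        node = node[key]
    return node


def matches(resource: dict, cond: dict) -> bool:
    """Evaluate one condition (logical or field comparison) against a resource."""
    if "allOf" in cond:
        return all(matches(resource, c) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(resource, c) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(resource, cond["not"])
    value = resolve_field(resource, cond["field"])
    if "exists" in cond:
        want = str(cond["exists"]).lower() == "true"
        return (value is not MISSING) == want
    if value is MISSING:
        return False              # comparisons on an absent field do not match
    if "equals" in cond:
        return str(value).lower() == str(cond["equals"]).lower()
    if "notEquals" in cond:
        return str(value).lower() != str(cond["notEquals"]).lower()
    if "in" in cond:
        return str(value).lower() in [str(v).lower() for v in cond["in"]]
    if "notIn" in cond:
        return str(value).lower() not in [str(v).lower() for v in cond["notIn"]]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(resource: dict, policy: dict):
    """Return the policy's effect ('deny'/'audit') if its rule matches, else None."""
    return policy["then"]["effect"] if matches(resource, policy["if"]) else None


def assess(resources: list, policies: list) -> dict:
    """Map each resource name to the (policy name, effect) pairs that fire."""
    return {r["name"]: [(p["name"], evaluate(r, p)) for p in policies
                        if evaluate(r, p) is not None] for r in resources}


if __name__ == "__main__":
    for name, hits in assess(RESOURCES, POLICIES).items():
        print(name, "->", hits or "compliant")
```

The point the evaluator makes visible is the one on slide 30: `aks-dev` can only be created by someone with Contributor or Owner rights (RBAC), yet even that person gets a `deny` until authorized IP ranges are set, while the location rule only records an `audit` finding for monitoring.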
  39. Your network in Azure (diagram): Internet, cross-premises connectivity, and multiple Virtual Networks
  40. Securing PaaS services
  41. Materials
      • These slides: Zure.ly/karl/slides
      • Security compass: aka.ms/AzureSecurityCompass
      • CIS Foundation controls for Azure: azure.microsoft.com/en-us/resources/cis-microsoft-azure-foundations-security-benchmark/
      • Secure DevOps Kit for Azure: azsk.azurewebsites.net/
      • LinkedIn Learning:
