Secure Azure Deployment Patterns

Microsoft has provided an almost unlimited number of ways for you to securely deploy Azure resources, but people continue to make simple mistakes. In 2017, many organisations had breaches due to poor cloud deployment practices.

In this session, you’ll learn how to use Azure Resource Manager (ARM) templates to deploy resources in a secure manner. This session will look at Azure Storage, App Services, SQL, Virtual Machines and Virtual Networks. I'll discuss the costs, benefits and trade-offs of different design patterns and how you can secure your deployment pipelines.

  1. Secure Azure Deployment Patterns
  2. Kieran Jacobsen, Microsoft MVP – Head of Information Technology @ Readify
  3. A Big Thanks To Our Sponsors. Global Sponsors: › Microsoft › CloudMonix › myGet › Cerebrata › Opsgility › JetBrains › ServiceBus 360. Melbourne Sponsors: › AGL › Readify › Kloud › SixPivot › PTGR
  4. “Flying by the seat of the pants must have been a great experience for the magnificent men in the flying machines of days gone by, but no one would think of taking that risk with the lives of 500 passengers on a modern aircraft.”
  5. A Typical Web App: Full of lies and security vulnerabilities
  6. The Web App › Azure App Service › Azure SQL › Azure Storage
  7. Demo – A Typical Deployment
  8. Securing Azure SQL: Protect the data!
  9. Admin Password
  10. Azure AD Authentication
  11. Transparent Data Encryption
  12. Auditing and Threat Detection
  13. Vulnerability Assessment
  14. Other Considerations › Data Discovery and Classification › Dynamic Data Masking › Failover Groups & Geo-Replication › Long-term backup retention
  15. Azure App Gateway: Filtering out the bad web stuff
  16. App Gateway › HTTP/HTTPS load balancer › Web Application Firewall (WAF) › SSL offload › Traffic Manager integration
  17. Deployment Models › PaaS › IaaS
  18. Demo – Azure App Gateway
  19. App Service Environments: A very private App Service experience
  20. Why use ASE? › Virtual Network connectivity › Private App Services › Static outbound IP and filtering › Massive scaling › Separation and isolation
  21. ASE Concepts (diagram: Azure, App Service Environment, App Service Plan, App Service)
  22. Demo – App Service Environment
  23. Restricting Inbound Access: Let’s build a wall
  24. 13,324,335 public IPv4 addresses in Azure
  25. 392,192: Australia East + Australia Southeast; 129,531: China East + China North
  26. Virtual Network Endpoints › Azure resources can be secured to your virtual network › Optimised traffic routing › Less management overhead › No changes to applications
  27. Beware › Endpoints don’t work for App Services over point-to-site connections › Some services will stop when removing “Allow all Azure Services”
  28. Demo – Virtual Network Endpoints
  29. Restricting Network Flows: You can’t escape from here
  30. Restricting Network Flows › Define NSGs per subnet › Map traffic flows › Define what is required › Add deny all rule › Microsoft provides rules on what is required per service
  31. VM Mgmt Connections › RDP and SSH are widely scanned for and attacked services › Credentials will be brute-forced › You are not smart just because you changed the port number
  32. ARM Templates: Not just about deploying resources
  33. ARM Templates › Git: configuration database › CI/CD: deployment and drift control › Git log: change history › Git blame: who broke it? › Pull Requests: review process
  34. Credentials and ARM Templates › Define sensitive parameters as securestring › Never store securestring parameters in azuredeploy.parameters.json
  35. THANKS! Any questions? You can find me at: @kjacobsen · poshsecurity.com
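
The two rules on slide 34 can be enforced as a check in the deployment pipeline. The following Python sketch is an added example, not code from the talk or its demos: it audits a template/parameters pair for sensitive parameters that are not declared as securestring and for secrets stored as literal values. The parameter names, the sample JSON and the name heuristic are constructed assumptions; a Key Vault reference in the parameters file is treated as acceptable.

```python
import json
import re

# Heuristic (an assumption of this example): names that suggest a secret.
SECRET_NAME = re.compile(r"password|secret|token|connectionstring", re.I)
SECURE_TYPES = {"securestring", "secureobject"}

def audit(template, parameters):
    """Return findings for sensitive parameters in a template/parameters pair."""
    findings = []
    supplied = parameters.get("parameters", {})
    for name, spec in template.get("parameters", {}).items():
        ptype = spec.get("type", "").lower()
        secure = ptype in SECURE_TYPES
        sensitive = secure or bool(SECRET_NAME.search(name))
        if sensitive and not secure:
            findings.append(f"{name}: looks sensitive but is declared as {ptype}")
        if secure and "defaultValue" in spec:
            findings.append(f"{name}: secure parameter has a defaultValue")
        # A literal "value" is a stored secret; a Key Vault "reference" is not.
        if sensitive and "value" in supplied.get(name, {}):
            findings.append(f"{name}: literal value in the parameters file")
    return findings

# Constructed sample input, not taken from the talk's demos.
TEMPLATE = json.loads("""{
  "parameters": {
    "sqlAdminLogin":    {"type": "string"},
    "sqlAdminPassword": {"type": "securestring"},
    "storageSecret":    {"type": "string"},
    "appName":          {"type": "string"}
  }
}""")
PARAMETERS = json.loads("""{
  "parameters": {
    "sqlAdminLogin":    {"value": "dbadmin"},
    "sqlAdminPassword": {"value": "constructed-example-only"},
    "storageSecret":    {"reference": {"keyVault": {"id": "<key-vault-resource-id>"},
                                       "secretName": "storageSecret"}},
    "appName":          {"value": "demo-app"}
  }
}""")

if __name__ == "__main__":
    for finding in audit(TEMPLATE, PARAMETERS):
        print(finding)
```

Run against the files in a pull request, a non-empty result can fail the build before a secret reaches the repository history.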