This document provides guidance on designing secure Azure solutions. It discusses key considerations for infrastructure, topology, identity, authorization, data protection, logging/auditing, key management, and compliance. Specific recommendations are given for securing infrastructure, operating systems, application topology, passwords, access control, encryption, database access, logging, and key vault usage. Compliance with standards like ISO 27001 and audit requirements are also addressed.
5. Customer Environment
[Diagram: Clients / End Users and Remote Workers (VPN, over 443) and Computers Behind Firewalls (ExpressRoute peer) reach an Isolated Virtual Network in Microsoft Azure through a Cloud Access & Firewall Layer and a Threat Detection (DOS/IDS) layer; inside, the Application Tier, Logic Tier and Database Tier each sit behind a Network Security Group, with Azure Storage alongside.]
• No internet access by default
• Intrusion detection and DOS prevention measures
• Customer can deploy additional DOS/IDS measures within their virtual networks
• Penetration testing
Secure development, operations, and threat mitigation practices provide a trusted foundation.
VPN: enables connection from customer sites and remote workers to Azure Virtual Networks using Site-to-Site and Point-to-Site VPNs
ExpressRoute: private fiber connections to access compute, storage and more
Azure Platform
• Logical isolation for customer environments and data
• Centralized management via SMAPI or the Azure Portal
24. Application Topology - Secured
[Diagram: a Browser (HTML/JavaScript Web App), a Mobile App, Partner apps and Third Party Apps each LOGIN against an Authorization Server and then call Web APIs (Web API, Mobile Web API, Partner Web API) through an API Gateway; Backend Web APIs and Server Processes are decoupled via Queues.]
25. OIDC / Implicit Passive Redirect
[Diagram, numbered steps 1-7 between Browser, Web Site and IDaaS: OIDC Request; Login Page; POST Credentials; Authenticate; Issue Token; Set Cookie.]
27. JavaScript calls to Web API (2)
[Diagram: Browser (HTML/JS) and Web API. The token is embedded in the page; the token is passed in the Authorization header; the Web API validates the token and authorizes access.]
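Slides 25 and 27 show the token issued by the IDaaS being embedded in the page and then sent to the Web API in the Authorization header, where the Web API must validate it before authorizing the call. The block below is an added example, not code from the deck: a minimal validator for an HS256-signed JWT using only the Python standard library, with the issuer URL, audience and shared secret constructed so it runs offline. A real IDaaS token is normally RS256-signed and verified against the issuer's published keys; the checks (pinned algorithm, signature, iss, aud, exp, then scope) are the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values so the example runs offline. A real Web API takes the
# issuer and audience from configuration and the key from the IDaaS metadata.
ISSUER = "https://login.example.test/"   # assumed issuer URL
AUDIENCE = "api://orders"                # assumed audience (this Web API)
SECRET = b"constructed-shared-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scopes: list, lifetime: int = 3600, now=None) -> str:
    """Stand-in for the IDaaS: mint an HS256 JWT (header.payload.signature)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject,
               "scp": scopes, "iat": now, "exp": now + lifetime}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(authorization_header: str, now=None) -> dict:
    """What the Web API does before authorizing: parse the Authorization header,
    verify the signature, then check alg, iss, aud and exp.
    Returns the claims on success, raises ValueError otherwise."""
    now = int(time.time()) if now is None else now
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("expected 'Authorization: Bearer <token>'")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header = json.loads(_b64url_decode(parts[0]))
    # Pin the algorithm: never trust the token's own alg (rejects 'none' and alg switching).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("token not issued for this API")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def authorize(authorization_header: str, required_scope: str, now=None) -> bool:
    """Authorization decision: a valid token AND the scope this endpoint needs."""
    try:
        claims = validate_token(authorization_header, now=now)
    except ValueError:
        return False
    return required_scope in claims.get("scp", [])


if __name__ == "__main__":
    t = issue_token("alice", ["orders.read"])
    print(authorize("Bearer " + t, "orders.read"))   # True
    print(authorize("Bearer " + t, "orders.write"))  # False
```

The order matters: the signature is checked before any claim is read, the algorithm is fixed by the API rather than taken from the token, and the audience check stops a token minted for one API from being replayed against another.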
33. Data Encryption
[Diagram: Azure Portal and Azure Data Centers; HTTPS encrypts most communications.]
Azure provides a number of options for encryption and data protection. Customers can use:
• HTTPS to storage
• HTTPS all endpoints
• TLS web client to server
37. Blob Storage Keys and SAS
[Diagram: a Service holding the storage key has create/update/delete/read/list access to a Public Blob and a Private Container; a Browser Client gets read access for a limited time with a Shared Access Signature (SAS), issued under the shared access key or a shared access policy. A SAS valid for more than 1 hour requires an authentication header in the request (no browser).]
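The slide's point is that the storage key stays with the service and the browser only ever receives a short-lived, permission-scoped SAS. The block below is an added example, not code from the deck: it builds the query string of a blob service SAS in Python using only the standard library, following the documented string-to-sign layout for service version 2018-11-09 (the field order is an assumption to check against the current storage docs), and models the checks the service applies when the URL is used. The account name and key are constructed so the example runs offline.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Constructed account and key so the example runs offline. A real key is the
# base64 account key from the portal; the service recomputes exactly this HMAC.
ACCOUNT = "examplestorage"
ACCOUNT_KEY = base64.b64encode(b"constructed-account-key-32-bytes!!").decode()
SIGNED_VERSION = "2018-11-09"  # string-to-sign layout assumed for this service version


def _ts(dt: datetime) -> str:
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def blob_service_sas(container: str, blob: str, permissions: str, expiry: datetime,
                     start: datetime = None, protocol: str = "https") -> dict:
    """Query parameters of an ad hoc service SAS for one blob, scoped to the
    given permissions (e.g. "r" for read only) and expiry."""
    start_s = _ts(start) if start else ""
    expiry_s = _ts(expiry)
    canonical = f"/blob/{ACCOUNT}/{container}/{blob}"
    # Field order follows the documented service-SAS string-to-sign for 2018-11-09.
    string_to_sign = "\n".join([
        permissions, start_s, expiry_s, canonical,
        "",                    # signed identifier (stored access policy): none, ad hoc SAS
        "",                    # signed IP range: none
        protocol, SIGNED_VERSION,
        "b",                   # signed resource: a single blob
        "",                    # snapshot time
        "", "", "", "", "",    # response header overrides rscc/rscd/rsce/rscl/rsct
    ])
    key = base64.b64decode(ACCOUNT_KEY)
    sig = base64.b64encode(
        hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()).decode()
    params = {"sv": SIGNED_VERSION, "sr": "b", "sp": permissions,
              "se": expiry_s, "spr": protocol, "sig": sig}
    if start_s:
        params["st"] = start_s
    return params


def sas_url(container: str, blob: str, params: dict) -> str:
    """The URL handed to the browser: the blob plus the SAS query string."""
    return f"https://{ACCOUNT}.blob.core.windows.net/{container}/{blob}?" + urlencode(params)


def check_sas_request(params: dict, operation: str, now: datetime) -> bool:
    """Model of the checks the service applies before honouring a SAS request:
    not expired, operation covered by sp, and HTTPS only when spr says so.
    (The service also recomputes the signature from the same string-to-sign.)"""
    op_to_perm = {"read": "r", "write": "w", "delete": "d", "list": "l"}
    expiry = datetime.strptime(params["se"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if now >= expiry:
        return False
    return op_to_perm[operation] in params["sp"]


if __name__ == "__main__":
    issued = datetime.now(timezone.utc)
    sas = blob_service_sas("private", "report.pdf", "r", issued + timedelta(minutes=15))
    print(sas_url("private", "report.pdf", sas))
```

With a stored access policy the permissions and expiry move out of the URL into the container's policy (referenced by the `si` field that is empty above), which is what lets you revoke a SAS without rotating the account key; an ad hoc SAS like this one can only be killed by rotating the key, so keep its lifetime short.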
Design Practices for a Secure Azure Solution
When companies endeavor to move their applications and services to the cloud, they tend to worry more about security up front. Interestingly, platforms such as Azure provide an even more secure environment than most self-managed co-location facilities can hope to offer, not to mention the plethora of features on the platform that help you secure your solutions end to end. In this session Michele will review the mini-avalanche that comprises Azure security across features. Taking the architect's view of the platform (with demos) she’ll cover best practices for securing Azure solutions end to end and discuss the tangential benefits of moving to Azure and how it can help you with checking the boxes on those pesky security surveys.
Customers worry about cloud security
But the truth is, the cloud can also improve the security of your solution in some ways
The remaining issues are probably issues whether you are in the cloud or not
When you think about security for a solution, what do you think about?
From a high level…list…
In this session, I want to take you through the types of questions I frequently encounter helping customers “prove their security” to their customers
We will review the topics listed here and within each some of the key questions I see on questionnaires that ask people for proof of trust
In the process, I’ll draw from the special sauce Azure provides in terms of features for data protection, key management, identity, networking and generally secure solution design and implementation
Easy win, if you word it right
Do you have DDoS protection measures in place?
Do you have appropriate isolation, with assurance that packets are routed to the correct tenant?
Do you have appropriate network boundaries to protect data/assets? (this is on you)
The Azure fabric provides three layers of DoS prevention before traffic reaches your servers
You can further secure your VMs with software firewalls, appliances and IDS (rules specific to your clients, not just packet patterns)
Add networking tiers, VPN and dedicated ExpressRoute if you have the budget
Azure takes part in hacking challenges and is constantly pen tested, looking for holes and practicing recovery
Also related to infrastructure: VM security
Do you keep patched?
Do you remove guest accounts?
Least privilege for services?
Access to logs for forensic study?
Will show Azure Security Center (ASC) and OMS later
Patch a machine with Resource Manager (get the RM template, update something, redeploy)
Portal tour
Good practice topology to check that box
There are other ways to be secure when calling the DB: defense in depth, IP restrictions, protected account credentials, roles and separation of tables
For example, you may build a multi-tier IaaS deployment
Use subnets and network security groups to ensure appropriate restrictions on subnets 2 and 3
You can also achieve this with PaaS using an App Service Environment
In this case, Azure-only access to SQL; otherwise firewall rules
You can still shield behind an API for public access and call from inside your Azure services
Service Fabric endpoints can't be reached without an HTTP endpoint exposed, so the physical tier is only needed if you have a compliance requirement
Only the cluster has access
You may still need a token flow, however
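The subnet-plus-NSG restriction above has a pitfall worth seeing concretely: Azure's default inbound rule AllowVnetInBound (priority 65000) allows any traffic from anywhere inside the VNet, so putting the database tier on its own subnet does nothing by itself; you need an explicit lower-numbered deny. The block below is an added example, not code from the deck: a small evaluator of NSG semantics (rules ordered by priority, first match wins, default rules appended) run against a constructed three-tier address plan, with the Internet and VirtualNetwork service tags simplified to "outside the VNet" and "inside the VNet".

```python
from ipaddress import ip_address, ip_network

# Constructed three-tier plan for slide 5's topology: subnet 1 web, 2 logic, 3 database.
VNET = ip_network("10.0.0.0/16")
SUBNETS = {"web": "10.0.1.0/24", "logic": "10.0.2.0/24", "db": "10.0.3.0/24"}

# Azure's default inbound rules (fixed priorities 65000-65500). 65000 allows
# anything inside the VNet, so tier isolation needs explicit denies below it.
DEFAULT_INBOUND = [
    {"priority": 65000, "name": "AllowVnetInBound", "src": "VirtualNetwork", "dst": "VirtualNetwork", "port": "*", "access": "Allow"},
    {"priority": 65001, "name": "AllowAzureLoadBalancerInBound", "src": "AzureLoadBalancer", "dst": "*", "port": "*", "access": "Allow"},
    {"priority": 65500, "name": "DenyAllInBound", "src": "*", "dst": "*", "port": "*", "access": "Deny"},
]

# Custom rules for the database subnet's NSG: only the logic tier may reach SQL,
# and the rest of the VNet is denied before the default allow at 65000 applies.
DB_NSG = [
    {"priority": 100, "name": "AllowLogicToSql", "src": SUBNETS["logic"], "dst": SUBNETS["db"], "port": "1433", "access": "Allow"},
    {"priority": 200, "name": "DenyVnetToDb", "src": "VirtualNetwork", "dst": "*", "port": "*", "access": "Deny"},
]


def _addr_matches(selector: str, addr) -> bool:
    # Simplified service tags: Internet = outside the VNet, VirtualNetwork = inside it.
    if selector == "*":
        return True
    if selector == "Internet":
        return addr not in VNET
    if selector == "VirtualNetwork":
        return addr in VNET
    if selector == "AzureLoadBalancer":
        return addr == ip_address("168.63.129.16")  # Azure's health-probe source address
    return addr in ip_network(selector, strict=False)


def _port_matches(selector: str, port: int) -> bool:
    if selector == "*":
        return True
    if "-" in selector:
        lo, hi = (int(p) for p in selector.split("-"))
        return lo <= port <= hi
    return int(selector) == port


def evaluate(custom_rules, src_ip: str, dst_ip: str, dst_port: int):
    """NSG decision for one inbound flow: lowest priority number that matches wins.
    Returns (access, rule_name)."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if (_addr_matches(rule["src"], src) and _addr_matches(rule["dst"], dst)
                and _port_matches(rule["port"], dst_port)):
            return rule["access"], rule["name"]
    return "Deny", "implicit"  # unreachable: DenyAllInBound always matches


if __name__ == "__main__":
    print(evaluate([], "10.0.1.10", "10.0.3.10", 1433))      # default rules alone: Allow!
    print(evaluate(DB_NSG, "10.0.1.10", "10.0.3.10", 1433))  # with the explicit deny: Deny
```

The first call is the pitfall: with no custom rules, a compromised web-tier VM can reach SQL on the database subnet via AllowVnetInBound. Adding the allow-from-logic rule at 100 and the deny-from-VNet rule at 200 gives the "subnet 2 and 3 restrictions" the notes call for, and the PaaS equivalent is the SQL firewall's Azure-only access plus your own IP rules.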
From a checklist perspective, there are a lot of requests for proof of recommended practices for password and user account management
Password writeback
Multifactor auth
Seems obvious, but these are also important questions that pop up
FIDO on Windows 10
Many features for encryption
Out of the box, traffic in transit within Azure is all HTTPS
Upload only BitLocker-encrypted VHDs
SQL Server TDE, SQL masking
What should you do?
At minimum, use dynamic data masking after copying, for all PII
Ideally, do not copy; mask it on the way: maskme.net