Design Practices for a Secure Azure Solution
Michele Leroux Bustamante
Cofounder / CIO Solliance
Cloud/Security Architect
michelebusta@solliance.net
© Michele Leroux Bustamante. All rights reserved.
(a few) Cloud Security Considerations
• Infrastructure
• Topology
• Identity
• Authorization
• Data protection
• Logging/audit
• Key management
• Compliance
Infrastructure
Infrastructure Requirements
• DDoS prevention
• Packet routing assurances
• Network boundaries
[Diagram: Azure infrastructure. Clients / end users reach the customer environment over the Internet on 443, passing the cloud access & firewall layer and the threat detection (DoS/IDS) layer. The customer environment is an isolated virtual network with an application tier, a logic tier and a database tier, each behind its own Network Security Group. Remote workers and computers behind firewalls connect over VPN; ExpressRoute peers use private fiber connections to access compute, storage and more. Azure Storage sits alongside.]
• No internet access by default
• Intrusion detection and DOS prevention measures
• Customer can deploy additional DOS/IDS measures within their virtual networks
• Penetration testing
Secure development, operations, and threat mitigation practices provide a trusted foundation.
VPN: enables connection from customer sites and remote workers to Azure Virtual Networks using Site-to-Site and Point-to-Site VPNs.
Azure Platform:
• Logical isolation for customer environments and data
• Centralized management via SMAPI or the Azure Portal
OS Requirements
• Virtual Machines
  • Disable unused services on the VM
    • e.g., no guest accounts, services run with least privilege
  • Keep machines patched, up to date
    • Azure Security Center can help here
• App Services
  • Web Apps, Logic Apps, API Apps
  • Bare bones VMs, stripped down per best practices
  • Automatic patching handled for you
Topology
Topology Requirements
• Database should not be accessible from Internet facing applications and services
• Internal endpoints for back end APIs
Example Application Topology
[Diagram: a browser (JavaScript) talks to a Web App and a Web API; a mobile app talks to its Mobile App (API); a partner Web API comes in through an API Gateway; all of these call a Backend Web API. LOGIN markers show where callers authenticate.]
Deployment options for the same topology:
• IaaS / Virtual Networks: one virtual network with Subnet1 (web servers, reached over HTTP/S 80/443), Subnet2 (back end servers) and Subnet3 (SQL Server / cluster).
• PaaS / IaaS: a virtual network with Subnet1 and Subnet2 each holding an App Service Plan, reached over HTTP/S 80/443, with SQL Server / cluster behind them.
• All PaaS: a virtual network with Subnet1 holding the App Service Plans, reached over HTTP/S 80/443.
• Service Fabric / Front End / Back End: a virtual network with Subnet1; a front end of stateless web / API services on HTTP/S 80/443, and a back end of stateless compute and stateful compute.
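An added example (not from the slides or from any Azure tooling) that models how Network Security Group rules enforce the two topology requirements above on the three-subnet IaaS layout: rules are tried in ascending priority, the first match wins, and Azure's default AllowVnetInBound / DenyAllInBound rules sit behind the custom ones, which is why the web tier needs an explicit deny towards SQL. Subnet prefixes, rule names and sample addresses are constructed.

```python
"""NSG rule evaluation for the slide's Subnet1 (web) / Subnet2 (back end) /
Subnet3 (SQL) layout.  Address plan, rule names and probe addresses are
constructed for this example."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan mirroring the slide's three subnets.
SUBNETS = {
    "Subnet1-Web": ip_network("10.0.1.0/24"),
    "Subnet2-BackEnd": ip_network("10.0.2.0/24"),
    "Subnet3-SQL": ip_network("10.0.3.0/24"),
}


@dataclass(frozen=True)
class Rule:
    priority: int            # lower number is evaluated first
    name: str
    source: str              # "Internet", "VirtualNetwork", "Any", a subnet name or a CIDR
    dest: str
    ports: tuple[int, ...]   # empty tuple means any port
    allow: bool


def _in_vnet(ip) -> bool:
    return any(ip in net for net in SUBNETS.values())


def _matches(selector: str, addr: str) -> bool:
    """Resolve a service tag, subnet name or CIDR against one address."""
    ip = ip_address(addr)
    if selector == "Any":
        return True
    if selector == "Internet":        # Internet tag: everything outside the VNet
        return not _in_vnet(ip)
    if selector == "VirtualNetwork":
        return _in_vnet(ip)
    if selector in SUBNETS:
        return ip in SUBNETS[selector]
    return ip in ip_network(selector)


# Azure adds these default rules to every NSG; they can only be overridden by a
# custom rule with a lower priority number.
DEFAULT_RULES = (
    Rule(65000, "AllowVnetInBound", "VirtualNetwork", "VirtualNetwork", (), True),
    Rule(65500, "DenyAllInBound", "Any", "Any", (), False),
)

# Custom rules: the database tier is reachable only from the back-end tier.
CUSTOM_RULES = (
    Rule(100, "AllowHttpFromInternet", "Internet", "Subnet1-Web", (80, 443), True),
    Rule(110, "AllowBackEndFromWeb", "Subnet1-Web", "Subnet2-BackEnd", (), True),
    Rule(120, "AllowSqlFromBackEnd", "Subnet2-BackEnd", "Subnet3-SQL", (1433,), True),
    # Without this explicit deny, AllowVnetInBound (65000) would let the
    # Internet-facing web servers open connections straight to SQL Server.
    Rule(200, "DenySqlFromWeb", "Subnet1-Web", "Subnet3-SQL", (), False),
)


def evaluate(rules, src: str, dst: str, port: int) -> tuple[bool, str]:
    """Return (allowed, name_of_matching_rule) for one inbound flow."""
    for rule in sorted(tuple(rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if rule.ports and port not in rule.ports:
            continue
        if _matches(rule.source, src) and _matches(rule.dest, dst):
            return rule.allow, rule.name
    raise AssertionError("DenyAllInBound always matches")


def database_exposure(rules) -> list[str]:
    """Audit check for the topology requirement: list the rules that let the
    Internet or the web tier reach SQL Server on 1433 (empty list = compliant)."""
    probes = {"Internet": "198.51.100.7", "Subnet1-Web": "10.0.1.10"}  # constructed
    sql_host = "10.0.3.10"
    findings = []
    for origin, addr in probes.items():
        allowed, name = evaluate(rules, addr, sql_host, 1433)
        if allowed:
            findings.append(f"{origin} -> SQL:1433 allowed by {name}")
    return findings


if __name__ == "__main__":
    print(database_exposure(CUSTOM_RULES))
    # Drop the explicit deny to see the default VNet rule expose the database.
    weakened = tuple(r for r in CUSTOM_RULES if r.name != "DenySqlFromWeb")
    print(database_exposure(weakened))
```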
Identity
Password / User Account Policies
• Initial password issuance
• Password strength
• Password reuse
• Frequency of change
• Admin password special requirements
• Hash algorithms / key lengths
• Inactivity, login failure, account blocking
• Non-obvious account names
• Delivery of account/password materials
• De-provisioning / access revocation
• No sharing of accounts
IDaaS / Azure AD – how can it help?
Azure AD can cover every item of the policy list (each is checked ✔ on the slide):
• Initial password issuance ✔
• Password strength ✔
• Password reuse ✔
• Frequency of change ✔
• Admin password special requirements ✔
• Hash algorithms / key lengths ✔
• Inactivity, login failure, account blocking ✔
• Non-obvious account names ✔
• Delivery of account/password materials ✔
• De-provisioning / access revocation ✔
• No sharing of accounts ✔
Typical Capabilities
• Browser Based Authentication
• Mobile Device Authentication
• Multi-Factor Authentication
• Login to your corporate directory
• Single Sign On (to SaaS apps)
• Social Login
[Diagram: AAD in the middle; on-premises apps in an AD domain on one side and cloud apps on the other; social identity providers Google, Facebook, Microsoft Account and Twitter federated in.]
How else does IDaaS help?
• DDOS prevention at the provider, not at your app
• User Management
  • Block suspicious login
  • Prompt for MFA
• Protocol based protection at the app (OpenID Connect / OAuth2)
• Centralized user deprovisioning
• Audit logs, reports
• Compliance
Authorization
Authorization Requirements
• Access control requirements across apps
• API security
• Session lifetime, timeout
• Data isolation, tenancy
Application Topology
[Diagram: browser JavaScript calling a Web App and a JS Web API; a server process; a mobile app calling a Mobile Web API; a partner Web API and third party apps entering through an API Gateway; a Backend Web API and queues behind them all.]
Application Topology - Secured
[Diagram: the same topology with an Authorization Server added and LOGIN markers placed on each client entry path (web app, mobile web API, API gateway, third party apps).]
OIDC / Implicit Passive Redirect
[Diagram, steps as numbered on the slide: (1) the browser requests the web site; (2) the site answers with an OIDC request that redirects the browser to the IDaaS / authorization server (AS); (3) the AS returns its login page; (4) the browser POSTs credentials; (5) the AS authenticates the user and issues a token; (6) the web site sets a session cookie and (7) the response returns to the browser. A second copy of the flow shows the same steps for a Web App against the AS, with the Web App setting the cookie and rendering the token into the page for its Web API calls.]
JavaScript calls to Web API (1) / (2)
[Diagram: the token is embedded in the page (HTML/JS); the browser's JavaScript passes it in the Authorization header (1); the Web API validates the token and authorizes access (2).]
Calling APIs / Act-As
[Diagram: browser JavaScript calls the Web App / Web API; the Web API sends a delegation request to the AS and then calls the Backend Web API on the user's behalf (act-as), steps 1 to 4 on the slide.]
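An added example, not from the slides, of the "Validate Token / Authorize Access" step the Web API performs on the bearer token it receives in the Authorization header, together with the "Issue Token" step on the IDaaS side so it runs end to end offline. Tokens are HS256 JWTs under a constructed shared secret; Azure AD issues RS256 tokens verified against its published signing keys, but the issuer, audience, expiry, algorithm and signature checks are the same. Issuer, audience, secret and scope names are assumptions.

```python
"""Bearer-token validation for a Web API behind an IDaaS.  HS256 with a
constructed shared secret stands in for the RS256 / published-key setup a
real authorization server uses; ISSUER, AUDIENCE, SHARED_SECRET and the
scope names are constructed values."""
from __future__ import annotations
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://login.example.test/tenant"      # constructed
AUDIENCE = "api://backend-web-api"                 # constructed
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scopes: list[str], lifetime: int = 3600, now: int | None = None) -> str:
    """The authorization server's 'Issue Token' step."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject,
              "iat": now, "exp": now + lifetime, "scp": " ".join(scopes)}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class TokenError(Exception):
    pass


def validate_token(token: str, now: int | None = None) -> dict:
    """Verify the signature and the standard claims; return the claims or raise."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        given_sig = _b64url_decode(sig_b64)
    except ValueError as exc:                       # bad base64, bad JSON, wrong part count
        raise TokenError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenError("malformed token")
    # Pin the algorithm the API expects instead of trusting the token header.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_sig):
        raise TokenError("bad signature")
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise TokenError("wrong audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise TokenError("expired")
    return claims


def authorize_request(headers: dict, required_scope: str, now: int | None = None) -> tuple[int, dict | None]:
    """Web API entry point: (http_status, claims) for one incoming request.
    401 = not authenticated, 403 = authenticated but lacking the scope."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, None
    try:
        claims = validate_token(auth[len("Bearer "):], now=now)
    except TokenError:
        return 401, None
    if required_scope not in claims.get("scp", "").split():
        return 403, None
    return 200, claims


if __name__ == "__main__":
    token = issue_token("alice", ["orders.read"])
    print(authorize_request({"Authorization": "Bearer " + token}, "orders.read"))
```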
Data protection
Do you ever have to “fix” things in the production db?
Database Access Requirements
• Limited to individuals
• Application / system accounts
• Few admin / read only
• All access to data is controlled via applications
• Never, never, never log in to the database and fix issues directly with content/data
  • At least this is the goal
  • Build tools to solve data problems instead, track repeat offenders
Data Protection Requirements
• Encryption in transit, at rest, in use
• Crypto
  • NIST approved
  • Use code modules with FIPS 140 compliance
  • Vendor list: http://csrc.nist.gov/cryptval/
• No sharing of identifiable information
  • Identifiers, PII, PHI
Data Encryption
[Diagram: the Azure Portal and Azure data centers; Azure encrypts most communications between them (HTTPS).]
Azure provides a number of options for encryption and data protection. Customers can use:
• HTTPS to storage
• HTTPS all endpoints
• TLS web client to server
Ever copy production data for dev/test?
SQL DB Data Masking
Key Management
Blob Storage Keys and SAS
[Diagram: a service holds the shared access key and uses it for create, update, delete, read and list on a public blob container and on a private container. A browser client gets read access to the private container for a limited time through a Shared Access Signature (SAS) issued under a shared access policy. A SAS valid for more than 1 hour requires an authentication header in the request, which a browser cannot supply.]
Key Vault
• Store your private keys, shared secrets and other connection details securely
• FIPS-compliant HSM-backed storage option ($$)
• Examples
  • Private keys, certs, passwords
  • Connection strings
  • Secrets and account names for service bus, storage, search, redis, etc.
Logging / Audit
Logging / Audit Requirements
• Log access to infrastructure, host environment
• Log all admin access
• All login, failure, retry, lockout, logout
• No PII/PHI in logs
• Retention policy 1 year (typically)
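An added example, not from the slides, of the active review these requirements call for, run over constructed login / failure / lockout / logout events: it flags accounts whose burst of failures ended in a successful login (investigate first) or in a lockout (policy worked), and reports lines that carry an e-mail address against the no-PII rule. The one-line-per-event log format, the failure threshold and the time window are assumptions of this example, not a format Azure or the author uses.

```python
"""Review of authentication events for the slide's logging requirements.
Log format, threshold, window and all sample lines are constructed."""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: "<ISO timestamp> <event> user=<id> ip=<addr>".
# Users are pseudonymous ids except line 8, which leaks an e-mail address.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z LOGIN_FAILURE user=u-1042 ip=198.51.100.7
2024-05-01T08:00:03Z LOGIN_FAILURE user=u-1042 ip=198.51.100.7
2024-05-01T08:00:04Z LOGIN_FAILURE user=u-1042 ip=198.51.100.7
2024-05-01T08:00:05Z LOGIN_FAILURE user=u-1042 ip=198.51.100.7
2024-05-01T08:00:06Z LOGIN_FAILURE user=u-1042 ip=198.51.100.7
2024-05-01T08:00:09Z LOGIN_SUCCESS user=u-1042 ip=198.51.100.7
2024-05-01T08:01:00Z LOGIN_SUCCESS user=u-2077 ip=203.0.113.9
2024-05-01T08:02:00Z LOGIN_FAILURE user=alice@example.test ip=203.0.113.9
2024-05-01T08:03:00Z LOGOUT user=u-2077 ip=203.0.113.9
2024-05-01T08:05:00Z LOGIN_FAILURE user=u-3001 ip=192.0.2.4
2024-05-01T08:05:01Z LOGIN_FAILURE user=u-3001 ip=192.0.2.4
2024-05-01T08:05:02Z LOGIN_FAILURE user=u-3001 ip=192.0.2.4
2024-05-01T08:05:03Z LOGIN_FAILURE user=u-3001 ip=192.0.2.4
2024-05-01T08:05:04Z LOGIN_FAILURE user=u-3001 ip=192.0.2.4
2024-05-01T08:05:05Z ACCOUNT_LOCKOUT user=u-3001 ip=192.0.2.4
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+user=(\S+)\s+ip=(\S+)$")
EMAIL_RE = re.compile(r"[^\s=]+@[^\s=]+\.[^\s=]+")


def parse(log_text: str) -> list[dict]:
    """Turn log lines into event dicts; unparsable lines are skipped here,
    in real use they should be counted so log tampering or format drift shows up."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, event, user, ip = m.groups()
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "event": event, "user": user, "ip": ip})
    return events


def failure_bursts(events, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> dict[str, str]:
    """user -> verdict for accounts with >= threshold failures inside the window:
    'lockout' when the lockout policy fired, 'success-after-failures' when the
    burst ended in a successful login."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    verdicts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        failures = []
        for e in evs:
            if e["event"] == "LOGIN_FAILURE":
                failures.append(e["ts"])
                failures = [t for t in failures if e["ts"] - t <= window]
            elif e["event"] == "ACCOUNT_LOCKOUT" and len(failures) >= threshold:
                verdicts[user] = "lockout"
            elif e["event"] == "LOGIN_SUCCESS" and len(failures) >= threshold:
                verdicts[user] = "success-after-failures"
            if e["event"] in ("LOGIN_SUCCESS", "ACCOUNT_LOCKOUT"):
                failures = []
    return verdicts


def pii_leaks(log_text: str) -> list[int]:
    """1-based numbers of lines containing an e-mail address (no PII/PHI in logs)."""
    return [i for i, line in enumerate(log_text.splitlines(), 1) if EMAIL_RE.search(line)]


if __name__ == "__main__":
    print(failure_bursts(parse(SAMPLE_LOG)))
    print("lines with e-mail addresses:", pii_leaks(SAMPLE_LOG))
```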
Do you review your logs actively?
Azure Security Center
• Recommends actions to take to secure your VMs
• Define policies
• Export logs for analysis
• Integration with Operations Management Suite (OMS)
COMPLIANCE in general
Compliance Requirements
• Infrastructure
  • ISO 27001
  • SAS 70 Type II, SSAE 16
• Audit
  • Third party review / NIST SP 800-53
  • Third party pen test, OWASP or OSSTMM
  • Third party Nessus scan
http://azure.microsoft.com/en-us/support/trust-center/compliance/
Compliance and Certifications
[Chart: certifications marked as audited, certified, or in progress (*).] Azure’s certification process is ongoing with annual updates and increasing breadth of coverage.
Azure manages compliance with:
• ISO 27001
• SOC1 / SOC2
• HIPAA BAA
• DPA / EU-MC
• UK G-Cloud / IL2
• PCI DSS
• FedRAMP
About Michele
• Michele Leroux Bustamante
• michelebusta@solliance.net
• @michelebusta
• Solliance Cofounder
• Cloud / Security Architect
• Microsoft Regional Director since 2003
• Microsoft MVP – Microsoft Azure
• Azure Elite, Azure Insider

More Related Content

What's hot

Integrating security into the application development process
Integrating security into the application development processIntegrating security into the application development process
Integrating security into the application development process
Jerod Brennen
 
Protecting Web Services from DDOS Attack
Protecting Web Services from DDOS AttackProtecting Web Services from DDOS Attack
Protecting Web Services from DDOS Attack
Ponraj
 

What's hot (20)

Microsoft Azure Security Overview
Microsoft Azure Security OverviewMicrosoft Azure Security Overview
Microsoft Azure Security Overview
 
DataPower Security Hardening
DataPower Security HardeningDataPower Security Hardening
DataPower Security Hardening
 
Azure Security Overview
Azure Security OverviewAzure Security Overview
Azure Security Overview
 
Oracle UCM Security: Challenges and Best Practices
Oracle UCM Security: Challenges and Best PracticesOracle UCM Security: Challenges and Best Practices
Oracle UCM Security: Challenges and Best Practices
 
Digitally Transform (And Keep) Your On-Premises File Servers
Digitally Transform (And Keep) Your On-Premises File ServersDigitally Transform (And Keep) Your On-Premises File Servers
Digitally Transform (And Keep) Your On-Premises File Servers
 
AWS Security
AWS Security AWS Security
AWS Security
 
Putting it All Together: Securing Systems at Cloud Scale
Putting it All Together: Securing Systems at Cloud ScalePutting it All Together: Securing Systems at Cloud Scale
Putting it All Together: Securing Systems at Cloud Scale
 
Webservice security considerations and measures
Webservice security considerations and measuresWebservice security considerations and measures
Webservice security considerations and measures
 
Azure Security Fundamentals
Azure Security FundamentalsAzure Security Fundamentals
Azure Security Fundamentals
 
Microservices Technology Stack
Microservices Technology StackMicroservices Technology Stack
Microservices Technology Stack
 
Azure Security and Management
Azure Security and ManagementAzure Security and Management
Azure Security and Management
 
Networking deep dive
Networking deep diveNetworking deep dive
Networking deep dive
 
Integrating security into the application development process
Integrating security into the application development processIntegrating security into the application development process
Integrating security into the application development process
 
DataPower Restful API Security
DataPower Restful API SecurityDataPower Restful API Security
DataPower Restful API Security
 
Iplanet
IplanetIplanet
Iplanet
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can You
 
Austin CSS Slalom Presentation
Austin CSS Slalom PresentationAustin CSS Slalom Presentation
Austin CSS Slalom Presentation
 
Protecting Web Services from DDOS Attack
Protecting Web Services from DDOS AttackProtecting Web Services from DDOS Attack
Protecting Web Services from DDOS Attack
 
DevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit TestsDevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit Tests
 
Shared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure CloudShared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure Cloud
 

Viewers also liked

Azure Securtity Pro
Azure Securtity ProAzure Securtity Pro
Azure Securtity Pro
John Horn
 
Windows Azure Virtual Networks
Windows Azure Virtual NetworksWindows Azure Virtual Networks
Windows Azure Virtual Networks
Önder Değer
 
Windows azure sql_database_security_isug012013
Windows azure sql_database_security_isug012013Windows azure sql_database_security_isug012013
Windows azure sql_database_security_isug012013
sqlserver.co.il
 
Devops the Microsoft Way
Devops the Microsoft WayDevops the Microsoft Way
Devops the Microsoft Way
Patrick Chanezon
 

Viewers also liked (20)

DevOps in Azure : Puppetize the Cloud
DevOps in Azure : Puppetize the CloudDevOps in Azure : Puppetize the Cloud
DevOps in Azure : Puppetize the Cloud
 
DevOps for Azure
DevOps for AzureDevOps for Azure
DevOps for Azure
 
Azure AD and Office 365 - Deja Vu All Over Again
Azure AD and Office 365 - Deja Vu All Over AgainAzure AD and Office 365 - Deja Vu All Over Again
Azure AD and Office 365 - Deja Vu All Over Again
 
DevOps With Chef and Azure
DevOps With Chef and AzureDevOps With Chef and Azure
DevOps With Chef and Azure
 
Achieve True Hybrid Cloud with Azure - Built for Scale, Security and Interope...
Achieve True Hybrid Cloud with Azure - Built for Scale, Security and Interope...Achieve True Hybrid Cloud with Azure - Built for Scale, Security and Interope...
Achieve True Hybrid Cloud with Azure - Built for Scale, Security and Interope...
 
Azure DevOps Presentation
Azure DevOps PresentationAzure DevOps Presentation
Azure DevOps Presentation
 
Enterprise Vulnerability Management - ZeroNights16
Enterprise Vulnerability Management - ZeroNights16Enterprise Vulnerability Management - ZeroNights16
Enterprise Vulnerability Management - ZeroNights16
 
End to End Security with MVC and Web API
End to End Security with MVC and Web APIEnd to End Security with MVC and Web API
End to End Security with MVC and Web API
 
Nimbo/Alert Logic - Azure in the Cloud
Nimbo/Alert Logic - Azure in the CloudNimbo/Alert Logic - Azure in the Cloud
Nimbo/Alert Logic - Azure in the Cloud
 
Azure Securtity Pro
Azure Securtity ProAzure Securtity Pro
Azure Securtity Pro
 
Deep thoughts from the real world of azure
Deep thoughts from the real world of azureDeep thoughts from the real world of azure
Deep thoughts from the real world of azure
 
Tips and Tricks For Faster Asp.NET and MVC Applications
Tips and Tricks For Faster Asp.NET and MVC ApplicationsTips and Tricks For Faster Asp.NET and MVC Applications
Tips and Tricks For Faster Asp.NET and MVC Applications
 
Security in windows azure
Security in windows azureSecurity in windows azure
Security in windows azure
 
Azure vnet connectivity solutions
Azure vnet connectivity solutionsAzure vnet connectivity solutions
Azure vnet connectivity solutions
 
Windows Azure Virtual Networks
Windows Azure Virtual NetworksWindows Azure Virtual Networks
Windows Azure Virtual Networks
 
Windows azure sql_database_security_isug012013
Windows azure sql_database_security_isug012013Windows azure sql_database_security_isug012013
Windows azure sql_database_security_isug012013
 
Connect your datacenter to Microsoft Azure
Connect your datacenter to Microsoft AzureConnect your datacenter to Microsoft Azure
Connect your datacenter to Microsoft Azure
 
Microsoft Azure Security Infographic
Microsoft Azure Security InfographicMicrosoft Azure Security Infographic
Microsoft Azure Security Infographic
 
Devops the Microsoft Way
Devops the Microsoft WayDevops the Microsoft Way
Devops the Microsoft Way
 
Integrating your on-premises Active Directory with Azure and Office 365
Integrating your on-premises Active Directory with Azure and Office 365Integrating your on-premises Active Directory with Azure and Office 365
Integrating your on-premises Active Directory with Azure and Office 365
 

Similar to Design Practices for a Secure Azure Solution

TechEd Africa 2011 - Collaborating with Extranet Partners on SharePoint 2010
TechEd Africa 2011 - Collaborating with Extranet Partners on SharePoint 2010TechEd Africa 2011 - Collaborating with Extranet Partners on SharePoint 2010
TechEd Africa 2011 - Collaborating with Extranet Partners on SharePoint 2010
Michael Noel
 
API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against Hacks
Akana
 
The Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the EnterpriseThe Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the Enterprise
Akana
 

Similar to Design Practices for a Secure Azure Solution (20)

ObserveIT Remote Access Monitoring Software - Corporate Presentation
ObserveIT Remote Access Monitoring Software - Corporate PresentationObserveIT Remote Access Monitoring Software - Corporate Presentation
ObserveIT Remote Access Monitoring Software - Corporate Presentation
 
Web application security (eng)
Web application security (eng)Web application security (eng)
Web application security (eng)
 
Share Point Server Security with Joel Oleson
Share Point Server Security with Joel OlesonShare Point Server Security with Joel Oleson
Share Point Server Security with Joel Oleson
 
OAuth in the Real World featuring Webshell
OAuth in the Real World featuring WebshellOAuth in the Real World featuring Webshell
OAuth in the Real World featuring Webshell
 
Planning Extranet Environments with SharePoint 2010
Planning Extranet Environments with SharePoint 2010Planning Extranet Environments with SharePoint 2010
Planning Extranet Environments with SharePoint 2010
 
TechEd Africa 2011 - Collaborating with Extranet Partners on SharePoint 2010
TechEd Africa 2011 - Collaborating with Extranet Partners on SharePoint 2010TechEd Africa 2011 - Collaborating with Extranet Partners on SharePoint 2010
TechEd Africa 2011 - Collaborating with Extranet Partners on SharePoint 2010
 
Webinar: ForgeRock Identity Platform Preview (Dec 2015)
Webinar: ForgeRock Identity Platform Preview (Dec 2015)Webinar: ForgeRock Identity Platform Preview (Dec 2015)
Webinar: ForgeRock Identity Platform Preview (Dec 2015)
 
Bh Win 03 Rileybollefer
Bh Win 03 RileybolleferBh Win 03 Rileybollefer
Bh Win 03 Rileybollefer
 
Building multi tenant highly secured applications on .net for any cloud - dem...
Building multi tenant highly secured applications on .net for any cloud - dem...Building multi tenant highly secured applications on .net for any cloud - dem...
Building multi tenant highly secured applications on .net for any cloud - dem...
 
Techcello hp-arch workshop
Techcello hp-arch workshopTechcello hp-arch workshop
Techcello hp-arch workshop
 
API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against Hacks
 
API Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against HacksAPI Security: Securing Digital Channels and Mobile Apps Against Hacks
API Security: Securing Digital Channels and Mobile Apps Against Hacks
 
Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares Oauth Nightmares Abstract OAuth Nightmares
Oauth Nightmares Abstract OAuth Nightmares
 
Securing Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid CloudsSecuring Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid Clouds
 
The Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the EnterpriseThe Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the Enterprise
 
The Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the EnterpriseThe Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the Enterprise
 
FIDO Technical Overview at FIDO KWG Hackathon
FIDO Technical Overview at FIDO KWG HackathonFIDO Technical Overview at FIDO KWG Hackathon
FIDO Technical Overview at FIDO KWG Hackathon
 
Solving Single-Sign-On
Solving Single-Sign-OnSolving Single-Sign-On
Solving Single-Sign-On
 
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
 
Azure AD - Password attacks - logging and protections
Azure AD - Password attacks - logging and protectionsAzure AD - Password attacks - logging and protections
Azure AD - Password attacks - logging and protections
 

More from Michele Leroux Bustamante

More from Michele Leroux Bustamante (13)

So Many Docker Platforms...so little time
So Many Docker Platforms...so little timeSo Many Docker Platforms...so little time
So Many Docker Platforms...so little time
 
Surviving Microservices - v2
Surviving Microservices - v2Surviving Microservices - v2
Surviving Microservices - v2
 
.NET Developer Days - Launching Patterns for Containers
.NET Developer Days - Launching Patterns for Containers.NET Developer Days - Launching Patterns for Containers
.NET Developer Days - Launching Patterns for Containers
 
.NET Developer Days - So many Docker platforms, so little time...
.NET Developer Days - So many Docker platforms, so little time....NET Developer Days - So many Docker platforms, so little time...
.NET Developer Days - So many Docker platforms, so little time...
 
The Ultimate Logging Architecture - You KNOW you want it!
The Ultimate Logging Architecture - You KNOW you want it!The Ultimate Logging Architecture - You KNOW you want it!
The Ultimate Logging Architecture - You KNOW you want it!
 
The Power of Social Login
The Power of Social LoginThe Power of Social Login
The Power of Social Login
 
Unleash Your Inner Startup (Sweden, Dev Sum)
Unleash Your Inner Startup (Sweden, Dev Sum)Unleash Your Inner Startup (Sweden, Dev Sum)
Unleash Your Inner Startup (Sweden, Dev Sum)
 
Social Login
Social LoginSocial Login
Social Login
 
Surviving the Azure Avalanche
Surviving the Azure AvalancheSurviving the Azure Avalanche
Surviving the Azure Avalanche
 
Windows Azure Essentials V3
Windows Azure Essentials V3Windows Azure Essentials V3
Windows Azure Essentials V3
 
Channel Your Inner Startup and Go For It!
Channel Your Inner Startup and Go For It!Channel Your Inner Startup and Go For It!
Channel Your Inner Startup and Go For It!
 
Global Windows Azure Bootcamp - San Diego
Global Windows Azure Bootcamp - San DiegoGlobal Windows Azure Bootcamp - San Diego
Global Windows Azure Bootcamp - San Diego
 
Windows Azure Essentials
Windows Azure EssentialsWindows Azure Essentials
Windows Azure Essentials
 

Recently uploaded

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Recently uploaded (20)

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 

Design Practices for a Secure Azure Solution

  • 1. Design Practices for a Secure Azure Solution Michele Leroux Bustamante Cofounder / CIO Solliance Cloud/Security Architect michelebusta@solliance.net
  • 2. © Michele Leroux Bustamante. All rights reserved. (a few) Cloud Security Considerations  Infrastructure  Topology  Identity  Authorization  Data protection  Logging/audit  Key management  Compliance
  • 3. © Michele Leroux Bustamante. All rights reserved. Infrastructure
  • 4. © Michele Leroux Bustamante. All rights reserved. Infrastructure Requirements  DDoS prevention  Packet routing assurances  Network boundaries
  • 5. Customer Environment Application Tier Logic Tier Database Tier Isolated Virtual Network INTERNET Cloud Access & Firewall Layer THREAT DETECTION: DOS/IDS Layer Network Security Group Clients / End Users Microsoft Azure 443 443 VPN Remote Workers Computers Behind Firewalls ExpressRoute Peer Private fiber connections to access compute, storage and more using ExpressRoute Azure Storage • No internet access by default • Intrusion detection and DOS prevention measures • Customer can deploy additional DOS/IDS measures within their virtual networks • Penetration testing Secure development, operations, and threat mitigation practices provide a trusted foundation. Enables connection from customer sites and remote workers to Azure Virtual Networks using Site-to-Site and Point-to-Site VPNs Azure Platform • Logical isolation for customer environments and data • Centralized management via SMAPI or the Azure Portal Network Security Group Network Security Group
  • 6. OS Requirements
    - Virtual Machines
      - Disable unused services on the VM (e.g., no guest accounts; services run with least privilege)
      - Keep machines patched and up to date
      - Azure Security Center can help here
  • 7. OS Requirements
    - Virtual Machines
      - Disable unused services on the VM (e.g., no guest accounts; services run with least privilege)
      - Keep machines patched and up to date
      - Azure Security Center can help here
    - App Services
      - Web Apps, Logic Apps, API Apps
      - Bare bones VMs, stripped for best practices
      - Automatic patching handled for you
  • 8. Topology
  • 9. Topology Requirements
    - Database should not be accessible from Internet facing applications and services
    - Internal endpoints for back end APIs
  • 10. [Diagram: Example Application Topology. Components: Backend Web API; Browser running a JavaScript Web App that calls a Web API; Mobile App calling the Mobile App (API); Partner calling a Web API through an API Gateway. LOGIN is shown at the browser and partner entry points.]
  • 11. [Diagram: IaaS / Virtual Networks. One Virtual Network with Subnet1 (Web Servers, accepting HTTP/S on 80/443), Subnet2 (Back End Servers) and Subnet3 (SQL Server / Cluster).]
  • 14. [Diagram: Service Fabric / Front End / Back End. Virtual Network with Subnet1 holding Front End Stateless Web / API Services (HTTP/S 80/443), a Back End Stateless Compute tier and a Stateful Compute tier.]
  • 15. Identity
  • 16. Password / User Account Policies
    - Initial password issuance
    - Password strength
    - Password reuse
    - Frequency of change
    - Admin password special requirements
    - Hash algorithms / key lengths
    - Inactivity, login failure, account blocking
    - Non-obvious account names
    - Delivery of account/password materials
    - De-provisioning / access revocation
    - No sharing of accounts
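If an application keeps its own accounts instead of delegating to an IDaaS, several of the checklist items above have to be implemented in code. The following is an added example, not from the slides or from Azure AD, using only Python's standard library: password strength, reuse against a hash history, PBKDF2-HMAC-SHA256 with a random per-user salt (a NIST-approved construction), and lockout after repeated failures. The policy numbers (length, history depth, failure threshold, iteration count) are constructed sample values.

```python
"""Password and account-policy enforcement (added example, not from the slides)."""
import hashlib
import hmac
import os
import time
from typing import List, Optional, Tuple

# Constructed policy values for the example; tune them for your own policy.
MIN_LENGTH = 12
HISTORY_DEPTH = 5            # previous hashes a new password may not match
MAX_FAILURES = 5             # consecutive failures before lockout
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 100_000  # kept low so the example runs quickly; raise it in production
SALT_BYTES = 16
DERIVED_KEY_BYTES = 32


def password_meets_policy(password: str) -> bool:
    """Minimum length plus at least three character classes."""
    if len(password) < MIN_LENGTH:
        return False
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(classes) >= 3


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a fresh random salt unless one is supplied for verification."""
    salt = salt or os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS, dklen=DERIVED_KEY_BYTES)
    return salt, dk


class Account:
    def __init__(self, username: str, initial_password: str) -> None:
        if not password_meets_policy(initial_password):
            raise ValueError("initial password violates policy")
        self.username = username
        self.history: List[Tuple[bytes, bytes]] = []   # (salt, derived key), newest last
        self.failures = 0
        self.locked_until = 0.0
        self._store(initial_password)

    def _store(self, password: str) -> None:
        self.history.append(hash_password(password))
        del self.history[:-HISTORY_DEPTH]   # keep only the last HISTORY_DEPTH entries

    def _matches(self, password: str, salt: bytes, dk: bytes) -> bool:
        # Constant-time comparison of the recomputed derived key.
        return hmac.compare_digest(hash_password(password, salt)[1], dk)

    def change_password(self, new_password: str) -> bool:
        """Reject weak passwords and any password still in the recent history."""
        if not password_meets_policy(new_password):
            return False
        if any(self._matches(new_password, s, d) for s, d in self.history):
            return False
        self._store(new_password)
        return True

    def login(self, password: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'locked' or 'failed'; the caller learns nothing more specific."""
        now = time.time() if now is None else now
        if now < self.locked_until:
            return "locked"
        salt, dk = self.history[-1]
        if self._matches(password, salt, dk):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failures = 0
        return "failed"
```

The `login` result is deliberately coarse: a caller should not be able to tell a locked account from a wrong password beyond what the policy requires, and every outcome is something the audit log (a later slide) should record.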
  • 17. IDaaS / Azure AD – how can it help?
    - Initial password issuance ✔
    - Password strength ✔
    - Password reuse ✔
    - Frequency of change ✔
    - Admin password special requirements ✔
    - Hash algorithms / key lengths ✔
    - Inactivity, login failure, account blocking ✔
    - Non-obvious account names ✔
    - Delivery of account/password materials ✔
    - De-provisioning / access revocation ✔
    - No sharing of accounts ✔
  • 18. Typical Capabilities
    - Browser Based Authentication
    - Mobile Device Authentication
    - Multi-Factor Authentication
    - Login to your corporate directory
    - Single Sign On (to SaaS apps)
    - Social Login
  • 20. How else does IDaaS help?
    - DDOS prevention at the provider, not at your app
    - User Management
    - Block suspicious login
    - Prompt for MFA
    - Protocol based protection at the app (OpenID Connect / OAuth2)
    - Centralized user deprovisioning
    - Audit logs, reports
    - Compliance
  • 21. Authorization
  • 22. Authorization Requirements
    - Access control requirements across apps
    - API security
    - Session lifetime, timeout
    - Data isolation, tenancy
  • 23. [Diagram: Application Topology. Browser with JavaScript Web App and JS Web API; Server Process; Mobile App and Mobile Web API; Partner and Third Party Apps calling the Partner Web API through an API Gateway; Queues; all in front of the Backend Web API.]
  • 24. [Diagram: Application Topology - Secured. The same components as slide 23 with an Authorization Server added; LOGIN at the browser, mobile and partner / third-party entry points.]
  • 25. [Diagram: OIDC / Implicit Passive Redirect. Numbered exchange (1–7) between the Browser, the Web Site and the IDaaS: OIDC Request, Login Page, POST Credentials, Authenticate, Issue Token, Set Cookie.]
  • 27. [Diagram: JavaScript calls to Web API (2). The token is embedded in the page served to the browser; the HTML/JS passes it in the Authorization header on each call; the Web API validates the token and authorizes access.]
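The "Validate Token / Authorize Access" step in the diagram is where most API-side mistakes happen, so here is an added example (not from the slides, and not Azure AD's own validation code) of the checks a Web API performs on the bearer token it receives. It is stdlib-only Python for an HMAC-signed (HS256) JWT: tokens from an IDaaS such as Azure AD are normally RS256-signed and verified against the provider's published signing keys, so the shared secret here is a constructed simplification that lets the example run offline. The issuer, audience, scope name and secret are sample values.

```python
"""Bearer-token validation on a Web API (added example; not from the slides)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample configuration: what this API trusts.
EXPECTED_ISSUER = "https://login.example.test/"
EXPECTED_AUDIENCE = "api://orders"
SHARED_SECRET = b"constructed-demo-secret-do-not-use"
ALLOWED_ALGS = {"HS256"}   # explicit allowlist: 'none' and algorithm confusion are rejected


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def mint_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Issuer side (the IDaaS in the diagram), included only so the example is self-contained."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_bearer(authorization_header: str, now: Optional[float] = None,
                    secret: bytes = SHARED_SECRET) -> dict:
    """Return the verified claims or raise ValueError; any failure is a rejection."""
    now = time.time() if now is None else now
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise ValueError("missing bearer token")
    try:
        h_seg, p_seg, s_seg = token.split(".")
        header = json.loads(_b64url_decode(h_seg))
        claims = json.loads(_b64url_decode(p_seg))
        signature = _b64url_decode(s_seg)
    except ValueError:                       # covers binascii, JSON and unpacking errors
        raise ValueError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("unsupported alg")
    expected = hmac.new(secret, f"{h_seg}.{p_seg}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):   # constant-time compare
        raise ValueError("bad signature")
    # Signature verified; now the claims the API relies on.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")
    if now < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    return claims


def is_authorized(authorization_header: str, required_scope: str,
                  now: Optional[float] = None) -> bool:
    """Authorize access: a valid token AND the scope this endpoint requires."""
    try:
        claims = validate_bearer(authorization_header, now)
    except ValueError:
        return False
    return required_scope in claims.get("scp", "").split()
```

Authentication (the signature, issuer and expiry) and authorization (the scope the endpoint needs) are separate decisions; a token that verifies is still refused when it was issued for another audience or lacks the required scope.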
  • 29. Data protection
  • 30. Do you ever have to “fix” things in the production db?
  • 31. Database Access Requirements
    - Limited to individuals
    - Application / system accounts
    - Few admin / read only
    - All access to data is controlled via applications
    - Never, never, never log in to the database and fix issues directly with content/data
      - At least this is the goal
      - Build tools to solve data problems instead, track repeat offenders
  • 32. Data Protection Requirements
    - Encryption in transit, at rest, in use
    - Crypto
      - NIST approved
      - Use code modules with FIPS-140-compliance
      - Vendor List: http://csrc.nist.gov/cryptval/
    - No sharing of identifiable information
      - Identifiers, PII, PHI
  • 33. [Diagram: Data Encryption. Azure Portal and Azure Data Centers; Azure encrypts most communications (HTTPS).]
    Azure provides a number of options for encryption and data protection. Customers can use:
    - HTTPS to storage
    - HTTPS all endpoints
    - TLS web client to server
  • 34. Ever copy production data for dev/test?
  • 35. SQL DB Data Masking
  • 36. Key Management
  • 37. [Diagram: Blob Storage Keys and SAS. The Service holds the storage keys and has full access (create, update, delete, read, list) to a Public Blob and a Private Container. A Browser Client gets read access to the private container for a limited time with a Shared Access Signature (SAS), derived from a shared access key or a shared access policy. A SAS longer than 1 hour requires the authentication header in the request (no browser).]
  • 38. Key Vault
    - Store your private keys, shared secrets, other connections, securely
    - FIPS compliant option HSM storage ($$)
    - Examples
      - Private keys, certs, passwords
      - Connection strings
      - Secrets and account names for service bus, storage, search, redis, etc.
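The pattern in the diagram is that the service keeps the storage key and hands the browser only a short-lived, narrowly scoped signature. The block below is an added example of that pattern, not Azure's SAS implementation: the string-to-sign, the query parameter names and the account URL are a constructed simplification so the example runs offline, and a real SAS is built with the storage SDK against Azure's documented format. The point it shows is which facts the signature must cover (resource, permission, expiry) so the storage side can refuse anything outside the grant.

```python
"""Time-limited read access to a private blob via a signed URL (added example)."""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample values; the account key belongs in Key Vault, not in code.
ACCOUNT_KEY = b"constructed-storage-account-key"
ACCOUNT_URL = "https://demoaccount.blob.example.test"


def _sign(key: bytes, canonical: str) -> str:
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def _string_to_sign(container: str, blob: str, permission: str, expiry: int) -> str:
    # Everything the verifier enforces must be covered by the signature,
    # otherwise the holder could change it without invalidating the signature.
    return "\n".join(["/" + container + "/" + blob, permission, str(expiry)])


def issue_read_url(container: str, blob: str, ttl_seconds: int = 600,
                   now: Optional[float] = None) -> str:
    """Service side: mint a URL valid for one blob, read-only, until expiry."""
    now = time.time() if now is None else now
    expiry = int(now) + ttl_seconds
    sig = _sign(ACCOUNT_KEY, _string_to_sign(container, blob, "r", expiry))
    query = urlencode({"sp": "r", "se": expiry, "sig": sig})
    return f"{ACCOUNT_URL}/{container}/{blob}?{query}"


def authorize_request(url: str, operation: str, now: Optional[float] = None) -> bool:
    """Storage side: recompute the signature from the request and enforce scope and expiry."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    try:
        _, container, blob = parts.path.split("/", 2)
        permission, expiry, sig = q["sp"], int(q["se"]), q["sig"]
    except (ValueError, KeyError):
        return False
    if now >= expiry:                    # an expired grant is refused outright
        return False
    if operation not in permission:      # 'r' grants read only; 'd' (delete) is refused
        return False
    expected = _sign(ACCOUNT_KEY, _string_to_sign(container, blob, permission, expiry))
    return hmac.compare_digest(expected, sig)
```

Because the resource path, permission and expiry are all inside the signed string, editing any of them in the URL (pointing it at another blob, adding a permission, pushing the expiry out) produces a signature mismatch rather than a wider grant.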
  • 39. Logging / Audit
  • 40. Logging / Audit Requirements
    - Log access to infrastructure, host environment
    - Log all admin access
    - All login, failure, retry, lockout, logout
    - No PII/PHI in logs
    - Retention policy 1 year (typically)
  • 41. Do you review your logs actively?
  • 42. Azure Security Center
    - Recommend actions to take to secure your VMs
    - Define policies
    - Export logs for analysis
    - Integration with Operations Management System (OMS)
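Two of the requirements above pull against each other: every login outcome must be recorded, yet the record must not contain PII or PHI. The following is an added example (not from the slides) of one way to reconcile them in Python: the subject is replaced by a keyed pseudonym so repeated failures or lockouts for one account can still be correlated, and a `logging` filter redacts e-mail and SSN shapes that slip into free-text messages. The pseudonym key, event names and sample values are constructed.

```python
"""Audit logging without PII/PHI (added example; not from the slides)."""
import hashlib
import hmac
import json
import logging
import re

PSEUDONYM_KEY = b"constructed-audit-pseudonym-key"   # keep in Key Vault in production

# Shapes that must never reach a log line. Extend for your own data (MRNs, card numbers, ...).
_REDACT = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[ssn]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "[email]"),
]


def redact(text: str) -> str:
    """Replace anything that looks like an identifier with a type label."""
    for pattern, label in _REDACT:
        text = pattern.sub(label, text)
    return text


def pseudonym(subject: str) -> str:
    """Stable, keyed, non-reversible handle for a user: same input, same output."""
    return hmac.new(PSEUDONYM_KEY, subject.lower().encode(), hashlib.sha256).hexdigest()[:16]


class RedactingFilter(logging.Filter):
    """Scrubs formatted messages before any handler sees them."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def audit_event(event: str, subject: str, outcome: str, **extra) -> str:
    """Build one JSON audit line (login/failure/retry/lockout/logout) with no direct identifiers."""
    line = {"event": event, "subject": pseudonym(subject), "outcome": outcome}
    for key, value in extra.items():
        line[key] = redact(str(value))
    return json.dumps(line, sort_keys=True)


def make_audit_logger(name: str = "audit") -> logging.Logger:
    """Logger whose records pass through the redacting filter."""
    logger = logging.getLogger(name)
    logger.addFilter(RedactingFilter())
    return logger
```

The pseudonym is keyed rather than a plain hash so that someone holding the logs cannot confirm a guessed e-mail address by hashing it; rotating the key deliberately breaks correlation across retention periods.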
  • 43. COMPLIANCE in general
  • 44. Compliance Requirements
    - Infrastructure
      - ISO 27001
      - SAS 70 Type II, SSAE 16
    - Audit
      - Third party review / NIST SP 800-53
      - Third party pen test OWASP or OSSTMM
      - Third party NESSUS scan
    http://azure.microsoft.com/en-us/support/trust-center/compliance/
  • 45. Compliance and Certifications (Audit / Certified / * In Progress)
    Azure’s certification process is ongoing with annual updates and increasing breadth of coverage. Azure manages compliance with:
    - ISO 27001
    - SOC1 / SOC2
    - HIPAA BAA
    - DPA / EU-MC
    - UK G-Cloud / IL2
    - PCI DSS
    - FedRAMP
  • 46. About Michele
    - Michele Leroux Bustamante
    - michelebusta@solliance.net
    - @michelebusta
    - Solliance Cofounder
    - Cloud / Security Architect
    - Microsoft Regional Director since 2003
    - Microsoft MVP – Microsoft Azure
    - Azure Elite, Azure Insider

Editor's Notes

  1. Design Practices for a Secure Azure Solution When companies endeavor to move their applications and services to the cloud, they tend to worry more about security up front. Interestingly, platforms such as Azure provide an even more secure environment than most self-managed co-location facilities can hope to offer, not to mention the plethora of features on the platform that help you secure your solutions end to end. In this session Michele will review the mini-avalanche that comprises Azure security across features. Taking the architect's view of the platform (with demos) she’ll cover best practices for securing Azure solutions end to end and discuss the tangential benefits of moving to Azure and how it can help you with checking the boxes on those pesky security surveys.
  2. Customers worry about cloud security.
     But the truth is, the cloud can also improve the security of your solution in some ways.
     The remaining issues are probably issues whether you are in the cloud or not.
  3. When you think about security for a solution, what do you think about? From a high level… list…
     In this session, I want to take you through the types of questions I frequently encounter helping customers “prove their security” to their customers.
     We will review the topics listed here and, within each, some of the key questions I see on questionnaires that ask people for proof of trust.
     In the process, I’ll draw from the special sauce Azure provides in terms of features for data protection, key management, identity, networking and generally secure solution design and implementation.
  4. Easy win, if you word it right.
     Do you have DDOS protection measures in place?
     Do you have appropriate isolation? Assurance of packet routing to the correct tenant?
     Do you have appropriate network boundaries to protect data/assets? (this is on you)
  5. Azure fabric provides 3 layers of DOS prevention before traffic reaches your servers.
     You can further secure your VMs with software firewalls, appliances, IDS (specific client rules, not just packet patterns).
     Add networking tiers, VPN and dedicated ExpressRoute if you have $.
     Azure is part of a hacking challenge; constantly pen testing looking for holes, practicing recovery.
  6. Also related to infrastructure: VM security.
     Do you keep patched? Do you remove guest accounts? Least privilege for services? Access to logs for forensic study?
     Will show ASC and OMS later.
     Patch a machine with Resource Manager (get RM, update something, redeploy).
  7. Portal tour
  8. Also related to infrastructure: VM security.
     Do you keep patched? Do you remove guest accounts? Least privilege for services? Access to logs for forensic study?
     Will show ASC and OMS later.
     Patch a machine with Resource Manager (get RM, update something, redeploy).
  9. Good practice topology to check that box.
     There are other ways to be secure calling the db: defense in depth, IP restrictions, protected account creds, roles and separation of tables.
  10. For example, you may build a multi-tier IaaS deployment.
     Use subnets and network security groups to ensure appropriate restrictions to subnet 2 and 3.
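The topology requirement on slide 9 ("database should not be accessible from Internet facing applications") and the subnet/NSG advice in this note are easy to state and easy to get subtly wrong, because Azure's default inbound rules allow all traffic from inside the virtual network. The block below is an added example, not Azure's rule engine or CLI: a simplified Python model of how NSG rules are evaluated (lowest priority number first, first match decides, default rules last), used to assert that the SQL subnet is reachable only from the back-end subnet. The address plan, rule names and IPs are constructed sample values.

```python
"""Checking a subnet-isolation topology against NSG-style rules (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed sample address plan for Subnet1/2/3 from the slide.
VNET = ip_network("10.0.0.0/16")
SUBNET_WEB = ip_network("10.0.1.0/24")
SUBNET_BACKEND = ip_network("10.0.2.0/24")
SUBNET_SQL = ip_network("10.0.3.0/24")


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # user rules 100..4096; lower number is evaluated first
    access: str            # "Allow" or "Deny"
    protocol: str          # "Tcp", "Udp" or "*"
    source: str            # "Internet", "VirtualNetwork" or a CIDR
    dest_ports: Tuple[int, int]   # inclusive range

    def matches(self, src_ip, proto: str, port: int) -> bool:
        if self.protocol not in ("*", proto):
            return False
        lo, hi = self.dest_ports
        if not lo <= port <= hi:
            return False
        if self.source == "Internet":          # simplification: anything outside the VNet
            return src_ip not in VNET
        if self.source == "VirtualNetwork":
            return src_ip in VNET
        return src_ip in ip_network(self.source)


# Modelled on Azure's default inbound rules: VNet traffic allowed, then deny everything.
DEFAULT_INBOUND = (
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", (0, 65535)),
    Rule("DenyAllInBound", 65500, "Deny", "*", "0.0.0.0/0", (0, 65535)),
)


def evaluate(rules: List[Rule], src: str, proto: str, port: int) -> str:
    """First matching rule by ascending priority decides; defaults are evaluated last."""
    src_ip = ip_address(src)
    for rule in sorted(rules, key=lambda r: r.priority) + list(DEFAULT_INBOUND):
        if rule.matches(src_ip, proto, port):
            return rule.access
    return "Deny"


# NSG on Subnet3 (SQL). Without the explicit VirtualNetwork deny, AllowVnetInBound
# would let the web subnet reach the database directly, bypassing the back-end tier.
SQL_SUBNET_NSG = [
    Rule("AllowBackendSql", 100, "Allow", "Tcp", str(SUBNET_BACKEND), (1433, 1433)),
    Rule("DenyInternetAll", 200, "Deny", "*", "Internet", (0, 65535)),
    Rule("DenyVnetAll", 4000, "Deny", "*", "VirtualNetwork", (0, 65535)),
]

# NSG on Subnet1 (web): only HTTP/S from the Internet.
WEB_SUBNET_NSG = [
    Rule("AllowHttps", 100, "Allow", "Tcp", "Internet", (443, 443)),
    Rule("AllowHttp", 110, "Allow", "Tcp", "Internet", (80, 80)),
    Rule("DenyInternetAll", 200, "Deny", "*", "Internet", (0, 65535)),
]


def topology_violations() -> List[str]:
    """Return the checks from the slide that fail; an empty list means the topology holds."""
    checks = {
        "sql reachable from Internet": evaluate(SQL_SUBNET_NSG, "203.0.113.10", "Tcp", 1433) == "Allow",
        "sql reachable from web subnet": evaluate(SQL_SUBNET_NSG, "10.0.1.4", "Tcp", 1433) == "Allow",
        "sql NOT reachable from back end": evaluate(SQL_SUBNET_NSG, "10.0.2.4", "Tcp", 1433) != "Allow",
        "web does not serve 443": evaluate(WEB_SUBNET_NSG, "203.0.113.10", "Tcp", 443) != "Allow",
        "web exposes RDP": evaluate(WEB_SUBNET_NSG, "203.0.113.10", "Tcp", 3389) == "Allow",
    }
    return [name for name, failed in checks.items() if failed]
```

The check worth keeping from this is the one against the default rules: evaluating the SQL NSG with `DenyVnetAll` removed shows the web subnet reaching port 1433 through `AllowVnetInBound`, which is exactly the path the slide says must not exist.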
  11. Can also achieve this with PaaS using app service environment
  12. In this case, Azure-only access to SQL; otherwise firewall rules.
     Can still shield behind an API to public access and call from inside your Azure services.
     Service Fabric endpoints can’t be reached without an HTTP endpoint exposed, so the physical tier is only needed if you have a compliance requirement.
  13. Only the cluster has access Still may need token flow, however
  14. From a checklist perspective, a lot of requests for proof of recommended practices for password and user account management
  15. Password writeback Multifactor auth
  16. Password writeback Multifactor auth
  17. Seems obvious but these are also important questions that pop up
  18. FIDO on Windows 10
  19. Many features for encryption out of the box:
     in transit, all HTTPS within Azure;
     only BitLocker-encrypted VHDs uploaded;
     SQL Server TDE, SQL masking.
  20. What should you do?
     At minimum, use dynamic data masking after copying, for all PII.
     Ideally, do not copy; mask it on the way: maskme.net
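Slide 35 and this note both point at masking: either let Azure SQL Dynamic Data Masking hide columns after the copy, or, better, mask on the way so the real values never land in dev/test. The block below is an added example of the "mask on the way" option, not the database feature and not maskme.net: application code run over row dictionaries, with masking functions shaped like the Dynamic Data Masking functions (email, partial, default, random) so the two approaches produce similar-looking data. The table, column policy and sample rows are constructed.

```python
"""Masking PII while copying production rows for dev/test (added example)."""
import random
import re
from typing import Callable, Dict, Iterable, List

Masker = Callable[[object], object]


def mask_email(value: str) -> str:
    """Keep the first letter and the top-level domain, e.g. 'aXXX@XXXX.com'."""
    local, _, domain = str(value).partition("@")
    tld = domain.rsplit(".", 1)[-1] if "." in domain else "com"
    return f"{local[:1]}XXX@XXXX.{tld}"


def mask_partial(prefix: int, padding: str, suffix: int) -> Masker:
    """Expose only the first `prefix` and last `suffix` characters."""
    def _mask(value):
        s = str(value)
        if len(s) <= prefix + suffix:
            return padding
        return s[:prefix] + padding + s[len(s) - suffix:]
    return _mask


def mask_default(value):
    """Full mask by type: strings to 'xxxx', numbers to 0, anything else to None."""
    if isinstance(value, str):
        return "xxxx"
    if isinstance(value, (int, float)):
        return 0
    return None


def mask_random(low: int, high: int, seed: int = 0) -> Masker:
    rng = random.Random(seed)           # seeded so the dev/test copy is reproducible
    return lambda value: rng.randint(low, high)


# Constructed column policy for a 'patients' table: every PII/PHI column gets a masker.
PATIENT_POLICY: Dict[str, Masker] = {
    "email": mask_email,
    "ssn": mask_partial(0, "XXX-XX-", 4),
    "phone": mask_partial(3, "-XXX-", 4),
    "diagnosis": mask_default,
    "age": mask_random(18, 90),
}

# Shapes that indicate an unmasked column is carrying PII after all.
PII_PATTERNS = [re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),      # SSN
                re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")]   # e-mail


def copy_with_masking(rows: Iterable[Dict], policy: Dict[str, Masker]) -> List[Dict]:
    """Apply the policy to each row; refuse rows where a column outside the policy still looks like PII."""
    out = []
    for row in rows:
        masked = {col: (policy[col](val) if col in policy else val) for col, val in row.items()}
        for col, val in masked.items():
            if col not in policy and isinstance(val, str) and any(p.search(val) for p in PII_PATTERNS):
                raise ValueError(f"column {col!r} is not covered by the masking policy but looks like PII")
        out.append(masked)
    return out


# Constructed sample rows (not real data).
SAMPLE_ROWS = [
    {"id": 1, "email": "alice@contoso.example", "ssn": "123-45-6789",
     "phone": "555-123-4567", "diagnosis": "asthma", "age": 34},
    {"id": 2, "email": "bob@fabrikam.example", "ssn": "987-65-4321",
     "phone": "555-987-6543", "diagnosis": "none", "age": 58},
]
```

The copy fails closed: a new column added to production that the policy has not caught up with aborts the copy if it carries an identifier shape, instead of silently landing in the test database.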
  21. Server=tcp:snapboarddemo.database.windows.net,1433;Database=SnapboardTdeCopy;User ID=snapadmin@snapboarddemo;Password={your_password_here};Encrypt=True;TrustServerCertificate=False;Connection Timeout=30; Sn@pB0rdDemo