Security nowadays is just a buzzword. Even so, in this session we discover together the most important security best practices that we, as .NET developers, need to take into consideration when we develop an application for Microsoft Azure.
2. “If you reveal your secrets to the wind, you should not blame the wind for revealing them to the trees”
Kahlil Gibran
3. 80% OF SECURITY BREACHES INVOLVE PRIVILEGED CREDENTIALS
https://www.tripwire.com/state-of-security/security-data-protection/why-pam-cisos-top-priority
4. VEEAM | 200GB | CUSTOMER DATA | AWS S3
AWS EC2 | PUBLIC IP | UNSECURE DATABASE
https://www.venafi.com/blog/7-data-breaches-caused-human-error-did-encryption-play-role
5. Agenda
1. SHARED RESPONSIBILITY MODEL
2. SECRETS AND ACCESS MANAGEMENT
3. REPO AND CLOUD SECRETS
4. APP CONFIGURATION
5. STORAGE
6. AZURE SQL
7. WEB ENDPOINTS
8. SECURITY CENTER AND AZURE ADVISOR
9. CONCLUSION
10. BONUS - RESOURCES
22. Azure RBAC
Azure role-based access control
Duty segregation within your team
Grant only the amount of access to users that they need to perform their jobs
Specific permissions create unneeded complexity and confusion, accumulating into a “legacy” configuration that’s difficult to fix without fear of breaking something.
Avoid resource-specific permissions. Instead, use management groups for enterprise-wide permissions and resource groups for permissions within subscriptions.
Avoid user-specific permissions. Instead, assign access to groups in Azure AD.
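The two RBAC rules above (grant to Azure AD groups, not individual users; scope at management group, subscription or resource group level, not at single resources) are easy to check mechanically against an exported list of role assignments. The script below is an added example, not code from the talk: the records are constructed for this demo and mirror the fields of `az role assignment list -o json` (principalName, principalType, roleDefinitionName, scope); the subscription and group ids are placeholders.

```python
"""Audit Azure RBAC role assignments against the slide's two rules:
grant to Azure AD groups rather than individual users, and scope at the
management group / subscription / resource group level rather than at a
single resource.

Added example. Records are constructed and mirror the shape of
`az role assignment list -o json`; all ids are placeholders."""
import re

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription id

ASSIGNMENTS = [  # constructed sample, not a real tenant
    {"principalName": "sg-platform-readers", "principalType": "Group",
     "roleDefinitionName": "Reader",
     "scope": "/providers/Microsoft.Management/managementGroups/contoso-root"},
    {"principalName": "sg-app-devs", "principalType": "Group",
     "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-app-prod"},
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner",
     "scope": SUB},
    {"principalName": "sg-storage-ops", "principalType": "Group",
     "roleDefinitionName": "Storage Blob Data Contributor",
     "scope": SUB + "/resourceGroups/rg-app-prod/providers/Microsoft.Storage/storageAccounts/stappprod001"},
    {"principalName": "sp-ci-deployer", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-app-prod"},
]

_MG = re.compile(r"/providers/microsoft\.management/managementgroups/[^/]+")
_SUB = re.compile(r"/subscriptions/[^/]+")
_RG = re.compile(r"/subscriptions/[^/]+/resourcegroups/[^/]+")


def scope_level(scope: str) -> str:
    """Classify an ARM scope string. ARM scopes are case-insensitive, so compare lower-cased."""
    s = scope.lower().rstrip("/") or "/"
    if s == "/":
        return "tenantRoot"
    if _MG.fullmatch(s):
        return "managementGroup"
    if _SUB.fullmatch(s):
        return "subscription"
    if _RG.fullmatch(s):
        return "resourceGroup"
    if s.startswith("/subscriptions/") and "/providers/" in s:
        return "resource"
    return "unknown"


def audit(assignments):
    """Return (principalName, role, finding) for each assignment that breaks a slide rule.
    Service principals are not flagged: the slide's rule is about human users."""
    findings = []
    for a in assignments:
        if a["principalType"] == "User":
            findings.append((a["principalName"], a["roleDefinitionName"],
                             "user-specific assignment; assign the role to an Azure AD group instead"))
        if scope_level(a["scope"]) == "resource":
            findings.append((a["principalName"], a["roleDefinitionName"],
                             "resource-specific scope; assign at resource group or management group scope"))
    return findings


if __name__ == "__main__":
    for name, role, why in audit(ASSIGNMENTS):
        print(f"{name} ({role}): {why}")
```

Run it against the real export by replacing `ASSIGNMENTS` with the parsed JSON from the CLI; the two findings on the constructed sample are the user-level Owner grant and the group scoped to one storage account.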
38. ENCRYPTION | FIREWALL | IP FW RULES
AUTHENTICATION USING IAM
TLS TDA
ENABLE THREAT DETECTION
39. COLUMN-LEVEL ENCRYPTION
ID NAME PHONE NO CITY AGE SALARY COMPANY ROLE
1 MIKE 07533232 CLUJ 24 2000 OFFICE SSE
2 RADU 07433423 CLUJ 32 1300 BORSEC JSE
3 IOAN 0775432 CLUJ 30 4000 BORSEC SDO
4 PAUL 0792321 CLUJ 39 3400 OFFICE LES
5 GITA 0784234 ORADEA 30 1400 OFFICE SSE
6 OANA 0712343 ORADEA 32 2200 BORSEC LES
7 ALEX 0742932 ORADEA 29 2000 OFFICE SUX
40. COLUMN-LEVEL ENCRYPTION
ID NAME PHONE NO CITY AGE SALARY COMPANY ROLE
1 MIKE 07533232 CLUJ 24 0 OFFICE SSE
2 RADU 07433423 CLUJ 32 0 BORSEC JSE
3 IOAN 0775432 CLUJ 30 0 BORSEC SDO
4 PAUL 0792321 CLUJ 39 0 OFFICE LES
5 GITA 0784234 ORADEA 30 0 OFFICE SSE
6 OANA 0712343 ORADEA 32 0 BORSEC LES
7 ALEX 0742932 ORADEA 29 0 OFFICE SUX
41. CELL-LEVEL ENCRYPTION
ID NAME PHONE NO CITY AGE SALARY COMPANY ROLE
1 MIKE 07533232 CLUJ 24 2000 OFFICE SSE
2 RADU 07433423 CLUJ 32 1300 BORSEC JSE
3 IOAN 0775432 CLUJ 30 4000 BORSEC SDO
4 PAUL 0792321 CLUJ 39 3400 OFFICE LES
5 GITA 0784234 ORADEA 30 1400 OFFICE SSE
6 OANA 0712343 ORADEA 32 2200 BORSEC LES
7 ALEX 0742932 ORADEA 29 2000 OFFICE SUX
42. CELL-LEVEL ENCRYPTION
ID NAME PHONE NO CITY AGE SALARY COMPANY ROLE
1 MIKE 07533232 CLUJ 24 0 OFFICE SSE
2 RADU 07433423 CLUJ 32 1300 BORSEC JSE
3 IOAN 0775432 CLUJ 30 4000 BORSEC SDO
4 PAUL 0792321 CLUJ 39 0 OFFICE LES
5 GITA 0784234 ORADEA 30 0 OFFICE SSE
6 OANA 0712343 ORADEA 32 2200 BORSEC LES
7 ALEX 0742932 ORADEA 29 0 OFFICE SUX
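Slides 39 to 42 contrast column-level encryption (every SALARY value is protected; slide 40 shows the whole column unreadable) with cell-level encryption (only selected cells are protected; in slide 42 exactly the OFFICE employees' salaries are unreadable while the BORSEC rows stay in clear). The script below is an added example, not code from the talk. It emulates both granularities client-side on an in-memory sqlite3 table so that the difference between what the database stores and what the application sees is visible. The rows are constructed to match the slide tables. The cipher is a stdlib stand-in (an HMAC-SHA256 keystream with a separate HMAC tag, encrypt-then-MAC) used only so the example runs without third-party packages; on Azure SQL the equivalents are Always Encrypted for column-level protection and ENCRYPTBYKEY/DECRYPTBYKEY for cell-level work.

```python
"""Column-level vs cell-level encryption of the SALARY column, emulated on
an in-memory sqlite3 table.

Added example. Rows are constructed to match the slide tables. The cipher
is a stdlib stand-in (HMAC-SHA256 keystream + HMAC tag), not a production
construction; it exists only so the demo runs offline."""
import hashlib
import hmac
import os
import sqlite3

EMPLOYEES = [  # constructed, same values as the slide tables
    (1, "MIKE", "07533232", "CLUJ", 24, 2000, "OFFICE", "SSE"),
    (2, "RADU", "07433423", "CLUJ", 32, 1300, "BORSEC", "JSE"),
    (3, "IOAN", "0775432", "CLUJ", 30, 4000, "BORSEC", "SDO"),
    (4, "PAUL", "0792321", "CLUJ", 39, 3400, "OFFICE", "LES"),
    (5, "GITA", "0784234", "ORADEA", 30, 1400, "OFFICE", "SSE"),
    (6, "OANA", "0712343", "ORADEA", 32, 2200, "BORSEC", "LES"),
    (7, "ALEX", "0742932", "ORADEA", 29, 2000, "OFFICE", "SUX"),
]


def _subkeys(key: bytes):
    # Derive separate confidentiality and integrity keys from one master key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt_value(key: bytes, value: int) -> bytes:
    """Return nonce || ciphertext || tag for one salary cell."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    data = str(value).encode()
    ct = bytes(p ^ k for p, k in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_value(key: bytes, blob: bytes) -> int:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("salary cell failed integrity check")
    return int(bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode())


def load_table(key: bytes, mode: str, predicate=lambda row: True) -> sqlite3.Connection:
    """mode 'column': every SALARY cell is encrypted before INSERT (slide 40).
    mode 'cell': only rows where predicate(row) is true are encrypted (slide 42)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER, name TEXT, phone TEXT, city TEXT, "
                 "age INTEGER, salary, company TEXT, role TEXT)")
    for row in EMPLOYEES:
        row = list(row)
        if mode == "column" or (mode == "cell" and predicate(row)):
            row[5] = encrypt_value(key, row[5])  # index 5 is SALARY
        conn.execute("INSERT INTO employees VALUES (?,?,?,?,?,?,?,?)", row)
    return conn


def dba_view(conn):
    """What anyone with SELECT on the table sees: encrypted cells are opaque blobs,
    rendered here as 0 the way the slides depict them."""
    return [(r[1], 0 if isinstance(r[5], bytes) else r[5])
            for r in conn.execute("SELECT * FROM employees ORDER BY id")]


def app_view(conn, key: bytes):
    """What the application holding the key sees after decrypting the encrypted cells."""
    return [(r[1], decrypt_value(key, r[5]) if isinstance(r[5], bytes) else r[5])
            for r in conn.execute("SELECT * FROM employees ORDER BY id")]


if __name__ == "__main__":
    key = os.urandom(32)
    col = load_table(key, "column")
    cell = load_table(key, "cell", predicate=lambda row: row[6] == "OFFICE")
    print("column-level, DBA sees:", dba_view(col))
    print("cell-level,   DBA sees:", dba_view(cell))
    print("application sees:      ", app_view(cell, key))
```

The cell-level predicate here (`company == "OFFICE"`) reproduces slide 42 exactly; in practice the predicate is whatever business rule decides which cells are sensitive, and the key never reaches the database, which is the property the slides are illustrating.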
54. Definitive Guide to Azure Security
1. Security policy
Ensure the following are set to on for virtual machines:
• ‘OS vulnerabilities’ is set to on.
• ‘Endpoint protection’ is set to on.
• ‘JIT network access’ is set to on.
2. Identity and access management
• Ensure that for all users, multi-factor authentication is enabled.
• Ensure that ‘users can consent to apps accessing company data on their behalf’ is set to no.
• Ensure that ‘restrict access to Azure AD administration portal’ is set to yes.
3. Storage accounts
Ensure the following are set to enabled:
• ‘Secure transfer required’ is set to enabled.
• ‘Storage service encryption’ is set to enabled.
4. SQL services
On SQL databases or servers, ensure the following are set to on:
• ‘Auditing’ is set to on.
• ‘Threat detection’ is set to on.
• ‘Transparent data encryption’ is set to on.
5. Networking
Ensure the following are disabled on network security groups from the internet:
• Disable RDP.
• Disable SSH.
• Disable telnet (port 23).
6. Virtual machines
• Install endpoint protection for virtual machines.
• Enable latest OS patch updates for virtual machines.
• Enforce disk encryption on virtual machines.
7. Miscellaneous
• Secure the subscription.
• Minimize the number of admins/owners.
• Do not grant permissions to external accounts (i.e., accounts outside the native directory for the subscription).
https://www.skyhighnetworks.com/cloud-security-blog/73-azure-security-best-practices/
55. Security Best Practices for Azure solutions
https://azure.microsoft.com/en-us/resources/security-best-practices-for-azure-solutions/
Veeam—Customer records compromised by unprotected database Near the end of August 2018, the Shodan search engine indexed an Amazon-hosted IP. Bob Diachenko, director of cyber risk research at Hacken.io, came across the IP on 5 September and quickly determined that the IP resolved to a database left unprotected by the lack of a password. The exposed database contained 200 gigabytes worth of data belonging to Veeam, a backup and data recovery company. Among that data were customer records including names, email addresses and some IP addresses.
How encryption may become a factor in scenarios like this: User names and passwords are a relatively weak way of securing private access. Plus, if an organization does not maintain complete control of the private keys that govern access for internal systems, attackers have a better chance of gaining access.
Impact: Within three hours of learning about the exposure, Veeam took the server offline. The company also reassured TechCrunch that it would “conduct a deeper investigation and… take appropriate actions based on our findings.”