Security nowadays is just a buzzword. Even so, by joining this session, we discover together what are the most important security best practices from a .NET developer point of view that we need to take into considerations when we develop an application for Microsoft Azure.

1. RADU VUNVULEA
Top 13 best security practices for
Azure

2. “If you reveal your secrets to the
wind, you should not blame the
wind for revealing them to the
trees”
Kahlil Gibran

3. 80% OF SECURITY BREACHES INVOLVE
PRIVILEGED CREDENTIALS
h t t p s: / / www. t rip wire . co m / st a t e -o f -se cu rit y/ se curit y -d a t a -pro t ect ion / wh y -p a m-cisos -t o p-p riorit y

4. VEEAM | 200GB | CUSTOMER DATA |
AWS S3
AWS EC2 | PUBLIC IP | UNSECURE
DATABASE
https://www.venafi.com/blog/7 -data-breaches-caused-human-error-did-encryption-play-role

5. 5
Agenda
1. SHARED RESPONSIBILITY MODEL
2. SECRETS AND ACCESS MANAGEMENT
3. REPO AND CLOUD SECRETS
4. APP CONFIGURATION
5. STORAGE
6. AZURE SQL
7. WEB ENDPOINTS
8. SECURITY CENTER AND AZURE ADVISOR
9. CONCLUSION
10. BONUS - RESOURCES

6. 1
Shared Responsibility Model
6

7. SECURE FOUNDATION
PHYSICAL
ASSETS
DATACENTER
OPERATIONS
CLOUD INFRASTRUCTURE
AND FABRIC
CLOUD PROVIDER PROVIDES BUILT-IN
CONTROLS
VM AND NETWORKS
APPS AND
WORKLOADS
DATA

8. APPLICATION
STORAGE COMPUTE
OPERATION
IAM
NETWORKING
DATA
MONITORING
CLOUD
PLATFORM
API CI/CD

9. 2
Secrets and Access Management
9

10. ACCESS KEYS | CONNECTION STRING
CONFIGURATION
ACCESS KEYS | CONNECTION STRING

11. AZURE KEY
VAULT
AZURE
DEDICATED
HSM
AWS KMS
AWS
CLOUDHSM

12. AZURE KEY
VAULT
AZURE
DEDICATED
HSM
AWS KMS
AWS
CLOUDHSM
CONNECTION STRING

13. AZURE KEY
VAULT
AZURE
DEDICATED
HSM
AWS KMS
AWS
CLOUDHSM
CONNECTION STRING
CERTIFICATES

14. AZURE KEY
VAULT
AZURE
DEDICATED
HSM
AWS KMS
AWS
CLOUDHSM
CONNECTION STRING
CERTIFICATES
KEYS

15. AZURE KEY
VAULT
AZURE
DEDICATED
HSM
AWS KMS
AWS
CLOUDHSM
CONNECTION STRING
CERTIFICATES
KEYS
SECRETS

16. AZURE KEY
VAULT
AZURE
DEDICATED
HSM
AWS KMS
AWS
CLOUDHSM
CONNECTION STRING
CERTIFICATES
KEYS
CERT | KEYS | SECRETS

18. OS ENVIRONMENTAL VARIABLES
SETX AZURE_CLIENT_ID 866CA31F-84AD-4F37-B90C-
381002C0878E
SETX AZURE_CLIENT_SECRET 378093A5-E2A4-465F-84B4-
D22C1351A63A
SETX AZURE_TENANT_ID DF0DA57D-3F3F-425C-BCB0-
63450109D642
SETX KEY_VAULT_NAME ITCAMP
STRING KEYVAULTNAME =
SYSTEM.GETENV("KEY_VAULT_NAME");
STRING KVURI = "HTTPS://" + KEYVAULTNAME +
".VAULT.AZURE.NET";
SECRETCLIENT SECRETCLIENT = NEW
SECRETCLIENTBUILDER()
.VAULTURL(KVURI)
.CREDENTIAL(NEW
DEFAULTAZURECREDENTIALBUILDER().BUILD())
.BUILDCLIENT();
SECRETCLIENT.SETSECRET(NEW
KEYVAULTSECRET("EVENT", "ITCAMP"));
KEYVAULTSECRET RETRIEVEDSECRET =
SECRETCLIENT.GETSECRET("EVENT");

19. Azure
RBAC
Azure
role-based
access
control
User Group Service
Principal
Managed
Identity
Security Principal
Role
Operation type (R/W/C/D)
Scope
Management Group
Subscription
Resource Group
Resource
Role assignment
Assign a security principal
Assign a scope
Assign a role
Development Group
Contributor
Dev and Playground Resource Group

20. Azure RBAC
Azurerole-basedaccesscontrol
Duty segregation within your team
Grant only the amount of access to users that they need to perform their jobs

21. Azure RBAC
Azurerole-basedaccesscontrol
Duty segregation within your team
Grant only the amount of access to users that they need to perform their jobs
RBAC
Specific permissions create unneeded complexity and confusion, accumulating into a “legacy”
configuration that’s difficult to fix without fear of breaking something.
!

22. Azure RBAC
Azurerole-basedaccesscontrol
Duty segregation within your team
Grant only the amount of access to users that they need to perform their jobs
RBAC
Specific permissions create unneeded complexity and confusion, accumulating into a “legacy”
configuration that’s difficult to fix without fear of breaking something.
Avoid resource-specific permissions. Instead, use management groups for enterprise-wide permissions
and resource groups for permissions within subscriptions.
Avoid user-specific permissions. Instead, assign access to groups in Azure AD

23. 3
Repo and Cloud Secrets
24

24. Premium Media
content
Dev Hero
Media Token
(SAS)
Storage
Account key
Repository
(e.g. GitHub
Application Repo
CI/CD Machine(s)
Infrastructure Repo
Pipelines Repo
Pipeline Dev
Pipeline Testing
Pipeline Production
Storage
Account Key

25. Premium Media
content
Dev Hero
Media Token
(SAS)
Storage
Account key
Repository
(e.g. GitHub
Application Repo
CI/CD Machine(s)
Infrastructure Repo
Pipelines Repo
Pipeline Dev
Pipeline Testing
Pipeline Production
Storage
Account Key
git-secrets
git-secrets

26. Premium Media
content
Dev Hero
Media Token
(SAS)
Storage
Account key
Repository
(e.g. GitHub
Application Repo
CI/CD Machine(s)
Infrastructure Repo
Pipelines Repo
Pipeline Dev
Pipeline Testing
Pipeline Production
Storage
Account Key
git-secrets
git-secrets

27. Secrets scanning
Protectingyourcode,yoursecrets,youridentity
Scan commits before a push
(1)Placegit-secretssomewhereinthePATHtobeeasilyaccessiblebygit
(2)./install.ps1|Commandtoinstallgit-secretsonaWindowsmachine
(3)cd/path/RaduVRepo/IoTHome|Navigatetotherepothatyouwanttoprotect.You
needtodothisactionforeachrepositorythatyouwanttosecure
(4)gitsecretsinstall|Installthetool
(5)gitsecrets-register-azure|RegistertheAzureplugin
(6)gitsecrets-register-aws|RegistertheAWSplugin
(7)gitsecrets-register-gcp|RegistertheGCPplugin

28. Secrets scanning
Protectingyourcode,yoursecrets,youridentity
Scan commits before a push
> Reject commits when secrets are detected
Pipeline integration
> Build fail
> Remove secrets
Nightly scan
> Remove secrets
> Repository and Pipelines freeze

29. 4
App Configuration
30

32. API APP
BACKEND
APP
ETL
RECURRE
NT
JOB
ADMIN
DUPLICATED
SHARED CROSS ROLES & TEAMS
HARD TO MAINTAIN
CENTRAL SETTINGS REPO

33. AZURE APP
CONFIGURATI
ON
AWS CONFIG
AWS
APPCONFIG
API APP
BACKEND
APP
ETL
RECURRE
NT
JOB
ADMIN

34. 5
Storage
36

35. Defaultendpointsprotocol=https;accountname=itcamp2020webstorage;acc
ountkey=sbgvtx1ynetie5jg78pks7xns8r4nvpumycvrvwf3w5e6xs4txkmyk/pl
hev4a1mhozfii1kqoate4ec0ndfzt==;endpointsuffix=core.Windows.Net

36. IAM POLICIES
AZURE AD RBAC
AWS SIGNATURE
AZURE SAS
LIMIT ANONYMOUS PUBLIC READ ACCESS
ENABLE FIREWALL RULES

37. 6
Azure SQL
40

38. ENCRYPTION | FIREWALL | IP FW RULES
AUTHENTICATION USING IAM
TLS TDA
ENABLE THREAT DETECTION

39. COLUMN-LEVEL ENCRYPTION
ID NAME PHONE NO CITY AGE SALARY COMPANY ROLE
1 MIKE 07533232 CLUJ 24 2000 OFFICE SSE
2 RADU 07433423 CLUJ 32 1300 BORSEC JSE
3 IOAN 0775432 CLUJ 30 4000 BORSEC SDO
4 PAUL 0792321 CLUJ 39 3400 OFFICE LES
5 GITA 0784234 ORADEA 30 1400 OFFICE SSE
6 OANA 0712343 ORADEA 32 2200 BORSEC LES
7 ALEX 0742932 ORADEA 29 2000 OFFICE SUX

40. COLUMN-LEVEL ENCRYPTION
ID NAME PHONE NO CITY AGE SALARY COMPANY ROLE
1 MIKE 07533232 CLUJ 24 0 OFFICE SSE
2 RADU 07433423 CLUJ 32 0 BORSEC JSE
3 IOAN 0775432 CLUJ 30 0 BORSEC SDO
4 PAUL 0792321 CLUJ 39 0 OFFICE LES
5 GITA 0784234 ORADEA 30 0 OFFICE SSE
6 OANA 0712343 ORADEA 32 0 BORSEC LES
7 ALEX 0742932 ORADEA 29 0 OFFICE SUX

41. CELL-LEVEL ENCRYPTION
ID NAME PHONE NO CITY AGE SALARY COMPANY ROLE
1 MIKE 07533232 CLUJ 24 2000 OFFICE SSE
2 RADU 07433423 CLUJ 32 1300 BORSEC JSE
3 IOAN 0775432 CLUJ 30 4000 BORSEC SDO
4 PAUL 0792321 CLUJ 39 3400 OFFICE LES
5 GITA 0784234 ORADEA 30 1400 OFFICE SSE
6 OANA 0712343 ORADEA 32 2200 BORSEC LES
7 ALEX 0742932 ORADEA 29 2000 OFFICE SUX

42. CELL-LEVEL ENCRYPTION
ID NAME PHONE NO CITY AGE SALARY COMPANY ROLE
1 MIKE 07533232 CLUJ 24 0 OFFICE SSE
2 RADU 07433423 CLUJ 32 1300 BORSEC JSE
3 IOAN 0775432 CLUJ 30 4000 BORSEC SDO
4 PAUL 0792321 CLUJ 39 0 OFFICE LES
5 GITA 0784234 ORADEA 30 0 OFFICE SSE
6 OANA 0712343 ORADEA 32 2200 BORSEC LES
7 ALEX 0742932 ORADEA 29 0 OFFICE SUX

43. 7
Web endpoints
46

44. VALIDATE
PARAMETERIZED
ENCODE

45. STRING USERNAME = REQUEST.QUERYSTRING["USERNAME"];
…
...
STRING QUERY = "SELECT * FROM [DBO].[USERS] WHERE USERNAME =
'" + USERNAME + "'";
CREATE PROCEDURE SP_FINDUSER
(
@USERNAME VARCHAR(50)
)
SELECT * FROM [DBO].[USERS] WHERE USERNAME = @USERNAME

46. OWASP (CRS RULES)
XSS
SQL INJECTION

47. 8
Security Center and Azure Advisor
50

48. Azure
Security
Center
Discover
and
assess
the
security
of
your
workloads
Secure Score
Overall secure score
Security controls
Compliance
Azure CIS
PCI DSS 3.2
ISO 2007
SOC TSP
Custom definition
Azure Defender
Security Alerts
Advance Thread
Protection
Vulnerability
assessment and mng
On-premises and
Azure protection
Inventory
Explore, filter and
enhanced your
resources

49. Azure Advisor
Proactive,actionable,andpersonalizedbestpracticesrecommendations
Reliability
Security
Performance
Cost
Operational Excellence

50. 9
Conclusion
54

53. 10
Bonus
57

54. Definitive Guide to Azure Security
1. Security policy
Ensure the following are set to on for virtual machines:
•‘OS vulnerabilities’ is set to on.
‘Endpoint protection’ is set to on.
‘Jit network access’ is set to on.
2. Identify and access management
•Ensure that for all users, multi-factor authentication is enabled.
Ensure that users can consent to apps accessing company data on their behalf’ is set to no.
Ensure that ‘restrict access to azure ad administration portal’ is set to yes.
3. Storage accounts
Ensure the following are set to enabled:
•‘Secure transfer required’ is set to enabled.
‘Storage service encryption’ is set to enabled.
4. SQL services
On SQL database or servers, ensure the following are set to on:
•‘Auditing’ is set to on.
‘Threat detection’ is set to on.
‘Transparent data encryption’ is set to on.
5. Networking
Ensure the following are disabled on network security groups from internet:
•Disable RDP.
Disable ssh.
Disable telnet (port 23).
6. Virtual machines
•Install endpoint protection for virtual machines.
Enable latest os patch updates for virtual machines.
Enforce disk encryption on virtual machines.
7. Miscellaneous
•Secure the subscription.
Minimize the number of admins/owners.
Do not grant permissions to external accounts (i.E., Accounts outside the native directory for the subscription).
https://www.skyhighnetworks.com/cloud -security-blog/73-azure-security-best-practices/

55. Security Best Practices for Azure solutions
1. Security policy
Ensure the following are set to on for virtual machines:
•‘OS vulnerabilities’ is set to on.
‘Endpoint protection’ is set to on.
‘Jit network access’ is set to on.
2. Identify and access management
•Ensure that for all users, multi-factor authentication is enabled.
Ensure that users can consent to apps accessing company data on their behalf’ is set to no.
Ensure that ‘restrict access to azure ad administration portal’ is set to yes.
3. Storage accounts
Ensure the following are set to enabled:
•‘Secure transfer required’ is set to enabled.
‘Storage service encryption’ is set to enabled.
4. SQL services
On SQL database or servers, ensure the following are set to on:
•‘Auditing’ is set to on.
‘Threat detection’ is set to on.
‘Transparent data encryption’ is set to on.
5. Networking
Ensure the following are disabled on network security groups from internet:
•Disable RDP.
Disable ssh.
Disable telnet (port 23).
6. Virtual machines
•Install endpoint protection for virtual machines.
Enable latest os patch updates for virtual machines.
Enforce disk encryption on virtual machines.
7. Miscellaneous
•Secure the subscription.
Minimize the number of admins/owners.
Do not grant permissions to external accounts (i.E., Accounts outside the native directory for the subscription).
https://azure.microsoft.com/en-us/resources/security-best-practices-for-azure-solutions/

56. THANK YOU