MICROSOFT AZURE SECURITY OVERVIEW
Tom Quinn
Azure Security Specialist, Microsoft

Microsoft Azure Security and Compliance Discussion
Tom Quinn, Azure Security Specialist
Topics
• Microsoft and Security
• Shared Responsibility
• How does Microsoft Secure the Platform
• Azure Regions – Azure Gov Cloud
• Securing Customer environment
  • Data Security
    • Encryption
    • Identity
  • Network Security
    • Network isolation
    • First party and third party controls
    • Hybrid Cloud - VPN and Express Route Connectivity
  • Logging, Monitoring, and Operations
    • Azure Security Center and OMS
• Partner Security Solutions
Microsoft industry leading security capabilities: Experience, Visibility, Expertise, Context

EXPERIENCE
• 1M+ corporate machines protected by enterprise IT security
• Multi-platform cloud-first hybrid enterprise
• Decades of experience as a global enterprise
• Runs on the multi-tenant Azure environment, same as you

VISIBILITY
• Malware: largest anti-virus and antimalware service
• Clients: Windows Updates, Error Reports
• Email: Outlook.com, Office 365
• Web content: Bing, Azure AD
• Cloud platform: Azure IaaS and PaaS, Azure Security Center

EXPERTISE
• Development Security: established Security Development Lifecycle (SDL) - ISO/IEC 27034-1
• Operational Security for hyper-scale cloud services
• Combatting Cybercrime in the cloud & partnering with law enforcement to disrupt malware
• Incident Investigation and recovery for customers

CONTEXT
• Trillions of URLs indexed
• Hundreds of billions of authentications, monthly emails analyzed
• Billions of daily web page scans, Windows devices reporting
• Hundreds of millions of reputation look-ups
• Millions of daily suspicious file detonations
Shared Responsibility
Responsibility for each layer is split between the cloud service provider (Microsoft) and the tenant (Customer), and the split shifts with the service model: SaaS, PaaS, IaaS, On-prem.
Layers, top to bottom:
• Data governance & rights management
• Client endpoints
• Account & access management
• Identity & directory infrastructure
• Application
• Network controls
• Operating system
• Physical hosts
• Physical network
• Physical datacenter
Microsoft Cloud Security Practices
Microsoft makes security a priority at every step, from code development to incident response.
• Incident Response: Global, 24x7 incident response service that works to mitigate the effects of attacks and malicious activity.
• Defense in Depth: Defense in depth approach across all cloud services, from physical to app/data layers.
• Security Development Lifecycle (SDL): Company-wide, mandatory development process that embeds security into every phase of the development process.
• Threat Intelligence: Extensive threat intelligence gathering, modelling, analysis and controls incorporated into systems.
• Identity and Access: Focus on identity controls and tools, including mitigation of internal threat throughout the stack, including operations.
• Assume Breach Simulation: Dedicated security expert "red team" that simulates real-world attacks at network, platform, and application layers, testing the ability of Azure to detect, protect against, and recover from breaches.
Azure regions
Achieve global scale, in local regions
• US Gov: US Gov Texas and US Gov Arizona
NEWLY ANNOUNCED:
• France: France Central and France South
• Africa: South Africa North and South Africa West
Data in Azure
Azure Cloud Storage:
• Object based, durable, massively scalable storage subsystem
• Designed from the ground up by Microsoft
• Presents as Blobs, Disks, Tables, Queues and Files
• Accessed via REST APIs, client libraries and tools
• Access control:
  • Leverages symmetric shared key authentication
  • Trusted service that owns the storage accounts
  • Shared Access Signature (SAS)
Scale:
• More than 25 trillion stored objects
• 2.5+ million requests/sec on average
Storage System Design and Architecture:
• Architecture and design details published and available: "Windows Azure Storage – A Highly Available Cloud Storage Service with Strong Consistency"
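A Shared Access Signature delegates storage access without handing out the account key, so the scope it grants deserves review. The following is an added example, not code from the presentation: a small reviewer that parses an account SAS query string and flags long lifetimes, plaintext HTTP, missing IP restrictions and write-class permissions; the thresholds and sample tokens are constructed assumptions.

```python
"""Audit an Azure Storage account SAS token for over-broad scope.

Added example for this section, not code from the presentation. The query
field names are the documented account-SAS parameters (sv, ss, srt, sp, st,
se, spr, sip, sig); the sample tokens below are constructed and their sig
values are placeholders, not real signatures.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Review thresholds: assumptions for this example, not Azure defaults.
MAX_LIFETIME = timedelta(days=7)
WRITE_CLASS = set("wdacu")  # write, delete, add, create, update
TIME_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")


def parse_sas(token: str) -> dict:
    """Split a SAS query string (with or without a leading '?') into fields."""
    fields = parse_qs(token.lstrip("?"), keep_blank_values=True)
    return {key: values[0] for key, values in fields.items()}


def parse_time(value: str) -> datetime:
    """Parse the UTC timestamp formats Azure accepts for st and se."""
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")


def audit_sas(token: str, now: datetime) -> list:
    """Return review findings for a token; an empty list means it passed."""
    sas = parse_sas(token)
    if "sig" not in sas or "se" not in sas:
        return ["malformed: missing sig or se"]
    findings = []
    expiry = parse_time(sas["se"])
    start = parse_time(sas["st"]) if "st" in sas else now
    if expiry <= now:
        findings.append("expired")
    elif expiry - start > MAX_LIFETIME:
        findings.append(f"lifetime {expiry - start} exceeds {MAX_LIFETIME}")
    # When spr is omitted Azure accepts both https and http.
    if sas.get("spr", "https,http") != "https":
        findings.append("allows plaintext http")
    if "sip" not in sas:
        findings.append("no source IP restriction")
    granted = set(sas.get("sp", "")) & WRITE_CLASS
    if granted:
        findings.append("grants write-class permissions: " + "".join(sorted(granted)))
    if set(sas.get("srt", "")) & set("sc"):
        findings.append(f"scope reaches service/container level (srt={sas['srt']})")
    if len(sas.get("ss", "")) > 1:
        findings.append(f"spans multiple services (ss={sas['ss']})")
    return findings


# Constructed sample tokens (sig values are placeholders).
BROAD_SAS = ("?sv=2019-12-12&ss=bfqt&srt=sco&sp=rwdlacup"
             "&se=2030-01-01T00:00:00Z&spr=https,http&sig=PLACEHOLDER")
TIGHT_SAS = ("?sv=2019-12-12&ss=b&srt=o&sp=r&st=2024-06-01T00:00Z"
             "&se=2024-06-02T00:00Z&spr=https&sip=203.0.113.10&sig=PLACEHOLDER")
REVIEW_TIME = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, token in (("broad", BROAD_SAS), ("tight", TIGHT_SAS)):
        print(label, audit_sas(token, REVIEW_TIME) or ["ok"])
```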
Azure Data Encryption - Data at Rest
Encryption options by layer:
Application Layer
• BYO Encryption - <.NET Libraries, leverage on-prem HSM, etc.>
• Always Encrypted
PaaS Services
• SQL Database - <Transparent Data Encryption, Always Encrypted>
• HDInsight - <SQL Database>
• Azure Backup Service - <Leverages Azure Disk Encryption>
Virtual Machine/OS Layer – Windows, Linux
• Azure Disk Encryption - <BitLocker [Windows], DM-Crypt [Linux]>
• Partner Volume Encryption – <CloudLink® SecureVM>
• BYO Encryption – <Customer provided>
Storage System
• Azure Storage Service Encryption – <AES-256, Block, Append, and Page Blobs>
Key Management – Azure Key Vault
• Keys and secrets controlled by customers in their key vault
• Authentication to Key Vault is using Azure AD
Enterprise cloud identity – Azure AD
AZURE:
• Provides enterprise cloud identity and access management
• Enables single sign-on across cloud applications
• Offers Multi-Factor Authentication for enhanced security
CUSTOMER:
• Centrally manages users and access to Azure, O365, and hundreds of pre-integrated cloud applications
• Builds Azure AD into their web and mobile applications
• Can extend on-premises directories to Azure AD
(Diagram: end users, on-premises Active Directory, Azure Active Directory, cloud apps)
Azure Virtual Networking
AZURE:
• Allows customers to create isolated virtual private networks
CUSTOMER:
• Creates Virtual Networks with subnets and private IP addresses
• Enables communications between their Virtual Networks
• Can apply security controls
• Can connect to "corpnet" via VPN or Express Route
(Diagram: isolated virtual networks for Customer 1 and Customer 2, each with subnets holding deployments X and Y; VNET-to-VNET connectivity; cloud access through an RDP endpoint with password access; a client and DNS server on Corp 1 reached over VPN)
Platform Network Control – Network Security Groups (NSG)
• Grouping of network traffic rules as a security group
• Security groups associated with virtual machines or virtual subnets
• Controlled access between machines in subnets
• Controlled access to and from the Internet
• Network traffic rules updated independent of virtual machines
(Diagram: Internet -> Virtual Network with a Front End Subnet and a Back End Subnet, each protected by an NSG)
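To make the Front End / Back End design above concrete, here is an added example (not code from the presentation or any Azure SDK) that simulates how an NSG evaluates a flow: rules in priority order, first match wins, default rules behind the custom ones. The address ranges, rule names and sample flows are constructed, and the Internet service tag is simplified to "any address outside the VNet".

```python
"""Simulate NSG rule evaluation for the Front End / Back End subnet design above.

Added example for this section, not code from the presentation or any Azure
SDK. It models the documented NSG semantics: rules are evaluated in priority
order (lowest number first), the first match decides, and the platform default
inbound rules (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001,
DenyAllInBound 65500) sit behind the custom rules. The address ranges, rule
names and sample flows are constructed for this example; the Internet tag is
simplified to "any address outside the VNet".
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET = ip_network("10.0.0.0/16")           # constructed virtual network
FRONT_END = ip_network("10.0.1.0/24")      # constructed Front End Subnet
BACK_END = ip_network("10.0.2.0/24")       # constructed Back End Subnet
AZURE_LB = ip_network("168.63.129.16/32")  # Azure load balancer health-probe address


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # 100-4096 for custom rules, 65000+ for defaults
    direction: str       # "Inbound" or "Outbound"
    access: str          # "Allow" or "Deny"
    source: str          # service tag or CIDR
    destination: str     # service tag or CIDR
    dest_port: str       # "*", a single port, or a range "low-high"
    protocol: str = "*"  # "*", "Tcp" or "Udp"


DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
]


def address_matches(spec: str, addr: str) -> bool:
    """Resolve a service tag or CIDR against a concrete address."""
    ip = ip_address(addr)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip in VNET
    if spec == "AzureLoadBalancer":
        return ip in AZURE_LB
    if spec == "Internet":
        return ip not in VNET and ip not in AZURE_LB
    return ip in ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    """Match a destination port against "*", a single port or a range."""
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-"))
        return low <= port <= high
    return int(spec) == port


def evaluate(rules, direction, src, dst, port, protocol="Tcp"):
    """Return (access, rule name) from the first matching rule by priority."""
    for rule in sorted((r for r in rules if r.direction == direction), key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if (address_matches(rule.source, src) and address_matches(rule.destination, dst)
                and port_matches(rule.dest_port, port)):
            return rule.access, rule.name
    return "Deny", "<no matching rule>"


# Front End Subnet NSG: HTTPS from the Internet only, then the defaults.
FRONT_END_NSG = [
    Rule("AllowHttpsInBound", 100, "Inbound", "Allow", "Internet", "*", "443", "Tcp"),
] + DEFAULT_INBOUND

# Back End Subnet NSG: only the front-end tier may reach SQL, and an explicit
# VNet deny at priority 200 overrides AllowVnetInBound (65000) so other
# subnets in the same VNet cannot reach the back end. Load balancer probes
# still pass because 65001 sits ahead of the final DenyAllInBound.
BACK_END_NSG = [
    Rule("AllowSqlFromFrontEnd", 100, "Inbound", "Allow", str(FRONT_END), str(BACK_END), "1433", "Tcp"),
    Rule("DenyVnetInBound", 200, "Inbound", "Deny", "VirtualNetwork", "*", "*"),
] + DEFAULT_INBOUND

if __name__ == "__main__":
    flows = [  # (nsg, source, destination, port): constructed sample traffic
        (FRONT_END_NSG, "198.51.100.7", "10.0.1.4", 443),
        (FRONT_END_NSG, "198.51.100.7", "10.0.1.4", 3389),
        (BACK_END_NSG, "10.0.1.4", "10.0.2.5", 1433),
        (BACK_END_NSG, "10.0.3.9", "10.0.2.5", 1433),
        (BACK_END_NSG, "168.63.129.16", "10.0.2.5", 1433),
    ]
    for nsg, src, dst, port in flows:
        print(src, "->", dst, port, evaluate(nsg, "Inbound", src, dst, port))
```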
Azure Traffic Manager (DNS Load Balancer)
(Diagram: Internet -> Azure Traffic Manager -> an Application Gateway in each region -> VMs)

Azure Service / What / Example
• Traffic Manager – Cross-region redirection & availability. Example: http://news.com -> apac.news.com, emea.news.com, us.news.com
• Azure Load Balancer – In-region scalability & availability. Example: emea.news.com -> AppGw1, AppGw2, AppGw2
• Azure Application Gateway – URL/content-based routing & load balancing. Example: news.com/topnews, news.com/sports, news.com/images

Typical Tiered Architecture
(Diagram: App Gateway in front of web server VMs)

User Defined Routing and Virtual Appliances
(Diagram: Internet and Private WAN traffic steered through virtual appliances between tiers)
Monitoring & logging
AZURE:
• Performs monitoring & alerting on security events for the platform
• Enables security data collection via Monitoring Agent or Windows Event Forwarding
CUSTOMER:
• Configures monitoring
• Exports events to SQL Database, HDInsight or a SIEM for analysis
• Monitors alerts & reports
• Responds to alerts
(Diagram: the Customer Admin enables the Monitoring Agent on guest VMs (Cloud Services and Customer VMs) through the Portal/SMAPI; events flow to Azure Storage and are extracted to a SIEM or other reporting system and to HDInsight, with alerting & reporting in the SIEM Admin View)

Example event extract:
Event ID  Computer  Event Description               Severity  DateTime
1150      Machine1  Example security event          4         04/29/2014
2002      Machine2  Signature Updated Successfully  4         04/29/2014
5007      Machine3  Configuration Applied           4         04/29/2014
1116      Machine2  Example security event          1         04/29/2014
1117      Machine2  Access attempted                1         04/29/2014
Azure Security Center
What is the feature?
Prevent, detect and respond to threats with increased visibility and control over the security of your Azure resources and advanced analytics, which identify attacks that might otherwise go unnoticed.
Benefits
• Understand the security state of Azure resources
• Take control of cloud security with policies that enable you to recommend and monitor security configurations
• Make it easy for DevOps to deploy integrated Microsoft and partner security solutions
• Find threats with advanced analysis of your security-related events, developed using Microsoft's vast global intelligence assets and expertise
• Respond and recover from incidents faster with real-time security alerts
• Export security events to a SIEM for further analysis
(Diagram: Automatic Log Collection feeds the Rome Analytics Engine, which analyzes Windows Security Events, IIS Logs, AV Logs, Firewall Logs, Syslog, ...)
Operations Management Suite (OMS)
(Diagram: Windows Server and Linux VMs running in Azure, in Amazon Web Services and in private clouds (Azure Stack, Hyper-V, VMware, OpenStack) all report into OMS)
Pillars: Log analytics; Backup & disaster recovery; IT automation; Security & compliance
Capabilities:
• Near real time perf. data collection/monitoring
• Linux agents including monitoring integrations
• Mobile Apps in Windows, Android and iOS
• Custom fields
• SOC1 and SOC2 Type 1 Compliant
• Automation DSC
• Source Control support through GitHub for runbooks
• Hybrid support for schedules / test jobs
• PowerShell script support on hybrid workers
• Linux DSC support
• Wire data solution
• Azure network analytics solution
• Malicious IP detection
• Backup >1.6TB support
• ASR integration with SQL Always-On public preview
• ASR CSP and IaaS V2 support
• IaaS v1 & v2 VMs backup
• Azure backup server for application workload backups
Partner Security Solutions
Microsoft is dedicated to working with partners across the ecosystem, enabling customers to augment their security posture:
• Network Virtual Appliances
• Hosted Network Controls – Firewalls, WAF, DDoS, IDS/IPS, DLP
• Operations/Management – Monitoring, logging, correlation
• Penetration Testing
• Vulnerability assessments/Threat Modeling

 
ViewShift: Hassle-free Dynamic Policy Enforcement for Every Data Lake
ViewShift: Hassle-free Dynamic Policy Enforcement for Every Data LakeViewShift: Hassle-free Dynamic Policy Enforcement for Every Data Lake
ViewShift: Hassle-free Dynamic Policy Enforcement for Every Data Lake
 
原版一比一利兹贝克特大学毕业证(LeedsBeckett毕业证书)如何办理
原版一比一利兹贝克特大学毕业证(LeedsBeckett毕业证书)如何办理原版一比一利兹贝克特大学毕业证(LeedsBeckett毕业证书)如何办理
原版一比一利兹贝克特大学毕业证(LeedsBeckett毕业证书)如何办理
 
一比一原版(GWU,GW文凭证书)乔治·华盛顿大学毕业证如何办理
一比一原版(GWU,GW文凭证书)乔治·华盛顿大学毕业证如何办理一比一原版(GWU,GW文凭证书)乔治·华盛顿大学毕业证如何办理
一比一原版(GWU,GW文凭证书)乔治·华盛顿大学毕业证如何办理
 
Population Growth in Bataan: The effects of population growth around rural pl...
Population Growth in Bataan: The effects of population growth around rural pl...Population Growth in Bataan: The effects of population growth around rural pl...
Population Growth in Bataan: The effects of population growth around rural pl...
 
06-12-2024-BudapestDataForum-BuildingReal-timePipelineswithFLaNK AIM
06-12-2024-BudapestDataForum-BuildingReal-timePipelineswithFLaNK AIM06-12-2024-BudapestDataForum-BuildingReal-timePipelineswithFLaNK AIM
06-12-2024-BudapestDataForum-BuildingReal-timePipelineswithFLaNK AIM
 
Global Situational Awareness of A.I. and where its headed
Global Situational Awareness of A.I. and where its headedGlobal Situational Awareness of A.I. and where its headed
Global Situational Awareness of A.I. and where its headed
 
办(uts毕业证书)悉尼科技大学毕业证学历证书原版一模一样
办(uts毕业证书)悉尼科技大学毕业证学历证书原版一模一样办(uts毕业证书)悉尼科技大学毕业证学历证书原版一模一样
办(uts毕业证书)悉尼科技大学毕业证学历证书原版一模一样
 
Predictably Improve Your B2B Tech Company's Performance by Leveraging Data
Predictably Improve Your B2B Tech Company's Performance by Leveraging DataPredictably Improve Your B2B Tech Company's Performance by Leveraging Data
Predictably Improve Your B2B Tech Company's Performance by Leveraging Data
 
Palo Alto Cortex XDR presentation .......
Palo Alto Cortex XDR presentation .......Palo Alto Cortex XDR presentation .......
Palo Alto Cortex XDR presentation .......
 

366864108 azure-security

  • 6. Shared responsibility
    Responsibility shifts from the tenant (customer) to the cloud service provider (Microsoft) as a workload moves from on-premises through IaaS and PaaS to SaaS. The slide's rows, top to bottom, with the owner per model:

    Responsibility                      | On-prem  | IaaS      | PaaS      | SaaS
    Data governance & rights management | Customer | Customer  | Customer  | Customer
    Client endpoints                    | Customer | Customer  | Customer  | Customer
    Account & access management         | Customer | Customer  | Customer  | Customer
    Identity & directory infrastructure | Customer | Customer  | Shared    | Shared
    Application                         | Customer | Customer  | Shared    | Microsoft
    Network controls                    | Customer | Customer  | Shared    | Microsoft
    Operating system                    | Customer | Customer  | Microsoft | Microsoft
    Physical hosts                      | Customer | Microsoft | Microsoft | Microsoft
    Physical network                    | Customer | Microsoft | Microsoft | Microsoft
    Physical datacenter                 | Customer | Microsoft | Microsoft | Microsoft

    Whatever the model, data classification, endpoints and account/access management never leave the customer: the provider secures the platform, not your credentials or your data handling.
  • 7. Microsoft Cloud Security Practices
    Microsoft makes security a priority at every step, from code development to incident response:
    • Security Development Lifecycle (SDL): company-wide, mandatory development process that embeds security into every phase of development.
    • Defense in Depth: defense-in-depth approach across all cloud services, from the physical layer to the app/data layers.
    • Threat Intelligence: extensive threat intelligence gathering, modelling, analysis and controls incorporated into systems.
    • Identity and Access: focus on identity controls and tools, including mitigation of internal threats throughout the stack, operations included.
    • Assume Breach Simulation: a dedicated "red team" of security experts simulates real-world attacks at the network, platform and application layers, testing Azure's ability to detect, protect against and recover from breaches.
    • Incident Response: global, 24x7 incident response service that works to mitigate the effects of attacks and malicious activity.
  • 8. Azure regions
    42 Azure regions: achieve global scale, in local regions.
    • US Gov: US Gov Texas and US Gov Arizona
    • Newly announced: France (France Central and France South); South Africa (South Africa North and South Africa West)
  • 9. Data in Azure
    Azure Cloud Storage:
    • Object-based, durable, massively scalable storage subsystem, designed from the ground up by Microsoft
    • Presents as Blobs, Disks, Tables, Queues and Files
    • Accessed via REST APIs, client libraries and tools
    Access control:
    • Symmetric shared-key authentication (the storage account key)
    • Trusted service that owns the storage accounts
    • Shared Access Signature (SAS)
    The account key grants full control of the whole storage account, so hand out SAS tokens scoped to a resource, a permission set and an expiry rather than the key itself.
    Scale:
    • More than 25 trillion stored objects
    • 2.5+ million requests/sec on average
    Storage system design and architecture: architecture and design details are published and available in "Windows Azure Storage – A Highly Available Cloud Storage Service with Strong Consistency" (SOSP 2011).
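The two access-control mechanisms on this slide differ sharply in blast radius: the shared key is the whole account, a SAS is whatever you sign into it. The following Python is an added example, not code from the deck or from Microsoft: it mints a read-only, single-blob, HTTPS-only service SAS (string-to-sign in the storage service version 2015-04-05 format, thirteen newline-separated fields) and audits SAS URLs against a least-privilege policy. The account name, key, container, blob path and policy thresholds are constructed values for the illustration.

```python
"""Least-privilege Shared Access Signatures: mint one and audit existing ones.

Added example, not taken from the deck. The string-to-sign follows the
service-SAS format for storage service version 2015-04-05 (thirteen
newline-separated fields). The account name, key, container and blob are
constructed test values, and the audit thresholds are assumed policy.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAS_VERSION = "2015-04-05"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
DEMO_ACCOUNT = "contosostorage"                        # made up
DEMO_KEY = base64.b64encode(b"\x01" * 32).decode()     # constructed, not a real key


def sign_service_sas(account, key_b64, container, blob, permissions,
                     start, expiry, protocol="https"):
    """Return the query string of a service SAS scoped to a single blob.

    sig = Base64(HMAC-SHA256(Base64-decode(account key), UTF-8(string-to-sign)))
    """
    st, se = start.strftime(TIME_FMT), expiry.strftime(TIME_FMT)
    canonical = f"/blob/{account}/{container}/{blob}"
    # Field order: sp, st, se, canonicalizedresource, si, sip, spr, sv,
    # then the five response-header overrides (rscc, rscd, rsce, rscl, rsct).
    string_to_sign = "\n".join([permissions, st, se, canonical, "", "", protocol,
                                SAS_VERSION, "", "", "", "", ""])
    digest = hmac.new(base64.b64decode(key_b64), string_to_sign.encode("utf-8"),
                      hashlib.sha256).digest()
    return urlencode({"sv": SAS_VERSION, "sr": "b", "sp": permissions, "st": st,
                      "se": se, "spr": protocol,
                      "sig": base64.b64encode(digest).decode()})


def sas_params(url):
    """Query parameters of a SAS URL as a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def audit_sas(url, now, max_lifetime=timedelta(hours=1)):
    """Return a list of policy findings for a SAS URL; an empty list passes."""
    q = sas_params(url)
    if "sig" not in q:
        return ["not a SAS URL (no sig parameter)"]
    findings = []
    if "se" not in q:
        findings.append("no expiry (se): the grant never expires")
    else:
        expiry = datetime.strptime(q["se"], TIME_FMT).replace(tzinfo=timezone.utc)
        if expiry <= now:
            findings.append("already expired")
        elif expiry - now > max_lifetime:
            findings.append(f"lifetime exceeds {max_lifetime}: expires {q['se']}")
    mutating = set(q.get("sp", "")) & set("wdac")       # write, delete, add, create
    if mutating:
        findings.append("mutating permissions granted: " + "".join(sorted(mutating)))
    if q.get("sr") == "c":
        findings.append("scoped to a whole container, not a single blob")
    if q.get("spr", "https,http") != "https":           # omitted spr permits both
        findings.append("plain HTTP accepted (spr is not https-only)")
    return findings


def demo_now():
    return datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def mint_readonly_url(now):
    """Read-only, single-blob, HTTPS-only SAS valid for 30 minutes."""
    sas = sign_service_sas(DEMO_ACCOUNT, DEMO_KEY, "reports", "q1.pdf", "r",
                           now - timedelta(minutes=5), now + timedelta(minutes=30))
    return f"https://{DEMO_ACCOUNT}.blob.core.windows.net/reports/q1.pdf?{sas}"


# Constructed over-broad token: container scope, write/delete, no protocol limit, 2099 expiry.
OVERBROAD_URL = ("https://contosostorage.blob.core.windows.net/reports"
                 "?sv=2015-04-05&sr=c&sp=rwdl&se=2099-01-01T00%3A00%3A00Z&sig=abc")

if __name__ == "__main__":
    now = demo_now()
    print(audit_sas(mint_readonly_url(now), now))   # []
    for finding in audit_sas(OVERBROAD_URL, now):
        print("-", finding)
```

The audit only reads the query string, so it can run over URLs harvested from logs, source repositories or config files without the account key; a token that fails it should be revoked by rotating the key it was signed with, since a SAS cannot be revoked individually unless it references a stored access policy.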
  • 10. Azure data encryption: data at rest
    Storage system:
    • Azure Storage Service Encryption (AES-256; block, append and page blobs)
    Virtual machine / OS layer (Windows, Linux):
    • Azure Disk Encryption (BitLocker on Windows, DM-Crypt on Linux)
    • Partner volume encryption (CloudLink SecureVM)
    • BYO encryption (customer provided)
    PaaS services:
    • SQL Database (Transparent Data Encryption, Always Encrypted)
    • HDInsight (SQL Database)
    • Azure Backup Service (leverages Azure Disk Encryption)
    Application layer:
    • BYO encryption (.NET libraries, on-premises HSM, etc.)
    • Always Encrypted
    Key management:
    • Azure Key Vault: keys and secrets controlled by customers in their own key vault
    • Authentication to Key Vault uses Azure AD
  • 11. Enterprise cloud identity: Azure AD
    AZURE:
    • Provides enterprise cloud identity and access management
    • Enables single sign-on across cloud applications
    • Offers Multi-Factor Authentication for enhanced security
    CUSTOMER:
    • Centrally manages users and access to Azure, O365 and hundreds of pre-integrated cloud applications
    • Builds Azure AD into their web and mobile applications
    • Can extend on-premises directories to Azure AD
    [Diagram: end users, on-premises Active Directory extended to Azure Active Directory, cloud apps]
  • 12. Azure Virtual Networking
    AZURE:
    • Allows customers to create isolated virtual private networks
    CUSTOMER:
    • Creates virtual networks with subnets and private IP addresses
    • Enables communications between their virtual networks (VNet to VNet)
    • Can apply security controls
    • Can connect to "corpnet" via VPN or ExpressRoute
    [Diagram: Customer 1 and Customer 2 each have an isolated virtual network in Azure; Customer 1's network has Subnet 1 (Deployment X, Deployment Y), Subnet 2 and Subnet 3 (DNS server), a VNet-to-VNet link, cloud access from a client over an RDP endpoint (password access), and a VPN to Corp 1]
    An Internet-facing RDP endpoint guarded only by a password is exactly the kind of exposure the network security group rules on the following slide are meant to close off.
  • 13. Platform network control: Network Security Groups (NSG)
    • Grouping of network traffic rules as a security group
    • Security groups associated with virtual machines or virtual subnets
    • Controlled access between machines in subnets
    • Controlled access to and from the Internet
    • Network traffic rules updated independently of the virtual machines
    [Diagram: Internet, front-end subnet and back-end subnet inside one virtual network, with an NSG applied]
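The front-end / back-end picture on this slide hides one detail that catches practitioners: NSGs ship with default inbound rules, and the one at priority 65000 allows all traffic from the virtual network to the virtual network, so a back-end subnet is reachable from any compromised VM in the VNet unless a custom rule denies it first. The Python below is an added example, not code from the deck or from Azure: it simulates inbound NSG evaluation (ascending priority, first match wins, default rules at 65000/65001/65500) over a two-subnet design. The address ranges, ports and rule names are assumed values, and the "Internet" tag is simplified to "any address outside the virtual network".

```python
"""Simulate inbound NSG evaluation for a front-end / back-end subnet design.

Added example, not code from the deck. It models the documented NSG semantics
(rules evaluated in ascending priority, first match wins, the three default
inbound rules at priorities 65000-65500) with a simplified address matcher:
the 'Internet' tag is treated as any address outside the virtual network.
Address ranges, ports and rule names are assumed values for the illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET = ip_network("10.0.0.0/16")          # assumed virtual network address space
AZURE_LB = ip_address("168.63.129.16")    # source address of Azure load balancer probes


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    access: str          # "Allow" or "Deny"
    source: str          # CIDR, "VirtualNetwork", "Internet", "AzureLoadBalancer" or "*"
    dest: str            # CIDR, "VirtualNetwork" or "*"
    port: str            # destination port: "443", "1000-2000", "80,443" or "*"
    protocol: str = "*"  # "Tcp", "Udp" or "*"


DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]


def _addr_match(spec, addr):
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return addr in VNET
    if spec == "Internet":
        return addr not in VNET           # simplification of the service tag
    if spec == "AzureLoadBalancer":
        return addr == AZURE_LB
    return addr in ip_network(spec)


def _port_match(spec, port):
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules, src, dst, port, protocol="Tcp"):
    """Return (access, rule name) for one inbound flow against an NSG."""
    src, dst = ip_address(src), ip_address(dst)
    for r in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if r.protocol not in ("*", protocol):
            continue
        if _addr_match(r.source, src) and _addr_match(r.dest, dst) and _port_match(r.port, port):
            return r.access, r.name
    return "Deny", "unreachable"          # DenyAllInBound always matches first


# Front-end subnet 10.0.1.0/24: only HTTPS from the Internet; RDP falls to DenyAllInBound.
FRONTEND_NSG = [
    Rule("AllowHttpsFromInternet", 100, "Allow", "Internet", "10.0.1.0/24", "443", "Tcp"),
]

# Back-end subnet 10.0.2.0/24: SQL from the front end only. The explicit
# DenyVnetInBound at 4096 is the important line: without it, AllowVnetInBound
# (65000) lets any VM in the virtual network reach the back end on every port.
BACKEND_NSG = [
    Rule("AllowSqlFromFrontend", 100, "Allow", "10.0.1.0/24", "10.0.2.0/24", "1433", "Tcp"),
    Rule("DenyVnetInBound", 4096, "Deny", "VirtualNetwork", "*", "*"),
]

if __name__ == "__main__":
    flows = [
        (FRONTEND_NSG, "198.51.100.23", "10.0.1.10", 443),
        (FRONTEND_NSG, "198.51.100.23", "10.0.1.10", 3389),
        (BACKEND_NSG, "198.51.100.23", "10.0.2.10", 1433),
        (BACKEND_NSG, "10.0.1.10", "10.0.2.10", 1433),
        (BACKEND_NSG, "10.0.1.10", "10.0.2.10", 22),
        (BACKEND_NSG[:1], "10.0.1.10", "10.0.2.10", 22),   # same NSG without the deny
    ]
    for nsg, s, d, p in flows:
        print(f"{s} -> {d}:{p}", evaluate(nsg, s, d, p))
```

The last flow in the demo is the one to remember: with only the allow rule, SSH from the front end to the back end is permitted by the default AllowVnetInBound rule, not by anything the administrator wrote.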
  • 14. Traffic Manager, Load Balancer and Application Gateway
    [Diagram: Internet, Azure Traffic Manager (DNS load balancer), an Application Gateway per region, VMs (web servers) behind each gateway]

    Azure Service             | What                                        | Example
    Traffic Manager           | Cross-region redirection & availability     | http://news.com -> apac.news.com, emea.news.com, us.news.com
    Azure Load Balancer       | In-region scalability & availability        | emea.news.com -> AppGw1, AppGw2
    Azure Application Gateway | URL/content-based routing & load balancing  | news.com/topnews, news.com/sports, news.com/images
  • 17. User Defined Routing and Virtual Appliances
  • 19. Monitoring & logging
    AZURE:
    • Performs monitoring & alerting on security events for the platform
    • Enables security data collection via the Monitoring Agent or Windows Event Forwarding
    CUSTOMER:
    • Configures monitoring
    • Exports events to SQL Database, HDInsight or a SIEM for analysis
    • Monitors alerts & reports
    • Responds to alerts
    [Diagram: the customer admin enables the Monitoring Agent on guest VMs (Cloud Services, customer VMs) through the portal / SMAPI; events are written to Azure Storage and extracted to a SIEM or other reporting system (or HDInsight) for alerting, reporting and the admin view]

    Event ID | Computer | Event Description              | Severity | DateTime
    1150     | Machine1 | Example security event         | 4        | 04/29/2014
    2002     | Machine2 | Signature Updated Successfully | 4        | 04/29/2014
    5007     | Machine3 | Configuration Applied          | 4        | 04/29/2014
    1116     | Machine2 | Example security event         | 1        | 04/29/2014
    1117     | Machine2 | Access attempted               | 1        | 04/29/2014
  • 20. Azure Security Center
    What is the feature? Prevent, detect and respond to threats with increased visibility and control over the security of your Azure resources, plus advanced analytics that identify attacks that might otherwise go unnoticed.
    Benefits:
    • Understand the security state of Azure resources
    • Take control of cloud security with policies that let you recommend and monitor security configurations
    • Make it easy for DevOps to deploy integrated Microsoft and partner security solutions
    • Find threats with advanced analysis of your security-related events, developed using Microsoft's vast global intelligence assets and expertise
    • Respond to and recover from incidents faster with real-time security alerts
    • Export security events to a SIEM for further analysis
    Automatic log collection feeds the Rome analytics engine, which analyzes Windows Security events, IIS logs, AV logs, firewall logs, syslog, ...
  • 21. Operations Management Suite
    [Diagram: OMS managing Windows Server and Linux VMs across Azure, Amazon Web Services and private clouds (Azure Stack, Hyper-V, VMware, OpenStack)]
    Log analytics:
    • Near-real-time performance data collection/monitoring
    • Linux agents, including monitoring integrations
    • Mobile apps on Windows, Android and iOS
    • Custom fields
    • SOC 1 and SOC 2 Type 1 compliant
    IT automation:
    • Automation DSC
    • Source control support through GitHub for runbooks
    • Hybrid support for schedules / test jobs
    • PowerShell script support on hybrid workers
    • Linux DSC support
    Security & compliance:
    • Wire data solution
    • Azure network analytics solution
    • Malicious IP detection
    Backup & disaster recovery:
    • Backup >1.6 TB support
    • ASR integration with SQL Always On (public preview)
    • ASR CSP and IaaS V2 support
    • IaaS v1 & v2 VM backup
    • Azure Backup Server for application workload backups
  • 22. Partner Security Solutions
    Microsoft is dedicated to working with partners across the ecosystem, enabling customers to augment their security posture:
    • Network virtual appliances
    • Hosted network controls: firewalls, WAF, DDoS, IDS/IPS, DLP
    • Operations/management: monitoring, logging, correlation
    • Penetration testing
    • Vulnerability assessments / threat modeling