Unified platform for modern business (diagram): Azure regions providing compute, data, storage, network services and app services.
Satya Nadella on Customer Security & Privacy
Only consistent hybrid cloud (diagram): Azure services (Azure Security & Management, Azure Data Services, Azure Active Directory) and Azure Stack on on-premises infrastructure (SQL Server, Active Directory) share unified development, unified security & management, a common data platform and a common identity.
AZURE SECURITY POSTURE: ASSUME BREACH
PROTECT
• Security Development Lifecycle
• Threat Modeling
• Code Review
• Security Testing
• Network/User/Data/System security
DETECT
• Auditing and Certification
• Live Site Penetration Testing
• Centralized Logging and Monitoring
• Fraud and Abuse Detection
RESPOND
• Breach Containment
• Coordinated Security Response
• Customer Notification
LEARN
• Post-Breach Assessment
Cloud Services Security is a Shared Responsibility
The security of your Microsoft cloud service is a partnership between you and Microsoft.
Microsoft cloud services are built on a foundation of trust and security. Microsoft provides you security controls and capabilities to help you protect your data and applications.
You own your data and identities and the responsibility for protecting them, the security of your on-premises resources, and the security of the cloud components you control (which components varies by service model).
Responsibility by layer and service model (C = managed by customer, P = managed by service provider):
Layer           On-Prem  IaaS  PaaS  SaaS
Administration  C        C     C     C
Applications    C        C     C     P
Data            C        C     C     C
Runtime         C        C     P     P
Middleware      C        C     P     P
O/S             C        C     P     P
Virtualization  C        P     P     P
Servers         C        P     P     P
Storage         C        P     P     P
Networking      C        P     P     P
Security Development Lifecycle
Phases: Training → Requirements → Design → Implementation → Verification → Release → Response
• Education: administer and track security training
• Process: guide product teams to meet SDL requirements; ongoing process improvements
• Accountability: establish release criteria and sign-off as part of the Final Security Review (FSR); incident response through the Microsoft Security Response Center (MSRC)
Infrastructure security controls | Operational security controls | Compliance
Secure Development Lifecycle: Empowering You
• Secure Development Lifecycle - https://www.microsoft.com/en-us/sdl/
• Tools to enable writing and releasing secure code:
• Secure Code Analysis VSTS Extension (Private Preview); contact: sdt-vsts@microsoft.com
• Static analysis for .NET: Roslyn Security Analyzers
• Binary Static Analysis Tool [GitHub]: provides security and correctness results for Windows portable executables
• Credential Scanner (CredScan): detecting credentials in source and more; GitHub and VS IDE integration
• Threat Modeling Tool (TMT 2016)
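As an added example (not Microsoft's CredScan, whose rule set is its own), the following Python script shows the shape of a credential scanner of the kind the bullet above describes: a small set of regular-expression rules, placeholder suppression so that values like `<your-password>` or `${VAR}` do not raise findings, an inline opt-out comment for reviewed false positives, and redaction so the report does not re-leak the secret it found. The rules, the `credscan:ignore` marker, the fake storage key and the sample source text are all constructed for this demonstration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    excerpt: str   # redacted, never the raw secret


# Demo rule set (assumption): name, pattern, index of the group holding the secret value.
# A production scanner ships hundreds of provider-specific patterns plus entropy checks.
RULES = [
    ("azure-storage-key", re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)"), 1),
    ("generic-password-assignment",
     re.compile(r"""(?i)(password|passwd|pwd|secret)\s*[:=]\s*["']([^"']{8,})["']"""), 2),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"), 0),
    ("sql-connection-string", re.compile(r"(?i)Server=[^;]+;.*?Password=([^;\"']+)"), 1),
]

# Obvious placeholders are not secrets; suppressing them keeps the report actionable.
PLACEHOLDERS = re.compile(r"(?i)^(\$\{?[A-Z_]+\}?|<[^>]+>|\*{3,}|changeme|your[-_ ]?password)$")
SUPPRESS_MARKER = "credscan:ignore"   # assumption: inline opt-out for reviewed false positives


def redact(value: str) -> str:
    """Keep enough of the value to locate it without copying the secret into the report."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text: str) -> list:
    """Scan source text line by line; return one Finding per (line, rule) hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if SUPPRESS_MARKER in line.lower():
            continue
        for rule, pattern, group in RULES:
            match = pattern.search(line)
            if match is None:
                continue
            value = match.group(group)
            if PLACEHOLDERS.match(value.strip()):
                continue
            findings.append(Finding(line_no, rule, redact(value)))
    return findings


# Constructed sample source file; the storage key is 86 'A's, not a real key.
FAKE_STORAGE_KEY = "A" * 86 + "=="
SAMPLE_SOURCE = "\n".join([
    "import os",
    f'STORAGE_CONN = "DefaultEndpointsProtocol=https;AccountName=demo;AccountKey={FAKE_STORAGE_KEY}"',
    'DB_PASSWORD = os.environ["DB_PASSWORD"]',           # read from the environment: fine
    'admin_password = "Sup3rSecretValue"',               # hard-coded: should be flagged
    'test_password = "<your-password>"',                 # placeholder: should be suppressed
    'SQL = "Server=tcp:db.example.net,1433;Database=app;User ID=sa;Password=Hunter2!Hunter2;"',
    f'TOKEN = "not-a-real-token"  # {SUPPRESS_MARKER}',  # reviewed and explicitly suppressed
])

if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.rule}: {f.excerpt}")
```

Running it reports lines 2, 4 and 6 only: the environment lookup, the placeholder and the suppressed line produce nothing, and every excerpt is redacted. The same loop can be pointed at `git diff` output in a pre-commit hook, which is where this class of tool earns its keep.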
SECURING THE PLATFORM / EMPOWERING YOU (diagram): the following slides pair each platform threat area (natural disasters, intrusion & DDoS, identity management and administration console, hardware management, vulnerability patching / monitoring, data protection, physical access) with the customer properties it protects (data, compute, network / bandwidth, storage / reliability, trust). Each area is covered from two sides: what Microsoft does to secure the platform, and what the customer is given to secure their own workloads.
Identity Management / Administration Console
Securing the Platform
• Locked-down Secure Admin Workstation: Secure Boot, hardware security, no local admin, restricted browsing
• AppLocker and Device Guard, Software Center, application security review
• Dedicated identity and resource forests
• Multi-factor authentication with physical or virtual smartcard
• Least and temporary privilege: Just-in-Time elevation
• Access control and monitoring
Empowering You
• Privileged Access Workstation guidance on TechNet [link]
• Multi-factor authentication
• Azure AD Conditional Access (location, compliant devices)
• Just-in-Time access to IaaS
• Azure AD monitoring
Data Protection
Securing the Platform
• Azure Key Vault and internal key management solution
• BitLocker
• Access control with Just-in-Time elevation and monitoring
• Data segregation (multi-tenant)
Empowering You
• Azure Key Vault with Hardware Security Modules (HSM)
• Virtual machine encryption
• Storage encryption
• Transparent Data Encryption (TDE) for SQL
• Data destruction policy
Vulnerability Patching / Monitoring
Securing the Platform
• Access control and monitoring
• Baseline configuration
• Antimalware
• Update monitoring and management
• Vulnerability scanning
Empowering You
• Azure Security Center
• Antimalware
• Baseline configuration monitoring
• Update monitoring
• Vulnerability scanning (3rd-party solution)
• Security detections
• Web Application Firewall
• SIEM integration with Azure Monitor
Incident Response
Flow: Event start → Event detected → Security team engaged → Security event confirmed → DevOps engaged → Incident assessment → Determine customer impact → Determine affected customers → Azure customer notification → Customer process
 In-depth 9-step incident response process
 Focus on containment and recovery
 Makes contractual commitments regarding customer notification and provides forensics
Intrusion and DDoS
Securing the Platform
• Segmentation
• Access Control Lists
• Intrusion detection
• Host firewall
• Edge vulnerability scanning
• DDoS protection
Empowering You
• Host firewall (IaaS)
• Virtual Networks (private IP space for your services)
• Network Security Groups
• Virtual Private Networks
• Just-in-Time VM access (Azure Security Center)
• Network access rules in Azure AD
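To make the Network Security Group and Just-in-Time VM access bullets concrete, here is an added Python model of how an NSG decides an inbound packet (example code, not Azure's implementation): rules are evaluated in ascending priority number, the first match wins, and the platform's default rules (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500) sit behind every custom rule. Two rule sets are compared: a weak one that allows RDP from anywhere and "fixes" it with a Deny that is never reached, and a hardened one where RDP is opened only by a narrow JIT rule. The VNet address space, rule names and sample addresses are assumptions; service tags are simplified (Internet is treated as any source, and destination matching is omitted because the NIC being evaluated sits inside the VNet).

```python
import ipaddress
from dataclasses import dataclass

VNET = ipaddress.ip_network("10.0.0.0/16")   # assumption: address space behind the VirtualNetwork tag
AZURE_LB_PROBE_IP = "168.63.129.16"          # source address of Azure Load Balancer health probes


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int      # custom rules use 100-4096; lower number is evaluated first
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, single IP, "*" or a service tag
    dest_ports: str    # "3389", "1024-65535", "80,443" or "*"


# Default inbound rules every NSG carries; they cannot be deleted, only preceded by lower numbers.
DEFAULT_INBOUND = [
    NsgRule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    NsgRule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]


def _source_matches(rule_source: str, src_ip: str) -> bool:
    ip = ipaddress.ip_address(src_ip)
    if rule_source in ("*", "Internet"):        # simplification: Internet == any source
        return True
    if rule_source == "VirtualNetwork":
        return ip in VNET
    if rule_source == "AzureLoadBalancer":
        return src_ip == AZURE_LB_PROBE_IP
    return ip in ipaddress.ip_network(rule_source, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def evaluate_inbound(custom_rules, src_ip: str, dst_port: int, protocol: str):
    """Return (access, rule name) of the first matching rule in priority order."""
    for rule in sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol != "*" and rule.protocol.lower() != protocol.lower():
            continue
        if not _port_matches(rule.dest_ports, dst_port):
            continue
        if not _source_matches(rule.source, src_ip):
            continue
        return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches every packet")


# Weak configuration: the Deny at 4000 never runs because the Allow at 300 matches first.
WEAK_RULES = [
    NsgRule("AllowRDP", 300, "Allow", "Tcp", "*", "3389"),
    NsgRule("DenyRDPInternet", 4000, "Deny", "Tcp", "Internet", "3389"),
]

# Hardened configuration: RDP is reachable only from the one address approved by a JIT request,
# for the lifetime of that rule; everything else on 3389 falls through to DenyAllInBound.
HARDENED_RULES = [
    NsgRule("JIT-RDP-INC1042", 100, "Allow", "Tcp", "203.0.113.10/32", "3389"),
    NsgRule("AllowHttps", 200, "Allow", "Tcp", "*", "443"),
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, "RDP from 198.51.100.7 ->", evaluate_inbound(rules, "198.51.100.7", 3389, "Tcp"))
```

One caveat the model makes visible: even with the hardened set, a host inside the VNet still reaches port 3389 through AllowVnetInBound. Limiting lateral movement between VMs needs an explicit custom Deny with a number below 65000, not just the absence of an Allow.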
Data Center Security
Securing the Platform
• Multiple layers of physical security
• 24/7/365 surveillance and protection
• Vehicle and individual access checkpoints
• Multi-factor biometric entry point
• Metal detectors
• State-of-the-art fire suppression systems
RED team vs. BLUE team
Red team kill chain: Recon → Delivery → Foothold → Persist → Move → Elevate → Exfiltrate
Blue team response chain: Gather → Detect → Alert → Triage → Context → Plan → Execute
Red Team
• Dedicated adversary performing targeted and persistent attacks against Microsoft Online Services.
• Attacks and penetrates environments using the same steps as an adversary's kill chain.
• Measured by Mean Time to Compromise (MTTC) and Mean Time to Privilege Escalation (MTTP)
Blue Team
• Dedicated set of security responders, or members from across the Security Incident Response, Engineering and Operations organizations.
• Measured by Estimated Time to Detection (ETTD) and Estimated Time to Recovery (ETTR)
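The four metrics above, computed as an added Python example (not Microsoft's tooling) from a constructed log of three red-team exercises. The reference points are assumptions: MTTC and MTTP are measured from the start of reconnaissance to the first foothold and to privilege escalation; ETTD from the foothold to the blue team's detection; ETTR from detection to recovery. An exercise that ends without a detection is reported separately rather than silently dropped, and exercises where the red team escalated before the blue team detected anything are flagged, since those are the runs that should drive detection engineering.

```python
from datetime import datetime
from statistics import mean

# Constructed exercise log: (exercise id, milestone, ISO-8601 UTC timestamp).
# Milestones follow the red kill chain and the blue response chain; only the ones the metrics need are logged.
EXERCISES = [
    ("RT-01", "recon",    "2024-03-04T08:00:00"),
    ("RT-01", "foothold", "2024-03-04T10:30:00"),
    ("RT-01", "detect",   "2024-03-04T11:15:00"),
    ("RT-01", "elevate",  "2024-03-04T14:00:00"),
    ("RT-01", "recover",  "2024-03-04T17:45:00"),
    ("RT-02", "recon",    "2024-03-11T09:00:00"),
    ("RT-02", "foothold", "2024-03-11T09:40:00"),
    ("RT-02", "elevate",  "2024-03-11T12:10:00"),   # escalated before anyone noticed
    ("RT-02", "detect",   "2024-03-12T07:30:00"),
    ("RT-02", "recover",  "2024-03-12T15:00:00"),
    ("RT-03", "recon",    "2024-03-18T08:00:00"),
    ("RT-03", "foothold", "2024-03-18T12:00:00"),
    ("RT-03", "elevate",  "2024-03-18T16:30:00"),   # never detected: a blue-team gap
]


def _milestones(events):
    """Group the flat event log into {exercise: {milestone: datetime}}."""
    per_exercise = {}
    for exercise, milestone, stamp in events:
        per_exercise.setdefault(exercise, {})[milestone] = datetime.fromisoformat(stamp)
    return per_exercise


def _hours(start, end):
    return (end - start).total_seconds() / 3600


def compute_metrics(events):
    per_exercise = _milestones(events)
    mttc, mttp, ettd, ettr, undetected, outpaced = [], [], [], [], [], []
    for exercise, m in per_exercise.items():
        mttc.append(_hours(m["recon"], m["foothold"]))
        if "elevate" in m:
            mttp.append(_hours(m["recon"], m["elevate"]))
        if "detect" not in m:
            undetected.append(exercise)          # no ETTD/ETTR exists for this run
            continue
        ettd.append(_hours(m["foothold"], m["detect"]))
        if "elevate" in m and m["detect"] > m["elevate"]:
            outpaced.append(exercise)            # red reached privilege before blue detected
        if "recover" in m:
            ettr.append(_hours(m["detect"], m["recover"]))
    return {
        "MTTC_h": round(mean(mttc), 2),
        "MTTP_h": round(mean(mttp), 2) if mttp else None,
        "ETTD_h": round(mean(ettd), 2) if ettd else None,
        "ETTR_h": round(mean(ettr), 2) if ettr else None,
        "undetected": undetected,
        "escalated_before_detection": outpaced,
    }


if __name__ == "__main__":
    for key, value in compute_metrics(EXERCISES).items():
        print(f"{key:28s} {value}")
```

The averages alone would hide RT-03 entirely; the two list fields are what a blue team lead actually acts on.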
Compliance coverage
Global
 ISO 27001:2013
 ISO 27017:2015
 ISO 27018:2014
 ISO 22301:2012
 ISO 9001:2015
 ISO 20000-1:2011
 SOC 1 Type 2
 SOC 2 Type 2
 SOC 3
 CSA STAR Certification
 CSA STAR Attestation
 CSA STAR Self-Assessment
 WCAG 2.0 (ISO 40500:2012)
US Gov
 FedRAMP High
 FedRAMP Moderate
 EAR
 DoE 10 CFR Part 810
 NIST SP 800-171
 NIST CSF
 Section 508 VPATs
 FIPS 140-2
 ITAR
 CJIS
 IRS 1075
 DFARS
 DoD DISA SRG Level 5
 DoD DISA SRG Level 4
 DoD DISA SRG Level 2
Industry
 PCI DSS Level 1
 GLBA
 FFIEC
 Shared Assessments
 FISC (Japan)
 APRA (Australia)
 FCA (UK)
 MAS + ABS (Singapore)
 23 NYCRR 500
 HIPAA BAA
 HITRUST
 21 CFR Part 11 (GxP)
 MARS-E
 NHS IG Toolkit (UK)
 NEN 7510:2011 (Netherlands)
 FERPA
 CDSA
 MPAA
 DPP (UK)
 FACT (UK)
 SOX
Regional
 Argentina PDPA
 Australia CCSL / IRAP
 Canada Privacy Laws
 China GB 18030:2005
 China DJCP (MLPS) Level 3
 China TRUCS / CCCPPF
 Singapore MTCS Level 3
 Spain ENS
 Spain DPA
 UK Cyber Essentials Plus
 UK G-Cloud
 UK PASF
 EN 301 549
 EU ENISA IAF
 EU Model Clauses
 EU – US Privacy Shield
 Germany C5
 Germany IT-Grundschutz workbook
 India MeitY
 Japan CS Mark Gold
 Japan My Number Act
 Netherlands BIR 2012
 New Zealand Gov CC Framework
https://aka.ms/AzureCompliance
Azure is a market leader in compliance coverage
Resources: Compliance Control, Microsoft Trust Center, Azure Security Documentation
Azure Security Center (demo)
 Protection through best practices
 Detect threats and attacks
 Remediate issues
Azure is an open and flexible cloud (diagram): any language and any data source, in any operating system, for any device; spanning applications, clients, infrastructure, management, databases & middleware, app frameworks & tools, DevOps, and PaaS & DevOps.
Identity & Access: Azure AD Overview
Azure Active Directory (AAD) offers identity and access management in the cloud, with federation to enterprise Active Directory (enterprise ↔ cloud).
Multi-Factor Authentication: strong authentication adds an extra layer of security for user logins.
Azure AD Single Sign-On: developers can integrate their app with Azure AD for single sign-on functionality.
Security Monitoring: security reports monitor access patterns that help identify potential threats.
Role Based Access Control: role-based access; grant the least privilege required for the task.
Privileged Identity Management: manage, control and monitor access to Azure AD and Office 365 resources through membership in built-in admin roles.
Identity & Access: Single Sign-On Scenario (diagram)
Azure AD federates with on-premises Active Directory and other directories to provide single sign-on from PCs and devices to Microsoft apps, non-Microsoft cloud-based apps, custom LOB apps and ISV/CSV apps.
 Review reports and mitigate potential threats
 Can enable Multi-Factor Authentication
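The Role Based Access Control and Privileged Identity Management bullets above, and the "least and temporary privilege / Just-in-Time elevation" bullets in the administration console and data protection slides, describe one mechanism: standing read-only access plus a time-bound, scoped, audited grant of the specific actions a task needs. The following Python model is an added example (not Azure's authorization engine) of how those pieces compose. It follows the Azure RBAC evaluation rules as documented publicly: an assignment at a scope applies to every child scope, a role's effective permissions are its Actions minus its own NotActions, `*` wildcards span path segments, and deny assignments take precedence. The Reader role mirrors the built-in definition; the Support Operator role, the subscription and resource identifiers, the principal and the timestamps are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase
from typing import Optional, Tuple


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: Tuple[str, ...]
    not_actions: Tuple[str, ...] = ()   # subtracted from this role only, never from other roles


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: RoleDefinition
    scope: str                               # applies to this scope and everything beneath it
    expires_at: Optional[datetime] = None    # None = standing access; set for a JIT elevation


def _matches(pattern: str, action: str) -> bool:
    return fnmatchcase(action.lower(), pattern.lower())   # '*' spans '/' as in Azure RBAC


def _scope_covers(assignment_scope: str, target: str) -> bool:
    a, t = assignment_scope.lower().rstrip("/"), target.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def role_permits(role: RoleDefinition, action: str) -> bool:
    return any(_matches(p, action) for p in role.actions) and \
        not any(_matches(p, action) for p in role.not_actions)


class JitAuthorizer:
    """Evaluates standing, time-bound and deny assignments; records every elevation for audit."""

    def __init__(self, assignments, deny_assignments=()):
        self.assignments = list(assignments)
        self.deny_assignments = list(deny_assignments)   # (principal, scope, action pattern)
        self.audit_log = []

    def elevate(self, principal, role, scope, minutes, now, justification):
        grant = RoleAssignment(principal, role, scope, now + timedelta(minutes=minutes))
        self.assignments.append(grant)
        self.audit_log.append((now.isoformat(), principal, role.name, scope, justification))
        return grant

    def is_allowed(self, principal, action, scope, now) -> bool:
        for p, s, pattern in self.deny_assignments:           # deny always wins
            if p == principal and _scope_covers(s, scope) and _matches(pattern, action):
                return False
        for a in self.assignments:
            if a.principal != principal or not _scope_covers(a.scope, scope):
                continue
            if a.expires_at is not None and now >= a.expires_at:
                continue                                       # JIT grant has lapsed
            if role_permits(a.role, action):
                return True
        return False


# Reader mirrors the built-in role; Support Operator is a hypothetical custom role for this demo.
READER = RoleDefinition("Reader", ("*/read",))
SUPPORT_OPERATOR = RoleDefinition("Support Operator",
                                  actions=("Microsoft.Compute/virtualMachines/*",),
                                  not_actions=("Microsoft.Compute/virtualMachines/delete",))

SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"   # constructed identifiers
PROD_RG = SUB + "/resourceGroups/prod-rg"
DEV_RG = SUB + "/resourceGroups/dev-rg"
WEB01 = PROD_RG + "/providers/Microsoft.Compute/virtualMachines/web01"
DC01 = PROD_RG + "/providers/Microsoft.Compute/virtualMachines/dc01"
DEV01 = DEV_RG + "/providers/Microsoft.Compute/virtualMachines/dev01"
READ = "Microsoft.Compute/virtualMachines/read"
RESTART = "Microsoft.Compute/virtualMachines/restart/action"
DELETE = "Microsoft.Compute/virtualMachines/delete"


def demo_scenario():
    """alice holds standing Reader; a 60-minute JIT elevation lets her restart prod VMs, nothing more."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    authz = JitAuthorizer(
        assignments=[RoleAssignment("alice", READER, SUB)],
        deny_assignments=[("alice", DC01, "Microsoft.Compute/virtualMachines/*")],  # DC is off limits
    )
    r = {"read_before": authz.is_allowed("alice", READ, WEB01, t0),
         "restart_before": authz.is_allowed("alice", RESTART, WEB01, t0)}
    authz.elevate("alice", SUPPORT_OPERATOR, PROD_RG, 60, t0, justification="INC-1042 web01 hung")
    t1 = t0 + timedelta(minutes=30)
    r["restart_during"] = authz.is_allowed("alice", RESTART, WEB01, t1)
    r["delete_during"] = authz.is_allowed("alice", DELETE, WEB01, t1)       # blocked by NotActions
    r["restart_other_rg"] = authz.is_allowed("alice", RESTART, DEV01, t1)   # outside the grant scope
    r["restart_dc_during"] = authz.is_allowed("alice", RESTART, DC01, t1)   # deny assignment wins
    t2 = t0 + timedelta(minutes=65)
    r["restart_after_expiry"] = authz.is_allowed("alice", RESTART, WEB01, t2)
    r["read_after_expiry"] = authz.is_allowed("alice", READ, WEB01, t2)
    return r, authz.audit_log


if __name__ == "__main__":
    results, log = demo_scenario()
    for key, value in results.items():
        print(f"{key:22s} {value}")
    print("audit:", log)
```

Two properties are worth checking against any real JIT setup: the elevation carries a justification that lands in the audit log, and expiry is enforced by the authorizer itself rather than by a cleanup job that might not run.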
Data protection
Data segregation: logical isolation segregates each customer's data from that of others.
In-transit data protection: industry-standard protocols encrypt data in transit to/from outside components, as well as data in transit internally, by default.
Data redundancy: customers have multiple options for replicating data, including the number of copies and the number and location of replication datacenters.
At-rest data protection: customers can implement a range of encryption options for virtual machines and storage.
Encryption: data encryption in storage or in transit can be deployed by the customer to align with best practices for ensuring confidentiality and integrity of data.
Data destruction: when customers delete data or leave Azure, Microsoft follows procedures to render the previous customer's data inaccessible.
Update Management
Monthly cycle: MSRC patch review → Patching rollout → Scanning → Audit validation
• MSRC patch review: monitor 100,000+ vulnerability reports, sourced from customers and a worldwide network of security researchers; review and test all changes
• Patching rollout: prioritize critical updates; monthly OS releases with patches
• Scanning: scanning and reporting of all Azure VMs; track and remediate any findings
• Audit validation: reconciliation report; resolution summary
AZURE:
 Applies patch management as a service
 Rigorously reviews and tests all changes
CUSTOMER:
 Applies similar patch management strategies for their virtual machines
Visualizing the security layers (diagram): Encryption | Secure Networking | Partner Solutions
Azure security and Compliance

  • 1.
  • 2. Unified platform for modern business Azure Regions Compute Data Storage Network Services App Services
  • 3. Satya Nadella on Customer Security & Privacy
  • 4. Unified Development Security & Management Data Platform Common Identity Only consistent hybrid cloud Azure Services Azure Security & Management Azure Data Services Azure Active Directory Azure Stack On-premises Infrastructure SQL Server Active Directory
  • 5. Azure security posture (assume breach)
    • Protect: Security Development Lifecycle; Threat Modeling; Code Review; Security Testing; Network/User/Data/System security
    • Detect: Auditing and Certification; Live Site Penetration Testing; Centralized Logging and Monitoring; Fraud and Abuse Detection
    • Respond: Breach Containment; Coordinated Security Response; Customer Notification
    • Learn: Post-Breach Assessment
  • 6. Cloud Services Security is a Shared Responsibility. The security of your Microsoft cloud service is a partnership between you and Microsoft. Microsoft cloud services are built on a foundation of trust and security. Microsoft provides you security controls and capabilities to help you protect your data and applications. You own your data and identities and the responsibility for protecting them, the security of your on-premises resources, and the security of the cloud components you control (varies by service). Stack layers: Administration, Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage, Networking; each is managed by the customer or by the service provider depending on the model (On Prem, IaaS, PaaS, SaaS).
  • 7. Security Development Lifecycle (infrastructure security controls, operational security controls, compliance). Phases: Training, Requirements, Design, Implementation, Verification, Release, Response. Pillars: Education, Process, Accountability, with ongoing process improvements. Roles: administer and track security training; guide product teams to meet SDL requirements; establish release criteria & sign-off as part of FSR; Incident Response (MSRC).
  • 8. Secure Development Lifecycle: Empowering You
    • Secure Development Lifecycle - https://www.microsoft.com/en-us/sdl/
    • Tools to enable writing and releasing secure code:
      • Secure Code Analysis VSTS Extension (Private Preview); contact: sdt-vsts@microsoft.com
      • Static Analysis for .NET: Roslyn Security Analyzers
      • Binary Static Analysis Tool [GitHub]: provides security and correctness results for Windows portable executables
      • Credential Scanner (CredScan): detecting creds in source & more; GitHub and VS IDE integration
      • Threat Modelling Tool (TMT2016)
  • 9. Securing the platform and empowering you, across the platform areas: Natural Disasters; Intrusion & DDoS; Identity Management; Administration Console; Hardware Management; Vulnerability Patching / Monitoring; Data Protection; Physical Access (diagram spanning Data, Compute, Network, Storage, Trust).
  • 10. Identity Management and Administration Console
    Securing the Platform:
      • Locked down Secure Admin Workstation
      • Secure Boot, HW security, no admin, restricted browsing
      • AppLocker & Device Guard, Software Center, App security review
      • Dedicated identity and resource forests
      • Multi-factor authentication with physical or virtual smartcard
      • Least and temporary privilege, Just in Time elevation
      • Access Control and Monitoring
    Empowering You:
      • Privileged Access Workstation guidance on TechNet [link]
      • Multi-factor authentication
      • AAD Conditional Access (location, compliant devices)
      • Just in Time access to IaaS
      • AAD Monitoring
  • 11. Data Protection
    Securing the Platform:
      • Azure Key Vault & internal key management solution
      • BitLocker
      • Access control with Just In Time elevation and monitoring
      • Data segregation (multi-tenant)
    Empowering You:
      • Azure Key Vault with Hardware Security Modules (“HSM”)
      • Virtual machine encryption
      • Storage encryption
      • Transparent data layer encryption (“TDLE”) for SQL
      • Data destruction policy
  • 12. Vulnerability Patching / Monitoring
    Securing the Platform:
      • Access control and monitoring
      • Baseline configuration
      • Antimalware
      • Update monitoring and management
      • Vulnerability scanning
    Empowering You:
      • Azure Security Center
      • Antimalware
      • Baseline configuration monitoring
      • Update monitoring
      • Vulnerability scanning (3rd party solution)
      • Security detections
      • Web Application Firewall
      • SIEM integration with Azure Monitor
  • 13. Incident Response (infrastructure security controls, operational security controls, compliance). Process flow: Event Detected → Security Team Engaged → Security Event Confirmed (Event Start) → DevOps Engaged → Incident Assessment → Determine Customer Impact → Azure Customer Notification → Customer Process (Step 1: Determine Affected Customers, Customer Notification).
      • In-depth 9-step incident response process
      • Focus on containment & recovery
      • Makes contractual commitments regarding customer notification and provides forensics
  • 14. Intrusion and DDoS
    Securing the Platform:
      • Segmentation
      • Access Control Lists
      • Intrusion Detection
      • Host firewall
      • Edge vulnerability scanning
      • DDoS protection
    Empowering You:
      • Host firewall (IaaS)
      • Virtual Networks (private IP space for your services)
      • Network Security Groups
      • Virtual Private Networks
      • Just-in-Time VM access (Azure Security Center)
      • Network access rules in AAD
  • 15. Data Center Security (Securing the Platform)
      • Multiple layers of physical security
      • 24/7/365 surveillance and protection
      • Vehicle and individual access checkpoints
      • Multi-factor biometric entry point
      • Metal detectors
      • State-of-the-art fire suppression systems
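As an added example of the segmentation, access-control-list and Network Security Group items above (this is not code from the deck or from Microsoft), the following Bicep definition declares an NSG that admits only HTTPS from one trusted prefix and explicitly denies RDP and SSH from the Internet service tag. The resource name and the 203.0.113.0/24 source prefix (a documentation range) are placeholders.

```bicep
// Added example, not from the original deck. Names and the trusted prefix are placeholders.
param nsgName string = 'nsg-web-example'
param location string = resourceGroup().location
param trustedPrefix string = '203.0.113.0/24'   // constructed value: replace with your admin/corp range

resource nsg 'Microsoft.Network/networkSecurityGroups@2022-07-01' = {
  name: nsgName
  location: location
  properties: {
    securityRules: [
      {
        name: 'allow-https-from-trusted'
        properties: {
          priority: 100                 // lower number is evaluated first
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: trustedPrefix
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '443'
        }
      }
      {
        name: 'deny-management-ports-from-internet'
        properties: {
          priority: 200
          direction: 'Inbound'
          access: 'Deny'
          protocol: 'Tcp'
          sourceAddressPrefix: 'Internet' // service tag for public address space
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRanges: [
            '22'
            '3389'
          ]
        }
      }
    ]
  }
}
```

Anything not matched by these rules falls through to the platform default rules, which allow traffic from inside the virtual network and from the Azure load balancer and deny everything else inbound. The explicit deny on 22 and 3389 is the baseline that Just-in-Time VM access builds on: a JIT request temporarily adds a higher-priority allow rule for the requester's source address and then removes it when the window expires, so management ports are closed by default and opened only on demand.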
  • 16.
  • 17. RED team vs. BLUE team. Attacker kill chain: Recon → Delivery → Foothold → Persist → Move → Elevate → Exfiltrate. Defender chain: Gather → Detect → Alert → Triage → Context → Plan → Execute.
    Red Team:
      • Dedicated adversary performing targeted and persistent attacks against our Microsoft Online Services.
      • Attacks and penetrates environments using the same steps as an adversary’s kill chain
      • Mean Time to Compromise (MTTC) + Mean Time to Privilege Escalation (MTTP)
    Blue Team:
      • Dedicated set of security responders or members from across the Security Incident Response, Engineering and Operations organizations.
      • Estimated Time to Detection (ETTD) + Estimated Time to Recovery (ETTR)
  • 18. Azure is a market leader in compliance coverage (https://aka.ms/AzureCompliance). Offerings, grouped on the slide under Global, US Gov, Industry and Regional: ISO 27001:2013; ISO 27017:2015; ISO 27018:2014; ISO 22301:2012; ISO 9001:2015; ISO 20000-1:2011; SOC 1 Type 2; SOC 2 Type 2; SOC 3; CSA STAR Certification; CSA STAR Attestation; CSA STAR Self-Assessment; WCAG 2.0 (ISO 40500:2012); FedRAMP High; FedRAMP Moderate; EAR; DoE 10 CFR Part 810; NIST SP 800-171; NIST CSF; Section 508 VPATs; FIPS 140-2; ITAR; CJIS; IRS 1075; PCI DSS Level 1; GLBA; FFIEC; Shared Assessments; FISC (Japan); APRA (Australia); FCA (UK); MAS + ABS (Singapore); 23 NYCRR 500; HIPAA BAA; HITRUST; 21 CFR Part 11 (GxP); MARS-E; NHS IG Toolkit (UK); NEN 7510:2011 (Netherlands); FERPA; CDSA; MPAA; DPP (UK); FACT (UK); SOX; Argentina PDPA; Australia CCSL / IRAP; Canada Privacy Laws; China GB 18030:2005; China DJCP (MLPS) Level 3; Singapore MTCS Level 3; Spain ENS; Spain DPA; UK Cyber Essentials Plus; UK G-Cloud; UK PASF; China TRUCS / CCCPPF; EN 301 549; EU ENISA IAF; EU Model Clauses; EU – US Privacy Shield; Germany C5; DFARS; DoD DISA SRG Level 5; DoD DISA SRG Level 4; DoD DISA SRG Level 2; Germany IT-Grundschutz workbook; India MeitY; Japan CS Mark Gold; Japan My Number Act; Netherlands BIR 2012; New Zealand Gov CC Framework.
  • 20. Azure Security Documentation
  • 21. Azure Security Center: protection through best practices; detect threats and attacks; remediate issues
  • 22. Demo
  • 23. Applications Clients Infrastructure Management Databases & middleware App frameworks & tools DevOps PaaS & DevOps Azure is an open and flexible cloud Any language and any data source in any operating system for any device
  • 24. Identity & Access: Azure AD Overview. Azure Active Directory (AAD) offers identity and access management in the cloud with federation to enterprise AD (enterprise and cloud).
      • Multi-Factor Authentication: strong authentication adds an extra layer of security for user logins.
      • Azure AD Single Sign-on: developers can integrate their app with Azure AD for single sign-on functionality.
      • Security Monitoring: security reports monitor access patterns that help identify potential threats.
      • Role Based Access Control: role-based access; grant the least privilege required for the task.
      • Privileged Identity Management: manage, control and monitor access to Azure AD and O365 resources through membership in built-in admin roles.
  • 25. Identity & Access: Single Sign-On Scenario. Diagram elements: PCs and devices; Microsoft apps; non-MS cloud-based apps; custom LOB apps; ISV/CSV apps; other directories; Active Directory.
      • Review reports and mitigate potential threats
      • Can enable Multi-Factor Authentication
  • 26. Data protection
      • Data segregation: logical isolation segregates each customer’s data from that of others.
      • In-transit data protection: industry-standard protocols encrypt data in transit to/from outside components, as well as data in transit internally, by default.
      • Data redundancy: customers have multiple options for replicating data, including number of copies and number and location of replication datacenters.
      • At-rest data protection: customers can implement a range of encryption options for virtual machines and storage.
      • Encryption: data encryption in storage or in transit can be deployed by the customer to align with best practices for ensuring confidentiality and integrity of data.
      • Data destruction: when customers delete data or leave Azure, Microsoft follows procedures to render the previous customer’s data inaccessible.
  • 27. Update Management (other topics listed: Encryption, Secure Networking, Partner Solutions). Cycle: Monthly MSRC patch review → Patching → Rollout → Scanning → Audit validation.
      • Monitor 100,000+ vulnerability reports, sourced from customers & a worldwide network of security researchers
      • Reviews and tests all changes; prioritize critical updates
      • Monthly OS releases with patches; reconciliation report; resolution summary
      • Scanning & reporting of all Azure VMs; track & remediate any findings
    AZURE: applies patch management as a service; rigorously reviews & tests all changes
    CUSTOMER: applies similar patch management strategies for their Virtual Machines
  • 28. Visualizing the security layers or Public IPs

Editor's Notes

  1. Slide script: Thank you for taking the time today to walk through an end-to-end tour of Azure Security: the intensive and extensive work we’re doing to deliver a cloud you can trust. We’ll focus first on the work we do to secure the platform, and then we’ll cover all of the options we provide to empower you to meet your security requirements.
  2. Topline point: hard and fast rule – every software team goes through this, every release – it’s also embedded in our internal governance. Slide script: The Microsoft Security Development Lifecycle (SDL) is a set of processes and tools designed to minimize the number and severity of vulnerabilities in software products. It encompasses education of development personnel, secure development processes, and accountability of individuals and product teams, all for the building of more consistently secure software. Azure uses the SDL to systematically address security threats throughout the development process: through threat modeling during the design process; following development best practices and code security standards during coding; and requiring the use of various tools for testing and verification before deployment. These proactive checks during development make software less vulnerable to potential threats after release, and the SDL provides a structured and consistent methodology through which to apply them. These methodologies, which are supported by an executive commitment to security, have helped Microsoft develop more secure software.
  3. Slide script: The security controls and risk management processes Microsoft has in place to secure the cloud infrastructure reduce the risk of security incidents, but in the event an incident occurs, the Security Incident Management (SIM) team within the Microsoft Online Security Services & Compliance (OSSC) team is ready 24 hours a day, every day to respond. SIM’s mission is to quickly and accurately assess and mitigate computer security incidents involving Microsoft's Online Services, while managing the necessary internal and customer communications. When events are detected, a 9-step process is kicked off that focuses first on containment and recovery. Customer notification is a key part of this process. Microsoft Azure provides coordination of forensic analysis, evaluation of logs, and VHD images in the event of a platform-level incident. Azure also works with customers to provide log data to help them respond to threats. AZURE: leverages a 9-step incident response process; focuses on containment & recovery; analyzes logs and VHD images in the event of a platform-level incident and provides forensics information to customers when needed; makes contractual commitments regarding customer notification.
  4. 72 certificates as of Jan 2018
  5. Microsoft Trust Center: https://www.microsoft.com/en-us/trustcenter
  6. Azure Security Documentation: https://aka.ms/myASIS
  7. P2
  8. Slide title: Data protection. Slide objectives: Provide an overview of Azure data protection. Slide script: Both technological safeguards, such as encrypted communications, and operational processes help keep customer data secure. Customers have the flexibility to implement additional encryption and manage their own keys.
    Data isolation. Azure is a multi-tenant service, meaning that multiple customers’ deployments and virtual machines are stored on the same physical hardware. Azure uses logical isolation to segregate each customer’s data from that of others. This provides the scale and economic benefits of multitenant services while rigorously preventing customers from accessing one another’s data.
    Data at rest. Customers are responsible for ensuring that data stored in Azure is encrypted in accordance with their standards. Azure offers a wide range of encryption capabilities, giving customers the flexibility to choose the solution that best meets their needs.
    Data in transit. For data in transit, customers can enable encryption for traffic between their own VMs and end users. Azure protects data in transit to or from outside components, as well as data in transit internally, such as between two virtual networks. Azure uses industry standard transport protocols such as TLS between user devices and Microsoft datacenters, and within datacenters themselves.
    Encryption management. Encryption of data in storage and in transit can be used by Azure customers to align with best practices for ensuring confidentiality and integrity of data. It is straightforward for customers to configure their Azure cloud services to use SSL to protect communications from the Internet and even between their Azure hosted VMs.
    Data redundancy. Microsoft ensures data is protected in the event of a cyberattack or physical damage to a datacenter. Customers may opt for in-country storage for compliance or latency considerations or out-of-country storage for security or disaster recovery purposes. Data may be replicated within a selected geographic area for redundancy, but will not be transmitted outside it. When you create your storage account, you must select one of the following replication options:
      • Locally redundant storage (LRS). Locally redundant storage maintains three copies of your data. LRS is replicated three times within a single facility in a single region. LRS protects your data from normal hardware failures, but not from the failure of a single facility.
      • Zone-redundant storage (ZRS). Zone-redundant storage maintains three copies of your data. ZRS is replicated three times across two to three facilities, either within a single region or across two regions, providing higher durability than LRS. ZRS ensures that your data is durable within a single region.
      • Geo-redundant storage (GRS). Geo-redundant storage is enabled for your storage account by default when you create it. GRS maintains six copies of your data. With GRS, your data is replicated three times within the primary region, and is also replicated three times in a secondary region hundreds of miles away from the primary region, providing the highest level of durability. In the event of a failure at the primary region, Azure Storage will fail over to the secondary region. GRS ensures that your data is durable in two separate regions.
    Data destruction. When customers delete data or leave Azure, Microsoft follows strict standards for overwriting storage resources before reuse, as well as physical destruction of decommissioned hardware. Microsoft executes a complete deletion of data on customer request and on contract termination.
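As an added example for the replication choice and the in-transit protection described in this note (not code from the deck or from Microsoft), the following Bicep template creates a storage account whose redundancy is an explicit, constrained parameter and which refuses plain-HTTP and pre-TLS 1.2 connections. The account name is a placeholder supplied at deployment time; the `@allowed` list restricts the SKU to the three options the note describes.

```bicep
// Added example, not from the original deck. The account name is a placeholder parameter.
@minLength(3)
@maxLength(24)
param storageAccountName string   // lowercase letters and digits, globally unique

@allowed([
  'Standard_LRS'   // three copies in a single facility in one region
  'Standard_ZRS'   // three copies across facilities in the region
  'Standard_GRS'   // three copies in the primary region plus three in a distant secondary region
])
param replication string = 'Standard_GRS'   // GRS is the default the note describes

resource sa 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: storageAccountName
  location: resourceGroup().location
  kind: 'StorageV2'
  sku: {
    name: replication
  }
  properties: {
    supportsHttpsTrafficOnly: true   // reject plain HTTP so data in transit is always TLS-protected
    minimumTlsVersion: 'TLS1_2'      // refuse TLS 1.0/1.1 handshakes
    allowBlobPublicAccess: false     // anonymous container access stays off unless deliberately enabled
  }
}
```

Making the SKU a parameter with an allowed list means a review of the deployment parameters shows the durability decision directly, and a policy or pipeline check can reject LRS for data that must survive a facility loss. Encryption at rest with Microsoft-managed keys is on for every storage account regardless of these settings; customer-managed keys in Key Vault are a separate configuration not shown here.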
  9. Key point – patch management as a service – this gets done for you! Slide script: Security patches help protect systems from known vulnerabilities. Integrated deployment systems manage the distribution and installation of security updates for the Azure service. Customers can apply similar update management processes for virtual machines (VMs) deployed on Azure.
    AZURE: Microsoft Azure works with MSRC to identify when patch releases are required, and applies patches immediately or during a scheduled release to the Microsoft Azure environment based on the severity. Microsoft Azure is notified by the Microsoft Security Response Center (MSRC) and Microsoft Online Security Services & Compliance (OSSC) teams upon identification of updates applicable to the Azure environment. This includes the notification of the latest patches released. Microsoft Azure works with MSRC and evaluates patch releases to determine applicability and impact to the Microsoft Azure environment and customers. The applicable security patches are released through the periodic OS release cycle in accordance with change and release management procedures. Emergency out-of-band security patches (e.g., Software Security Incident Response Process (SSIRP) patches) are expedited for more immediate release. The patches are automatically applied to the customers’ Guest VMs unless the customer has configured the VM for manual upgrades. In this case, the customer is responsible for patching.
    Microsoft Azure follows a change process to modify the underlying OS within the platform. All changes are reviewed and tested, at a minimum, for their quality, performance, impact on other systems, recovery objectives and security features before they are moved into production using the Microsoft Azure Release process. Microsoft Azure has established test windows for reviewing and testing of new features, changes to existing features and patches.
    CUSTOMERS: Customers apply patches to their Virtual Machines using System Center or whatever other processes they use on-premises.