MVP Unplugged #5
Sofia, Oct 28th 2021
Azure Security for Developers
It is Never Just the Security Tools
Security Certification (A Story)
• We have our own product and wish to obtain a security certification badge
• Contacted Microsoft officials from the Nordics, Germany and the US (10+ people)
with the question:
“Please propose an organization from your network that:
Can perform an audit of a platform solution in Azure
Can issue a label/badge to verify compliance”
Typical Security Schemes
• L1 – Basic security requirements (checklist self-declaration)
• L2 – L1 + Security-by-Design
• L3 – L2 + Static code analysis and 3rd-party scanning of binaries for vulnerabilities
• L4 – L3 + Structured pentest by an approved 3rd-party lab
Internet Security at its Best
IoT Security Maturity Model
• Developed by the Industrial Internet Consortium (IIC; 250+ companies across 30 countries, incl. Microsoft)
• Guides organizations in security practices
• Objectives
o Foster collaboration between business stakeholders and tech experts
o Define a framework for setting a security target
o Define performance indicators
o Guide the process of maturing
• Primary Authors
o Sandy Carielli - Entrust Datacard
o Matthew Eble - Praetorian
o Frederick Hirsch - Fujitsu
o Ekaterina Rudina - Kaspersky Lab
o Ron Zahavi - Microsoft Azure IoT
Azure Security Benchmark
• Security Benchmark
o Best practices and recommendations to help improve the security of workloads, data, and services on Azure.
• v2 is the current release
o V1: https://docs.microsoft.com/en-us/security/benchmark/azure/overview-v1
o V2: https://docs.microsoft.com/en-us/security/benchmark/azure/overview
• Security Controls – high-level description of a capability to be addressed, grouped into control domains
• Security Baselines – the benchmark controls applied to an individual Azure service
• Control domains (shared by the controls and the per-service baselines)
o Network Security
o Identity Management
o Privileged Access
o Data Protection
o Asset Management
o Logging and Threat Detection
o Incident Response
o Posture and Vulnerability Management
o Endpoint Security
o Backup and Recovery
o Governance and Strategy
Azure Security Baselines
• Each baseline shows how to meet the benchmark controls for one service through its tools, tracking and security features
• Security Baselines (around 100 exist), for example:
o App Service
o Web Application Firewall
o API Management
o SQL Database
o Service Bus
o Logic Apps
o Storage
o Event Hubs
o Event Grid
Takeaways
Azure Security Benchmark
• https://docs.microsoft.com/en-us/security/benchmark/azure/
Security Benchmarks Docs
• https://github.com/MicrosoftDocs/SecurityBenchmarks
Security Maturity Model
• https://www.iiconsortium.org/smm.htm
• https://www.iiconsortium.org/pdf/SMM_Description_and_Intended_Use_V1.2.pdf
Microsoft Cloud Adoption Framework for Azure (Security)
• https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/secure/
• https://github.com/microsoft/CloudAdoptionFramework
Upcoming Events
jsTalks (Bulgaria), 2021
November 19-20
http://jstalks.net/

Azure security guidelines for developers