Spiffy, profile picture
Uploaded bySpiffy
PPTX, PDF7,722 views

MS Cloud day - Understanding and implementation on Windows Azure platform security

This document summarizes a session on security challenges and approaches for designing and developing secure applications on the Microsoft Windows Azure platform. It discusses threats that are handled by Windows Azure like physical attacks and those that remain the customer's responsibility like attacks on a customer's tenant. It also outlines various security measures implemented in Windows Azure like certifications, penetration testing, access controls, and role-based access.

Embed presentation

Downloaded 35 times
Microsoft Cloud DayTan ChoonNgeeDirector, aZaaS Pte LtdUnderstanding and implementation Windows Azure platform securityChoonNgee has more than 10 years of IT Sales, Marketing and Consulting experience with leading organizations like JP Morgan and Crimson Logic. He has developed several businesses focussed purely on Microsoft Technologies during this period.This session focuses on the security challenges and recommended approaches to design and develop more secure applications for Microsoft’s Windows Azure platform.
Understanding and implementation Windows Azure platform securityMicrosoft CorporationAuthors Andrew Marshall (Senior Security Program Manager, Security Engineering) Michael Howard (Principal Security Program Manager, Security Engineering) Grant Bugher (Lead Security Program Manager, OSSC) Brian Harden (Security Architect, OSSC) Contributors Charlie Kaufman (Principal Architect) Martin Rues (Director, OSSC) Vittorio Bertocci (Senior Technical Evangelist, Developer and Platform Evangelism
Responsibility for Threat MitigationThere are many threats to a traditional serverThere are some additional threats in the case of cloud computingSome threats are handled by Windows Azure; others remain the responsibility of the customer
Windows Azure Security CertificationsISO/IEC 27001:2005 certificationSAS 70 Type 1 and II attestationsPCI Data Security Standard complianceSarbanes–Oxley Act complianceHealth Insurance Portability and Accountability Act compliance
External Verification Microsoft contracted two top-tier penetration testing firms Conduct security assessments on different elements of the Windows Azure architecture Examined hardened virtualization boundaries and Probed for side-channel or I/O thrashing attacksSix professional penetration testers working over the course of seven weeks were unable to mount a successful attack against this design.
Threats Handled by AzurePhysical AttacksOn ServersCentral AdminUsersCustomer AdminWindows AzureCustomer TenantExternal Web Site
Attacks against Windows AzureA successful attack on the infrastructure could compromise all of our customersWindows Azure must secure its facilities against unauthorized accessWindows Azure must secure its interfaces against attacks over the networkCustomer tenants breaking out of their VMsAttackers successfully impersonating customer administrators or Windows Azure administratorsCustomer administrators affecting other than their own tenantsPhysical AttacksOn ServersUsersCustomer AdminWindows AzureCustomer Tenant
Abuse of Privilege by Windows Azure AdministratorsWindows Azure administrators could make unauthorized access to customer dataProcedures involving customer consent when such access is necessarySeparation of Duty to prevent abuse by a single rogue administratorAuditing to assure that unauthorized access will be discoveredCentral AdminWindows AzureCustomer Tenant
Using Windows Azure as a Platform for Attacking OthersMS will receive complaints of misbehavior by Windows Azure tenantsMS proactively monitor outbound access to detect common cases (port scans, spam)If a good customer’s tenant has been compromised (botted), MS work with the customer to resolve the problemIf a customer intentionally attacks others, MS ban themWindows AzureCustomer TenantExternal Web Site
Defenses Inherited by Windows Azure TenantsSpoofingTampering & DisclosureElevation of PrivilegeDenial of ServiceLoad-balanced InfrastructureNetwork bandwidth throttlingCiscoGuard enabled on Storage nodesConfigurable scale-outVM switch hardeningCertificate ServicesShared-Access SignaturesHTTPS Sidechannel protectionsPartial Trust RuntimeHypervisor custom sandboxingVirtual Service AccountsVLANsTop of Rack SwitchesCustom packet filteringPort Scanning/ Service EnumerationService Definition file, Windows Firewall, VM switch packet filtering
Windows Azure Security Layers18Network ACLs: dedicated VLANS for tenant nodes
How does it work?For Windows Azure Storage and SQL Azure, like any other shared serviceStorage or SQL account owned by some customer who sets access policyAccess policy is enforced by the code that parses and satisfies requestsFor Windows Azure Compute, MS create customer owned VMs, isolated by a hypervisor
Underlying HardwareRack mounted serversEach rack has a collection of identical nodesEach node (currently) has 2 CPU chips with 4 cores each16 Gig of memoryDisks for local storageNetwork Interface to a Top of Rack Switch
Hypervisor & VM SandboxGuest VMGuest VMGuest VMGuest VMGuest VMGuest VMGuest VMRoot VMHypervisorNetwork/DiskAll Guest access to network and disk is mediated by Root VM (via the Hypervisor)
Managing it all through the Fabric Controllers
What does the world look like to a Guest VM?1, 2, 4, or 8 CPUs; up to 14 GB or memoryThree disk drives:C:\ (for temps; initially populated with config file)D:\ (for OS code; initially as supplied by Windows Azure)E:\ (for application code; initially as supplied by customer admin)Network connectivity to Internet via NAT and to other VMs of same tenantGuest agent accepts incoming HTTP/RPC connections from Root OS
Handling Attacks by a TenantNot dependent on the security of WindowsInstead, dependent on the security of the Hypervisor and the exposed network and disk driversC:\, D:\, and E:\ are not really disks. They are VHD files in the root OS’s file system.Attack surface is minimized by accepting few commands and supporting only a few hardware devices
Windows Azure StorageRuns on separate hardware with no network connectivity to compute except (logically) through InternetRequests run over HTTP and optionally over SSL with server authenticationStorage is organized into storage accountsA single customer may have many storage accountsA single secret key controls all access to a storage account
Access ControlSome accommodation to more fine-grained access controls:Some data can be marked as world-readableShared access signatures supports some forms of limited delegationA customer wanting fine-grained access controls can implement a front end compute tenant that has full access to the storage account but mediates access to data items
Windows Azure Storage ScalabilityTo reduce the need for locks when dealing with a conventional file system, Windows Azure storage implements the primitives: blobs, tables, and queues.For backwards compatibility, it also implements an virtual drive with disk semantics for applications that have not been converted.The customer is responsible for coordinating the assignment of virtual drives to VMs. A virtual drive can only be open for write from one VM at a time.
Windows Azure Storage SecurityAccess to data in a specific account is only granted to entities having the secret key for that accountStorage keys are randomly generated when the storage account is created (or later at the request of the customer)A storage account may have two active keys at any given time to support key rolloverStorage keys are used to HMAC sign each access request
SQL AzureAs with storage, runs on separate hardware with no connectivity to compute except (logically) over the InternetDeveloper portal can create databases and set an administrator passwordSQL administrator can create additional user accounts, each authenticated with a password
Threats Customer Still Must Worry AboutUsersCustomer AdminWindows AzureCustomer Tenant
Abuse of Privilege by a Customer AdministratorCustomer administrators are authorized to update the code and access the data belonging to any customer tenantCustomer administrators are authenticated with cryptographic keys that the customer must protectCustomers should implement deployment practices as carefully as they would for applications in their own data centersCustomer AdminWindows AzureCustomer Tenant
Attacks on a Customer’s TenantA tenant is much like a physical server. If there are bugs in its code, it can be compromised over the networkMS can look for symptoms in some cases, but it is ultimately the customer’s responsibilityUsersWindows AzureCustomer Tenant
Securing the Front DoorIdentity Management and Access ControlWindows Identity Foundation Active Directory Federation Services 2.0 Windows Azure AppFabric Access Control Service
Authenticating Users
IdentityProvidersYour ApplicationACSAppFabricACSSAMLSWTBrowser-basedWS-FederationADFS2 . WS-FederationRichClientSAMLWS-TrustADFS2 . WS-TrustServer 2 ServerSWTOAuth WRAP/2.0Service Identities
Gatekeeper Design Pattern
Multi Key Design Pattern
Example of ArchitectureWorker RoleWeb RoleInput Queue (Work Items)Worker RoleWeb RoleStorageQueueWorker RoleWeb RoleWorker Role
Namespace Configuration Issues Avoid using *servicename*.cloudapp.net domain name - use a custom domain name instead. cloudapp.net namespace is inherently less trusted than the domain namespace of a single enterprise Don’t create code that requires users to place cloudapp.net in the trusted sites list in their web browser. Never scope cookies or document.domain to cloudapp.net. Instead, scope to the service subdomain (such as contoso.cloudapp.net, for example or, better, www.contoso.com).
Data SecurityGenerate Shared Access Signatures with the most restrictive set of ACLs possible that still grant the access required by the trusted party. Use the shortest lifetime possible. Use HTTPS in the request URL so the token cannot be snooped on the wire. Remember that these tokens are only used for temporary access to non-public blob storage – as with passwords, it’s a bad idea to use the same ones over and over
Handling Secret Information Encrypt data offsite then upload encrypted payload to blob storageShould not upload the key or any keying material to Windows Azure StorageShould not store private keys associated with SSL/TLS certificates in Windows Azure Storage. Instead, upload them through the Developer Portal and access them via thumbprint references in the Service Configuration. Windows Azure will securely provision them into the certificate stores of the service’s web roles upon boot
Auditing and LoggingEvents are not written to application, security, or audit event logsLogged to Windows Azure Storage through the Monitoring and Diagnostics Agent via trace listeners in web application code. Then stored long-term in Windows Azure Storage via scheduled transfers performed by the Monitoring Agent. Not encrypted - Do not write sensitive information to any events stored in Windows Azure Table Storage Choose HTTP or HTTPS to retrieve logs
Request Throttling / Input Sanitization Developers must do application-level throttling of incoming requests for any kind of complex, time-intensive operation. Fuzz test any new parsers deployed as part of a web service. Fuzz test it to ensure the code can correctly accommodate malformed input. Microsoft currently applies to “boxed-product” software fuzzing requirement : 100,000 iterations of each new format or protocol without crashing, or runs non-stop for 24 hours
Other Security ConsiderationsSecure designAttack surface reduction Defense in depth Principle of least privilege Threat modeling Secure codingCross-site scripting SQL injection Managed code security (transparency, code access security, assembly strong naming, etc.)
Today’s PromotionFREE* for first 5 customers only! Email promotion code “AZURE6M” with your contact details to sales@azaas.com to register.Special package worth S$38006 months of Windows Azure Platform DAE6 months of aZaaS Cloud Application Engine subscription2 man-days of services to create your cloud applicationOffer is only valid till 30 April 2011*Credit card required for sign-up. Any monthly usage in excess of the stated amounts will be charged at the standard rates. After 6 months, all usage will then be charged at the standard rates. Testimonial regarding services from Microsoft and aZaaS will be required.
Microsoft Cloud Day

More Related Content

PDF
Microsoft Windows Azure - Security Best Practices for Developing Windows Azur...
byMicrosoft Private Cloud
 
PDF
منصة شليلة
byssuser81f53f
 
PDF
Azure for beginners series session 4
byLalit Rawat
 
PDF
Chained Enforceable Re-authentication Barrier Ensures Really Unbreakable Secu...
byToshiharu Harada, Ph.D
 
PDF
Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect ...
byQuest
 
PDF
Active Directory and Virtualization
byAniket Pandey
 
PPTX
BlueHat v17 || Securing Windows Defender Application Guard
byBlueHat Security Conference
 
PPTX
Windows Azure Security Features And Functionality
byvivekbhat
 
Microsoft Windows Azure - Security Best Practices for Developing Windows Azur...
byMicrosoft Private Cloud
 
منصة شليلة
byssuser81f53f
 
Azure for beginners series session 4
byLalit Rawat
 
Chained Enforceable Re-authentication Barrier Ensures Really Unbreakable Secu...
byToshiharu Harada, Ph.D
 
Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect ...
byQuest
 
Active Directory and Virtualization
byAniket Pandey
 
BlueHat v17 || Securing Windows Defender Application Guard
byBlueHat Security Conference
 
Windows Azure Security Features And Functionality
byvivekbhat
 

What's hot

PDF
Microsoft Azure Security Infographic
byMicrosoft Azure
 
PDF
Best Practices for Running Symantec Endpoint Protection 12.1 on Microsoft Azure
bySymantec
 
PPTX
Scada strange love uwn-stuxnet
byPositive Hack Days
 
PPTX
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
byMongoDB
 
PDF
ReCertifying Active Directory
byWill Schroeder
 
PDF
Intel vmcs-shadowing-paper
byAhmed Sallam
 
PDF
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
byFelipe Prado
 
PPTX
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
byBlueHat Security Conference
 
PPTX
Cloud security
byinsoonjo
 
PDF
Password Synchronization
byPortalGuard dba PistolStar, Inc.
 
PDF
Identifying and analyzing security threats to virtualized cloud computing inf...
byIBM222
 
PDF
1.3. (In)security Software
bydefconmoscow
 
PDF
A SURVEY ON SECURITY CHALLENGES OF VIRTUALIZATION TECHNOLOGY IN CLOUD COMPUTING
byijcsit
 
PPT
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
byBlueHat Security Conference
 
PPT
Common WSUS Errors Codes - Decoded and Resolved
bySolarWinds
 
PPTX
Windows Malware Techniques
byLee C
 
PPTX
Microsoft Ignite session: Explore adventures in the underland: forensic techn...
byPaula Januszkiewicz
 
PDF
Atc ny friday-talk_slides_20080808
byTodd Deshane
 
PPTX
Virtualization concepts in cloud computing
byIntegral university, India
 
PDF
Certified Pre-Owned
byWill Schroeder
 
Microsoft Azure Security Infographic
byMicrosoft Azure
 
Best Practices for Running Symantec Endpoint Protection 12.1 on Microsoft Azure
bySymantec
 
Scada strange love uwn-stuxnet
byPositive Hack Days
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
byMongoDB
 
ReCertifying Active Directory
byWill Schroeder
 
Intel vmcs-shadowing-paper
byAhmed Sallam
 
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
byFelipe Prado
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
byBlueHat Security Conference
 
Cloud security
byinsoonjo
 
Password Synchronization
byPortalGuard dba PistolStar, Inc.
 
Identifying and analyzing security threats to virtualized cloud computing inf...
byIBM222
 
1.3. (In)security Software
bydefconmoscow
 
A SURVEY ON SECURITY CHALLENGES OF VIRTUALIZATION TECHNOLOGY IN CLOUD COMPUTING
byijcsit
 
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
byBlueHat Security Conference
 
Common WSUS Errors Codes - Decoded and Resolved
bySolarWinds
 
Windows Malware Techniques
byLee C
 
Microsoft Ignite session: Explore adventures in the underland: forensic techn...
byPaula Januszkiewicz
 
Atc ny friday-talk_slides_20080808
byTodd Deshane
 
Virtualization concepts in cloud computing
byIntegral university, India
 
Certified Pre-Owned
byWill Schroeder
 

Similar to MS Cloud day - Understanding and implementation on Windows Azure platform security

PPTX
Enter The Matrix Securing Azure’s Assets
byBizTalk360
 
PPTX
Azure security
byLalit Rawat
 
PPTX
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud
byEuropean Collaboration Summit
 
PPTX
Simplify hybrid data integration at an enterprise scale. Integrate all your d...
byvaranasisatyanvesh
 
PDF
Cortana Analytics Workshop: Cortana Analytics -- Security, Privacy & Compliance
byMSAdvAnalytics
 
PDF
InfoTRAMS - Czy platforma Microsoft Azure jest biznoseow bezpieczna?
byTobias Koprowski
 
PDF
CSS17: Houston - Azure Shared Security Model Overview
byAlert Logic
 
PPTX
Windows Azure
byJohn Alioto
 
PDF
366864108 azure-security
byober64
 
PPTX
Security on Windows Azure
byHaddy El-Haggan
 
PDF
Microsoft Azure Security Overview
byAlert Logic
 
PDF
Major Cloud Providers - Azure.pdf new doc
byVaradhaB
 
PPTX
Azure Security Overview
byAllen Brokken
 
PDF
O365Con18 - Red Team vs Blue Team - Sasha Kranjac & Mustafa Toroman
byNCCOMMS
 
PDF
azure-security-overview-slideshare-180419183626.pdf
byBenAissaTaher1
 
PPTX
How do you protect a hybrid PaaS-IaaS solution, built entirely in the cloud?
byLorenzo Barbieri
 
PDF
AZ900-AzureFundamentals-part-11.pdf
byssuser2dbaee
 
PDF
Microsoft Azure Cloud Services
byDavid J Rosenthal
 
PDF
7.habits.every.azure.admin.must.have.v082020
byWim Matthyssen
 
PPTX
Cloud computing & windows azure intro
byHaddy El-Haggan
 
Enter The Matrix Securing Azure’s Assets
byBizTalk360
 
Azure security
byLalit Rawat
 
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud
byEuropean Collaboration Summit
 
Simplify hybrid data integration at an enterprise scale. Integrate all your d...
byvaranasisatyanvesh
 
Cortana Analytics Workshop: Cortana Analytics -- Security, Privacy & Compliance
byMSAdvAnalytics
 
InfoTRAMS - Czy platforma Microsoft Azure jest biznoseow bezpieczna?
byTobias Koprowski
 
CSS17: Houston - Azure Shared Security Model Overview
byAlert Logic
 
Windows Azure
byJohn Alioto
 
366864108 azure-security
byober64
 
Security on Windows Azure
byHaddy El-Haggan
 
Microsoft Azure Security Overview
byAlert Logic
 
Major Cloud Providers - Azure.pdf new doc
byVaradhaB
 
Azure Security Overview
byAllen Brokken
 
O365Con18 - Red Team vs Blue Team - Sasha Kranjac & Mustafa Toroman
byNCCOMMS
 
azure-security-overview-slideshare-180419183626.pdf
byBenAissaTaher1
 
How do you protect a hybrid PaaS-IaaS solution, built entirely in the cloud?
byLorenzo Barbieri
 
AZ900-AzureFundamentals-part-11.pdf
byssuser2dbaee
 
Microsoft Azure Cloud Services
byDavid J Rosenthal
 
7.habits.every.azure.admin.must.have.v082020
byWim Matthyssen
 
Cloud computing & windows azure intro
byHaddy El-Haggan
 

More from Spiffy

PDF
01 server manager spiffy
bySpiffy
 
PDF
Active Directory Upgrade
bySpiffy
 
PDF
Checking the health of your active directory enviornment
bySpiffy
 
PPTX
Agile in Action - Act 2: Development
bySpiffy
 
PDF
Agile in Action - Act 3: Testing
bySpiffy
 
PPTX
Agile in Action - Keynote: Becoming and Being Agile - What Does This Mean?
bySpiffy
 
PPTX
Agile in Action - Act 1 (Set Up, Planning, Requirements and Architecture)
bySpiffy
 
PDF
MS TechDays 2011 - WCF Web APis There's a URI for That
bySpiffy
 
PDF
MS TechDays 2011 - NUI, Gooey and Louie
bySpiffy
 
PDF
MS TechDays 2011 - Mango, Mango! Developing for Windows Phone 7
bySpiffy
 
PDF
MS TechDays 2011 - Generate Revenue on Azure
bySpiffy
 
PDF
MS TechDays 2011 - HTML 5 All the Awesome Bits
bySpiffy
 
PDF
MS TechDays 2011 - Cloud Computing with the Windows Azure Platform
bySpiffy
 
PDF
MS TechDays 2011 - Simplified Converged Infrastructure Solutions
bySpiffy
 
PDF
MS TechDays 2011 - SCDPM 2012 The New Feature of Data Protection
bySpiffy
 
PDF
MS TechDays 2011 - Microsoft Exchange Server and Office 365 Hybrid Deployment
bySpiffy
 
PDF
MS TechDays 2011 - How to Run Middleware in the Cloud Story of Windows Azure ...
bySpiffy
 
PDF
MS TechDays 2011 - Cloud Management with System Center Application Controller
bySpiffy
 
PDF
MS TechDays 2011 - Virtualization Solutions to Optimize Performance
bySpiffy
 
PDF
MS TechDays 2011 - Automating Your Infrastructure System Center Orchestrator ...
bySpiffy
 
01 server manager spiffy
bySpiffy
 
Active Directory Upgrade
bySpiffy
 
Checking the health of your active directory enviornment
bySpiffy
 
Agile in Action - Act 2: Development
bySpiffy
 
Agile in Action - Act 3: Testing
bySpiffy
 
Agile in Action - Keynote: Becoming and Being Agile - What Does This Mean?
bySpiffy
 
Agile in Action - Act 1 (Set Up, Planning, Requirements and Architecture)
bySpiffy
 
MS TechDays 2011 - WCF Web APis There's a URI for That
bySpiffy
 
MS TechDays 2011 - NUI, Gooey and Louie
bySpiffy
 
MS TechDays 2011 - Mango, Mango! Developing for Windows Phone 7
bySpiffy
 
MS TechDays 2011 - Generate Revenue on Azure
bySpiffy
 
MS TechDays 2011 - HTML 5 All the Awesome Bits
bySpiffy
 
MS TechDays 2011 - Cloud Computing with the Windows Azure Platform
bySpiffy
 
MS TechDays 2011 - Simplified Converged Infrastructure Solutions
bySpiffy
 
MS TechDays 2011 - SCDPM 2012 The New Feature of Data Protection
bySpiffy
 
MS TechDays 2011 - Microsoft Exchange Server and Office 365 Hybrid Deployment
bySpiffy
 
MS TechDays 2011 - How to Run Middleware in the Cloud Story of Windows Azure ...
bySpiffy
 
MS TechDays 2011 - Cloud Management with System Center Application Controller
bySpiffy
 
MS TechDays 2011 - Virtualization Solutions to Optimize Performance
bySpiffy
 
MS TechDays 2011 - Automating Your Infrastructure System Center Orchestrator ...
bySpiffy
 

Recently uploaded

PDF
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
PDF
Logical Optimal Actions – Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
 
PDF
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PDF
apidays New York 2025 | AI in Application Security
byapidays
 
PDF
Chapter 6 Authentication and Access Control.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
AI in the Real World: From University to Industry
byDarvan Shvan
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PDF
Founder & Tech Lead | Web Development & Digital Growth Consultant | Helping B...
byShyamal Das
 
PDF
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
PDF
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
PDF
Reality Drift: Why Systems Keep Working After Meaning Drops Out
byReality Drift Archive | A. Jacobs
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PPTX
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
Logical Optimal Actions – Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
 
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
apidays New York 2025 | AI in Application Security
byapidays
 
Chapter 6 Authentication and Access Control.pdf
byGetnet Tigabie Askale -(GM)
 
AI in the Real World: From University to Industry
byDarvan Shvan
 
Workflow and decision Automation with Flowable
bychakib ch
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
Founder & Tech Lead | Web Development & Digital Growth Consultant | Helping B...
byShyamal Das
 
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
Reality Drift: Why Systems Keep Working After Meaning Drops Out
byReality Drift Archive | A. Jacobs
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 

MS Cloud day - Understanding and implementation on Windows Azure platform security

  • 1.
    Microsoft Cloud DayTanChoonNgeeDirector, aZaaS Pte LtdUnderstanding and implementation Windows Azure platform securityChoonNgee has more than 10 years of IT Sales, Marketing and Consulting experience with leading organizations like JP Morgan and Crimson Logic. He has developed several businesses focussed purely on Microsoft Technologies during this period.This session focuses on the security challenges and recommended approaches to design and develop more secure applications for Microsoft’s Windows Azure platform.
  • 2.
    Understanding and implementationWindows Azure platform securityMicrosoft CorporationAuthors Andrew Marshall (Senior Security Program Manager, Security Engineering) Michael Howard (Principal Security Program Manager, Security Engineering) Grant Bugher (Lead Security Program Manager, OSSC) Brian Harden (Security Architect, OSSC) Contributors Charlie Kaufman (Principal Architect) Martin Rues (Director, OSSC) Vittorio Bertocci (Senior Technical Evangelist, Developer and Platform Evangelism
  • 10.
    Responsibility for ThreatMitigationThere are many threats to a traditional serverThere are some additional threats in the case of cloud computingSome threats are handled by Windows Azure; others remain the responsibility of the customer
  • 11.
    Windows Azure SecurityCertificationsISO/IEC 27001:2005 certificationSAS 70 Type 1 and II attestationsPCI Data Security Standard complianceSarbanes–Oxley Act complianceHealth Insurance Portability and Accountability Act compliance
  • 12.
    External Verification Microsoftcontracted two top-tier penetration testing firms Conduct security assessments on different elements of the Windows Azure architecture Examined hardened virtualization boundaries and Probed for side-channel or I/O thrashing attacksSix professional penetration testers working over the course of seven weeks were unable to mount a successful attack against this design.
  • 13.
    Threats Handled byAzurePhysical AttacksOn ServersCentral AdminUsersCustomer AdminWindows AzureCustomer TenantExternal Web Site
  • 14.
    Attacks against WindowsAzureA successful attack on the infrastructure could compromise all of our customersWindows Azure must secure its facilities against unauthorized accessWindows Azure must secure its interfaces against attacks over the networkCustomer tenants breaking out of their VMsAttackers successfully impersonating customer administrators or Windows Azure administratorsCustomer administrators affecting other than their own tenantsPhysical AttacksOn ServersUsersCustomer AdminWindows AzureCustomer Tenant
  • 15.
    Abuse of Privilegeby Windows Azure AdministratorsWindows Azure administrators could make unauthorized access to customer dataProcedures involving customer consent when such access is necessarySeparation of Duty to prevent abuse by a single rogue administratorAuditing to assure that unauthorized access will be discoveredCentral AdminWindows AzureCustomer Tenant
  • 16.
    Using Windows Azureas a Platform for Attacking OthersMS will receive complaints of misbehavior by Windows Azure tenantsMS proactively monitor outbound access to detect common cases (port scans, spam)If a good customer’s tenant has been compromised (botted), MS work with the customer to resolve the problemIf a customer intentionally attacks others, MS ban themWindows AzureCustomer TenantExternal Web Site
  • 17.
    Defenses Inherited byWindows Azure TenantsSpoofingTampering & DisclosureElevation of PrivilegeDenial of ServiceLoad-balanced InfrastructureNetwork bandwidth throttlingCiscoGuard enabled on Storage nodesConfigurable scale-outVM switch hardeningCertificate ServicesShared-Access SignaturesHTTPS Sidechannel protectionsPartial Trust RuntimeHypervisor custom sandboxingVirtual Service AccountsVLANsTop of Rack SwitchesCustom packet filteringPort Scanning/ Service EnumerationService Definition file, Windows Firewall, VM switch packet filtering
  • 18.
    Windows Azure SecurityLayers18Network ACLs: dedicated VLANS for tenant nodes
  • 19.
    How does itwork?For Windows Azure Storage and SQL Azure, like any other shared serviceStorage or SQL account owned by some customer who sets access policyAccess policy is enforced by the code that parses and satisfies requestsFor Windows Azure Compute, MS create customer owned VMs, isolated by a hypervisor
  • 20.
    Underlying HardwareRack mountedserversEach rack has a collection of identical nodesEach node (currently) has 2 CPU chips with 4 cores each16 Gig of memoryDisks for local storageNetwork Interface to a Top of Rack Switch
  • 21.
    Hypervisor & VMSandboxGuest VMGuest VMGuest VMGuest VMGuest VMGuest VMGuest VMRoot VMHypervisorNetwork/DiskAll Guest access to network and disk is mediated by Root VM (via the Hypervisor)
  • 22.
    Managing it allthrough the Fabric Controllers
  • 23.
    What does theworld look like to a Guest VM?1, 2, 4, or 8 CPUs; up to 14 GB or memoryThree disk drives:C:\ (for temps; initially populated with config file)D:\ (for OS code; initially as supplied by Windows Azure)E:\ (for application code; initially as supplied by customer admin)Network connectivity to Internet via NAT and to other VMs of same tenantGuest agent accepts incoming HTTP/RPC connections from Root OS
  • 24.
    Handling Attacks bya TenantNot dependent on the security of WindowsInstead, dependent on the security of the Hypervisor and the exposed network and disk driversC:\, D:\, and E:\ are not really disks. They are VHD files in the root OS’s file system.Attack surface is minimized by accepting few commands and supporting only a few hardware devices
  • 25.
    Windows Azure StorageRunson separate hardware with no network connectivity to compute except (logically) through InternetRequests run over HTTP and optionally over SSL with server authenticationStorage is organized into storage accountsA single customer may have many storage accountsA single secret key controls all access to a storage account
  • 26.
    Access ControlSome accommodationto more fine-grained access controls:Some data can be marked as world-readableShared access signatures supports some forms of limited delegationA customer wanting fine-grained access controls can implement a front end compute tenant that has full access to the storage account but mediates access to data items
  • 27.
    Windows Azure StorageScalabilityTo reduce the need for locks when dealing with a conventional file system, Windows Azure storage implements the primitives: blobs, tables, and queues.For backwards compatibility, it also implements an virtual drive with disk semantics for applications that have not been converted.The customer is responsible for coordinating the assignment of virtual drives to VMs. A virtual drive can only be open for write from one VM at a time.
  • 28.
    Windows Azure StorageSecurityAccess to data in a specific account is only granted to entities having the secret key for that accountStorage keys are randomly generated when the storage account is created (or later at the request of the customer)A storage account may have two active keys at any given time to support key rolloverStorage keys are used to HMAC sign each access request
  • 29.
    SQL AzureAs withstorage, runs on separate hardware with no connectivity to compute except (logically) over the InternetDeveloper portal can create databases and set an administrator passwordSQL administrator can create additional user accounts, each authenticated with a password
  • 30.
    Threats Customer StillMust Worry AboutUsersCustomer AdminWindows AzureCustomer Tenant
  • 31.
    Abuse of Privilegeby a Customer AdministratorCustomer administrators are authorized to update the code and access the data belonging to any customer tenantCustomer administrators are authenticated with cryptographic keys that the customer must protectCustomers should implement deployment practices as carefully as they would for applications in their own data centersCustomer AdminWindows AzureCustomer Tenant
  • 32.
    Attacks on aCustomer’s TenantA tenant is much like a physical server. If there are bugs in its code, it can be compromised over the networkMS can look for symptoms in some cases, but it is ultimately the customer’s responsibilityUsersWindows AzureCustomer Tenant
  • 33.
    Securing the FrontDoorIdentity Management and Access ControlWindows Identity Foundation Active Directory Federation Services 2.0 Windows Azure AppFabric Access Control Service
  • 34.
  • 35.
    IdentityProvidersYour ApplicationACSAppFabricACSSAMLSWTBrowser-basedWS-FederationADFS2 .WS-FederationRichClientSAMLWS-TrustADFS2 . WS-TrustServer 2 ServerSWTOAuth WRAP/2.0Service Identities
  • 36.
  • 37.
  • 38.
    Example of ArchitectureWorkerRoleWeb RoleInput Queue (Work Items)Worker RoleWeb RoleStorageQueueWorker RoleWeb RoleWorker Role
  • 39.
    Namespace Configuration IssuesAvoid using *servicename*.cloudapp.net domain name - use a custom domain name instead. cloudapp.net namespace is inherently less trusted than the domain namespace of a single enterprise Don’t create code that requires users to place cloudapp.net in the trusted sites list in their web browser. Never scope cookies or document.domain to cloudapp.net. Instead, scope to the service subdomain (such as contoso.cloudapp.net, for example or, better, www.contoso.com).
  • 40.
    Data SecurityGenerate SharedAccess Signatures with the most restrictive set of ACLs possible that still grant the access required by the trusted party. Use the shortest lifetime possible. Use HTTPS in the request URL so the token cannot be snooped on the wire. Remember that these tokens are only used for temporary access to non-public blob storage – as with passwords, it’s a bad idea to use the same ones over and over
  • 41.
    Handling Secret InformationEncrypt data offsite then upload encrypted payload to blob storageShould not upload the key or any keying material to Windows Azure StorageShould not store private keys associated with SSL/TLS certificates in Windows Azure Storage. Instead, upload them through the Developer Portal and access them via thumbprint references in the Service Configuration. Windows Azure will securely provision them into the certificate stores of the service’s web roles upon boot
  • 42.
    Auditing and LoggingEventsare not written to application, security, or audit event logsLogged to Windows Azure Storage through the Monitoring and Diagnostics Agent via trace listeners in web application code. Then stored long-term in Windows Azure Storage via scheduled transfers performed by the Monitoring Agent. Not encrypted - Do not write sensitive information to any events stored in Windows Azure Table Storage Choose HTTP or HTTPS to retrieve logs
  • 43.
    Request Throttling /Input Sanitization Developers must do application-level throttling of incoming requests for any kind of complex, time-intensive operation. Fuzz test any new parsers deployed as part of a web service. Fuzz test it to ensure the code can correctly accommodate malformed input. Microsoft currently applies to “boxed-product” software fuzzing requirement : 100,000 iterations of each new format or protocol without crashing, or runs non-stop for 24 hours
  • 44.
    Other Security ConsiderationsSecuredesignAttack surface reduction Defense in depth Principle of least privilege Threat modeling Secure codingCross-site scripting SQL injection Managed code security (transparency, code access security, assembly strong naming, etc.)
  • 45.
    Today’s PromotionFREE* forfirst 5 customers only! Email promotion code “AZURE6M” with your contact details to sales@azaas.com to register.Special package worth S$38006 months of Windows Azure Platform DAE6 months of aZaaS Cloud Application Engine subscription2 man-days of services to create your cloud applicationOffer is only valid till 30 April 2011*Credit card required for sign-up. Any monthly usage in excess of the stated amounts will be charged at the standard rates. After 6 months, all usage will then be charged at the standard rates. Testimonial regarding services from Microsoft and aZaaS will be required.
  • 47.

Editor's Notes

  • #3 Twitter template
  • #12 As a service provider, Microsoft must comply with regulatory requirements of the governmental entities within whose jurisdictions Azure operates, along with industry regulations that cover many companies in specific fields. Microsoft's compliance framework is designed to address this challenge. The security for Microsoft's cloud infrastructure is managed by the Online Services Security and Compliance team, which maintains the security control framework and develops policies and programs for ensuring compliance and managing security risks.The Microsoft cloud undergoes annual audits for PCI DSS, SOX and HIPAA compliance, as well as internal assessments throughout the year. The Microsoft cloud has obtained ISO/IEC 27001:2005 certification and SAS 70 Type 1 and II attestations. Note:ISO/EC 27001:2005 is a standard that specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System. You can find out more about it here.Note #2:Statement on Auditing Standards (SAS) 70 is an auditing standard developed by the American Institute of Certified Public Accountants, which provides guidance for independent auditors to issue an opinion on a service or organization’s disclosure of its control of activities and processes. Find out more about it here.
  • #18 Spoofing identity. An example of identity spoofing is illegally accessing and then using another user's authentication information, such as username and password.Tampering with data. Data tampering involves the malicious modification of data. Examples include unauthorized changes made to persistent data, such as that held in a database, and the alteration of data as it flows between two computers over an open network, such as the Internet.Repudiation. Repudiation threats are associated with users who deny performing an action without other parties having any way to prove otherwise—for example, a user performs an illegal operation in a system that lacks the ability to trace the prohibited operations. Nonrepudiation refers to the ability of a system to counter repudiation threats. For example, a user who purchases an item might have to sign for the item upon receipt. The vendor can then use the signed receipt as evidence that the user did receive the package. Information disclosure. Information disclosure threats involve the exposure of information to individuals who are not supposed to have access to it—for example, the ability of users to read a file that they were not granted access to, or the ability of an intruder to read data in transit between two computers.Denial of service. Denial of service (DoS) attacks deny service to valid users—for example, by making a Web server temporarily unavailable or unusable. You must protect against certain types of DoS threats simply to improve system availability and reliability.Elevation of privilege. In this type of threat, an unprivileged user gains privileged access and thereby has sufficient access to compromise or destroy the entire system. Elevation of privilege threats include those situations in which an attacker has effectively penetrated all system defenses and become part of the trusted system itself, a dangerous situation indeed.Port Scanning/ Service EnumerationThe only ports open and addressable (internally or externally) on a Windows Azure VM are those explicitly defined in the Service Definition file. Windows Firewall is enabled on each VM in addition to enhanced VM switch packet filtering, which blocks unauthorized traffic Denial of Service Windows Azure’s load balancing will partially mitigate Denial of Service attacks from the Internet and internal networks. This mitigation is done in conjunction with the developer defining an appropriate Service Definition VM instance count scale-out. On the Internet, Windows Azure VMs are only accessible through public Virtual IP Addresses (VIPs). VIP traffic is routed through Windows Azure’s load-balancing infrastructure. Windows Azure monitors and detects internally initiated Denial of Service attacks and removes offending VMs/accounts from the network. As a further protection, the root host OS that controls guest VMs in the cloud is not directly addressable internally by other tenants on the Windows Azure network and the root host OS is not externally addressable.Windows Azure is also reviewing additional Distributed Denial of Service (DDoS) solutions available from Microsoft Global Foundation Services to help further protect against Denial of Service attacks.SpoofingVLANs are used to partition the internal network and segment it in a way that prevents compromised nodes from impersonating trusted systems such as the Fabric Controller. At the Hypervisor VM Switch, additional filters are in place to block broadcast and multicast traffic, with the exception of what is needed to maintain DHCP leases. Furthermore, the channel used by the Root OS to communicate with the Fabric Controller is encrypted and mutually authenticated over an HTTPS connection, and it provides a secure transfer path for configuration and certificate information that cannot be intercepted.Eavesdropping / Packet SniffingThe Hypervisor’s Virtual Switch prevents sniffer-based attacks against other VMs on the same physical host. Top-of-rack switches will be used to restrict which IP and MAC addresses can be used by the VMs and therefore mitigate spoofing attacks on internal networks. To sniff the wire inside the Windows Azure cloud environment, an attacker would first need to compromise a VM tenant in a way that elevated the attacker to an administrator on the VM, then use a vulnerability in the hypervisor to break into the physical machine root OS and obtain system account privileges. At that point the attacker would only be able to see traffic inbound to the compromised host destined for the dynamic IP addresses of the VM guests controlled by the hypervisor. Multi-tenant hosting and side-channel attacksInformation disclosure attacks (such as sniffing) are less severe than other forms of attack inside the Windows Azure datacenter because virtual machines are inherently untrusted by the Root OS Hypervisor. Microsoft has done a great deal of analysis to determine susceptibility to side-channel attacks. Timing attacks are the most difficult to mitigate. With timing attacks, an application carefully measures how long it takes some operations to complete and infers what is happening on another processor. By detecting cache misses, an attacker can figure out which cache lines are being accessed in code. With certain crypto implementations involving lookups from large tables, knowing the pattern of memory accesses - even at the granularity of cache lines - can reveal the key being used for encryption. While seemingly far-fetched, such attacks have been demonstrated under controlled conditions. There are a number of reasons why side-channel attacks are unlikely to succeed in Windows Azure: An attack works best in the context of hyper-threading, where the two threads share all of their caches. Many current CPUs implement fully independent cores, each with a substantial private cache. The CPU chips that Windows Azure runs on today have four cores per chip and share caches only in the third tier.Windows Azure runs on nodes containing pairs of quad-core CPUs, so there are three other CPUs sharing the cache, and seven CPUs sharing the memory bus. This level of sharing leads to a great deal of noise in any signal from one CPU to another because actions of multiple CPUs tend to obfuscate the signal.Windows Azure generally dedicates CPUs to particular VMs. Any system that takes advantage of the fact that few servers keep their CPUs busy all the time, and implements more logical CPUs than physical CPUs, might open the possibility of context switches exposing cache access patterns. Windows Azure operates differently. VMs can migrate from one CPU to another, but are unlikely to do so frequently enough to offer an attacker any information.
  • #19 Services are isolated from other servicesCan only access resources declared in the service model .Local node resources – temp storageNetwork end-pointsIsolation using multiple mechanismsMuch of the traditional infrastructure security moves to the platform and application layersNetwork Access Control Lists and Firewalls become host packet filters and virtual firewallsMultiple, privileged accounts become pre-defined agent accounts controlled by the systemPlatform and network level encryption will still play a role, but the application developer becomes more responsible for defining how encryption is used end-to-endServices are isolated from other servicesCan only access resources declared in the service model .Local node resources – temp storageNetwork end-pointsIsolation using multiple mechanismsAutomatic application of windows security patchesRolling operating system image upgrades
  • #35 let's introduce another architectural role, the federation provider. The FP is, like the IP, implemented with an STS; however instead of authenticating users this STS transforms input tokens in output tokens. AN FP is typically placed on boundaries, so that it can decouple applications from the IPs and vice versa. The application can be configured to only accept tokens issued by the FP, which in turn will accept tokens form the actual IPs. As we will see, this arrangement brings great advantages to the application developer. Let's run through the scenario with this new element.<click>the blue user accesses the application, a nd this time there are no longer any doubts: <click> he gets redirected to the intermediary. It is now the FP's responsibility to handle the HDR problem <click>. The user picks his one IP <click> authenticates and sends the resulting token to the FP. Here the FP processes the token, applying whatever transformation to it and reissuing the results in a new token <click>. Note that in the easiest case there are no transformations and the input values are rewritten in output as is.The new token is then returned to the client <click> which sends it to the application.Let's run through the other IP. The user gets to the app <click>, get redirected to the FP <click> get prompted for the HDR <click> pick its onw and authenticates <click>, get the token and send it to the FP <click>.This time the FP transforms the incoming token, normalizing its claim types to match the other token <click>. The token gets back to the user <click> and is sent to the application <click>. As you can see, the application is no longer on point to account for differences between tokens: the FP took care of normalizing it, decoupling the app from changes.One way in which you can implement a FP is by using the access control service. the ACS can host an STS for you and allows you to specify your trust relationships and transformation logic via an easy portal or a comprehensive set of management APIs. ACS also helps you with the HDR problem, both by automatically generating pages for the explicit selection or by offering more subtle mechanisms such as extracting the domain form the email of the user and redirecting to the appropriate IP without having to list all the possible options. You already heard about this in the AppFabric introduction, hence I am going straight to a demonstration.
  • #36 The ACS would deserve multiple sessions on its own right to be properly covered, here I'm just giving you a quick sampler.What we have seen so far is just a small part of its surface. The schema here shows the ws-federation subsystem, what is normally used for browser-based, session-oriented application types. We've been playing only with ADFS IP types, but in fact <click> there are many out of the box popular IPs you can use right away with your application sticking to the same protocol <click> and a browser<click>.ACS can also do WS-Trust, a high-security protocol for SOAP web services, accepting identities from ADFS2 ws-trust endpoints or bare credentials registered in ACS for management purposes.<click> the same sources can be used within OAuth2.0 calls. OAuth is the current state of the art for securing REST calls: it is still in draft state, hence expect changes, but you can already experiment with it.<click> Both protocols can be used for rich client application types and in general <click> server 2 server interactions.Not shown here there are the management endpoints, the other portion of ACS' development surface, which can be used instead or alongside the portal for managing the namespace.
  • #37 Isolate web roles and separate duties of individual roles in order to maximize the use of Windows Azure Partial Trust. The Trust Levels Appendix C illustrates a subset of Partial Trust Policy Restrictions. The complete listing of restrictions is available in “Windows Azure Partial Trust Policy Reference.” The impact of these security restrictions illustrates the value of using Windows Azure Partial Trust to help secure Windows Azure services, especially externally-facing web roles. Most access to the local environment variables, file system and registry is restricted. Socket and Web connection permissions are also locked down. Use the “Gatekeeper” design pattern to separate role duties and isolate privileged access A Gatekeeper is a design pattern in which access to storage is brokered so as to minimize the attack surface of privileged roles by limiting their interaction to communication over private internal channels and only to other web/worker roles. These roles are deployed on separate VMs. In the event of a successful attack on a web role, privileged key material is not compromised. The pattern can best be illustrated by the following example which uses two roles:  The GateKeeper – this is a web role that services requests from the Internet. Since these requests are potentially malicious, the Gatekeeper is not trusted with any duties other than validating the input it receives. The GateKeeper is implemented in managed code and runs with Windows Azure Partial Trust. The service configuration settings for this role do not contain any Shared Key information for use with Windows Azure Storage.  The KeyMaster – this is a privileged backend worker role that only takes inputs from the Gatekeeper and does so over a secured channel (an internal endpoint, or queue storage – either of which can be secured with HTTPS). The KeyMaster handles storage requests fed to it by the GateKeeper, and assumes that the requests have been sanitized to some degree. The KeyMaster, as the name implies, is configured with Windows Azure Storage account information from the service configuration to enableretrieval of data from Blob or Table storage. Data can then be relayed back to the requesting client. Nothing about this design requires Full Trust or Native Code, but it offers the flexibility of running the KeyMaster in a higher privilege level if necessary.
  • #38 Use multiple storage keys to restrict access to privileged information where the Gatekeeper pattern does not apply. In scenarios where a partial-trust Gatekeeper cannot be placed in front of a full-trust role, a multi-key design pattern can be used to protect trusted storage data. An example case of this scenario might be when a PHP web role is acting as a front-end web role, and placing a partial trust Gatekeeper in front of it may degrade performance to an unacceptable level. Up to five storage keys can be assigned to one Windows Azure subscription. This diversity can be used to minimize exposure of a particular key to theft by placing lower-trust keys on lower-trust roles and higher-trust keys on higher-trust roles. ”Untrusted web role A” in the figure below has access to only one storage account, and it is not trusted to do anything but parse incoming requests and log them to storage account „A‟. “Trusted Role B” (in the background) has the account keys for both storage „A‟ and „B‟, but is not exposed to potentially-malicious, malformed inputs. “Trusted Role B” processes and filters requests from the untrusted role via storage „A,‟ but expects a specific structure or format. „B‟ never fully trusts „A,‟ allowing for the “real” storage key of value (account „B‟) to be protected even in the event of a fully compromised, externally-facing, untrusted role. As with the Gatekeeper pattern, the trusted role should not provide unfettered access to the trusted store on behalf of Web Role „A.‟ Instead, only a subset of legitimate commands should be serviced (such as read, but not create/update/delete in certain cases). The multi-key design pattern has some advantages over the Gatekeeper/KeyMaster pattern:  Providing separation of duty for storage accounts. In the event of Web Role A‟s compromise; only the untrusted storage account and associated key are lost.  No internal service endpoints need to be specified. Multiple storage accounts are used instead.  Windows Azure Partial Trust is not required for the externally-facing untrusted web role. Since PHP does not support partial trust, the Gatekeeper configuration is not an option for PHP hosting.
  • #40 Avoid using *servicename*.cloudapp.net domain name - use a custom domain name instead. An important distinction between the enterprise and the cloud is that the cloudapp.net namespace is shared among all Azure customers while the namespace Microsoft.com is wholly-owned and controlled by Microsoft. This means that the cloudapp.net namespace is inherently less trusted than the domain namespace of a single enterprise because one customer of Windows Azure does not automatically trust all other customers in that domain namespace. Don‟t create code that requires users to place cloudapp.net in the trusted sites list in their web browser. Never scope cookies or document.domain to cloudapp.net. Instead, scope to the service subdomain (such as contoso.cloudapp.net, for example or, better, www.contoso.com). For most content, only interactions with content from the same domain are allowed. For example, a typical page on www.microsoft.com can freely script content on any other page on www.microsoft.com, but it cannot script to pages that are located on a different Web domain. The DHTML Object Model uses the document.domain property to enforce this restriction. Only pages with identical domain properties are allowed free interaction. The protocol of the URL must also match. For example, an HTTP page cannot access HTTPS content. Important: Any attempt to broaden document.domain access can leave a service open to scripting attacks from the entire cloudapp.net domain namespace. IIS7 sets document.domain to the full subdomain by default (like contoso.cloudapp.net or www.microsoft.com), but the scoping is so often changed by web developers that it warrants mention.
  • #41 Data Security When designing Web Role interactions with Windows Azure Storage, Shared Access Signatures can be a powerful tool. Shared Access Signatures are effectively access tokens that bestow a set of rights against a blob or blob container that normally would not be set public. Since web applications are responsible for generating these tokens, they are also responsible for securely distributing them. In the event that one of these tokens is compromised, developers can either update the blob/container metadata to invalidate the token, or simply create a new container for the blob data. However, this is still a reactive measure taken after damage could have already been done. Outlined, below are guidelines for minimizing risk while using Shared Access Signatures.  Generate Shared Access Signatures with the most restrictive set of ACLs possible that still grant the access required by the trusted party.  Use the shortest lifetime possible.  Use HTTPS in the request URL so the token cannot be snooped on the wire.  Remember that these tokens are only used for temporary access to non-public blob storage – as with passwords, it‟s a bad idea to use the same ones over and over. Windows Azure table storage provides a simple structured storage environment and is not SQL-based, so common SQL injection vulnerabilities do not apply to an application that uses it. However, applications using SQL Azure or other relational database services still need to mitigate traditional SQL injection threats. Table storage requests are either made directly, using HTTP GET and POST requests, or they are translated into these requests by the SDK and LINQ. Since HTTP requests are text, if this request string were constructed based on data gathered from users, then the user‟s strings could possibly change the semantics of the request (e.g. by inserting carriage returns or & characters.) To avoid injection attacks, do not base any container names, blob names, blocks, block IDs, or table names on data gathered from users. When constructing a REST query that involves user data, help ensure the data‟s safety by URL encoding before concatenating it into the query.
  • #42 Handling Secret Information Currently there is no support for Data Protection API (DPAPI)-like persistence of secret data in Windows Azure Storage. If a service must encrypt secret data at rest within Windows Azure Storage, then it needs to encrypt that data offsite, and before uploading the encrypted payload to blob storage. This can be done easily with an AES key generated on a client machine or elsewhere within the enterprise. Also, developers should not upload the key or any keying material to Windows Azure Storage, regardless of how careful they are about hiding it. If any computer or storage services were compromised, it could lead to encryption keys being exposed. Microsoft recommends using 256-bit AES keys for symmetric encryption. Developers also should not store private keys associated with SSL/TLS certificates in Windows Azure Storage. Instead, upload them through the Developer Portal and access them via thumbprint references in the Service Configuration. Windows Azure will not only store these certificates encrypted at all times, but also securely provision them into the certificate stores of the service‟s web roles upon boot. Developers should not attempt to store certificates anywhere on their own as these actions would constitute re-inventing a protection already supplied by the platform. Sample code that shows how to install certificates in Windows Azure is available at http://blogs.msdn.com/jnak/archive/2010/01/29/installing-certificates-in-windows-azure-vms.aspx.
  • #43 Auditing and Logging Local VM disk access by Windows Azure roles should be considered temporary and not reliable for anything more than temp files and caching. On Windows Azure, events are not written to application, security, or audit event logs as they are on Windows servers. Instead, events data is logged to Windows Azure Storage through the Monitoring and Diagnostics Agent via trace listeners in web application code. The logs are then stored long-term in Windows Azure Storage via scheduled transfers performed by the Monitoring Agent. Windows Azure Table Storage is used to log certain types of events, including Windows Event and Diagnostics Logs, Windows Azure Logs and performance counters. Windows Azure does not currently support encryption-at-rest of table storage information, so developers should not write sensitive information to any events stored in Windows Azure Table Storage. Refer to “Handling Secret Information” on page 8 for more information about encrypting sensitive data. Developers must decide to use HTTP or HTTPS depending on the contents of the logs. If an application is logging a large amount of data that won‟t be of interest to outside parties or eavesdroppers, then HTTP can be used for a faster transfer. However, Microsoft recommends protecting all log data in transit to Windows Azure Storage by using HTTPS.
  • #44 Request Throttling / Input Sanitization Developers must do application-level throttling of incoming requests for any kind of complex, time-intensive operation. It is also important to fuzz test any new parsers deployed as part of a web service. The Microsoft Security Development Lifecycle (SDL) portal at http://www.microsoft.com/sdl provides resources on fuzzing parsers. If a service is parsing a proprietary file or request format (perhaps encapsulated inside HTTP), then fuzz test it to ensure the code can correctly accommodate malformed input. Generally speaking, an automated fuzzing framework that fuzzes 100,000 iterations of each new format or protocol without crashing, or runs non-stop for 24 hours, will give developers a good indication of threat resistance. This is the fuzzing requirement that Microsoft currently applies to “boxed-product” software.
  • #45 Attack surface reduction The basic strategies of attack surface reduction are to reduce the amount of code running, reduce entry points available to untrusted users, reduce privilege levels as much as possible, and eliminate services requested by relatively few users.Defense in depth Defense in depth is an information assurance (IA) strategy in which multiple layers of defense are placed throughout an information technology (IT) system. It addresses security vulnerabilities in personnel, technology and operations for the duration of the system's life cycle.Principle of least privilegegiving a user only those privileges which are absolutely essential to do his/her workThreat modeling define many separate threat models for one computer system. Each model defines a narrow set of possible attacks to focus on. A threat model can help to assess the probability, the potential harm, the priority etc., of attacks, and thus help to minimize or eradicate the threats. Cross-site scripting (XSS) is a type of computer securityvulnerability typically found in web applications that enables malicious attackers to injectclient-side script into web pages viewed by other usersDevelopers must mitigate cross-site scripting attacks by encoding and validating inputs to their services with the Microsoft Anti-Cross-Site-Scripting library or other similar libraries, especially if that input is displayed back to the user in a web page. Cross-site request forgery (CSRF) attacks must also be mitigated by setting a hidden session token in client requests and setting Page.ViewStateUserKey to the current session ID. SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literalescape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.[
  • #47 Twitter template
  • #48 Speakers template