The document discusses the benefits of Platform as a Service (PaaS) architecture, highlighting its ease of management and built-in high availability features. It emphasizes the importance of securing applications and databases through authentication, authorization, and encryption, while also addressing potential security risks such as data exfiltration. Real-world scenarios are used to illustrate key points and best practices for implementing security measures in Azure environments.

1. #datasatpn
February 27th, 2021
Data Saturday #1
Securing a full-PaaS architecture
Marco Obinu - @OmegaMadLab

2. Marco Obinu
• Advisory Engineer @
• Geek to the 🦴😁
• 💘Azure and SQL Server
ABOUTME.OMEGAMADLAB.COM

3. Why PaaS?
IaaS
MANAGED
BY
VENDOR
APPLICATION
HYPERVISOR
OS
RUNTIME
DATA
STORAGE
NETWORK
YOU
MANAGE
SERVERS
MANAGED
BY
VENDOR
APPLICATION
HYPERVISOR
OS
RUNTIME
DATA
STORAGE
NETWORK
PaaS
YOU
MANAGE
SERVERS
LESS
DUTIES

4. Why PaaS?
LESS
DUTIES
EASIER
TO SIZE
Azure Storage
(remote storage)
Virtualization host
OsDisk DataDisk DataDisk
VM
VM NIC vSwitch Host
NIC
BlobCache (local storage)
TempDisk
RAM cache
SSD cache
CACHED
THROUGHPUT UNCACHEDTHROUGHPUT
Standard HDD
Standard SSD
Premium SSD
Ultra disks

5. Why PaaS?
Less
duties
Easier
to size
Built-
in HA
SQL CLUSTER IP
SQL CLUSTER IP
PREMIUM FILE SHARE
S2D
STORAGE REPLICATION
SQL CLUSTER IP
DATABASE REPLICATION
LISTENER

6. Why PaaS?
LESS
DUTIES
EASIER
TO SIZE
BUILT-IN
HA
SCALABLE

7. Why PaaS?
LESS
DUTIES
EASIER
TO SIZE
BUILT-IN
HA
SCALABLE
COOL
FEATURES

8. Why PaaS?
LESS
DUTIES
EASIER TO
SIZE
BUILT-IN
HA
SCALABLE
COOL
FEATURES
ADOPTION
SPEED

9. Any risk?
Less control over the infrastructure
Who did what?
Usually outside of your network boundaries
• Can be an issue with security policies
• What about data exfiltration?

10. How to mitigate?
Enforce authentication and authorization
Protect your data at rest, in transit, in use
Secure your network

11. How to mitigate?
IT Team
• Define guidelines
• Enforce rules
• Monitor the environment
Dev Team
• Don't be shy with the architecture
• Follow the best practices

12. A real-world scenario
Users WebApp
Azure SQL DB
ADF
Blob
Console VM
VNET
managementSubnet
Azure Hosted IR

13. A real-world scenario: week points
Users WebApp
Azure SQL DB
Blob
Console VM
VNET
managementSubnet
Auth? TLS?
WAF?
IP Restriction?
Auth?
Encryption?
Firewall?
Traffic flow?
Auth?
Encryption?
Firewall?
Data
exfiltration?
ADF
Azure Hosted IR

14. Securing the webapp

15. Disable anonymous access

16. Disable anonymous access

17. Enforce HTTPS

18. Enforce HTTPS

19. Introduce a Web Application Firewall

20. Introduce a Web Application Firewall
Users WebApp

21. Introduce a Web Application Firewall
Users WebApp
WAF
Vnet
Public IP

22. Introduce a Web Application Firewal

23. Introduce a Web Application Firewal

24. Apply IP Restrictions

25. Disable anonymous access

26. Disable anonymous access

27. Disable anonymous access

28. Disable anonymous access

29. A real-world scenario: week points
Users WebApp Azure SQL DB Blob
Console VM
VNET
managementSubnet
Auth? TLS?
WAF?
IP Restriction?
Auth?
Encryption?
Firewall?
Traffic flow?
Auth?
Encryption?
Firewall?
Data
exfiltration?
ADF
Azure Hosted IR
WAF
wafSubnet
Public IP

30. Securing the database

31. Azure AD integration

32. Azure AD integration
Server=tcp:sqlsrv-secure-jecptzwgjjo7o.database.windows.net,1433;Initial
Catalog=DemoDB;Persist Security Info=False;User
ID=*************;Password=**************;MultipleActiveResultSets=False;Encrypt=
True;TrustServerCertificate=False;Connection Timeout=30;

33. Azure AD integration

34. Azure AD integration

35. Azure AD integration

36. Azure AD integration

37. Azure AD integration

38. Azure AD integration

39. Azure AD integration
Server=tcp:sqlsrv-secure-jecptzwgjjo7o.database.windows.net,1433;Initial
Catalog=DemoDB;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=Fa
lse;Connection Timeout=30;

40. Encryption at rest

41. Encryption at rest

42. Encryption in transit

43. Encryption in transit

44. Encryption in use

45. Encryption in use
Always Encripted
Row Level Security
Dynamic Data Masking

46. Network security

47. Network security
VPN GW
VM
VNET
Public endpoint Public endpoint
On-prem IP
Azure Svcs
1 2

48. Network security
VPN GW
VM
VNET
Public endpoint Public endpoint
On-prem IP
Subnet 1
1 2
Subnet 2

49. Network security
VPN GW
VM
VNET
Public endpoint Public endpoint
1 2
Private
link

51. A real-world scenario: week points
Users WebApp Azure SQL DB Blob
Console VM
VNET
managementSubnet
Auth? TLS?
WAF?
IP Restriction?
Auth?
Encryption?
Firewall?
Traffic flow?
Auth?
Encryption?
Firewall?
Data
exfiltration?
ADF
Azure Hosted IR
WAF
wafSubnet IntSubnet privateLinkSubnet
Public IP

52. Securing the storage account
Encryption at rest

53. Encryption in transit

54. Encryption in transit

55. Azure AD integration

56. Azure AD integration

57. Azure AD integration

58. Azure AD integration

59. Azure AD integration

60. Network security

61. Network Security

62. Network Security

63. A real-world scenario: week points
Users WebApp
Azure SQL DB
Blob
Console VM
VNET
managementSubnet
Auth? TLS?
WAF?
IP Restriction?
Auth?
Encryption?
Firewall?
Traffic flow?
Auth?
Encryption?
Firewall?
Data
exfiltration?
ADF
Azure Hosted IR
WAF
wafSubnet IntSubnet privateLinkSubnet
Public IP

64. What about Data Factory?
Azure AD integration
Resource connectivity

65. What about Data Factory?
Azure AD integration
Resource connectivity
VNET
Azure Hosted IR

66. What about Data Factory?
Azure AD integration
Resource connectivity
VNET
Azure Hosted IR
ADF Managed VNET
(Preview)

68. What about Data Factory?
Azure AD integration
Resource connectivity
VNET
Self Hosted IR

69. A real-world scenario: week points
Users
WebApp Blob
Azure SQL DB
Console VM
ADF
WAF
wafSubnet
Public IP
VNET
IntSubnet managementSubnet
Self-hosted IR
adfSubnet
privateLinkSubnet
Auth? TLS?
WAF?
IP Restriction?
Auth?
Encryption?
Firewall?
Traffic flow?
Auth?
Encryption?
Firewall?
Data
exfiltration?

70. Limiting the exposure to data exfiltration
Users
WebApp Blob
Azure SQL DB
Console VM
ADF
WAF
wafSubnet
Public IP
VNET
IntSubnet managementSubnet
Self-hosted IR
adfSubnet
privateLinkSubnet

71. Limiting the exposure to data exfiltration
Users
WebApp Blob
Azure SQL DB
Console VM
ADF
WAF
wafSubnet
Public IP
VNET
IntSubnet managementSubnet
Self-hosted IR
adfSubnet
privateLinkSubnet
NSG
Outbound traffic
Priority Source Destination Action
100 ConsoleVM IP, any port AzSQLDB private IP, 1433 Allow
110 ConsoleVM IP, any port AzSQLDB Service Tag
120 ConsoleVM IP, any port AzStorage Service Tag

72. A real-world scenario: a good starting point
Users
WebApp Blob
Azure SQL DB
Console VM
ADF
WAF
wafSubnet
Public IP
VNET
IntSubnet managementSubnet
Self-hosted IR
adfSubnet
privateLinkSubnet
NSG
NSG
NSG

73. A different approach
Users
Blob
Console VM
ADF
WAF
wafSubnet
Public IP
VNET
AseSubnet managementSubnet
Self-hosted IR
adfSubnet
privateLinkSubnet
ASE
sqlmiSubnet
Az SQL MI
NSG
NSG
NSG NSG

74. Checking for any blind spot
Azure SQL Database
• Label sensitive data
• Enable audit
Azure Security Center
• Check your security posture (free tier)
• Integrate with Defender for SQL, App Service, Storage
(former standard tier)

75. Some useful resources
• What is Azure Private Link? | Microsoft Docs
• Managed virtual network & managed private endpoints - Azure Data
Factory | Microsoft Docs
• Tutorial: Access data with managed identity - Azure App Service |
Microsoft Docs
• Manage traffic to multi-tenant apps using the portal - Azure
Application Gateway | Microsoft Docs

76. Let’s keep
in touch!
ABOUTME.OMEGAMADLAB.COM