Karl Ots, profile picture
Uploaded byKarl Ots
PDF, PPTX252 views

Top Azure security fails and how to avoid them

The document discusses top Azure security fails and how to avoid them. It begins by introducing the speaker and their experience with Azure security. It then covers common security controls in Azure and the concept of role-based access control (RBAC). The document identifies seven common security fails including giving all users owner permissions, overprivileged service principals, untrusted authentication providers, unprotected public endpoints, misused storage access keys, lack of monitoring and alerting, and missing virtual machine updates. It demonstrates how to avoid these fails using tools like Azure Security Center and the Secure DevOps kit for Azure.

Embed presentation

Download as PDF, PPTX
@fincooper Top Azure security fails and how to avoid them
@fincooper Karl Ots Managing Consultant karl.ots@zure.com • Cloud & cybersecurity expert • User group and conference organizer, podcast hosts • Patented inventor • Working on Azure since 2011 • Helped to secure 100+ Azure applications, from startups to Fortune 500 enterprises • linkedin.com/in/karlots
@fincooper What to expect in this session • Azure security landscape • Top Azure security fails I have wondered upon in my adventures • Why are they bad? • How to fix them? • Resources to help you secure your Azure environment, regardless of your current status
@fincooper Security controls in Azure Physical Security Network Host Application Admin Data Physical controls, video surveillance, access control Edge routers, firewalls, intrusion detection, vulnerability scanning Access control and monitoring, anti-malware, patch and configuration management Secure engineering (SDL), access control and monitoring, anti-malware Account management, training and awareness, screening Threat and vulnerability management, security monitoring and response, access control and monitoring, file/data integrity, encryption
@fincooper With great power comes great responsibility
@fincooper Role-Based Access Control Subscription Resource Groups Resources Owner Can perform all management operations for a resource and its child resources including access management and granting access to others. Contributor Can perform all management operations for a resource including create and delete resources. A contributor cannot grant access to other. Reader Has read-only access to a resource and its child resources. A reader cannot read secrets.
@fincooper Privileged Identity Management • Requires Azure AD Premium P2 • For all users in the whole AAD Tenant • Identifies users with administrative privileges • Enables on-demand, just-in-time administrative access • Generates reports about administrator access history
@fincooper STRIDE • Azure removes some of the attack surface, as infrastructure and operations are handled by Microsoft. • We can use frameworks such as STRIDE to identify threats: • Good set of tools at https://www.microsoft.com/en-us/SDL/adopt/tools.aspx Threat Property Definition Spoofing Authentication Impersonating something or someone else. Tampering Integrity Modifying data or code. Repudiation Non-repudiation Claiming to have not performed an action. Information Disclosure Confidentiality Exposing information to someone not authorized to see it. Denial of Service Availability Deny or degrade service to users. Elevation of Privilege Authorization Gain capabilities without proper authorization.
@fincooper Security fail #1 • Every user is an Owner • …In the Subscription scope • STRIDE threat categorization: • Tampering • Information Disclosure • Mitigation: • Default access scope should be Resource Group, not Subscription • Default RBAC access should be Contributor, not Owner
@fincooper Security fail #2 • Service Principals have too wide privileges • STRIDE threat categorization: • Repudiation • Mitigation: • Service Principal RBAC assignments should follow the least privileged principle • Service Principals should NOT be granted access in the Subscription scope • Service Principals should NOT be granted Owner access in any scope
@fincooper Security fail #3 • Untrusted authorization provider being used • (Microsoft Account, Gmail, unmanaged Azure AD…) • STRIDE threat categorization: • Spoofing • Elevation of Privilege • Mitigation: • Always use trusted Azure AD authentication that is managed by your organization • Monitor Azure Subscription access using AAD PIM
@fincooper Security fail #4 • Unprotected public endpoints • HTTP / RDP / SSH • STRIDE threat categorization: • Information Disclosure • Denial of Service • Mitigation: • Every public IP is a risk and should be carefully reviewed • Use Network Security Groups to control access to / from virtual machines • Use Azure Security Center’s Just-in-time access to dynamically change NSG rules • Use Web Application Firewall to control access to public HTTP endpoints
@fincooper Security fail #5 • Storage access keys used directly • STRIDE threat categorization: • Information Disclosure • Tampering • Repudiation • Mitigation: • Storage Access Keys should be stored in Azure Key Vault and rotated programmatically • Restrict access to Microsoft.Storage/storageAccounts/listkeys/action using RBAC
@fincooper Security fail #6 • No monitoring or alerting • STRIDE threat categorization: • Repudiation • Denial of Service • Mitigation: • Configure Activity Log retention, default is only 90 days! • Enable Application Insight Smart Alerts • Enable Advanced Treat Protection • Enable Azure SQL Audit logging • Monitor all HTTP endpoint traffic with with Application Gateway / WAF
@fincooper Security fail #7 • Missing Virtual Machine updates • STRIDE threat categorization: • Information Disclosure • Elevation of Privilege • Mitigation: • Update management • Azure Security Center
@fincooper DEMO “How to avoid them”
@fincooper Secure DevOps kit for Azure (AzSK) • Set of tools for assessing the security posture of your Azure environment • Built by Microsoft Core Services Engineering • Used to secure 1000+ Azure subscriptions at Microsoft • Easy to get started with non-intrusive vulnerability scans, expands end-to- end tooling from developer machine to CI/CD to continuous assurance
@fincooper Materials • My slides: slideshare.net/karlots • Secure DevOps Kit for Azure: • azsk.azurewebsites.net • STRIDE Threat Modeling Lessons from Star Wars: • youtube.com/watch?v=Y3VQpg04vXo • Azure Security and Compliance Blueprint (not Azure Blueprint): • docs.microsoft.com/en-us/azure/security/blueprints/gdpr-paaswa-overview • Azure Virtual Datacenter: • docs.microsoft.com/en-us/azure/architecture/vdc/
Top Azure security fails and how to avoid them

More Related Content

PDF
UpdateConf 2018: Top 18 Azure security fails and how to avoid them
byKarl Ots
 
PDF
Top 18 azure security fails and how to avoid them
byKarl Ots
 
PDF
BeyondCorp and Zero Trust
byIvan Dwyer
 
PDF
BeyondCorp Seattle Meetup: Closing the Adherence Gap
byIvan Dwyer
 
PDF
ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...
byKarl Ots
 
PDF
BeyondCorp and Zero Trust
byIvan Dwyer
 
PDF
CSF18 - Implementing Gartners #1 - Whitelisting- Karim El-Melhaoui
byNCCOMMS
 
PPTX
Jason Kent - AppSec Without Additional Tools
bycentralohioissa
 
UpdateConf 2018: Top 18 Azure security fails and how to avoid them
byKarl Ots
 
Top 18 azure security fails and how to avoid them
byKarl Ots
 
BeyondCorp and Zero Trust
byIvan Dwyer
 
BeyondCorp Seattle Meetup: Closing the Adherence Gap
byIvan Dwyer
 
ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...
byKarl Ots
 
BeyondCorp and Zero Trust
byIvan Dwyer
 
CSF18 - Implementing Gartners #1 - Whitelisting- Karim El-Melhaoui
byNCCOMMS
 
Jason Kent - AppSec Without Additional Tools
bycentralohioissa
 

What's hot

PPTX
Azure Security Fundamentals
byLorenzo Barbieri
 
PDF
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
byAlert Logic
 
PDF
BeyondCorp - Google Security for Everyone Else
byIvan Dwyer
 
PPTX
#ALSummit: Live Cyber Hack Demonstration
byAlert Logic
 
PDF
Global Azure Bootcamp 2018 - Azure Security Center
byScott Hoag
 
PDF
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
byAlert Logic
 
PDF
BeyondCorp New York Meetup: Closing the Adherence Gap
byIvan Dwyer
 
PDF
Azure security architecture
byKarl Ots
 
PDF
BeyondCorp Myths: Busted
byIvan Dwyer
 
PPTX
#ALSummit: Cyber Resiliency: Surviving the Breach
byAlert Logic
 
PDF
[OWASP Poland Day] Embedding security into SDLC + GDPR
byOWASP
 
PDF
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...
byAlert Logic
 
PPTX
CSS 17: NYC - Stories from the SOC
byAlert Logic
 
PPTX
CSS 17: NYC - Realities of Security in the Cloud
byAlert Logic
 
PPTX
#ALSummit: Architecting Security into your AWS Environment
byAlert Logic
 
PDF
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_al
byAlert Logic
 
PPTX
Integrate Security into DevOps - SecDevOps
byUlf Mattsson
 
PDF
Getting Started with Azure Security Center
byCheah Eng Soon
 
PPTX
Azure Security Center- Zero to Hero
byKasun Rajapakse
 
PDF
BeyondCorp Austin Meetup: BeyondCorp Myths Busted
byIvan Dwyer
 
Azure Security Fundamentals
byLorenzo Barbieri
 
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
byAlert Logic
 
BeyondCorp - Google Security for Everyone Else
byIvan Dwyer
 
#ALSummit: Live Cyber Hack Demonstration
byAlert Logic
 
Global Azure Bootcamp 2018 - Azure Security Center
byScott Hoag
 
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
byAlert Logic
 
BeyondCorp New York Meetup: Closing the Adherence Gap
byIvan Dwyer
 
Azure security architecture
byKarl Ots
 
BeyondCorp Myths: Busted
byIvan Dwyer
 
#ALSummit: Cyber Resiliency: Surviving the Breach
byAlert Logic
 
[OWASP Poland Day] Embedding security into SDLC + GDPR
byOWASP
 
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...
byAlert Logic
 
CSS 17: NYC - Stories from the SOC
byAlert Logic
 
CSS 17: NYC - Realities of Security in the Cloud
byAlert Logic
 
#ALSummit: Architecting Security into your AWS Environment
byAlert Logic
 
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_al
byAlert Logic
 
Integrate Security into DevOps - SecDevOps
byUlf Mattsson
 
Getting Started with Azure Security Center
byCheah Eng Soon
 
Azure Security Center- Zero to Hero
byKasun Rajapakse
 
BeyondCorp Austin Meetup: BeyondCorp Myths Busted
byIvan Dwyer
 

Similar to Top Azure security fails and how to avoid them

PDF
Techorama Belgium 2019: top Azure security fails and how to avoid them
byKarl Ots
 
PDF
DevSum - Top Azure security fails and how to avoid them
byKarl Ots
 
PDF
IT Camp 19: Top Azure security fails and how to avoid them
byKarl Ots
 
PDF
IglooConf 2019 Secure your Azure applications like a pro
byKarl Ots
 
PDF
FAUG #9: Azure security architecture and stories from the trenches
byKarl Ots
 
PDF
TechDays Finland 2020: Azuren tietoturva haltuun!
byKarl Ots
 
PPTX
Make your Azure PaaS Deployment More Safe
byThuan Ng
 
PPTX
Shared Security Responsibility for the Azure Cloud
byAlert Logic
 
PPTX
Azure Fundamentals Part 3
byCCG
 
PDF
Microsoft Windows Azure - Security Best Practices for Developing Windows Azur...
byMicrosoft Private Cloud
 
PPTX
5 steps to securing your identity infrastructure.pptx
byMCont1
 
PPTX
Azure security basics
byStas Lebedenko
 
PPT
Application Threat Modeling
byMarco Morana
 
PDF
ScotSecure Cyber Security Summit 2025 Edinburgh
byRay Bugg
 
PDF
Experts Live Norway - Azure Infrastructure Security
byTom Janetscheck
 
PDF
Microsoft Zero Trust
byDavid J Rosenthal
 
PPTX
DevSecOps: Securing Applications with DevOps
byWouter de Kort
 
PPTX
Start Secure, Stay Secure: Full-Lifecycle Application Security with Azure
byDinusha Kumarasiri
 
PPTX
Identity-Driven Security with Forsyte I.T. Solutions - Demos and Discovery
byForsyte I.T. Solutions
 
PDF
CSS17: Houston - Azure Shared Security Model Overview
byAlert Logic
 
Techorama Belgium 2019: top Azure security fails and how to avoid them
byKarl Ots
 
DevSum - Top Azure security fails and how to avoid them
byKarl Ots
 
IT Camp 19: Top Azure security fails and how to avoid them
byKarl Ots
 
IglooConf 2019 Secure your Azure applications like a pro
byKarl Ots
 
FAUG #9: Azure security architecture and stories from the trenches
byKarl Ots
 
TechDays Finland 2020: Azuren tietoturva haltuun!
byKarl Ots
 
Make your Azure PaaS Deployment More Safe
byThuan Ng
 
Shared Security Responsibility for the Azure Cloud
byAlert Logic
 
Azure Fundamentals Part 3
byCCG
 
Microsoft Windows Azure - Security Best Practices for Developing Windows Azur...
byMicrosoft Private Cloud
 
5 steps to securing your identity infrastructure.pptx
byMCont1
 
Azure security basics
byStas Lebedenko
 
Application Threat Modeling
byMarco Morana
 
ScotSecure Cyber Security Summit 2025 Edinburgh
byRay Bugg
 
Experts Live Norway - Azure Infrastructure Security
byTom Janetscheck
 
Microsoft Zero Trust
byDavid J Rosenthal
 
DevSecOps: Securing Applications with DevOps
byWouter de Kort
 
Start Secure, Stay Secure: Full-Lifecycle Application Security with Azure
byDinusha Kumarasiri
 
Identity-Driven Security with Forsyte I.T. Solutions - Demos and Discovery
byForsyte I.T. Solutions
 
CSS17: Houston - Azure Shared Security Model Overview
byAlert Logic
 

More from Karl Ots

PDF
TechDays Finland 2020: Best practices of securing web applications running on...
byKarl Ots
 
PDF
IglooConf 2020: Best practices of securing web applications running on Azure ...
byKarl Ots
 
PDF
Building an Enterprise-Grade Azure Governance Model
byKarl Ots
 
PDF
CloudBurst Malmö: Best practices of securing web applications running on Azur...
byKarl Ots
 
PDF
FAUG Jyväskylä 28.5.2019 - Azure Monitoring
byKarl Ots
 
PDF
Techorama Belgium 2019 - Building an Azure Governance model for the Enterprise
byKarl Ots
 
PDF
Azure Low Lands 2018: Monitoring real life Azure applications when to use wha...
byKarl Ots
 
PDF
UpdateConf 2018: Monitoring real-life Azure applications: When to use what an...
byKarl Ots
 
PDF
Monitoring real-life Azure applications: When to use what and why
byKarl Ots
 
PDF
Azure Saturday: Security + DevOps + Azure = Awesomeness
byKarl Ots
 
PDF
Navigating in the sea of containers in azure when to choose which service and...
byKarl Ots
 
PDF
Kubernetes in Azure
byKarl Ots
 
PDF
Azure security architecture / FAUG JKL 15.2.2018
byKarl Ots
 
PDF
Securing Azure Infrastructure
byKarl Ots
 
PDF
CloudBrew 2017 - Security + DevOps + Azure = Awesomeness
byKarl Ots
 
PDF
Monitoring advanced Azure PaaS workloads in the enterprise - Level: 200
byKarl Ots
 
PDF
Building globally scalable media solutions with Azure Media Services part 2
byKarl Ots
 
PDF
Security + DevOps + Azure = Awesomeness
byKarl Ots
 
PPTX
Sovellusmodernisoinnin webinaarisarja, osa 3: modernisoidun sovelluksen integ...
byKarl Ots
 
PPTX
Sovellusmodernisoinnin webinaarisarja, osa 2: liiketoimintasovelluksen modern...
byKarl Ots
 
TechDays Finland 2020: Best practices of securing web applications running on...
byKarl Ots
 
IglooConf 2020: Best practices of securing web applications running on Azure ...
byKarl Ots
 
Building an Enterprise-Grade Azure Governance Model
byKarl Ots
 
CloudBurst Malmö: Best practices of securing web applications running on Azur...
byKarl Ots
 
FAUG Jyväskylä 28.5.2019 - Azure Monitoring
byKarl Ots
 
Techorama Belgium 2019 - Building an Azure Governance model for the Enterprise
byKarl Ots
 
Azure Low Lands 2018: Monitoring real life Azure applications when to use wha...
byKarl Ots
 
UpdateConf 2018: Monitoring real-life Azure applications: When to use what an...
byKarl Ots
 
Monitoring real-life Azure applications: When to use what and why
byKarl Ots
 
Azure Saturday: Security + DevOps + Azure = Awesomeness
byKarl Ots
 
Navigating in the sea of containers in azure when to choose which service and...
byKarl Ots
 
Kubernetes in Azure
byKarl Ots
 
Azure security architecture / FAUG JKL 15.2.2018
byKarl Ots
 
Securing Azure Infrastructure
byKarl Ots
 
CloudBrew 2017 - Security + DevOps + Azure = Awesomeness
byKarl Ots
 
Monitoring advanced Azure PaaS workloads in the enterprise - Level: 200
byKarl Ots
 
Building globally scalable media solutions with Azure Media Services part 2
byKarl Ots
 
Security + DevOps + Azure = Awesomeness
byKarl Ots
 
Sovellusmodernisoinnin webinaarisarja, osa 3: modernisoidun sovelluksen integ...
byKarl Ots
 
Sovellusmodernisoinnin webinaarisarja, osa 2: liiketoimintasovelluksen modern...
byKarl Ots
 

Recently uploaded

PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PDF
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
PDF
The new book “Marketing in the Metaverse” spotlights Scott M. Graffius’ research
byScott M. Graffius
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PDF
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PDF
Post Quantum Cryptography for Dummies.pdf
byAde Ismail Isnan
 
PDF
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
PDF
Self-Correction Failure Diagnostic: Detecting Drift in Complex Systems
bySystems Research Group
 
PDF
Antminer S23Hyd-580_Manual-V1.1-oneminers.pdf
byFranzhLawrenceBataan1
 
PPTX
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PDF
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PPTX
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
The new book “Marketing in the Metaverse” spotlights Scott M. Graffius’ research
byScott M. Graffius
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
Workflow and decision Automation with Flowable
bychakib ch
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
Post Quantum Cryptography for Dummies.pdf
byAde Ismail Isnan
 
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
Self-Correction Failure Diagnostic: Detecting Drift in Complex Systems
bySystems Research Group
 
Antminer S23Hyd-580_Manual-V1.1-oneminers.pdf
byFranzhLawrenceBataan1
 
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 

Top Azure security fails and how to avoid them

  • 1.
    @fincooper Top Azure securityfails and how to avoid them
  • 2.
    @fincooper Karl Ots Managing Consultant karl.ots@zure.com •Cloud & cybersecurity expert • User group and conference organizer, podcast hosts • Patented inventor • Working on Azure since 2011 • Helped to secure 100+ Azure applications, from startups to Fortune 500 enterprises • linkedin.com/in/karlots
  • 3.
    @fincooper What to expectin this session • Azure security landscape • Top Azure security fails I have wondered upon in my adventures • Why are they bad? • How to fix them? • Resources to help you secure your Azure environment, regardless of your current status
  • 4.
    @fincooper Security controls inAzure Physical Security Network Host Application Admin Data Physical controls, video surveillance, access control Edge routers, firewalls, intrusion detection, vulnerability scanning Access control and monitoring, anti-malware, patch and configuration management Secure engineering (SDL), access control and monitoring, anti-malware Account management, training and awareness, screening Threat and vulnerability management, security monitoring and response, access control and monitoring, file/data integrity, encryption
  • 5.
    @fincooper With great powercomes great responsibility
  • 6.
    @fincooper Role-Based Access Control Subscription ResourceGroups Resources Owner Can perform all management operations for a resource and its child resources including access management and granting access to others. Contributor Can perform all management operations for a resource including create and delete resources. A contributor cannot grant access to other. Reader Has read-only access to a resource and its child resources. A reader cannot read secrets.
  • 7.
    @fincooper Privileged Identity Management •Requires Azure AD Premium P2 • For all users in the whole AAD Tenant • Identifies users with administrative privileges • Enables on-demand, just-in-time administrative access • Generates reports about administrator access history
  • 8.
    @fincooper STRIDE • Azure removessome of the attack surface, as infrastructure and operations are handled by Microsoft. • We can use frameworks such as STRIDE to identify threats: • Good set of tools at https://www.microsoft.com/en-us/SDL/adopt/tools.aspx Threat Property Definition Spoofing Authentication Impersonating something or someone else. Tampering Integrity Modifying data or code. Repudiation Non-repudiation Claiming to have not performed an action. Information Disclosure Confidentiality Exposing information to someone not authorized to see it. Denial of Service Availability Deny or degrade service to users. Elevation of Privilege Authorization Gain capabilities without proper authorization.
  • 9.
    @fincooper Security fail #1 •Every user is an Owner • …In the Subscription scope • STRIDE threat categorization: • Tampering • Information Disclosure • Mitigation: • Default access scope should be Resource Group, not Subscription • Default RBAC access should be Contributor, not Owner
  • 10.
    @fincooper Security fail #2 •Service Principals have too wide privileges • STRIDE threat categorization: • Repudiation • Mitigation: • Service Principal RBAC assignments should follow the least privileged principle • Service Principals should NOT be granted access in the Subscription scope • Service Principals should NOT be granted Owner access in any scope
  • 11.
    @fincooper Security fail #3 •Untrusted authorization provider being used • (Microsoft Account, Gmail, unmanaged Azure AD…) • STRIDE threat categorization: • Spoofing • Elevation of Privilege • Mitigation: • Always use trusted Azure AD authentication that is managed by your organization • Monitor Azure Subscription access using AAD PIM
  • 12.
    @fincooper Security fail #4 •Unprotected public endpoints • HTTP / RDP / SSH • STRIDE threat categorization: • Information Disclosure • Denial of Service • Mitigation: • Every public IP is a risk and should be carefully reviewed • Use Network Security Groups to control access to / from virtual machines • Use Azure Security Center’s Just-in-time access to dynamically change NSG rules • Use Web Application Firewall to control access to public HTTP endpoints
  • 13.
    @fincooper Security fail #5 •Storage access keys used directly • STRIDE threat categorization: • Information Disclosure • Tampering • Repudiation • Mitigation: • Storage Access Keys should be stored in Azure Key Vault and rotated programmatically • Restrict access to Microsoft.Storage/storageAccounts/listkeys/action using RBAC
  • 14.
    @fincooper Security fail #6 •No monitoring or alerting • STRIDE threat categorization: • Repudiation • Denial of Service • Mitigation: • Configure Activity Log retention, default is only 90 days! • Enable Application Insight Smart Alerts • Enable Advanced Treat Protection • Enable Azure SQL Audit logging • Monitor all HTTP endpoint traffic with with Application Gateway / WAF
  • 15.
    @fincooper Security fail #7 •Missing Virtual Machine updates • STRIDE threat categorization: • Information Disclosure • Elevation of Privilege • Mitigation: • Update management • Azure Security Center
  • 16.
  • 17.
    @fincooper Secure DevOps kitfor Azure (AzSK) • Set of tools for assessing the security posture of your Azure environment • Built by Microsoft Core Services Engineering • Used to secure 1000+ Azure subscriptions at Microsoft • Easy to get started with non-intrusive vulnerability scans, expands end-to- end tooling from developer machine to CI/CD to continuous assurance
  • 18.
    @fincooper Materials • My slides:slideshare.net/karlots • Secure DevOps Kit for Azure: • azsk.azurewebsites.net • STRIDE Threat Modeling Lessons from Star Wars: • youtube.com/watch?v=Y3VQpg04vXo • Azure Security and Compliance Blueprint (not Azure Blueprint): • docs.microsoft.com/en-us/azure/security/blueprints/gdpr-paaswa-overview • Azure Virtual Datacenter: • docs.microsoft.com/en-us/azure/architecture/vdc/