![Governance – a definition
Establishment of policies, and
continuous monitoring of their
proper implementation, by the
members of the governing body of
an organization[…]1
1Source: BusinessDictionary](https://image.slidesharecdn.com/azureinfrasec-191214120012/85/Cloudbrew-2019-Azure-Security-10-320.jpg)
![Role-based access control
1. Security principal = user, group, service principal
2. Role definition = set of management rights
Owner
Contributor
Reader
…
Backup Operator
Security Reader
User Access Administrator
Virtual Machine Contributor
Reader Support Tickets
Virtual Machine Operator
Built in
Custom
Contributor
"permissions": [
{
"actions": [
"*"
],
"notActions": [
"Authorization/*/Delete"
"Authorization/*/Write"
"Authorization/elevateAccess/Action"
],
"dataActions": [
],
"notDataActions": [
],
}
],](https://image.slidesharecdn.com/azureinfrasec-191214120012/85/Cloudbrew-2019-Azure-Security-19-320.jpg)
![Role-based access control
1. Security principal = user, group, service principal
2. Role definition = set of management rights
3. Scope = MG, subscription, RG, resource
Owner
Contributor
Reader
…
Backup Operator
Security Reader
User Access Administrator
Virtual Machine Contributor
Reader Support Tickets
Virtual Machine Operator
Built in
Custom
Contributor
"permissions": [
{
"actions": [
"*"
],
"notActions": [
"Authorization/*/Delete"
"Authorization/*/Write"
"Authorization/elevateAccess/Action"
],
"dataActions": [
],
"notDataActions": [
],
}
],
Azure
subscription
Resource
group
Management Group](https://image.slidesharecdn.com/azureinfrasec-191214120012/85/Cloudbrew-2019-Azure-Security-20-320.jpg)
![Role-based access control – Role assignment
Owner
Contributor
Reader
…
Backup Operator
Security Reader
User Access Administrator
Virtual Machine Contributor
Reader Support Tickets
Virtual Machine Operator
Built in
Custom
"actions": [
"*"
],
"notActions": [
"Auth/*/Delete"
"Auth/*/Write"
"Auth/elevate…
],
Azure
subscription
Resource
group
Management Group
DevOps Group
Contributor
DevOps Resource
Group
Role Assignment](https://image.slidesharecdn.com/azureinfrasec-191214120012/85/Cloudbrew-2019-Azure-Security-21-320.jpg)
![Resource Tags
Name:Value, e.g. CostCenter:ProdIT, ResourceOwner:Tom
Help to define responsibility and view consolidated billing
Always tag RGs
• Owner
• Dept
• CostCenter
• […]
Tag resources as needed
Define tags in advance](https://image.slidesharecdn.com/azureinfrasec-191214120012/85/Cloudbrew-2019-Azure-Security-24-320.jpg)
Cloudbrew 2019 - Azure Security
- 2. welcome.
- 3. Innovative technology consulting for business. Azure Infrastructure SecurityUltimate security in the cloud era Tom Janetscheck, Principal Cloud Security Architect & Microsoft MVP
- 4. about me. Tom Janetscheck Principal Cloud Security Architect @ Devoteam Alegri Focused on Azure Identity, Security, Governance, and Infrastructure Community Lead of Azure Meetup Saarbrücken Co-organizer of Azure Saturday Tech blogger and book author @azureandbeyond https://blog.azureandbeyond.com
- 5. ● Cloud security challenges Why is cloud security so difficult and identity security so important? ● Azure Governance Define your guardrails to enable security ● Azure Security Center Improve your hybrid cloud security posture ● Microsoft Intelligent Security Graph Unique insights, informed by trillions of signals ● Best practices ● Demo agenda.
- 6. Federal criminal agency – 2018 cybercrime situation report 87.000 cases of cybercrime in 2018 60.000.000 € amount of damage with an immense dark figure Estimated amount of damage according to Bitcom: 100.000.000.000 (!) € per yearSource: BKA - 2018 Cybercrime situation report
- 7. Today‘s cloud security challenges Increasingly sophisticated attacks It’s both, a strength and a challenge of the cloud. How do you make sure that ever-changing services are up to your security standards? Attack automation and evasion techniques are evolving along multiple dimensions We need human expertise, adaptability, and creativity to combat human threat actors.
- 8. Office 365 Modernizing the security perimeter • • + =
- 9. Cloud Security is a Shared Responsibility Securing and managing the cloud foundation JOINT RESPONSIBILITYMICROSOFT COMMITMENT Physical assets Datacenter operations Cloud infrastructure Securing and managing your cloud resources Virtual machines Applications & workloads Data
- 10. Governance – a definition Establishment of policies, and continuous monitoring of their proper implementation, by the members of the governing body of an organization[…]1 1Source: BusinessDictionary
- 11. 5 tips and best practices Common Sense Protect your IDs and implement RBAC Use tags and policies Secure your network Monitor your resources
- 13. 5 tips and best practices Common Sense Protect your IDs and implement RBAC Use tags and policies Secure your network Monitor your resources
- 14. 5 tips and best practices Protect your IDs and implement RBAC Use tags and policies Secure your network Monitor your resources Common Sense
- 15. Identity protection is essential! uuuuuuu uu$$$$$$$$$$$uu uu$$$$$$$$$$$$$$$$$uu u$$$$$$$$$$$$$$$$$$$$$u u$$$$$$$$$$$$$$$$$$$$$$$u u$$$$$$$$$$$$$$$$$$$$$$$$$u u$$$$$$$$$$$$$$$$$$$$$$$$$u u$$$$$$" "$$$" "$$$$$$u "$$$$" u$u $$$$" $$$u u$u u$$$ $$$u u$$$u u$$$ "$$$$uu$$$ $$$uu$$$$" "$$$$$$$" "$$$$$$$" u$$$$$$$u$$$$$$$u u$"$"$"$"$"$"$u uuu $$u$ $ $ $ $u$$ uuu u$$$$ $$$$$u$u$u$$$ u$$$$ $$$$$uu "$$$$$$$$$" uu$$$$$$ u$$$$$$$$$$$uu """"" uuuu$$$$$$$$$$ $$$$"""$$$$$$$$$$uuu uu$$$$$$$$$"""$$$" """ ""$$$$$$$$$$$uu ""$""" uuuu ""$$$$$$$$$$uuu u$$$uuu$$$$$$$$$uu ""$$$$$$$$$$$uuu$$$ $$$$$$$$$$"""" ""$$$$$$$$$$$" "$$$$$" ""$$$$"" $$$" $$$$" 88 88 88 88 88 88 88 88 88 88,dPPYba, ,adPPYYba, ,adPPYba, 88 ,d8 ,adPPYba, ,adPPYb,88 88P' "8a "" `Y8 a8" "" 88 ,a8" a8P_____88 a8" `Y88 88 88 ,adPPPPP88 8b 8888[ 8PP""""""" 8b 88 88 88 88, ,88 "8a, ,aa 88`"Yba, "8b, ,aa "8a, ,d88 88 88 `"8bbdP"Y8 `"Ybbd8"' 88 `Y8a `"Ybbd8"' `"8bbdP"Y8 Implement multi- factor authentication Adhere to the principle of least privilege Establish privileged identity/access management (PIM/PAM) Enable conditional access policies Use passphrases rather than (complex) passwords or go password-less
- 16. Identity protection is essential! oooo$$$$$$$$$$$$oooo oo$$$$$$$$$$$$$$$$$$$$$$$$o oo$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$o o$ $$ o$ o $ oo o$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$o $$ $$ $$o$ oo $ $ "$ o$$$$$$$$$ $$$$$$$$$$$$$ $$$$$$$$$o $$$o$$o$ "$$$$$$o$ o$$$$$$$$$ $$$$$$$$$$$ $$$$$$$$$$o $$$$$$$$ $$$$$$$ $$$$$$$$$$$ $$$$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$$$ $$$$$$$$$$$$$$ """$$$ "$$$""""$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ "$$$ $$$ o$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ "$$$o o$$" $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$o $$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$" "$$$$$$ooooo$$$$o o$$$oooo$$$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ o$$$$$$$$$$$$$$$$$ $$$$$$$$"$$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$"""""""" """" $$$$ "$$$$$$$$$$$$$$$$$$$$$$$$$$$$" o$$$ "$$$o """$$$$$$$$$$$$$$$$$$"$$" $$$ $$$o "$$""$$$$$$"""" o$$$ $$$$o oo o$$$" "$$$$o o$$$$$$o"$$$$o o$$$$ "$$$$$oo ""$$$$o$$$$$o o$$$$"" ""$$$$$oooo "$$$o$$$$$$$$$""" ""$$$$$$$oo $$$$$$$$$$ """"$$$$$$$$$$$ $$$$$$$$$$$$ $$$$$$$$$$" "$$$""""
- 17. Role-based access control 1. Security principal = user, group, service principal
- 18. Role-based access control 1. Security principal = user, group, service principal 2. Role definition = set of management rights Owner Contributor Reader … Backup Operator Security Reader User Access Administrator Virtual Machine Contributor Reader Support Tickets Virtual Machine Operator Built in Custom
- 19. Role-based access control 1. Security principal = user, group, service principal 2. Role definition = set of management rights Owner Contributor Reader … Backup Operator Security Reader User Access Administrator Virtual Machine Contributor Reader Support Tickets Virtual Machine Operator Built in Custom Contributor "permissions": [ { "actions": [ "*" ], "notActions": [ "Authorization/*/Delete" "Authorization/*/Write" "Authorization/elevateAccess/Action" ], "dataActions": [ ], "notDataActions": [ ], } ],
- 20. Role-based access control 1. Security principal = user, group, service principal 2. Role definition = set of management rights 3. Scope = MG, subscription, RG, resource Owner Contributor Reader … Backup Operator Security Reader User Access Administrator Virtual Machine Contributor Reader Support Tickets Virtual Machine Operator Built in Custom Contributor "permissions": [ { "actions": [ "*" ], "notActions": [ "Authorization/*/Delete" "Authorization/*/Write" "Authorization/elevateAccess/Action" ], "dataActions": [ ], "notDataActions": [ ], } ], Azure subscription Resource group Management Group
- 21. Role-based access control – Role assignment Owner Contributor Reader … Backup Operator Security Reader User Access Administrator Virtual Machine Contributor Reader Support Tickets Virtual Machine Operator Built in Custom "actions": [ "*" ], "notActions": [ "Auth/*/Delete" "Auth/*/Write" "Auth/elevate… ], Azure subscription Resource group Management Group DevOps Group Contributor DevOps Resource Group Role Assignment
- 22. 5 tips and best practices Protect your IDs and implement RBAC Use tags and policies Secure your network Monitor your resources Common Sense
- 23. 5 tips and best practices Use tags and policies Secure your network Monitor your resources Common Sense Protect your IDs and implement RBAC
- 24. Resource Tags Name:Value, e.g. CostCenter:ProdIT, ResourceOwner:Tom Help to define responsibility and view consolidated billing Always tag RGs • Owner • Dept • CostCenter • […] Tag resources as needed Define tags in advance
- 25. Resource Policies Rule enforcements on MG, subscription or RG level Initiative definitions vs. Policy definitions Effect types: • Append • Deny • Audit
- 26. 5 tips and best practices Use tags and policies Secure your network Monitor your resources Common Sense Protect your IDs and implement RBAC
- 27. 5 tips and best practices Secure your network Monitor your resources Common Sense Protect your IDs and implement RBAC Use tags and policies
- 29. 5 tips and best practices Secure your network Monitor your resources Common Sense Protect your IDs and implement RBAC Use tags and policies
- 30. 5 tips and best practices Monitor your resources Common Sense Protect your IDs and implement RBAC Use tags and policies Secure your network
- 32. Microsoft Azure Security Center Security Center assesses your environment and enables you to understand the status of your resources, and whether they are secure. Enable actionable, adaptive protections that identify and mitigate risk to reduce exposure to attacks Use advanced analytics and Microsoft Intelligent Security Graph to rapidly detect and respond to evolving cyber threats
- 33. Strengthen your security posture Identify shadow IT subscriptions Optimize and improve resource security Continous assessments
- 34. Microsoft Azure Security Center Security Center assesses your environment and enables you to understand the status of your resources, and whether they are secure. Enable actionable, adaptive protections that identify and mitigate risk to reduce exposure to attacks Use advanced analytics and Microsoft Intelligent Security Graph to rapidly detect and respond to evolving cyber threats
- 35. Adaptive threat prevention Advanced Threat Protection Native integration with Microsoft Defender ATP for Windows machines Advanced Threat Detection for Linux machines
- 36. Microsoft Azure Security Center Security Center assesses your environment and enables you to understand the status of your resources, and whether they are secure. Enable actionable, adaptive protections that identify and mitigate risk to reduce exposure to attacks Use advanced analytics and Microsoft Intelligent Security Graph to rapidly detect and respond to evolving cyber threats
- 37. Microsoft Intelligent Security Graph
- 38. Inside the Intelligent Security Graph Microsoft Trust Center
- 39. Protect your cloud storage/networkin g! Data leaks in the cloud often refer to unprotected/publicly available storage accounts or configuration issues in both, platform and infrastructure services.
- 40. Protect your identities! Most of today’s cyber attacks are identity-focused. Keep that in mind when planning your security strategy.
- 41. Have your governance ready! You need to define rules as guardrails to avoid shadow IT and other security issues.
- 42. Monitor the heck out of everything! You need to know what’s going on in your environment. Massive telemetry is necessary!
- 43. Repeat! Cloud security is an ongoing process. Make sure you regularly assess your current configuration by leveraging automation tools.
- 44. Witness on-stage live attacks, see adaptive identity protection, passwordless signins and MFA, and learn how Azure Security Center can help you to protect your hybrid cloud environment. demo.