Enter The Matrix Securing Azure’s Assets

Sponsored & Brought to you by
Enter The Matrix: Securing Azure’s Assets
Mike Martin
http://www.twitter.com/techmike2kx
https://be.linkedin.com/in/techmike2kx

Enter the Matrix.
Securing Azure’s Assets
Mike MARTIN, Architect
Crosspoint Solutions

Mike Martin
Who Am I
View more tips on my blog
http://techmike2kx.wordpress.com
Crosspoint Solutions (part of Cronos)
Where I Work
Architect, Windows Azure MVP,
MEET, Insider
What I Do
@Techmike2kx
Mike.Martin@csps.be
Where To Find Me

Journey to the Cloud
DIFFERENTIATION
AGILITY
COST
SaaS Solutions
Higher-level services
Cloud Infrastructure

AZURE REGIONS
Latest launch was in October 2015-
India – Central, India – South, India – West
GENERALLY AVAILABLE
6 new regions announced: Canada Central, Canada East, Germany Central,
Germany North East, United Kingdom (2 – regions TBD)

Platform Services
Infrastructure Services
Web Apps
Mobile
Apps
API
Management
API Apps
Logic Apps
Notification
Hubs
Content
Delivery
Network (CDN)
Media
Services
BizTalk
Services
Hybrid
Connections
Service Bus
Storage
Queues
Hybrid
Operations
Backup
StorSimple
Azure Site
Recovery
Import/Export
SQL
Database
DocumentDB
Redis
Cache
Azure
Search
Storage
Tables
Data
Warehouse Azure AD
Health Monitoring
AD Privileged
Identity
Management
Operational
Analytics
Cloud
Services
Batch
RemoteApp
Service
Fabric
Visual Studio
App
Insights
Azure
SDK
VS Online
Domain Services
HDInsight Machine
Learning
Stream
Analytics
Data
Factory
Event
Hubs
Mobile
Engagement
Data
Lake
IoT Hub
Data
Catalog
Security &
Management
Azure Active
Directory
Multi-Factor
Authentication
Automation
Portal
Key Vault
Store/
Marketplace
VM Image Gallery
& VM Depot
Azure AD
B2C
Scheduler

The Matrix
Physical Defenses
Azure Edge Defenses
Your defenses
Your App / code

Microsoft Azure
Shared responsibility
REDUCES SECURITY COSTS + MAINTAINS FLEXIBILITY, ACCESS, & CONTROL
Customer Microsoft
On-Premises IaaS PaaS SaaS

Model Realworld
Attacks
• Model Emerging
Threats, Use
Blended Threats
• Exfiltrate &
Leverage
Compromised
Data
• Escape And
Evade /
Persistence
Identify Gaps In
Security Story
• Measure Time To
Compromise
(Mttc) / Pwnage
(Mttp)
• Highlight
Security
Monitoring &
Recovery Gaps
• Improve Incident
Response
Demonstrable
Impact
• Prove Need For
Assume Breach
• Enumerate
Business Risks
• Justify
Resources,
Priorities &
Investment
Needs

Exercises Ability To
Detect & Respond
• Detect Attack &
Penetration
(MTTD)
• Respond &
Recover To Attack
& Penetration
(MTT)
• Practiced Incident
Response
Enhances Situational
Awareness
• Produces
Actionable
Intelligence
• Full Visibility Into
Actual Conditions
Within
Environment
• Data Analysis &
Forensics For
Attack & Breach
Indicators
Measure Readiness
& Impact
• Accurately
Assesses Real-
world Attacks
• Identifies Gaps &
Investment Needs
• Focus On Slowing
Down Attackers &
Speeding Recovery
• Hardening That
Prevents Future
Attacks

Physical data center security
Cameras
24X7 security staff
Barriers
Fencing
Alarms
Two-factor access control:
Biometric readers & card
readers
Security operations center
Days of backup power
Seismic bracing
BuildingPerimeter Computer room

Secure Multi-Tenancy Architecture
• Centrally manages the platform and helps
isolate customer environments using the
Fabric Controller
• Runs a configuration-hardened version of
Windows Server as the Host OS
• Uses Hyper-V, a battle tested and enterprise
proven hypervisor
• Runs Windows Server and Linux on Guest
VMs for platform services
• Manages their environment through service
management interfaces and subscriptions
• Chooses from the gallery or brings their own
OS for their Virtual Machines
Azure
Customer
SQL
Database
Fabric
Controller
Azure
Storage
Guest VM Guest VM
Customer 2
Guest VM
Customer 1
Customer
Admin
Portal
SMAPI
Host OS
Hypervisor
Microsoft Azure
End
Users
25

Data Segregation
Storage isolation:
• Access is through Storage account keys and Shared
Access Signature (SAS) keys
• Storage blocks are hashed by the hypervisor to
separate accounts
SQL isolation:
• SQL Database isolates separate databases using
SQL accounts
Network isolation:
• VM switch at the host level blocks inter-tenant
communication
• Design same principles for multi-tenancy
Azure
Customer
26
Fabric
Controller
Customer
Admin
Guest VM Guest VM
Customer 2
Guest VM
Customer 1Portal
SMAPI
End
Users
Host OS
Hypervisor
Microsoft Azure
Azure
Storage
SQL
Database
Access
Control

Azure platform services infrastructure protection
1. Azure Protection
Layer A: The Network Access Layer
Layer B: Azure’s DDoS/DOS/IDS Layer
Layer C: Host firewalls protect all the hosts, and the
VLANs
Layer D: Conformance with security and privacy
requirements includes two-factor authentication for
operators.
2. Customer protection:
Layers 1-2: The distributed firewall isolates customer’s
Layer 3: The virtual network can be managed similar to an
on-premises private network.
i. Inside the VM: Firewalls, IDS, and DoS
solutions.
ii. Virtual network appliances

DDoS System Protection Overview
MSFT Routing Layer
Detection Pipeline
Profile DB
Scrubbing Array
SLB
Application
Attack Traffic
Scrubbed Traffic
Flow Data
Routing Updates
Internet
• Traffic is re-routed to scrubbers via dynamic routing updates
• Traffic is SYN auth. and rate limited
MITIGATION PROCESS
• Traffic to a given /32 VIP Inbound or Outbound is tracked,
recorded, and analyzed in real time to determine attack
behavior
DETECTION PROCESS
• TCP SYN
• UDP/ICMP/TCP Flood
SUPPORTED DDOS ATTACK PROFILES
30

Threat Protection
• Performs big data analysis of logs for
intrusion detection & prevention for the
platform
• Employs denial of service attack
prevention measures for the platform
• Regularly performs penetration testing
• Can add extra layers of protection by
deploying additional controls, including
DOS, IDS, web application firewalls
• Conducts authorized penetration testing
of their application
Azure
Customer
Customer Environment
Cloud Access & Firewall
Virtual network
Application tier
Logic tier
Database tier
VPN
Corp 1
Internet End Users
443
443
Microsoft Azure
THREAT DETECTION: DOS/IDS Capabilities
32

Customer 2
INTERNET
Isolated Virtual
Networks
Customer 1
Isolated Virtual
Network
Deployment X Deployment X Deployment Y
Portal
Smart API
Customer
Admin
VNET to VNET
Cloud Access
Layer
Web Endpoint
(public access)
RDP Endpoint
(password access)
Client Client
VPN
Corp 1
Microsoft Azure
Portal
SMAPI

Azure Active Directory 2FA Mandatory
Active Directory
Microsoft Azure
Active Directory
• Secure access management requires strong, centralized,
identity management.
• Active Directory (AD) helps you with that on-premises.
• Azure Active Directory (AAD) helps you in Azure…and in
Office 365, and in 1200+ apps.
• AD and AAD are tightly integrated, to enable single sign-
on, a single directory, and centralized management.
• AD and AAD help address your compliance requirements.
Azure Active Directory (AAD) integration
• Two Factor Authentication can be implemented with
Phone Factor or with AD on-premises.
Use Two Factor Authentication or DevOPs
to access your production services
35

Threat Protection
• Uses password hashes for synchronization
• Offers security reporting that tracks inconsistent traffic
patterns, including:
• Sign ins from unknown sources
• Multiple failed sign ins
• Sign ins from multiple geographies in short
timeframes
• Sign ins from suspicious IP addresses and
suspicious devices
• Reviews reports and mitigates potential
threats
• Can enable Multi-Factor Authentication
Azure
Customer
User Non-user

Transparency & independent verification
AIDS CUSTOMERS IN MEETING SECURITY & COMPLIANCE OBLIGATIONS
Best practices
and guidance
Third-party
verification
Cloud Security
Alliance
Security
Intelligence
report
Compliance
packages
Trust
Center
Access to
audit reports
Security Response
Center progress
report

Global datacenter footprint
100+ Datacenters in over 40 countries

and
• Public preview now available globally!
RMS SDK.NET Crypto
SQL TDE Bitlocker Partners EFS
Bitlocker StorSimple

Operations
Security
Assurance
HIPAA/
HITECH
CJISSOC 1
201220112010
SOC 2
FedRAMP
P-ATO
FISMA
ATO
UK G-Cloud OFFICIAL
2013 2014 2015
ISO/IEC
27001:2005
CSA Cloud
Controls
Matrix
PCI DSS
Level 1
AU IRAP
Accreditation
Singapore
MCTS
ISO/IEC
27018
EU Data
Protection
Directive
CDSA

Data Deletion
Data destruction
• Wiping is NIST 800-88 compliant
• Defective disks are destroyed
• Index immediately removed from primary location
• Geo-replicated copy of the data (index) removed
asynchronously
• Customers can only read from disk space they have written to
Disk Handling

Data use policies
Azure does not share
data with its advertiser-
supported services
Azure does not mine
Customer Data for
advertising
Read the fine print of other cloud service
provider’s privacy statements

• Portal access
• Uses Live ID (Microsoft Account)
• Go to http://manage.windowsazure.com
• Role: Service Administrator or Co-Administrator
• Uses special REST API without providing certificate
• Management certificate
• Certificate can be self-signed
• Does not check certificate expiration
• Used by PowerShell
• Used by REST API
• Storage access
• Uses secret key
• Or anonymous share access
• RDP VM access
• Uses username/password
Authentication and Access (4x)

• Portal access
• Uses Live ID (Microsoft Account) –> Better have AAD / Org ID +
MFA
• Implement RBAC  JEA principle
• Management certificate
• ARE EVIL !!!!!
• Only Use them in a management solution when that is the ONLY
option!
• Storage access
• I’v got the key … I’ve got ALL your Secrets
• If needed? IMPLEMENT KEY VAULT!
• RDP VM access
• Harden from the outside , and access through GW / S2S / ER
• Better implement SSH / PoSh Remoting over SSL
Authentication and Access … BUT…!

• Network Security Groups
• Firewalls before the
Gateways
• ACL’s
• inside the guest OS firewall
• Network ACLs on public IP
addresses
• Network ACLs at the corporate
firewall
• IPsec inside the guest OS
• Network Isolation
Network Security

Role Based Access in Azure – aka RBAC
• Role
• Collection of actions
• Role Assignment
• Access is granted to AAD
users and services role
assignment on the resources.
• Azure AD Security Principals
• Roles can be assigned to the
following types of Azure AD
security principals:
• Users
• Groups
• Service principals

RBAC in Azure
•Portal Management •Powershell
foreach ($roledef in Get-AzureRMRoleDefinition) {
Write-Host 'Role: '$roledef.Name
Write-Host 'Actions'
(Get-AzureRMRoleDefinition -Name $roledef.Name).Actions
Write-Host 'NoActions'
(Get-AzureRoleRMDefinition -Name $roledef.Name).NoActions
Write-Host ([Environment]::NewLine)
}

Microsoft Azure
IaaS SaaSPaaS
Microsoft Azure Key Vault
Import
keys
HSM
KeyVault
Safeguard cryptographic keys and
other secrets used by cloud apps
and services
• Increase security and control over keys and
passwords
• Create and import encryption keys in minutes
• Applications have no direct access to keys
• Use FIPS 140-2 Level 2 certified HSMs
• Reduce latency with cloud scale and global
redundancy

Applying to Azure - Infrastructure
• Port scanning: the only open ports are those defined by us!
• Denial of service:
• External: depends on our settings, but the Fabric Controller
tries to identify the attacks
• Internal: all DOS attacks initiated from internal VMs will result in
removing those VMs from the network
• Spoofing: compromised machines cannot impersonate VMs
from the Fabric Controller (broadcast and multicast are
blocked, https between VMs and FC)
• Sniffing: the Hyper-V switch prevents sniffing from a VM to
another VM on the same host; racks switches block it to
other VMs
• VMs are untrusted by the Root OS Hypervisor

•Endpoints
•Antimalwae extensions
•Storage access
•Bitlocker Support on Disks
VM Security

Configuring Virtual Machine Security
• Firewall rules
• Leveraging public/private/domain profiles
• Access control lists (ACL)
• Controls port access through at subnet level
• IP address blacklisting
• VM endpoint rules (up to 50 per endpoint)
• Rule ordering
• Encryption
• DPAPI not supported for cloud service
• Secure key data with encryption keys
• CloudLink

Endpoint ACL’s
Using Network ACLs, you can do the following:
• Selectively permit or deny incoming traffic based on remote
subnet IPv4 address range to a virtual machine input endpoint.
• Blacklist IP addresses
• Create multiple rules per virtual machine endpoint
• Specify up to 50 ACL rules per virtual machine endpoint
• Use rule ordering to ensure the correct set of rules are applied
on a given virtual machine endpoint (lowest to highest)
• Specify an ACL for a specific remote subnet IPv4 address.

Network Security Groups (NSG)
• Enables network segmentation & DMZ
scenarios
• Access Control List
• Filter conditions with allow/deny
• Individual addresses, address prefixes,
wildcards
• Associate with VMs or subnets
• ACLs can be updated independent of
VMs
Virtual Network
Backend
10.3/16
Mid-tier
10.2/16
Frontend
10.1/16
VPN
GW
Internet
On Premises 10.0/16
S2S
VPNs
Internet

DMZ in a Virtual Network
Web Proxy
App Servers
Database
DMZ
DNS Servers
NSG
NSG
NSG
NSG

Security considerations when using NSG
•Endpoint ACLs and Network Security Groups don’t
work together
•Multi-NIC : for now the Network Security Group
rules apply only to the traffic in primary NIC
•For RDP endpoints for VM’s and Network Security
Group : NSG does not allow access to any port from
Internet, you have to create a specific rule to allow
RDP traffic.

Azure Application Gateway
 Azure-managed, first
party virtual appliances
 HTTP routing based on
app-level policies
 Cookies affinity
 URL hash
 SSL termination and
caching

ARM/PS
cmdlets
HOST
1. Customer opt into enabling disk encryption
2. Customer provide identity and other encryption
configuration to Azure Portal/API to provision
encryption key material* in their key vault
3. Azure service management updates service model
with encryption and key vault configuration and
Azure platform push the encryption extension on
the VM
4. Encryption extension initiate encryption on the VM
5. VM is encrypted
* Key Material – BitLocker Encryption Keys [Windows],
Passphrase [Linux]
Azure
Active
Directory
Azure Storage
Customer Key
Vault
Virtual Machine
Service
Management
Encryption
Extension
Encrypted
Disks
Encryption
Configuration

Applying to Azure - applications
• Use custom domains instead of myapp.cloudapp.net
and scope cookies to your custom domain; scripting!
• Access to Azure Storage using Shared Access
Signatures; attention to REST query injection
• SQL Database: pay attention to SQL Injection; no TDE
• Auditing -> Azure Tables
• Authentication using Azure’s ACS, Azure AD, Windows
Identity Foundation -> rely on existing patterns and
user stores!

Your identity goes with you
3rd party clouds/hosting
Azure AD
You

Self-service Single
sign on
•••••••••••
Username
Identity as the control plane
Simple
connection
Cloud
SaaS
Azure
Office 365Public
cloud
Other
Directories
Windows Server
Active Directory
On-premises Microsoft Azure Active Directory

Microsoft Azure Active Directory
Cloud App Discovery
10x
Source: Help Net Security 2014
as many Cloud apps are in use
than IT estimates
• SaaS app category
• Number of users
• Utilization volume
Comprehensive
reporting
Discover all SaaS apps in use within your organization

Azure Active Directory Connect*
Microsoft Azure
Active Directory
Other Directories
PowerShell
LDAP v3
SQL (ODBC)
Web Services
( SOAP, JAVA, REST)
*

B2B: cross-organization collaboration
“I need to let my partners access my company’s apps using their own credentials.”
Share without complex
configuration or duplicate
users.
A user at a large partner may log into
my company’s apps with their Active
Directory usernames and passwords.
A user at a smaller partner may log
into my company’s apps with their
Office 365 usernames and passwords.
Admin configures sharing for
cloud apps.
“I can’t email my 25 MB file and need
to share it with a partner using
Box.com.”
Seamlessly provide Azure
Active Directory to customers
& partners
For example, a user at a partner can
set up everyone in their company.
Users can bring their own email-based
or social identities.

Azure Active Directory B2C offering is tailored for enterprises who serve large populations (100’s of
thousands to millions) of individual customers, and whose business success depends upon consumer
adoption of web applications for improving customer satisfaction and reducing operational costs.
Azure Active Directory B2C(Business-to-Consumer )
AzureActiveDirectoryB2Cwill include:
Self-Service User registration
Login with Social IdP or create your own credentials
Optional MFA
Bulk user import tools
SSO to multiple web sites
User interface customization

Cloud Domain Join makes it possible to connect work-owned
Windows devices to your company’s Azure Active Directory
tenancy in the cloud. Users can sign-in to Windows with their
cloud-hosted work credentials and enjoy modern Windows
experiences.
Cloud Domain
Joined Devices
EnterprisecompliantServices
RoamingSettings,Windowsbackup/Restore,Storeaccess…
DatastoredinenterprisecompliantbackendservicesonAzure.
NoneedtoaddapersonalMicrosoftaccount.
SSOfromthedesktoptoorg resources
SSOfromdesktoptoOffice365and1,000’sofenterpriseapps,websites
andresources.
Accessenterprise-curatedStoreandinstallappsusingaworkaccount.
Management
AutomaticMDMenrollmentduringfirst-runexperience.
Supportfor hybrid environments
TraditionalDomainJoinedPCsalsobenefitfromCloudDomainJoin
functionalitywhentheon-premActiveDirectoryisconnectedwithan
AzureActiveDirectoryinthecloud.
Cloud Domain Join

Azure AD : Identity driven security
SSO + MFA
Conditional access
Cloud App Discovery
Advanced security reporting
Privileged Identity Management

Log Management – Collect, correlate and visualize all your machine data
OMS Log Analytics
Machine data
from
on-premises and
Cloud
Insights
OperationalInsights
AZURE
BLOB
SEARCH
SERVICE
PORTAL
DATA
PROCESSING
ENGINE
Troubleshooting
 Correlate & Search data from
multiple sources
 Collect custom data types
 Build dashboards powered by
search queries
Operation
Insights
 Forecast future capacity needs
and pinpoint performance
bottlenecks
 Check your update and malware
protection status
Security Intelligence
 Identify security breaches
 Meet compliance requirements
for auditing
 Analyze security data
REAL TIME
DASHBOARDS
& REPORTING SCALABLESEARCH
READY MADE
INTELLIGENCE
Key Benefits:
Event Logs | IIS Logs | Security Logs
Performance Counters | Syslog | & many more
Machine Data
Windows &
Linux
Server
Servers
forwarding
data through
SCOM
Windows &
Linux
Server
Servers
directly
forwarding
data
Cloud
VMs

OMS Agent For Linux
What sorts of data can I collect?
•Syslog: Collect your choice of syslog events from rsyslog and syslog-ng
•Performance Metrics: We can collect 70+ performance metrics at a 30 second
granularity using our new. Get metrics from the following objects: System,
Processor, Memory & Swap space, Process, Logical Disk (File System) and Physical
Disk. Full list of Performance Counters.
•Docker container logs, metrics & inventory: We show information about where your
containers and container hosts are, which containers are running or failed, and
Docker dameon and container logs sent to stdout and stderr. We also show
performance metrics such as CPU, memory, network and storage for the container
and hosts to help you troubleshoot and find noisy neighbor containers. We support
Docker version 1.8+.
•Alerts from Nagios + Zabbix: The agent can collect alerts from your most popular
monitoring tools. This allows you to view all your alerts from all your tools in a single
pain of glass! Combine this with our existing support for collection of alerts from
Operations Manager. We currently support Nagios 3+ and Zabbix 2.x.
•Apache & MySQL performance metrics: Collect performance metrics about your
MySQL/MariaDB server performance and databases and Apache HTTP Servers and
Virtual Hosts.

How Data Flows to OMS
Microsoft
Operations Management Suite
Your Environment
Portal
‘multiple’ mgmt groups
https://preview.systemcenteradvisor.com/Content/AdvisorCore/Resources/Security.pdf

Unified view of all security related information,
relevant threats and recommendations
Central management of security policies, network
configuration, virtual machine baselines, etc.
Integrated security event logging and
monitoring, including events from partner solutions

Define policies for your Azure subscriptions
according to your company security needs
Security recommendations guide resource
owners through the process of implementing
required controls
Rapidly deploy security services and appliances
from Microsoft and partners, like firewalls and
endpoint protection

Constantly collects, analyzes, and fuses
security events from your Azure resources, the
network, and integrated partner solutions
Leverages global threat intelligence from
Microsoft products and services, Digital Crime and
Incident Response Centers, and third party feeds
Creates prioritized security alerts with insight
into the attack and recommendations on how to
remediate

Staying connected
http://azure.microsoft.com/en-us/support/trust-center/
http://blogs.msdn.com/b/azuresecurity/
https://azure.microsoft.com/en-us/blog/microsoft-azure-network-security-
whitepaper-version-3-is-now-available/

Enter The Matrix Securing Azure’s Assets

More Related Content

What's hot (20)

Similar to Enter The Matrix Securing Azure’s Assets (20)

More from BizTalk360 (20)

Recently uploaded (20)

Enter The Matrix Securing Azure’s Assets