Class Project: Security in Microsoft Azure

Pace University
IT 612 – Web Server Setup
Configuration & Security
Student: Yao, Chung-Hui
Professor: Dr. Hevel Jean-Baptiste
Date: May, 2014
Security in Microsoft Azure
6/10/2014 Enter Your Main Title Here 1

IT 612 – Web Server Setup,
Abstract:
Microsoft Azure is a cloud computing platform and
infrastructure created by Microsoft. It’s said that 54% of
Fortune 500 companies already use Azure. This project will
look at the potential threat/attack web applications will
face when hosting on Microsoft Azure platform and some
of the best practice for secure environment.
6/10/2014 2

IT 612 – Web Server Setup, Configuration
& Security
Introduction:
Hosting application, services, and website on
Microsoft Azure means the physical infrastructure is left in
the hands of cloud provider. Since we no longer need to
secure the network or the host, it is up to the developer to
secure the application.
We will exam how security is handled differently in
cloud platform by reviewing OWASP Top 10 Vulnerabilities
from 2013. we will also highlight unique feature in Microsoft
Azure help mitigate vulnerabilities.
6/10/2014 3

IT 612 – Web Sever Setup
Background of your study:
This topic idea began when I had the opportunity
to compare the two different cloud platforms: Amazon
Web Service (AWS) and Microsoft Azure. At that time,
someone told me that the cloud provider will take care of
everything so we do not need to implement any security
measure. After learning more about web and internet
security from another class, I am interested to explore if
we need to apply different security baseline when our
web application is hosted on Microsoft Azure
6/10/2014 4

Analysis:
OWASP Top 10
• Injection
• Broken Authentication and Session
• Cross-Site Scripting (XSS)
• Insecure Direct Object References
• Security Misconfiguration
6/10/2014 5

• Sensitive Data Exposure
• Missing Function Level Access Control
• Cross-Site Request Forgery
• Using Components with Known Vulnerabilities
• Unvalidated Redirect and Forwards
Notable mention
• Distributed Denial-of-Service (DDoS)
6/10/2014 6

& Security
Injection
• Azure will patch SQL
• Avoid building connection strings using string
concatenation, use SqlConnectionStringBuilder
class instead.
• Implement “escaping” to validate input
• Run SQL query with least privilege possible
6/10/2014 7

& Security
Broken Authentication and Session
• SSL connection to management portal
• Assign random port number for RDP and
Powershell to manage VM
• Access Control Service (ACS)
 authenticate with existing, mature account service
such as Google, Yahoo, Facebook account.
 developer need to follow recommendation
6/10/2014 8

& Security
Cross-Site Scripting (XSS)
• Follow same security practice within Azure
environment
• Validate and sanitize user input
• Protect session authentication cookie
6/10/2014 9

& Security
Insecure Direct Object References
• Isolation
 VM to VM within deployment
 different deployment within subscription cannot
communicate unless assigned to same virtual
network
• Private IP ACL and Public IP ACL
6/10/2014 10

& Security
Security Misconfiguration
• VM provisioned from template with strict security
baseline
• Block inbound connection from internet by default
• Have to specifically open ports
• Azure Active Directory with Access Control Service
fine-tune permission
6/10/2014 11

& Security
Sensitive Data Exposure
• Encrypt database content or database itself
• Built-in firewall in Azure SQL database
• Enable encrypted connection (SSL) to Azure
SQL Database
• Encrypt connection from web server to client
• Encrypt session cookies on client side
6/10/2014 12

& Security
Missing Function Level Access Control
• Azure Active Directory Control
 Provide group based or role based entitlement
• Microsoft Azure Dashboard
 access to logs and status for auditing
• Third Party App to audit application workflow
 Cerebrata Azure Management Studio
6/10/2014 13

& Security
Cross-Site Request Forgery
• Follow traditional practice
 Set shorter session time
 Prevent user from submitting form data multiple
times
 Implement CAPTCHA before submits
6/10/2014 14

& Security
Using Components with Known Vulnerabilities
• Azure handle OS Update and Software Patches
• Monitor vulnerabilities through public database
such as NVD and CVE
• NVD listed vulnerability in Azure SDK v 1.3
which has since updated.
6/10/2014 15

& Security
Unvalidated Redirect and Forwards
• Avoid using redirect and forwards
• Validate redirect and forward request
• Microsoft Azure isolation restrict destination
• Developer should use mapped value within
application instead of URL
6/10/2014 16

& Security
Distributed Denial-of-Service (DDoS)
• Azure has built-in defense against DDoS
- limit rate and connection
- drop offending VM within environment
• Deploy application firewall(Ex. Barracuda)
• Windows Azure Traffic Manager; load balance
• High-Availability; deploy more instance in case
of attack
6/10/2014 17

IT 612 – Web Server Setup
Diagram and others:
6/10/2014 18

Conclusion and other researches:
After reviewing OWASP Top 10 vulnerabilities from
2013 and Distributed Denial-of-Service attack, we see that
Microsoft Azure does have certain unique features that
mitigate some of the vulnerabilities such as Windows Azure
Traffic Manager and Access Control Service. We don’t need
to worry about securing network or securing the host. But
Developers have more responsibility now and need to
concentrate on securing the application itself. Code review
and code analyze become very important in the cloud
platform since now the environment is as secure as the
application it host.
6/10/2014 19

IT 612 – Web Server Setup Configuration
& Security
Q&A
6/10/2014 20

Class Project: Security in Microsoft Azure

More Related Content

What's hot (20)

Viewers also liked (16)

Similar to Class Project: Security in Microsoft Azure (20)

Recently uploaded (20)

Class Project: Security in Microsoft Azure