Microsoft Azure Security Overview
6 likes10,082 views
This document provides an overview of Microsoft Azure security features, including: - Shared responsibility model where Microsoft secures the platform and customers secure their data and applications - Identity and access management, encryption of data at rest and in transit, network security controls, and logging/monitoring capabilities - Security Center provides visibility into threats and advanced analytics to detect attacks - Operations Management Suite allows collecting logs from Azure, on-premises, and other clouds to analyze security events - Microsoft works with partners to provide additional virtual network appliances and security solutions to customers
![Azure Key
Vault
<Keys and Secrets
controlled by
customers in their
key vault>
Authentication
to Key Vault
<Authentication
to Key Vault is
using Azure AD>
Azure Data Encryption - Data at Rest
• BYO Encryption - <.NET Librabries, Leverage on-prem HSM, etc.>
• Always Encrypted
Application Layer
• SQL Database - <Transparent Data Encryption, Always Encrypted>
• HDInsight - <SQL Database>
• Azure Backup Service - <Leverages Azure Disk Encryption>
PaaS Services
• Azure Disk Encryption - <BitLocker [Windows], DM-Crypt [Linux]>
• Partner Volume Encryption – <CloudLink® SecureVM>
• BYO Encryption – <Customer provided>
Virtual Machine/OS Layer – Windows, Linux
• Azure Storage Service Encryption – <AES-256, Block,
Append, and page Blobs>
Storage System
K
e
y
s
M
a
n
a
g
e
m
e
n
t](https://image.slidesharecdn.com/css2017nycazure2msftazuresecurityoverview-171020192722/85/Microsoft-Azure-Security-Overview-10-320.jpg)
Microsoft Azure Security Overview
- 1. MICROSOFT AZURE SECURITY OVERVIEW Tom Quinn Azure Security Specialist, Microsoft
- 2. Microsoft Azure Security and Compliance Discussion Tom Quinn AzureSecuritySpecialist
- 3. Microsoft Azure Topics • Microsoft and Security • Shared Responsibility • How does Microsoft Secure the Platform • Azure Regions – Azure Gov Cloud • Securing Customer environment • Data Security • Encryption • Identity • Network Security • Network isolation • First party and third party controls • Hybrid Cloud - VPN and Express Route Connectivity • Logging, Monitoring, and Operations • Azure Security Center and OMS • Partner Security Solutions
- 4. EXPERIENCE • 1M+ Corporate Machines protected by enterprise IT security • Multi-platform cloud-first hybrid enterprise • Decades of experience as a global enterprise • Runs on multi-tenant Azure environment, same as you VISIBILITY • Malware largest anti-virus and antimalware service • Clients Windows Updates, Error Reports • Email Outlook.com, Office 365 • Web content Bing, Azure AD • Cloud platform Azure IaaS and PaaS, Azure Security Center EXPERTISE • Development Security established Security Development Lifecycle (SDL) - ISO/IEC 27034-1 • Operational Security for Hyper-scale cloud services • Combatting Cybercrime in the cloud & partnering with law enforcement to disrupt malware • Incident Investigation and recovery for customers Visibility ExpertiseExperience Context Microsoft industry leading security capabilities CONTEXT • Trillions of URLs indexed • Hundreds of Billions of authentications, monthly emails analyzed • Billions of daily web pages scans, Windows devices reporting • Hundreds of Millions of reputation look ups • Millions of daily suspicious files detonations
- 6. Cloud service provider responsibility Tenant responsibility Data governance & rights management Responsibility SaaS PaaS IaaS On-prem Client endpoints Account & access management Identity & directory infrastructure Application Network controls Operating system Physical network Physical datacenter CustomerMicrosoft Physical hosts
- 7. Microsoft Cloud Security Practices Microsoft makes security a priority at every step, from code development to incident response. Global, 24x7 incident response service that works to mitigate the effects of attacks and malicious activity. Incident Response Defense in Depth Defense in Depth Approach across all cloud services from Physical to app/data layers. Security Development Lifecycle (SDL) Company-wide, mandatory development process that embeds security into every phase of development process. Threat Intelligence Extensive threat intelligence gathering, modelling, analysis and controls incorporated into systems. Identity and Access Focus on Identity Controls and tools including mitigation of internal threat throughout stack including operations. Dedicated security expert “red team” that simulate real-world attacks at network, platform, and application layers, testing the ability of Azure to detect, protect against, and recover from breaches. Assume Breach Simulation
- 8. 42Azure regions Achieve global scale, in local regions Trust US Gov: US Gov Texas and US Gov Arizona NEWLY ANNOUNCED: France: France Central and France South Africa: South Africa North and South Africa West
- 9. Data in Azure Azure Cloud Storage: • Object based, durable, massively scalable storage subsystem • Designed from ground up by Microsoft • Presents as Blobs, Disks, Tables, Queues and Files • Accessed via REST APIs, Client Libraries and Tools • Access control: • Leverage Symmetric Shared Key Authentication • Trusted service that owns the storage accounts • Shared Access Signature (SAS) Scale: • More than 25 trillion stored objects • 2.5+ Million requests/sec on average Storage System Design and Architecture: • Architecture and design details published and available “Windows Azure Storage – A Highly Available Cloud Storage Service with Strong Consistency
- 10. Azure Key Vault <Keys and Secrets controlled by customers in their key vault> Authentication to Key Vault <Authentication to Key Vault is using Azure AD> Azure Data Encryption - Data at Rest • BYO Encryption - <.NET Librabries, Leverage on-prem HSM, etc.> • Always Encrypted Application Layer • SQL Database - <Transparent Data Encryption, Always Encrypted> • HDInsight - <SQL Database> • Azure Backup Service - <Leverages Azure Disk Encryption> PaaS Services • Azure Disk Encryption - <BitLocker [Windows], DM-Crypt [Linux]> • Partner Volume Encryption – <CloudLink® SecureVM> • BYO Encryption – <Customer provided> Virtual Machine/OS Layer – Windows, Linux • Azure Storage Service Encryption – <AES-256, Block, Append, and page Blobs> Storage System K e y s M a n a g e m e n t
- 11. Microsoft Azure Enterprise cloud identity – Azure AD 12 AZURE: • Provides enterprise cloud identity and access management • Enables single sign-on across cloud applications • Offers Multi-Factor Authentication for enhanced security CUSTOMER: • Centrally manages users and access to Azure, O365, and hundreds of pre- integrated cloud applications • Builds Azure AD into their web and mobile applications • Can extend on-premises directories to Azure AD End Users Active Directory Azure Active Directory Cloud Apps
- 12. Microsoft Azure Customer 1 Azure Virtual Networking AZURE: • Allows customers to create isolated virtual private networks CUSTOMER: • Creates Virtual Networks with Subnets and Private IP addresses • Enables communications between their Virtual Networks • Can apply security controls • Can connect to “corpnet” via VPN or Express Route Customer 2 INTERNET Isolated Virtual Networks Subnet 1 Deployment X Deployment Y VNET to VNET Cloud Access RDP Endpoint (password access) Client Subnet 2 Subnet 3 DNS Server VPN Microsoft Azure Corp 1 Isolated Virtual Network
- 13. Microsoft Azure Microsoft Azure Grouping of network traffic rules as security group Security groups associated with virtual machines or virtual subnets Controlled access between machines in subnets Controlled access to and from the Internet Network traffic rules updated independent of virtual machines Internet Front End Subnet Back End Subnet Virtual Network NSG Platform Network Control – Network Security Groups (NSG)
- 14. VM Application Gateway Azure Traffic Manager (DNS Load Balancer) Internet Application Gateway Application Gateway VMVM VM VM Application Gateway VM VM VM Azure Service What Example Traffic Manager Cross-region redirection & availability http://news.com apac.news.com emea.news.com us.news.com Azure Load Balancer In-region scalability & availability emea.news.com AppGw1 AppGw2 AppGw2 Azure Application Gateway URL/content- based routing & load balancing news.com/topnews news.com/sports news.com/images VMs Web Servers
- 15. App Gateway
- 17. User Defined Routing and Virtual Appliances
- 19. Microsoft Azure 20 Monitoring & logging AZURE: • Performs monitoring & alerting on security events for the platform • Enables security data collection via Monitoring Agent or Windows Event Forwarding CUSTOMER: • Configures monitoring • Exports events to SQL Database, HDInsight or a SIEM for analysis • Monitors alerts & reports • Responds to alerts Azure Storage Customer Admin Guest VM Cloud Services Customer VMs Portal SMAPI Guest VM Enable Monitoring Agent Event s Extract event information to SIEM or other Reporting System Event ID Computer Event Description Severity DateTime 1150 Machine1 Example security event 4 04/29/2014 2002 Machine2 Signature Updated Successfully 4 04/29/2014 5007 Machine3 Configuration Applied 4 04/29/2014 1116 Machine2 Example security event 1 04/29/2014 1117 Machine2 Access attempted 1 04/29/2014 SIEM Admin View Alerting & reporting HDInsight Microsoft Azure
- 20. Azure Security Center Prevent, detect and respond to threats with increased visibility and control over the security of your Azure resources and advanced analytics, which identify attacks that might otherwise go unnoticed What is the feature? Benefits • Understand the security state of Azure resources • Take control of cloud security with policies that enable you to recommend and monitor security configurations • Make it easy for DevOps to deploy integrated Microsoft and partner security solutions • Find threats with advanced analysis of your security-related events developed using Microsoft’s vast global intelligence assets and expertise • Respond and recover from incidents faster with real-time security alerts • Export security events to a SIEM for further analysis Automatic Log Collection Rome Analytics Engine Analyzes Windows Security Events, IIS Logs, AV Logs, Firewall Logs, Syslog, …
- 21. Operations Management Suite Amazon Web Services Windows Server (VM) Windows Server (VM) Linux (VM) Linux (VM) Linux (VM) Private clouds (Azure Stack, Hyper-V, VMware, OpenStack) Windows Server (VM) Windows Server (VM) Windows Server (VM) Windows Server (VM) Linux (VM) Operations Management Suite Log analytics Backup & disaster recovery IT automation Security & compliance • Near real time perf. data collection/monitoring • Linux agents including monitoring integrations • Mobile Apps in Windows, Android and iOS • Custom fields • SOC1 and SOC2 Type 1 Compliant • Automation DSC • Source Control support through GitHub for runbooks • Hybrid support for schedules / test jobs • PowerShell script support on hybrid workers • Linux DSC support • Wire data solution • Azure network analytics solution • Malicious IP detection • Backup >1.6TB support • ASR integration with SQL Always-On public preview • ASR CSP and IaaS V2 support • IaaS v1 & v2 VMs backup • Azure backup server for application workload backups
- 22. Partner Security Solutions Microsoft is dedicated to working with partners across the ecosystem enabling customers to augment their security posture Network Virtual Appliances Hosted Network Controls – Firewalls,WAF, Ddos, IDS/IPS, DLP Operations/Management – Monitoring, logging, correlation Penetration Testing Vulnerability assessments/Threat Modeling