Securing Azure Infrastructure
1 like144 views
This document summarizes Karl Ots's presentation on securing Azure infrastructure. It discusses: 1. Karl Ots's background working with Azure customers on security projects since 2011. 2. The multi-layered security of Azure datacenters, including physical security, network security, and server environment security. 3. Ways to secure an Azure environment, including identity and access management, encryption, securing hosts and networking, and third-party solutions. 4. Features of Azure Security Center for unified security management, monitoring, and recommendations.
Securing Azure Infrastructure
- 1. SECURING AZURE INFRASTRUCTURE FAUG # 7 12.12.2017
- 2. KARL OTS @ KOMPOZURE • Co-organizer of Finland Azure User Group and IglooConf • Working on Azure since 2011 • Patented inventor • Worked with tens of different customers on full-scale Azure projects, from startups to Fortune 500 enterprises Managing Consultant, Kompozure Ltd Karl.ots@kompozure.com
- 4. 2 Mil kilometers intra-datacenter fiber 72+ Tb per second Backbone 100+ datacenters 42 Azure regions Millions of servers ACCESS APPROVAL Background check System check PERIMETER One defined access point Video coverage Perimeter fencing BUILDING Two-factor authentication with biometrics 24x7x365 security operations Verified single person entry SERVER ENVIRONMENT Employee & contractor vetting Inability to identify location of specific customer data Secure destruction bins Rest assured with layered datacenter security
- 5. SECURE YOUR AZURE ENVIRONMENT Identity & access Encryption Secure hosts & networking 3rd party solutions Unified security management ✓ RBAC ✓ Strong Authentication ✓ Monitoring and Alerting ✓ Encryption Key Management ✓ Encryption at Rest and In Transit ✓ Host AV & monitoring ✓ Virtual Networks ✓ Traffic Rules ✓ Secure Connectivity ✓ Antimalware ✓ Network Appliances ✓ Encryption ✓ Monitoring ✓ Application Security ✓ Authentication ✓ Security Policy ✓ Monitoring ✓ Recommendati ons ✓ Threat Detection
- 6. ENCRYPTION • At Rest o Storage: SSE o VM Disks: ADE o Azure SQL: TDE • In Transit o All traffic between Azure datacenters encrypted o We can enforce HTTPS connection to Storage
- 7. AZURE SECURITY CENTER • Gain visibility and control • Integrated security, monitoring, policy management • Built in threat detections and alerts • Leverages global threat intelligence from Microsoft products and services, Digital Crime and Incident Response Centers, and third party feeds
- 10. VNET SUPPORT FOR PAAS • App Service Web Apps (VNET Integration, ASE and Isolated) • API Management (Premium) • Storage Firewall (NEW) • Azure SQL Managed Instance (NEW)
- 11. RESOURCES • Azure Trust Center o https://www.microsoft.com/en-us/TrustCenter/ • Microsoft Azure Security - Getting Started (free Pluralsight course): o https://www.pluralsight.com/courses/microsoft-azure-security-getting- started?twoid=43eb6e26-b9fd-4aa0-b88f-2604b82e810f • PCI-DSS Compliant PaaS Blueprint o aka.ms/pciblueprints
- 12. DDOS PROTECTION • Protection against o Volumetric attacks (e.g. UDP floods) o Protocol attacks (e.g. SYN floods) o Application layer attacks (SQL injections, XSS) • Simulations available from Azure Networking team
- 13. DMZ BETWEEN AZURE AND INTERNET
- 14. SO IS AZURE BETTER THAN MY DC? • “My apps automatically become fully compliant when I run them on Azure”