SlideShare a Scribd company logo

Top 18 azure security fails and how to avoid them

Karl Ots, profile picture
Karl Ots

The document discusses the top 18 security failures in Azure and provides guidance on avoiding them, highlighting issues like improper access controls and lack of monitoring. It emphasizes the importance of secure practices, such as using role-based access control and privileged identity management. Additionally, it offers resources and tools to enhance Azure security, including the Secure DevOps Kit for Azure.

Technology
Related topics:
Information SecurityCloud Computing Insights
1 of 14
Downloaded 21 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
@fincooper Top 18 Azure security fails and how to avoid them
@fincooper Karl Ots Managing Consultant karl.ots@zure.com • Cloud & cybersecurity expert • User group and conference organizer, podcast hosts • Patented inventor • Working on Azure since 2011 • Helped to secure 100+ Azure applications, from startups to Fortune 500 enterprises • linkedin.com/in/karlots
@fincooper What to expect in this session • Azure security landscape • Top Azure security fails I have wondered upon in my adventures • Why are they bad? • How to fix them? • Resources to help you secure your Azure environment, regardless of your current status
@fincooper Security controls in Azure Physical Security Network Host Application Admin Data Physical controls, video surveillance, access control Edge routers, firewalls, intrusion detection, vulnerability scanning Access control and monitoring, anti-malware, patch and configuration management Secure engineering (SDL), access control and monitoring, anti-malware Account management, training and awareness, screening Threat and vulnerability management, security monitoring and response, access control and monitoring, file/data integrity, encryption
@fincooper With great power comes great responsibility
@fincooper Role-Based Access Control Subscription Resource Groups Resources
@fincooper Privileged Identity Management • Requires Azure AD Premium P2 • For all users in the whole AAD Tenant • Identifies users with administrative privileges • Enables on-demand, just-in-time administrative access • Generates reports about administrator access history
@fincooper STRIDE • Azure removes some of the attack surface, as infrastructure and operations are handled by Microsoft. • We can use frameworks such as STRIDE to identify threats: • Good set of tools at https://www.microsoft.com/en-us/SDL/adopt/tools.aspx Threat Property Definition Spoofing Authentication Impersonating something or someone else. Tampering Integrity Modifying data or code. Repudiation Non-repudiation Claiming to have not performed an action. Information Disclosure Confidentiality Exposing information to someone not authorized to see it. Denial of Service Availability Deny or degrade service to users. Elevation of Privilege Authorization Gain capabilities without proper authorization.
@fincooper Top Azure security fails 1. Every user is an Owner • …In the Subscription scope 2. Service Principals have too wide privileges 3. Untrusted authorization provider being used (Microsoft Account, Gmail, unmanaged Azure AD…) 4. No monitoring 5. No alerting • Security Center • SQL Auditing • WAF • Azure Service Health 6. Storage access keys used directly 7. Credentials in code 8. No key rotation 9. Unprotected public endpoints (HTTP/RDP)
@fincooper Top Azure security fails 10. Too short Activity Log retention (if any) 11. Missing VM updates… 12. Enterprise Portal access control fails • Or Azure Sponsorship for Microsoft Startups / BizSpark 13. No Privileged Identity Management, Just-in-time Access or Just-Enough Access 14. No Advanced Threat Protection enabled 15. Azure DevOps access control fails 16. Data Access pane fails 17. Azure Governance fails 18. Network-level fails
@fincooper DEMO
@fincooper Secure DevOps kit for Azure (AzSK) • Set of tools for assessing the security posture of your Azure environment • Built by Microsoft Core Services Engineering • Used to secure 1000+ Azure subscriptions at Microsoft • Easy to get started with non-intrusive vulnerability scans, expands end-to- end tooling from developer machine to CI/CD to continuous assurance
@fincooper Materials • My slides: slideshare.net/karlots • Secure DevOps Kit for Azure: • azsk.azurewebsites.net • STRIDE Threat Modeling Lessons from Star War: • youtube.com/watch?v=Y3VQpg04vXo • Azure Security and Compliance Blueprint (not Azure Blueprint): • docs.microsoft.com/en-us/azure/security/blueprints/gdpr-paaswa-overview • Azure Virtual Datacenter: • docs.microsoft.com/en-us/azure/architecture/vdc/
Top 18 azure security fails and how to avoid them

More Related Content

PDF
introduction to Azure Sentinel
Robert Crane
 
PDF
UpdateConf 2018: Top 18 Azure security fails and how to avoid them
Karl Ots
 
PDF
Top Azure security fails and how to avoid them
Karl Ots
 
PDF
IglooConf 2019 Secure your Azure applications like a pro
Karl Ots
 
PDF
BeyondCorp and Zero Trust
Ivan Dwyer
 
PPTX
Threat Hunting on AWS using Azure Sentinel
Ashwin Patil, GCIH, GCIA, GCFE
 
PDF
[OWASP Poland Day] Embedding security into SDLC + GDPR
OWASP
 
PDF
Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...
DevOps.com
 
introduction to Azure Sentinel
Robert Crane
 
UpdateConf 2018: Top 18 Azure security fails and how to avoid them
Karl Ots
 
Top Azure security fails and how to avoid them
Karl Ots
 
IglooConf 2019 Secure your Azure applications like a pro
Karl Ots
 
BeyondCorp and Zero Trust
Ivan Dwyer
 
Threat Hunting on AWS using Azure Sentinel
Ashwin Patil, GCIH, GCIA, GCFE
 
[OWASP Poland Day] Embedding security into SDLC + GDPR
OWASP
 
Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...
DevOps.com
 

What's hot (20)

PDF
BeyondCorp and Zero Trust
Ivan Dwyer
 
PPTX
Assume breach, layered security in Azure tested and explained
Martyn Coupland
 
PPTX
Jason Kent - AppSec Without Additional Tools
centralohioissa
 
PPTX
MCAS High Level Architecture May 2021
Matt Soseman
 
PDF
BeyondCorp Seattle Meetup: Closing the Adherence Gap
Ivan Dwyer
 
PDF
BeyondCorp - Google Security for Everyone Else
Ivan Dwyer
 
PPTX
Security as an Enabler for the Digital World - CISO Perspective
Apigee | Google Cloud
 
PPTX
AWS Security Strategy
2nd Sight Lab
 
PDF
BeyondCorp Myths: Busted
Ivan Dwyer
 
PPTX
CSS 17: NYC - Realities of Security in the Cloud
Alert Logic
 
PPTX
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
AgileNetwork
 
PPTX
Importance of Azure infrastructure?-Microsoft Azure security infrastructure
Zabeel Institute
 
PDF
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...
Alert Logic
 
PPTX
Data-driven Security: Protect APIs from Adaptive Threats
Apigee | Google Cloud
 
PDF
BeyondCorp New York Meetup: Closing the Adherence Gap
Ivan Dwyer
 
PPTX
Modern Security Operations & Common Roles/Competencies
Harry McLaren
 
PPTX
CSS 17: NYC - Protecting your Web Applications
Alert Logic
 
PDF
Identity and Data protection with Enterprise Mobility Security in ottica GDPR
Jürgen Ambrosi
 
PPTX
#ALSummit: Realities of Security in the Cloud
Alert Logic
 
PDF
Dev week cloud world conf2021
Archana Joshi
 
BeyondCorp and Zero Trust
Ivan Dwyer
 
Assume breach, layered security in Azure tested and explained
Martyn Coupland
 
Jason Kent - AppSec Without Additional Tools
centralohioissa
 
MCAS High Level Architecture May 2021
Matt Soseman
 
BeyondCorp Seattle Meetup: Closing the Adherence Gap
Ivan Dwyer
 
BeyondCorp - Google Security for Everyone Else
Ivan Dwyer
 
Security as an Enabler for the Digital World - CISO Perspective
Apigee | Google Cloud
 
AWS Security Strategy
2nd Sight Lab
 
BeyondCorp Myths: Busted
Ivan Dwyer
 
CSS 17: NYC - Realities of Security in the Cloud
Alert Logic
 
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
AgileNetwork
 
Importance of Azure infrastructure?-Microsoft Azure security infrastructure
Zabeel Institute
 
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...
Alert Logic
 
Data-driven Security: Protect APIs from Adaptive Threats
Apigee | Google Cloud
 
BeyondCorp New York Meetup: Closing the Adherence Gap
Ivan Dwyer
 
Modern Security Operations & Common Roles/Competencies
Harry McLaren
 
CSS 17: NYC - Protecting your Web Applications
Alert Logic
 
Identity and Data protection with Enterprise Mobility Security in ottica GDPR
Jürgen Ambrosi
 
#ALSummit: Realities of Security in the Cloud
Alert Logic
 
Dev week cloud world conf2021
Archana Joshi
 
Ad

Similar to Top 18 azure security fails and how to avoid them (20)

PDF
Techorama Belgium 2019: top Azure security fails and how to avoid them
Karl Ots
 
PDF
ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...
Karl Ots
 
PDF
DevSum - Top Azure security fails and how to avoid them
Karl Ots
 
PDF
IT Camp 19: Top Azure security fails and how to avoid them
Karl Ots
 
PDF
FAUG #9: Azure security architecture and stories from the trenches
Karl Ots
 
PDF
TechDays Finland 2020: Azuren tietoturva haltuun!
Karl Ots
 
PPTX
5 steps to securing your identity infrastructure.pptx
MCont1
 
PPTX
Identity-Driven Security with Forsyte I.T. Solutions - Demos and Discovery
Forsyte I.T. Solutions
 
PPTX
3 Modern Security - Secure identities to reach zero trust with AAD
Andrew Bettany
 
PPTX
Azure Fundamentals Part 3
CCG
 
PDF
Microsoft Windows Azure - Security Best Practices for Developing Windows Azur...
Microsoft Private Cloud
 
PDF
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
Alert Logic
 
PDF
CloudBrew 2017 - Security + DevOps + Azure = Awesomeness
Karl Ots
 
PPTX
DevSecOps: Securing Applications with DevOps
Wouter de Kort
 
PPTX
Shared Security Responsibility for the Azure Cloud
Alert Logic
 
PPTX
Get On Top of Azure Resource Security Using Secure DevOps Kit for Azure
Kasun Kodagoda
 
PPTX
Azure security and Compliance
Karina Matos
 
PPTX
Introduction to basic governance in Azure - #GABDK
Peter Selch Dahl
 
PDF
Application Security - 28 Nov 2018
Cheah Eng Soon
 
PDF
Azure Saturday: Security + DevOps + Azure = Awesomeness
Karl Ots
 
Techorama Belgium 2019: top Azure security fails and how to avoid them
Karl Ots
 
ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...
Karl Ots
 
DevSum - Top Azure security fails and how to avoid them
Karl Ots
 
IT Camp 19: Top Azure security fails and how to avoid them
Karl Ots
 
FAUG #9: Azure security architecture and stories from the trenches
Karl Ots
 
TechDays Finland 2020: Azuren tietoturva haltuun!
Karl Ots
 
5 steps to securing your identity infrastructure.pptx
MCont1
 
Identity-Driven Security with Forsyte I.T. Solutions - Demos and Discovery
Forsyte I.T. Solutions
 
3 Modern Security - Secure identities to reach zero trust with AAD
Andrew Bettany
 
Azure Fundamentals Part 3
CCG
 
Microsoft Windows Azure - Security Best Practices for Developing Windows Azur...
Microsoft Private Cloud
 
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
Alert Logic
 
CloudBrew 2017 - Security + DevOps + Azure = Awesomeness
Karl Ots
 
DevSecOps: Securing Applications with DevOps
Wouter de Kort
 
Shared Security Responsibility for the Azure Cloud
Alert Logic
 
Get On Top of Azure Resource Security Using Secure DevOps Kit for Azure
Kasun Kodagoda
 
Azure security and Compliance
Karina Matos
 
Introduction to basic governance in Azure - #GABDK
Peter Selch Dahl
 
Application Security - 28 Nov 2018
Cheah Eng Soon
 
Azure Saturday: Security + DevOps + Azure = Awesomeness
Karl Ots
 
Ad

More from Karl Ots (19)

PDF
TechDays Finland 2020: Best practices of securing web applications running on...
Karl Ots
 
PDF
IglooConf 2020: Best practices of securing web applications running on Azure ...
Karl Ots
 
PDF
Building an Enterprise-Grade Azure Governance Model
Karl Ots
 
PDF
CloudBurst Malmö: Best practices of securing web applications running on Azur...
Karl Ots
 
PDF
FAUG Jyväskylä 28.5.2019 - Azure Monitoring
Karl Ots
 
PDF
Techorama Belgium 2019 - Building an Azure Governance model for the Enterprise
Karl Ots
 
PDF
Azure Low Lands 2018: Monitoring real life Azure applications when to use wha...
Karl Ots
 
PDF
UpdateConf 2018: Monitoring real-life Azure applications: When to use what an...
Karl Ots
 
PDF
Monitoring real-life Azure applications: When to use what and why
Karl Ots
 
PDF
Navigating in the sea of containers in azure when to choose which service and...
Karl Ots
 
PDF
Kubernetes in Azure
Karl Ots
 
PDF
Azure security architecture
Karl Ots
 
PDF
Azure security architecture / FAUG JKL 15.2.2018
Karl Ots
 
PDF
Securing Azure Infrastructure
Karl Ots
 
PDF
Monitoring advanced Azure PaaS workloads in the enterprise - Level: 200
Karl Ots
 
PDF
Building globally scalable media solutions with Azure Media Services part 2
Karl Ots
 
PDF
Security + DevOps + Azure = Awesomeness
Karl Ots
 
PPTX
Sovellusmodernisoinnin webinaarisarja, osa 3: modernisoidun sovelluksen integ...
Karl Ots
 
PPTX
Sovellusmodernisoinnin webinaarisarja, osa 2: liiketoimintasovelluksen modern...
Karl Ots
 
TechDays Finland 2020: Best practices of securing web applications running on...
Karl Ots
 
IglooConf 2020: Best practices of securing web applications running on Azure ...
Karl Ots
 
Building an Enterprise-Grade Azure Governance Model
Karl Ots
 
CloudBurst Malmö: Best practices of securing web applications running on Azur...
Karl Ots
 
FAUG Jyväskylä 28.5.2019 - Azure Monitoring
Karl Ots
 
Techorama Belgium 2019 - Building an Azure Governance model for the Enterprise
Karl Ots
 
Azure Low Lands 2018: Monitoring real life Azure applications when to use wha...
Karl Ots
 
UpdateConf 2018: Monitoring real-life Azure applications: When to use what an...
Karl Ots
 
Monitoring real-life Azure applications: When to use what and why
Karl Ots
 
Navigating in the sea of containers in azure when to choose which service and...
Karl Ots
 
Kubernetes in Azure
Karl Ots
 
Azure security architecture
Karl Ots
 
Azure security architecture / FAUG JKL 15.2.2018
Karl Ots
 
Securing Azure Infrastructure
Karl Ots
 
Monitoring advanced Azure PaaS workloads in the enterprise - Level: 200
Karl Ots
 
Building globally scalable media solutions with Azure Media Services part 2
Karl Ots
 
Security + DevOps + Azure = Awesomeness
Karl Ots
 
Sovellusmodernisoinnin webinaarisarja, osa 3: modernisoidun sovelluksen integ...
Karl Ots
 
Sovellusmodernisoinnin webinaarisarja, osa 2: liiketoimintasovelluksen modern...
Karl Ots
 

Recently uploaded (20)

PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
A Presentation on Artificial Intelligence
memembruh336
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 

Top 18 azure security fails and how to avoid them

  • 1. @fincooper Top 18 Azure security fails and how to avoid them
  • 2. @fincooper Karl Ots Managing Consultant karl.ots@zure.com • Cloud & cybersecurity expert • User group and conference organizer, podcast hosts • Patented inventor • Working on Azure since 2011 • Helped to secure 100+ Azure applications, from startups to Fortune 500 enterprises • linkedin.com/in/karlots
  • 3. @fincooper What to expect in this session • Azure security landscape • Top Azure security fails I have wondered upon in my adventures • Why are they bad? • How to fix them? • Resources to help you secure your Azure environment, regardless of your current status
  • 4. @fincooper Security controls in Azure Physical Security Network Host Application Admin Data Physical controls, video surveillance, access control Edge routers, firewalls, intrusion detection, vulnerability scanning Access control and monitoring, anti-malware, patch and configuration management Secure engineering (SDL), access control and monitoring, anti-malware Account management, training and awareness, screening Threat and vulnerability management, security monitoring and response, access control and monitoring, file/data integrity, encryption
  • 5. @fincooper With great power comes great responsibility
  • 7. @fincooper Privileged Identity Management • Requires Azure AD Premium P2 • For all users in the whole AAD Tenant • Identifies users with administrative privileges • Enables on-demand, just-in-time administrative access • Generates reports about administrator access history
  • 8. @fincooper STRIDE • Azure removes some of the attack surface, as infrastructure and operations are handled by Microsoft. • We can use frameworks such as STRIDE to identify threats: • Good set of tools at https://www.microsoft.com/en-us/SDL/adopt/tools.aspx Threat Property Definition Spoofing Authentication Impersonating something or someone else. Tampering Integrity Modifying data or code. Repudiation Non-repudiation Claiming to have not performed an action. Information Disclosure Confidentiality Exposing information to someone not authorized to see it. Denial of Service Availability Deny or degrade service to users. Elevation of Privilege Authorization Gain capabilities without proper authorization.
  • 9. @fincooper Top Azure security fails 1. Every user is an Owner • …In the Subscription scope 2. Service Principals have too wide privileges 3. Untrusted authorization provider being used (Microsoft Account, Gmail, unmanaged Azure AD…) 4. No monitoring 5. No alerting • Security Center • SQL Auditing • WAF • Azure Service Health 6. Storage access keys used directly 7. Credentials in code 8. No key rotation 9. Unprotected public endpoints (HTTP/RDP)
  • 10. @fincooper Top Azure security fails 10. Too short Activity Log retention (if any) 11. Missing VM updates… 12. Enterprise Portal access control fails • Or Azure Sponsorship for Microsoft Startups / BizSpark 13. No Privileged Identity Management, Just-in-time Access or Just-Enough Access 14. No Advanced Threat Protection enabled 15. Azure DevOps access control fails 16. Data Access pane fails 17. Azure Governance fails 18. Network-level fails
  • 12. @fincooper Secure DevOps kit for Azure (AzSK) • Set of tools for assessing the security posture of your Azure environment • Built by Microsoft Core Services Engineering • Used to secure 1000+ Azure subscriptions at Microsoft • Easy to get started with non-intrusive vulnerability scans, expands end-to- end tooling from developer machine to CI/CD to continuous assurance
  • 13. @fincooper Materials • My slides: slideshare.net/karlots • Secure DevOps Kit for Azure: • azsk.azurewebsites.net • STRIDE Threat Modeling Lessons from Star War: • youtube.com/watch?v=Y3VQpg04vXo • Azure Security and Compliance Blueprint (not Azure Blueprint): • docs.microsoft.com/en-us/azure/security/blueprints/gdpr-paaswa-overview • Azure Virtual Datacenter: • docs.microsoft.com/en-us/azure/architecture/vdc/