SlideShare a Scribd company logo

Top Azure security fails and how to avoid them

Karl Ots, profile picture
Karl Ots

The document discusses top Azure security fails and how to avoid them. It begins by introducing the speaker and their experience with Azure security. It then covers common security controls in Azure and the concept of role-based access control (RBAC). The document identifies seven common security fails including giving all users owner permissions, overprivileged service principals, untrusted authentication providers, unprotected public endpoints, misused storage access keys, lack of monitoring and alerting, and missing virtual machine updates. It demonstrates how to avoid these fails using tools like Azure Security Center and the Secure DevOps kit for Azure.

Technology
Related topics:
Information SecurityCloud Computing Insights
1 of 19
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
@fincooper Top Azure security fails and how to avoid them
@fincooper Karl Ots Managing Consultant karl.ots@zure.com • Cloud & cybersecurity expert • User group and conference organizer, podcast hosts • Patented inventor • Working on Azure since 2011 • Helped to secure 100+ Azure applications, from startups to Fortune 500 enterprises • linkedin.com/in/karlots
@fincooper What to expect in this session • Azure security landscape • Top Azure security fails I have wondered upon in my adventures • Why are they bad? • How to fix them? • Resources to help you secure your Azure environment, regardless of your current status
@fincooper Security controls in Azure Physical Security Network Host Application Admin Data Physical controls, video surveillance, access control Edge routers, firewalls, intrusion detection, vulnerability scanning Access control and monitoring, anti-malware, patch and configuration management Secure engineering (SDL), access control and monitoring, anti-malware Account management, training and awareness, screening Threat and vulnerability management, security monitoring and response, access control and monitoring, file/data integrity, encryption
@fincooper With great power comes great responsibility
@fincooper Role-Based Access Control Subscription Resource Groups Resources Owner Can perform all management operations for a resource and its child resources including access management and granting access to others. Contributor Can perform all management operations for a resource including create and delete resources. A contributor cannot grant access to other. Reader Has read-only access to a resource and its child resources. A reader cannot read secrets.
@fincooper Privileged Identity Management • Requires Azure AD Premium P2 • For all users in the whole AAD Tenant • Identifies users with administrative privileges • Enables on-demand, just-in-time administrative access • Generates reports about administrator access history
@fincooper STRIDE • Azure removes some of the attack surface, as infrastructure and operations are handled by Microsoft. • We can use frameworks such as STRIDE to identify threats: • Good set of tools at https://www.microsoft.com/en-us/SDL/adopt/tools.aspx Threat Property Definition Spoofing Authentication Impersonating something or someone else. Tampering Integrity Modifying data or code. Repudiation Non-repudiation Claiming to have not performed an action. Information Disclosure Confidentiality Exposing information to someone not authorized to see it. Denial of Service Availability Deny or degrade service to users. Elevation of Privilege Authorization Gain capabilities without proper authorization.
@fincooper Security fail #1 • Every user is an Owner • …In the Subscription scope • STRIDE threat categorization: • Tampering • Information Disclosure • Mitigation: • Default access scope should be Resource Group, not Subscription • Default RBAC access should be Contributor, not Owner
@fincooper Security fail #2 • Service Principals have too wide privileges • STRIDE threat categorization: • Repudiation • Mitigation: • Service Principal RBAC assignments should follow the least privileged principle • Service Principals should NOT be granted access in the Subscription scope • Service Principals should NOT be granted Owner access in any scope
@fincooper Security fail #3 • Untrusted authorization provider being used • (Microsoft Account, Gmail, unmanaged Azure AD…) • STRIDE threat categorization: • Spoofing • Elevation of Privilege • Mitigation: • Always use trusted Azure AD authentication that is managed by your organization • Monitor Azure Subscription access using AAD PIM
@fincooper Security fail #4 • Unprotected public endpoints • HTTP / RDP / SSH • STRIDE threat categorization: • Information Disclosure • Denial of Service • Mitigation: • Every public IP is a risk and should be carefully reviewed • Use Network Security Groups to control access to / from virtual machines • Use Azure Security Center’s Just-in-time access to dynamically change NSG rules • Use Web Application Firewall to control access to public HTTP endpoints
@fincooper Security fail #5 • Storage access keys used directly • STRIDE threat categorization: • Information Disclosure • Tampering • Repudiation • Mitigation: • Storage Access Keys should be stored in Azure Key Vault and rotated programmatically • Restrict access to Microsoft.Storage/storageAccounts/listkeys/action using RBAC
@fincooper Security fail #6 • No monitoring or alerting • STRIDE threat categorization: • Repudiation • Denial of Service • Mitigation: • Configure Activity Log retention, default is only 90 days! • Enable Application Insight Smart Alerts • Enable Advanced Treat Protection • Enable Azure SQL Audit logging • Monitor all HTTP endpoint traffic with with Application Gateway / WAF
@fincooper Security fail #7 • Missing Virtual Machine updates • STRIDE threat categorization: • Information Disclosure • Elevation of Privilege • Mitigation: • Update management • Azure Security Center
@fincooper DEMO “How to avoid them”
@fincooper Secure DevOps kit for Azure (AzSK) • Set of tools for assessing the security posture of your Azure environment • Built by Microsoft Core Services Engineering • Used to secure 1000+ Azure subscriptions at Microsoft • Easy to get started with non-intrusive vulnerability scans, expands end-to- end tooling from developer machine to CI/CD to continuous assurance
@fincooper Materials • My slides: slideshare.net/karlots • Secure DevOps Kit for Azure: • azsk.azurewebsites.net • STRIDE Threat Modeling Lessons from Star Wars: • youtube.com/watch?v=Y3VQpg04vXo • Azure Security and Compliance Blueprint (not Azure Blueprint): • docs.microsoft.com/en-us/azure/security/blueprints/gdpr-paaswa-overview • Azure Virtual Datacenter: • docs.microsoft.com/en-us/azure/architecture/vdc/
Top Azure security fails and how to avoid them

More Related Content

PDF
UpdateConf 2018: Top 18 Azure security fails and how to avoid them
Karl Ots
 
PDF
Top 18 azure security fails and how to avoid them
Karl Ots
 
PDF
BeyondCorp and Zero Trust
Ivan Dwyer
 
PDF
BeyondCorp Seattle Meetup: Closing the Adherence Gap
Ivan Dwyer
 
PDF
ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...
Karl Ots
 
PDF
BeyondCorp and Zero Trust
Ivan Dwyer
 
PDF
CSF18 - Implementing Gartners #1 - Whitelisting- Karim El-Melhaoui
NCCOMMS
 
PPTX
Jason Kent - AppSec Without Additional Tools
centralohioissa
 
UpdateConf 2018: Top 18 Azure security fails and how to avoid them
Karl Ots
 
Top 18 azure security fails and how to avoid them
Karl Ots
 
BeyondCorp and Zero Trust
Ivan Dwyer
 
BeyondCorp Seattle Meetup: Closing the Adherence Gap
Ivan Dwyer
 
ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...
Karl Ots
 
BeyondCorp and Zero Trust
Ivan Dwyer
 
CSF18 - Implementing Gartners #1 - Whitelisting- Karim El-Melhaoui
NCCOMMS
 
Jason Kent - AppSec Without Additional Tools
centralohioissa
 

What's hot (20)

PPTX
Azure Security Fundamentals
Lorenzo Barbieri
 
PDF
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
Alert Logic
 
PDF
BeyondCorp - Google Security for Everyone Else
Ivan Dwyer
 
PPTX
#ALSummit: Live Cyber Hack Demonstration
Alert Logic
 
PDF
Global Azure Bootcamp 2018 - Azure Security Center
Scott Hoag
 
PDF
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Alert Logic
 
PDF
BeyondCorp New York Meetup: Closing the Adherence Gap
Ivan Dwyer
 
PDF
Azure security architecture
Karl Ots
 
PDF
BeyondCorp Myths: Busted
Ivan Dwyer
 
PPTX
#ALSummit: Cyber Resiliency: Surviving the Breach
Alert Logic
 
PDF
[OWASP Poland Day] Embedding security into SDLC + GDPR
OWASP
 
PDF
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...
Alert Logic
 
PPTX
CSS 17: NYC - Stories from the SOC
Alert Logic
 
PPTX
CSS 17: NYC - Realities of Security in the Cloud
Alert Logic
 
PPTX
#ALSummit: Architecting Security into your AWS Environment
Alert Logic
 
PDF
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_al
Alert Logic
 
PPTX
Integrate Security into DevOps - SecDevOps
Ulf Mattsson
 
PDF
Getting Started with Azure Security Center
Cheah Eng Soon
 
PPTX
Azure Security Center- Zero to Hero
Kasun Rajapakse
 
PDF
BeyondCorp Austin Meetup: BeyondCorp Myths Busted
Ivan Dwyer
 
Azure Security Fundamentals
Lorenzo Barbieri
 
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
Alert Logic
 
BeyondCorp - Google Security for Everyone Else
Ivan Dwyer
 
#ALSummit: Live Cyber Hack Demonstration
Alert Logic
 
Global Azure Bootcamp 2018 - Azure Security Center
Scott Hoag
 
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Alert Logic
 
BeyondCorp New York Meetup: Closing the Adherence Gap
Ivan Dwyer
 
Azure security architecture
Karl Ots
 
BeyondCorp Myths: Busted
Ivan Dwyer
 
#ALSummit: Cyber Resiliency: Surviving the Breach
Alert Logic
 
[OWASP Poland Day] Embedding security into SDLC + GDPR
OWASP
 
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...
Alert Logic
 
CSS 17: NYC - Stories from the SOC
Alert Logic
 
CSS 17: NYC - Realities of Security in the Cloud
Alert Logic
 
#ALSummit: Architecting Security into your AWS Environment
Alert Logic
 
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_al
Alert Logic
 
Integrate Security into DevOps - SecDevOps
Ulf Mattsson
 
Getting Started with Azure Security Center
Cheah Eng Soon
 
Azure Security Center- Zero to Hero
Kasun Rajapakse
 
BeyondCorp Austin Meetup: BeyondCorp Myths Busted
Ivan Dwyer
 
Ad

Similar to Top Azure security fails and how to avoid them (20)

PDF
IT Camp 19: Top Azure security fails and how to avoid them
Karl Ots
 
PDF
DevSum - Top Azure security fails and how to avoid them
Karl Ots
 
PDF
Techorama Belgium 2019: top Azure security fails and how to avoid them
Karl Ots
 
PPTX
Cloud Security Zen: Principles to Meditate On
Samuel Reed
 
PPTX
For Business's Sake, Let's focus on AppSec
Lalit Kale
 
PDF
IglooConf 2019 Secure your Azure applications like a pro
Karl Ots
 
PPTX
Architecting for Security Resilience
Joel Aleburu
 
PDF
Web security uploadv1
Setia Juli Irzal Ismail
 
PDF
Cloud App Security Customer Presentation.pdf
ErikHof4
 
PDF
Let's Discuss Security with SFWelly
Anna Loughnan Colquhoun
 
PPTX
Make your Azure PaaS Deployment More Safe
Thuan Ng
 
PDF
656704621-Against-Threats-and-Secure-Cloud-Environments-Presentation-Slides-F...
mahadikamol123
 
PPTX
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins
 
PPTX
Just Trust Everyone and We Will Be Fine, Right?
Scott Carlson
 
PPTX
Identity and Security in the Cloud
Richard Diver
 
PDF
The What, Why, and How of DevSecOps
Cprime
 
PPTX
Security Design Principles for developing secure application .pptx
azida3
 
PPTX
What Does a Full Featured Security Strategy Look Like?
Precisely
 
PDF
WebApp_to_Container_Security.pdf
Anna Pasupathy, CISSP
 
PPTX
Understanding Database Encryption & Protecting Against the Insider Threat wit...
MongoDB
 
IT Camp 19: Top Azure security fails and how to avoid them
Karl Ots
 
DevSum - Top Azure security fails and how to avoid them
Karl Ots
 
Techorama Belgium 2019: top Azure security fails and how to avoid them
Karl Ots
 
Cloud Security Zen: Principles to Meditate On
Samuel Reed
 
For Business's Sake, Let's focus on AppSec
Lalit Kale
 
IglooConf 2019 Secure your Azure applications like a pro
Karl Ots
 
Architecting for Security Resilience
Joel Aleburu
 
Web security uploadv1
Setia Juli Irzal Ismail
 
Cloud App Security Customer Presentation.pdf
ErikHof4
 
Let's Discuss Security with SFWelly
Anna Loughnan Colquhoun
 
Make your Azure PaaS Deployment More Safe
Thuan Ng
 
656704621-Against-Threats-and-Secure-Cloud-Environments-Presentation-Slides-F...
mahadikamol123
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins
 
Just Trust Everyone and We Will Be Fine, Right?
Scott Carlson
 
Identity and Security in the Cloud
Richard Diver
 
The What, Why, and How of DevSecOps
Cprime
 
Security Design Principles for developing secure application .pptx
azida3
 
What Does a Full Featured Security Strategy Look Like?
Precisely
 
WebApp_to_Container_Security.pdf
Anna Pasupathy, CISSP
 
Understanding Database Encryption & Protecting Against the Insider Threat wit...
MongoDB
 
Ad

More from Karl Ots (20)

PDF
TechDays Finland 2020: Best practices of securing web applications running on...
Karl Ots
 
PDF
TechDays Finland 2020: Azuren tietoturva haltuun!
Karl Ots
 
PDF
IglooConf 2020: Best practices of securing web applications running on Azure ...
Karl Ots
 
PDF
Building an Enterprise-Grade Azure Governance Model
Karl Ots
 
PDF
CloudBurst Malmö: Best practices of securing web applications running on Azur...
Karl Ots
 
PDF
FAUG Jyväskylä 28.5.2019 - Azure Monitoring
Karl Ots
 
PDF
Techorama Belgium 2019 - Building an Azure Governance model for the Enterprise
Karl Ots
 
PDF
Azure Low Lands 2018: Monitoring real life Azure applications when to use wha...
Karl Ots
 
PDF
UpdateConf 2018: Monitoring real-life Azure applications: When to use what an...
Karl Ots
 
PDF
FAUG #9: Azure security architecture and stories from the trenches
Karl Ots
 
PDF
Monitoring real-life Azure applications: When to use what and why
Karl Ots
 
PDF
Azure Saturday: Security + DevOps + Azure = Awesomeness
Karl Ots
 
PDF
Navigating in the sea of containers in azure when to choose which service and...
Karl Ots
 
PDF
Kubernetes in Azure
Karl Ots
 
PDF
Azure security architecture / FAUG JKL 15.2.2018
Karl Ots
 
PDF
Securing Azure Infrastructure
Karl Ots
 
PDF
CloudBrew 2017 - Security + DevOps + Azure = Awesomeness
Karl Ots
 
PDF
Monitoring advanced Azure PaaS workloads in the enterprise - Level: 200
Karl Ots
 
PDF
Building globally scalable media solutions with Azure Media Services part 2
Karl Ots
 
PDF
Security + DevOps + Azure = Awesomeness
Karl Ots
 
TechDays Finland 2020: Best practices of securing web applications running on...
Karl Ots
 
TechDays Finland 2020: Azuren tietoturva haltuun!
Karl Ots
 
IglooConf 2020: Best practices of securing web applications running on Azure ...
Karl Ots
 
Building an Enterprise-Grade Azure Governance Model
Karl Ots
 
CloudBurst Malmö: Best practices of securing web applications running on Azur...
Karl Ots
 
FAUG Jyväskylä 28.5.2019 - Azure Monitoring
Karl Ots
 
Techorama Belgium 2019 - Building an Azure Governance model for the Enterprise
Karl Ots
 
Azure Low Lands 2018: Monitoring real life Azure applications when to use wha...
Karl Ots
 
UpdateConf 2018: Monitoring real-life Azure applications: When to use what an...
Karl Ots
 
FAUG #9: Azure security architecture and stories from the trenches
Karl Ots
 
Monitoring real-life Azure applications: When to use what and why
Karl Ots
 
Azure Saturday: Security + DevOps + Azure = Awesomeness
Karl Ots
 
Navigating in the sea of containers in azure when to choose which service and...
Karl Ots
 
Kubernetes in Azure
Karl Ots
 
Azure security architecture / FAUG JKL 15.2.2018
Karl Ots
 
Securing Azure Infrastructure
Karl Ots
 
CloudBrew 2017 - Security + DevOps + Azure = Awesomeness
Karl Ots
 
Monitoring advanced Azure PaaS workloads in the enterprise - Level: 200
Karl Ots
 
Building globally scalable media solutions with Azure Media Services part 2
Karl Ots
 
Security + DevOps + Azure = Awesomeness
Karl Ots
 

Recently uploaded (20)

PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
A Presentation on Artificial Intelligence
memembruh336
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Approach and Philosophy of On baking technology
30anthuong17
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Teaching material agriculture food technology
LiaRayya
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 

Top Azure security fails and how to avoid them

  • 1. @fincooper Top Azure security fails and how to avoid them
  • 2. @fincooper Karl Ots Managing Consultant karl.ots@zure.com • Cloud & cybersecurity expert • User group and conference organizer, podcast hosts • Patented inventor • Working on Azure since 2011 • Helped to secure 100+ Azure applications, from startups to Fortune 500 enterprises • linkedin.com/in/karlots
  • 3. @fincooper What to expect in this session • Azure security landscape • Top Azure security fails I have wondered upon in my adventures • Why are they bad? • How to fix them? • Resources to help you secure your Azure environment, regardless of your current status
  • 4. @fincooper Security controls in Azure Physical Security Network Host Application Admin Data Physical controls, video surveillance, access control Edge routers, firewalls, intrusion detection, vulnerability scanning Access control and monitoring, anti-malware, patch and configuration management Secure engineering (SDL), access control and monitoring, anti-malware Account management, training and awareness, screening Threat and vulnerability management, security monitoring and response, access control and monitoring, file/data integrity, encryption
  • 5. @fincooper With great power comes great responsibility
  • 6. @fincooper Role-Based Access Control Subscription Resource Groups Resources Owner Can perform all management operations for a resource and its child resources including access management and granting access to others. Contributor Can perform all management operations for a resource including create and delete resources. A contributor cannot grant access to other. Reader Has read-only access to a resource and its child resources. A reader cannot read secrets.
  • 7. @fincooper Privileged Identity Management • Requires Azure AD Premium P2 • For all users in the whole AAD Tenant • Identifies users with administrative privileges • Enables on-demand, just-in-time administrative access • Generates reports about administrator access history
  • 8. @fincooper STRIDE • Azure removes some of the attack surface, as infrastructure and operations are handled by Microsoft. • We can use frameworks such as STRIDE to identify threats: • Good set of tools at https://www.microsoft.com/en-us/SDL/adopt/tools.aspx Threat Property Definition Spoofing Authentication Impersonating something or someone else. Tampering Integrity Modifying data or code. Repudiation Non-repudiation Claiming to have not performed an action. Information Disclosure Confidentiality Exposing information to someone not authorized to see it. Denial of Service Availability Deny or degrade service to users. Elevation of Privilege Authorization Gain capabilities without proper authorization.
  • 9. @fincooper Security fail #1 • Every user is an Owner • …In the Subscription scope • STRIDE threat categorization: • Tampering • Information Disclosure • Mitigation: • Default access scope should be Resource Group, not Subscription • Default RBAC access should be Contributor, not Owner
  • 10. @fincooper Security fail #2 • Service Principals have too wide privileges • STRIDE threat categorization: • Repudiation • Mitigation: • Service Principal RBAC assignments should follow the least privileged principle • Service Principals should NOT be granted access in the Subscription scope • Service Principals should NOT be granted Owner access in any scope
  • 11. @fincooper Security fail #3 • Untrusted authorization provider being used • (Microsoft Account, Gmail, unmanaged Azure AD…) • STRIDE threat categorization: • Spoofing • Elevation of Privilege • Mitigation: • Always use trusted Azure AD authentication that is managed by your organization • Monitor Azure Subscription access using AAD PIM
  • 12. @fincooper Security fail #4 • Unprotected public endpoints • HTTP / RDP / SSH • STRIDE threat categorization: • Information Disclosure • Denial of Service • Mitigation: • Every public IP is a risk and should be carefully reviewed • Use Network Security Groups to control access to / from virtual machines • Use Azure Security Center’s Just-in-time access to dynamically change NSG rules • Use Web Application Firewall to control access to public HTTP endpoints
  • 13. @fincooper Security fail #5 • Storage access keys used directly • STRIDE threat categorization: • Information Disclosure • Tampering • Repudiation • Mitigation: • Storage Access Keys should be stored in Azure Key Vault and rotated programmatically • Restrict access to Microsoft.Storage/storageAccounts/listkeys/action using RBAC
  • 14. @fincooper Security fail #6 • No monitoring or alerting • STRIDE threat categorization: • Repudiation • Denial of Service • Mitigation: • Configure Activity Log retention, default is only 90 days! • Enable Application Insight Smart Alerts • Enable Advanced Treat Protection • Enable Azure SQL Audit logging • Monitor all HTTP endpoint traffic with with Application Gateway / WAF
  • 15. @fincooper Security fail #7 • Missing Virtual Machine updates • STRIDE threat categorization: • Information Disclosure • Elevation of Privilege • Mitigation: • Update management • Azure Security Center
  • 17. @fincooper Secure DevOps kit for Azure (AzSK) • Set of tools for assessing the security posture of your Azure environment • Built by Microsoft Core Services Engineering • Used to secure 1000+ Azure subscriptions at Microsoft • Easy to get started with non-intrusive vulnerability scans, expands end-to- end tooling from developer machine to CI/CD to continuous assurance
  • 18. @fincooper Materials • My slides: slideshare.net/karlots • Secure DevOps Kit for Azure: • azsk.azurewebsites.net • STRIDE Threat Modeling Lessons from Star Wars: • youtube.com/watch?v=Y3VQpg04vXo • Azure Security and Compliance Blueprint (not Azure Blueprint): • docs.microsoft.com/en-us/azure/security/blueprints/gdpr-paaswa-overview • Azure Virtual Datacenter: • docs.microsoft.com/en-us/azure/architecture/vdc/