AZURE SECURITY OVERVIEW
Adrian Corona
Azure Security Specialist, Microsoft

Security, Privacy, Control and Compliance in the Cloud
Microsoft Azure
Adrian Corona, Cloud Specialist, @coronamsft
Cybersecurity concerns persist
Global attacks are increasing and costs are rising
But cloud momentum continues to accelerate

“If you’re resisting the cloud because of security concerns, you’re running out of excuses.”

“The question is no longer: ‘How do I move to the cloud?’ Instead, it’s ‘Now that I’m in the cloud, how do I make sure I’ve optimized my investment and risk exposure?’”

“By 2020 clouds will stop being referred to as ‘public’ and ‘private’. It will simply be the way business is done and IT is provisioned.”
The Microsoft Trusted Cloud
• 200+ cloud services, 1+ million servers, $15B+ infrastructure investment
• 57% of Fortune 500 [4]
• 10,000 new subscribers per week [2]
• 300+ million active users [4]
• 3.5 million users per month [5]
• 5.5+ billion worldwide queries each month [3]
• 1 billion customers, 20 million businesses, 90 countries worldwide [1]
• 1.2 billion worldwide users [2]
• 48 million members in 57 countries [4]
• 450+ million unique users each month [6]
Azure Platform Services
Portal, Azure AD Connect Health, Active Directory, Batch, Mobile Apps, Logic Apps, Notification Hubs, Remote App, Team Project, Application Insights, AD Privileged Identity Management, Multi-Factor Authentication, Automation, Backup, Storage Queues, Biztalk Services, Key Vault, HDInsight, Machine Learning, SQL Database, SQL Data Warehouse, Operational Insights
Microsoft Azure
Prevent and assume breach

Prevent breach – A methodical Secure Development Lifecycle and Operational Security minimizes probability of exposure
• Secure Development Lifecycle
• Operational Security

Assume breach – Identifies & addresses potential gaps:
• Ongoing live site testing of security response plans improves mean time to detection and recovery
• Reduce exposure to internal attack (once inside, attackers do not have broad access)
• Bug bounty program encourages security researchers in the industry to discover and report vulnerabilities
• War game exercises to test security response plans
• Live site penetration testing

Latest Threat Intelligence to prevent breaches and State of the art Security Monitoring and Response
• Security monitoring and response
• Threat intelligence
Operational security
Strategy: Employ risk-based, multi-dimensional approach to safeguarding services and data

Security Monitoring and Response and a Threat Intelligence Feed span all of the following layers:
• Data & Keys – Data Protection: access control, encryption, key management
• User – Admin Access: identity management, dual-factor authentication, training and awareness, screening, Least and Temporary Privilege
• Application – Application Security: access control, monitoring, anti-malware, vulnerability scanning, patch and configuration management
• Host System – Host Protection: access control, monitoring, anti-malware, vulnerability scanning, patch and configuration management
• Internal Network – Network Security: segmentation, intrusion detection, vulnerability scanning
• Network Perimeter – Network Security: edge ACLs, DOS, intrusion detection, vulnerability scanning
• Facility – Physical Security: physical controls, video surveillance, access control
Physical security of datacenters
Layers: Barriers, Fencing, Perimeter, Building, Computer room
Architected for more secure multi-tenancy

Azure:
• Centrally manages the platform and helps isolate customer environments using the Fabric Controller
• Runs a configuration-hardened version of Windows Server as the Host OS
• Uses Hyper-V, a battle tested and enterprise proven hypervisor
• Runs Windows Server and Linux on Guest VMs for platform services

(Diagram: End Users and Customer Admin reach Microsoft Azure through the Portal and SMAPI; Customer 1 and Customer 2 Guest VMs run on the Hypervisor and Host OS under the Fabric Controller, backed by Azure Storage.)
Monitoring & alerts

Azure:
• Performs monitoring & alerting on security events for the platform
• Enables security data collection via Monitoring Agent or Windows Event Forwarding

Customer:
• Configures monitoring
• Exports events to SQL Database, HDInsight or a SIEM for analysis
• Monitors alerts & reports
• Responds to alerts

(Diagram: Monitoring Agent in Customer VMs and Cloud Services sends events to customer storage; event information is extracted to a SIEM or other reporting system for alerting & reporting.)
Threat detection

Azure:
• Performs big data analysis of logs for intrusion detection & prevention for the platform
• Employs denial of service attack prevention measures for the platform
• Regularly performs penetration testing

Customer:
• Can add extra layers of protection by deploying additional controls, including DOS, IDS, web application firewalls
• Conducts authorized penetration testing of their application
DDoS system overview

SUPPORTED DDOS ATTACK PROFILES
• TCP SYN
• UDP/ICMP/TCP Flood

DETECTION PROCESS
• Traffic to a given /32 VIP Inbound or Outbound is tracked, recorded, and analyzed in real time to determine attack behavior

MITIGATION PROCESS
• Traffic is re-routed to scrubbers via dynamic routing updates
• Traffic is SYN auth. and rate limited

(Diagram: Internet → MSFT Routing Layer → flow data into the Detection Pipeline, which consults a Profile DB and issues routing updates; attack traffic is diverted to the Scrubbing Array and scrubbed traffic continues to the SLB and the Application.)
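The detection and mitigation steps above, reduced to a small model as an added example (this is not code from the deck or from Azure): flow records are bucketed per /32 VIP, the packet rate and SYN-only share are measured, and over-threshold VIPs get a routing entry toward the scrubber with the matching action. The flow format, thresholds and addresses are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Flow:
    vip: str        # the /32 destination address being protected
    proto: str      # "tcp", "udp" or "icmp"
    packets: int
    syn_only: bool  # TCP flow that never completed the handshake

def detect_attacks(flows, window_s=10, pps_threshold=5000, syn_ratio=0.8):
    """Return {vip: reason} for each VIP whose traffic in the window looks like
    a TCP SYN flood ("tcp-syn") or a volumetric UDP/ICMP/TCP flood ("flood")."""
    pkts = defaultdict(int)
    syn_pkts = defaultdict(int)
    for f in flows:
        pkts[f.vip] += f.packets
        if f.proto == "tcp" and f.syn_only:
            syn_pkts[f.vip] += f.packets
    verdict = {}
    for vip, total in pkts.items():
        if total / window_s < pps_threshold:
            continue  # below the volume threshold: treated as normal traffic
        ratio = syn_pkts[vip] / total
        verdict[vip] = "tcp-syn" if ratio >= syn_ratio else "flood"
    return verdict

def mitigation_routes(verdict, scrubber="scrubber-array"):
    """Model the dynamic routing update: each attacked /32 is pointed at the
    scrubbing array, with SYN auth for SYN floods and rate limiting otherwise."""
    return {f"{vip}/32": {"next_hop": scrubber,
                          "action": "syn-auth" if r == "tcp-syn" else "rate-limit"}
            for vip, r in verdict.items()}

# Constructed sample flow data for one 10 s window (TEST-NET-3 addresses).
SAMPLE_FLOWS = [
    Flow("203.0.113.10", "tcp", 2000, False),    # ordinary web traffic
    Flow("203.0.113.20", "tcp", 90000, True),    # SYN flood: half-open flows
    Flow("203.0.113.20", "tcp", 5000, False),
    Flow("203.0.113.30", "udp", 120000, False),  # UDP flood
    Flow("203.0.113.40", "tcp", 40000, True),    # 4000 pps, under threshold
]

if __name__ == "__main__":
    verdict = detect_attacks(SAMPLE_FLOWS)
    print(verdict)  # {'203.0.113.20': 'tcp-syn', '203.0.113.30': 'flood'}
    print(mitigation_routes(verdict))
```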
Firewalls

AZURE:
• Restricts access from the Internet, permits traffic only to endpoints, and provides load balancing and NAT at the Cloud Access Layer
• Isolates traffic and provides intrusion defense through a distributed firewall

CUSTOMER:
• Applies corporate firewall using site-to-site VPN
• Configures endpoints
• Defines access controls between tiers and provides additional protection via the OS firewall

(Diagram: Internet Client → port 443 → Cloud Access → Customer 1 Virtual Network with Application tier, Logic tier and Database tier; Corp Firewall connected over VPN.)
Network protection
Virtual networks

Azure:
• Creates Virtual Networks with Subnets
• Can bring their own DNS
• Can domain join their Virtual Machines

(Diagram: Internet Client; Customer 1 Deployment X with Subnet 1, Subnet 2 and Subnet 3 and a DNS Server; Customer 2 Deployment Y; each in an Isolated Virtual Network.)
VPN connections

Azure:
• Enables connection from customer sites and remote workers to Azure Virtual Networks using Site-to-Site and Point-to-Site VPNs
• Offers forced tunneling capabilities to enable customers to mandate all internet-bound traffic to go through the Site-to-Site VPN tunnel

(Diagram: Customer Site ↔ Site-to-Site VPN ↔ Customer 1 Deployment X in Microsoft Azure; Customer Computers Behind Firewall ↔ Point-to-Site VPN.)
ExpressRoute connections

AZURE / CUSTOMER:
• Can establish connections to Azure at an ExpressRoute location (Exchange Provider facility)
• Can directly connect to Azure from your existing WAN network (such as an MPLS VPN) provided by a network service provider
• Can now authorize other Azure accounts to use a common ExpressRoute circuit
• Manages certificates, policies, and user access

(Diagram: WAN Site 2 connected over an ExpressRoute circuit to an Isolated Virtual Network.)
Identity & access management

AZURE:
• Uses Azure AD to govern access to the management portal with granular access controls for users and groups on subscription or resource groups
• Provides enterprise cloud identity and access management for end users
• Enables single sign-on across cloud applications
• Offers Multi-Factor Authentication for enhanced security

CUSTOMER:
• Centrally manages users and access to Azure, O365, and hundreds of pre-integrated cloud applications
• Builds Azure AD into their web and mobile applications
• Can extend on-premises directories to Azure AD

(Diagram: on-premises Active Directory with End Users & Administrators → Azure Active Directory → Cloud apps.)
Azure incident response
New! Azure Security Center
ü Gain visibility and control
ü Integrated security, monitoring, policy management
ü Built in threat detections and alerts
ü Works with broad ecosystem of security solutions

(Diagram, a continuous cycle: Set Policy & Monitor → Understand Current State → Deploy Integrated Solutions → Continue learning. Outcomes: Visibility & Control; Deploy & Detect; Find threats that might go unnoticed; Respond & recover faster.)
Customers choose data location and replication options.
data location
Control over access Strong authentication, carefully logged “just in time” support
to data access, and regular audits.
Encryption key Customers have the flexibility to generate and manage their
management own encryption keys.
Control over When customers delete data or leave Azure, Microsoft follows procedures
data deletion to render the previous customer’s data inaccessible.
24
Choice of Data Location & Replication

AZURE:
ü Provides 3 copies of data in each datacenter
ü Offers geo-replication in a datacenter 400+ miles away

CUSTOMER:
ü Chooses where data resides
Data segregation

Storage Isolation
• Access is through Storage account keys and Shared Access Signature (SAS) keys
• Storage blocks are hashed by the hypervisor to separate accounts
• SQL Database isolates separate databases using SQL accounts

Network Isolation
• VM switch at the host level blocks inter-tenant communication

(Diagram: End Users and Customer Admin → Guest VMs on the Hypervisor and Host OS under the Fabric Controller; access control in front of Azure Storage and SQL Database.)
Microsoft Azure Key Vault
Key Vault offers an easy, cost-effective way to safeguard keys and other secrets used by cloud apps and services using HSMs.
Encryption in transit

Azure:
• Encrypts most communication between Azure datacenters
• Encrypts transactions through Azure Portal using HTTPS
• Supports FIPS 140-2

Customer:
• Can choose HTTPS for REST API (recommended)
• Configures HTTPS endpoints for application running in Azure
• Encrypts traffic between Web client and server by implementing TLS on IIS

(Diagram: Customer ↔ Azure Portal ↔ Azure Datacenter ↔ Azure Datacenter.)
Encryption at rest

Virtual Machines (SQL TDE, BitLocker, EFS, Partners)
• Data drives – full disk encryption using BitLocker
• Boot drives – BitLocker and partner solutions
• SQL Server – Transparent Data and Column Level Encryption
• Files & folders – EFS in Windows Server

Storage (BitLocker, StorSimple)
• BitLocker encryption of drives using Azure Import/Export service
• StorSimple with AES-256 encryption
• Server-side encryption of Blob Storage using AES-256
• Client-side encryption w/.NET and Java support

Applications (.NET Crypto, RMS SDK)
• Client Side encryption through .NET Crypto API
• RMS Service and SDK for file encryption by your applications
Data encryption
Data destruction

Data Deletion
• Index immediately removed from primary location
• Geo-replicated copy of the data (index) removed asynchronously
• Customers can only read from disk space they have written to

Disk Handling
• NIST 800-88 compliant processes are used for destruction of defective disks
Extensive experience and credentials
Certifications and attestations shown: CSA Cloud Controls Matrix, HIPAA/HITECH, AU IRAP, Singapore MCTS, SOC 1, SOC 2, UK G-Cloud OFFICIAL Accreditation, CDSA, CJIS

• Microsoft maintains a team of experts focused on ensuring that Azure meets its own compliance obligations, which helps customers meet their own compliance requirements.
• Compliance strategy helps customers address business objectives and industry standards & regulations, including ongoing evaluation and adoption of emerging standards and practices.
• Ongoing verification by third-party audit firms.
• Microsoft shares audit report findings and compliance packages with customers.
• Prescriptive guidance on securing data, apps, and infrastructure in Azure makes it easier for customers to achieve compliance.
Security partners
In addition to the robust security capabilities built into Azure, the Azure Marketplace offers a rich array of additional security products built by our partners for Azure.

Categories: Networking security; Monitoring and alerts; Messaging Security; Application Security; Antimalware; Encryption; Authentication
Rows: Virtual machines; Active Directory integrations
Partners listed: Alert Logic, CloudLink, Kaspersky, Waratek, Login People, aiScaler, Townsend Security, Derdack, Barracuda, Trend Micro, Nagios, Check Point, Riverbed, Symantec, McAfee, Cohesive Networks