
MICROSOFT AZURE SECURITY OVERVIEW

Adrian Corona
Azure Security Specialist, Microsoft

Security, Privacy, Control and Compliance in the Cloud
Microsoft Azure
Adrian Corona, Cloud Specialist, @coronamsft
Cybersecurity concerns persist
Global attacks are increasing and costs are rising

• Cybercrime extracts between 15% and 20% of the value created by the Internet.[1]
• In the UK, 81% of large corporations and 60% of small businesses reported a cyberbreach in the past year.[2]
• Total financial losses attributed to security compromises increased 34% in 2014.[3]
• Impact of cyber attacks could be as much as $3 trillion in lost productivity and growth.[4]
But cloud momentum continues to accelerate

“If you’re resisting the cloud because of security concerns, you’re running out of excuses.”

“The question is no longer: ‘How do I move to the cloud?’ Instead, it’s ‘Now that I’m in the cloud, how do I make sure I’ve optimized my investment and risk exposure?’”

“By 2020 clouds will stop being referred to as ‘public’ and ‘private’. It will simply be the way business is done and IT is provisioned.”
The Microsoft Trusted Cloud

Figures shown on the slide:
• 200+ cloud services, 1+ million servers, $15B+ infrastructure investment
• 300+ million active users[4]
• 3.5 million users per month[5]
• 57% of Fortune 500[4]
• 10,000 new subscribers per week[2]
• 5.5+ billion worldwide queries each month[3]
• 1 billion customers, 20 million businesses, 90 countries worldwide[1]
• 1.2 billion worldwide users[2]
• 48 million members in 57 countries[4]
• 450+ million unique users each month[6]
Azure Platform Services

Service tiles shown on the slide (grouped under Security & Management, Hybrid Operations, Web Apps, Cloud Services and data/platform services): Portal, Azure AD Connect Health, Active Directory, AD Privileged Identity Management, Multi-Factor Authentication, Automation, Backup, Key Vault, Operational Insights, Azure Security Center, Site Recovery, StorSimple, API Apps, API Management, Visual Studio, Azure SDK, Service Fabric, Batch, RemoteApp, Mobile Apps, Logic Apps, Notification Hubs, Team Project, Application Insights, Storage Queues, BizTalk Services, HDInsight, Machine Learning, SQL Database, SQL Data Warehouse, VM Image Gallery & VM Depot, Hybrid Connections, Service Bus, Data Factory, Event Hubs, Redis Cache, Search, Import/Export, Stream Analytics, Mobile Engagement, DocumentDB, Tables, Store / Marketplace, Media Services, Content Delivery Network (CDN).

Azure Infrastructure Services

SECURING THE PLATFORM   EMPOWERING YOU
Cloud services – shared responsibility

Service models compared on the slide: On-Premises, Infrastructure (as a Service), Platform (as a Service), Software (as a Service).

Each customer environment is isolated on top of Azure’s Infrastructure (Shared Physical Environment).

Managed by: Microsoft Azure
Prevent and assume breach

Prevent breach – A methodical Secure Development Lifecycle and Operational Security minimizes probability of exposure
• Secure Development Lifecycle
• Operational Security

Assume breach – Identifies & addresses potential gaps:
• Ongoing live site testing of security response plans improves mean time to detection and recovery
• Bug bounty program encourages security researchers in the industry to discover and report vulnerabilities
• Reduce exposure to internal attack (once inside, attackers do not have broad access)
• Bug Bounty Program
• War game exercises to test security response plans
• Live site penetration testing

Latest Threat Intelligence to prevent breaches and state of the art Security Monitoring and Response
Operational security
Strategy: Employ risk-based, multi-dimensional approach to safeguarding services and data

Security Monitoring and Response spans every layer below; a Threat Intelligence Feed informs all of them.

• Data & Keys – Data Protection: access control, encryption, key management
• User – Admin Access: identity management, dual-factor authentication, training and awareness, screening, least and temporary privilege
• Application – Application Security: access control, monitoring, anti-malware, vulnerability scanning, patch and configuration management
• Host System – Host Protection: access control, monitoring, anti-malware, vulnerability scanning, patch and configuration management
• Internal Network – Network Security: segmentation, intrusion detection, vulnerability scanning
• Network Perimeter – Network Security: edge ACLs, DOS, intrusion detection, vulnerability scanning
• Facility – Physical Security: physical controls, video surveillance, access control
Physical security of datacenters

Perimeter: barriers, fencing
Building: seismic bracing, security operations center, 24x7 security staff, days of backup power, cameras, alarms
Computer room: two-factor access control with biometric readers & card readers
Architected for more secure multi-tenancy

Azure
• Centrally manages the platform and helps isolate customer environments using the Fabric Controller
• Runs a configuration-hardened version of Windows Server as the Host OS
• Uses Hyper-V, a battle tested and enterprise proven hypervisor
• Runs Windows Server and Linux on Guest VMs for platform services

Customer
• Manages their environment through service management interfaces and subscriptions
• Chooses from the gallery or brings their own OS for their Virtual Machines

Diagram labels: End Users, Customer Admin, Portal, SMAPI, Fabric Controller, Hypervisor, Host OS, Customer 1 / Customer 2 Guest VMs, Azure Storage, SQL Database.
Monitoring & alerts

Azure
• Performs monitoring & alerting on security events for the platform
• Enables security data collection via Monitoring Agent or Windows Event Forwarding

Customer
• Configures monitoring
• Exports events to SQL Database, HDInsight or a SIEM for analysis
• Monitors alerts & reports
• Responds to alerts

Diagram labels: Enable Monitoring Agent; Customer VMs (Guest VMs, Cloud Services); Events flow to Azure HDInsight / customer storage; extract event information to SIEM or other reporting system; alerting & reporting to the Customer Admin via Portal / SMAPI.
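The customer-side half of this slide (collect forwarded security events, analyse them, alert) is easiest to see with a small aggregation rule. The following is an added example, not code from the slide deck or from Microsoft: it turns a handful of constructed, flattened Windows Security events (EventID 4625 = logon failure; only a few fields of a real event are modelled) into alerts with a sliding-window threshold and flattens each alert into a generic key=value line for a SIEM. Thresholds, field names and sample values are assumptions.

```python
"""Aggregate forwarded Windows Security events into alerts and SIEM-ready lines.

Added illustration; the event dicts below are a constructed, minimal subset of the
fields a forwarded 4625 event carries, and the threshold/window are assumed values."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, as they might arrive from Windows Event Forwarding
# after being flattened to dicts. EventID 4625 = failed logon, 4624 = success.
SAMPLE_EVENTS = [
    {"TimeCreated": "2015-06-01T10:00:00", "EventID": 4625, "Computer": "web01",
     "TargetUserName": "svc_deploy", "IpAddress": "203.0.113.5"},
    {"TimeCreated": "2015-06-01T10:00:20", "EventID": 4625, "Computer": "web01",
     "TargetUserName": "svc_deploy", "IpAddress": "203.0.113.5"},
    {"TimeCreated": "2015-06-01T10:00:40", "EventID": 4625, "Computer": "web01",
     "TargetUserName": "svc_deploy", "IpAddress": "203.0.113.5"},
    {"TimeCreated": "2015-06-01T10:01:00", "EventID": 4625, "Computer": "web01",
     "TargetUserName": "svc_deploy", "IpAddress": "203.0.113.5"},
    {"TimeCreated": "2015-06-01T10:01:20", "EventID": 4625, "Computer": "web01",
     "TargetUserName": "svc_deploy", "IpAddress": "203.0.113.5"},
    {"TimeCreated": "2015-06-01T10:01:40", "EventID": 4625, "Computer": "web01",
     "TargetUserName": "svc_deploy", "IpAddress": "203.0.113.5"},
    # A user mistyping a password a few times over half an hour: below the window threshold.
    {"TimeCreated": "2015-06-01T10:05:00", "EventID": 4625, "Computer": "web02",
     "TargetUserName": "jdoe", "IpAddress": "10.0.0.8"},
    {"TimeCreated": "2015-06-01T10:11:00", "EventID": 4625, "Computer": "web02",
     "TargetUserName": "jdoe", "IpAddress": "10.0.0.8"},
    {"TimeCreated": "2015-06-01T10:17:00", "EventID": 4625, "Computer": "web02",
     "TargetUserName": "jdoe", "IpAddress": "10.0.0.8"},
    {"TimeCreated": "2015-06-01T10:23:00", "EventID": 4625, "Computer": "web02",
     "TargetUserName": "jdoe", "IpAddress": "10.0.0.8"},
    {"TimeCreated": "2015-06-01T10:29:00", "EventID": 4625, "Computer": "web02",
     "TargetUserName": "jdoe", "IpAddress": "10.0.0.8"},
    {"TimeCreated": "2015-06-01T10:30:00", "EventID": 4624, "Computer": "web02",
     "TargetUserName": "jdoe", "IpAddress": "10.0.0.8"},
]


def failed_logon_alerts(events, threshold=5, window=timedelta(minutes=2)):
    """Sliding-window count of 4625 events per (TargetUserName, IpAddress).

    Returns one alert per (user, source) pair whose failures reach `threshold`
    inside any `window`, recording the first and last event of the burst."""
    by_key = defaultdict(list)
    for e in events:
        if e["EventID"] != 4625:
            continue
        key = (e["TargetUserName"], e["IpAddress"])
        by_key[key].append(datetime.fromisoformat(e["TimeCreated"]))
    alerts = []
    for (user, src), times in by_key.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "repeated_logon_failures", "user": user,
                               "source": src, "count": end - start + 1,
                               "first": times[start].isoformat(), "last": t.isoformat()})
                break   # one alert per pair; a real pipeline would suppress and re-fire
    return alerts


def to_siem_line(alert):
    """Flatten an alert to a key=value line (a generic shape, not any specific SIEM's schema)."""
    return " ".join(f"{k}={v}" for k, v in alert.items())


if __name__ == "__main__":
    for a in failed_logon_alerts(SAMPLE_EVENTS):
        print(to_siem_line(a))
```

The window is applied per (account, source) pair rather than per account alone, so a single user failing from many sources and one source failing against many accounts look different to the rule; both are worth separate rules in practice.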
Threat detection
Azure
• Performs big data analysis of logs for
intrusion detection & prevention for the
platform
• Employs denial of service attack prevention
measures for the platform
• Regularly performs penetration testing

Customer
• Can add extra layers of protection by
deploying additional controls, including DOS,
IDS, web application firewalls
• Conducts authorized penetration testing of
their application

DDoS system overview

SUPPORTED DDOS ATTACK PROFILES
• TCP SYN
• UDP/ICMP/TCP Flood

DETECTION PROCESS
• Traffic to a given /32 VIP, inbound or outbound, is tracked, recorded, and analyzed in real time to determine attack behavior

MITIGATION PROCESS
• Traffic is re-routed to scrubbers via dynamic routing updates
• Traffic is SYN authenticated and rate limited

Diagram labels: Internet → MSFT Routing Layer (routing updates, profile DB, flow data) → Detection Pipeline; attack traffic → Scrubbing Array → scrubbed traffic → SLB → Application.
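The detection and mitigation steps above can be reduced to a small per-VIP pipeline: bucket flow records by destination VIP and second, compare SYN rate and total packet rate against a profile, and emit a routing decision only for the VIPs that exceeded a threshold. The code below is an added example, not Microsoft's detection logic; its thresholds, the flow-record shape and the sample traffic are constructed assumptions, and "SYN authentication" is represented only as a flag in the resulting plan.

```python
"""Per-VIP flood detection and mitigation decisions over flow records.

Added illustration of the detect-then-steer pipeline the slide describes; the
thresholds, record shape and sample traffic below are constructed assumptions,
not Microsoft's detection logic or real values."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    second: int      # one-second bucket the flow record falls into
    vip: str         # destination /32 VIP the traffic is tracked against
    proto: str       # "TCP", "UDP" or "ICMP"
    syn_only: bool   # TCP segments with SYN set and ACK clear (handshake opens)
    packets: int     # packets observed in this record


# Assumed per-VIP, per-second thresholds (constructed for the demo).
SYN_PPS_THRESHOLD = 1000     # half-open handshake rate that marks a SYN flood
FLOOD_PPS_THRESHOLD = 5000   # raw packet rate that marks a volumetric flood


def classify(flows):
    """Map (vip, second) -> attack profile for every bucket that exceeds a threshold.

    Each VIP is judged on its own traffic only, so one tenant's flood does not
    change the verdict for a neighbouring VIP."""
    syn = defaultdict(int)
    total = defaultdict(int)
    for f in flows:
        key = (f.vip, f.second)
        total[key] += f.packets
        if f.proto == "TCP" and f.syn_only:
            syn[key] += f.packets
    verdicts = {}
    for key, pps in total.items():
        if syn[key] >= SYN_PPS_THRESHOLD:
            verdicts[key] = "TCP SYN"
        elif pps >= FLOOD_PPS_THRESHOLD:
            verdicts[key] = "UDP/ICMP/TCP Flood"
    return verdicts


def mitigation_plan(verdicts):
    """One plan per attacked VIP: steer it to the scrubbing array via a routing
    update, rate limit it, and add SYN authentication only when a SYN flood was seen."""
    plan = {}
    for (vip, _second), profile in sorted(verdicts.items()):
        entry = plan.setdefault(vip, {
            "routing_update": "next-hop scrubbing_array",
            "rate_limit_pps": FLOOD_PPS_THRESHOLD,
            "syn_auth": False,
        })
        if profile == "TCP SYN":
            entry["syn_auth"] = True
    return plan


# Constructed flow records: one SYN flood, one UDP flood, one healthy VIP.
SAMPLE_FLOWS = [
    Flow(1, "203.0.113.10", "TCP", True, 900),
    Flow(1, "203.0.113.10", "TCP", True, 700),    # 1600 SYN/s in total
    Flow(1, "203.0.113.10", "TCP", False, 50),
    Flow(1, "203.0.113.20", "UDP", False, 6500),  # volumetric UDP flood
    Flow(1, "203.0.113.30", "TCP", False, 400),   # normal traffic
    Flow(2, "203.0.113.10", "TCP", True, 120),    # flood has subsided
]

if __name__ == "__main__":
    found = classify(SAMPLE_FLOWS)
    for vip, actions in mitigation_plan(found).items():
        print(vip, actions)
```

Keying on the /32 VIP is what keeps the decision tenant-local: only the attacked address is steered to the scrubbers, and the healthy VIP in the sample never appears in the plan.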
Firewalls

AZURE
• Restricts access from the Internet, permits traffic only to endpoints, and provides load balancing and NAT at the Cloud Access Layer
• Isolates traffic and provides intrusion defense through a distributed firewall

CUSTOMER
• Applies corporate firewall using site-to-site VPN
• Configures endpoints
• Defines access controls between tiers and provides additional protection via the OS firewall

Diagram labels: Internet client → Cloud Access (443) → Customer 1 Virtual Network (443) → Application tier → Logic tier → Database tier; Corp Firewall connected via VPN.
Network protection

Virtual Networks: Customers can connect one or more cloud services using private IP addresses.
Network Security Groups: Customers can control network traffic flowing in and out of customer services in Azure.
VPN: Customers can securely connect to a virtual private network from anywhere.
ExpressRoute: Customers can create connections between Azure datacenters and infrastructure that’s on your premises or in a colocation environment.
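Both the Firewalls slide (access controls between tiers) and the Network Security Groups entry above come down to the same mechanism: an ordered list of allow/deny rules where the lowest priority number wins on first match, closed by a catch-all deny. The following is an added example, not code from the slides or an export of real NSG rules: it evaluates a constructed three-tier rule set (web, logic, database subnets) with NSG-style fields; the single `DenyAllInbound` default is a simplified stand-in for the platform's own default rules.

```python
"""First-match evaluation of priority-ordered network security rules.

Added illustration of the tiered access controls the Firewalls and Network
protection slides describe. Rule fields mirror NSG rules (priority, direction,
access, protocol, source/destination prefixes, destination port); the
three-tier rule set and the single deny-all default below are constructed
assumptions, not an export of real NSG defaults."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    priority: int     # lower number is evaluated first; first match wins
    name: str
    direction: str    # "Inbound" or "Outbound"
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp" or "*"
    source: str       # CIDR prefix or "*"
    destination: str  # CIDR prefix or "*"
    dest_port: str    # "443", "1024-65535" or "*"


def _prefix_match(pattern, addr):
    return pattern == "*" or ip_address(addr) in ip_network(pattern, strict=False)


def _port_match(pattern, port):
    if pattern == "*":
        return True
    if "-" in pattern:
        low, high = (int(p) for p in pattern.split("-"))
        return low <= port <= high
    return int(pattern) == port


# Lowest-priority catch-all, modelled on the deny-all rule NSGs end with (assumed subset).
DEFAULT_RULES = [Rule(65500, "DenyAllInbound", "Inbound", "Deny", "*", "*", "*", "*")]


def evaluate(rules, direction, protocol, src, dst, port):
    """Return (access, rule_name) for a packet; nothing matching means an implicit deny."""
    candidates = [r for r in list(rules) + DEFAULT_RULES if r.direction == direction]
    for r in sorted(candidates, key=lambda r: r.priority):
        if (r.protocol in ("*", protocol)
                and _prefix_match(r.source, src)
                and _prefix_match(r.destination, dst)
                and _port_match(r.dest_port, port)):
            return r.access, r.name
    return "Deny", "implicit"


# Constructed three-tier rule set: web 10.0.1.0/24, logic 10.0.2.0/24, database 10.0.3.0/24.
THREE_TIER_RULES = [
    Rule(100, "AllowHttpsFromInternet", "Inbound", "Allow", "Tcp", "*", "10.0.1.0/24", "443"),
    Rule(105, "DenyWebToDb", "Inbound", "Deny", "*", "10.0.1.0/24", "10.0.3.0/24", "*"),
    Rule(110, "AllowWebToLogic", "Inbound", "Allow", "Tcp", "10.0.1.0/24", "10.0.2.0/24", "8080"),
    Rule(120, "AllowLogicToDb", "Inbound", "Allow", "Tcp", "10.0.2.0/24", "10.0.3.0/24", "1433"),
    # Broad intra-VNet SQL allow: ordered after DenyWebToDb, so it cannot re-open web -> db.
    Rule(200, "AllowVnetSql", "Inbound", "Allow", "Tcp", "10.0.0.0/16", "10.0.3.0/24", "1433"),
]

if __name__ == "__main__":
    print(evaluate(THREE_TIER_RULES, "Inbound", "Tcp", "10.0.1.4", "10.0.3.4", 1433))
```

The ordering is the point worth checking in a review: `AllowVnetSql` would let the web tier reach the database if it carried a lower number than `DenyWebToDb`, so explicit denies between tiers need to sit above any broad allow.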
Virtual networks

Azure
• Allows customers to create isolated virtual private networks

Customer
• Creates Virtual Networks with Subnets and Private IP addresses
• Enables communications between their Virtual Networks
• Can bring their own DNS
• Can domain join their Virtual Machines

Diagram labels: INTERNET client → RDP Endpoint (password access) → Cloud Access; Customer 1 Deployment X (Subnet 1, Subnet 2) and Customer 2 Deployment Y (Subnet 3) as isolated Virtual Networks; Corp 1 VPN; VNET to VNET; DNS Server.
VPN connections

Azure
• Enables connection from customer sites and remote workers to Azure Virtual Networks using Site-to-Site and Point-to-Site VPNs
• Offers forced tunneling capabilities to enable customers to mandate all internet-bound traffic to go through the Site-to-Site VPN tunnel

Customer
• Configures the VPN client in Windows
• Manages certificates, policies, and user access

Diagram labels: Customer Site (customer computers behind firewall) → Site-to-Site VPN → Customer 1 Deployment X (Isolated Virtual Network); Remote Workers → Point-to-Site VPN.
ExpressRoute connections

AZURE
• Offers private fiber connections via ExpressRoute
• Enables access to Compute, Storage, and other Azure services

CUSTOMER
• Can establish connections to Azure at an ExpressRoute location (Exchange Provider facility)
• Can directly connect to Azure from your existing WAN network (such as an MPLS VPN) provided by a network service provider
• Can now authorize other Azure accounts to use a common ExpressRoute circuit
• Manages certificates, policies, and user access

Diagram labels: Site 1 → ExpressRoute Peer → Customer 1 Deployment X (Isolated Virtual Network); Site 2 → WAN → Azure.
Identity & access management

AZURE
• Uses Azure AD to govern access to the management portal with granular access controls for users and groups on subscription or resource groups
• Provides enterprise cloud identity and access management for end users
• Enables single sign-on across cloud applications
• Offers Multi-Factor Authentication for enhanced security

CUSTOMER
• Centrally manages users and access to Azure, O365, and hundreds of pre-integrated cloud applications
• Builds Azure AD into their web and mobile applications
• Can extend on-premises directories to Azure AD

Diagram labels: Active Directory (on-premises) ↔ Azure Active Directory → Cloud apps; End Users & Administrators.
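"Granular access controls for users and groups on subscription or resource groups" describes scoped role assignments: a role granted at a subscription applies to every resource group and resource beneath it, a role granted at one resource group does not leak into a sibling, and group membership is resolved before assignments are matched. The code below is an added example, not the slides' or Microsoft's implementation. The role definitions are a simplified subset (real built-in roles carry more Actions/NotActions), and the scopes, principals and group memberships are constructed; the placeholder subscription id is not a real one.

```python
"""Scope-inherited role checks with Actions/NotActions wildcards.

Added illustration of subscription/resource-group scoped access control.
Role definitions are a simplified, assumed subset; assignments, groups and
the zeroed subscription id are constructed placeholders."""
from fnmatch import fnmatchcase

# Simplified role definitions (assumed subset of the built-in roles' actions).
ROLE_DEFINITIONS = {
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Virtual Machine Contributor": {
        "actions": ["Microsoft.Compute/virtualMachines/*", "Microsoft.Network/networkInterfaces/read"],
        "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        # Contributor manages resources but must not hand out access to others.
        "not_actions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]},
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder id
GROUP_MEMBERS = {"vm-admins": {"bob"}}                        # constructed directory group

# (principal, role, scope): constructed assignments at different levels of the hierarchy.
ASSIGNMENTS = [
    ("alice", "Reader", SUB),
    ("vm-admins", "Virtual Machine Contributor", SUB + "/resourceGroups/rg-prod"),
    ("carol", "Contributor", SUB + "/resourceGroups/rg-dev"),
]


def _in_scope(assignment_scope, target_scope):
    """True if target_scope is the assignment scope itself or a descendant of it.
    The trailing '/' stops 'rg-prod' from matching 'rg-production'."""
    a, t = assignment_scope.lower(), target_scope.lower()
    return t == a or t.startswith(a + "/")


def _principals(user):
    """The user plus every group they belong to (all can hold assignments)."""
    return {user} | {g for g, members in GROUP_MEMBERS.items() if user in members}


def _role_permits(role, action):
    d = ROLE_DEFINITIONS[role]
    act = action.lower()
    allowed = any(fnmatchcase(act, p.lower()) for p in d["actions"])
    excluded = any(fnmatchcase(act, p.lower()) for p in d["not_actions"])
    return allowed and not excluded


def is_authorized(user, action, scope, assignments=ASSIGNMENTS):
    """Authorized if any assignment to the user or their groups, at this scope or
    an ancestor, carries a role whose Actions cover the action and NotActions do not."""
    return any(
        _role_permits(role, action)
        for principal, role, s in assignments
        if principal in _principals(user) and _in_scope(s, scope)
    )


if __name__ == "__main__":
    vm = SUB + "/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm1"
    print(is_authorized("bob", "Microsoft.Compute/virtualMachines/write", vm))
```

The scope-boundary check (`startswith(a + "/")` rather than a bare prefix test) is the detail most often gotten wrong in home-grown authorization code; the assertion on `rg-production` below exists to pin it down.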
Azure incident response

• Leverages a 9-step incident response process
• Focuses on containment & recovery
• Analyzes logs and VHD images in the event of a platform-level incident and provides forensics information to customers when needed
• Makes contractual commitments regarding customer notification

Process steps shown on the slide: Event Detected → Security Team Engaged → DevOps Engaged → Security Event Confirmed → Incident Assessment Start → Determine Affected Customers → Determine Customer Impact → Customer Notification (Customer Notification Process, Step 1).
New! Azure Security Center

✓ Gain visibility and control
✓ Integrated security, monitoring, policy management
✓ Built in threat detections and alerts
✓ Works with broad ecosystem of security solutions

Cycle shown on the slide: Set Policy & Monitor → Understand Current State → Deploy Integrated Solutions → Continue learning; Visibility & Control → Deploy & Detect → find threats that might go unnoticed → Respond & recover faster. Integrated solution areas: Encryption, Secure Networking, Partner Solutions.

Customer data: When a customer utilizes Azure, they own their data.

Control over data location: Customers choose data location and replication options.

Control over access to data: Strong authentication, carefully logged “just in time” support access, and regular audits.

Encryption key management: Customers have the flexibility to generate and manage their own encryption keys.

Control over data deletion: When customers delete data or leave Azure, Microsoft follows procedures to render the previous customer’s data inaccessible.
Choice of Data Location & Replication

AZURE:
✓ Provides 3 copies of data in each datacenter
✓ Offers geo-replication in a datacenter 400+ miles away

CUSTOMER:
✓ Chooses where data resides
✓ Configures data replication options
Data protection

Data segregation: Logical isolation segregates each customer’s data from that of others.

At-rest data protection: Customers can implement a range of encryption options for virtual machines and storage.

In-transit data protection: Industry-standard protocols encrypt data in transit to/from outside components, as well as data in transit internally by default.

Encryption: Data encryption in storage or in transit can be deployed by the customer to align with best practices for ensuring confidentiality and integrity of data.

Data redundancy: Customers have multiple options for replicating data, including number of copies and number and location of replication datacenters.

Data destruction: When customers delete data or leave Azure, Microsoft follows procedures to render the previous customer’s data inaccessible.
Data segregation

Storage Isolation
• Access is through Storage account keys and Shared Access Signature (SAS) keys
• Storage blocks are hashed by the hypervisor to separate accounts

SQL Isolation
• SQL Database isolates separate databases using SQL accounts

Network Isolation
• VM switch at the host level blocks inter-tenant communication

Diagram labels: End Users, Customer Admin, Portal, SMAPI, Fabric Controller, Hypervisor, Host OS, Customer 1 / Customer 2 Guest VMs, Azure Storage, SQL Database, Access Control.
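A Shared Access Signature is the mechanism that lets a customer grant narrow, time-boxed access to a storage resource without handing out the account key: the account key signs a canonical string naming the resource, the permitted operations and the validity window, and the service re-computes that signature before honouring the request. The block below is an added example, not the slides' or Azure's code: it uses a simplified string-to-sign of its own (the real Azure format has more fields and a different layout), constructed account keys that are not real credentials, and it verifies against a list of keys so that a rotated-in key keeps older tokens valid until they expire.

```python
"""Issue and verify HMAC-SHA256 shared access tokens over a simplified canonical string.

Added illustration of account-key-signed, scoped access. The string-to-sign
layout is an assumption for this demo (not Azure's exact format) and the
account keys below are constructed, not real credentials."""
import base64
import hashlib
import hmac


def _string_to_sign(resource, permissions, start, expiry):
    # Everything the token grants is bound into the signature; changing any field breaks it.
    return "\n".join([resource, permissions, str(start), str(expiry)])


def issue_sas(account_key_b64, resource, permissions, start, expiry):
    """Sign (resource, permissions, window) with the account key; returns the token fields."""
    key = base64.b64decode(account_key_b64)
    msg = _string_to_sign(resource, permissions, start, expiry).encode()
    sig = hmac.new(key, msg, hashlib.sha256).digest()
    return {"sr": resource, "sp": permissions, "st": start, "se": expiry,
            "sig": base64.b64encode(sig).decode()}


def verify_sas(account_keys_b64, token, resource, permission, now):
    """Return (ok, reason).

    Any of the account's current keys may validate the token (key rotation);
    the comparison is constant-time, and only after the signature is trusted
    are the resource, validity window and requested permission enforced."""
    msg = _string_to_sign(token["sr"], token["sp"], token["st"], token["se"]).encode()
    for k in account_keys_b64:
        sig = hmac.new(base64.b64decode(k), msg, hashlib.sha256).digest()
        if hmac.compare_digest(base64.b64encode(sig).decode(), token["sig"]):
            break
    else:
        return False, "bad signature"
    if token["sr"] != resource:
        return False, "resource mismatch"
    if not (token["st"] <= now < token["se"]):
        return False, "outside validity window"
    if permission not in token["sp"]:
        return False, "permission not granted"
    return True, "ok"


# Constructed account keys (base64 of fixed demo bytes, not real secrets).
KEY1 = base64.b64encode(b"constructed-demo-account-key-one").decode()
KEY2 = base64.b64encode(b"constructed-demo-account-key-two").decode()

if __name__ == "__main__":
    tok = issue_sas(KEY1, "container1/report.csv", "r", 1000, 2000)
    print(verify_sas([KEY1, KEY2], tok, "container1/report.csv", "r", 1500))
```

Checking the signature first means a tampered `sp` or `se` is rejected as "bad signature" rather than being interpreted; the later checks only apply to tokens the account key genuinely issued.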
Microsoft Azure Key Vault

Key Vault offers an easy, cost-effective way to safeguard keys and other secrets used by cloud apps and services using HSMs.

✓ You manage your keys and secrets
✓ Applications get high performance access to your keys and secrets… on your terms

Diagram labels: IaaS, PaaS and SaaS applications → Key Vault; import keys → HSM.
Encryption in transit

Azure
• Encrypts most communication between Azure datacenters
• Encrypts transactions through Azure Portal using HTTPS
• Supports FIPS 140-2

Customer
• Can choose HTTPS for REST API (recommended)
• Configures HTTPS endpoints for application running in Azure
• Encrypts traffic between Web client and server by implementing TLS on IIS

Diagram labels: Azure Portal, Azure Datacenter ↔ Azure Datacenter.
Encryption at rest

Virtual Machines (SQL TDE, BitLocker, EFS, Partners)
• Data drives – full disk encryption using BitLocker
• Boot drives – BitLocker and partner solutions
• SQL Server – Transparent Data and Column Level Encryption
• Files & folders – EFS in Windows Server

Storage (BitLocker, StorSimple)
• BitLocker encryption of drives using Azure Import/Export service
• StorSimple with AES-256 encryption
• Server-side encryption of Blob Storage using AES-256
• Client-side encryption with .NET and Java support

Applications (.NET Crypto, RMS SDK)
• Client-side encryption through .NET Crypto API
• RMS Service and SDK for file encryption by your applications
Data encryption

Layer | Encryption support | Key management | Comments
Application | .NET encryption API | Managed by customer | .NET Cryptography documentation
Application | RMS SDK – encrypt data by using RMS SDK | Managed by customer via on-prem RMS key management service or RMS online | RMS SDK documentation
Platform | SQL TDE/CLE on SQL Server on Azure IaaS servers | Managed by customers | SQL TDE/CLE documentation
Platform | SQL Azure TDE and Column Encryption | Managed by customers | Features in progress
Platform | StorSimple – provides primary, backup, archival | Managed by customers | Supports AES-256 to encrypt data in StorSimple; StorSimple link and documentation
System | BitLocker support for data volumes; partner solutions for system volume encryption | Managed by customers | BitLocker for fixed or removable volumes; BitLocker command-line tool
Others | BitLocker support; Import/Export of xstore data onto drives can be protected by BitLocker | Managed by customers | Import/export step by step blog
Data destruction

Data Deletion
• Index immediately removed from primary location
• Geo-replicated copy of the data (index) removed asynchronously
• Customers can only read from disk space they have written to

Disk Handling
• NIST 800-88 compliant processes are used for destruction of defective disks
Extensive experience and credentials

Timeline 2010–2015, certifications and attestations shown on the slide: ISO/IEC 27001:2005, SOC 1, SOC 2, EU Data Protection Directive, FISMA ATO, PCI DSS Level 1, HIPAA/HITECH, FedRAMP P-ATO, CSA Cloud Controls Matrix, UK G-Cloud OFFICIAL Accreditation, AU IRAP, Singapore MCTS, CDSA, CJIS, ISO/IEC 27018; Operations Security Assurance.

Compliance framework

Compliance certifications: Microsoft maintains a team of experts focused on ensuring that Azure meets its own compliance obligations, which helps customers meet their own compliance requirements.

Continual evaluation, benchmarking, adoption, test & audit: Compliance strategy helps customers address business objectives and industry standards & regulations, including ongoing evaluation and adoption of emerging standards and practices.

Independent verification: Ongoing verification by third-party audit firms.

Access to audit reports: Microsoft shares audit report findings and compliance packages with customers.

Best practices: Prescriptive guidance on securing data, apps, and infrastructure in Azure makes it easier for customers to achieve compliance.
Security partners

In addition to the robust security capabilities built into Azure, the Azure Marketplace offers a rich array of additional security products built by our partners for Azure.

Categories: Antimalware, Networking security, Monitoring and alerts, Messaging Security, Encryption, Application Security, Authentication
Rows: Virtual machines; Active Directory integrations
Partners listed across these categories: Alert Logic, CloudLink, Kaspersky, Waratek, Login People, aiScaler, Townsend Security, Derdack, Barracuda, Trend Micro, Nagios, Check Point, Riverbed, Symantec, McAfee, Cohesive Networks
