Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Microsoft Azure Security Overview - Microsoft - CSS Dallas Azure

1,081 views

Published on

Microsoft Azure Security Overview - Microsoft - CSS Dallas Azure

Published in: Technology
  • Login to see the comments

Microsoft Azure Security Overview - Microsoft - CSS Dallas Azure

  1. 1. MICROSOFT AZURE SECURITY OVERVIEW Adrian Corona Azure Security Specialist, Microsoft
  2. 2. Security, Privacy, Control and Compliance in the Cloud Microsoft Azure Adrian Corona Cloud Specialist @coronamsft
  3. 3. Cybersecurity concerns persist Global attacks are increasing and costs are rising Cybercrime extracts between 15% and 20% of the value created by the Internet.1 Total financial losses attributed to security compromises increased 34% in 2014.3 In the UK, 81% of large corporations and 60% of small businesses reported a cyberbreach in the past year.2 Impact of cyber attacks could be as much as $3 trillion in lost productivity and growth.4 3
  4. 4. But cloud momentum continues to accelerate “If you’re resisting the cloud because of security concerns, you’re running out of excuses.” “The question is no longer: ‘How do I move to the cloud?’ Instead, it’s ‘Now that I’m in the cloud, how do I make sure I’ve optimized my investment and risk exposure?’” “By 2020 clouds will stop being referred to as ‘public’ and ‘private’. It will simply be the way business is done and IT is provisioned.” 4
  5. 5. 1.2 billion worldwide users2 300+ million users per month5 48 million members in 57 countries4 57% of Fortune 5004 10,000 new subscribers per week2 3.5 million active users4 Online 5.5+ billion worldwide queries each month3 450+ million unique users each month6 The Microsoft Trusted Cloud 200+ cloud services, 1+ million servers, $15B+ infrastructure investment 1 billion customers, 20 million businesses, 90 countries worldwide1 5
  6. 6. Azure Platform Services Security & Management Azure Infrastructure Services Web Apps Mobile Apps API Management API Apps Logic Apps Notification Hubs Content Delivery Network (CDN) Media Services HDInsight Machine Learning Stream Analytics Data Factory Event Hubs Mobile Engagement Active Directory Multi-Factor Authentication Portal Key Vault Biztalk Services Hybrid Connections Service Bus Storage Queues Store / Marketplace Hybrid Operations Backup StorSimple Site Recovery Import/Export SQL Database DocumentDB Redis Cache Search Tables SQL Data Warehouse Azure AD Connect Health AD Privileged Identity Management Operational Insights Cloud Services Batch Remote App Service Fabric Visual Studio Application Insights Azure SDK Team Project VM Image Gallery & VM Depot Azure Security Center Automation
  7. 7. EMPOWERING YOUSECURING THE PLATFORM
  8. 8. Cloud services – shared responsibility Microsoft Azure On-Premises Infrastructure (as a Service) Platform (as a Service) Software (as a Service) Each customer environment is isolated on top of Azure’s Infrastructure Shared Physical Environment Managed by: 8
  9. 9. Prevent and assume breach Prevent breach – A methodical Secure Development Lifecycle and Operational Security minimizes probability of exposure Assume breach – Identifies & addresses potential gaps: • Ongoing live site testing of security response plans improves mean time to detection and recovery • Bug bounty program encourages security researchers in the industry to discover and report vulnerabilities • Reduce exposure to internal attack (once inside, attackers do not have broad access) Latest Threat Intelligence to prevent breaches and to test security response plans State of the art Security Monitoring and Response Prevent and assume breach Security monitoring and response Prevent breach • Secure Development Lifecycle • Operational Security Assume breach • Bug Bounty Program • War game exercises • Live site penetration testing Threat intelligence 9
  10. 10. Operational security Strategy: Employ risk-based, multi-dimensional approach to safeguarding services and data Security Monitoring and Response èThreat Intelligence Feed è Data Protection Access control, encryption, key management Data & Keys Admin Access Identity management, dual-factor authentication, training and awareness, screening, Least and Temporary Privilege User Application Security Access control, monitoring, anti- malware, vulnerability scanning, patch and configuration management Application Host Protection Access control, monitoring, anti- malware, vulnerability scanning, patch and configuration management Host System Network Security Segmentation, intrusion detection, vulnerability scanning Internal Network Network Security Edge ACLs, DOS, intrusion detection, vulnerability scanning Network Perimeter Physical Security Physical controls, video surveillance, access control Facility 10
  11. 11. Physical security of datacenters Perimeter Computer room Building Seismic bracing Security operations center 24X7 security staff Days of backup power Cameras Alarms Two-factor access control: Biometric readers & card readers Barriers Fencing 11
  12. 12. Architected for more secure multi-tenancy • Centrally manages the platform and helps isolate customer environments using the Fabric Controller • Runs a configuration-hardened version of Windows Server as the Host OS • Uses Hyper-V, a battle tested and enterprise proven hypervisor • Runs Windows Server and Linux on Guest VMs for platform services • Manages their environment through service management interfaces and subscriptions • Chooses from the gallery or brings their own OS for their Virtual Machines Azure Customer SQL Database Fabric Controller Azure Storage Guest VM Guest VM Customer 2 Guest VM Customer 1 Customer Admin Portal SMAPI Host OS Hypervisor Microsoft Azure End Users 12
  13. 13. Monitoring & alerts • Performs monitoring & alerting on security events for the platform • Enables security data collection via Monitoring Agent or Windows Event Forwarding AZURE • Configures monitoring • Exports events to SQL Database, HDInsight or a SIEM for analysis • Monitors alerts & reports • Responds to alerts CUSTOMER Customer VMs Microsoft Azure ! Enable Monitoring Agent Extract event information to SIEM or other reporting system Customer Admin Portal SMAPI Events Guest VM Guest VM Cloud Services HDInsight Azure storage Alerting & reporting 13
  14. 14. Threat detection • Performs big data analysis of logs for intrusion detection & prevention for the platform • Employs denial of service attack prevention measures for the platform • Regularly performs penetration testing • Can add extra layers of protection by deploying additional controls, including DOS, IDS, web application firewalls • Conducts authorized penetration testing of their application Azure Customer 14
  15. 15. DDoS system overview MSFT Routing Layer Detection Pipeline Profile DB Scrubbing Array SLB Application Attack Traffic Scrubbed Traffic Flow Data Routing Updates Internet • Traffic is re-routed to scrubbers via dynamic routing updates • Traffic is SYN auth. and rate limited MITIGATION PROCESS • Traffic to a given /32 VIP Inbound or Outbound is tracked, recorded, and analyzed in real time to determine attack behavior DETECTION PROCESS • TCP SYN • UDP/ICMP/TCP Flood SUPPORTED DDOS ATTACK PROFILES 15
  16. 16. Firewalls 16 • Restricts access from the Internet, permits traffic only to endpoints, and provides load balancing and NAT at the Cloud Access Layer • Isolates traffic and provides intrusion defense through a distributed firewall AZURE • Applies corporate firewall using site-to-site VPN • Configures endpoints • Defines access controls between tiers and provides additional protection via the OS firewall CUSTOMER VPN Corp Firewall Internet Client Cloud Access Microsoft Azure Customer 1 Application tier 443 Logic tier Database tier Virtual Network 443 16
  17. 17. Network protection Virtual Networks Customers can connect one or more cloud services using private IP addresses. Network Security Groups Customers can control over network traffic flowing in and out of customer services in Azure. VPN Customers can securely connect to a virtual network from anywhere. ExpressRoute Customers can create private connections between Azure datacenters and infrastructure that’s on your premises or in a colocation environment. 17
  18. 18. Virtual networks Azure • Allows customers to create isolated virtual private networks Customer • Creates Virtual Networks with Subnets and Private IP addresses • Enables communications between their Virtual Networks • Can bring their own DNS • Can domain join their Virtual Machines Customer 1 Customer 2 Isolated Virtual Networks Deployment X Deployment Y VNET to VNET Cloud Access RDP Endpoint (password access) VPNCorp 1 Subnet 1 Subnet 2 Subnet 3 DNS Server Isolated Virtual Network INTERNET Microsoft Azure Client 18
  19. 19. VPN connections Customer • Configures the VPN client in Windows • Manages certificates, policies, and user access Azure • Enables connection from customer sites and remote workers to Azure Virtual Networks using Site-to-Site and Point-to- Site VPNs • Offers forced tunneling capabilities to enable customers to mandate all internet- bound traffic to go through the Site-to-Site tunnel Microsoft Azure Customer 1 Isolated Virtual Network Deployment X Customer Site VPN Computers Behind Firewall Remote Workers Site-to-Site VPN Point-to-Site VPN 19
  20. 20. ExpressRoute connections • Offers private fiber connections via ExpressRoute • Enables access to Compute, Storage, and other Azure services AZURE • Can establish connections to Azure at an ExpressRoute location (Exchange Provider facility) • Can directly connect to Azure from your existing WAN network (such as an MPLS VPN) provided by a network service provider • Can now authorize other Azure accounts to use a common ExpressRoute circuit • Manages certificates, policies, and user access CUSTOMER Isolated Virtual Network Deployment XSite 1 ExpressRoute Peer Site 2 WAN Customer 1 Microsoft Azure 20
  21. 21. Identity & access management Cloud apps End Users & Administrators Azure Active Directory Active Directory • Uses Azure AD to govern access to the management portal with granular access controls for users and groups on subscription or resource groups • Provides enterprise cloud identity and access management for end users • Enables single sign-on across cloud applications • Offers Multi-Factor Authentication for enhanced security AZURE • Centrally manages users and access to Azure, O365, and hundreds of pre-integrated cloud applications • Builds Azure AD into their web and mobile applications • Can extend on-premises directories to Azure AD CUSTOMER 21
  22. 22. Incident Assessment Customer Notification DevOps Engaged Event Detected Security Team Engaged Event Start Determine Customer Impact Customer Process Step 1 Determine Affected Customers Security Event Confirmed Azure Customer Notification • Leverages a 9-step incident response process • Focuses on containment & recovery • Analyzes logs and VHD images in the event of platform-level incident and provides forensics information to customers when needed • Makes contractual commitments regarding customer notification Azure incident response 22
  23. 23. Visibility & Control Deploy & Detect Set Policy & Monitor Understand Current State Deploy Integrated Solutions Respond & recover faster Find threats that might go unnoticed Continue learning ü Gain visibility and control ü Integrated security, monitoring, policy management ü Built in threat detections and alerts ü Works with broad ecosystem of security solutions New! Azure Security Center Encryption Secure Networking Partner Solutions
  24. 24. Customer data When a customer utilizes Azure, they own their data. Control over data location Customers choose data location and replication options. Control over access to data Strong authentication, carefully logged “just in time” support access, and regular audits. Encryption key management Customers have the flexibility to generate and manage their own encryption keys. Control over data deletion When customers delete data or leave Azure, Microsoft follows procedures to render the previous customer’s data inaccessible. 24
  25. 25. AZURE: ü Provides 3 copies of data in each datacenter ü Offers geo-replication in a datacenter 400+ miles away CUSTOMER: ü Chooses where data resides ü Configures data replication options Choice of Data Location & Replication
  26. 26. Data protection Data segregation Logical isolation segregates each customer’s data from that of others. In-transit data protection Industry-standard protocols encrypt data in transit to/from outside components, as well as data in transit internally by default. Data redundancy Customers have multiple options for replicating data, including number of copies and number and location of replication datacenters. At-rest data protection Customers can implement a range of encryption options for virtual machines and storage. Encryption Data encryption in storage or in transit can be deployed by the customer to align with best practices for ensuring confidentiality and integrity of data. Data destruction When customers delete data or leave Azure, Microsoft follows procedures to render the previous customer’s data inaccessible. 26
  27. 27. Data segregation SQL Database Fabric Controller Azure Storage Guest VM Guest VM Customer 2 Guest VM Customer 1 Customer Admin Portal SMAPI End Users Host OS Hypervisor Microsoft Azure Access Control • Access is through Storage account keys and Shared Access Signature (SAS) keys • Storage blocks are hashed by the hypervisor to separate accounts Storage Isolation • SQL Database isolates separate databases using SQL accounts SQL Isolation Network Isolation • VM switch at the host level blocks inter-tenant communication 27
  28. 28. Microsoft Azure IaaS SaaSPaaS Microsoft Azure Key Vault Key Vault offers an easy, cost-effective way to safeguard keys and other secrets used by cloud apps and services using HSMs. ü You manage your keys and secrets ü Applications get high performance access to your keys and secrets… on your terms Import keys HSM KeyVault
  29. 29. Encryption in transit Azure • Encrypts most communication between Azure datacenters • Encrypts transactions through Azure Portal using HTTPS • Supports FIPS 140-2 Customer • Can choose HTTPS for REST API (recommended) • Configures HTTPS endpoints for application running in Azure • Encrypts traffic between Web client and server by implementing TLS on IIS Azure Datacenter Azure Datacenter Azure Portal 29
  30. 30. Encryption at rest • Data drives – full disk encryption using BitLocker • Boot drives – BitLocker and partner solutions • SQL Server – Transparent Data and Column Level Encryption • Files & folders – EFS in Windows Server Virtual Machines • BitLocker encryption of drives using Azure Import/Export service • StorSimple with AES-256 encryption • Server-side encryption of Blob Storage using AES-256 • Client-side encryption w/.NET and Java support Storage Applications • Client Side encryption through .NET Crypto API • RMS Service and SDK for file encryption by your applications 30 RMS SDK.NET Crypto SQL TDE BitLocker Partners EFS BitLocker StorSimple Virtual Machines Applications Storage
  31. 31. Application • .NET encryption API Managed by customer .NET Cryptography documentation • RMS SDK – encrypt data by using RMS SDK Managed by customer via on-prem RMS key management service or RMS online RMS SDK documentation Platform • SQL TDE/CLE on SQL server on Azure IAAS servers Managed by customers SQL TDE/CLE documentation • SQL Azure TDE and Column Encryption features in progress Managed by customers • StorSimple – provides primary, backup, archival Managed by customers Supports AES-256 to encrypt data in StorSimple StorSimple link and documentation System • BitLocker support for data volumes • Partner solutions for system volume encryption • BitLocker support Managed by customers BitLocker for fixed or removable volumes BitLocker commandline tool Others • Import/Export of xstore data onto drives can be protected by BitLocker Managed by customers Import/export step by step blog Layer Encryption support Key Management Comments Data encryption 31
  32. 32. Data destruction Data Deletion • Index immediately removed from primary location • Geo-replicated copy of the data (index) removed asynchronously • Customers can only read from disk space they have written to • NIST 800-88 compliant processes are used for destruction of defective disks Disk Handling 32
  33. 33. Extensive experience and credentials Operations Security Assurance HIPAA/ HITECH CJIS SOC 1 201220112010 SOC 2 FedRAMP P-ATO FISMA ATO UK G-Cloud OFFICIAL 2013 2014 2015 ISO/IEC 27001:2005 CSA Cloud Controls Matrix PCI DSS Level 1 AU IRAP Accreditation Singapore MCTS ISO/IEC 27018 EU Data Protection Directive CDSA
  34. 34. Compliance framework Microsoft maintains a team of experts focused on ensuring that Azure meets its own compliance obligations, which helps customers meet their own compliance requirements. Compliance certifications Compliance strategy helps customers address business objectives and industry standards & regulations, including ongoing evaluation and adoption of emerging standards and practices. Continual evaluation, benchmarking, adoption, test & audit Ongoing verification by third-party audit firms. Independent verification Microsoft shares audit report findings and compliance packages with customers. Access to audit reports Prescriptive guidance on securing data, apps, and infrastructure in Azure makes it easier for customers to achieve compliance. Best practices 34
  35. 35. Virtual machines • Kaspersky • Trend Micro Active Directory integrations • Symantec • McAfee Antimalware • Alert Logic • aiScaler • Barracuda • Check Point • Riverbed • Cohesive Networks Networking security • CloudLink • Townsend Security Encryption • Alert Logic • Derdack • Nagios Monitoring and alerts • Kaspersky • Barracuda • Trend Micro Messaging Security • Waratek Application Security • Login People Authentication Security partners In addition to the robust security capabilities built into Azure, the Azure Marketplace offers a rich array of additional security products built by our partners for Azure. 35

×