Microsoft Azure Security Overview - Microsoft - CSS Dallas Azure

1. MICROSOFT AZURE
SECURITY OVERVIEW
Adrian Corona
Azure Security Specialist, Microsoft

2. Security, Privacy, Control and
Compliance in the Cloud
Microsoft Azure
Adrian Corona
Cloud Specialist
@coronamsft

3. Cybersecurity concerns persist
Global attacks are increasing and costs are rising
Cybercrime extracts between 15% and 20% of the value
created by the Internet.1
Total financial losses attributed to security compromises
increased 34% in 2014.3
In the UK, 81% of large corporations and 60% of small
businesses reported a cyberbreach in the
past year.2
Impact of cyber attacks could be as much as $3 trillion in
lost productivity and growth.4
3

4. But cloud momentum continues to accelerate
“If you’re resisting the
cloud because of security
concerns, you’re running
out of excuses.”
“The question is no longer:
‘How do I move to the
cloud?’ Instead, it’s ‘Now
that I’m in the cloud, how
do I make sure I’ve
optimized my investment
and risk exposure?’”
“By 2020 clouds will stop
being referred to as ‘public’
and ‘private’. It will simply
be the way business is done
and IT is provisioned.”
4

5. 1.2 billion
worldwide users2
300+ million
users per month5
48 million
members in 57 countries4
57%
of Fortune 5004
10,000 new subscribers per week2
3.5 million
active users4
Online
5.5+ billion
worldwide queries
each month3
450+ million
unique users each month6
The Microsoft Trusted Cloud
200+ cloud services,
1+ million servers,
$15B+ infrastructure
investment
1 billion customers,
20 million businesses,
90 countries worldwide1
5

6. Azure Platform Services
Security &
Management
Azure Infrastructure Services
Web Apps
Mobile
Apps
API
Management
API
Apps
Logic
Apps
Notification
Hubs
Content Delivery
Network (CDN)
Media
Services
HDInsight Machine
Learning
Stream
Analytics
Data
Factory
Event
Hubs
Mobile
Engagement
Active
Directory
Multi-Factor
Authentication
Portal
Key Vault
Biztalk
Services
Hybrid
Connections
Service
Bus
Storage
Queues
Store /
Marketplace
Hybrid
Operations
Backup
StorSimple
Site
Recovery
Import/Export
SQL
Database
DocumentDB
Redis
Cache Search
Tables
SQL Data
Warehouse
Azure AD
Connect Health
AD Privileged
Identity
Management
Operational
Insights
Cloud
Services
Batch Remote App
Service
Fabric Visual Studio
Application
Insights
Azure SDK
Team Project
VM Image Gallery
& VM Depot
Azure Security
Center
Automation

7. EMPOWERING YOUSECURING THE PLATFORM

8. Cloud services – shared responsibility
Microsoft Azure
On-Premises Infrastructure
(as a Service)
Platform
(as a Service)
Software
(as a Service)
Each customer
environment is
isolated on top of
Azure’s
Infrastructure
Shared Physical
Environment
Managed by:
8

9. Prevent and assume breach
Prevent breach – A methodical Secure Development
Lifecycle and Operational Security minimizes
probability of exposure
Assume breach – Identifies & addresses potential
gaps:
• Ongoing live site testing of security response plans
improves mean time to detection and recovery
• Bug bounty program encourages security researchers in
the industry to discover and report vulnerabilities
• Reduce exposure to internal attack (once inside,
attackers do not have broad access)
Latest Threat Intelligence to prevent breaches and
to test security response plans
State of the art Security Monitoring and Response
Prevent and assume breach
Security monitoring and response
Prevent breach
• Secure Development Lifecycle
• Operational Security
Assume breach
• Bug Bounty Program
• War game exercises
• Live site penetration testing
Threat intelligence
9

10. Operational security
Strategy: Employ risk-based, multi-dimensional approach to safeguarding services and data
Security Monitoring and Response
èThreat Intelligence Feed
è
Data Protection
Access control,
encryption, key
management
Data & Keys
Admin Access
Identity management,
dual-factor
authentication, training
and awareness,
screening, Least and
Temporary Privilege
User
Application Security
Access control,
monitoring, anti-
malware, vulnerability
scanning, patch and
configuration
management
Application
Host Protection
Access control,
monitoring, anti-
malware, vulnerability
scanning, patch and
configuration
management
Host System
Network Security
Segmentation, intrusion
detection, vulnerability
scanning
Internal Network
Network Security
Edge ACLs, DOS,
intrusion detection,
vulnerability scanning
Network
Perimeter
Physical Security
Physical controls, video
surveillance, access
control
Facility
10

11. Physical security of datacenters
Perimeter
Computer room
Building
Seismic
bracing
Security
operations center
24X7
security staff
Days of
backup power
Cameras Alarms
Two-factor access control:
Biometric readers & card readers
Barriers Fencing
11

12. Architected for more secure multi-tenancy
• Centrally manages the platform and helps isolate
customer environments using the
Fabric Controller
• Runs a configuration-hardened version of Windows
Server as the Host OS
• Uses Hyper-V, a battle tested and enterprise
proven hypervisor
• Runs Windows Server and Linux on Guest
VMs for platform services
• Manages their environment through service
management interfaces and subscriptions
• Chooses from the gallery or brings their own OS for
their Virtual Machines
Azure
Customer
SQL
Database
Fabric
Controller
Azure
Storage
Guest VM Guest VM
Customer 2
Guest VM
Customer 1
Customer
Admin
Portal
SMAPI
Host OS
Hypervisor
Microsoft Azure
End
Users
12

13. Monitoring & alerts
• Performs monitoring & alerting on security events for
the platform
• Enables security data collection via Monitoring Agent or
Windows Event Forwarding
AZURE
• Configures monitoring
• Exports events to SQL Database, HDInsight or a SIEM for
analysis
• Monitors alerts & reports
• Responds to alerts
CUSTOMER
Customer VMs
Microsoft Azure
!
Enable
Monitoring
Agent
Extract event information to SIEM or
other reporting system
Customer
Admin
Portal
SMAPI
Events
Guest VM Guest VM Cloud Services
HDInsight
Azure
storage
Alerting &
reporting
13

14. Threat detection
• Performs big data analysis of logs for
intrusion detection & prevention for the
platform
• Employs denial of service attack prevention
measures for the platform
• Regularly performs penetration testing
• Can add extra layers of protection by
deploying additional controls, including DOS,
IDS, web application firewalls
• Conducts authorized penetration testing of
their application
Azure
Customer
14

15. DDoS system overview
MSFT Routing Layer
Detection Pipeline
Profile DB
Scrubbing Array
SLB
Application
Attack Traffic
Scrubbed Traffic
Flow Data
Routing Updates
Internet
• Traffic is re-routed to scrubbers via dynamic routing updates
• Traffic is SYN auth. and rate limited
MITIGATION PROCESS
• Traffic to a given /32 VIP Inbound or Outbound is tracked, recorded,
and analyzed in real time to determine attack behavior
DETECTION PROCESS
• TCP SYN
• UDP/ICMP/TCP Flood
SUPPORTED DDOS ATTACK PROFILES
15

16. Firewalls
16
• Restricts access from the Internet, permits traffic only to
endpoints, and provides load balancing and NAT at the Cloud
Access Layer
• Isolates traffic and provides intrusion defense through a
distributed firewall
AZURE
• Applies corporate firewall using site-to-site VPN
• Configures endpoints
• Defines access controls between tiers and provides additional
protection via the OS firewall
CUSTOMER
VPN
Corp
Firewall
Internet Client
Cloud Access
Microsoft Azure
Customer 1
Application tier
443
Logic tier
Database tier
Virtual Network
443
16

17. Network protection
Virtual Networks
Customers can connect one
or more cloud services
using private IP addresses.
Network Security Groups
Customers can control over
network traffic flowing in
and out of customer services
in Azure.
VPN
Customers can securely
connect to a virtual
network from anywhere.
ExpressRoute
Customers can create
private connections
between Azure datacenters
and infrastructure that’s on
your premises or in a
colocation environment.
17

18. Virtual networks
Azure
• Allows customers to create isolated virtual
private networks
Customer
• Creates Virtual Networks with Subnets and
Private IP addresses
• Enables communications between their
Virtual Networks
• Can bring their own DNS
• Can domain join their Virtual Machines
Customer 1 Customer 2
Isolated Virtual Networks
Deployment X Deployment Y
VNET to VNET
Cloud Access
RDP Endpoint
(password access)
VPNCorp 1
Subnet 1 Subnet 2 Subnet 3
DNS Server
Isolated Virtual Network
INTERNET
Microsoft Azure
Client
18

19. VPN connections
Customer
• Configures the VPN client in Windows
• Manages certificates, policies, and user
access
Azure
• Enables connection from customer sites
and remote workers to Azure Virtual
Networks using Site-to-Site and Point-to-
Site VPNs
• Offers forced tunneling capabilities to
enable customers to mandate all internet-
bound traffic to go through the Site-to-Site
tunnel
Microsoft Azure
Customer 1
Isolated Virtual Network
Deployment X
Customer Site
VPN
Computers
Behind Firewall
Remote Workers
Site-to-Site VPN
Point-to-Site
VPN
19

20. ExpressRoute connections
• Offers private fiber connections via ExpressRoute
• Enables access to Compute, Storage, and other Azure services
AZURE
• Can establish connections to Azure at an ExpressRoute location
(Exchange Provider facility)
• Can directly connect to Azure from your existing WAN network
(such as an MPLS VPN) provided by a network service provider
• Can now authorize other Azure accounts to use a common
ExpressRoute circuit
• Manages certificates, policies, and user access
CUSTOMER
Isolated Virtual
Network
Deployment XSite 1
ExpressRoute
Peer
Site 2
WAN
Customer 1
Microsoft Azure
20

21. Identity & access management
Cloud apps
End Users &
Administrators
Azure
Active Directory
Active
Directory
• Uses Azure AD to govern access to the management portal with
granular access controls for users and groups on subscription or
resource groups
• Provides enterprise cloud identity and access management for
end users
• Enables single sign-on across cloud applications
• Offers Multi-Factor Authentication for enhanced security
AZURE
• Centrally manages users and access to Azure, O365, and
hundreds of pre-integrated cloud applications
• Builds Azure AD into their web and mobile applications
• Can extend on-premises directories to Azure AD
CUSTOMER
21

22. Incident
Assessment
Customer
Notification
DevOps
Engaged
Event
Detected
Security
Team
Engaged
Event
Start
Determine
Customer Impact
Customer
Process
Step 1
Determine
Affected
Customers
Security
Event
Confirmed
Azure
Customer
Notification
• Leverages a 9-step incident
response process
• Focuses on containment & recovery
• Analyzes logs and VHD images in
the event of platform-level incident
and provides forensics information
to customers when needed
• Makes contractual commitments
regarding customer notification
Azure incident response
22

23. Visibility &
Control
Deploy &
Detect
Set Policy &
Monitor
Understand
Current
State
Deploy
Integrated
Solutions
Respond &
recover faster
Find threats
that might
go
unnoticed
Continue
learning
ü Gain visibility and control
ü Integrated security, monitoring,
policy management
ü Built in threat detections and alerts
ü Works with broad ecosystem of
security solutions
New! Azure Security Center
Encryption Secure Networking Partner Solutions

24. Customer data
When a customer utilizes Azure, they own their data.
Control over
data location
Customers choose data location and replication options.
Control over access
to data
Strong authentication, carefully logged “just in time” support
access, and regular audits.
Encryption key
management
Customers have the flexibility to generate and manage their
own encryption keys.
Control over
data deletion
When customers delete data or leave Azure, Microsoft follows procedures
to render the previous customer’s data inaccessible.
24

25. AZURE:
ü Provides 3 copies of data
in each datacenter
ü Offers geo-replication in a
datacenter 400+ miles
away
CUSTOMER:
ü Chooses where data
resides
ü Configures data replication
options
Choice of Data Location & Replication

26. Data protection
Data segregation
Logical isolation segregates each customer’s data
from that of others.
In-transit data protection
Industry-standard protocols encrypt data in transit
to/from outside components, as well as data in
transit internally by default.
Data redundancy
Customers have multiple options for replicating
data, including number of copies and number and
location of replication datacenters.
At-rest data protection
Customers can implement a range of encryption
options for virtual machines and storage.
Encryption
Data encryption in storage or in transit can be
deployed by the customer to align with best
practices for ensuring confidentiality and integrity
of data.
Data destruction
When customers delete data or leave Azure,
Microsoft follows procedures to render the
previous customer’s data inaccessible.
26

27. Data segregation
SQL
Database
Fabric
Controller
Azure
Storage
Guest VM Guest VM
Customer 2
Guest VM
Customer 1
Customer
Admin
Portal
SMAPI
End
Users
Host OS
Hypervisor
Microsoft Azure
Access
Control
• Access is through Storage account keys and Shared Access Signature
(SAS) keys
• Storage blocks are hashed by the hypervisor to separate accounts
Storage Isolation
• SQL Database isolates separate databases using SQL accounts
SQL Isolation
Network Isolation
• VM switch at the host level blocks inter-tenant communication
27

28. Microsoft Azure
IaaS SaaSPaaS
Microsoft Azure Key Vault
Key Vault offers an easy, cost-effective way
to safeguard keys and other secrets used by
cloud apps and services using HSMs.
ü You manage your keys and secrets
ü Applications get high performance
access to your keys and secrets… on
your terms
Import
keys
HSM
KeyVault

29. Encryption in transit
Azure
• Encrypts most communication between
Azure datacenters
• Encrypts transactions through Azure Portal
using HTTPS
• Supports FIPS 140-2
Customer
• Can choose HTTPS for REST
API (recommended)
• Configures HTTPS endpoints for
application running in Azure
• Encrypts traffic between Web client and
server by implementing TLS on IIS
Azure
Datacenter
Azure
Datacenter
Azure
Portal
29

30. Encryption at rest
• Data drives – full disk encryption using BitLocker
• Boot drives – BitLocker and partner solutions
• SQL Server – Transparent Data and Column Level Encryption
• Files & folders – EFS in Windows Server
Virtual Machines
• BitLocker encryption of drives using Azure Import/Export service
• StorSimple with AES-256 encryption
• Server-side encryption of Blob Storage using AES-256
• Client-side encryption w/.NET and Java support
Storage
Applications
• Client Side encryption through .NET Crypto API
• RMS Service and SDK for file encryption by your applications
30
RMS SDK.NET Crypto
SQL TDE BitLocker Partners EFS
BitLocker StorSimple
Virtual
Machines
Applications
Storage

31. Application
• .NET encryption API Managed by customer .NET Cryptography documentation
• RMS SDK – encrypt data by using RMS
SDK
Managed by customer via on-prem RMS
key management service or RMS online
RMS SDK documentation
Platform
• SQL TDE/CLE on SQL server on Azure
IAAS servers
Managed by customers SQL TDE/CLE documentation
• SQL Azure TDE and Column Encryption
features in progress
Managed by customers
• StorSimple – provides primary, backup,
archival
Managed by customers
Supports AES-256 to encrypt data in
StorSimple
StorSimple link and documentation
System
• BitLocker support for data volumes
• Partner solutions for system volume
encryption
• BitLocker support
Managed by customers
BitLocker for fixed or removable
volumes
BitLocker commandline tool
Others
• Import/Export of xstore data onto
drives can be protected by BitLocker
Managed by customers Import/export step by step blog
Layer Encryption support Key Management Comments
Data encryption
31

32. Data destruction
Data Deletion
• Index immediately removed from primary
location
• Geo-replicated copy of the data (index)
removed asynchronously
• Customers can only read from disk space
they have written to
• NIST 800-88 compliant processes are
used for destruction of defective disks
Disk Handling
32

33. Extensive experience and credentials
Operations
Security
Assurance
HIPAA/
HITECH
CJIS
SOC
1
201220112010
SOC 2
FedRAMP
P-ATO
FISMA
ATO
UK G-Cloud OFFICIAL
2013 2014 2015
ISO/IEC
27001:2005
CSA Cloud
Controls
Matrix
PCI DSS
Level 1
AU IRAP
Accreditation
Singapore
MCTS
ISO/IEC
27018
EU Data
Protection
Directive
CDSA

34. Compliance framework
Microsoft maintains a team
of experts focused on
ensuring that Azure meets
its own compliance
obligations, which helps
customers meet their own
compliance requirements.
Compliance certifications
Compliance strategy helps
customers address business
objectives and industry
standards & regulations,
including ongoing
evaluation and adoption of
emerging standards and
practices.
Continual evaluation,
benchmarking, adoption,
test & audit
Ongoing verification by
third-party audit firms.
Independent verification
Microsoft shares audit
report findings and
compliance packages with
customers.
Access to audit reports
Prescriptive guidance on
securing data, apps, and
infrastructure in Azure
makes it easier for
customers to achieve
compliance.
Best practices
34

35. Virtual machines
• Kaspersky
• Trend Micro
Active Directory
integrations
• Symantec
• McAfee
Antimalware
• Alert Logic
• aiScaler
• Barracuda
• Check Point
• Riverbed
• Cohesive
Networks
Networking
security
• CloudLink
• Townsend Security
Encryption
• Alert Logic
• Derdack
• Nagios
Monitoring
and alerts
• Kaspersky
• Barracuda
• Trend Micro
Messaging
Security
• Waratek
Application
Security
• Login People
Authentication
Security partners
In addition to the robust security capabilities built into Azure, the Azure Marketplace offers
a rich array of additional security products built by our partners for Azure.
35