Azure Security: Services, Features and Options
Ioannis Stavrinides, Technical Evangelist, CEE MC
Agenda for today
• General security features
• Encryption
• Other security mechanisms
• Azure Active Directory security features
• Azure Key Vault
• SQL Db security features
• Azure Security Center
Securing your services shouldn’t be an afterthought
It should be the foundation of the process
General security features
Encryption
Encryption
Data in transit
• Strong SSL/TLS cipher suite
• Perfect Forward Secrecy
• Datacenter-to-datacenter encryption
Data at rest
• BitLocker disk encryption
• Per-file encryption for customer content
Encryption in Transit
Azure
• Encrypts communication between Azure datacenters
• Encrypts transactions through the Azure Portal with HTTPS
• Supports FIPS 140-2
Customer
• Can choose HTTPS for the REST API (recommended)
• Configures HTTPS endpoints for applications running in Azure
• Encrypts traffic between web client and server by implementing TLS on IIS
Encryption at Rest
Provides defense-in-depth against
• Offline attacks
• Online attacks, when keys are used as a secondary AuthZ mechanism
Encryption at rest is required by certain sovereign laws and certifications
Azure Encryption-at-Rest (E@R) Promises
Control
• Customers can choose if and when data is encrypted
• Customers can choose what encryption keys are used and where they are stored
• Customers can decide at any time to revoke access to the keys and data
Transparency
• Customers have full visibility into the encryption state of their data
• Customers know at any time where their data is stored
• Customers can view logs related to the stored data and keys at any time
Encryption Models
Server encryption
Server-side encryption using service-managed keys
• Azure services can see decrypted data
• Microsoft manages the keys
• Full cloud functionality
Server-side encryption using customer-managed keys in Azure Key Vault
• Azure services can see decrypted data
• Customer controls keys via Azure Key Vault
• Full cloud functionality
Server-side encryption using on-prem customer-managed keys
• Azure services can see decrypted data
• Customer controls keys on-prem
• Full cloud functionality
Client encryption
• Azure services cannot see decrypted data
• Customer keeps keys on-premises
• REDUCED cloud functionality
Other security mechanisms
• Firewall Protection (GA)
• Threat Detection (GA)
• Network Security Group (GA)
• Role Based Access Control (GA)
Azure Active Directory
Integration (GA)
• Federation for AD integration
• Directly from the Portal, no code necessary
• Using the Active Directory Authentication Library (ADAL) for custom scenarios
Azure AD B2C: IdMaaS for Applications (IN PREVIEW)
• Azure AD security, availability, and scalability for customer IDM
• Adds B2C features to Azure AD
  • Social IdPs and “application local accounts”
  • Self-service sign up, password reset, profile management
  • Customizable sign in and sign up UI
  • Same protocols, libraries, and programming model
• Consumption based pricing
  • Meters for # of users and # of authentications
Microsoft account + Azure AD (GA)
• Many apps want to sign users in from both Microsoft account and Azure AD
• Working on a unified dev experience
  • Single endpoint, OpenID Connect and OAuth 2.0
  • Single SDK
  • Single end user sign in experience
  • Single streamlined app registration experience, outside of the Azure portal, no Azure subscription required
  • Works with unified Office business + consumer APIs
Enhanced Device Support (IN PREVIEW)
Windows 10 Azure AD Join: sign in to the desktop with an Azure AD account. Single sign-on to:
• Kerberos-based on-premises applications
• Native applications that use WebAccountManager
• Web apps that support Azure AD sign-in
Multi Factor Authentication (GA)
Authenticate the user over a different channel
• Text
• Call
• Authenticator app
• Secure tokens
Username/password is something you know; the second factor is something you own/have (device, RSA tokens, etc.)
Self Service Password Reset (GA)
Administrators can create users and know only their initial password
• User must change password on first log-in
Users can reset their password without contacting support
• Two factor authentication (phone, secondary email)
Rights Management (RMS) (GA)
• Protect information from unauthorized access
• Protect information anywhere
• Audit and monitor usage
Azure Active Directory: Advanced Monitoring Features
Example detections shown on the slide:
• Brute force attack: a run of failed sign-ins from a single address (IP address 199.34.28.10: repeated bad username and bad password attempts)
• Sign in from anonymizing network (IP address 31.172.30.4)
• Unlikely travel: the same user account signing in from Seattle, WA at 8:29 AM PST (3:29 PM UTC) and from somewhere in Asia at 7:54 AM local time (3:54 PM UTC)
• Tenant spanning activity
• Sign in from a known infected device
Active Directory Identity Protection (IN PREVIEW)
Using the aforementioned features:
• Compiles a risk score for each attempt
• Surfaces data to administrators
• Admins can investigate and tend to events manually
• Policies for automated mitigation: request 2FA, block request
More AD Security features in Preview
• Privileged Identity Management
• Dynamic Group Membership
• Conditional Access Policies
• Password Rollover
• Self-Service Access Requests
Azure Key Vault (GA)
Secret management asks from our customers
• “My app on Azure has passwords and cryptographic keys…”
• “I need a safe place to save these in Azure.”
• “I need to (re)use AD users and groups to manage access to secrets.”
• “I do NOT want to be in the news for a silly mistake”
Azure Key Vault
An Azure resource provider that lets you
• Store & manage SECRETS (esp. app config), and release them to authorized apps & users.
• Store & manage KEYS, and perform cryptographic operations in an isolated service.
Backed by Hardware Security Modules
• All secrets and keys are protected at rest with a key chain terminating in HSMs.
• Keys marked as ‘HSM-protected’ are protected even at runtime with HSMs.
Key Vault ≠ customer’s dedicated HSM
• Azure Key Vault is a multi-tenant service backed by Microsoft-managed HSMs.
Your ORG is in control via Active Directory
Users and apps authenticate to your key vaults using your organization’s Azure AD.
Benefits for organizations:
• Organizations can centrally revoke access to ALL key vaults in their organization.
• If a user leaves, they instantly lose access to ALL key vaults in the organization.
• Organizations can customize authentication via the options in Azure AD.
• Azure does not have ANY default access to the customer’s key vault for the disk encryption feature.
Azure SQL Db
Transparent Data Encryption (GA)
Regulatory Compliance
• TDE is a requirement for HIPAA, PCI, SOX, etc.
Simplicity
• On by default (V12)
• Protects database, backups and logs
• Keys managed by the service
Transparent
• No changes needed from the app
Row-Level Security (GA)
Fine-grained Access Control
• Multi-tenant databases are, by definition, accessed by different customers
• RLS restricts access to each customer’s data to that specific customer only
Application Transparency
• No change needed for queries
Centralized Security Logic
• Logic lives in the database
• Schema-bound to the protected table
• Higher security, reduced app maintenance and complexity
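The multi-tenant RLS pattern described above, as an added example that is not part of the deck: a schema-bound predicate function plus a security policy with a FILTER predicate (hides other tenants' rows from reads) and a BLOCK predicate (rejects writes into another tenant's partition). It assumes Azure SQL Database V12 / SQL Server 2016+ with SESSION_CONTEXT, and the table, schema and function names are constructed for the example.

```sql
-- Added example (not from the deck). Constructed multi-tenant table.
CREATE TABLE dbo.Orders (
    OrderId  INT IDENTITY PRIMARY KEY,
    TenantId INT NOT NULL,
    Amount   DECIMAL(10, 2) NOT NULL
);
INSERT INTO dbo.Orders (TenantId, Amount) VALUES (1, 10.00), (1, 25.50), (2, 99.99);
GO
-- Predicate lives in its own schema so application users cannot alter it.
CREATE SCHEMA Security;
GO
-- Schema-bound inline TVF: returns a row only when the row's TenantId matches
-- the tenant the application placed in the session. If the session context is
-- not set, SESSION_CONTEXT returns NULL and the comparison fails: no rows leak.
CREATE FUNCTION Security.fn_TenantPredicate(@TenantId AS INT)
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result
           WHERE @TenantId = CAST(SESSION_CONTEXT(N'TenantId') AS INT);
GO
-- FILTER applies to SELECT/UPDATE/DELETE; BLOCK AFTER INSERT rejects rows
-- whose TenantId does not satisfy the predicate, so an app bug cannot write
-- one tenant's data into another tenant's partition.
CREATE SECURITY POLICY Security.TenantPolicy
    ADD FILTER PREDICATE Security.fn_TenantPredicate(TenantId) ON dbo.Orders,
    ADD BLOCK  PREDICATE Security.fn_TenantPredicate(TenantId) ON dbo.Orders AFTER INSERT
    WITH (STATE = ON, SCHEMABINDING = ON);
GO
-- The application sets the tenant once per connection; @read_only = 1 means it
-- cannot be changed later in the same session (e.g. by injected SQL).
EXEC sp_set_session_context @key = N'TenantId', @value = 1, @read_only = 1;
-- Unchanged application query: only tenant 1's rows are returned.
SELECT OrderId, TenantId, Amount FROM dbo.Orders;
-- Attempt to write into tenant 2's partition: rejected by the BLOCK predicate.
INSERT INTO dbo.Orders (TenantId, Amount) VALUES (2, 5.00);
```

Because the policy is schema-bound, the protected table cannot be altered in a way that invalidates the predicate without first dropping the policy, which keeps the security logic and the schema in step.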
Dynamic Data Masking (IN PREVIEW)
Limit sensitive data exposure
• On the fly obfuscation
Policy driven
• Multiple OOB functions available
• Define privileged users
• Recommends fields to mask
Figure: DynamicMasking applied to the Azure DB column Table.CreditCardNo (sample values 4465-6571-7868-5796, 4468-7746-3848-1978, 4484-5434-6858-6550)
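The masking shown in the figure above, as an added example that is not from the deck: a credit card column masked with the built-in partial() function, an e-mail column masked with email(), and the UNMASK permission used to define the privileged users. It assumes Azure SQL Database V12 / SQL Server 2016+; the table, user name and card numbers are constructed for the example.

```sql
-- Added example (not from the deck). Constructed table with masked columns.
CREATE TABLE dbo.Customers (
    CustomerId   INT IDENTITY PRIMARY KEY,
    -- email() keeps the first letter and the ".com" suffix, masks the rest.
    Email        NVARCHAR(100) MASKED WITH (FUNCTION = 'email()'),
    -- partial(prefix, padding, suffix): show 0 leading chars, pad with the
    -- literal string, show the last 4 characters (the usual PAN display rule).
    CreditCardNo VARCHAR(19)   MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)')
);
INSERT INTO dbo.Customers (Email, CreditCardNo) VALUES
    ('alice@example.com', '4465-6571-7868-5796'),
    ('bob@example.com',   '4468-7746-3848-1978');
GO
-- A low-privileged reporting user: SELECT only, no UNMASK.
CREATE USER ReportReader WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO ReportReader;
GO
-- Masking happens on the fly in the result set; the stored data is unchanged
-- and the query text is exactly what the application already sends.
EXECUTE AS USER = 'ReportReader';
SELECT Email, CreditCardNo FROM dbo.Customers;   -- masked: only last 4 PAN digits visible
REVERT;
GO
-- Privileged users are defined by permission, not by application logic.
GRANT UNMASK TO ReportReader;
EXECUTE AS USER = 'ReportReader';
SELECT Email, CreditCardNo FROM dbo.Customers;   -- full values returned
REVERT;
-- Remove the privilege again once the audit or support task is finished.
REVOKE UNMASK FROM ReportReader;
```

Masking only changes what a result set displays; it is not encryption, and a user who can run ad-hoc queries against the table may still infer masked values through predicates, so pair it with Row-Level Security or Always Encrypted for data that must actually be protected.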
Always Encrypted (IN PREVIEW)
Client-side encryption for Azure SQL Db
• Data is transparently encrypted inside a client driver
• Client manages the keys
• Encrypted data is queryable
• Sensitive data remains encrypted at all times inside the database service (never (!) decrypted there)
Threat Detection (IN PREVIEW)
Detects anomalous database activities indicating potential security threats to the database
• SQL injection
• Logging of suspicious, anomalous behavior
Azure Security Center (IN PREVIEW)
Prevent, Detect, Respond
• Integrated monitoring across subscriptions
• Broad ecosystem
Prevention
• Monitor security state
• Define policies and provide recommendations
• Rapid deployment of security services
Detection
• Collection and analysis of security data
• Leverage global threat intelligence data
• Advanced analytics (machine learning, behavioral analysis)
Respond
• Prioritize security incidents/alerts
• Insights into the source of attacks and impacted resources
• Suggestions to stop the attack and prevent future attacks
Links
• Encryption in Transit
• Encryption at Rest
• Azure IaaS Firewall
• Azure NetSec Whitepaper
• Azure NSGs
• Azure RBAC
• Azure AD
• AAD B2C
• Microsoft Account + AAD
• Azure AD Domain Services
• Azure AD MFA
• Azure AD Self-Service Pass Reset
• Azure RMS
• Azure AD Identity Protection
• Azure Key Vault
• Azure SQL Db TDE
• Azure SQL Db Row-Level Security
• Azure SQL Db Dynamic Data Masking
• Azure SQL Db Always Encrypted
• Azure SQL Db Threat Detection
• Azure Security Center
Questions?
Thank you