MICROSOFT AZURE SECURITY OVERVIEW
Adrian Corona, Azure Security Specialist, Microsoft

Microsoft Azure Security Overview - Microsoft - CSS Dallas Azure



Security, Privacy, Control and Compliance in the Cloud
Microsoft Azure
Adrian Corona, Cloud Specialist, @coronamsft

Cybersecurity concerns persist: global attacks are increasing and costs are rising

• Cybercrime extracts between 15% and 20% of the value created by the Internet. [1]
• Total financial losses attributed to security compromises increased 34% in 2014. [3]
• In the UK, 81% of large corporations and 60% of small businesses reported a cyber breach in the past year. [2]
• Impact of cyberattacks could be as much as $3 trillion in lost productivity and growth. [4]

But cloud momentum continues to accelerate

“If you’re resisting the cloud because of security concerns, you’re running out of excuses.”

“The question is no longer: ‘How do I move to the cloud?’ Instead, it’s ‘Now that I’m in the cloud, how do I make sure I’ve optimized my investment and risk exposure?’”

“By 2020 clouds will stop being referred to as ‘public’ and ‘private’. It will simply be the way business is done and IT is provisioned.”

The Microsoft Trusted Cloud: 200+ cloud services, 1+ million servers, $15B+ infrastructure investment; 1 billion customers, 20 million businesses, 90 countries worldwide [1]

Service statistics shown on the slide (footnote numbers as in the original):
• 1.2 billion worldwide users [2]
• 300+ million users per month [5]
• 48 million members in 57 countries [4]
• 57% of Fortune 500 [4]
• 10,000 new subscribers per week [2]
• 3.5 million active users [4]
• 5.5+ billion worldwide queries each month [3]
• 450+ million unique users each month [6]

Azure service catalogue (slide diagram with three bands: Azure Platform Services, Security & Management, Azure Infrastructure Services)

Services shown: Web Apps, Mobile Apps, API Management, API Apps, Logic Apps, Notification Hubs, Content Delivery Network (CDN), Media Services, HDInsight, Machine Learning, Stream Analytics, Data Factory, Event Hubs, Mobile Engagement, Active Directory, Multi-Factor Authentication, Portal, Key Vault, BizTalk Services, Hybrid Connections, Service Bus, Storage Queues, Store/Marketplace, Hybrid Operations, Backup, StorSimple, Site Recovery, Import/Export, SQL Database, DocumentDB, Redis Cache, Search, Tables, SQL Data Warehouse, Azure AD Connect Health, AD Privileged Identity Management, Operational Insights, Cloud Services, Batch, RemoteApp, Service Fabric, Visual Studio, Application Insights, Azure SDK, Team Project, VM Image Gallery & VM Depot, Azure Security Center, Automation

Empowering you / Securing the platform

Cloud services – shared responsibility

Deployment models compared on the slide: On-Premises, Infrastructure (as a Service), Platform (as a Service), Software (as a Service); each layer is marked “Managed by” either Microsoft Azure or the customer.

Each customer environment is isolated on top of Azure’s infrastructure (shared physical environment).

Prevent and assume breach

Prevent breach – A methodical Secure Development Lifecycle and Operational Security minimizes probability of exposure.

Assume breach – Identifies & addresses potential gaps:
• Ongoing live site testing of security response plans improves mean time to detection and recovery
• Bug bounty program encourages security researchers in the industry to discover and report vulnerabilities
• Reduce exposure to internal attack (once inside, attackers do not have broad access)

Latest threat intelligence to prevent breaches and to test security response plans; state of the art security monitoring and response.

Summary:
• Prevent breach: Secure Development Lifecycle; Operational Security
• Assume breach: Bug Bounty Program; War game exercises; Live site penetration testing
• Threat intelligence
• Security monitoring and response

Operational security
Strategy: Employ a risk-based, multi-dimensional approach to safeguarding services and data

Security Monitoring and Response, fed by a Threat Intelligence Feed, spans every layer below:

Layer             | Protection area      | Controls
Data & Keys       | Data Protection      | Access control, encryption, key management
User              | Admin Access         | Identity management, dual-factor authentication, training and awareness, screening, least and temporary privilege
Application       | Application Security | Access control, monitoring, anti-malware, vulnerability scanning, patch and configuration management
Host System       | Host Protection      | Access control, monitoring, anti-malware, vulnerability scanning, patch and configuration management
Internal Network  | Network Security     | Segmentation, intrusion detection, vulnerability scanning
Network Perimeter | Network Security     | Edge ACLs, DoS, intrusion detection, vulnerability scanning
Facility          | Physical Security    | Physical controls, video surveillance, access control

Physical security of datacenters

Zones shown: Perimeter, Building, Computer room

Controls shown: seismic bracing; security operations center; 24x7 security staff; days of backup power; cameras; alarms; two-factor access control (biometric readers & card readers); barriers; fencing

Architected for more secure multi-tenancy

Azure:
• Centrally manages the platform and helps isolate customer environments using the Fabric Controller
• Runs a configuration-hardened version of Windows Server as the Host OS
• Uses Hyper-V, a battle tested and enterprise proven hypervisor
• Runs Windows Server and Linux on Guest VMs for platform services

Customer:
• Manages their environment through service management interfaces and subscriptions
• Chooses from the gallery or brings their own OS for their Virtual Machines

Diagram: Customer Admin and End Users reach Microsoft Azure through the Portal / SMAPI; the Fabric Controller manages the Host OS and Hypervisor, on which Customer 1 and Customer 2 Guest VMs run alongside SQL Database and Azure Storage.

Monitoring & alerts

Azure:
• Performs monitoring & alerting on security events for the platform
• Enables security data collection via Monitoring Agent or Windows Event Forwarding

Customer:
• Configures monitoring
• Exports events to SQL Database, HDInsight or a SIEM for analysis
• Monitors alerts & reports
• Responds to alerts

Diagram: the Customer Admin enables the Monitoring Agent on customer VMs (Guest VMs, Cloud Services) via the Portal / SMAPI; events flow to HDInsight / Azure Storage and are extracted to a SIEM or other reporting system for alerting & reporting.

Threat detection

Azure:
• Performs big data analysis of logs for intrusion detection & prevention for the platform
• Employs denial of service attack prevention measures for the platform
• Regularly performs penetration testing

Customer:
• Can add extra layers of protection by deploying additional controls, including DoS, IDS, web application firewalls
• Conducts authorized penetration testing of their application

DDoS system overview

Diagram: Internet traffic enters the MSFT Routing Layer; flow data feeds a Detection Pipeline backed by a Profile DB; routing updates divert attack traffic to a Scrubbing Array, and scrubbed traffic continues through the SLB to the Application.

Detection process:
• Traffic to a given /32 VIP, inbound or outbound, is tracked, recorded, and analyzed in real time to determine attack behavior

Mitigation process:
• Traffic is re-routed to scrubbers via dynamic routing updates
• Traffic is SYN authenticated and rate limited

Supported DDoS attack profiles:
• TCP SYN
• UDP/ICMP/TCP flood

Firewalls

Azure:
• Restricts access from the Internet, permits traffic only to endpoints, and provides load balancing and NAT at the Cloud Access Layer
• Isolates traffic and provides intrusion defense through a distributed firewall

Customer:
• Applies corporate firewall using site-to-site VPN
• Configures endpoints
• Defines access controls between tiers and provides additional protection via the OS firewall

Diagram: an Internet client reaches the Cloud Access layer on port 443; inside Customer 1’s Virtual Network the Application tier, Logic tier and Database tier are separated, with port 443 permitted to the application tier; the corporate firewall connects over the customer VPN.

Network protection

Virtual Networks: Customers can connect one or more cloud services using private IP addresses.

Network Security Groups: Customers can control network traffic flowing in and out of customer services in Azure.

VPN: Customers can securely connect to a virtual network from anywhere.

ExpressRoute: Customers can create private connections between Azure datacenters and infrastructure that’s on their premises or in a colocation environment.
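The Network Security Group bullet above says customers control the traffic flowing in and out of their services. What that control actually does is evaluate the group's rules in ascending priority order (lowest number first) and stop at the first match, with the platform's default DenyAllInbound rule at priority 65500 catching anything unmatched. The Go program below is an added example, not code from the slides or from Microsoft: it models that evaluation over a constructed rule set for a three-tier deployment and then audits the set the way a reviewer would, by asking the evaluator whether SSH or RDP is reachable from an address outside the VNet. The Rule and Packet types, the rule names and the addresses are my own; only the priority / first-match semantics are Azure's.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strconv"
)

// Rule is a simplified model of one NSG rule. Field names are mine, not the
// Azure API's; the evaluation semantics (ascending priority, first match wins,
// platform default rules at 65000+) are Azure's.
type Rule struct {
	Name       string
	Priority   int    // custom rules 100-4096; lower number is evaluated first
	Direction  string // "Inbound" or "Outbound"
	Access     string // "Allow" or "Deny"
	Protocol   string // "Tcp", "Udp" or "*"
	SourceCIDR string // "*" for any source, otherwise a CIDR such as 10.0.0.0/16
	DestPort   string // "*" or a single port number
}

// Packet is one flow to evaluate against the rule set.
type Packet struct {
	Direction string
	Protocol  string
	Source    net.IP
	DestPort  int
}

// SampleRules is a constructed rule set: HTTPS from anywhere to the web tier,
// SQL only from inside the VNet, plus one rule (allow-rdp-any) that exposes RDP
// to the whole Internet, the misconfiguration an audit should catch.
// DenyAllInbound models the platform default at 65500.
var SampleRules = []Rule{
	{"allow-https-inbound", 100, "Inbound", "Allow", "Tcp", "*", "443"},
	{"allow-vnet-sql", 110, "Inbound", "Allow", "Tcp", "10.0.0.0/16", "1433"},
	{"deny-sql-internet", 120, "Inbound", "Deny", "Tcp", "*", "1433"},
	{"allow-rdp-any", 300, "Inbound", "Allow", "Tcp", "*", "3389"},
	{"DenyAllInbound", 65500, "Inbound", "Deny", "*", "*", "*"},
}

func (r Rule) matches(p Packet) bool {
	if r.Direction != p.Direction {
		return false
	}
	if r.Protocol != "*" && r.Protocol != p.Protocol {
		return false
	}
	if r.DestPort != "*" {
		port, err := strconv.Atoi(r.DestPort)
		if err != nil || port != p.DestPort {
			return false
		}
	}
	if r.SourceCIDR != "*" {
		_, network, err := net.ParseCIDR(r.SourceCIDR)
		if err != nil || !network.Contains(p.Source) {
			return false
		}
	}
	return true
}

// Evaluate applies NSG semantics: rules are tried in ascending priority and the
// first match decides. It returns the decision and the rule that made it.
func Evaluate(rules []Rule, p Packet) (access, ruleName string) {
	sorted := append([]Rule(nil), rules...)
	sort.SliceStable(sorted, func(i, j int) bool { return sorted[i].Priority < sorted[j].Priority })
	for _, r := range sorted {
		if r.matches(p) {
			return r.Access, r.Name
		}
	}
	return "Deny", "no-matching-rule"
}

// AuditOpenManagementPorts probes the rule set the way the platform would:
// it evaluates an inbound TCP flow to SSH (22) and RDP (3389) from an address
// outside the VNet and reports every case that ends in Allow, naming the rule.
// Evaluating instead of pattern-matching rule text means a lower-numbered Deny
// that shadows a broad Allow is correctly not reported.
func AuditOpenManagementPorts(rules []Rule) []string {
	probe := net.ParseIP("203.0.113.1") // documentation range, standing in for "the Internet"
	var findings []string
	for _, port := range []int{22, 3389} {
		if access, name := Evaluate(rules, Packet{"Inbound", "Tcp", probe, port}); access == "Allow" {
			findings = append(findings, fmt.Sprintf("port %d open to any source via rule %s", port, name))
		}
	}
	return findings
}

func main() {
	internet := net.ParseIP("203.0.113.7")
	vnet := net.ParseIP("10.0.1.5")
	for _, p := range []Packet{
		{"Inbound", "Tcp", internet, 443},
		{"Inbound", "Tcp", internet, 1433},
		{"Inbound", "Tcp", vnet, 1433},
		{"Inbound", "Udp", internet, 443},
	} {
		access, name := Evaluate(SampleRules, p)
		fmt.Printf("%s %s -> :%d  %s (%s)\n", p.Protocol, p.Source, p.DestPort, access, name)
	}
	for _, f := range AuditOpenManagementPorts(SampleRules) {
		fmt.Println("FINDING:", f)
	}
}
```

Running it shows the VNet-only SQL rule admitting 10.0.1.5 while the same port from 203.0.113.7 hits the explicit deny, and the audit flags allow-rdp-any. The same probe technique works against real NSG exports: dump the rules, evaluate synthetic flows for the ports you care about, and review whatever comes back as Allow.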

Virtual networks

Azure:
• Allows customers to create isolated virtual private networks

Customer:
• Creates Virtual Networks with subnets and private IP addresses
• Enables communications between their Virtual Networks
• Can bring their own DNS
• Can domain join their Virtual Machines

Diagram: Customer 1 and Customer 2 each have isolated Virtual Networks (Deployment X, Deployment Y) connected VNET to VNET; a client on the Internet reaches Cloud Access through an RDP endpoint (password access) or a VPN to the corporate network; inside the isolated Virtual Network are Subnet 1, Subnet 2, Subnet 3 and a DNS server.

VPN connections

Azure:
• Enables connection from customer sites and remote workers to Azure Virtual Networks using Site-to-Site and Point-to-Site VPNs
• Offers forced tunneling capabilities to enable customers to mandate all internet-bound traffic to go through the Site-to-Site tunnel

Customer:
• Configures the VPN client in Windows
• Manages certificates, policies, and user access

Diagram: Customer 1’s isolated Virtual Network (Deployment X) is reached by computers behind the firewall at the customer site over a Site-to-Site VPN, and by remote workers over a Point-to-Site VPN.

ExpressRoute connections

Azure:
• Offers private fiber connections via ExpressRoute
• Enables access to Compute, Storage, and other Azure services

Customer:
• Can establish connections to Azure at an ExpressRoute location (Exchange Provider facility)
• Can directly connect to Azure from your existing WAN network (such as an MPLS VPN) provided by a network service provider
• Can now authorize other Azure accounts to use a common ExpressRoute circuit
• Manages certificates, policies, and user access

Diagram: Customer 1’s Site 1 connects over ExpressRoute via a peer, and Site 2 over the WAN, into the isolated Virtual Network (Deployment X) on Microsoft Azure.

Identity & access management

Azure:
• Uses Azure AD to govern access to the management portal with granular access controls for users and groups on subscription or resource groups
• Provides enterprise cloud identity and access management for end users
• Enables single sign-on across cloud applications
• Offers Multi-Factor Authentication for enhanced security

Customer:
• Centrally manages users and access to Azure, O365, and hundreds of pre-integrated cloud applications
• Builds Azure AD into their web and mobile applications
• Can extend on-premises directories to Azure AD

Diagram: End Users & Administrators authenticate to Azure Active Directory, which connects to on-premises Active Directory and grants access to cloud apps.

Azure incident response

• Leverages a 9-step incident response process
• Focuses on containment & recovery
• Analyzes logs and VHD images in the event of a platform-level incident and provides forensics information to customers when needed
• Makes contractual commitments regarding customer notification

Stages shown on the slide’s process diagram: Event Start, Event Detected, DevOps Engaged, Security Team Engaged, Security Event Confirmed, Incident Assessment, Determine Customer Impact, Determine Affected Customers, Customer Notification; the Azure Customer Notification feeds step 1 of the customer’s own process.

New! Azure Security Center

Visibility & Control → Deploy & Detect → Respond & recover faster
• Set policy & monitor; understand current state
• Deploy integrated solutions; find threats that might go unnoticed
• Continue learning

✓ Gain visibility and control
✓ Integrated security, monitoring, policy management
✓ Built in threat detections and alerts
✓ Works with broad ecosystem of security solutions

Encryption, Secure Networking, Partner Solutions

Customer data

When a customer utilizes Azure, they own their data.

Control over data location: Customers choose data location and replication options.

Control over access to data: Strong authentication, carefully logged “just in time” support access, and regular audits.

Encryption key management: Customers have the flexibility to generate and manage their own encryption keys.

Control over data deletion: When customers delete data or leave Azure, Microsoft follows procedures to render the previous customer’s data inaccessible.

Choice of data location & replication

Azure:
✓ Provides 3 copies of data in each datacenter
✓ Offers geo-replication in a datacenter 400+ miles away

Customer:
✓ Chooses where data resides
✓ Configures data replication options

Data protection

Data segregation: Logical isolation segregates each customer’s data from that of others.

In-transit data protection: Industry-standard protocols encrypt data in transit to/from outside components, as well as data in transit internally by default.

Data redundancy: Customers have multiple options for replicating data, including number of copies and number and location of replication datacenters.

At-rest data protection: Customers can implement a range of encryption options for virtual machines and storage.

Encryption: Data encryption in storage or in transit can be deployed by the customer to align with best practices for ensuring confidentiality and integrity of data.

Data destruction: When customers delete data or leave Azure, Microsoft follows procedures to render the previous customer’s data inaccessible.

Data segregation

Diagram: as on the multi-tenancy slide, Customer Admin and End Users reach Microsoft Azure through the Portal / SMAPI; the Fabric Controller manages the Host OS and Hypervisor hosting Customer 1 and Customer 2 Guest VMs alongside SQL Database and Azure Storage.

Access Control:
• Access is through Storage account keys and Shared Access Signature (SAS) keys

Storage Isolation:
• Storage blocks are hashed by the hypervisor to separate accounts

SQL Isolation:
• SQL Database isolates separate databases using SQL accounts

Network Isolation:
• VM switch at the host level blocks inter-tenant communication
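The access-control bullet above says storage is reached with account keys or Shared Access Signature (SAS) keys. A SAS works because the holder of the account key signs a grant (resource, permissions, expiry) with HMAC-SHA256 and hands out only the signature, so the storage service can validate a request without the client ever holding the account key. The Go code below is an added example, not Microsoft's implementation: the Token type and the string-to-sign layout are mine and deliberately simpler than the real Azure SAS format, but the checks it performs are the ones that matter to a defender: constant-time signature comparison, expiry, resource scope, the specific permission being exercised, and the fact that rotating the account key invalidates every outstanding token signed with it. The key and timestamps are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Token is a simplified model of a shared access signature. Azure's real SAS
// carries these as query parameters with its own string-to-sign layout; the
// layout here is mine, the mechanism (HMAC-SHA256 over the grant, keyed with
// the account key) is the same idea.
type Token struct {
	Resource    string    // e.g. "container/blob.txt"
	Permissions string    // subset of "rwdl": read, write, delete, list
	Expiry      time.Time // UTC
	Signature   string    // base64 HMAC-SHA256 over the fields above
}

// stringToSign canonicalises the grant so that any change to scope,
// permissions or expiry changes the MAC input.
func stringToSign(resource, perms string, expiry time.Time) string {
	return strings.Join([]string{resource, perms, expiry.UTC().Format(time.RFC3339)}, "\n")
}

func sign(accountKey []byte, resource, perms string, expiry time.Time) string {
	mac := hmac.New(sha256.New, accountKey)
	mac.Write([]byte(stringToSign(resource, perms, expiry)))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// Issue is run only by the holder of the account key: it mints a grant limited
// to one resource, a permission set and a deadline. The key itself is never
// handed out; clients receive only the token.
func Issue(accountKey []byte, resource, perms string, expiry time.Time) Token {
	return Token{resource, perms, expiry.UTC(), sign(accountKey, resource, perms, expiry)}
}

// Verify is what the storage side does on each request: recompute the MAC with
// the current account key (constant-time compare), then enforce expiry,
// resource scope and the specific permission being exercised.
func Verify(accountKey []byte, t Token, resource, perm string, now time.Time) error {
	expected := sign(accountKey, t.Resource, t.Permissions, t.Expiry)
	if !hmac.Equal([]byte(expected), []byte(t.Signature)) {
		return errors.New("signature mismatch: token was tampered with or account key was rotated")
	}
	if !now.Before(t.Expiry) {
		return errors.New("token expired")
	}
	if t.Resource != resource {
		return errors.New("token does not cover this resource")
	}
	if !strings.Contains(t.Permissions, perm) {
		return fmt.Errorf("token lacks %q permission", perm)
	}
	return nil
}

func main() {
	key := []byte("constructed-demo-account-key-not-a-real-one") // constructed; real keys are random 512-bit values
	now := time.Date(2015, 6, 1, 12, 0, 0, 0, time.UTC)
	tok := Issue(key, "container/report.pdf", "r", now.Add(time.Hour))

	fmt.Println("read within scope:", Verify(key, tok, "container/report.pdf", "r", now))
	fmt.Println("write attempt:", Verify(key, tok, "container/report.pdf", "w", now))
	forged := tok
	forged.Permissions = "rw" // a client can edit the grant but cannot re-sign it
	fmt.Println("edited permissions:", Verify(key, forged, "container/report.pdf", "w", now))
	fmt.Println("after expiry:", Verify(key, tok, "container/report.pdf", "r", now.Add(2*time.Hour)))
	fmt.Println("after key rotation:", Verify([]byte("rotated-key"), tok, "container/report.pdf", "r", now))
}
```

The last line of main is the operational point behind the slide's "account keys and SAS keys" pairing: the account key is the root of trust for every SAS, so it belongs in Key Vault or an equivalent, and regenerating it is both the recovery step and the blast-radius check when a token is suspected leaked.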

Microsoft Azure Key Vault

Key Vault offers an easy, cost-effective way to safeguard keys and other secrets used by cloud apps and services using HSMs.

✓ You manage your keys and secrets
✓ Applications get high performance access to your keys and secrets… on your terms

Diagram: keys are imported into the HSM-backed Key Vault and consumed by IaaS, PaaS and SaaS workloads on Microsoft Azure.

Encryption in transit

Azure:
• Encrypts most communication between Azure datacenters
• Encrypts transactions through Azure Portal using HTTPS
• Supports FIPS 140-2

Customer:
• Can choose HTTPS for REST API (recommended)
• Configures HTTPS endpoints for application running in Azure
• Encrypts traffic between Web client and server by implementing TLS on IIS

Diagram: encrypted links between Azure datacenters and to the Azure Portal.

Encryption at rest

Virtual Machines:
• Data drives – full disk encryption using BitLocker
• Boot drives – BitLocker and partner solutions
• SQL Server – Transparent Data and Column Level Encryption
• Files & folders – EFS in Windows Server

Storage:
• BitLocker encryption of drives using Azure Import/Export service
• StorSimple with AES-256 encryption
• Server-side encryption of Blob Storage using AES-256
• Client-side encryption with .NET and Java support

Applications:
• Client side encryption through .NET Crypto API
• RMS Service and SDK for file encryption by your applications

Diagram: RMS SDK and .NET Crypto (Applications); SQL TDE, BitLocker, Partners, EFS (Virtual Machines); BitLocker, StorSimple (Storage).

Data encryption

Layer       | Encryption support                                                                   | Key management                                                                  | Comments
Application | .NET encryption API                                                                  | Managed by customer                                                             | .NET Cryptography documentation
Application | RMS SDK – encrypt data by using RMS SDK                                              | Managed by customer via on-prem RMS key management service or RMS online        | RMS SDK documentation
Platform    | SQL TDE/CLE on SQL Server on Azure IaaS servers                                      | Managed by customers                                                            | SQL TDE/CLE documentation
Platform    | SQL Azure TDE and Column Encryption features in progress                             | Managed by customers                                                            |
Platform    | StorSimple – provides primary, backup, archival                                      | Managed by customers                                                            | Supports AES-256 to encrypt data in StorSimple; StorSimple link and documentation
System      | BitLocker support for data volumes; partner solutions for system volume encryption   | Managed by customers                                                            | BitLocker for fixed or removable volumes; BitLocker command line tool
Others      | Import/Export of xstore data onto drives can be protected by BitLocker               | Managed by customers                                                            | Import/export step by step blog
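The slide lists client-side encryption of Blob Storage and customer-managed keys in Key Vault as options, and every row of the table above is "managed by customer". The design that ties those together is envelope encryption: each blob is encrypted under its own random AES-256 content key, and only that small key is encrypted under a key-encryption key (KEK) the customer holds, so the KEK never touches blob data and a vault-held KEK can serve many blobs. The Go program below is an added example, my own code rather than the .NET or Java client library the slide refers to: it implements the pattern with AES-256-GCM for both layers, binds the blob name in as GCM associated data, and fails closed on edited ciphertext, a wrong KEK or a renamed blob. The EncryptedBlob layout and the fixed sample KEK are constructed for the demo; a real deployment would hold a random KEK in Key Vault.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptedBlob is the object that would be uploaded: ciphertext plus the
// metadata needed to decrypt it later. This layout is mine; the Azure client
// libraries store an equivalent in blob metadata under their own format.
type EncryptedBlob struct {
	WrappedKey []byte // per-blob content key, encrypted under the customer's KEK
	WrapNonce  []byte
	DataNonce  []byte
	Ciphertext []byte // AES-256-GCM output with the authentication tag appended
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

// Encrypt does envelope encryption: a fresh random 256-bit content key per blob
// encrypts the data, and that content key is wrapped with the KEK. The blob
// name is bound in as GCM associated data, so a ciphertext cannot be moved to
// a different name without detection.
func Encrypt(kek, plaintext []byte, blobName string) (*EncryptedBlob, error) {
	contentKey, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	dataGCM, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	dataNonce, err := randomBytes(dataGCM.NonceSize())
	if err != nil {
		return nil, err
	}
	kekGCM, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	wrapNonce, err := randomBytes(kekGCM.NonceSize())
	if err != nil {
		return nil, err
	}
	return &EncryptedBlob{
		WrappedKey: kekGCM.Seal(nil, wrapNonce, contentKey, nil),
		WrapNonce:  wrapNonce,
		DataNonce:  dataNonce,
		Ciphertext: dataGCM.Seal(nil, dataNonce, plaintext, []byte(blobName)),
	}, nil
}

// Decrypt unwraps the content key with the KEK and then opens the data.
// Either step fails closed: a wrong KEK, edited ciphertext or a renamed blob
// produces an authentication error rather than garbage plaintext.
func Decrypt(kek []byte, b *EncryptedBlob, blobName string) ([]byte, error) {
	kekGCM, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	contentKey, err := kekGCM.Open(nil, b.WrapNonce, b.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap content key: %w", err)
	}
	dataGCM, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	return dataGCM.Open(nil, b.DataNonce, b.Ciphertext, []byte(blobName))
}

func main() {
	kek := bytes.Repeat([]byte{0x42}, 32) // constructed KEK for the demo only
	blob, err := Encrypt(kek, []byte("quarterly figures: confidential"), "reports/q2.txt")
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kek, blob, "reports/q2.txt")
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	blob.Ciphertext[0] ^= 0x01 // simulate a modified object in storage
	_, err = Decrypt(kek, blob, "reports/q2.txt")
	fmt.Println("tampered ciphertext:", err)
}
```

Because only the wrapped content key depends on the KEK, rotating the KEK means re-wrapping a 32-byte key per blob rather than re-encrypting the data, which is what makes customer-managed keys workable at storage scale.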

Data destruction

Data deletion:
• Index immediately removed from primary location
• Geo-replicated copy of the data (index) removed asynchronously
• Customers can only read from disk space they have written to

Disk handling:
• NIST 800-88 compliant processes are used for destruction of defective disks

Extensive experience and credentials

Timeline of certifications shown on the slide (2010 to 2015): Operations Security Assurance; HIPAA/HITECH; CJIS; SOC 1; SOC 2; FedRAMP P-ATO; FISMA ATO; UK G-Cloud OFFICIAL; ISO/IEC 27001:2005; CSA Cloud Controls Matrix; PCI DSS Level 1; AU IRAP Accreditation; Singapore MTCS; ISO/IEC 27018; EU Data Protection Directive; CDSA.

Compliance framework: Microsoft maintains a team of experts focused on ensuring that Azure meets its own compliance obligations, which helps customers meet their own compliance requirements.

Compliance certifications: Compliance strategy helps customers address business objectives and industry standards & regulations, including ongoing evaluation and adoption of emerging standards and practices.

Continual evaluation, benchmarking, adoption, test & audit.

Independent verification: Ongoing verification by third-party audit firms.

Access to audit reports: Microsoft shares audit report findings and compliance packages with customers.

Best practices: Prescriptive guidance on securing data, apps, and infrastructure in Azure makes it easier for customers to achieve compliance.

Security partners

In addition to the robust security capabilities built into Azure, the Azure Marketplace offers a rich array of additional security products built by our partners for Azure.

Antimalware: Virtual machines – Kaspersky, Trend Micro; Active Directory integrations – Symantec, McAfee
Networking security: Alert Logic, aiScaler, Barracuda, Check Point, Riverbed, Cohesive Networks
Encryption: CloudLink, Townsend Security
Monitoring and alerts: Alert Logic, Derdack, Nagios
Messaging Security: Kaspersky, Barracuda, Trend Micro
Application Security: Waratek
Authentication: LoginPeople