
Designing secure cloud applications

Adora Nwodo
September 30, 2020




Transcript

  1. None
  2. A few benefits of moving to the cloud

  3. None
  4. None
  5. Security risks in cloud applications

  6. Security risks in cloud applications

  7. Security risks in cloud applications

  8. None
  9. None
  10. None
  11. Will my application contain sensitive customer data? Where and how

    is my application's data stored? Will this application be available over the internet (publicly) or only internally? How do I plan to verify my users' identity? What sensitive tasks are performed in my application? Does my application perform any risky software activities?
  12. None
  13. Three cloud security design patterns: Federated Identity, Valet Key, Gatekeeper

  14. None
  15. None
  16. None
  17. Benefits of using the gatekeeper:

  18. None
  19. None
  20. None
  21. None
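  // Slides 22–31 of the deck repeat this one snippet (code adapted from the
  // docs.microsoft.com Valet Key sample); they are consolidated into a single
  // listing here. The slide text assigned permissions to, and signed with, an
  // undefined `policy` variable where the BlobSasBuilder was meant; that is
  // corrected below.
  public class ValuesController : ApiController
  {
      private readonly BlobServiceClient blobServiceClient;
      private readonly string blobContainer;

      // ... other members elided on the slide ...

      /// <summary>
      /// Return a limited access key (a service SAS) that allows the caller to
      /// upload a file to this specific blob for a defined period of time
      /// (10 minutes). This is the "valet key" pattern: the client never sees
      /// the storage account key, only a write-only, single-blob, short-lived,
      /// HTTPS-only token.
      /// </summary>
      /// <param name="blobName">
      /// Name of the destination blob inside <see cref="blobContainer"/>. The SAS
      /// grants write access to exactly this name, so whoever calls this method
      /// — not the remote client — should decide or authorize it; a
      /// client-chosen name could overwrite any blob in the container.
      /// NOTE(review): confirm how callers obtain blobName.
      /// </param>
      /// <returns>The blob URI plus the SAS query string to append to it.</returns>
      /// <exception cref="ArgumentException">blobName is null or whitespace.</exception>
      /// <exception cref="InvalidOperationException">The signing key is not configured.</exception>
      private StorageEntitySas GetSharedAccessReferenceForUpload(string blobName)
      {
          if (string.IsNullOrWhiteSpace(blobName))
          {
              throw new ArgumentException("A blob name is required.", nameof(blobName));
          }

          var blob = blobServiceClient
              .GetBlobContainerClient(this.blobContainer)
              .GetBlobClient(blobName);

          // The account key is the storage account's root credential. Keep it out
          // of source and out of plain app settings in production (Key Vault or
          // environment-injected secrets), or avoid it entirely by signing a
          // user-delegation SAS with an Azure AD identity (GetUserDelegationKey).
          // The setting name here targets the local storage emulator.
          var accountKey = ConfigurationManager.AppSettings["AzureStorageEmulatorAccountKey"];
          if (string.IsNullOrEmpty(accountKey))
          {
              throw new InvalidOperationException(
                  "Storage account key 'AzureStorageEmulatorAccountKey' is not configured.");
          }
          var storageSharedKeyCredential =
              new StorageSharedKeyCredential(blobServiceClient.AccountName, accountKey);

          // One time base so the validity window is exactly 20 minutes wide;
          // the 10-minute back-dating presumably tolerates clock skew between
          // this server and the storage service.
          var now = DateTimeOffset.UtcNow;
          var blobSasBuilder = new BlobSasBuilder
          {
              BlobContainerName = this.blobContainer,
              BlobName = blobName,
              Resource = "b",                 // "b" = this blob only, not the container
              StartsOn = now.AddMinutes(-10),
              ExpiresOn = now.AddMinutes(10),
              Protocol = SasProtocol.Https,   // never let the token travel over plain HTTP
          };
          // Least privilege: write only — no read, delete or list.
          blobSasBuilder.SetPermissions(BlobSasPermissions.Write);

          var sas = blobSasBuilder.ToSasQueryParameters(storageSharedKeyCredential).ToString();

          return new StorageEntitySas { BlobUri = blob.Uri, Credentials = sas };
      }

      /// <summary>Blob URI and the SAS token that authorizes an upload to it.</summary>
      public struct StorageEntitySas
      {
          /// <summary>SAS query string; treat it as a secret for its lifetime.</summary>
          public string Credentials;
          /// <summary>URI of the single blob the SAS is scoped to.</summary>
          public Uri BlobUri;
      }
  }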
  32. None
  33. None
  34. Claims-based access control

  35. Federated identity pattern use case

  36. Claims-based access control (image from docs.microsoft.com)

  37. None
  38. Identity

  39. Core security

  40. Core security - Threat modelling: STRIDE — Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege
  41. Core security - Threat modelling

  42. Bonus - Implementation

  43. Additional reading

  44. www.adoranwodo.com @adoranwodo