
GABC2018: How do you protect a hybrid PaaS-IaaS solution, built entirely in the cloud? by Lorenzo Barbieri

Security can be applied at various levels. We’ll see the adventure of two friends building a web solution, but one of them is trying to sabotage from the inside. We’ll see if the loyal friend will succeed in protecting all the work, and how the solution should evolve to be more secure!

Azure Zurich User Group

April 21, 2018

Transcript

1. HOW DO YOU PROTECT A HYBRID PAAS-IAAS SOLUTION, BUILT ENTIRELY IN THE CLOUD?
   #GlobalAzure #AzureZurich
   [email protected] @_geniodelmale
2. EVERYTHING STARTS WITH A “GOOD” ARCHITECTURE
   [Architecture diagram: Web UI; Users, Photos, URLs; RAW Photos, Thumbnails; Watermarking, Photo resize; resource groups (RG) for Dev-Test and Production]
3. 1ST STRIKE: The case of disappearing resources
   [Same architecture diagram; the saboteur's caption: “Attack one! Destroy ’em all!”]
4. MITIGATION
   Infrastructure as Code:
   • Script everything
   • Backup everything
   [Same architecture diagram, labelled DevOps]
5. REMEDIATION
   • Subscription role protection
   • RBAC
   • Azure AD could be protected with MFA
   [Same architecture diagram]
6. 2ND STRIKE: The case of unexpected load
   [Same architecture diagram; caption: “Attack two…o…o… oooo!”, with dollar signs marking the cost impact]
7. MITIGATION
   • Alert rules and monitoring
   • web.config based IP restriction
   • Functions in App Service Plan
   [Same architecture diagram, now annotated +web.config]
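As an added illustration of the web.config based IP restriction (example configuration written for this page, not taken from the deck): IIS's ipSecurity element, which App Service honours, with allowUnlisted="false" so only the listed ranges reach the Web UI, plus IIS's Dynamic IP Restrictions module to throttle a single client that floods requests. The address ranges are RFC 5737 documentation ranges standing in for your own.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <!-- allowUnlisted="false": everything not listed below gets 403.
           203.0.113.0/24 and 198.51.100.25 are placeholder (RFC 5737) addresses;
           replace them with the ranges your users or your front-end come from. -->
      <ipSecurity allowUnlisted="false">
        <!-- office / admin egress range -->
        <add ipAddress="203.0.113.0" subnetMask="255.255.255.0" allowed="true" />
        <!-- a single partner host -->
        <add ipAddress="198.51.100.25" allowed="true" />
      </ipSecurity>
      <!-- Dynamic IP Restrictions: temporarily block a client that opens more
           than 20 concurrent requests or more than 100 requests in 2 seconds.
           The thresholds are assumptions; tune them against normal traffic. -->
      <dynamicIpSecurity denyAction="Forbidden">
        <denyByConcurrentRequests enabled="true" maxConcurrentRequests="20" />
        <denyByRequestRate enabled="true" maxRequests="100" requestIntervalInMilliseconds="2000" />
      </dynamicIpSecurity>
    </security>
  </system.webServer>
</configuration>
```

Two caveats a practitioner will want. First, this protects only the Web UI: Functions reached on their own URL need their own restriction, and on a consumption plan every execution is billed, which is the reason the slide moves them into a fixed-cost App Service Plan. Second, once a Web App Firewall or API Management is placed in front of the app, the allow-list must be changed to the front-end's addresses only; otherwise callers can bypass the front-end by hitting the App Service hostname directly.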
8. REMEDIATION
   • Web App Firewall
   • API Management
   • (NEW) Azure DDoS Protection for VNET
   [Same architecture diagram, +web.config]
9. 3RD STRIKE: The case of data and storage loss
   [Same architecture diagram, +web.config; caption: “Attack three! I know your secrets!”]
10. MITIGATION
   • Key rotation
   • Least user privilege (DB)
   • Alert
   [Same architecture diagram, +web.config]
11. REMEDIATION
   • SQL DB Firewall
   • VNET Storage
   • Handle Disconnect
   [Same architecture diagram, +web.config, +SQL DB Firewall]
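“Handle Disconnect” (and the later rule “Assume cloud failure”) means the application must treat a dropped or refused SQL connection as an expected event rather than a crash. The following is an added example, not code from the deck: a retry wrapper that retries only the error numbers Azure SQL Database reports for transient conditions, with exponential backoff and full jitter. The error set is an assumed subset of Microsoft's documented list, and the driver exception and flaky connection are constructed stand-ins so the code runs offline.

```python
"""Handle disconnects: retry transient Azure SQL errors with jittered backoff."""
import random
import time

# Assumed subset of the error numbers Microsoft documents as transient for
# Azure SQL Database; consult the current list for the full set.
TRANSIENT_SQL_ERRORS = {
    4060,   # cannot open database (seen during failover / reconfiguration)
    40197,  # service error while processing the request
    40501,  # service is busy, retry later
    40613,  # database currently unavailable
    49918,  # not enough resources to process the request
    10928,  # resource ID limit reached
    10929,  # resource governance: fewer requests allowed right now
}


class SqlError(Exception):
    """Stand-in for the driver's exception; real drivers expose the number too."""
    def __init__(self, number, message=""):
        super().__init__(f"SQL error {number}: {message}")
        self.number = number


def is_transient(exc):
    """Only errors the service itself marks as transient are worth retrying."""
    return isinstance(exc, SqlError) and exc.number in TRANSIENT_SQL_ERRORS


def run_with_retry(operation, max_attempts=5, base_delay=0.5, max_delay=8.0,
                   sleep=time.sleep, rng=random.random):
    """Call operation() until it returns; re-raise on a non-transient error
    or once max_attempts is exhausted.

    The delay before attempt n+1 is uniform in [0, min(max_delay, base_delay*2^(n-1))]
    ("full jitter"), so clients recovering from one outage do not reconnect in
    lockstep. sleep and rng are injectable so tests run without waiting.
    """
    attempt = 0
    while True:
        attempt += 1
        try:
            return operation()
        except Exception as exc:
            if not is_transient(exc) or attempt >= max_attempts:
                raise
            cap = min(max_delay, base_delay * 2 ** (attempt - 1))
            sleep(cap * rng())


class FlakyConnection:
    """Constructed stand-in: fails `failures` times with `error`, then succeeds."""
    def __init__(self, failures, error=40613):
        self.failures, self.error, self.calls = failures, error, 0

    def query(self):
        # In real code this opens a fresh connection and runs the query:
        # a stale pooled connection is exactly what a failover leaves behind.
        self.calls += 1
        if self.calls <= self.failures:
            raise SqlError(self.error, "simulated outage")
        return [("photo", 42)]


if __name__ == "__main__":
    conn = FlakyConnection(failures=2)
    rows = run_with_retry(conn.query, sleep=lambda s: print(f"backing off {s:.2f}s"))
    print(rows, "after", conn.calls, "attempts")
```

Two design points: the retried operation must open its own connection each time (retrying a query on the connection that just died only fails again), and only idempotent work should be wrapped this way. A write that committed just before the connection dropped would be duplicated by a naive retry, so writes need a transaction or an idempotency key before they are retried.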
12. 4TH STRIKE: The case of being Gitted
   [Same architecture diagram, +web.config, +SQL DB Firewall; caption: “Fourth Attack! Keys from the octocat!”]
13. REMEDIATION
   • Move all the keys to a secure path
   • Use Team Build to set them before deployment
   • Azure Key Vault
   • Managed Service Identity (preview)
   [Same architecture diagram, +web.config, +SQL DB Firewall, with a “?” marker]
14. 5TH STRIKE: The case of remote connections
   [Same architecture diagram, +web.config, +SQL DB Firewall, with an SSH prompt (>_ SSH); caption: “Remote Attack!”]
15. REMEDIATION
   • Network Security Groups
   [Same architecture diagram, +web.config, +SQL DB Firewall, >_ SSH]
16. A BETTER ARCHITECTURE
   [Same architecture diagram, +web.config, +SQL DB Firewall]
17. RECAP – THE 7 GOLDEN RULES
   • Script everything
   • Backup everything
   • Least user privilege
   • Trust no one
   • Monitor everything
   • Assume cloud failure
   • Protect your secrets
18. RESOURCES
   • “Parts Unlimited” sample site with telemetry and fault injection: https://microsoft.github.io/PartsUnlimited/
   • The “bible of Chaos Engineering”: http://principlesofchaos.org/
   • Only for the “Brave”: Netflix Chaos Monkey integrated with Spinnaker: https://github.com/Netflix/chaosmonkey
   • Cloud Bedlam: https://github.com/GitTorre/CloudBedlamLinux/tree/dotnet-core
19. THANK YOU VERY MUCH!
   • Feedback is important!
   • Tweet @_geniodelmale #GlobalAzure #AzureZurich or send me an email: [email protected]
   @_geniodelmale