
Azure Security Best Practices

grigoresc

April 17, 2022

Transcript

  1. INTRO - ABOUT ME
     ▸ Working at Maxcode for some time
     ▸ Part of a team developing Azure cloud applications
     ▸ And I am into devops culture
  2. INTRO - MOTIVATION - DEVOPS CULTURE
     ▸ “DevOps is a cultural movement encouraging collaboration between operations specialists and developers”
     ▸ “DevOps culture blurs the line between the roles of developer and operations staff and may eventually eliminate the distinction.”
  3. INTRO - MOTIVATION - SECURITY AWARENESS
     ▸ Our teams have more power - from the development phase through the release stage.
     ▸ We need to think about security in most of the aspects, not only in development.
  4. INTRO - CLOUD BENEFITS
     ▸ The responsibility for security is shared between the implementor and the cloud provider (Microsoft)
     ▸ Microsoft said cloud security is their top priority
  5. INTRO - WHAT IS LEFT TO US, THE DEVS?
     ▸ A lot…
     ▸ We need to know what the cloud offers in terms of security, what is default, what extra options we have, and also what the best practices are.
     ▸ White paper with best practices - they are in a format like this: describe the recommended practice, mention what you can use from Azure (which capability/feature/component), and what happens if you don’t
  6. AREAS - 6 FUNCTIONAL AREAS
     ▸ Azure security capabilities - 6 functional areas
     ▸ Each area has a multitude of components/capabilities
  7. AREAS - 6 FUNCTIONAL AREAS - HOW TO GRASP THEM
     ▸ There is a method…
     ▸ We are accustomed to all kinds of acronyms/abbreviations - SOLID, DRY, KISS, STRIDE …
     ▸ I propose a new one: CASINO
     ▸ Compute (and keys)
     ▸ Applications
     ▸ Storage (and Data)
     ▸ Identity
     ▸ Networking
     ▸ Operations
  8. NEXT
     ▸ I will go through each of the functional areas and present some capabilities and best practices
     ▸ Nota bene - not all of them are mandatory to use; that depends on the specific client’s requirements, and some of the features may incur additional costs.
     ▸ Show you a case study
  9. COMPUTE (AND KEYS)
     ▸ Hardware Security Module
     ▸ Azure Key Vault
     ▸ Virtual machine backup
     ▸ SQL VM TDE
     ▸ VM Disk Encryption
     ▸ Virtual networking
     ▸ Patch Updates
     ▸ Antimalware & Antivirus
     ▸ Azure Security Center
  10. BEST PRACTICE : CHOOSE A KEY MANAGEMENT SOLUTION
     Protecting your keys is essential to protecting your data in the cloud.
  11. AZURE KEY VAULT
     ▸ Securely stores and controls access to secrets
     ▸ Secrets can be
       ▸ API keys, connection strings, passwords
       ▸ Keys (private keys)
       ▸ Certificates (SSL)
  12. AZURE KEY VAULT
     ▸ It may resemble a Windows certificate store
     ▸ Sort of …
  13. AZURE KEY VAULT - CENTRALISE YOUR SECRETS
     ▸ By having them in only one place you can control their distribution
     ▸ Reduce the chances of accidentally leaking information
     ▸ The devs don’t need to store the secrets in application code / git repos (e.g. connection strings can be placed in the vault)
     ▸ Access the secret info by using URIs.
  14. AZURE KEY VAULT - HARDWARE SECURITY MODULE (HSM)
     ▸ Keys are stored in HSMs
     ▸ HSMs are FIPS 140-2 Level 2 validated (usually required for credit card processing)
     ▸ Q: What is the difference between a software-protected and an HSM-protected key with Azure Key Vault?
     ▸ A: Both types of key are stored in the HSM at rest. The difference is that for a software-protected key the cryptographic operations are performed in software in compute VMs, while for HSM-protected keys the cryptographic operations are performed within the HSM.
     ▸ In test/dev environments using the software-protected option is recommended, while in production use HSM-protected. The only downside with HSM-protected is an additional charge per month if the key is used in that month.
  15. AZURE KEY VAULT - HOW TO USE VAULT - CREATE THE KEY VAULT
  16. AZURE KEY VAULT - HOW TO USE VAULT - SETUP DOTNET CORE CONSOLE APP
  17. AZURE KEY VAULT - HOW TO USE VAULT - USAGE FROM DOTNET CORE CONSOLE APP
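As an added illustration of slides 13 to 17 (this is not code from the deck), a .NET console app that reads a connection string from Key Vault by URI, authenticating with the running identity instead of a stored credential. It assumes the Azure.Identity and Azure.Security.KeyVault.Secrets packages, that the caller's identity has "Get" permission on secrets in the vault, and placeholder vault and secret names.

```csharp
// Added example: fetch a secret from Azure Key Vault from a .NET console app.
// Assumes packages Azure.Identity and Azure.Security.KeyVault.Secrets.
// Vault URI and secret name are placeholders supplied via configuration.
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

class Program
{
    static async Task<int> Main()
    {
        // The vault URI comes from the environment; nothing secret is in source control.
        string vaultUri = Environment.GetEnvironmentVariable("KEYVAULT_URI")
                          ?? "https://<your-vault-name>.vault.azure.net/";

        // DefaultAzureCredential uses the managed identity when running in Azure and
        // falls back to developer sign-in (Azure CLI, Visual Studio) locally, so the
        // same code runs in both places without a client secret.
        var client = new SecretClient(new Uri(vaultUri), new DefaultAzureCredential());

        try
        {
            // Secrets are addressed by name (URI); the response carries value and metadata.
            KeyVaultSecret secret = await client.GetSecretAsync("SqlConnectionString");

            // Use secret.Value to open the database; never write the value to logs.
            Console.WriteLine($"Fetched secret '{secret.Name}', version {secret.Properties.Version}.");
            return 0;
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // Typical cause: the identity has no access policy / role on this vault.
            Console.Error.WriteLine("Access denied: the caller lacks permission on the vault.");
            return 1;
        }
    }
}
```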
  18. AZURE KEY VAULT - WHAT ELSE
     ▸ Monitor access and use
     ▸ APIs for sign/verify/encrypt
     ▸ Soft delete capability; purge later
  19. IDENTITY AND ACCESS MANAGEMENT
     ▸ Azure Active Directory
     ▸ Role-based access control (RBAC)
  20. BEST PRACTICE : OPTIMISE IDENTITY AND ACCESS MANAGEMENT
     Centralise identity management, use role-based access control.
  21. AZURE ACTIVE DIRECTORY (AD) - USE CASES - RIGHTS TO USERS
     ‣ admin/owner gives users rights to access Azure resources; e.g. on resource groups, or on a storage account
  23. AZURE ACTIVE DIRECTORY (AD) - USE CASES - RIGHTS TO EXTERNAL APPS
     ‣ admin/owner gives external applications like TFS/Azure Pipelines rights to access resources (access Azure resources from your CI/CD pipeline)
     ‣ … using an already created Service Principal
     ‣ or creating a new one
  24. AZURE ACTIVE DIRECTORY (AD) - USE CASES - RIGHTS TO AD APPS
     ‣ admin/owner gives apps or services in Azure rights to access resources; e.g. access Azure Key Vault from an app service or Azure function
     ‣ … using a “managed service identity” - each service has its own identity
  26. AZURE ACTIVE DIRECTORY (AD) - ANOTHER USE CASE
     ▸ As a developer, I want to use it in my code…
  27. AZURE ACTIVE DIRECTORY (AD) - MICROSOFT IDENTITY PLATFORM
     ▸ formerly Azure Active Directory for developers
     ▸ Programmer’s heaven:
       ▸ How to “Build a single-page app”, “Build a protected web API”, “Build a daemon app that calls web APIs”
       ▸ How to “Build a customer-facing app that signs in social & local identities”
  29. STORAGE & DATA
     ▸ Encryption in Transit
     ▸ Encryption at Rest
     ▸ Client-Side Encryption
     ▸ Storage analytics
     ▸ Role-Based Access Control (RBAC)
     ▸ Shared Access Signature
  30. BEST PRACTICE : PROTECT YOUR DATA BY USING ENCRYPTION
     Azure SQL Database transparent data encryption helps protect data on disk and protects against unauthorised access to hardware.
  31. AZURE SQL
     ▸ How is it protected?
     ▸ Security practice to follow: protect data at rest, protect data in transit, protect data in use
     ▸ Same for SQL Server
  32. TRANSPARENT DATA ENCRYPTION (ENCRYPTION-AT-REST)
     ▸ Protects data at rest
     ▸ It mitigates the risk of a physical device being stolen
     ▸ Enabled by default for new databases
     ▸ No code needs to be changed
  33. TRANSPARENT DATA ENCRYPTION (ENCRYPTION-AT-REST)
     ▸ 2 options for choosing the encryption key
       ▸ Service managed key
       ▸ Customer managed key (from Key Vault) - BYOK
  34. ALWAYS ENCRYPTED (ENCRYPTION-IN-USE)
     ▸ Data is encrypted on the client side
     ▸ Protects sensitive data stored in specific database columns from being accessed by admins (for example, credit card numbers, national identification numbers)
     ▸ The encryption key is never exposed to SQL and can be stored either in the Windows Certificate Store or in Azure Key Vault.
  35. ALWAYS ENCRYPTED (ENCRYPTION-IN-USE) - INITIAL SETUP
     ▸ With SSMS or PowerShell
     ▸ Select columns to be encrypted
     ▸ Have a master key - stored in Azure Key Vault or the Certificate Store
  38. ALWAYS ENCRYPTED (ENCRYPTION-IN-USE) - INITIAL SETUP
     ▸ What gets created in the end
     ▸ What the data looks like when encrypted
  39. ALWAYS ENCRYPTED (ENCRYPTION-IN-USE) - CODE CHANGES
     ▸ Use “Column Encryption Setting=Enabled” in the connection string
  40. ALWAYS ENCRYPTED (ENCRYPTION-IN-USE) - DOWNSIDES
     ▸ Not all queries are supported - those which require some SQL engine processing, such as a “LIKE” query
       ▸ e.g. 1 - like
       ▸ e.g. 2 - assign
     ▸ Can use EF; however, for code first you still need to do the initial setup
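To make slides 39 and 40 concrete, here is an added example (not from the deck) of a .NET client that enables Always Encrypted on the connection and queries an encrypted column with a parameter. It assumes Microsoft.Data.SqlClient, Azure.Identity and Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider (2.x or later), a hypothetical table dbo.Customers whose NationalId column was encrypted deterministically during the SSMS/PowerShell setup, and a column master key held in Key Vault.

```csharp
// Added example: query a column protected by Always Encrypted from .NET.
// Assumes Microsoft.Data.SqlClient, Azure.Identity and the
// Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider package (2.x+).
// Table, column and connection string are placeholders.
using System;
using System.Collections.Generic;
using Azure.Identity;
using Microsoft.Data.SqlClient;
using Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider;

static class AlwaysEncryptedDemo
{
    public static void Main()
    {
        // Register the Key Vault provider once per process so the driver can unwrap the
        // column encryption key with the column master key stored in the vault.
        SqlConnection.RegisterColumnEncryptionKeyStoreProviders(
            new Dictionary<string, SqlColumnEncryptionKeyStoreProvider>
            {
                [SqlColumnEncryptionAzureKeyVaultProvider.ProviderName] =
                    new SqlColumnEncryptionAzureKeyVaultProvider(new DefaultAzureCredential())
            });

        var builder = new SqlConnectionStringBuilder(
            Environment.GetEnvironmentVariable("SQL_CONNECTION_STRING")
            ?? "Server=tcp:<server>.database.windows.net;Database=<db>;Authentication=Active Directory Default")
        {
            // Same effect as "Column Encryption Setting=Enabled" in the connection string:
            // the driver encrypts parameters and decrypts result columns transparently.
            ColumnEncryptionSetting = SqlConnectionColumnEncryptionSetting.Enabled
        };

        using var conn = new SqlConnection(builder.ConnectionString);
        conn.Open();

        // Equality on a deterministically encrypted column works: the parameter is
        // encrypted client-side, so SQL never sees the plaintext. A literal in the
        // SQL text, or LIKE / range predicates on this column, would fail (slide 40).
        using var cmd = new SqlCommand(
            "SELECT CustomerId, Name FROM dbo.Customers WHERE NationalId = @id", conn);
        cmd.Parameters.Add(new SqlParameter("@id", System.Data.SqlDbType.NVarChar, 20)
        {
            Value = "1234567890123"   // constructed sample value; type/size must match the column
        });

        using var reader = cmd.ExecuteReader();
        while (reader.Read())
            Console.WriteLine($"{reader.GetInt32(0)}: {reader.GetString(1)}");
    }
}
```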
  41. ALWAYS ENCRYPTED (ENCRYPTION-IN-USE) - WHAT ELSE?
     ▸ Q: Can it be used from App Service?
     ▸ A: Yes, check https://github.com/microsoft/azure-sql-security-sample
  42. NETWORKING
     ▸ Network Security Groups (NSG)
     ▸ Azure Virtual Network
     ▸ VPN Gateway
     ▸ Application Gateway
     ▸ Web Application Firewall
     ▸ Traffic Manager
     ▸ Azure Load Balancer
     ▸ Azure Security Center
  43. A FEW BEST PRACTICES
     ▸ Optimise uptime and performance - using a load balancer (Application Gateway, Traffic Manager, or internal Load Balancer)
     ▸ Disable RDP/SSH access to virtual machines
  44. APPLICATION
     ▸ Web application vulnerability scanning
     ▸ Penetration testing
     ▸ Web Application Firewall
     ▸ Authentication and authorization in Azure App Service
     ▸ Layered security architecture
     ▸ Web server diagnostics and application diagnostics
  45. A FEW BEST PRACTICES
     ▸ Use a Web Application Firewall - it is based on the OWASP core rule set of vulnerabilities
  46. OPERATIONS
     ▸ Security and Audit Dashboard
     ▸ Azure Resource Manager
     ▸ Application Insights
     ▸ Azure Monitor
     ▸ Azure Monitor Logs
     ▸ Azure Advisor
     ▸ Azure Security Center
  47. BEST PRACTICE : AUTOMATE THE BUILD AND DEPLOYMENT OF SERVICES
     Infrastructure as code is a set of techniques and practices that help IT pros remove the burden of day-to-day build and management of modular infrastructure. It enables IT pros to build and maintain their modern server environment.
  48. ARM - AZURE RESOURCE MANAGER
     ▸ You can use Azure Resource Manager to provision your applications by using a declarative template.
     ▸ In a single template, you can deploy multiple services along with their dependencies. You use the same template to repeatedly deploy your application in every stage of the application lifecycle.
     ▸ Repeatable deployments (no human errors)
  49. MONITOR THE PERFORMANCE OF YOUR APPLICATIONS
     Monitoring is the act of collecting and analysing data to determine the performance, health, and availability of your application. An effective monitoring strategy helps you understand the detailed operation of the components of your application. It helps you increase your uptime by notifying you of critical issues so that you can resolve them before they become problems. It also helps you detect anomalies that might be security related.
  50. APPLICATION INSIGHTS
     ▸ monitor live web applications
     ▸ automatically detects performance anomalies
     ▸ includes powerful analytics tools to help you diagnose issues and to understand what users actually do with your app
  51. END - CONCLUSIONS / TAKEAWAYS
     ▸ I hope you’ve learned something new about security capabilities/tools from Azure
     ▸ You can grasp the security capabilities easily now (remember - CASINO)
     ▸ and… most of the security best practices are already there