Slide 1

Securing Serverless Applications in Azure

Slide 2

About me
Sjoukje Zaal, Managing Consultant / Azure MVP
@SjoukjeZaal
https://www.sjoukjezaal.com

Slide 3

© 2020 Sjoukje Zaal
Agenda
- What & Why
- Scenario
- Securing Functions (demo)
- Securing Logic Apps (demo)
- Azure AD & Graph (demo)
- Monitoring (demo)

Slide 4

What is Serverless?
"Serverless is simplicity, but not necessarily simpler." Source: Paul Johnston (former AWS Serverless developer advocate)
"Remember, there are NO servers!" Source: Jeff Hollan (Microsoft PM, Azure Functions)

Slide 5

Microsoft Serverless Offering
- Azure Functions: run custom code on demand and at scale in the cloud. The runtime is completely open source and can run everywhere.
- Cosmos DB: a globally distributed, multi-model database service that supports document, key-value, wide-column, and graph databases.
- Event Hubs: fully managed, real-time data ingestion service. Stream millions of events per second from any source.
- Event Grid: fully managed event routing service for events from Azure services or from your own apps.
- Logic Apps: workflow orchestration. Specify the process steps for how to run your serverless application.
- Azure Storage: provides durable, highly available, and massively scalable cloud storage.
- Key Vault: secure key management, used to encrypt keys and small secrets like passwords.
- Cognitive Services: adds intelligent features such as vision, face and speech recognition to your app.
- Azure Search: search-as-a-service solution to build search experiences into web and mobile applications.

Slide 6

Serverless Architecture
A serverless architecture includes the platform, related services, and development tools.

Slide 7

Why use Serverless?
- Reduce costs
- Focus on code
- Faster
- Fully managed

Slide 8

Current scenario
Contoso developed a serverless application that adds external customers to the Azure tenant and makes a custom marketing application available to those customers. Only Contoso employees can use the serverless application, which was built with a Logic App. After an audit by the security department, the current solution was found not to comply with the organization's security and compliance regulations.

Slide 9

Security issues discovered by the security department
- All users with the link to the Logic App can access it
- The Logic App can be accessed by all types of applications
- The Tenant ID, App ID and App Secret are hard-coded in the Logic App
- No monitoring is set up for the applications

Slide 10

Future scenario

Slide 11

Technical Security Building Blocks
- Step 01: Azure Functions, secured using the built-in authentication mechanism
- Step 02: Managed Identities, accessing Azure resources securely
- Step 03: Azure Key Vault, securely storing credentials
- Step 04: Azure AD & Graph, register an Azure AD application and set permissions

Slide 12

Step 1

Slide 13

Functions & Logic Apps: security feature and capability differences
Functions:
- Choose your App Service plan
- Use built-in authentication and authorization
- Use custom SSL / domain
Logic Apps:
- Consumption model
- Uses a SAS token
Both: API Management

Slide 14

Azure Functions security
Authentication options:
- Azure Active Directory
- Microsoft accounts
- Social media identity accounts
Authorization:
- ClaimsPrincipal binding data
Other options:
- Application Gateway (WAF)
- API Management
- Application Insights

Slide 15

Demo: Securing Functions

Slide 16

Demo summary (steps 1-5)
- Created the message queue, to store new requests
- Created a request using an Azure AD registered user, passing on the ClaimsPrincipal
- Changed the authorization level for the Function
- Enabled authentication / authorization for the Function
- Created the Function, to initialize the workflow
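As an added illustration of this demo (this code is not from the presentation), the following C# in-process Azure Function shows the three pieces together: the function-key authorization level set to Anonymous because App Service Authentication (Easy Auth, configured to require Azure AD login) gates the endpoint, the ClaimsPrincipal binding that carries the signed-in employee's identity, and a queue output binding that stores the new request. The function name, route and the queue name "new-requests" are assumptions.

```csharp
using System.IO;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Newtonsoft.Json;

public static class StartWorkflow
{
    // Object id claim type as issued in Azure AD tokens.
    private const string ObjectIdClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";

    [FunctionName("StartWorkflow")]
    public static async Task<IActionResult> Run(
        // Anonymous at the function-key level: App Service Authentication ("Easy Auth"),
        // set to require Azure AD login, already gates the endpoint (key takeaway 02).
        [HttpTrigger(AuthorizationLevel.Anonymous, "post", Route = "requests")] HttpRequest req,
        // Filled in by the Functions runtime from the token that Easy Auth validated.
        ClaimsPrincipal principal,
        // Output binding: each string added becomes one message on the storage queue
        // ("new-requests" is an assumed name) that the Logic App's queue trigger consumes.
        [Queue("new-requests")] IAsyncCollector<string> queue)
    {
        // Fail closed: if Easy Auth were switched to "allow anonymous", the principal
        // would be unauthenticated and the request must be refused, not queued.
        if (principal?.Identity == null || !principal.Identity.IsAuthenticated)
        {
            return new UnauthorizedResult();
        }

        // Record who asked with a stable identifier, not a spoofable display name.
        string requester = principal.FindFirst(ObjectIdClaim)?.Value;
        if (requester == null)
        {
            return new UnauthorizedResult();   // not the Azure AD token we expected
        }

        // Customer details supplied by the employee; the caller's identity travels
        // with them into the workflow so every queued request is attributable.
        string body = await new StreamReader(req.Body).ReadToEndAsync();
        string message = JsonConvert.SerializeObject(
            new { requestedBy = requester, payload = JsonConvert.DeserializeObject(body) });
        await queue.AddAsync(message);
        return new AcceptedResult();
    }
}
```

The Anonymous level only removes the function key requirement; the platform's authentication setting still has to be "Log in with Azure Active Directory" for the principal to be populated.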

Slide 17

Step 2

Slide 18

Azure Logic Apps security
Authentication:
- Azure AD & Graph
- Managed Identities
Secure:
- Integration Service Environment (ISE)
- Secure Outputs (Preview)
Options:
- Application Gateway (WAF)
- API Management
Monitor:
- Log Analytics

Slide 19

Managed Identities: a primary resource in Azure AD
- Feature in Azure AD
- Keeps credentials secure
- System- and user-assigned managed identity
- Authenticate to any service

Slide 20

Azure Key Vault
- Increase security
- No direct access to keys
- Automate certificate tasks
- Use validated HSMs

Slide 21

Demo: Securing Logic Apps

Slide 22

Demo summary (steps 1-5)
- Created a system-assigned managed identity
- Retrieving and parsing the queue message into variables
- Created a new Logic App using the Queue Trigger
- Connected to the queue using the managed identity
- Added the managed identity to the Key Vault

Slide 23

Step 3

Slide 24

Azure AD Application
- Azure AD registration
- OAuth 2.0 Authorization Framework
- App permissions
- Microsoft Graph API

Slide 25

Microsoft Graph
- Azure Active Directory
- Office 365
- Enterprise Mobility & Security
- Windows 10
- Dynamics 365

Slide 26

OAuth 2.0 client credentials grant

Slide 27

Demo: Azure AD & MS Graph

Slide 28

Demo summary (steps 1-5)
- Created an Azure AD Application
- Set the application permissions
- Created a guest user in Azure AD
- Generated an access token
- Retrieved Key Vault secrets in the Logic App
- Enabled Secure Outputs
- Added the Tenant ID, App ID, and App Secret to the Key Vault
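The demo performs these steps inside a Logic App; as an added example (not code from the presentation), the same chain is shown here in C# so the pieces are explicit: a managed identity reads the Tenant ID, App ID and App Secret from Key Vault, the OAuth 2.0 client credentials grant turns them into an app-only token, and that token invites a guest user through Microsoft Graph. It assumes it runs in Azure with a managed identity granted secret read access on the vault, an app registration holding an admin-consented application permission for invitations (for example User.Invite.All), and the vault URL, secret names and redirect URL are placeholders.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Identity.Client;
using Newtonsoft.Json;

public static class GuestInviter
{
    // App-only scope; the effective rights come from the application permissions
    // granted (with admin consent) on the Azure AD app registration.
    private static readonly string[] GraphScopes = { "https://graph.microsoft.com/.default" };

    public static async Task<string> InviteAsync(string vaultUrl, string email, string redirectUrl)
    {
        // 1. Managed identity -> Key Vault: nothing sensitive lives in code or settings.
        //    The identity must have been granted secret read access on the vault.
        var vault = new SecretClient(new Uri(vaultUrl), new ManagedIdentityCredential());
        string tenantId  = (await vault.GetSecretAsync("TenantId")).Value.Value;   // assumed names
        string appId     = (await vault.GetSecretAsync("AppId")).Value.Value;
        string appSecret = (await vault.GetSecretAsync("AppSecret")).Value.Value;

        // 2. OAuth 2.0 client credentials grant: app id + secret -> app-only access token.
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create(appId)
            .WithClientSecret(appSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .Build();
        AuthenticationResult token = await app.AcquireTokenForClient(GraphScopes).ExecuteAsync();

        // 3. Call Microsoft Graph with the bearer token to create the B2B guest invitation.
        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", token.AccessToken);
        string body = JsonConvert.SerializeObject(new
        {
            invitedUserEmailAddress = email,
            inviteRedirectUrl = redirectUrl,   // where the guest lands after redeeming
            sendInvitationMessage = true
        });
        using var response = await http.PostAsync("https://graph.microsoft.com/v1.0/invitations",
            new StringContent(body, Encoding.UTF8, "application/json"));
        response.EnsureSuccessStatusCode();   // 403 here means a missing application permission
        // Return only Graph's response; the secrets and the token are never logged or returned.
        return await response.Content.ReadAsStringAsync();
    }
}
```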

Slide 29

Step 4

Slide 30

Monitoring Serverless Apps
- Application Insights: used by the Azure Function
- Log Analytics: used by the Logic App
- Azure Monitor: aggregates and displays (log) data from several resources

Slide 31

Application Insights

Slide 32

Log Analytics
- Unique environment for Azure Monitor log data
- Integrated in Azure Monitor
- Kusto Query Language (KQL)
- Collects data from different Azure resources

Slide 33

Azure Monitor

Slide 34

Demo: Monitoring applications

Slide 35

Demo summary
- Step 1: Navigated to Azure Monitor in the Azure portal
- Step 2: Looked at Log Analytics capabilities
- Step 3: Looked at Application Insights capabilities

Slide 36

Wrap up: key takeaways
- 01: Azure Functions only support Azure AD v1
- 02: Azure Functions need to be configured for anonymous access
- 03: The Logic Apps Key Vault connector doesn't support Managed Identities

Slide 37

Are there any questions?