Slide 1
Securing Azure Workloads

Slide 2
Kerala
● Sathyajith Bhat
● SRE, Adobe I/O
● Author, Practical Docker With Python
● AWS Community Hero

Slide 3 (image only)

Slide 4
Definitions
● IaaS
  ○ Infrastructure as a Service
  ○ The cloud provider manages the physical infrastructure
  ○ The customer manages everything above it end to end, from the OS to the application

Slide 5
Definitions
● PaaS
  ○ Platform as a Service
  ○ The cloud provider manages a platform, including the OS and the infrastructure
  ○ The customer manages the dev tooling and the application

Slide 6
Definitions
● SaaS
  ○ Software as a Service
  ○ The cloud provider provisions and manages the application
  ○ The customer uses the application and sets up user authentication, etc.

Slide 7 (image only)

Slide 8 (image only)

Slide 9
● What to look at when securing your workloads?
  ○ Identity & Access Management
  ○ Infrastructure & Application
  ○ Network Security

Slide 10
● Identity Management
  ○ Subscriptions
  ○ MFA (Multi-Factor Authentication)
  ○ RBAC

Slide 11
● Subscriptions
  ○ Logical container for resources (and the boundary for billing, policy and many limits)
  ○ Don't put all your resources in one subscription and rely on resource groups alone for separation
  ○ Design strategies:
    ■ Workload separation
    ■ Application category
    ■ Functional strategy
    ■ Business-unit (BU) strategy

Slide 12
● Subscriptions
  ○ Design strategies
    ■ Mixed strategy
  ○ Read more

Slide 13
● MFA (Multi-Factor Authentication)
  ○ Use a password plus a second factor (hardware key, one-time code, biometrics)
  ○ Azure supports:
    ■ Authenticator app
    ■ OATH hardware token
    ■ SMS / voice call

Slide 14
● Security Defaults
  ○ A preconfigured set of security settings applied to the whole tenant
    ■ MFA for all users, block legacy authentication
● Conditional Access
  ○ For more granularity on when additional authentication is required, or for user exclusions
  ○ Example: exclude break-glass / emergency-access accounts
  ○ Caveat: security defaults and Conditional Access policies are mutually exclusive; turn security defaults off before you enable Conditional Access policies, and make sure the policies cover what the defaults did

Slide 15
● Role-Based Access Control (RBAC)
  ○ Fine-grained access to the various resources
  ○ Roles
    ■ Owner, Contributor, Reader, custom
  ○ Security principal
    ■ User, group, managed identity, service principal
  ○ Scope
    ■ The set of resources that the access applies to

Slide 16
● Role-Based Access Control (RBAC)
  ○ Role assignment: binds a security principal, a role definition and a scope; assignments made at a parent scope are inherited by everything beneath it

Slide 17
● Role-Based Access Control (RBAC)
  ○ Create groups (DBA, Network Admins)
  ○ Assign the role to the group rather than to individual users
  ○ Scope it as broad or as narrow as you want:
    ■ From a management group or subscription down to an individual resource
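
The three RBAC slides above describe assignments as principal + role + scope with inheritance down the scope tree. The following is an added example (not from the deck) that models that evaluation in plain Python: simplified versions of the built-in Owner/Contributor/Reader definitions, a hypothetical "VM Operator" custom role, group-based assignments at subscription, resource-group and resource scope, and a check of whether a user may perform an action. The subscription id, resource names and user names are made up; the role definitions are abbreviated from the real ones (Contributor's NotActions list in Azure is longer).

```python
"""Toy model of Azure RBAC evaluation: illustrative code, not Azure's engine."""
import re
from dataclasses import dataclass, field

# Simplified built-in role definitions (Actions / NotActions as in Azure, abbreviated).
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        # Contributor manages everything except access control itself.
        "not_actions": ["Microsoft.Authorization/*/Write",
                        "Microsoft.Authorization/*/Delete",
                        "Microsoft.Authorization/elevateAccess/Action"],
    },
    "Reader": {"actions": ["*/read"], "not_actions": []},
    # Hypothetical custom role: may only look at, start and restart VMs.
    "VM Operator": {
        "actions": ["Microsoft.Compute/virtualMachines/read",
                    "Microsoft.Compute/virtualMachines/start/action",
                    "Microsoft.Compute/virtualMachines/restart/action"],
        "not_actions": [],
    },
}


def _matches(pattern, action):
    """Azure's '*' wildcard matches any run of characters, '/' included; matching is case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


@dataclass(frozen=True)
class Assignment:
    principal: str  # user, group, managed identity or service principal
    role: str
    scope: str      # e.g. /subscriptions/<id>/resourceGroups/<rg>


@dataclass
class Directory:
    groups: dict = field(default_factory=dict)        # group name -> set of member users
    assignments: list = field(default_factory=list)

    def principals_for(self, user):
        """The user plus every group it belongs to (flat membership for the example)."""
        return {user} | {g for g, members in self.groups.items() if user in members}

    def allowed(self, user, action, resource_scope):
        """True if some inherited assignment grants `action` and the role's NotActions don't exclude it."""
        for a in self.assignments:
            if a.principal not in self.principals_for(user):
                continue
            # Scope inheritance: an assignment applies to its scope and everything beneath it.
            if not (resource_scope.lower() + "/").startswith(a.scope.lower().rstrip("/") + "/"):
                continue
            role = ROLES[a.role]
            if (any(_matches(p, action) for p in role["actions"])
                    and not any(_matches(p, action) for p in role["not_actions"])):
                return True
        return False


# Constructed sample tenant (placeholder subscription id and names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
PROD_RG = SUB + "/resourceGroups/prod-rg"
VM = PROD_RG + "/providers/Microsoft.Compute/virtualMachines/web01"


def demo_directory():
    d = Directory()
    d.groups["DBA"] = {"alice"}
    d.groups["Network Admins"] = {"bob"}
    d.assignments += [
        Assignment("Network Admins", "Contributor", PROD_RG),  # broad: the whole resource group
        Assignment("DBA", "Reader", SUB),                      # read-only across the subscription
        Assignment("carol", "VM Operator", VM),                # narrow: a single VM
    ]
    return d


if __name__ == "__main__":
    d = demo_directory()
    print(d.allowed("bob", "Microsoft.Compute/virtualMachines/write", VM))            # True
    print(d.allowed("bob", "Microsoft.Authorization/roleAssignments/write", PROD_RG))  # False
```

The second check is the one worth remembering: a Contributor at resource-group scope can reshape every resource in the group but cannot hand out roles, because NotActions strips `Microsoft.Authorization/*/Write` even though Actions is `*`. Granting Owner instead of Contributor is what makes a compromised account able to escalate.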

Slide 18
● Infrastructure Security
  ○ Encryption
  ○ Backup
  ○ Secure machine images
  ○ Secure container images
  ○ Azure Key Vault
  ○ Virtual networking

Slide 19
● Encryption at Rest
  ○ Server-side encryption (SSE) of managed disks
    ■ Disks are encrypted out of the box with platform-managed keys
    ■ Supports customer-managed keys using envelope encryption; the key lives in Key Vault
  ○ Azure Disk Encryption (ADE)
    ■ Encrypts the OS and data disks inside the VM using DM-Crypt (Linux) and BitLocker (Windows)
    ■ Keys saved in Key Vault
  ○ Client-side encryption: the application encrypts data before it is written to Azure

Slide 20
● Encryption at Rest
  ○ Azure Blob Storage encryption
    ■ Storage Service Encryption: enabled for all storage accounts by default, using platform-managed keys
    ■ Supports customer-managed keys, stored in Key Vault
    ■ (Preview) Customer-provided keys: the client supplies the key with the request and Blob Storage transparently encrypts with it

Slide 21
● Backup
  ○ Azure Backup
    ■ Backs up the entire VM using snapshots, on a prescribed schedule
    ■ Prerequisites:
      ● VMSnapshot extension (Windows)
      ● VMSnapshotLinux extension (Linux)
    ■ Backups are saved to a Recovery Services vault

Slide 22
● Secure Images
  ○ The Azure Marketplace hosts virtual machine images
  ○ Recommended: build your own images
    ■ Patch them with the latest updates
    ■ Use HashiCorp Packer to build your images

Slide 23
● Secure Containers
  ○ Build your own Docker images
  ○ Use Azure Container Registry (ACR) to store the images
  ○ Scan the images for vulnerabilities (ACR does this on push)
    ■ Third-party scanners
      ● Paid: Aqua, Prisma Cloud (née Twistlock)
      ● Open source: Anchore, Clair, Dagda, Trivy

Slide 24
● Azure Key Vault
  ○ Managed secrets solution for:
    ■ Secrets management: store API keys, tokens, passwords
    ■ Key management: create and control the cryptographic keys that encrypt your data (e.g. customer-managed keys for disks and storage)
    ■ Certificate management: provision and manage TLS certificates
  ○ Monitor how and when secrets are accessed
    ■ Send logs to storage accounts / Azure Monitor logs

Slide 25
● Azure Key Vault
  ○ Integrated with other Azure services
    ■ Reference a Key Vault and secret name from an ARM template parameter, so the secret is injected at deployment time instead of being stored in the template
    ■ Create a managed identity so your VMs can authenticate to Key Vault
      ● Let your applications fetch secrets at runtime instead of hard-coding them

Slide 26
● Azure Key Vault
  ○ Guidelines
    ■ RBAC is your friend: follow the least-privilege principle
    ■ Use VNet service endpoints to restrict network access to the vault
    ■ Separate Key Vault per application, per environment
    ■ Enable soft delete to recover from accidental deletion
      ● Gotcha: a soft-deleted vault is not listed in the portal, but a vault with the same name cannot be created until it is purged or the retention period ends
    ■ Optionally enable purge protection, which blocks purging a soft-deleted vault before the retention period expires

Slide 27
● Azure Key Vault
  ○ Demo: fetching secrets without embedding keys
  ○ https://h2100discord.azurewebsites.net/api/hiway_to_discord?name=Everyone
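
Slides 25 and 27 both make the same point: a workload with a managed identity fetches its secrets at runtime and carries no credential of its own. The following is an added example (not the deck's demo code) of what that flow looks like at the protocol level, using only the Python standard library: the VM asks the Instance Metadata Service (IMDS, link-local 169.254.169.254, which requires the `Metadata: true` header) for an access token whose audience is Key Vault, then presents it as a Bearer token to the vault's REST API. The vault name, secret name and the sample JSON replies are constructed placeholders; the network calls only succeed when run on an Azure VM whose identity is allowed to get secrets from that vault.

```python
"""Key Vault secret retrieval via a system-assigned managed identity, stdlib only (added example)."""
import json
import time
import urllib.parse
import urllib.request

IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
KEY_VAULT_RESOURCE = "https://vault.azure.net"   # token audience for Key Vault in the public cloud


def imds_token_url(resource=KEY_VAULT_RESOURCE, api_version="2018-02-01"):
    """URL the VM calls to obtain a token for `resource` from its managed identity."""
    query = urllib.parse.urlencode({"api-version": api_version, "resource": resource})
    return f"{IMDS_TOKEN_ENDPOINT}?{query}"


def secret_url(vault_name, secret_name, version="", api_version="7.4"):
    """Key Vault data-plane URL for a secret (latest version when `version` is empty)."""
    path = f"/secrets/{urllib.parse.quote(secret_name)}"
    if version:
        path += f"/{urllib.parse.quote(version)}"
    return f"https://{vault_name}.vault.azure.net{path}?api-version={api_version}"


def parse_token_response(body):
    """Extract the bearer token and its absolute expiry (epoch seconds) from an IMDS reply."""
    data = json.loads(body)
    return data["access_token"], int(data["expires_on"])  # IMDS sends expires_on as a string


def token_is_fresh(expires_on, now, skew=300):
    """Refresh a few minutes early so no request goes out with a token about to expire."""
    return now + skew < expires_on


def parse_secret_response(body):
    """Return (value, versioned id) from a Key Vault 'get secret' reply."""
    data = json.loads(body)
    return data["value"], data["id"]


def _http_get(url, headers):
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


class ManagedIdentitySecretClient:
    """Caches the IMDS token; works only on an Azure VM with a managed identity."""

    def __init__(self, vault_name):
        self.vault_name = vault_name
        self._token = None
        self._expires_on = 0

    def _access_token(self):
        if self._token is None or not token_is_fresh(self._expires_on, time.time()):
            # The Metadata header is mandatory; IMDS rejects requests without it (an SSRF guard).
            body = _http_get(imds_token_url(), {"Metadata": "true"})
            self._token, self._expires_on = parse_token_response(body)
        return self._token

    def get_secret(self, name, version=""):
        body = _http_get(secret_url(self.vault_name, name, version),
                         {"Authorization": f"Bearer {self._access_token()}"})
        return parse_secret_response(body)[0]


# Constructed sample replies, shaped like the real ones, so the parsing can be checked offline.
SAMPLE_TOKEN_REPLY = json.dumps({"access_token": "eyJ0eXAi...", "expires_on": "1700003600",
                                 "resource": KEY_VAULT_RESOURCE, "token_type": "Bearer"})
SAMPLE_SECRET_REPLY = json.dumps({
    "value": "s3cr3t-db-password",
    "id": "https://contoso-prod-kv.vault.azure.net/secrets/db-password/abc123",
    "attributes": {"enabled": True},
})

if __name__ == "__main__":
    # Placeholder vault and secret names; run this on a VM whose identity may read the vault.
    print(ManagedIdentitySecretClient("contoso-prod-kv").get_secret("db-password"))
```

Nothing in the process environment, config file or image holds a credential: the only thing the VM "knows" is that it is that VM, which IMDS attests by answering on the link-local address. The same shape applies to the `azure-identity` SDK's `DefaultAzureCredential`, which does this exchange for you; the stdlib version is here so the exchange itself is visible.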

Slide 28
● Network Security
  ○ VNets
  ○ Network Security Groups (NSG)
  ○ Azure Firewall
  ○ Just-in-Time VM Access
  ○ Azure Service Endpoints
  ○ DDoS Protection

Slide 29
● VNets
  ○ Custom private address space (RFC 1918)
  ○ Break it into subnets and deploy Azure resources into specific subnets
  ○ A VNet belongs to a single subscription (and region), which further limits access
  ○ Unrestricted outbound access to the internet by default
    ■ Inbound communication only via a Standard Load Balancer or a Public IP

Slide 30
● VNet guidelines
  ○ Don't use overlapping address spaces (peering and VPN connections need unique ranges)
  ○ Reserve some space for the future; a subnet that already has resources in it cannot be resized
  ○ Filter traffic with Network Security Groups applied to subnets to limit access
  ○ Communication with other resources:
    ■ VNet peering within Azure
    ■ Azure Service Endpoints
    ■ VPN / ExpressRoute

Slide 31
● Network Security Groups (NSG)
  ○ A set of security rules that allow or deny inbound/outbound traffic
  ○ Each rule specifies source, destination, port and protocol
    ■ Source/destination can be service tags, IP addresses/CIDRs or Application Security Groups
  ○ Rules are evaluated in priority order (lowest number first) against the 5-tuple; the first match wins
    ■ Source, source port, destination, destination port, protocol
  ○ Rules are stateful
    ■ No inbound rule is required for the return traffic of a connection initiated from the VM

Slide 32
● Network Security Groups (NSG)
  ○ Default inbound rules (priorities 65000 and up, so any custom rule in the 100-4096 range overrides them)
    ■ AllowVnetInBound (65000): VirtualNetwork -> VirtualNetwork, ports 0-65535, any protocol
    ■ AllowAzureLoadBalancerInBound (65001): AzureLoadBalancer -> any, ports 0-65535, any protocol
    ■ DenyAllInBound (65500): 0.0.0.0/0 -> any, ports 0-65535, any protocol
  ○ Default outbound rules
    ■ AllowVnetOutBound (65000): VirtualNetwork -> VirtualNetwork, ports 0-65535, any protocol
    ■ AllowInternetOutBound (65001): any -> Internet, ports 0-65535, any protocol
    ■ DenyAllOutBound (65500): any -> any, ports 0-65535, any protocol
  ○ Note that AllowVnetInBound means every port is open to every other host in the VNet until you add a deny rule with a lower priority number

Slide 33
● Azure Firewall
  ○ Managed, stateful network security service
  ○ Application rules filter outbound HTTP/S traffic by FQDN
  ○ Network rules filter any traffic by source, destination, port and protocol (e.g. RDP, SSH, FTP); inbound services are published through DNAT rules
  ○ Use it as the first line of defense
  ○ Chain it with NSGs for a defense-in-depth approach

Slide 34
● Just-in-Time VM Access
  ○ Lock down inbound traffic to the VM via the NSG
  ○ Request access to the VM
    ■ Azure checks for the required RBAC permission
      ● If granted, the NSG is modified automatically to allow the traffic
      ● Access is revoked after the requested window expires
      ● Note: existing connections are not interrupted

Slide 35
● Just-in-Time VM Access
  ○ How to request access?
    ■ Via Azure Security Center
    ■ Via the VM page
    ■ Via PowerShell / API
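
Slides 31, 32 and 34 describe three behaviours that are easy to get wrong in practice: priority-ordered first-match evaluation on the 5-tuple, the default rules that every NSG carries at priority 65000 and above, and Just-in-Time access implemented as a temporary allow rule that is removed on expiry. The following is an added simulator (not Azure's data plane and not code from the deck) that makes those behaviours concrete. The VNet range, the sample custom rule, the requester role name "JIT Initiate" and the JIT rule naming are constructed for the example; service tags are reduced to a few hard-coded prefixes, and the `Internet` tag is simplified to 0.0.0.0/0.

```python
"""NSG rule evaluation plus a Just-in-Time access flow on top of it (added illustrative code)."""
import ipaddress
from dataclasses import dataclass

# Constructed address space for the example: one VNet and a few service tags.
VNET_PREFIXES = [ipaddress.ip_network("10.0.0.0/16")]
AZURE_LB_PROBE = ipaddress.ip_network("168.63.129.16/32")   # Azure Load Balancer health-probe source
SERVICE_TAGS = {
    "VirtualNetwork": VNET_PREFIXES,
    "AzureLoadBalancer": [AZURE_LB_PROBE],
    "Internet": [ipaddress.ip_network("0.0.0.0/0")],        # simplification: everything
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # custom rules use 100..4096; lower number is evaluated first
    direction: str         # "Inbound" | "Outbound"
    access: str            # "Allow" | "Deny"
    protocol: str          # "Tcp" | "Udp" | "Icmp" | "*"
    source: str            # CIDR, single IP, service tag or "*"
    source_port: str       # "*", a port, or a range such as "1024-65535"
    destination: str
    destination_port: str


def _addr_matches(spec, addr):
    if spec == "*":
        return True
    nets = SERVICE_TAGS.get(spec) or [ipaddress.ip_network(spec, strict=False)]
    return any(ipaddress.ip_address(addr) in n for n in nets)


def _port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _proto_matches(spec, proto):
    return spec == "*" or spec.lower() == proto.lower()


# The six default rules every NSG carries; they cannot be deleted, only overridden by lower numbers.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]


class NSG:
    def __init__(self, rules=()):
        self.rules = list(rules)

    def evaluate(self, direction, proto, src, sport, dst, dport):
        """Return (access, rule name) of the first rule, in priority order, that matches the 5-tuple."""
        for r in sorted(self.rules + DEFAULT_RULES, key=lambda r: r.priority):
            if (r.direction == direction and _proto_matches(r.protocol, proto)
                    and _addr_matches(r.source, src) and _port_matches(r.source_port, sport)
                    and _addr_matches(r.destination, dst) and _port_matches(r.destination_port, dport)):
                return r.access, r.name
        raise AssertionError("unreachable: DenyAll* always matches")

    # Just-in-Time VM access, as the slides describe it: RBAC check, temporary allow rule, revoke on expiry.
    def jit_request(self, requester_roles, vm_ip, port, source_ip, now, duration_s):
        """Insert a time-boxed allow rule for one source and port; returns (rule, expiry time)."""
        if "JIT Initiate" not in requester_roles:   # hypothetical role name standing in for the RBAC check
            raise PermissionError("requester lacks the RBAC permission to initiate JIT access")
        rule = Rule(f"SecurityCenter-JITRule_{port}", 100, "Inbound", "Allow", "Tcp",
                    source_ip, "*", vm_ip, str(port))
        self.rules.append(rule)
        return rule, now + duration_s

    def jit_expire(self, rule, expires_at, now):
        """Remove the temporary rule once its window has passed; True if it was removed now."""
        if now >= expires_at and rule in self.rules:
            self.rules.remove(rule)
            return True
        return False


if __name__ == "__main__":
    nsg = NSG([Rule("AllowHTTPSFromInternet", 200, "Inbound", "Allow", "Tcp", "Internet", "*", "*", "443")])
    print(nsg.evaluate("Inbound", "Tcp", "203.0.113.5", 50000, "10.0.1.4", 22))   # ('Deny', 'DenyAllInBound')
    print(nsg.evaluate("Inbound", "Tcp", "10.0.2.7", 50000, "10.0.1.4", 22))      # ('Allow', 'AllowVnetInBound')
```

The third line of the usage is the check worth running against your own rules: SSH from another host in the same VNet is allowed by the default AllowVnetInBound rule, so "locked down" only means locked down from the internet until you add an explicit deny at a lower priority number. In the JIT path, note that a second source address is still denied during the window, and that once `jit_expire` removes the rule the packet falls through to DenyAllInBound again.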

Slide 36
● Azure Service Endpoints
  ○ Typically, traffic to an Azure service goes to the service's public IP
    ■ Requires allow-listing of your outbound public IPs and complicated security-group rules
  ○ A service endpoint routes traffic from the subnet to the service over the Azure backbone, and lets the service restrict access to that VNet/subnet
  ○ Apply endpoint policies on top for fine-grained access

Slide 37
● Azure Service Endpoints
  ○ Service endpoint policy gotchas
    ■ Appear to support only Azure Storage for now; no other managed service is supported
    ■ Cannot be applied to traffic from on-prem to an Azure service
    ■ Classic storage accounts are not supported

Slide 38
● Azure Security Center
  ○ Unified security management system for Azure
  ○ Lets you improve your security posture by reviewing and configuring the recommended controls

Slide 39 (image only)

Slide 40
● References
  ○ Subscription Decision Guide
  ○ Security Defaults
  ○ Common Conditional Access policies
  ○ Cloud Adoption Framework Decision Guide: Encryption
  ○ Azure best practices for network security

Slide 41
● References
  ○ Azure Security Center
  ○ Azure Advent videos
    ■ Azure Key Vault
    ■ Azure Sentinel