Securing workloads on Azure

Transcript

1. Securing Azure Workloads

2. Kerala • Sathyajith Bhat • SRE, Adobe I/O • Author,

   Practical Docker With Python • AWS Community Hero

3. Kerala

4. Kerala Definitions • IaaS ◦ Infrastructure as service ◦ Cloud

   Computing provider manages the physical infrastructure ◦ Custom manages end-to-end – from the OS to the application

5. Kerala Definitions • PaaS ◦ Platform as a Service ◦

   Cloud Computing provider manages a platform – including the OS and the infrastructure ◦ Customer manages the dev tooling and the application

6. Kerala Definitions • SaaS ◦ Software as a Service ◦

   Cloud Computing provider provisions and manages application ◦ Customer uses the application, sets up user auth etc

7. Kerala

8. Kerala

9. Kerala • What to look at for securing your workloads?

   ◦ Identity & Access Management ◦ Infrastructure & Application ◦ Network Security

10. Kerala • Identity Management ◦ Subscriptions ◦ MFA (Multi Factor

    Authentication) ◦ RBAC

11. Kerala • Subscriptions ◦ Logical container for resources ◦ Don’t

    put all your resources in one subscription, separated by resource group ◦ Design strategies: ▪ Workload separation ▪ Application category ▪ Functional strategy ▪ BU strategy

12. Kerala • Subscriptions ◦ Design strategies ▪ Mixed strategy ◦

    Read more

13. Kerala • MFA (Multi Factor authentication) ◦ Use a password

    + second factor (hardware key, one time number, biometrics) ◦ Azure supports: ▪ Authenticator App ▪ OATH Hardware Token ▪ SMS/Voice calls

14. Kerala • Security Defaults ◦ Applied preconfigured security settings ▪

    MFA for all users, block legacy auth • Conditional Access ◦ For more granularity on when additional auth is needed, or for user exclusions ◦ Example: exclude break glass / emergency access accounts

15. Kerala • Role Based Access Control (RBAC) ◦ Fine grained

    access to various resources ◦ Roles ▪ Owner, Contributor, Reader, custom ◦ Security Principal ▪ User, Group, Managed Identity, Service Principal ◦ Scope ▪ Set of resources that the access applies to

16. Kerala • Role Based Access Control (RBAC) ▪ Role assignment

17. Kerala • Role Based Access Control (RBAC) ◦ Create groups

    (DBA, Network Admins) ◦ Assign the group to specific access. ◦ Scope to as broad or as narrow as you want: ▪ Management Subscription to individual resources

18. Kerala • Infrastructure Security ◦ Encryption ◦ Backup ◦ Secure

    Machine Images ◦ Secure Container Images ◦ Azure Key vault ◦ Virtual Networking

19. Kerala • Encryption at Rest ◦ Azure Disk Encryption ◦

    Server Side Encryption/Client Side encryption ▪ Disks encrypted out of the box with platform managed keys ▪ Supports customer managed keys using envelope encryption • Disk encryption using DM-Crypt(Linux) and BitLocker(Windows) • Keys saved in Key Vault

20. Kerala • Encryption at Rest ◦ Azure Blob Storage encryption

    ▪ Storage Service Encryption – enabled for all accounts by default using platform managed keys ▪ Supports customer managed keys, keys stored in Key Vault ▪ (Preview) Customer Provided keys – provide the keys for Blob storage, Blob storage transparently encrypt it

21. Kerala • Backup ◦ Azure Managed Backup ▪ Does backup

    of entire VM using snapshots, at prescribed schedule ▪ Pre-requisites: • VMSnapshot extension (Windows) • VMSnapshotLinux extension (Linux) ▪ Backup saved to Recovery Vault

22. Kerala • Secure Images ◦ Azure Marketplace hosts Virtual Machine

    Images ◦ Recommend: build your own images ▪ Patch with updates ▪ Use Hashicorp Packer to build your images

23. Kerala • Secure Containers ◦ Build your own Docker Images

    ◦ Use Azure Container Registry to store the images ◦ Scan the images for vulnerabilities(ACR does this on push) ▪ Third party scanners • Paid: Aqua, Prisma Cloud(née Twistlock) • Open Source: Anchore, Clair, Dagda, Trivy

24. Kerala • Azure Key Vault ◦ Managed secrets solution for:

    ▪ Secrets Management: Store API keys, tokens, passwords ▪ Key Management: Store API Keys ▪ Certificate Management: Provision/manage TLS certificates ◦ Monitor how/when secrets are accessed ▪ Send logs to storage accounts/Azure Monitor logs

25. Kerala • Azure Key Vault ◦ Integrated with other Azure

    services ▪ Reference to key vault & name in ARM for secrets injection during provision ▪ Create a managed identity to auth your VMs • Let your applications fetch secrets instead of hard coding them

26. Kerala • Azure Key Vault ◦ Guidelines ▪ RBAC is

    your friend. Use least privilege access principal ▪ Use VNET Service Endpoints ▪ Separate Key Vault per application, per environment ▪ Enable soft delete for recovery of accidental deletion • Gotcha: With soft delete, key vault is not listed in portal, but key vault w/same name cannot be created ▪ Optional, enable purge protection

27. Kerala • Azure Key Vault ◦ Demo on how to

    fetch secrets without embedding keys ◦ https://h2100discord.azurewebsites.net/api/hiway_to_discord?name=Everyone

28. Kerala • Network Security ◦ VNets ◦ Network Security Groups(NSG)

    ◦ Azure Firewall ◦ Just in Time VM Access ◦ Azure Service Endpoints ◦ DDoS Protection

29. Kerala • VNets ◦ RFC1918 compliant custom private address space

    ◦ Break into subnets, deploy Azure resources to specific subnets ◦ VNet scoped to subscriptions, further limiting access ◦ Unrestricted outbound to internet by default ▪ Inbound communication via Standard Load Balancer or Public IP

30. Kerala • Vnet Guidelines: ◦ Don’t have overlapping address spaces.

    ◦ Reserve some space for future. Can’t resize a subnet ◦ Filter traffic with Network Security Groups/to subnets to limit access ◦ Communication to other resources: ▪ Vnet peering within Azure ▪ Azure Service Endpoints ▪ VPN/ ExpressRoute

31. Kerala • Network Security Groups(NSG) ◦ Consists of security rules

    that allow/deny inbound/outbound ◦ Specify source & destination, Protocol ▪ Source/Dest can be ServiceTags, IP addresses, Application Security Groups ◦ Evaluated by priority using the 5-tuple combination ▪ Source, SourcePort, Destination, DestinationPort, Protocol ◦ Rules are stateful ▪ inbound rule isn’t required if connection initiated from VM

32. Kerala • Network Security Groups(NSG) ◦ Default rules (inbound) ▪

    AllowVNetInbound (VirtualNetwork, port: 0-65k, protocol: Any) ▪ AllowAzureLoadBalancerInbound (AzureLoadBalancer, port 0-65k, protocol: any) ▪ DenyAllInbound (0.0.0.0/0, port 0-65k, protocol: any) ◦ Default rules (outbound) ▪ AllowVnetOutbound (0.0.0.0/0, port 0-65k, protocol: any)

33. Kerala • Azure Firewall ◦ Managed network security service ◦

    Apply filtering rules on FQDN ◦ Inbound filtering on HTTP/S as well as RDP, SSH, FTP ◦ Use a first level of defense ◦ Chain with NSG for defense in depth approach

34. Kerala • Just in Time VM Access ◦ Lock down

    access to inbound traffic via NSG ◦ Request access to VM ▪ Azure checks for required RBAC permission • If true, modify NSG automatically & allow traffic • Revoke access after expiry • Note: Existing connections are not interrupted

35. Kerala • Just in Time VM Access ◦ How to

    request access? ▪ Via Azure Security Center ▪ Via VM Page ▪ Via PowerShell/API

36. Kerala • Azure Service Endpoints ◦ Typical service traffic goes

    over public IP ▪ Need for whitelisting, complicated security group rules ◦ Service Endpoint switches traffic to use private endpoints ◦ Further apply endpoint policies for fine-grained access

37. Kerala • Azure Service Endpoints ◦ Azure Service Endpoint policy

    gotchas ▪ Seems to support only Azure Storage for now, no other managed service supported ▪ Cannot apply on traffic from on-prem to Azure service ▪ Classic Storage Accounts are not supported

38. Kerala • Azure Security Center ◦ Unified Security Management system

    for Azure ◦ Let’s you improve security by reviewing and configuring recommended controls

39. Kerala

40. Kerala • References ◦ Subscription Decision Guide ◦ Security Defaults

    ◦ Common conditional access policies ◦ Cloud Adoption Framework Decision Guide – Encryption ◦ Azure best practices for Network Security

41. Kerala • References ◦ Azure Security Center ◦ Azure Advent

    Videos ▪ Azure Key Vault ▪ Azure Sentinel