
Securing workloads on Azure


With the advent of cloud computing and public cloud providers like Azure, it is easy to get started and deploy your apps in no time. Security often remains an afterthought and doesn't get looked at until it's too late. This talk looks at some of the guidelines to follow when improving the security of your workloads.

Catch the video on demand at https://aka.ms/secgen


May 29, 2020



  1. Securing Azure Workloads

  2. Kerala • Sathyajith Bhat • SRE, Adobe I/O • Author, Practical Docker With Python • AWS Community Hero
  4. Definitions
     • IaaS
       ◦ Infrastructure as a Service
       ◦ Cloud computing provider manages the physical infrastructure
       ◦ Customer manages everything end-to-end, from the OS to the application
  5. Definitions
     • PaaS
       ◦ Platform as a Service
       ◦ Cloud computing provider manages a platform, including the OS and the infrastructure
       ◦ Customer manages the dev tooling and the application
  6. Definitions
     • SaaS
       ◦ Software as a Service
       ◦ Cloud computing provider provisions and manages the application
       ◦ Customer uses the application and sets up user authentication, access, etc.
  9. What to look at for securing your workloads?
     ◦ Identity & Access Management
     ◦ Infrastructure & Application
     ◦ Network Security
  10. Identity Management
     ◦ Subscriptions
     ◦ MFA (Multi-Factor Authentication)
     ◦ RBAC
  11. Subscriptions
     ◦ Logical container for resources
     ◦ Don't put all your resources in one subscription separated only by resource groups: the subscription is the billing, quota and policy boundary, and a resource group alone does not give you that isolation
     ◦ Design strategies:
       ▪ Workload separation
       ▪ Application category
       ▪ Functional strategy
       ▪ BU (business unit) strategy
  12. Subscriptions
     ◦ Design strategies
       ▪ Mixed strategy
     ◦ Read more: Subscription Decision Guide (see references)
  13. MFA (Multi-Factor Authentication)
     ◦ Use a password plus a second factor (hardware key, one-time code, biometrics)
     ◦ Azure supports:
       ▪ Authenticator app
       ▪ OATH hardware token
       ▪ SMS/voice calls (the weakest of the three, since phone numbers can be ported or intercepted; prefer the app or a hardware token where you can)
  14. • Security Defaults
       ◦ Apply a preconfigured set of security settings
         ▪ MFA for all users, block legacy authentication
     • Conditional Access
       ◦ For more granularity on when additional authentication is required, or for user exclusions
       ◦ Example: exclude break-glass / emergency access accounts, so that a misconfigured policy cannot lock every administrator out
  15. Role Based Access Control (RBAC)
     ◦ Fine-grained access to various resources
     ◦ Roles
       ▪ Owner, Contributor, Reader, custom
     ◦ Security principal
       ▪ User, group, managed identity, service principal
     ◦ Scope
       ▪ Set of resources that the access applies to
  16. Role Based Access Control (RBAC)
     ▪ Role assignment: binds a security principal to a role at a scope
  17. Role Based Access Control (RBAC)
     ◦ Create groups (DBA, Network Admins)
     ◦ Assign the group the specific access it needs, rather than assigning individual users
     ◦ Scope as broad or as narrow as you want: management group, subscription, resource group, down to individual resources
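The three parts of a role assignment (security principal, role, scope) and the way a scope inherits down the hierarchy are easy to get wrong when reasoning about who can touch what. The following is an added example, not code from the talk: it models assignments to groups at management group, resource group and resource scope and resolves the roles a user effectively holds on a given resource. The tenant (management group chain, groups, users and resource IDs) is constructed for illustration.

```python
"""Resolve which Azure RBAC roles a principal effectively has on a resource.

Added example, not from the talk: it models the three parts of a role
assignment (security principal, role, scope) and scope inheritance down the
hierarchy management group -> subscription -> resource group -> resource.
All resource IDs, group names and users below are constructed.
"""
from dataclasses import dataclass

MG_PREFIX = "/providers/microsoft.management/managementgroups/"


@dataclass(frozen=True)
class Assignment:
    principal: str  # user, group, managed identity or service principal
    role: str       # Owner, Contributor, Reader or a custom role
    scope: str      # resource ID (or management group ID) the role applies at


def subscription_of(resource_id):
    """Subscription ID from an ARM resource ID, or None if it has none."""
    parts = resource_id.strip("/").split("/")
    if len(parts) >= 2 and parts[0].lower() == "subscriptions":
        return parts[1].lower()
    return None


def scope_covers(scope, resource_id, mg_parents):
    """True if a role assigned at `scope` applies to `resource_id`.

    `mg_parents` maps a subscription ID to its management group and a
    management group to its parent (constructed hierarchy).  Comparison is
    case-insensitive and on whole path segments, so '/subscriptions/sub-1'
    does not cover '/subscriptions/sub-10/...'.
    """
    scope = scope.rstrip("/").lower()
    resource_id = resource_id.rstrip("/").lower()
    if scope.startswith(MG_PREFIX):
        # Management groups are not a prefix of resource IDs: walk the tree.
        mg = mg_parents.get(subscription_of(resource_id))
        while mg:
            if MG_PREFIX + mg.lower() == scope:
                return True
            mg = mg_parents.get(mg)
        return False
    return resource_id == scope or resource_id.startswith(scope + "/")


def effective_roles(principal, memberships, assignments, mg_parents, resource_id):
    """Union of roles `principal` holds on `resource_id`, directly or via groups.

    Azure RBAC is additive: a role assignment never denies, so the
    effective access is the union of every matching assignment.
    """
    identities = {principal, *memberships.get(principal, ())}
    return {a.role for a in assignments
            if a.principal in identities
            and scope_covers(a.scope, resource_id, mg_parents)}


# Constructed tenant: one management group chain, groups instead of users.
MG_PARENTS = {"sub-prod-01": "mg-prod", "mg-prod": "mg-root"}
MEMBERSHIPS = {"alice": {"DBA", "Platform Team"},
               "carol": {"Network Admins", "Platform Team"}}
ASSIGNMENTS = [
    Assignment("Platform Team", "Reader", "/providers/Microsoft.Management/managementGroups/mg-prod"),
    Assignment("DBA", "Contributor", "/subscriptions/sub-prod-01/resourceGroups/rg-data"),
    Assignment("Network Admins", "Contributor", "/subscriptions/sub-prod-01/resourceGroups/rg-network"),
    Assignment("bob", "Owner", "/subscriptions/sub-prod-01/resourceGroups/rg-data/providers/Microsoft.Sql/servers/sqlsrv01"),
]
SQL_DB = "/subscriptions/sub-prod-01/resourceGroups/rg-data/providers/Microsoft.Sql/servers/sqlsrv01/databases/orders"
VNET_HUB = "/subscriptions/sub-prod-01/resourceGroups/rg-network/providers/Microsoft.Network/virtualNetworks/vnet-hub"


def roles_on(principal, resource_id):
    return effective_roles(principal, MEMBERSHIPS, ASSIGNMENTS, MG_PARENTS, resource_id)


if __name__ == "__main__":
    for who, res in [("alice", SQL_DB), ("alice", VNET_HUB), ("carol", VNET_HUB), ("bob", VNET_HUB)]:
        print(who, res.rsplit("/", 1)[-1], sorted(roles_on(who, res)))
```

Note the segment-wise prefix check: a naive `startswith` on the scope string would let an assignment on `sub-prod-01` leak onto a subscription named `sub-prod-010`, and management group scopes have to be resolved through the hierarchy because they never appear in a resource ID.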
  18. Infrastructure Security
     ◦ Encryption
     ◦ Backup
     ◦ Secure machine images
     ◦ Secure container images
     ◦ Azure Key Vault
     ◦ Virtual networking
  19. Encryption at Rest
     ◦ Azure Disk Encryption
       ▪ Encryption inside the VM using DM-Crypt (Linux) and BitLocker (Windows)
       ▪ Keys saved in Key Vault
     ◦ Server-side encryption / client-side encryption
       ▪ Managed disks are encrypted out of the box with platform-managed keys
       ▪ Supports customer-managed keys using envelope encryption, with the key stored in Key Vault
  20. Encryption at Rest
     ◦ Azure Blob Storage encryption
       ▪ Storage Service Encryption: enabled for all accounts by default using platform-managed keys
       ▪ Supports customer-managed keys, stored in Key Vault
       ▪ (Preview) Customer-provided keys: you supply the key with the request and Blob storage transparently encrypts and decrypts with it
  21. Backup
     ◦ Azure Backup (managed)
       ▪ Backs up the entire VM using snapshots, on a prescribed schedule
       ▪ Prerequisites:
         • VMSnapshot extension (Windows)
         • VMSnapshotLinux extension (Linux)
       ▪ Backups saved to a Recovery Services vault
  22. Secure Images
     ◦ Azure Marketplace hosts virtual machine images
     ◦ Recommended: build your own images
       ▪ Patch with the latest updates
       ▪ Use HashiCorp Packer to build your images
  23. Secure Containers
     ◦ Build your own Docker images
     ◦ Use Azure Container Registry (ACR) to store the images
     ◦ Scan the images for vulnerabilities (Azure Security Center scans images on push to ACR)
       ▪ Third-party scanners
         • Paid: Aqua, Prisma Cloud (formerly Twistlock)
         • Open source: Anchore, Clair, Dagda, Trivy
  24. Azure Key Vault
     ◦ Managed secrets solution for:
       ▪ Secrets management: store API keys, tokens, passwords
       ▪ Key management: create and control cryptographic keys (software or HSM-backed) used for encryption and signing
       ▪ Certificate management: provision and manage TLS certificates
     ◦ Monitor how and when secrets are accessed
       ▪ Send logs to storage accounts / Azure Monitor logs
  25. Azure Key Vault
     ◦ Integrated with other Azure services
       ▪ Reference the key vault and secret name in an ARM template to inject secrets during provisioning
       ▪ Create a managed identity to authenticate your VMs
         • Let your applications fetch secrets instead of hard-coding them
  26. Azure Key Vault
     ◦ Guidelines
       ▪ RBAC is your friend. Use the principle of least privilege
       ▪ Use VNet service endpoints
       ▪ Separate Key Vault per application, per environment
       ▪ Enable soft delete to recover from accidental deletion
         • Gotcha: a soft-deleted key vault is no longer listed in the portal, but its name stays reserved, so a key vault with the same name cannot be created until the old one is recovered or purged
       ▪ Optionally, enable purge protection
  27. Azure Key Vault
     ◦ Demo on how to fetch secrets without embedding keys
     ◦ https://h2100discord.azurewebsites.net/api/hiway_to_discord?name=Everyone
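The demo above is not reproduced here; the following is an added example, not code from the talk, of the mechanism slides 25 and 27 describe: a VM with a managed identity fetches a secret without any credential in its code or config. It uses only the standard library and two documented endpoints, the Instance Metadata Service token endpoint (which requires the `Metadata: true` header and is only reachable from inside the VM) and the Key Vault REST API. The vault name and secret name are placeholders, and the `transport` parameter exists so the two-step exchange can be exercised offline with canned responses.

```python
"""Fetch a secret from Azure Key Vault with a VM's managed identity.

Added example, not the talk's demo.  Step 1: ask the Instance Metadata
Service (IMDS) for an access token scoped to Key Vault.  Step 2: call the
Key Vault REST API with that bearer token.  Nothing secret is embedded:
the token is issued because the VM's managed identity has access to the
vault.  Vault and secret names below are placeholders.
"""
import json
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
KEY_VAULT_RESOURCE = "https://vault.azure.net"


def http_get_json(url, headers):
    """Default transport: plain GET, parsed JSON body."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def imds_token_url(resource=KEY_VAULT_RESOURCE, api_version="2018-02-01"):
    query = urllib.parse.urlencode({"api-version": api_version, "resource": resource})
    return f"{IMDS_TOKEN_URL}?{query}"


def secret_url(vault_name, secret_name, api_version="7.0"):
    # Secret names are restricted to [A-Za-z0-9-]; quoting is belt and braces.
    return (f"https://{vault_name}.vault.azure.net/secrets/"
            f"{urllib.parse.quote(secret_name, safe='')}?api-version={api_version}")


def get_managed_identity_token(resource=KEY_VAULT_RESOURCE, transport=http_get_json):
    """Step 1: IMDS only answers requests carrying 'Metadata: true', which
    stops the call from being proxied or redirected from outside the VM."""
    body = transport(imds_token_url(resource), {"Metadata": "true"})
    return body["access_token"]


def get_secret(vault_name, secret_name, transport=http_get_json):
    """Step 2: present the token as a bearer token to the vault."""
    token = get_managed_identity_token(transport=transport)
    body = transport(secret_url(vault_name, secret_name),
                     {"Authorization": f"Bearer {token}"})
    return body["value"]


if __name__ == "__main__":
    # Runs only on an Azure VM whose managed identity can read the vault.
    print(get_secret("kv-demo-app", "discord-webhook"))
```

The access token is short-lived and is never written anywhere; if the VM's identity is removed from the vault's access policy, the same code fails at step 2 without any redeploy. Restricting the vault with a service endpoint (slide 26) then makes the second call possible only from the intended subnet.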
  28. Network Security
     ◦ VNets
     ◦ Network Security Groups (NSG)
     ◦ Azure Firewall
     ◦ Just-in-Time VM Access
     ◦ Azure Service Endpoints
     ◦ DDoS Protection
  29. VNets
     ◦ Custom private address space (RFC 1918)
     ◦ Break into subnets, deploy Azure resources to specific subnets
     ◦ A VNet is scoped to a subscription (and region), further limiting access
     ◦ Unrestricted outbound to the internet by default
       ▪ Inbound communication via a Standard Load Balancer or a public IP
  30. VNet guidelines:
     ◦ Don't have overlapping address spaces (peering and VPN connections require disjoint ranges)
     ◦ Reserve some space for the future. A subnet that has resources in it can't be resized
     ◦ Filter traffic with Network Security Groups applied to subnets to limit access
     ◦ Communication to other resources:
       ▪ VNet peering within Azure
       ▪ Azure Service Endpoints
       ▪ VPN / ExpressRoute
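The first two guidelines are cheap to check before anything is provisioned and expensive to fix afterwards. The following is an added example, not from the talk: it validates a VNet layout against the address spaces it will peer with, rejects subnets that fall outside the VNet or overlap each other, reports the usable hosts per subnet (Azure reserves five addresses in every subnet), and lists the CIDR blocks still free for future subnets. All address ranges and subnet names are constructed.

```python
"""Sanity-check a VNet address plan before provisioning it.

Added example, not from the talk.  Checks the guidelines above: no overlap
with address spaces you peer or connect with, subnets inside the VNet and
disjoint from each other, and how much space is left for future growth.
All ranges are constructed.
"""
import ipaddress

AZURE_RESERVED_PER_SUBNET = 5  # Azure keeps the first 4 and the last address of every subnet


def plan_vnet(address_space, subnets, peered_spaces=()):
    """Return {'errors': [...], 'free': [...], 'usable': {...}} for a layout.

    `subnets` maps subnet name -> CIDR.  `peered_spaces` are ranges of other
    VNets or on-prem networks this VNet must not overlap with.
    """
    vnet = ipaddress.ip_network(address_space, strict=True)
    errors = []
    for peer in peered_spaces:
        if vnet.overlaps(ipaddress.ip_network(peer)):
            errors.append(f"{vnet} overlaps peered space {peer}")

    accepted = {}
    for name, cidr in subnets.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if not net.subnet_of(vnet):
            errors.append(f"subnet {name} {net} is outside {vnet}")
            continue
        clash = [other_name for other_name, other in accepted.items() if net.overlaps(other)]
        if clash:
            errors.append(f"subnet {name} {net} overlaps {', '.join(clash)}")
            continue
        accepted[name] = net

    # Carve every accepted subnet out of the VNet; what remains is free.
    free = [vnet]
    for net in accepted.values():
        remaining = []
        for block in free:
            if net.subnet_of(block):
                remaining.extend(block.address_exclude(net))
            elif not block.subnet_of(net):   # disjoint from the subnet: keep
                remaining.append(block)
            # a block inside the subnet is fully consumed and dropped
        free = remaining
    free.sort(key=lambda n: (n.prefixlen, n.network_address))  # largest first

    usable = {name: net.num_addresses - AZURE_RESERVED_PER_SUBNET
              for name, net in accepted.items()}
    return {"errors": errors, "free": [str(n) for n in free], "usable": usable}


# Constructed hub layout: three /24 tiers, peered with a 10.20.0.0/16 spoke.
PLAN = plan_vnet("10.10.0.0/16",
                 {"snet-web": "10.10.0.0/24", "snet-app": "10.10.1.0/24", "snet-data": "10.10.2.0/24"},
                 peered_spaces=["10.20.0.0/16"])

if __name__ == "__main__":
    print(PLAN)
```

Because CIDR blocks either nest or are disjoint, carving subnets out of the VNet never leaves a partially covered block, which is why the loop needs only the two tests shown.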
  31. Network Security Groups (NSG)
     ◦ Consist of security rules that allow or deny inbound/outbound traffic
     ◦ Specify source, destination and protocol
       ▪ Source/destination can be service tags, IP addresses or Application Security Groups
     ◦ Evaluated in priority order (lowest number first) on the 5-tuple
       ▪ Source, source port, destination, destination port, protocol
     ◦ Rules are stateful
       ▪ An inbound rule isn't required for replies to a connection initiated from the VM
  32. Network Security Groups (NSG)
     ◦ Default rules (inbound)
       ▪ AllowVNetInBound (priority 65000: source VirtualNetwork, destination VirtualNetwork, ports 0-65535, protocol any)
       ▪ AllowAzureLoadBalancerInBound (65001: source AzureLoadBalancer, destination any, ports 0-65535, protocol any)
       ▪ DenyAllInBound (65500: source any, destination any, ports 0-65535, protocol any)
     ◦ Default rules (outbound)
       ▪ AllowVnetOutBound (65000: source VirtualNetwork, destination VirtualNetwork, ports 0-65535, protocol any)
       ▪ AllowInternetOutBound (65001: source any, destination Internet, ports 0-65535, protocol any)
       ▪ DenyAllOutBound (65500: source any, destination any, ports 0-65535, protocol any)
     ◦ Default rules can't be deleted, but a custom rule with a higher priority (lower number) overrides them
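To make the evaluation order, the service tags and the stateful behaviour of slides 31 and 32 concrete, the following is an added example, not from the talk: a small NSG evaluator that merges custom rules with the six default rules, matches the 5-tuple by priority, and tracks allowed flows so that replies pass without an inbound rule. The service tag ranges and all sample rules, addresses and flows are constructed; the `Internet` tag is approximated as "any address outside the VNet space".

```python
"""Evaluate NSG rules the way the slides describe them.

Added example, not from the talk: rules are matched by priority on the
5-tuple, sources/destinations may be service tags, the six default rules
sit behind any custom rules, and reply traffic of an allowed flow needs no
rule of its own.  Service tag ranges, sample rules, addresses and flows are
constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed resolution of service tags (Azure maintains the real lists).
VNET_SPACE = ["10.10.0.0/16"]
SERVICE_TAGS = {
    "VirtualNetwork": VNET_SPACE,
    "AzureLoadBalancer": ["168.63.129.16/32"],  # Azure load balancer / health probe source
    "*": ["0.0.0.0/0"],
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # lower number wins; custom 100-4096, defaults 65000+
    direction: str         # "Inbound" or "Outbound"
    access: str            # "Allow" or "Deny"
    protocol: str          # "Tcp", "Udp", "Icmp" or "*"
    source: str            # CIDR, IP, service tag or "*"
    source_port: str       # "22", "1024-65535", "80,443" or "*"
    destination: str
    destination_port: str


DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]


def addr_matches(spec, ip):
    ip = ipaddress.ip_address(ip)
    if spec == "Internet":  # approximation: anything not inside the VNet
        return not any(ip in ipaddress.ip_network(c) for c in VNET_SPACE)
    return any(ip in ipaddress.ip_network(c, strict=False)
               for c in SERVICE_TAGS.get(spec, [spec]))


def port_matches(spec, port):
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules, direction, protocol, src, sport, dst, dport):
    """(access, rule name) of the first rule, by priority, matching the flow."""
    candidates = sorted((r for r in [*rules, *DEFAULT_RULES] if r.direction == direction),
                        key=lambda r: r.priority)
    for r in candidates:
        if (r.protocol in ("*", protocol)
                and addr_matches(r.source, src) and addr_matches(r.destination, dst)
                and port_matches(r.source_port, sport) and port_matches(r.destination_port, dport)):
            return r.access, r.name
    return "Deny", "<no rule>"  # unreachable while the default rules are present


class StatefulNsg:
    """Remembers allowed flows so their replies pass without a rule of their own."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()

    def packet(self, direction, protocol, src, sport, dst, dport):
        reverse = ("Outbound" if direction == "Inbound" else "Inbound", protocol, dst, dport, src, sport)
        if reverse in self.flows:
            return "Allow", "<established>"
        access, name = evaluate(self.rules, direction, protocol, src, sport, dst, dport)
        if access == "Allow":
            self.flows.add((direction, protocol, src, sport, dst, dport))
        return access, name


# Constructed custom rules: SSH only from a bastion subnet (the defaults deny
# everything else inbound), and a rule removing the unrestricted outbound
# internet access that AllowInternetOutBound grants by default.
CUSTOM_RULES = [
    Rule("AllowSshFromBastion", 100, "Inbound", "Allow", "Tcp", "10.10.250.0/24", "*", "*", "22"),
    Rule("DenyInternetOutBound", 4000, "Outbound", "Deny", "*", "*", "*", "Internet", "*"),
]
```

Two things worth noticing when running it: with only the default rules, any VM can reach the internet outbound (the second custom rule is what closes that), and a reply from an internet host to a connection the VM opened is allowed by the flow table even though the same packet evaluated on its own hits DenyAllInBound.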
  33. Azure Firewall
     ◦ Managed network security service
     ◦ Apply filtering rules on FQDN (application rules for outbound traffic)
     ◦ Inbound filtering on HTTP/S as well as RDP, SSH, FTP (via DNAT rules)
     ◦ Use as a first layer of defense
     ◦ Chain with NSGs for a defense-in-depth approach
  34. Just-in-Time VM Access
     ◦ Lock down inbound traffic via NSG
     ◦ Request access to the VM
       ▪ Azure checks for the required RBAC permission
         • If granted, the NSG is modified automatically to allow the traffic
         • Access is revoked after expiry
         • Note: existing connections are not interrupted when the rule is removed
  35. Just-in-Time VM Access
     ◦ How to request access?
       ▪ Via Azure Security Center
       ▪ Via the VM page
       ▪ Via PowerShell / REST API
  36. Azure Service Endpoints
     ◦ Traffic to Azure services typically goes to their public IP
       ▪ Need for allow-listing, complicated security group rules
     ◦ A service endpoint routes traffic from the subnet to the service over the Azure backbone and lets the service restrict access to that subnet
     ◦ Further apply service endpoint policies for fine-grained access
  37. Azure Service Endpoints
     ◦ Service endpoint policy gotchas
       ▪ Seems to support only Azure Storage for now; no other managed service supported
       ▪ Cannot be applied to traffic from on-prem to an Azure service
       ▪ Classic storage accounts are not supported
  38. Azure Security Center
     ◦ Unified security management system for Azure
     ◦ Lets you improve security by reviewing and configuring recommended controls
  40. References
     ◦ Subscription Decision Guide
     ◦ Security Defaults
     ◦ Common conditional access policies
     ◦ Cloud Adoption Framework Decision Guide: Encryption
     ◦ Azure best practices for Network Security
  41. References
     ◦ Azure Security Center
     ◦ Azure Advent videos
       ▪ Azure Key Vault
       ▪ Azure Sentinel