
Securing workloads on Azure

With the advent of cloud computing and public cloud providers like Azure, it's easy to get started and deploy your apps in no time. Security remains an afterthought and doesn't get looked at until it's too late. This talk looks at some of the guidelines to follow when improving the security of your workloads.

Catch the video on demand at https://aka.ms/secgen

Sathya

May 29, 2020
Transcript

  1. Securing Azure Workloads

  2. Kerala
    ● Sathyajith Bhat
    ● SRE, Adobe I/O
    ● Author, Practical Docker With Python
    ● AWS Community Hero

  3. Definitions
    ● IaaS
    ○ Infrastructure as a Service
    ○ Cloud computing provider manages the physical infrastructure
    ○ Customer manages end-to-end, from the OS to the application

  4. Definitions
    ● PaaS
    ○ Platform as a Service
    ○ Cloud computing provider manages a platform, including the OS and the infrastructure
    ○ Customer manages the dev tooling and the application

  5. Definitions
    ● SaaS
    ○ Software as a Service
    ○ Cloud computing provider provisions and manages the application
    ○ Customer uses the application, sets up user auth, etc.

  6. What to look at for securing your workloads?
    ○ Identity & Access Management
    ○ Infrastructure & Application
    ○ Network Security

  7. Identity Management
    ○ Subscriptions
    ○ MFA (Multi-Factor Authentication)
    ○ RBAC

  8. Subscriptions
    ○ Logical container for resources
    ○ Don't put all your resources in one subscription separated only by resource groups
    ○ Design strategies:
    ■ Workload separation
    ■ Application category
    ■ Functional strategy
    ■ BU strategy

  9. Subscriptions
    ○ Design strategies
    ■ Mixed strategy
    ○ Read more

  10. MFA (Multi-Factor Authentication)
    ○ Use a password plus a second factor (hardware key, one-time code, biometrics)
    ○ Azure supports:
    ■ Authenticator app
    ■ OATH hardware token
    ■ SMS/voice calls

  11. Security Defaults / Conditional Access
    ● Security Defaults
    ○ Applies preconfigured security settings
    ■ MFA for all users, block legacy auth
    ● Conditional Access
    ○ For more granularity on when additional auth is needed, or for user exclusions
    ○ Example: exclude break-glass / emergency access accounts

  12. Role Based Access Control (RBAC)
    ○ Fine-grained access to various resources
    ○ Roles
    ■ Owner, Contributor, Reader, custom
    ○ Security principal
    ■ User, group, managed identity, service principal
    ○ Scope
    ■ The set of resources the access applies to

  13. Role Based Access Control (RBAC)
    ○ Role assignment: a role granted to a security principal at a scope

  14. Role Based Access Control (RBAC)
    ○ Create groups (DBA, Network Admins)
    ○ Assign access to the group
    ○ Scope as broadly or as narrowly as you want:
    ■ From management group/subscription down to individual resources

  15. Infrastructure Security
    ○ Encryption
    ○ Backup
    ○ Secure machine images
    ○ Secure container images
    ○ Azure Key Vault
    ○ Virtual networking

  16. Encryption at Rest
    ○ Azure Disk Encryption
    ○ Server-side encryption / client-side encryption
    ■ Disks are encrypted out of the box with platform-managed keys
    ■ Supports customer-managed keys using envelope encryption
    ● Disk encryption using dm-crypt (Linux) and BitLocker (Windows)
    ● Keys saved in Key Vault

  17. Encryption at Rest
    ○ Azure Blob Storage encryption
    ■ Storage Service Encryption, enabled for all accounts by default using platform-managed keys
    ■ Supports customer-managed keys, with the keys stored in Key Vault
    ■ (Preview) Customer-provided keys: you provide the key for Blob Storage, and Blob Storage transparently encrypts with it

  18. Backup
    ○ Azure Managed Backup
    ■ Backs up the entire VM using snapshots on a prescribed schedule
    ■ Prerequisites:
    ● VMSnapshot extension (Windows)
    ● VMSnapshotLinux extension (Linux)
    ■ Backups saved to a Recovery Services vault

  19. Secure Images
    ○ Azure Marketplace hosts virtual machine images
    ○ Recommended: build your own images
    ■ Patch with updates
    ■ Use HashiCorp Packer to build your images

  20. Secure Containers
    ○ Build your own Docker images
    ○ Use Azure Container Registry to store the images
    ○ Scan the images for vulnerabilities (ACR does this on push)
    ■ Third-party scanners
    ● Paid: Aqua, Prisma Cloud (née Twistlock)
    ● Open source: Anchore, Clair, Dagda, Trivy

  21. Azure Key Vault
    ○ Managed secrets solution for:
    ■ Secrets management: store API keys, tokens, passwords
    ■ Key management: store cryptographic keys
    ■ Certificate management: provision/manage TLS certificates
    ○ Monitor how and when secrets are accessed
    ■ Send logs to storage accounts / Azure Monitor logs

  22. Azure Key Vault
    ○ Integrated with other Azure services
    ■ Reference the key vault and secret name in ARM templates to inject secrets during provisioning
    ■ Create a managed identity to authenticate your VMs
    ● Let your applications fetch secrets instead of hard-coding them

  23. Azure Key Vault
    ○ Guidelines
    ■ RBAC is your friend; use the least-privilege access principle
    ■ Use VNet service endpoints
    ■ Separate Key Vault per application, per environment
    ■ Enable soft delete for recovery from accidental deletion
    ● Gotcha: with soft delete, the deleted key vault is not listed in the portal, but a key vault with the same name cannot be created
    ■ Optionally, enable purge protection

  24. Azure Key Vault
    ○ Demo on how to fetch secrets without embedding keys
    ○ https://h2100discord.azurewebsites.net/api/hiway_to_discord?name=Everyone

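The two Key Vault integrations from slides 22 and 24 (an ARM parameter that references a secret at deployment time, and an application fetching a secret through a managed identity at run time), as an added example that is not the talk's demo code. Subscription id, resource group, vault and secret names are constructed placeholders; the Azure SDK imports are deferred so the pure helpers run without it installed.

```python
import json


def keyvault_url(vault_name: str) -> str:
    """Data-plane URL of a vault in the Azure public cloud."""
    return f"https://{vault_name}.vault.azure.net/"


def arm_secret_parameter(subscription_id: str, resource_group: str,
                         vault_name: str, secret_name: str) -> dict:
    """ARM parameter-file entry that pulls a secret from Key Vault during
    deployment, so the value never sits in the template or in source control.
    The vault must be enabled for template deployment for this to resolve."""
    vault_id = (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
                f"/providers/Microsoft.KeyVault/vaults/{vault_name}")
    return {"reference": {"keyVault": {"id": vault_id}, "secretName": secret_name}}


def fetch_secret(vault_name: str, secret_name: str) -> str:
    """Run-time path: DefaultAzureCredential picks up the VM's managed identity,
    so the application carries no credential of its own (slide 22).
    Requires the azure-identity and azure-keyvault-secrets packages."""
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient
    client = SecretClient(vault_url=keyvault_url(vault_name),
                          credential=DefaultAzureCredential())
    return client.get_secret(secret_name).value


if __name__ == "__main__":
    # Constructed placeholder identifiers, not values from the talk.
    param = arm_secret_parameter("00000000-0000-0000-0000-000000000000",
                                 "rg-demo", "kv-demo-prod", "discord-webhook")
    print(json.dumps({"parameters": {"discordWebhook": param}}, indent=2))
```
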
  25. Network Security
    ○ VNets
    ○ Network Security Groups (NSG)
    ○ Azure Firewall
    ○ Just-in-Time VM Access
    ○ Azure Service Endpoints
    ○ DDoS Protection

  26. VNets
    ○ RFC 1918 compliant custom private address space
    ○ Break it into subnets and deploy Azure resources to specific subnets
    ○ A VNet is scoped to a subscription, further limiting access
    ○ Unrestricted outbound to the internet by default
    ■ Inbound communication via Standard Load Balancer or public IP

  27. VNet Guidelines
    ○ Don't have overlapping address spaces
    ○ Reserve some space for the future; you can't resize a subnet
    ○ Filter traffic to subnets with Network Security Groups to limit access
    ○ Communication to other resources:
    ■ VNet peering within Azure
    ■ Azure Service Endpoints
    ■ VPN / ExpressRoute

  28. Network Security Groups (NSG)
    ○ Consist of security rules that allow or deny inbound/outbound traffic
    ○ Specify source, destination and protocol
    ■ Source/destination can be service tags, IP addresses or Application Security Groups
    ○ Evaluated by priority using the 5-tuple
    ■ Source, source port, destination, destination port, protocol
    ○ Rules are stateful
    ■ An inbound rule isn't required if the connection is initiated from the VM

  29. Network Security Groups (NSG)
    ○ Default rules (inbound)
    ■ AllowVNetInbound (source: VirtualNetwork, ports 0-65535, protocol: any)
    ■ AllowAzureLoadBalancerInbound (source: AzureLoadBalancer, ports 0-65535, protocol: any)
    ■ DenyAllInbound (source: 0.0.0.0/0, ports 0-65535, protocol: any)
    ○ Default rules (outbound)
    ■ AllowVnetOutbound (0.0.0.0/0, ports 0-65535, protocol: any)

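A small simulator of the priority-ordered, first-match evaluation described on slides 28 and 29, added here as an example and not code from the talk. It models only the inbound direction and the source, destination-port and protocol parts of the 5-tuple; the service-tag ranges, the VNet address space and the admin CIDR are constructed, and the custom rule shows how a single rule at priority 100 opens SSH to one range while the default DenyAllInbound still catches everything else.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: the address ranges each service tag resolves to in this VNet.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
}

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first; custom rules use 100-4096
    access: str        # "Allow" or "Deny"
    source: str        # service tag or CIDR
    dest_ports: str    # "*", a single port, or a range such as "0-65535"
    protocol: str      # "Tcp", "Udp" or "*" (any)

def _addr_matches(spec: str, addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    nets = SERVICE_TAGS.get(spec, [spec])   # a tag expands to its ranges, a CIDR to itself
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)

def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate_inbound(rules, src_ip: str, dst_port: int, protocol: str) -> Rule:
    """Return the first rule in priority order that matches the flow; evaluation stops there."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (_addr_matches(rule.source, src_ip)
                and _port_matches(rule.dest_ports, dst_port)
                and rule.protocol.lower() in ("*", protocol.lower())):
            return rule
    raise ValueError("no rule matched; the default rules should prevent this")

# The default inbound rules from the slide, at the priorities Azure assigns them.
DEFAULT_INBOUND = [
    Rule("AllowVNetInbound", 65000, "Allow", "VirtualNetwork", "0-65535", "*"),
    Rule("AllowAzureLoadBalancerInbound", 65001, "Allow", "AzureLoadBalancer", "0-65535", "*"),
    Rule("DenyAllInbound", 65500, "Deny", "0.0.0.0/0", "0-65535", "*"),
]
# Constructed custom rule: SSH only from an admin range; everything else from the internet stays denied.
SSH_FROM_ADMIN = Rule("AllowSSHFromAdmin", 100, "Allow", "198.51.100.0/24", "22", "Tcp")

if __name__ == "__main__":
    hit = evaluate_inbound(DEFAULT_INBOUND + [SSH_FROM_ADMIN], "203.0.113.5", 22, "Tcp")
    print(f"203.0.113.5:22/Tcp -> {hit.access} by {hit.name}")  # Deny by DenyAllInbound
```
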
  30. Azure Firewall
    ○ Managed network security service
    ○ Apply filtering rules on FQDNs
    ○ Inbound filtering on HTTP/S as well as RDP, SSH, FTP
    ○ Use as a first level of defense
    ○ Chain with NSGs for a defense-in-depth approach

  31. Just-in-Time VM Access
    ○ Lock down inbound traffic via NSG
    ○ Request access to the VM
    ■ Azure checks for the required RBAC permission
    ● If permitted, the NSG is modified automatically to allow the traffic
    ● Access is revoked after expiry
    ● Note: existing connections are not interrupted

  32. Just-in-Time VM Access
    ○ How to request access?
    ■ Via Azure Security Center
    ■ Via the VM page
    ■ Via PowerShell/API

  33. Azure Service Endpoints
    ○ Typical service traffic goes over public IPs
    ■ Requires whitelisting and complicated security group rules
    ○ Service Endpoints switch the traffic to private endpoints
    ○ Further apply endpoint policies for fine-grained access

  34. Azure Service Endpoints
    ○ Azure Service Endpoint policy gotchas
    ■ Seems to support only Azure Storage for now; no other managed service is supported
    ■ Cannot be applied to traffic from on-prem to an Azure service
    ■ Classic storage accounts are not supported

  35. Azure Security Center
    ○ Unified security management system for Azure
    ○ Lets you improve security by reviewing and configuring recommended controls

  36. References
    ○ Subscription Decision Guide
    ○ Security Defaults
    ○ Common conditional access policies
    ○ Cloud Adoption Framework Decision Guide – Encryption
    ○ Azure best practices for Network Security

  37. References
    ○ Azure Security Center
    ○ Azure Advent videos
    ■ Azure Key Vault
    ■ Azure Sentinel