Securing_Serverless_Applications_in_Azure.pdf

Transcript

1. Serverless Applications Securing In Azure

2. About me @SjoukjeZaal https://www.sjoukjezaal.com Sjoukje Zaal Managing Consultant / Azure

   MVP

3. © 2020 Sjoukje Zaal Securing Functions Demo Securing Logic Apps

   Demo Azure AD & Graph Demo Monitoring Demo Step 05 Step 04 Step 03 What & Why Scenario Step 02 Step 01 Agenda

4. © 2020 Sjoukje Zaal What is Serverless Serverless is simplicity,

   but not necessarily simpler​ Source: Paul Johnston (former AWS Serverless developer advocate)​ Remember, there are NO servers!​ Source: Jeff Hollan (Microsoft PM Azure Functions)

5. © 2020 Sjoukje Zaal Microsoft Serverless Offering Azure Functions Run

   custom code on demand and at scale in the cloud. The runtime is completely open source and can run everywhere. Cosmos DB A globally distributed, multi-model database service that supports document, key-value, wide-column, and graph databases. Event Hubs Fully managed, real-time data ingestion service. Stream millions of events per second from any source. Event Grid Fully managed event routing service from Azure services or from your own apps. Logic Apps Workflow orchestration. Specify the process steps how to run your serverless application. Azure Storage Provides durable, highly available, and massively scalable cloud storage. Key Vault Secure key management, use to encrypt keys and small secrets like passwords. Cognitive Services Adds intelligent features such as vision face and speech recognition into your app.. Azure Search Search-as-a-service solution to build search experiences into web and mobile applications.

6. © 2020 Sjoukje Zaal Serverless Architecture A serverless architecture includes

   the platform, related services, and development tools​

7. © 2020 Sjoukje Zaal Reduce costs Focus on code Faster

   Fully Managed Why use Serverless?

8. © 2020 Sjoukje Zaal Current scenario Contoso developed a serverless

   application that adds external customers to the Azure tenant and makes a custom marketing application available for the customers. Only Contoso employees can use the serverless application. They have used a Logic App to create the application. After an audit of the security department, the current solution does not comply with the organizations security and compliance regulations.

9. © 2020 Sjoukje Zaal x t x b All users

   with the link to the Logic App can access it The Logic App can be accessed by all types of applications The Tenant ID, App ID and App Secret are hard-coded in the Logic App No monitoring is setup for the applications Security issues Discovered by the security department

10. © 2020 Sjoukje Zaal Future scenario

11. © 2020 Sjoukje Zaal z 8 6 ( Technical Security

    Building Blocks 01 Step 02 Step 03 Step 04 Step Azure Functions Secured using built-in authentication mechanism Managed Identities Accessing Azure resources securely Azure Key Vault Securely storing credentials Azure AD & Graph Register and Azure AD application and set permissions

12. © 2020 Sjoukje Zaal Step 1

13. © 2020 Sjoukje Zaal Functions Choose your App Service plan

    Use built-in Authentication and authorization Use custom SSL / domain Logic Apps Consumption model Uses a SAS token API Management Functions & Logic Apps Security feature and capability differences

14. © 2020 Sjoukje Zaal Authorization Authentication Options Azure Active Directory

    Microsoft accounts Social Media Identity accounts ClaimsPrincipal binding data Application Gateway (WAF) API Management Application Insights Azure Functions security

15. © 2019 Sjoukje Zaal Demo Securing Functions

16. © 2020 Sjoukje Zaal Created the message queue To store

    new requests Created a request using an Azure AD registered user Passing on the ClaimsPrincipal Changed the authorization level for the function Enabled authentication / authorization for the Function Created the Function To initialize the workflow Step 1 Demo summary Step 2 Step 3 Step 4 Step 5

17. © 2020 Sjoukje Zaal Step 2

18. © 2020 Sjoukje Zaal Secure Azure Logic Apps security Authentication

    Azure AD Graph Managed Identities Integration Service Environment (ISE) Secure Outputs (Preview) Options Application Gateway (WAF) API Management Log Analytics Monitor &

19. © 2020 Sjoukje Zaal x t x b Feature in

    Azure AD Keeps credentials secure System and user- assigned managed identity Authenticate to any service Managed Identities A primary resource in Azure AD

20. © 2020 Sjoukje Zaal x t x b Increase security

    No direct access to keys Automate certificate tasks Use validated HSMs Azure Key Vault

21. © 2019 Sjoukje Zaal Demo Securing Logic Apps

22. © 2020 Sjoukje Zaal Created a system assigned managed identity

    Retrieving and parsing the queue message Into variables Created a new Logic App Using the Queue Trigger Connected to the queue using the managed identity Added the managed identity to the Key Vault Step 1 Demo summary Step 2 Step 3 Step 4 Step 5

23. © 2020 Sjoukje Zaal Step 3

24. © 2020 Sjoukje Zaal x t x b Azure AD

    registration OAuth 2.0 Authorization Framework App Permissions Microsoft Graph API Azure AD Application

25. © 2020 Sjoukje Zaal Microsoft Graph • Azure Active Directory

    • Office 365 • Enterprise Mobility & Security • Windows 10 • Dynamics 365

26. © 2020 Sjoukje Zaal OAuth 2.0 client credentials grant

27. © 2019 Sjoukje Zaal Demo Azure AD MS Graph

28. © 2020 Sjoukje Zaal Created an Azure AD Application Set

    the application permissions Created a guest user in Azure AD Generated an Access token Retrieved Key Vault secrets in Logic App Enabled Secure Outputs Added the Tenant ID, App ID, and App Secret to the Key Vault Step 1 Demo summary Step 2 Step 3 Step 4 Step 5

29. © 2020 Sjoukje Zaal Step 4

30. © 2020 Sjoukje Zaal 3 2 1 Monitoring Serverless Apps

    Log Analytics Used by the Logic App Azure Monitor Aggregates and displays (log) data from several resources Application Insights Used by the Azure Function

31. © 2020 Sjoukje Zaal Application Insights

32. © 2020 Sjoukje Zaal x t x b Unique environment

    for Azure Monitor log data Integrated in Azure Monitor Kusto query language (KQL) Collects data of different Azure resources Log Analytics

33. © 2020 Sjoukje Zaal Azure Monitor

34. © 2020 Sjoukje Zaal Demo Monitoring applications

35. © 2020 Sjoukje Zaal Navigated to Azure Monitor in the

    Azure portal Looked at Log Analytics capabilities Looked at Application Insights capabilities Step 1 Demo summary Step 2 Step 3

36. © 2020 Sjoukje Zaal 01 02 03 Azure Functions only

    support Azure AD v1 Azure Function need to be configured for anonymous access Logic Apps Key Vault Connector doesn’t support Managed Identities b C s Wrap up Key takeaways

37. ? any Are there questions?