


Serverless is all about unleashing developer productivity by reducing the management burden and allowing you to focus on the application logic. But even for serverless applications, security is key!

In this session Sjoukje will guide you on how to secure your serverless applications. We are going to take a look at the different options for securing your serverless apps, such as using Azure Key Vault, ClaimsPrincipal binding data for Azure Functions and much more.

Sjoukje Zaal

January 29, 2020



  1. © 2020 Sjoukje Zaal. Agenda: What & Why; Scenario; Step 01 to Step 05; demos: Securing Functions, Securing Logic Apps, Azure AD & Graph, Monitoring.
  2. What is Serverless? "Serverless is simplicity, but not necessarily simpler" (source: Paul Johnston, former AWS Serverless developer advocate). "Remember, there are NO servers!" (source: Jeff Hollan, Microsoft PM Azure Functions).
  3. Microsoft Serverless Offering:
    • Azure Functions: run custom code on demand and at scale in the cloud. The runtime is completely open source and can run everywhere.
    • Cosmos DB: a globally distributed, multi-model database service that supports document, key-value, wide-column, and graph databases.
    • Event Hubs: fully managed, real-time data ingestion service. Stream millions of events per second from any source.
    • Event Grid: fully managed event routing service for events from Azure services or from your own apps.
    • Logic Apps: workflow orchestration. Specify the process steps for how to run your serverless application.
    • Azure Storage: provides durable, highly available, and massively scalable cloud storage.
    • Key Vault: secure key management, used to encrypt keys and small secrets like passwords.
    • Cognitive Services: adds intelligent features such as vision, face and speech recognition into your app.
    • Azure Search: search-as-a-service solution to build search experiences into web and mobile applications.
  4. Serverless Architecture: a serverless architecture includes the platform, related services, and development tools.
  5. Why use Serverless? Reduce costs; focus on code; faster; fully managed.
  6. Current scenario: Contoso developed a serverless application that adds external customers to the Azure tenant and makes a custom marketing application available for the customers. Only Contoso employees can use the serverless application. They have used a Logic App to create the application. After an audit by the security department, the current solution does not comply with the organization's security and compliance regulations.
  7. Security issues discovered by the security department:
    • All users with the link to the Logic App can access it.
    • The Logic App can be accessed by all types of applications.
    • The Tenant ID, App ID and App Secret are hard-coded in the Logic App.
    • No monitoring is set up for the applications.
  8. Technical Security Building Blocks:
    • Step 01, Azure Functions: secured using the built-in authentication mechanism.
    • Step 02, Managed Identities: accessing Azure resources securely.
    • Step 03, Azure Key Vault: securely storing credentials.
    • Step 04, Azure AD & Graph: register an Azure AD application and set permissions.
  9. Functions & Logic Apps: security feature and capability differences.
    • Functions: choose your App Service plan; use built-in authentication and authorization; use custom SSL / domain.
    • Logic Apps: consumption model; uses a SAS token; API Management.
  10. Azure Functions security:
    • Authentication options: Azure Active Directory, Microsoft accounts, social media identity accounts.
    • Authorization: ClaimsPrincipal binding data.
    • Application Gateway (WAF), API Management, Application Insights.
  11. Demo summary (Step 1 to Step 5):
    • Created the Function to initialize the workflow.
    • Enabled authentication / authorization for the Function.
    • Changed the authorization level for the function.
    • Created a request using an Azure AD registered user, passing on the ClaimsPrincipal.
    • Created the message queue to store new requests.
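The Functions demo summarized on slide 11 (built-in authentication enabled, authorization level set to anonymous, the ClaimsPrincipal passed on, each request stored on a queue) written out as code. This is an added example, not code from the deck: an in-process C# Azure Function (v3 programming model, Microsoft.Azure.WebJobs attributes). The function name AddCustomer, the queue name customer-requests, the app setting CONTOSO_TENANT_ID and the JSON body shape are all assumptions for the example.

```csharp
using System;
using System.Security.Claims;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Extensions.Logging;

public static class AddCustomerFunction
{
    // Assumed request shape; the deck does not show the demo's message format.
    public class CustomerRequest
    {
        public string Email { get; set; }
        public string DisplayName { get; set; }
    }

    [FunctionName("AddCustomer")]
    public static async Task<IActionResult> Run(
        // Authorization level is Anonymous: App Service Authentication (Easy Auth) in front of the
        // Function App rejects unauthenticated callers before the function runs, so function keys
        // are not the gate here (the deck's key takeaway 02).
        [HttpTrigger(AuthorizationLevel.Anonymous, "post", Route = "customers")] HttpRequest req,
        // ClaimsPrincipal binding data: the runtime builds it from the identity Easy Auth passes on.
        ClaimsPrincipal principal,
        // Queue output binding; "customer-requests" is an assumed queue name.
        [Queue("customer-requests")] IAsyncCollector<string> queue,
        ILogger log)
    {
        // Fail closed if no identity arrived, e.g. Easy Auth was left on "allow anonymous requests".
        if (principal?.Identity == null || !principal.Identity.IsAuthenticated)
        {
            return new UnauthorizedResult();
        }

        // Only Contoso employees may use the app. Easy Auth configured for a single tenant already
        // enforces this; comparing the tenant id claim guards against that setting drifting.
        // Easy Auth may surface the claim as the short "tid" or the long schema URI, so check both.
        string expectedTenant = Environment.GetEnvironmentVariable("CONTOSO_TENANT_ID"); // assumed app setting
        string callerTenant = principal.FindFirst("tid")?.Value
            ?? principal.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid")?.Value;
        if (string.IsNullOrEmpty(expectedTenant) || callerTenant != expectedTenant)
        {
            return new StatusCodeResult(StatusCodes.Status403Forbidden);
        }

        CustomerRequest body;
        try
        {
            body = await JsonSerializer.DeserializeAsync<CustomerRequest>(
                req.Body, new JsonSerializerOptions { PropertyNameCaseInsensitive = true });
        }
        catch (JsonException)
        {
            return new BadRequestObjectResult("Body must be JSON with email and displayName.");
        }
        if (body == null || string.IsNullOrWhiteSpace(body.Email))
        {
            return new BadRequestObjectResult("email is required.");
        }

        // Record who made the request from the token, never from the request body.
        string requestedBy = principal.Identity.Name
            ?? principal.FindFirst("preferred_username")?.Value
            ?? "unknown";

        string message = JsonSerializer.Serialize(new
        {
            email = body.Email,
            displayName = body.DisplayName,
            requestedBy
        });
        await queue.AddAsync(message);

        log.LogInformation("Queued invitation for {Email}, requested by {User}", body.Email, requestedBy);
        return new AcceptedResult();
    }
}
```

The point of the two checks at the top is that the function never trusts its own configuration: authentication is done by the platform, but the code still refuses a request that carries no authenticated principal or comes from the wrong tenant, so a later change to the Easy Auth settings fails closed instead of silently opening the queue to anyone with the URL (issue one on slide 7).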
  12. Azure Logic Apps security options:
    • Authentication: Azure AD, Graph, Managed Identities.
    • Integration Service Environment (ISE).
    • Secure Outputs (preview).
    • Application Gateway (WAF), API Management.
    • Monitor & Log Analytics.
  13. Managed Identities: a primary resource in Azure AD; feature in Azure AD; keeps credentials secure; system- and user-assigned managed identity; authenticate to any service.
  14. Azure Key Vault: increase security; no direct access to keys; automate certificate tasks; use validated HSMs.
  15. Demo summary (Step 1 to Step 5):
    • Created a new Logic App using the Queue Trigger.
    • Created a system-assigned managed identity.
    • Connected to the queue using the managed identity.
    • Added the managed identity to the Key Vault.
    • Retrieving and parsing the queue message into variables.
  16. Azure AD Application: Azure AD registration; OAuth 2.0 Authorization Framework; app permissions; Microsoft Graph API.
  17. Microsoft Graph:
    • Azure Active Directory
    • Office 365
    • Enterprise Mobility & Security
    • Windows 10
    • Dynamics 365
  18. Demo summary (Step 1 to Step 5):
    • Created an Azure AD Application.
    • Set the application permissions.
    • Added the Tenant ID, App ID, and App Secret to the Key Vault.
    • Retrieved Key Vault secrets in the Logic App.
    • Enabled Secure Outputs.
    • Generated an access token.
    • Created a guest user in Azure AD.
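The Key Vault and Graph steps from slides 15 and 18 (credentials kept in Key Vault instead of hard-coded, read with a managed identity, an OAuth 2.0 client-credentials token for Microsoft Graph, a guest user created in the tenant) as C# that could run inside an Azure Function. This is an added example, not the deck's Logic App; it reads Key Vault from code with the Azure SDK (NuGet packages Azure.Identity and Azure.Security.KeyVault.Secrets), which also sidesteps the wrap-up note that the Logic Apps Key Vault connector doesn't support managed identities. The vault URL, the secret names TenantId, AppId and AppSecret, and the redirect URL are assumptions; the invitations endpoint and the User.Invite.All application permission are Microsoft Graph's.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class GuestInviter
{
    private static readonly HttpClient Http = new HttpClient();

    // Slides 15 and 18: the registration's credentials live in Key Vault and are read at run time
    // by the caller's managed identity, so nothing is hard-coded in the workflow (slide 7, issue three).
    public static async Task<(string tenantId, string appId, string appSecret)> ReadCredentialsAsync(Uri vaultUri)
    {
        // DefaultAzureCredential resolves to the system-assigned managed identity in Azure and to a
        // developer login (az login, Visual Studio) on a workstation. The identity needs "get" on
        // secrets in the vault's access policy, which is what "added the managed identity to the Key Vault" grants.
        var secrets = new SecretClient(vaultUri, new DefaultAzureCredential());
        string tenantId = (await secrets.GetSecretAsync("TenantId")).Value.Value;   // assumed secret name
        string appId = (await secrets.GetSecretAsync("AppId")).Value.Value;         // assumed secret name
        string appSecret = (await secrets.GetSecretAsync("AppSecret")).Value.Value; // assumed secret name
        return (tenantId, appId, appSecret);
    }

    // Slide 16: OAuth 2.0 client credentials flow. The token is an application token (app
    // permissions, no signed-in user) scoped to Microsoft Graph.
    public static async Task<string> GetGraphTokenAsync(string tenantId, string appId, string appSecret)
    {
        var credential = new ClientSecretCredential(tenantId, appId, appSecret);
        AccessToken token = await credential.GetTokenAsync(
            new TokenRequestContext(new[] { "https://graph.microsoft.com/.default" }));
        return token.Token;
    }

    // Slide 18: create the guest user through the Graph invitations endpoint. The app registration
    // needs the User.Invite.All application permission with admin consent.
    public static async Task<string> InviteGuestAsync(string accessToken, string email, string redirectUrl)
    {
        string body = JsonSerializer.Serialize(new
        {
            invitedUserEmailAddress = email,
            inviteRedirectUrl = redirectUrl,
            sendInvitationMessage = true
        });
        using var request = new HttpRequestMessage(HttpMethod.Post, "https://graph.microsoft.com/v1.0/invitations")
        {
            Content = new StringContent(body, Encoding.UTF8, "application/json")
        };
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

        using HttpResponseMessage response = await Http.SendAsync(request);
        string json = await response.Content.ReadAsStringAsync();
        if (!response.IsSuccessStatusCode)
        {
            // Surface the Graph error, but never the token or the app secret.
            throw new InvalidOperationException($"Graph returned {(int)response.StatusCode}: {json}");
        }

        using JsonDocument doc = JsonDocument.Parse(json);
        // Object id of the new guest user in the tenant.
        return doc.RootElement.GetProperty("invitedUser").GetProperty("id").GetString();
    }

    // The whole flow for one queue message. The secrets and the token stay in local variables and
    // are not logged, which is the code-level equivalent of the Logic App's Secure Outputs.
    public static async Task<string> InviteCustomerAsync(Uri vaultUri, string email, string redirectUrl)
    {
        var (tenantId, appId, appSecret) = await ReadCredentialsAsync(vaultUri);
        string token = await GetGraphTokenAsync(tenantId, appId, appSecret);
        return await InviteGuestAsync(token, email, redirectUrl);
    }
}
```

Usage: InviteCustomerAsync(new Uri("https://contoso-kv.vault.azure.net/"), "customer@example.com", "https://marketing.example.com/") (placeholder URLs). In the deck's design the same three steps are Logic App actions; the security properties are identical: the workflow's identity, not a stored password, is what gets access to the vault, and the app secret exists only in Key Vault and in memory for the duration of the token request.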
  19. Monitoring Serverless Apps:
    • Application Insights: used by the Azure Function.
    • Log Analytics: used by the Logic App.
    • Azure Monitor: aggregates and displays (log) data from several resources.
  20. Log Analytics: unique environment for Azure Monitor log data; integrated in Azure Monitor; Kusto Query Language (KQL); collects data from different Azure resources.
  21. Demo summary (Step 1 to Step 3): navigated to Azure Monitor in the Azure portal; looked at Log Analytics capabilities; looked at Application Insights capabilities.
  22. Wrap up, key takeaways:
    • 01: Azure Functions only support Azure AD v1.
    • 02: The Azure Function needs to be configured for anonymous access.
    • 03: The Logic Apps Key Vault connector doesn't support Managed Identities.