Security Best Practices for Microsoft Azure Applications

Transcription

1 Security Best Practices for Microsoft Azure Applications Varun Sharma Principal Security Engineer, Information Security & Risk Management (ISRM), Microsoft IT

2 Service Lines Application Security Infrastructure Security Customized Solutions & Training 10+ years of tailored best practices and specialized intellectual property Microsoft Internal MSIT MSN Microsoft.com Product Groups Service Channels Microsoft External MCS Premier Acquisitions Global and Strategic Partners Unique knowledge transfer and value-add for Microsoft and its customers, partners and acquisitions Functional Capacity Specialization Totals Canada Global Delivery India Application Security 30 Infrastructure Security Dedicated PMs Total US- Redmond, ACE HQ United States Mission: to protect key assets by lowering overall information security risk for Microsoft and its customers through advisory services

3 Comprehensive Approach Security Program Security Architect Led & Program Manager Supported Infrastructure Security Application Security

4 Introductions

5 Shared security responsibility Data classification & accountability Client & endpoint protection Identity & access management Application level controls Network level controls Host Security Physical Security

6 Agenda 1. Setup the sample HRPortal application 2. Authentication 3. Auditing & Logging 4. Configuration Management 5. Sensitive Data 6. Communication 7. Host Security

7 HRPortal sample app Architecture diagram Admin Azure Active Directory User Use cases User can login to HR Website User can view salary, edit bank account number, update skills and upload resume AV scan engine scans resumes for malware Admin deploys solution to Azure Azure subscription HR Website AV Scan engine Azure Storage Azure SQL Database

8 Lab: Setup the sample application

9 1. Authentication

10 Authentication - Threats and Countermeasures Countermeasures Admin User Admin Use organizational accounts or corporate identities Azure Active Directory Use strong passwords Use multi-factor authentication Use federated identity pattern... Extend on-premise AD to Azure Azure Portal Cloud Service Virtual Machines... Active Directory Enterprise

11 Use Organizational Accounts or Corporate Identities Microsoft Account (Windows Live ID) Azure Active Directory Azure Active Directory Azure Active Directory Directory sync with password Directory sync with Federation Active Directory Active Directory Enforce password policies Enforce Cloud based Multi factor Authentication Enforce On premise Multi factor Authentication

12 Lab: Azure AD password policy

13 Lab: Enabling MFA for Azure AD users

14 Directory sync with federation Admin logs in on-prem Admin browses to Azure portal Windows Azure Portal Windows Azure Active Directory ADFS (sts.contoso.c om) Active Directory Admin is redirected to AAD AAD redirects to onprem STS since directory sync with SSO is setup. Admin authenticates to on-prem STS On-prem STS returns admin token to AAD AAD has a trust with STS, validates token, redirects to Azure portal

15 Demo: Directory sync with federation

16 Federated Identity Pattern Consumer authenticates and requests token STS returns token Identity Provider (IdP) or Security Token Service (STS) Service trusts IdP or STS Consumer Consumer presents token to service Service

17 Lab: Enabling Azure AD authentication on Azure Website

18 Extend on-premise Active Directory to Azure Application... Availability Set Virtual Network SQL Server... VPN Domain controllers Availability Set... = OR Availability Set AD Replication Enterprise... Active Directory User Enterprise

19 Authentication Summary Threats Improper de-provisioning Credential theft Brute forcing passwords Countermeasures Use organizational accounts or corporate identities Use strong passwords Use multi-factor authentication Use federated identity pattern Extend on-premise AD to Azure

20 2. Auditing & Logging

21 Auditing & Logging - Threats and Countermeasures Countermeasures Admin User Admin Enable logging Transfer logs to storage Azure Active Directory Monitor logs for suspicious activity Subscription Audit logs... Auditing and Activity Logging Azure Portal Cloud Service Virtual Machines Windows Azure Diagnostics Azure Storage Logging Azure storage Azure SQL Database SQL Azure Auditing

22 Demo: Subscription operation logs

23 Demo: SQL database logs

24 Demo: Azure storage logs

25 Demo: Cloud Service logs

26 Auditing and Logging Summary Azure component Logging feature Examples of suspicious behavior Azure Active Directory Auditing and Activity Logging Addition of user, admin, change of group membership Azure Subscription Subscription Operation logs Addition of co-administrator, enabling RDP on cloud service, operation from unexpected IP Address Azure Web Sites Application and Site Diagnostics Performance degradation due to DOS attack Cloud Services Windows Azure Diagnostics Security event for malware, remote login, creation of local user, change of important files, performance Virtual Machines Windows Azure Diagnostics or Windows Event degradation due to DOS attack Forwarding Azure Storage Azure Storage Logging Operation from unexpected IP Address, unexpected operated Azure SQL Database SQL Azure Auditing Operation from unexpected IP Address

27 3. Configuration Management

28 Configuration Management - Threats and Countermeasures Dev cspkg Admin cscfg Countermeasures Protect secrets in config files Use Runtime Reconfiguration pattern Rollover secret keys Visual Studio Online Git repository cscfg Azure subscription cloud service Azure Storage Azure SQL Database

29 Lab: Setting configuration values for Azure Websites

30 Runtime Reconfiguration pattern Dev Admin Admin changes configuration in service configuration file Visual Studio Online cspkg cscfg cloud service Application code subscribes to an event to know if configuration has changed. Code allows change if acceptable. Git repository cscfg Azure subscription If change is not acceptable and may cause configuration issues, code requests a role restart. Azure Storage Azure SQL Database

31 Roll over secret keys Dev Admin Azure storage has primary and secondary access keys cspkg cscfg Change configuration to secondary access key Visual Studio Online Git repository cscfg Azure subscription cloud service Configuration changes at runtime Regenerate primary access key and change configuration to new primary access key Azure Storage Azure SQL Database Configuration changes at runtime Regenerates secondary access key

32 Demo: Re-generating storage access keys

33 Lab: Using Key Vault to store secrets

34 Configuration Management Summary Threats Secret keys compromised from repository Improper de-provisioning Countermeasures Protect secrets in config files Use Runtime Reconfiguration pattern Rollover secret keys

35 4. Sensitive Data

36 Sensitive Data - Threats and Countermeasures Admin User Countermeasures Use Valet Key pattern Encrypt sensitive data at rest Application... cloud service Web application SQL Server... Azure Storage Azure SQL Database

37 Valet Key Pattern SAS SAS User cloud service User requests a resource Application checks validity of request, generates Shared Access Signature (SAS) and returns to user User directly accesses resource using SAS Application Azure Storage

38 Demo: Shared Access Signatures

39 Encrypt sensitive data at rest BitLocker Drive Encryption Admin User SQL Server Transparent Data Encryption or Column Level Encryption Application... Web application cloud service Application level encryption using.net Crypto API or other languages or Azure SQL TDE SQL Server... Azure Storage Azure SQL Database

40 Lab: Encrypting data using Key Vault

41 Encrypt sensitive data at rest Scenario Encryption technology Key management Azure VMs with sensitive files BitLocker Drive Encryption 3rd party solutions Sensitive data in SQL Server on Azure VM Sensitive data in Azure Storage, NoSQL, Azure SQL Database SQL Server Transparent Data Encryption or Column Level Encryption Application level encryption using.net Crypto API or other languages or Azure SQL TDE Can use Extensible Key Management and existing on-premise HSM Azure Key Vault

42 5. Communication

43 Communication - Threats and Countermeasures User cloud service Admin Countermeasures Use SSL Disable remote desktop Limit input endpoints Use IP based restrictions Azure Storage Azure SQL Database Service Bus Relay App Server Enterprise

44 Demo: Configuring Azure Website to use SSL

45 Demo: SQL Database Firewall

46 Communication Summary IP based restriction Encrypt data in transit Azure Web Sites IIS IP Restrictions Upload SSL certificate and use custom domain Cloud Services Configure host firewall using Start-up task or use IIS IP Restrictions Upload SSL certificate and use custom domain Virtual Machines Network Access Control List Configure SSL certificate Virtual Network Inbound and Outbound IP restriction using Network Security Group Use SSL Azure SQL Database Azure SQL Firewall Use Encrypt=true; TrustServerCertificate=False in SQL Connection string

47 6. Host Security

48 Host - Threats and Countermeasures Countermeasures Patch management User Enable Anti-malware Application... cloud service Machine policy management Web application

49 Lab: Machine policy management using start-up tasks

50 Lab: Enabling Anti-malware on Cloud Services

51 Host Security Summary Threats Unpatched VMs Malware Insecure host settings Countermeasures Patch management Enable Anti-malware Machine policy management

52 Summary

53 Security Frame Threats and Countermeasures Security category Threats Countermeasures Authentication Auditing & Logging Configuration management Sensitive Data Improper de-provisioning Credential theft Brute forcing passwords Repudiation Logs lost due to recycle or deleted Improper de-provisioning Secret keys compromised from repository Shared secrets are only line of defense Use organizational accounts or corporate identities Use strong passwords Use multi-factor authentication Use federated identity pattern Extend on-premise AD to Azure Enable logging Transfer logs to storage Monitor logs for suspicious activity Encrypt secrets in config files Use Runtime Reconfiguration pattern Rollover secret keys Use Valet Key pattern Encrypt sensitive data at rest Communication Host Security Data sniffed on network Remote desktop password compromised Unpatched VMs Malware Insecure host settings Use SSL Disable remote desktop Limit input endpoints Use IP based restrictions Patch Management Enable Anti-malware Machine policy management

54 Summary Understand what you are responsible for Understand threats and implement countermeasures Use Azure security features, patterns and practices

55 References Related references for you to expand your knowledge on the subject Azure Trust Center, Azure Security Guidance, Azure Identity, Azure Multi-factor authentication, Cloud Design patterns, Security best practices for Windows Azure solutions, FDDEEE8F70C1/SecurityBestPracticesForWindowsAzureSolutionsFeb2014.docx Security Best Practices For Developing Windows Azure Applications, technet.microsoft.com/en-in aka.ms/mva msdn.microsoft.com/

56