Windows Azure Security A Peek Under the Hood Charlie Kaufman 06/03/2010
Agenda Introduction Azure Compute Security Azure Storage Security SQL Azure Security Questions
Azure Combines Three Components Compute Think Stateless CPU in the Cloud (Rented by the CPU - hour) Storage Like a file system, but structured differently to support scalability and parallelism (Rented by the Gigabyte - Month) SQL Azure Another form of storage, accessed with SQL queries rather than file-like operations Can be used separately, but more commonly a Compute tenant is layered atop Storage, SQL Azure, or both There will likely be more components in the future 3
Security Threats Customer Admin User Azure Customer Tenant External Web Site 4
From Subscription Portal Create a Compute Tenant Create a Storage Account Create a SQL Azure Database Once created, they are managed via separate mechanisms Customer authenticates to Subscription Portal using LiveID 5
Agenda Introduction Azure Compute Security Azure Storage Security SQL Azure Security Questions
Underlying Hardware Rack-mounted servers Each rack has a collection of identical nodes Each node (currently) has 2 CPU chips with 4 cores each 16 Gig of memory Disks for local storage Network Interface to a Top-of-Rack Switch 7
8 Hypervisor and VM Sandbox All Guest access to network and disk is mediated by Root VM (via the Hypervisor) Hypervisor Network/Disk R o o t V M G u e s t V M G u e s t V M G u e s t V M G u e s t V M G u e s t V M G u e s t V M G u e s t V M
What Does the World Look Like to a Guest VM? 1, 2, 4, or 8 CPUs; up to 14 GB of memory Three disk drives: C:\ (for temps; initially populated with config file) D:\ (for application code; initially as supplied by customer admin) E:\ (for OS code; initially as supplied by Azure) Network connectivity to Internet via NAT and to other VMs of same tenant Guest agent accepts incoming HTTP/RPC connections from Root OS 9
Handling Attacks by a Tenant Not dependent on the security of Windows Instead, dependent on the security of the Hypervisor and the exposed network and disk drivers C:\, D:\, and E:\ are not really disks. They are VHD files in the root OS s file system. Attack surface is minimized by accepting few commands and supporting only a few hardware devices 10
Root OS Services Disk I/O remapping and bandwidth quota enforcement Network Packet Filter and bandwidth quota enforcement No forging of IP address or false responses to ARPs Connectivity only to Internet, peer VMs within tenant, and a small set of specific services (e.g., DNS) Multicast blocked except for use of DHCP to get IP address 11
Azure Network Services For scalability, customer tenants can be divided into roles (e.g., front end, back end) Roles can have multiple instances Azure will divide incoming connections among front-end role instances When a new role instance is created, its disks (C:\, D:\, and E:\) are initialized. When a role instance is discarded, the contents of its disks are discarded. Compute holds only ephemeral data permanent data must be kept in Azure Storage, SQL Azure, or an external customer-provided store. High availability is achieved through fast failover. Individual VMs can be discarded and reinitialized at any time. 12
Recovery from Any Sort of Failure If a customer VM fails, the Root VM can reboot it or if necessary reinitialize all of its on-disk state If a Root VM fails or an entire node fails, the Fabric Controller can power cycle the node, reboot it from the network, and reinitialize all of its actual disks All customer VMs can be migrated to other nodes while the node is being tested before it is returned to service or queued for manual repair 13
Handling Attacks by a Customer Administrator Customer Administrator gets to specify: How many roles in a tenant, how many instances of each role, and what size VM each runs on The application software that runs in each VM and its configuration Certificates, passwords, and secret keys each VM can use to authenticate to other entities Requests go through the Developer Portal (browser based) or Developer API (RPC over HTTP over SSL) Authentication to Developer API uses a certificate and private key registered through the Developer Portal 14
Protecting the Fabric Controllers Developer Portal Developer API Fabric Controller Fabric Agent Root VM Guest Agent Guest VM Hypervisor 15
Handling Attacks by an End User Azure divides incoming connections among front-end role instances Customer has all the facilities of Windows to protect the VM against end-user attacks Azure must deal with DDoS (bandwidth) attacks that could overwhelm all of Azure Customer must deal with DDoS attacks that could overwhelm the customer front ends Increasing the number of front ends is always an option 16
Internet Gateways Gateways are shared with other Microsoft properties (e.g., Hotmail, MSN, Live, ) Very high speed links at multiple locations worldwide Not impossible to overload, but one of the highest capacity targets deployed today 17
One More Problem to Worry About Azure could be used as a platform for attacking other Internet sites A customer tenant could be recruited into a bot army to spread spam or participate in DDoS attacks A customer could intentionally participate in such things We have to be responsive to complaints from other Internet sites that they are under attack from one of our tenants 18
Agenda Introduction Azure Compute Security Azure Storage Security SQL Azure Security Questions
Azure Storage Runs on separate hardware with no network connectivity to compute except (logically) through Internet Requests run over HTTP and optionally over SSL with server authentication Storage is organized into storage accounts A single customer may have many storage accounts A single secret key controls all access to a storage account Fine-grained access controls are not implemented A customer wanting fine-grained access controls can implement a front-end compute tenant that has full access to the storage account but mediates access to data items 20
Azure Storage Scalability To reduce the need for locks when dealing with a conventional file system, Azure storage implements the primitives: blobs, tables, and queues. For backwards compatibility, it also implements an XDrive with disk semantics for applications that have not been converted. The customer is responsible for coordinating the assignment of XDrives to VMs. An XDrive can only be open from one VM at a time. 21
Azure Storage Security Data from many customers is mixed in a single pool Access to data in a specific account is only granted to entities having the secret key for that account Storage keys are randomly generated when the storage account is created (or later at the request of the customer) A storage account may have two active keys at any given time to support key rollover Storage keys are used to HMAC sign each access request 22
Access Control Extensions To deal with some common cases: Blobs can be marked as world readable, which allows them to be read without authentication by anyone knowing their name Queries can be HMAC signed with some of their parameters unspecified. Passing such a query and its signature to a process allows it to access a subset of the data in an XStore. 23
Agenda Introduction Azure Compute Security Azure Storage Security SQL Azure Security Questions
Azure SQL As with storage, runs on separate hardware with no connectivity to compute except (logically) over the Internet Subscription portal can create databases Data from many customers is pooled in a single SQL instance, but they are treated as separate and access controlled independently 25
Questions & Answers Submit text questions using the Ask button. Send us your feedback and content ideas in the survey. Replay of this webcast will be available in 24 hours. Get the latest developer content (webcasts, podcasts, videos, virtual labs) at: www.microsoft.com/events/series/ For more security webcasts: www.microsoft.com/events/series/securitytalk 26
2008Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.