Security Best Practices for Microsoft Azure Applications
Varun Sharma, Principal Security Engineer, Information Security & Risk Management (ISRM), Microsoft IT
Service Lines
- Application Security
- Infrastructure Security
- Customized Solutions & Training: 10+ years of tailored best practices and specialized intellectual property
Microsoft internal customers: MSIT, MSN, Microsoft.com, Product Groups, Service Channels
Microsoft external customers: MCS, Premier, Acquisitions, Global and Strategic Partners (unique knowledge transfer and value-add for Microsoft and its customers, partners and acquisitions)
Functional capacity (US - Redmond, ACE HQ; Canada; India; Global Delivery)
  Application Security: 30
  Infrastructure Security: 16
  Dedicated PMs: 4
  Total: 50
Mission: to protect key assets by lowering overall information security risk for Microsoft and its customers through advisory services
Comprehensive Approach
- Security Program: Security Architect led and Program Manager supported
- Infrastructure Security
- Application Security
Introductions
Shared security responsibility
- Data classification & accountability
- Client & endpoint protection
- Identity & access management
- Application level controls
- Network level controls
- Host security
- Physical security
Agenda
1. Set up the sample HRPortal application
2. Authentication
3. Auditing & Logging
4. Configuration Management
5. Sensitive Data
6. Communication
7. Host Security
HRPortal sample app
Architecture diagram: Admin and User sign in through Azure Active Directory; the Azure subscription hosts the HR Website, an AV scan engine, Azure Storage and Azure SQL Database.
Use cases
- User can log in to the HR website
- User can view salary, edit bank account number, update skills and upload resume
- AV scan engine scans resumes for malware
- Admin deploys solution to Azure
Lab: Setup the sample application
1. Authentication
Authentication - Threats and Countermeasures
Diagram: Admin and User authenticate through Azure Active Directory to the Azure Portal, Cloud Services and Virtual Machines; enterprise Active Directory is on-premise.
Countermeasures
- Use organizational accounts or corporate identities
- Use strong passwords
- Use multi-factor authentication
- Use federated identity pattern
- Extend on-premise AD to Azure
Use Organizational Accounts or Corporate Identities
Diagram: Microsoft Account (Windows Live ID) compared with Azure Active Directory, either standalone, with directory sync with password to Active Directory, or with directory sync with federation to Active Directory.
- Enforce password policies
- Enforce cloud based multi-factor authentication
- Enforce on-premise multi-factor authentication
Lab: Azure AD password policy
Lab: Enabling MFA for Azure AD users
Directory sync with federation
Diagram: Windows Azure Portal, Windows Azure Active Directory, ADFS (sts.contoso.com) and on-premise Active Directory.
1. Admin logs in on-prem
2. Admin browses to Azure portal (https://windows.azure.com/contoso.com)
3. Admin is redirected to AAD
4. AAD redirects to on-prem STS since directory sync with SSO is set up
5. Admin authenticates to on-prem STS
6. On-prem STS returns admin token to AAD
7. AAD has a trust with STS, validates token, redirects to Azure portal
Demo: Directory sync with federation
Federated Identity Pattern
Parties: Consumer; Identity Provider (IdP) or Security Token Service (STS); Service, which trusts the IdP or STS
1. Consumer authenticates and requests token
2. STS returns token
3. Consumer presents token to service
Lab: Enabling Azure AD authentication on Azure Website
Extend on-premise Active Directory to Azure
Diagram: application and SQL Server availability sets on an Azure Virtual Network, connected by VPN to the enterprise; domain controllers are either placed in an availability set in Azure or kept on-premise with AD replication to the enterprise Active Directory serving the User.
Authentication Summary
Threats
- Improper de-provisioning
- Credential theft
- Brute forcing passwords
Countermeasures
- Use organizational accounts or corporate identities
- Use strong passwords
- Use multi-factor authentication
- Use federated identity pattern
- Extend on-premise AD to Azure
2. Auditing & Logging
Auditing & Logging - Threats and Countermeasures
Diagram: log sources are Azure Active Directory (Auditing and Activity Logging), the Azure subscription (Audit logs), the Azure Portal, Cloud Services and Virtual Machines (Windows Azure Diagnostics), Azure Storage (Azure Storage Logging) and Azure SQL Database (SQL Azure Auditing).
Countermeasures
- Enable logging
- Transfer logs to storage
- Monitor logs for suspicious activity
Demo: Subscription operation logs
Demo: SQL database logs
Demo: Azure storage logs
Demo: Cloud Service logs
Auditing and Logging Summary
Azure Active Directory
  Logging feature: Auditing and Activity Logging
  Examples of suspicious behavior: addition of user or admin, change of group membership
Azure Subscription
  Logging feature: Subscription Operation logs
  Examples of suspicious behavior: addition of co-administrator, enabling RDP on cloud service, operation from unexpected IP address
Azure Web Sites
  Logging feature: Application and Site Diagnostics
  Examples of suspicious behavior: performance degradation due to DoS attack
Cloud Services
  Logging feature: Windows Azure Diagnostics
  Examples of suspicious behavior: security event for malware, remote login, creation of local user, change of important files, performance degradation due to DoS attack
Virtual Machines
  Logging feature: Windows Azure Diagnostics or Windows Event Forwarding
  Examples of suspicious behavior: same as Cloud Services
Azure Storage
  Logging feature: Azure Storage Logging
  Examples of suspicious behavior: operation from unexpected IP address, unexpected operation
Azure SQL Database
  Logging feature: SQL Azure Auditing
  Examples of suspicious behavior: operation from unexpected IP address
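The "monitor logs for suspicious activity" countermeasure is easiest to see over actual log entries. The following is an added example, not code from the deck: it runs the two checks the summary table repeats most (operation from an unexpected IP address, and the high-risk operations such as adding a co-administrator or enabling RDP) over a constructed, simplified CSV log. The CSV shape, the trusted network range and the list of high-risk operations are assumptions for the example; the real Azure Storage Logging, Subscription Operation log and SQL Auditing formats are different.

```python
"""Flag suspicious operations in constructed Azure-style log lines (added example)."""
import csv
import io
import ipaddress
from dataclasses import dataclass

# Constructed sample: storage, subscription and SQL entries normalised to one shape
# (timestamp, source, operation, caller IP, status). Not a real Azure log schema.
SAMPLE_LOG = """\
2014-06-01T10:00:01Z,storage,GetBlob,10.0.0.12,200
2014-06-01T10:00:05Z,storage,PutBlob,10.0.0.12,201
2014-06-01T10:02:10Z,storage,DeleteContainer,203.0.113.77,202
2014-06-01T10:03:00Z,subscription,AddCoAdministrator,198.51.100.9,200
2014-06-01T10:04:00Z,subscription,EnableRemoteDesktop,10.0.0.40,200
2014-06-01T10:05:00Z,sql,Select,10.0.0.12,200
"""

# Assumption: operators and role instances legitimately come from this range.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Operations the summary table singles out (co-administrator added, RDP enabled),
# plus a destructive storage operation worth a look even from a trusted address.
HIGH_RISK_OPERATIONS = {
    "subscription": {"AddCoAdministrator", "EnableRemoteDesktop"},
    "storage": {"DeleteContainer"},
}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    source: str
    operation: str
    caller_ip: str
    reasons: tuple


def is_trusted(ip: str) -> bool:
    """True if the caller address falls inside an allow-listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def analyse(log_text: str) -> list:
    """Return one Finding per log entry that a person should review."""
    findings = []
    for timestamp, source, operation, ip, _status in csv.reader(io.StringIO(log_text)):
        reasons = []
        if not is_trusted(ip):
            reasons.append("operation from unexpected IP address")
        if operation in HIGH_RISK_OPERATIONS.get(source, set()):
            reasons.append("high-risk operation")
        if reasons:
            findings.append(Finding(timestamp, source, operation, ip, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f.timestamp, f.source, f.operation, f.caller_ip, "; ".join(f.reasons))
```

Running it on the sample reports three entries: the container deletion and the co-administrator addition (both from outside the trusted range and both high-risk), and the RDP enablement, which came from a trusted address but is still flagged because the operation itself is the signal.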
3. Configuration Management
Configuration Management - Threats and Countermeasures
Diagram: Dev produces the cspkg and Admin the cscfg from a Visual Studio Online Git repository; both are deployed to a cloud service in the Azure subscription, which uses Azure Storage and Azure SQL Database.
Countermeasures
- Protect secrets in config files
- Use Runtime Reconfiguration pattern
- Rollover secret keys
Lab: Setting configuration values for Azure Websites
Runtime Reconfiguration pattern
Diagram: Dev (cspkg) and Admin (cscfg) deploy from the Visual Studio Online Git repository to the cloud service in the Azure subscription.
1. Admin changes configuration in the service configuration file (cscfg).
2. Application code subscribes to an event to know if configuration has changed. Code allows the change if acceptable.
3. If the change is not acceptable and may cause configuration issues, code requests a role restart.
Roll over secret keys
Azure Storage has primary and secondary access keys.
1. Change configuration to the secondary access key (configuration changes at runtime).
2. Regenerate the primary access key and change configuration to the new primary access key (configuration changes at runtime).
3. Regenerate the secondary access key.
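The two slides above describe one procedure: the role accepts a key change at runtime through the Runtime Reconfiguration pattern, and that is what lets the key roll-over run without an outage. The following added example models both (it is not the deck's code and does not use the Azure SDK); StorageAccount and RoleInstance are constructed stand-ins for a storage account with two keys and a cloud service role that subscribes to the configuration-changing event, and the rule that only StorageKey may change without a restart is an assumption.

```python
"""Runtime Reconfiguration plus storage key roll-over, modelled in plain Python (added example)."""
import hmac
import secrets


class StorageAccount:
    """Stand-in for a storage account with regenerable primary/secondary keys."""

    def __init__(self):
        self.keys = {"primary": secrets.token_hex(32), "secondary": secrets.token_hex(32)}

    def regenerate(self, name: str) -> None:
        self.keys[name] = secrets.token_hex(32)

    def authorize(self, key: str) -> bool:
        # Either current key is accepted; that is what makes a zero-downtime swap possible.
        return any(hmac.compare_digest(key, current) for current in self.keys.values())


class RoleInstance:
    """Application code that subscribes to the configuration-changing event."""

    RUNTIME_CHANGEABLE = {"StorageKey"}  # assumption: settings the code can absorb live

    def __init__(self, config: dict):
        self.config = dict(config)
        self.restart_requested = False

    def on_config_changing(self, new_config: dict) -> bool:
        """Return True to accept the change in place, False to request a role restart."""
        changed = {k for k in set(self.config) | set(new_config)
                   if self.config.get(k) != new_config.get(k)}
        if changed <= self.RUNTIME_CHANGEABLE:
            self.config = dict(new_config)
            return True
        self.restart_requested = True
        return False

    def access_storage(self, account: StorageAccount) -> bool:
        return account.authorize(self.config["StorageKey"])


def roll_over_keys(account: StorageAccount, role: RoleInstance) -> list:
    """The three-step roll-over from the slide; records whether storage stayed reachable."""
    old_primary = account.keys["primary"]
    trace = []
    # 1. Move the running role onto the secondary key (accepted at runtime, no restart).
    role.on_config_changing({**role.config, "StorageKey": account.keys["secondary"]})
    trace.append(("switched-to-secondary", role.access_storage(account)))
    # 2. Regenerate the primary key, then move the role onto the new primary.
    account.regenerate("primary")
    role.on_config_changing({**role.config, "StorageKey": account.keys["primary"]})
    trace.append(("switched-to-new-primary", role.access_storage(account)))
    # 3. Regenerate the secondary so the value the role briefly used is retired as well.
    account.regenerate("secondary")
    trace.append(("old-primary-still-accepted", account.authorize(old_primary)))
    return trace


if __name__ == "__main__":
    acct = StorageAccount()
    web_role = RoleInstance({"StorageKey": acct.keys["primary"], "DbServer": "hrportal-db"})
    for step, ok in roll_over_keys(acct, web_role):
        print(f"{step}: {ok}")
    print("restart requested:", web_role.restart_requested)
```

Storage stays reachable after each switch, the original primary key is dead by the end, and no restart is requested. Changing a setting outside the runtime-changeable set (for example DbServer) makes on_config_changing refuse the change and mark the role for restart, which is the branch the pattern reserves for changes the code cannot absorb safely.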
Demo: Re-generating storage access keys
Lab: Using Key Vault to store secrets
Configuration Management Summary
Threats
- Secret keys compromised from repository
- Improper de-provisioning
Countermeasures
- Protect secrets in config files
- Use Runtime Reconfiguration pattern
- Rollover secret keys
4. Sensitive Data
Sensitive Data - Threats and Countermeasures
Diagram: Admin and User reach the web application on the cloud service, which uses SQL Server, Azure Storage and Azure SQL Database.
Countermeasures
- Use Valet Key pattern
- Encrypt sensitive data at rest
Valet Key Pattern
1. User requests a resource from the application (cloud service).
2. Application checks validity of the request, generates a Shared Access Signature (SAS) and returns it to the user.
3. User directly accesses the resource in Azure Storage using the SAS.
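The point of the pattern is that the application's authorization decision is carried in a signed, scoped, expiring token, and storage can enforce it without the application in the path. The following is an added example, not the deck's code and not Azure's SAS algorithm: the string-to-sign, the query field names (sr, sp, se, sig) and the account key are a constructed simplification so that issuing and checking can be run offline end to end.

```python
"""Valet Key pattern: the application mints a scoped, expiring token; storage checks it (added example)."""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode

# Constructed account key shared by the application and the "storage service" below.
ACCOUNT_KEY = b"constructed-account-key-not-a-real-azure-storage-key"


def _signature(resource: str, permissions: str, expiry: int) -> str:
    # Simplified string-to-sign (assumption); the real SAS format differs.
    to_sign = f"{resource}\n{permissions}\n{expiry}".encode()
    return hmac.new(ACCOUNT_KEY, to_sign, hashlib.sha256).hexdigest()


def issue_sas(resource: str, permissions: str, ttl_seconds: int, now=None) -> str:
    """Application side. Called only after the app has authorised the user's request."""
    expiry = int(time.time() if now is None else now) + ttl_seconds
    return urlencode({"sr": resource, "sp": permissions, "se": expiry,
                      "sig": _signature(resource, permissions, expiry)})


def check_sas(token: str, resource: str, wanted: str, now=None) -> bool:
    """Storage side. Verifies the token alone; the application is not involved."""
    fields = {k: v[0] for k, v in parse_qs(token).items()}
    try:
        expiry = int(fields["se"])
        expected = _signature(fields["sr"], fields["sp"], expiry)
        presented = fields["sig"]
    except (KeyError, ValueError):
        return False  # malformed token
    if not hmac.compare_digest(expected, presented):
        return False  # forged, or fields edited after signing
    if (time.time() if now is None else now) >= expiry:
        return False  # expired: the valet key only opens the door for a while
    return fields["sr"] == resource and wanted in fields["sp"]


if __name__ == "__main__":
    # HRPortal flow: the app lets a user read only their own uploaded resume for 10 minutes.
    token = issue_sas("resumes/alice.pdf", "r", 600)
    print("read own resume:", check_sas(token, "resumes/alice.pdf", "r"))
    print("write own resume:", check_sas(token, "resumes/alice.pdf", "w"))
    print("read someone else's:", check_sas(token, "resumes/bob.pdf", "r"))
```

The checks that matter are the negative ones: a token for one resource does not open another, a read token does not allow writes, editing the permissions field invalidates the signature, and the token stops working at expiry. Keep the lifetime short and the scope to a single resource, as the slide's "checks validity of the request" step implies.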
Demo: Shared Access Signatures
Encrypt sensitive data at rest
Diagram: BitLocker Drive Encryption on virtual machines; SQL Server Transparent Data Encryption or Column Level Encryption for SQL Server; application level encryption using the .NET Crypto API or other languages, or Azure SQL TDE, for data in Azure Storage and Azure SQL Database reached from the web application on the cloud service.
Lab: Encrypting data using Key Vault
Encrypt sensitive data at rest
Azure VMs with sensitive files
  Encryption technology: BitLocker Drive Encryption
  Key management: 3rd party solutions
Sensitive data in SQL Server on Azure VM
  Encryption technology: SQL Server Transparent Data Encryption or Column Level Encryption
  Key management: can use Extensible Key Management and existing on-premise HSM
Sensitive data in Azure Storage, NoSQL, Azure SQL Database
  Encryption technology: application level encryption using the .NET Crypto API or other languages, or Azure SQL TDE
  Key management: Azure Key Vault
5. Communication
Communication - Threats and Countermeasures
Diagram: User and Admin connect to the cloud service; the cloud service connects to Azure Storage, Azure SQL Database and, through Service Bus Relay, to an App Server in the enterprise.
Countermeasures
- Use SSL
- Disable remote desktop
- Limit input endpoints
- Use IP based restrictions
Demo: Configuring Azure Website to use SSL
Demo: SQL Database Firewall
Communication Summary
Azure Web Sites
  IP based restriction: IIS IP Restrictions
  Encrypt data in transit: upload SSL certificate and use custom domain
Cloud Services
  IP based restriction: configure host firewall using a start-up task, or use IIS IP Restrictions
  Encrypt data in transit: upload SSL certificate and use custom domain
Virtual Machines
  IP based restriction: Network Access Control List
  Encrypt data in transit: configure SSL certificate
Virtual Network
  IP based restriction: inbound and outbound IP restriction using Network Security Group
  Encrypt data in transit: use SSL
Azure SQL Database
  IP based restriction: Azure SQL Firewall
  Encrypt data in transit: use Encrypt=true; TrustServerCertificate=False in the SQL connection string
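The Azure SQL Database row is a setting that lives in the application's configuration rather than in the portal, so it is worth checking mechanically before deployment. The following added example (not the deck's code) audits the connectionStrings section of a web.config for the two settings the table names, Encrypt=true and TrustServerCertificate=False; the XML is a constructed fragment for the HRPortal sample, and the server names and passwords in it are placeholders. Encrypt is treated as off when absent, which matches the SqlClient default of the period.

```python
"""Audit web.config connection strings for transport protection (added example)."""
import xml.etree.ElementTree as ET

# Constructed web.config fragment; server names and credentials are placeholders.
SAMPLE_WEB_CONFIG = """\
<configuration>
  <connectionStrings>
    <add name="HRPortalDb"
         connectionString="Server=tcp:hrportal-placeholder.database.windows.net,1433;Database=HRPortal;User ID=hrapp;Password=PLACEHOLDER;Encrypt=True;TrustServerCertificate=False;" />
    <add name="LegacyDb"
         connectionString="Server=tcp:legacy-placeholder.database.windows.net,1433;Database=Legacy;User ID=hrapp;Password=PLACEHOLDER;Encrypt=False;TrustServerCertificate=True;" />
    <add name="ReportsDb"
         connectionString="Server=tcp:reports-placeholder.database.windows.net,1433;Database=Reports;User ID=hrapp;Password=PLACEHOLDER;" />
  </connectionStrings>
</configuration>
"""

TRUE_VALUES = {"true", "yes"}


def parse_connection_string(cs: str) -> dict:
    """Split 'Key=Value;...' into a dict with lower-cased keys (keys are case-insensitive)."""
    settings = {}
    for part in cs.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings


def transport_findings(cs: str) -> list:
    """Report deviations from Encrypt=true; TrustServerCertificate=False."""
    s = parse_connection_string(cs)
    findings = []
    # Absent Encrypt means no encryption with the SqlClient default of the period.
    if s.get("encrypt", "false").lower() not in TRUE_VALUES:
        findings.append("Encrypt is not true: traffic to the database is not encrypted")
    # Trusting any server certificate removes the protection against a spoofed server.
    if s.get("trustservercertificate", "false").lower() in TRUE_VALUES:
        findings.append("TrustServerCertificate=True skips server certificate validation")
    return findings


def audit_web_config(xml_text: str) -> dict:
    """Map each named connection string to its findings (empty list means it passes)."""
    root = ET.fromstring(xml_text)
    return {add.get("name"): transport_findings(add.get("connectionString", ""))
            for add in root.findall("./connectionStrings/add")}


if __name__ == "__main__":
    for name, findings in audit_web_config(SAMPLE_WEB_CONFIG).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

HRPortalDb passes, LegacyDb fails on both settings, and ReportsDb fails because it never asks for encryption at all. The same parser can be pointed at cscfg settings or app settings in Azure Web Sites, since the connection string syntax is the same wherever it is stored.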
6. Host Security
Host - Threats and Countermeasures
Diagram: User reaches the web application on the cloud service.
Countermeasures
- Patch management
- Enable anti-malware
- Machine policy management
Lab: Machine policy management using start-up tasks
Lab: Enabling Anti-malware on Cloud Services
Host Security Summary
Threats
- Unpatched VMs
- Malware
- Insecure host settings
Countermeasures
- Patch management
- Enable anti-malware
- Machine policy management
Summary
Security Frame Threats and Countermeasures
Authentication
  Threats: improper de-provisioning; credential theft; brute forcing passwords
  Countermeasures: use organizational accounts or corporate identities; use strong passwords; use multi-factor authentication; use federated identity pattern; extend on-premise AD to Azure
Auditing & Logging
  Threats: repudiation; logs lost due to recycle or deleted
  Countermeasures: enable logging; transfer logs to storage; monitor logs for suspicious activity
Configuration management
  Threats: improper de-provisioning; secret keys compromised from repository
  Countermeasures: encrypt secrets in config files; use Runtime Reconfiguration pattern; rollover secret keys
Sensitive Data
  Threats: shared secrets are the only line of defense
  Countermeasures: use Valet Key pattern; encrypt sensitive data at rest
Communication
  Threats: data sniffed on network; remote desktop password compromised
  Countermeasures: use SSL; disable remote desktop; limit input endpoints; use IP based restrictions
Host Security
  Threats: unpatched VMs; malware; insecure host settings
  Countermeasures: patch management; enable anti-malware; machine policy management
Summary
- Understand what you are responsible for
- Understand threats and implement countermeasures
- Use Azure security features, patterns and practices
References
Related references for you to expand your knowledge on the subject
- Azure Trust Center, http://azure.microsoft.com/en-us/support/trust-center/
- Azure Security Guidance, http://azure.microsoft.com/en-us/documentation/articles/best-practices-security/
- Azure Identity, http://azure.microsoft.com/en-us/documentation/articles/fundamentals-identity/
- Azure Multi-factor authentication, http://azure.microsoft.com/en-in/services/multi-factor-authentication/
- Cloud Design patterns, http://msdn.microsoft.com/en-us/library/dn600223.aspx
- Security best practices for Windows Azure solutions, http://download.microsoft.com/download/7/8/a/78ab795a-8a5b-48b0-9422-FDDEEE8F70C1/SecurityBestPracticesForWindowsAzureSolutionsFeb2014.docx
- Security Best Practices For Developing Windows Azure Applications, http://www.microsoft.com/en-in/download/details.aspx?id=7253
Additional links: technet.microsoft.com/en-in, aka.ms/mva, msdn.microsoft.com/