
Post on 22-May-2020


An advanced guide through the Azure Security jungle

Eric Berg

Lead IT Architect – Team Azure / Team Modern Workplace

Azure, Datacenter and Modern Workplace

Azure, System Center, Windows Server and Client

info@ericberg.de

@ericberg_de | @GeekZeugs

www.ericberg.de | www.geekzeugs.de

Intelligent Cloud Conference 2018


Security Jungle?!

[Slide: map of the Azure service landscape, grouped into Platform Services, Infrastructure Services, Compute, Storage, Networking, Data, Analytics & IoT, Developer Services, Integration, Media & CDN, Intelligence, and Security & Management (Azure Active Directory, Multi-Factor Authentication, Key Vault, Security Center, Automation, Portal)]


[Slide: cloud of the security topics covered in this talk]

• Azure AD
• VPN / Express Route
• Azure Security Center
• Encryption
• Network
• Logging
• Azure Monitor
• Network Security Groups
• Reporting
• Subscriptions
• Antimalware
• Audit
• MFA
• Key Vault
• Automation
• Azure Advisor
• Resource Policies


Security Components?!

Datacenter Security


[Slide: layers of datacenter security, from perimeter to building to computer room: seismic bracing, security operations center, 24x7 security staff, days of backup power, cameras and alarms, two-factor access control with biometric readers and card readers, barriers and fencing]

Physical Security

• Azure regions

• access control

• video surveillance

• weight locks

• In-house disc destruction

https://cloud-platform-assets.azurewebsites.net/datacenter


Secure Multi-tenancy

• Isolates customer environments using the Fabric Controller
• Runs a configuration-hardened version of Windows Server as the Host OS
• Uses Hyper-V – a battle-tested and enterprise-proven hypervisor


[Slide: multi-tenancy diagram: customer admins and end users reach the Portal / Smart API, which drives the Fabric Controller; guest VMs of Customer 1 and Customer 2 run on the hypervisor above the Host OS, with Azure Storage and SQL Database alongside]

Network Protection

• Provides logical isolation while enabling customer control
• Restricts access from the Internet, permits traffic only to endpoints, and provides load balancing and NAT at the Cloud Access Layer
• Private IP addresses are isolated from other customers

[Slide: network diagram: the Internet and Corp 1 (over VPN) reach the Cloud Access Layer; Customer 1 and Customer 2 sit in isolated virtual networks with their own subnets, deployments, a DNS server and an RDP endpoint (password access), with VLAN-to-VLAN isolation between them]

Virtual Networks / VPN

• Extension of own Datacenter to Azure

• Dedicated Express Route connection

• Management over VPN

• Network Security Group (NSG)

• Azure Software Defined Network

DDoS Defense System

• Azure’s DDoS defense system is designed not only to withstand attacks from the outside, but also from within.
• Azure monitors and detects internally initiated DDoS attacks and removes offending VMs from the network

[Slide: DDoS pipeline diagram: the MSFT Routing Layer feeds flow data to the Detection Pipeline and Profile DB, which push routing updates; attack traffic from the Internet is diverted through the Scrubbing Array and the scrubbed traffic is passed via the SLB to the application]

Data Segregation

• Stored data accessible only through claims-based IDM & access control with private key
• Storage blocks are hashed by the hypervisor to separate accounts
• SQL Azure isolates separate account databases
• VM switch at the host level blocks inter-tenant communication

[Slide: the multi-tenancy diagram again, with an Access Control layer shown between the Portal / Smart API and Azure Storage, SQL Database and the Fabric Controller]

Data Protection

Data segregation: Logical isolation segregates each customer’s data from that of others.

In-transit data protection: Industry-standard protocols encrypt data in transit to/from outside components, as well as data in transit internally by default.

Data redundancy: Customers have multiple options for replicating data, including number of copies and number and location of replication datacenters.

At-rest data protection: Customers can implement a range of encryption options for virtual machines and storage.

Encryption: Data encryption in storage or in transit can be deployed by the customer to align with best practices for ensuring confidentiality and integrity of data.

Data destruction: When customers delete data or leave Azure, Microsoft follows procedures to render the previous customer’s data inaccessible.

Azure Active Directory

• Only authorized Access allowed

• MFA

• Privileged Identity Management

• Standard Protocols

• Stand-Alone or Hybrid

• Application Integration

[Slide: Azure AD diagram: on-premises Windows Server Active Directory and other directories connect to Microsoft Azure Active Directory, which provides self-service and single sign-on (username and password) to SaaS, Azure, Office 365 and other public cloud applications]

RBAC

• Connection between Azure AD and Subscription
• Default Roles
  • Owner
  • Contributor
  • Reader
• Other Roles
  • Automation Operator
  • DevTest Labs User
  • …
• Own Roles
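How a role definition turns into effective permissions, as an added example that is not from the slides or from Azure's own code: Azure RBAC resolves a role as its Actions minus its NotActions, with "*" as the only wildcard in an action string. The role definitions below are constructed and simplified (the built-in Owner, Contributor and Reader roles carry longer lists), the "VM Operator" role is a hypothetical "own role", and the probe set used for ranking is constructed.

```python
# Added example: Azure-style role resolution (Actions minus NotActions).
# Role definitions are constructed and simplified; helper names are ours.
import fnmatch

ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {"Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete"]},
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    # An "own role" in the slide's terms (hypothetical): operators may start,
    # restart and stop VMs but neither reconfigure them nor hand out rights.
    "VM Operator (custom)": {
        "Actions": ["Microsoft.Compute/virtualMachines/read",
                    "Microsoft.Compute/virtualMachines/start/action",
                    "Microsoft.Compute/virtualMachines/restart/action",
                    "Microsoft.Compute/virtualMachines/deallocate/action"],
        "NotActions": []},
}

def _matches(pattern: str, operation: str) -> bool:
    # "*" is the only wildcard in action strings; matching is case-insensitive.
    return fnmatch.fnmatchcase(operation.lower(), pattern.lower())

def is_allowed(role: dict, operation: str) -> bool:
    """Granted by some Action and not taken away by any NotAction."""
    granted = any(_matches(p, operation) for p in role["Actions"])
    excluded = any(_matches(p, operation) for p in role["NotActions"])
    return granted and not excluded

def roles_permitting(operation: str) -> list:
    """Which of the defined roles would let a principal do this operation."""
    return sorted(n for n, r in ROLES.items() if is_allowed(r, operation))

# Constructed probe set: sensitive operations a task usually does NOT need.
PROBES = ["Microsoft.Compute/virtualMachines/write",
          "Microsoft.Compute/virtualMachines/delete",
          "Microsoft.Storage/storageAccounts/listKeys/action",
          "Microsoft.Authorization/roleAssignments/write"]

def least_privilege(required: list) -> list:
    """Roles covering every required operation, tightest fit first.

    Ranked by how many of the sensitive probes the role also permits."""
    fitting = [n for n, r in ROLES.items()
               if all(is_allowed(r, op) for op in required)]
    return sorted(fitting, key=lambda n: (sum(is_allowed(ROLES[n], p)
                                              for p in PROBES), n))
```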

Azure Hierarchy

[Slide: hierarchy diagram: an Enrollment is split by Country / Branch / Subsidiary, each holding Accounts; Accounts own Subscriptions, and Subscriptions host workloads such as Application1, Application2 and ProjektA]

Azure Governance

"IT's not going to be easy…"

• Billing?!

• User Rights?!

• Protection?!

• Standards?!

• Audits?!


Guide?!

Azure Security Guide

• Operations Management Suite

• Azure Monitor

• Azure AD

• Azure Security Center

• Azure Investigation Dashboard

• Azure Network Watcher

• Traffic Analytics / NSG Flow

• Azure Advisor


Azure Security Center

Free for Azure Resources

• Security policy, assessment, and recommendations
• Connected partner solutions

15 $ / Month: Azure and Hybrid (incl. the free features)

• Security event collection and search
• Just in time VM Access
• Adaptive application controls
• Advanced threat detection for networks, VMs/servers, and Azure services
• Built-in and custom alerts
• Threat intelligence

Quiz: What is the most common attack targeting IaaS VMs?

Azure Security Center

JIT VM Access

• Known IP ranges

• 100,00 attacks/month/VM (RDP and SSH)

• Easy access to local accounts

• Always open
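Why JIT access closes the "always open" gap, as an added example that is not from the slides or from Azure's own code: a simplified NSG evaluator compares a permanently open RDP/SSH rule with a JIT-style rule that admits only a known IP range and only for the requested window. Assumed and simplified: rules apply by ascending priority, first match wins, an implicit deny-all ends the list (Azure's default DenyAllInBound rule has priority 65500), and the JIT rule carries an expiry where real JIT removes the rule when the window closes; all addresses and times are constructed.

```python
# Added example: simplified NSG evaluation, always-open vs JIT-style rules.
# Rule names, addresses (RFC 5737 test ranges) and times are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    name: str
    priority: int
    source: str                         # CIDR, or "*" for any source
    ports: tuple
    access: str                         # "Allow" or "Deny"
    expires: Optional[datetime] = None  # only JIT-created rules carry one

def evaluate(rules, src_ip: str, port: int, now: datetime) -> str:
    """Name the rule that decides an inbound packet, or the implicit deny."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.expires is not None and now >= rule.expires:
            continue                    # JIT window closed: rule is gone
        src_ok = rule.source == "*" or ip_address(src_ip) in ip_network(rule.source)
        if port in rule.ports and src_ok:
            return f"{rule.access}:{rule.name}"
    return "Deny:DenyAllInBound"

# Constructed scenarios: an "always open" NSG versus a JIT-style one.
ALWAYS_OPEN = [Rule("rdp-ssh-any", 100, "*", (3389, 22), "Allow")]
GRANTED = datetime(2018, 5, 1, 9, 0, tzinfo=timezone.utc)   # JIT request time

def jit_rules(requester_cidr: str, granted_at: datetime, hours: int = 3):
    """Allow RDP only from the known range and only for the requested window."""
    return [Rule("jit-rdp", 100, requester_cidr, (3389,), "Allow",
                 granted_at + timedelta(hours=hours)),
            Rule("deny-mgmt-ports", 1000, "*", (3389, 22), "Deny")]

def jit_scenario(requester_cidr: str = "203.0.113.0/24") -> dict:
    """Probe both NSGs with the same connection attempts."""
    rules = jit_rules(requester_cidr, GRANTED)
    in_window, after = GRANTED + timedelta(hours=1), GRANTED + timedelta(hours=4)
    return {
        "always_open_internet": evaluate(ALWAYS_OPEN, "198.51.100.7", 3389, in_window),
        "jit_known_range": evaluate(rules, "203.0.113.5", 3389, in_window),
        "jit_internet": evaluate(rules, "198.51.100.7", 3389, in_window),
        "jit_after_window": evaluate(rules, "203.0.113.5", 3389, after),
        "jit_ssh_not_requested": evaluate(rules, "203.0.113.5", 22, in_window),
    }
```

Only the first probe reaches the VM under the always-open rule from an arbitrary Internet address; under the JIT rules only the requester's range, on the requested port, inside the window, gets through.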


DEMO

Next Steps?!

Reading educates …

• Azure Virtual Datacenter Whitepaper
  • https://azure.microsoft.com/de-de/blog/azure-virtual-datacenter/
• Azure Security Overview
  • https://docs.microsoft.com/en-us/azure/security/azure-security
• Azure Trust Center
  • https://www.microsoft.com/en-us/trustcenter/security/azure-security


Questions?!

Follow: @ericberg_de | Slides: www.ericberg.de | Contact: info@ericberg.de
