An advanced guide through the Azure Security jungle - Intelligent Cloud Conference


Post on 22-May-2020


Page 1: An advanced guide through the - Intelligent Cloud Conference · Azure Security Center. Free for Azure Ressources • Security policy, assessment, and recommendations • Connected
Page 2

An advanced guide through the Azure Security jungle

Page 3

Eric Berg

Lead IT Architect – Team Azure / Team Modern Workplace

Azure, Datacenter and Modern Workplace

Azure, System Center, Windows Server and Client

[email protected]

@ericberg_de | @GeekZeugs

www.ericberg.de | www.geekzeugs.de

Intelligent Cloud Conference 2018

Page 4

Event Sponsors


Expo Sponsors

Expo Light Sponsors

Page 5

Security Jungle?!

Page 6

[Diagram: map of Azure services at the time of the talk, grouped by category]

• Platform Services: Application Platform (Web Apps, Mobile Apps, API Apps, Notification Hubs, Functions), Data (SQL Database, DocumentDB, Redis Cache, Azure Search, Storage Tables, SQL Data Warehouse, Data Lake Store), Analytics & IoT (HDInsight, Machine Learning, Stream Analytics, Data Factory, Event Hubs, Data Lake Analytics, IoT Hub, Data Catalog), Intelligence (Cognitive Services, Bot Framework, Cortana), Integration (BizTalk Services, Service Bus, Logic Apps, API Management), Media & CDN (Content Delivery Network, Media Services, Media Analytics), Developer Services (Visual Studio, Application Insights, VS Team Services, HockeyApp, Xamarin, Dev/Test Lab), Security & Management (Azure Active Directory, Multi-Factor Authentication, Azure AD B2C, AD Privileged Identity Management, Key Vault, Security Center, Automation, Portal, Scheduler, Store/Marketplace, Operational Analytics)

• Infrastructure Services: Compute (Virtual Machines, VM Scale Sets, Cloud Services, Batch, RemoteApp, Service Fabric, Container Service), Storage (Blob, Files, Disks, Queues, Import/Export), Networking (Virtual Network, ExpressRoute, VPN Gateway, Load Balancer, Traffic Manager, App Gateway, DNS), Hybrid Cloud (Backup, StorSimple, Azure Site Recovery), Datacenter Infrastructure

Page 7


Page 8

Security topics shown on the slide: Azure AD, VPN / Express Route, Azure Security Center, Encryption, Network, Logging, Azure Monitor, Network Security Groups, Reporting, Subscriptions, Antimalware, Audit, MFA, Key Vault, Automation, Azure Advisor, Resource Policies

Page 9


Page 10

Security Components?!

Page 11

Datacenter Security

[Diagram: layers of physical datacenter security: perimeter (barriers, fencing), building, computer room, seismic bracing, cameras, alarms, two-factor access control with biometric readers & card readers, a security operations center with 24x7 security staff, and days of backup power.]

Page 12

Physical Security

• Azure regions

• Access control

• Video surveillance

• Weight locks

• In-house disc destruction

https://cloud-platform-assets.azurewebsites.net/datacenter

Page 13

Secure Multi-tenancy

• Isolates customer environments using the Fabric Controller

• Runs a configuration-hardened version of Windows Server as the Host OS

• Uses Hyper-V – a battle-tested and enterprise-proven hypervisor

[Diagram: Microsoft Azure layers: Hypervisor and Host OS running Guest VMs for Customer 1 and Customer 2, managed by the Fabric Controller; Azure Storage and SQL Database alongside; Customer Admin and End Users reach the platform through the Portal and the Smart API.]

Page 14

Network Protection

• Provides logical isolation while enabling customer control

• Restricts access from the Internet, permits traffic only to endpoints, and provides load balancing and NAT at the Cloud Access Layer

• Private IP addresses are isolated from other customers

[Diagram: Customer 1 and Customer 2 in isolated virtual networks inside Microsoft Azure (Subnet 1 with Deployment X and Deployment Y, Subnet 2, Subnet 3, DNS Server, VLAN-to-VLAN), reached from the Internet through the Cloud Access Layer (RDP endpoint with password access) and from a Corp 1 client over VPN.]

Page 15

Virtual Networks / VPN

• Extension of own Datacenter to Azure

• Dedicated Express Route connection

• Management over VPN

• Network Security Group (NSG)

• Azure Software Defined Network


Page 16

DDoS Defense System

• Azure's DDoS defense system is designed not only to withstand attacks from the outside, but also from within.

• Azure monitors and detects internally initiated DDoS attacks and removes offending VMs from the network

[Diagram: attack traffic from the Internet enters the MSFT Routing Layer; flow data feeds a Detection Pipeline backed by a Profile DB, which issues routing updates that divert traffic through a Scrubbing Array; scrubbed traffic continues via the SLB to the Application.]

Page 17

Data Segregation

• Stored data accessible only through claims-based IDM & access control with private key

• Storage blocks are hashed by the hypervisor to separate accounts

• SQL Azure isolates separate account databases

• VM switch at the host level blocks inter-tenant communication

[Diagram: the same Microsoft Azure layer diagram as on page 13 (Hypervisor, Host OS, Guest VMs for Customer 1 and Customer 2, Fabric Controller, Azure Storage, SQL Database, Portal, Smart API, Customer Admin, End Users), with an Access Control layer in front of storage.]

Page 18

Data Protection

• Data segregation: Logical isolation segregates each customer's data from that of others.

• In-transit data protection: Industry-standard protocols encrypt data in transit to/from outside components, as well as data in transit internally by default.

• Data redundancy: Customers have multiple options for replicating data, including number of copies and number and location of replication datacenters.

• At-rest data protection: Customers can implement a range of encryption options for virtual machines and storage.

• Encryption: Data encryption in storage or in transit can be deployed by the customer to align with best practices for ensuring confidentiality and integrity of data.

• Data destruction: When customers delete data or leave Azure, Microsoft follows procedures to render the previous customer's data inaccessible.

Page 19

Azure Active Directory

• Only authorized access allowed

• MFA

• Privileged Identity Management

• Standard Protocols

• Stand-alone or Hybrid

• Application Integration

[Diagram: Microsoft Azure Active Directory in the cloud providing self-service single sign-on (username and password) and simple connection to SaaS, Azure, Office 365 and other public cloud services, alongside on-premises Windows Server Active Directory and other directories.]

Page 20

RBAC

• Connection between Azure AD and Subscription

• Default Roles

  • Owner

  • Contributor

  • Reader

• Other Roles

  • Automation Operator

  • DevTest Labs User

  • …

• Own Roles

Page 21

Azure Hierarchy

[Diagram: enterprise enrollment hierarchy: Enrollment at the top, Country / Branch / Subsidiary beneath it, Accounts under each of those, and Subscriptions under each account (labelled Application1, Application2, ProjektA).]

Page 22

Azure Governance

"IT's not going to be easy…"

• Billing?!

• User Rights?!

• Protection?!

• Standards?!

• Audits?!


Page 23

Guide?!

Page 24

Azure Security Guide

• Operations Management Suite

• Azure Monitor

• Azure AD

• Azure Security Center

• Azure Investigation Dashboard

• Azure Network Watcher

• Traffic Analytics / NSG Flow

• Azure Advisor


Page 25

Azure Security Center

Page 26

Azure Security Center

Free for Azure Resources

• Security policy, assessment, and recommendations

• Connected partner solutions

$15 / month: Azure and Hybrid (includes the free tier)

• Security event collection and search

• Just-in-time VM Access

• Adaptive application controls

• Advanced threat detection for networks, VMs/servers, and Azure services

• Built-in and custom alerts

• Threat intelligence

Page 27

Quiz: What is the most common attack targeting IaaS VMs?

Page 28

Azure Security Center

JIT VM Access

• Known IP ranges

• 100,00 attacks/month/VM (RDP and SSH)

• Easy access to local accounts

• Always open

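To make the contrast between "always open" management ports and just-in-time access concrete, here is an added example that is not part of the talk: a small Python model (a simplification, not Azure's actual JIT implementation or API) of an NSG whose baseline rule denies RDP/SSH from everywhere and only opens a port for a requester inside a known IP range, for a bounded time window. The class names, address ranges and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    priority: int             # lower number wins, as in an Azure NSG
    access: str               # "Allow" or "Deny"
    ports: set                # destination ports the rule covers
    sources: list             # source prefixes the rule covers
    expires: datetime = None  # None = permanent; set on JIT grants

class JitNsg:
    """Hypothetical model of an NSG under JIT control (constructed, not Azure's API)."""
    MGMT_PORTS = {22, 3389}   # SSH and RDP, the ports the slide warns about

    def __init__(self, known_ranges):
        self.known = [ip_network(r) for r in known_ranges]
        # Baseline: management ports are closed to everyone until requested.
        self.rules = [Rule(4000, "Deny", set(self.MGMT_PORTS), ["0.0.0.0/0"])]

    def request(self, src_cidr, port, minutes, now):
        """Open `port` for `src_cidr` for `minutes`; refused outside the known ranges."""
        net = ip_network(src_cidr)
        if port not in self.MGMT_PORTS or not any(net.subnet_of(k) for k in self.known):
            return False
        self.rules.append(Rule(100 + len(self.rules), "Allow", {port}, [src_cidr],
                               now + timedelta(minutes=minutes)))
        return True

    def evaluate(self, src_ip, port, now):
        """Purge expired grants, then let the first matching rule by priority decide."""
        self.rules = [r for r in self.rules if r.expires is None or r.expires > now]
        for r in sorted(self.rules, key=lambda r: r.priority):
            if port in r.ports and any(ip_address(src_ip) in ip_network(s) for s in r.sources):
                return r.access
        return "Deny"  # nothing matched: treated as denied (model simplification)

def run_scenario():
    """Walk the slide's scenario with constructed addresses; returns the decisions in order."""
    t0 = datetime(2018, 5, 1, 9, 0, tzinfo=timezone.utc)
    nsg = JitNsg(["203.0.113.0/24"])                              # constructed admin range
    out = [nsg.evaluate("203.0.113.7", 3389, t0)]                 # Deny: nothing requested yet
    out.append(nsg.request("198.51.100.0/24", 3389, 60, t0))      # False: unknown range refused
    out.append(nsg.request("203.0.113.0/24", 3389, 60, t0))       # True: known range granted
    out.append(nsg.evaluate("203.0.113.7", 3389, t0 + timedelta(minutes=10)))   # Allow
    out.append(nsg.evaluate("198.51.100.9", 3389, t0 + timedelta(minutes=10)))  # Deny
    out.append(nsg.evaluate("203.0.113.7", 3389, t0 + timedelta(minutes=61)))   # Deny: expired
    return out
```

The point of the model is the shape of the rule set: a permanent deny at low priority on the management ports, and time-bounded, source-scoped allows layered above it only while a request is active.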

Page 29

DEMO

Page 30

Next Steps?!

Page 31

Reading educates …

• Azure Virtual Datacenter Whitepaper

  • https://azure.microsoft.com/de-de/blog/azure-virtual-datacenter/

• Azure Security Overview

  • https://docs.microsoft.com/en-us/azure/security/azure-security

• Azure Trust Center

  • https://www.microsoft.com/en-us/trustcenter/security/azure-security

Page 32

Security topics shown on the slide: Network Security Groups, Azure AD, VPN / Express Route, Azure Security Center, Encryption, Network, Logging, Azure Monitor, Reporting, Subscriptions, Antimalware, Audit, MFA, Key Vault, Automation, Azure Advisor, Resource Policies

Page 33

Questions?!

Follow: @ericberg_de | Slides: www.ericberg.de | Contact: [email protected]