Azure Security Services, Features and Options. Ioannis Stavrinides, Technical Evangelist, CEE MC


Page 1: Azure Security Services, Features and Options

Ioannis Stavrinides, Technical Evangelist, CEE MC

Page 2: Agenda for today

• General security features
• Encryption
• Other security mechanisms
• Azure Active Directory security features
• Azure Key Vault
• SQL Db security features
• Azure Security Center

Page 3: Securing your services shouldn’t be an afterthought

It should be the foundation of the process.

Page 4: General security features

Page 5: Encryption

Page 6: Encryption

Data in transit:
• Strong SSL/TLS cipher suite
• Perfect Forward Secrecy
• Datacenter-to-datacenter encryption

Data at rest:
• BitLocker disk encryption
• Per-file encryption for customer content

Page 7: Encryption in Transit

Azure:
• Encrypts communication between Azure datacenters
• Encrypts transactions through the Azure Portal with HTTPS
• Supports FIPS 140-2

Customer:
• Can choose HTTPS for the REST API (recommended)
• Configures HTTPS endpoints for applications running in Azure
• Encrypts traffic between web client and server by implementing TLS on IIS

Page 8: Encryption at Rest

Provides defense-in-depth against:
• Offline attacks
• Online attacks when keys are used as a secondary AuthZ mechanism

Encryption at rest is required by certain sovereign laws and certifications.

Page 9: Azure E@R (Encryption at Rest) Promises

Control:
• Customers can choose if and when data is encrypted
• Customers can choose what encryption keys are used and where they are stored
• Customers can decide at any time to revoke access to the keys and data

Transparency:
• Customers have full visibility into the encryption state of their data
• Customers know at any time where their data is stored
• Customers can view logs related to the stored data and keys at any time

Page 10: Encryption Models

Server encryption:

Server-side encryption using service-managed keys
• Azure services can see decrypted data
• Microsoft manages the keys
• Full cloud functionality

Server-side encryption using customer-managed keys in Azure Key Vault
• Azure services can see decrypted data
• Customer controls keys via Azure Key Vault
• Full cloud functionality

Server-side encryption using on-prem customer-managed keys
• Azure services can see decrypted data
• Customer controls keys on-prem
• Full cloud functionality

Client encryption:
• Azure services cannot see decrypted data
• Customer keeps keys on-premises
• REDUCED cloud functionality

Page 11: Other security mechanisms

Page 12: Firewall Protection (GA)

Page 13: Threat Detection (GA)

Page 14: Network Security Group (GA)

Page 15: Role Based Access Control (GA)

Page 16: Azure Active Directory

Page 17: Integration (GA)

• Federation for AD integration
• Directly from the Portal, no code necessary
• Using the Active Directory Authentication Library (ADAL) for custom scenarios

Page 18: Azure AD B2C: IdMaaS for Applications (IN PREVIEW)

• Azure AD security, availability, and scalability for customer IDM
• Adds B2C features to Azure AD
  • Social IdPs and “application local accounts”
  • Self-service sign up, password reset, profile management
  • Customizable sign in and sign up UI
  • Same protocols, libraries, and programming model
• Consumption based pricing
  • Meters for # of users and # of authentications

Page 19: Azure AD B2C (IN PREVIEW)

Page 20: Microsoft account + Azure AD (GA)

• Many apps want to sign users in from both Microsoft account and Azure AD
• Working on a unified dev experience
  • Single endpoint, OpenID Connect and OAuth 2.0
  • Single SDK
  • Single end user sign in experience
  • Single streamlined app registration experience, outside of the Azure portal, no Azure subscription required
  • Works with unified Office business + consumer APIs

Page 21: Enhanced Device Support (IN PREVIEW)

Windows 10 Azure AD Join: sign in to the desktop with an Azure AD account. Single sign-on to:
• Kerberos-based on-premises applications
• Native applications that use WebAccountManager
• Web apps that support Azure AD sign-in

Page 22: Multi Factor Authentication (GA)

Authenticate the user over a different channel:
• Text
• Call
• Authenticator app
• Secure tokens

Username/password is something you know; the second factor is something you own/have (device, RSA tokens etc.).

Page 23: Self Service Password Reset (GA)

Administrators can create users and know only their initial password
• User must change password on first log-in

Users can reset their password without contacting support
• Two factor authentication (phone, secondary email)

Page 24: Rights Management (RMS) (GA)

• Protect information from unauthorized access
• Protect information anywhere
• Audit and monitor usage

Page 25: Azure Active Directory Advanced Monitoring Features

Page 26: Brute Force attack

Page 27: Sign in from anonymizing network

IP Address: 31.172.30.4

Page 28: Unlikely Travel

[email protected]: Seattle, WA; time: 8:29 AM PST (3:29 PM UTC)
[email protected]: Somewhere in Asia; time: 7:54 AM local time (3:54 PM UTC)

Page 29: Tenant spanning activity

IP Address: 199.34.28.10
X Bad username
X Bad password
X Bad password
X Bad password
X Bad username
X Bad username
X Bad username
X Bad password

Page 30: Sign in from known, infected device

Page 31: Active Directory Identity Protection (IN PREVIEW)

Using the aforementioned features:
• Compiles a risk score for the sign-in attempt
• Surfaces the data to administrators
• Admins can investigate and tend to events manually
• Policies for automated mitigation: request 2FA, or block the request
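The detections on pages 26 to 31 (brute force, anonymizing network, unlikely travel, tenant-spanning activity) appear on the slides only as screenshots, so here is an added example, not Microsoft's code and not part of the original deck, that runs the same three signals over a constructed sign-in sample and folds them into the per-user action the Identity Protection slide describes. The record layout, the 1000 km/h travel threshold, the RISKY_IPS feed and the scoring weights are all assumptions made for the example.

```python
from collections import namedtuple
from math import radians, sin, cos, asin, sqrt

# One sign-in event (constructed schema, not the real Azure AD report format); ts = minutes after midnight UTC, ok=False = bad username/password.
SignIn = namedtuple("SignIn", "user ip ok ts lat lon")

RISKY_IPS = {"31.172.30.4"}   # hypothetical anonymizer / infected-host feed (address taken from the slides)

# Constructed sample: Seattle then Asia 25 minutes apart, one sign-in via a risky IP, and one IP failing four times against accounts in three tenants.
EVENTS = [
    SignIn("alice@contoso.example", "203.0.113.5", True, 15 * 60 + 29, 47.61, -122.33),
    SignIn("alice@contoso.example", "198.51.100.7", True, 15 * 60 + 54, 1.35, 103.82),
    SignIn("bob@contoso.example", "31.172.30.4", True, 16 * 60, 52.52, 13.40),
] + [SignIn(u, "199.34.28.10", False, 16 * 60 + i, 40.71, -74.00)
     for i, u in enumerate(["carol@contoso.example", "dave@fabrikam.example", "carol@contoso.example", "erin@tailspin.example"])]

def km(a, b):   # great-circle (haversine) distance in km between two events
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def unlikely_travel(events, max_kmh=1000.0):
    # (user, km, hours) for consecutive successful sign-ins implying travel faster than max_kmh
    hits, last = [], {}
    for e in sorted(events, key=lambda e: e.ts):
        if not e.ok:
            continue
        prev = last.get(e.user)
        if prev is not None:
            hours, dist = (e.ts - prev.ts) / 60, km(prev, e)
            if dist > max_kmh * hours:              # also fires when hours == 0
                hits.append((e.user, round(dist), round(hours, 2)))
        last[e.user] = e
    return hits

def spray_from_single_ip(events, min_failures=4, min_users=2):
    # (ip, users, failures) for one IP failing repeatedly across several accounts (tenant-spanning pattern)
    fails = {}
    for e in events:
        if not e.ok:
            fails.setdefault(e.ip, []).append(e.user)
    return [(ip, sorted(set(us)), len(us)) for ip, us in fails.items()
            if len(us) >= min_failures and len(set(us)) >= min_users]

def risk_report(events):
    # Fold the signals into a per-user action, mirroring the policy options on the slide.
    score = {}
    for user, _, _ in unlikely_travel(events):
        score[user] = score.get(user, 0) + 2
    for e in events:                                # sign-in from an anonymizing / infected address
        if e.ok and e.ip in RISKY_IPS:
            score[e.user] = score.get(e.user, 0) + 2
    for _, users, _ in spray_from_single_ip(events):
        for user in users:                          # targeted accounts get a low-risk bump
            score[user] = score.get(user, 0) + 1
    return {u: "block" if s >= 2 else "request_2fa" for u, s in score.items()}
```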

Page 32: More AD Security features in Preview

• Privileged Identity Management
• Dynamic Group Membership
• Conditional Access Policies
• Password Rollover
• Self-Service Access Requests

Page 33: Azure Key Vault (GA)

Page 34: Secret management asks from our customers

“My app on Azure has passwords and cryptographic keys…”
“I need a safe place to save these in Azure.”
“I need to (re)use AD users and groups to manage access to secrets.”
“I do NOT want to be in the news for a silly mistake.”

Page 35: Azure Key Vault

An Azure resource provider that lets you:
• Store & manage SECRETS (esp. app config), and release them to authorized apps & users.
• Store & manage KEYS, and perform cryptographic operations in an isolated service.

Backed by Hardware Security Modules:
• All secrets and keys are protected at rest with a key chain terminating in HSMs.
• Keys marked as ‘HSM-protected’ are protected even at runtime with HSMs.

Key Vault ≠ customer’s dedicated HSM:
• Azure Key Vault is a multi-tenant service backed by Microsoft-managed HSMs.

Page 36: Your ORG is in control via Active Directory

Users and apps authenticate to your key vaults using your organization’s Azure AD.

Benefits for organizations:
• Organizations can centrally revoke access to ALL key vaults in their organization.
• If a user leaves, they instantly lose access to ALL key vaults in the organization.
• Organizations can customize authentication via the options in Azure AD.
• Azure does not have ANY default access to the customer’s key vault for the disk encryption feature.

Page 37: Azure SQL Db

Page 38: Transparent Data Encryption (GA)

Regulatory compliance: TDE is a requirement for HIPAA, PCI, SOX etc.

Simplicity:
• On by default (V12)
• Protects database, backups and logs
• Keys managed by the service

Transparent: no changes needed from the app.

Page 39: Row-Level Security (GA)

Fine-grained access control:
• Multi-tenant databases by definition allow access by different customers
• RLS restricts access to each customer’s data to that specific customer

Application transparency: no change needed for queries.

Centralized security logic:
• Logic lives in the database
• Schema-bound to the protected table
• Higher security, reduced app maintenance and complexity

Page 40: Dynamic Data Masking (IN PREVIEW)

Limit sensitive data exposure: on-the-fly obfuscation.

Policy driven:
• Multiple OOB functions available
• Define privileged users
• Recommends fields to mask

Diagram: Azure DB, Table.CreditCardNo (4465-6571-7868-5796, 4468-7746-3848-1978, 4484-5434-6858-6550) → Dynamic Masking

Page 41: Always Encrypted (IN PREVIEW)

• Client-side encryption for Azure SQL Db
• Data transparently encrypted inside a client driver
• Client manages keys
• Encrypted data is queryable
• Sensitive data remains encrypted at all times (never (!) decrypted)

Page 42: Threat Detection (IN PREVIEW)

Detects anomalous database activities indicating potential security threats to the database:
• SQL injection
• Logging of suspicious, anomalous behavior

Page 43: Azure Security Center (IN PREVIEW)

Page 44: Azure Security Center

Prevent, Detect, Respond
• Integrated monitoring across subscriptions
• Broad ecosystem

Page 45: Azure Security Center: Prevention

• Monitor security state
• Define policies and provide recommendations
• Rapid deployment of security services

Page 46: Azure Security Center: Detection

• Collection and analysis of security data
• Leverage global threat intelligence data
• Advanced analytics (machine learning, behavioral analysis)

Page 47: Azure Security Center: Respond

• Prioritize security incidents/alerts
• Insights into the source of attacks and impacted resources
• Suggestions to stop the attack and prevent future attacks

Page 48: Links

• Encryption in Transit
• Encryption at Rest
• Azure IaaS Firewall
• Azure NetSec Whitepaper
• Azure NSGs
• Azure RBAC
• Azure AD
• AAD B2C
• Microsoft Account + AAD
• Azure AD Domain Services
• Azure AD MFA
• Azure AD Self-Service Pass Reset
• Azure RMS
• Azure AD Identity Protection
• Azure Key Vault
• Azure SQL Db TDE

Page 50: Questions?

Page 51: Thank you