An advanced guide through the
Azure Security jungle
Eric Berg
Lead IT-Architekt – Team Azure / Team Modern Workplace
Azure, Datacenter and Modern Workplace
Azure, System Center, Windows Server and Client
@ericberg_de | @GeekZeugs
www.ericberg.de | www.geekzeugs.de
Intelligent Cloud Conference 2018
Event Sponsors
Intelligent Cloud Conference 2018
Expo Sponsors
Expo Light Sponsors
Security Jungle?!
Platform Services
Infrastructure Services
Compute Storage
Datacenter Infrastructure
Application Platform
WebApps
MobileApps
API Apps
Notification Hubs
HybridCloud
Backup
StorSimple
Azure SiteRecovery
Import/Export
Networking
Data
SQL Database DocumentDB
Redis Cache
AzureSearch
StorageTables
SQL DataWarehouse
Azure AD Health Monitoring
Virtual Network
ExpressRoute
Blob Files DisksVirtual Machines
AD PrivilegedIdentity Management
Traffic Manager
AppGateway
OperationalAnalytics
Compute Services
Cloud Services
BatchRemoteApp
ServiceFabric
Developer Services
Visual Studio
ApplicationInsights
VS Team Services
Containers DNSVPN Gateway
Load Balancer
Domain Services
Analytics & IoT
HDInsight MachineLearning Stream Analytics
Data Factory
EventHubs
Data LakeAnalytics Service
IoT Hub
Data Catalog
Security & Management
Azure ActiveDirectory
Multi-FactorAuthentication
Automation
Portal
Key Vault
Store/Marketplace
VM Image Gallery& VM Depot
Azure ADB2C
Scheduler
Xamarin
HockeyApp
Power BI Embedded
SQL Server Stretch Database
MobileEngagement
Functions
Intelligence
Cognitive Services Bot Framework Cortana
Security Center
Container Service
Queues
VM Scale Sets
Data Lake Store
Dev/Test Lab
Integration
BizTalkServices
Service Bus
Logic Apps
API Management
Media & CDN
Content DeliveryNetwork
Media Services
Media Analytics
Intelligent Cloud Conference 2018
Azure AD
VPN / Express Route
Azure Security Center
Encryption
Network
Logging
Azure Monitor
Network Security Groups
Reporting
Subscriptions
Antimalware Audit
MFA
Key Vault
Automation
Azure Advisor
Resource Policies
Intelligent Cloud Conference 2018
Intelligent Cloud Conference 2018
Security Components?!
Datacenter Security
Intelligent Cloud Conference 2018
Perimeter
Computer room
Building
Seismic
bracing
Security
operations center
24X7
security staff
Days of
backup power
Cameras AlarmsTwo-factor access control:
Biometric readers & card readers
Barriers Fencing
Physical Security
• Azure regions
• access control
• video surveillance
• weight locks
• In-house disc destruction
https://cloud-platform-
assets.azurewebsites.net/datacenter
Intelligent Cloud Conference 2018
Secure Multi-tenancy
• Isolates customer environments using the Fabric
Controller
• Runs a configuration-hardened version of
Windows Server as the Host OS
• Uses Hyper-V – a battle tested and enterprise
proven hypervisor
Intelligent Cloud Conference 2018
Azure
Storage
SQL
Database
FabricController
Customer
Admin
Guest VM Guest VM
Customer 2
Guest VM
Customer 1Portal
Smart API
End
Users
Host OS
Hypervisor
Microsoft Azure
Network Protection
• Provides logical isolation while
enabling customer control
• Restricts access from the
Internet, permits traffic only to
endpoints, and provides load
balancing and NAT at the Cloud
Access Layer
• Private IP addresses are
isolated from other customers
Intelligent Cloud Conference 2018
Customer 2
INTERNET
Isolated Virtual
Networks
Customer 1
Subnet 1 Deployment X Deployment Y
VLAN-to-VLAN
Cloud Access Layer
RDP Endpoint(password access)
Client
Subnet 2 Subnet 3
DNS Server
VPN
Microsoft Azure
Corp 1
Virtual Networks / VPN
• Extension of own Datacenter to Azure
• Dedicated Express Route connection
• Management over VPN
• Network Security Group (NSG)
• Azure Software Defined Network
Intelligent Cloud Conference 2018
DDoS Defense System
• Azure’s DDoS defense system
is designed not only to
withstand attacks from the
outside, but also from within.
• Azure monitors and detects
internally initiated DDoS attacks
and removes offending VMs
from the network
Intelligent Cloud Conference 2018
MSFT Routing Layer
Detection Pipeline
Profile DB
Scrubbing Array
SLB
Application
Attack Traffic
Scrubbed Traffic
Flow Data
Routing Updates
Internet
Data Segregation
• Stored data accessible only through
claims-based IDM & access control
with private key
• Storage blocks are hashed by the
hypervisor to separate accounts
• SQL Azure isolates separate
account databases
• VM switch at the host level blocks
inter-tenant communication
Intelligent Cloud Conference 2018
Azure
Storage
SQL
Database
FabricController
Customer
Admin
Guest VM Guest VM
Customer 2
Guest VM
Customer 1Portal
Smart API
End
Users
Access
Control
Host OS
Hypervisor
Microsoft Azure
Data Protection
Intelligent Cloud Conference 2018
Data segregation
Logical isolation segregates each
customer’s data from that of others.
In-transit data protection
Industry-standard protocols encrypt data
in transit to/from outside components, as
well as data in transit internally by default.
Data redundancy
Customers have multiple options for
replicating data, including number of
copies and number and location of
replication datacenters.
At-rest data protection
Customers can implement a range of
encryption options for virtual machines
and storage.
Encryption
Data encryption in storage or in transit
can be deployed by the customer to align
with best practices for ensuring
confidentiality and integrity of data.
Data destruction
When customers delete data or leave
Azure, Microsoft follows procedures to
render the previous customer’s data
inaccessible.
Azure Active Directory
• Only authorized Access allowed
• MFA
• Privileged Identity Management
• Standard Protocols
• Stand-Alone or Hybrid
• Application Integration
Intelligent Cloud Conference 2018
Self-service Singlesign on
•••••••••••
Username
Simple connection
Cloud
SaaSAzure
Office 365Publiccloud
Other Directories
Windows ServerActive Directory
On-premises Microsoft Azure Active Directory
RBAC
• Connection between Azure AD and Subscription
• Default Roles
• Owner
• Contributor
• Reader
• Other Roles
• Automation Operator
• DevTest Labs User
• …
• Own Roles
Intelligent Cloud Conference 2018
Azure Hierarchy
Intelligent Cloud Conference 2018
Accounts
Accounts
Accounts
Accounts
Subscription
Application1
Subscription
ProjektA
Application2
Subscription
…
Subscription
…
Enrollment
Country /
Branch /
Subsidiary
Country /
Branch /
Subsidiary
Country /
Branch /
Subsidiary
Country /
Branch /
Subsidiary
Azure Governance
„IT‘s not going to be easy…“
• Billing?!
• User Rights?!
• Protection?!
• Standards?!
• Audits?!
Intelligent Cloud Conference 2018
Guide?!
Azure Security Guide
• Operations Management Suite
• Azure Monitor
• Azure AD
• Azure Security Center
• Azure Investigation Dashboard
• Azure Network Watcher
• Traffic Analytics / NSG Flow
• Azure Advisor
Intelligent Cloud Conference 2018
Azure Security Center
Azure Security Center
Free for Azure Ressources
• Security policy, assessment, and
recommendations
• Connected partner solutions
15 $ / Month Azure and Hybrid (incl. free)
• Security event collection and search
• Just in time VM Access
• Adaptive application controls
• Advanced threat detection for networks,
VMs/servers, and Azure services
• Built-in and custom alerts
• Threat intelligence
Intelligent Cloud Conference 2018
Quiz:
What is the most common attack targeting IaaS
VMs?
Azure Security Center
JIT VM Access
• Known IP ranges
• 100,00 attacks/month/VM (RDP and SSH)
• Easy access to local accounts
• Always open
Intelligent Cloud Conference 2018
DEMO
Next Steps?!
Reading educates …
• Azure Virtual Datacenter Whitepaper
• https://azure.microsoft.com/de-de/blog/azure-virtual-
datacenter/
• Azure Security Overview
• https://docs.microsoft.com/en-
us/azure/security/azure-security
• Azure Trust Center
• https://www.microsoft.com/en-
us/trustcenter/security/azure-security
Intelligent Cloud Conference 2018
Network Security Groups
Azure AD
VPN / Express Route
Azure Security Center
Encryption
Network
Logging
Azure Monitor
Reporting
Subscriptions
Antimalware
Audit
MFA
Key Vault
Automation
Azure Advisor
Resource Policies
Questions?!
Follow: @ericberg_de | Slides: www.ericberg.de | Contact: [email protected]