Organized crime, nation states, activists, insiders: Premera Blue Cross, Anthem, Sony, Target, NSA, DoD, RSA, McDonnell Douglas, Saudi Aramco, J.P. Morgan

Upload: jeremy-williamson

Post on 19-Dec-2015


TRANSCRIPT

  • Slide 1
  • Slide 2
  • Slide 3
  • Slide 4
  • Slide 5
  • Organized crime, nation states, activists, insiders: Premera Blue Cross, Anthem, Sony, Target, NSA, DoD, RSA, McDonnell Douglas, Saudi Aramco, J.P. Morgan Chase, Home Depot, 100 U.S. banks
  • Slide 6
  • Virtualization, cloud computing, service providers
  • Slide 7
  • Responsibility for security (enterprise vs. Microsoft or other cloud service provider; SaaS, PaaS, IaaS, private): data governance & rights management; client endpoints; account & access management; identity & directory infrastructure; applications; network controls; operating system; hosting infrastructure; network infrastructure; physical datacenter
  • Slide 8
  • Administrator privileges will be compromised: social engineering, bribery, private initiative. 50 years ago we gave the administrator the keys to the kingdom. All these attacks exploit privileged accounts: stolen admin credentials, insiders, malicious service provider staff
  • Slide 9
  • Principles: trust boundaries; assume breach
  • Slide 10
  • Government, enterprises, providers, bad guys. Principles: trust boundaries; assume breach
  • Slide 11
  • Slide 12
  • Slide 13
  • Fabric, workloads, control plane: fabric manager; workload manager
  • Slide 14
  • Trust plane isolated from fabric and control plane: key service
  • Slide 15
  • Virtual Secure Mode (VSM); key service
  • Slide 16
  • VSM: VM protected at rest, in transit. 3. Deliver vTPM key encrypted to VSM. Components: TPM, key service, workload manager, HSM
  • Slide 17
  • Slide 18
  • VSM; key service
  • Slide 19
  • Trust in the environment: VSM; key service
  • Slide 20
  • VSM; key service; trust in the environment. Regulatory and compliance domain (Azure, Office 365, Dynamics CRM, Intune): ISO 27001:2013; ISO/IEC 27018:2014; U.S. Government Cloud: Federal Risk and Authorization Management Program (FedRAMP) Moderate; Family Educational Rights and Privacy Act (FERPA) N/A; Health Insurance Portability and Accountability Act (HIPAA); Payment Card Industry (PCI) Data Security Standards (DSS) Level 1 N/A; SOC 1 Type 2 (SSAE 16/ISAE 3402) attestations; SOC 2 Type 2 (AT section 101); Criminal Justice Information Services (CJIS); UK G-Cloud Official Accreditation; EU Model Clauses: EU Model Contract Clauses (EUMC); EU Safe Harbor. http://azure.microsoft.com/en-us/support/trust-center/services/
  • Slide 21
  • VSM; key service; trust in the environment. 1. Attestation request: TPM public key, VSM public key, UEFI secure boot log, HVCI policy. 2. Deliver attestation certificate. Attestation service
  • Slide 22
  • Slide 23
  • Variants of the Trust Plane pattern in many systems; the pattern can be generalized: Azure Key Vault with SQL TDE; Azure Key Vault with Azure Resource Manager; Windows Server Guardian for encrypted VMs; Azure Key Vault for encrypted VMs. Assets: certificates, data disks, containers, databases, networks, nested VMs
  • Slide 24
  • Slide 25
  • VSM: protect workload from direct attack
  • Slide 26
  • Identity and access control across clouds: AD, Azure AD, ADFS. Control plane: RBAC, Azure portal, multi-factor authentication. Just in time, just enough admin: limit administrator privileges in time and space; elevation request self-service; containment and auditability
  • Slide 27
  • Slide 28
  • Reduce attack surface: Nano Server; anti-malware & patching; workload tuning, cluster awareness, orchestration, scheduling; status and configuration baseline monitoring. Harden for common attacks: pass-the-hash mitigations (LSA in VSM); next generation credentials. Network: secure enterprise connectivity; network security groups; third-party network security appliances
  • Slide 29
  • With all this protection, are we safe now?
  • Slide 30
  • Slide 31
  • Data sources: fabric, workloads, network, storage, services; private, hosted and public clouds. Cloud-scale analytics, machine learning, third-party extensibility: behavior, anti-malware, anti-crime, industry, government
  • Slide 32
  • Slide 33
  • Slide 34
  • 1. Analyze: Advanced Threat Analytics analyzes all Active Directory-related traffic and collects relevant events from SIEM. 2. Learn: Advanced Threat Analytics automatically learns all entities' behaviors. 3. Detect: ATA builds the organizational security graph, detects abnormal behavior, protocol attacks, and weaknesses, and then constructs an attack timeline
  • Slide 35
  • Abnormal behavior: anomalous logins, remote execution, suspicious activity, unknown threats, password sharing, lateral movement. Security issues and risks: broken trust, weak protocols, known protocol vulnerabilities. Malicious attacks: Pass-the-Ticket (PtT), Pass-the-Hash (PtH), Overpass-the-Hash, Forged PAC (MS14-068), Golden Ticket, Skeleton key malware, reconnaissance, brute force. 4. Alert
  • Slide 36
  • Slide 37
  • Protect Windows and Linux, current and down-level. Cloud services: directory, key vault, detection, forensics. Minimize workflow impact on tenant and cloud owner. Consistency across clouds
  • Slide 38
  • Enterprises: apply protection, identity management, detection in private cloud; require assurance from service providers; protect assets in complex scenarios, e.g. cross-cloud disaster recovery; use detection services for all workloads. Service providers: offer protection, attestation, identity management, detection services; leverage Azure services. Everybody: get servers with TPM and UEFI; assume breach!
  • Slide 39
  • Harden the Fabric: Protecting Tenant Secrets in Hyper-V. Dean Wells. Wednesday, May 6th, 3:15 PM to 4:30 PM
  • Enabling Data Protection in Microsoft Azure. Devendra Tiwari, Thomas Knudson. Tuesday, May 5th, 5:00 PM to 6:15 PM
  • Protecting Windows and Microsoft Azure Active Directory with Privileged Access Management. Mark Wahl. Thursday, May 7th, 5:00 PM to 6:15 PM
  • How to Protect Your Corporate Resources from Advanced Attacks: Microsoft Advanced Threat Analysis Deep Dive. Demi Albuz, Benny Lakunishok. Tuesday, May 5th, 10:45 AM to 12:00 PM
  • Security Threat Analysis Using Microsoft Azure Operational Insights. Joseph Chan. Thursday, May 7th, 1:30 PM to 2:45 PM
  • How Microsoft Active Directory Helps Prevent, Detect and Remediate Attacks to your Enterprise. Alex Weinert, David Howell. Friday, May 6th, 10:45 AM to 12:00 PM
  • Slide 40
  • Microsoft Cloud Security for Enterprise Architects: systematic approach to securing your identities, data, and applications in the cloud (Visio version, PDF version)
  • Slide 41
  • Microsoft's Enterprise Cloud Roadmap: resources for IT decision makers, http://aka.ms/CloudArchitecture. Map of Microsoft SaaS, PaaS, IaaS, and private cloud offerings; identity architecture; security architecture; deployment and integration options for Exchange, Lync, and SharePoint; Azure architecture blueprints; cloud design patterns; design stencils
  • Slide 42
  • Slide 43
  • Slide 44
  • Slide 45
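The trust-plane flow on slides 16 and 21 (host sends TPM public key, VSM public key, UEFI secure boot log and HVCI policy; the attestation service issues a certificate; the key service then releases the vTPM key only to an attested VSM) is sketched below as an added Python example. It is not Microsoft's implementation: the enrolled TPM keys, the approved boot-log and HVCI-policy baselines and the HMAC standing in for the attestation service's signature are all constructed for the demo, and encryption of the key to the VSM public key is left out so the gating decisions stay the focus.

```python
import hashlib
import hmac
import json

# Constructed demo values (not from any real deployment).
ATTESTATION_SIGNING_KEY = b"demo-attestation-service-key"  # HMAC stands in for the CA signature
REGISTERED_TPM_KEYS = {"tpm-pub-host01", "tpm-pub-host02"}  # hosts the fabric owner enrolled
APPROVED_BOOT_LOG = b"secureboot:bootmgfw.efi,winload.efi,hvloader.efi"  # measured baseline
APPROVED_HVCI_POLICY = b"hvci:enforced;allowlist=v7"  # approved code-integrity policy


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_cert_body(body: dict) -> str:
    """Attestation service signature over the certificate body (HMAC in this demo)."""
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(ATTESTATION_SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def attest(request: dict):
    """Steps 1-2: check the host's evidence; return an attestation certificate or None."""
    if request["tpm_public_key"] not in REGISTERED_TPM_KEYS:
        return None  # evidence comes from hardware that was never enrolled
    if digest(request["secure_boot_log"]) != digest(APPROVED_BOOT_LOG):
        return None  # boot chain does not match the measured baseline
    if digest(request["hvci_policy"]) != digest(APPROVED_HVCI_POLICY):
        return None  # code-integrity policy is not the approved one
    body = {"tpm_public_key": request["tpm_public_key"],
            "vsm_public_key": request["vsm_public_key"]}
    return {"body": body, "sig": sign_cert_body(body)}


def release_vtpm_key(cert: dict, vsm_public_key: str, vtpm_key: bytes):
    """Step 3: the key service releases the vTPM key only to an attested VSM."""
    if not hmac.compare_digest(sign_cert_body(cert["body"]), cert["sig"]):
        return None  # certificate forged or tampered with
    if cert["body"]["vsm_public_key"] != vsm_public_key:
        return None  # certificate was issued to a different VSM
    # A real key service would encrypt vtpm_key to vsm_public_key here; the demo
    # only records the intended recipient.
    return {"recipient": vsm_public_key, "vtpm_key": vtpm_key}


def good_request() -> dict:
    """A well-formed attestation request from an enrolled, correctly booted host."""
    return {"tpm_public_key": "tpm-pub-host01", "vsm_public_key": "vsm-pub-host01",
            "secure_boot_log": APPROVED_BOOT_LOG, "hvci_policy": APPROVED_HVCI_POLICY}
```

Each check maps to one item of the slide 21 request; a host that fails any of them never obtains a certificate, so the key service has nothing to release to it.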