Azure Security I
Access between PaaS Roles (web/worker) internally occurs through what type of endpoints.
Internal Endpoints Complex rules can be set up in the service definition specifying which Roles can talk to which other Roles. This option is only available in PaaS as IaaS does not offer it.
What does Azure use to help identify and mitigate threats from both outside and inside of Azure?
Intrusion detection Prevention systems including DOS prevention Regular penetration testing Forensic tools
What does reimaging help prevent?
Intrusions that weren't detected. This makes it much more difficult for a compromise to persist. Iaas VM's could allow such an intrusion to persist making it more difficult to remove.
What allows communication between deployments using private IP addresses?
Isolated Virtual Network
What does an Azure Active Directory (a.k.a. Directory) keep track of?
It keeps track of organization users and resources that are outside of an organizations network unless a hyrbid approach is used to sync the on-premises directory with the Azure directory.
What are some of the security measures that MS takes to protect customer data?
• Physical access to Windows Azure datacenters is severely restricted. • The Windows Azure infrastructure is segmented off from Microsoft's internal corporate network. • Microsoft does not maintain credentials into customer Virtual Machines. • Access to infrastructure components (e.g. the machines which host customer Virtual Machines) is severely limited and heavily audited. • All data traveling within Windows Azure datacenters or globally between Windows Azure datacenters travels over tightly controlled, Microsoft-owned links. It is important to note that these links are not line-encrypted and may cross national borders. • Numerous platform features prevent network eavesdropping and spoofing. • All disk drives which housed customer data are securely wiped before disposal.
What annual audit validates that Microsoft has implemented the internationally recognized information security controls defined in this standard?
ISO 27001
Why can't the Service Administrator be an organization account that resides in the Azure Directory?
If you were to delete the organization user, than the subscription would be left without a Service Administrator. This is why a Microsoft account should be used as the Service Administrator.
Access from the Internet to PaaS Roles (web/worker) occurs through what type of endpoints which are specified in the service definition file?
Input Endpoints
1 of 100 All communications between Azure internal components are protected with this type of security.
SSL
TLS is the new name for what?
SSL
What protocol should always be used to create and distribute SAS?
SSL Otherwise, man-in-the-middle can read SAS and then access the data.
Where in the Azure Portal can key-value pairs be entered for application configuration values for Cloud Services Web Role and Worker Role?
Service Configuration for the role. The code should check RoleEnviroment.IsAvailable; and if not, fall back to your web.config settings which can have the local development settings defined. This works well for connectionStrings.
What do you use to securely share access to Azure storage blobs and containers.
Shared Access Signatures
What enables you to fine-tune access to a blob or container resource?
Shared Access Signatures (SAS)
What's the storage signature called that allows an application to produce a URL with built-in permissions, including a time window in which the signature is valid?
Shared Access Signatures (SAS)
What's the storage signature called that allows for the creation of container-level access policies which can be referenced in signatures and then modified or revoked later?
Shared Access Signatures (SAS)
Azure Portal Roles can be assigned to what types of Azure AD security principals?
*Users* User roles can be assigned to organizational users that are in the Azure AD with which the Azure subscription is associated. Roles can also be assigned to external Microsoft account users (such as [email protected]) by using the Invite action to assign the user to a role in the Azure Preview portal. Assigning a role to an external Microsoft account user causes a guest account to be created in the Azure AD for it. If this guest account is disabled in the directory, the external user won't be allowed to access any Azure resource that the user has been granted access to. *Groups* Group roles can be assigned to Azure AD security groups. A user is automatically granted access to a resource if the user becomes a member of a group that has access. The user also automatically loses access to the resource after getting removed from the group. Managing access via groups by assigning roles to groups and adding users to those groups is the best practice, instead of assigning roles directly to users. Azure RBAC does not allow assigning roles to distribution lists. The ability to assign roles to groups lets an organization extend its existing access control model from its on-premises directory to the cloud, so security groups that are already established to control access on-premises can be re-used to control access to resources in the Azure Preview portal. For more information about different options for synchronizing users and groups from an on-premises directory, see Directory integration. Azure AD Premium also offers a delegated group management feature with which the ability to create and manage groups can be delegated to non-administrator users from Azure AD. *Service Principals* Service identities are represented as service principals in the directory. They authenticate with Azure AD and securely communicate with one another. Services can be granted access to Azure resources by assigning roles via the Azure module for Windows PowerShell to the Azure AD service principal representing that service.
What is used to access the Azure Marketplace datasets in the following 3 scenarios? 1. When I access my dataset? 2. When users access my dataset? 3. When applications access the Marketplace API?
1. Use shared key. 2. Use OAuth delegation. Users will be prompted to provide their Live ID / Microsoft Account credentials. 3. Marketplace API requires authentication to successfully accomplish calls to it.
When an entire storage account or subscription is deleted, Windows Azure may preserve the contents of the storage account for up to how many days? What should customer do if it explicitly wants to assure the data is deleted as quickly as possible?
90 Customer should delete all of the tables and blob containers from a storage account before deleting the storage account itself.
How long does the time-based one time password (TOTP) for Multi-Factor Authentication stay valid?
90 seconds This means you have 90s to use the TOTP that was sent to your device.
What's the relationship between subscriptions and directories?
A subscription trusts only 1 directory for the subscription. A directory can be trusted by many Subscriptions (i.e. Office365, Azure, etc.). Deleting a subscription does not delete a directory. Directories enable SSO using AD Access Control services.
What enforces security separation for Cloud Services and VM's across customers?
A virtualized Host/Guest boundary is used to enforce security separation. An Azure Web site can share a virtual machine with other Windows Azure Web Sites tenants. Isolation in that case is provided within IIS.
What enables centralized authentication and authorization for your cloud application by working with standards-based identity providers, including Active Directory as well as consumer web identities such as Microsoft Account, Google, Yahoo!, and Facebook?
AD Access Control Its free! Use it to manage user accounts, synchronize with existing on-premises directories, and get single sign on across Azure, Office 365 and hundreds of popular software-as-a-service applications including Salesforce, DocuSign, Google Apps, Box, Dropbox, and more.
What AD service level includes Multi-Factor Authentication (Free, Basic, or Premium)?
AD Premium
How does Resource Scope work for RBAC in Azure Portal?
Access does not need to be granted to the entire subscription. Roles can also be assigned for *resource groups* as well as for *individual resources*. In Azure RBAC, a resource inherits role assignments from its parent resources. So if a user, group, or service is granted access to only a resource group within a subscription, they will be able to access only that resource group and resources within it, and not the other resources groups within the subscription. As another example, a security group can be added to the Reader role for a resource group, but be added to the Contributor role for a database within that resource group.
What enables customers to manage access to Azure, Office 365 and a world of other cloud apps?
Active Directory
What service is a comprehensive and high available identity and access management cloud solution?
Active Directory
What are 3 main IAM features in Azure that allow customers to secure access to applications?
Active Directory Multi-factor Authentication Access Monitoring
PREVIEW What feature of Azure AD allows member-password and user-access administration to be delegated to individual users?
Administration Delegation (Azure AD)
How many compliance programs has Azure had independently verified?
Around 10 (9 as of 12/6/2014)
How do you securely access data managed by in-memory cache?
Azure AD Access Control In-memory cache (formerly known as Azure Cache) relies on Azure AD Access Control for authentication. It uses shared keys available through the management portal. Use the keys in your code or configuration files when accessing the cache. Be sure to store the keys securely so as to avoid information disclosure.
How do you securely access Azure Service Bus queues?
Azure AD Access Control Service Bus and Azure AD Access Control have a special relationship in that each Service Bus service namespace is paired with a matching Access Control service namespace of the same name, with the suffix "-sb". The reason for this special relationship is in the way that Service Bus and Access Control manage their mutual trust relationship and the associated cryptographic secrets.
What Azure AD Premium service lets you publish applications, such as SharePoint sites, Outlook Web Access and IIS-based apps, inside your private network and provides secure access to users outside your network?
Azure AD Application Proxy Employees can log into your apps from home, on their own devices and authenticate through this cloud-based proxy. You enable the AD Application Proxy in Azure Management Portal within AD Premium and then a setup file for the *Application Proxy Connector* can be downloaded and install the on a server inside the private network. Note: This is only available with the AD Premium service.
What wizard guides an administrator through the process of connecting an on-premises Active Directory forest to the cloud?
Azure Active Directory Connect Please note there will no longer be separate releases of Azure AD Synchronization and Azure AD Connect. And we have no future releases of DirSync planned. Azure AD Connect is now your one stop shop for sync, sign on and all combinations of hybrid connections.
Azure is administered by specific people who access services via this system.
Azure Customer Information System (ACIS)
What currently provides the best support for managing keys in the form of a secure certificate store?
Azure Portal certificate store. Once uploaded, private keys cannot be exported. Developers may access them though the standard Windows Certificate Store or via thumbprint references in the Service Configuration. Certificates can be provisioned into the Virtual Machine images certificate store using the standard process for Windows. Storing private keys in Windows Azure Storage is not recommended.
All Windows Azure Compute services are hosted on dedicated virtual machines, with the exception of which compute service which may be hosted on a VM shared with other customers.
Azure Web Sites
Unlike PaaS and IaaS VMs, customers cannot get administrative access to VMs for which Compute because this could compromise their isolation.
Azure Websites Azure Web Sites are hosted on a customized version of PaaS. The primary difference is that the roles have been tailored to facilitate Web hosting tasks, and different Web sites hosted on the same VM are isolated from one another by Internet Information Services (IIS).
What's the strongest data encryption that is offered on Azure?
Azure offers a wide range of encryption capabilities up to AES-256
This web service API controls all aspects of an Azure account - from deploying new code, changing configuration, scaling up and down services, managing storage accounts, etc.
Azure's Service Management API (SMAPI)
What vendor provides an web application firewall for Azure?
Barracuda Web Application Firewall
What protects communications within and between deployments of Azure services, from Azure to on-premises datacenters, and from Azure to administrators and users?
Built-in SSL and TLS cryptography
Why does cloud computing pose a higher security risk?
Cloud technologies and services are exposed as end points that can be potentially exploited by attackers versus in-memory components. This means more responsibility lies with the application developers to keep it secure.
What design pattern minimizes an applications attack surface by moving access to storage/DB out of the web site/role that is accessed by users?
Gatekeeper and Key Master - This creates a DMZ type design by having the web role (Gatekeeper) access another web/worker role (key master) that has access to storage and database.
100 of 100 What are the 2 ways that Azure administrators can authenticate themselves to Azure when using a tool such as Powershell, Visual Studio, etc. to manage/create/deploy/automate Azure services?
Credentials - username and password Management Certificate - certificate which is used most common for the tools to authenticate to your Azure subscription. Tools use private key so it should be kept secret. Azure uses public key. When using a management cert, use makecert to create a crt file that is uploaded to Azure. This can then be used for numerous tools. *Note: Microsoft is moving toward RBAC in the new Azure Portal to better define what an administrator can do. This will move away from management certs for better control.* For VS, there's a PublishSettings file that can be downloaded from Azure. There are actually 2 different ones, each with different format/content. One is for the VS tool to access Azure while the other is for websites used during deployment. Certificate is defined under Azure Portal/Settings/Management Certificates. - A subscription can only have 100 management certificates per subscription. - A service administrator can only create 100 across all subscriptions. Same goes for co-administrator.
Who keeps the security patches updated on VM's?
Customer
Microsoft will not transfer Customer Data outside the geo(s) customer specifies. What are some of the exceptions for why data could get transferred outside the geo?
Customer support Legal requirements Customer configures the account to enable transfer out Some services require data to be in a certain region like Multi-factor authentication requires data to be in US. Features that do not enable geo selection such as Content Delivery Network (CDN) that provides a global caching service Web and Worker Roles, which backup software deployment packages to the United States regardless of deployment geo; Preview, beta, or other pre-release features that may store or transfer Customer Data to the United States regardless of deployment geo; Azure Active Directory (except for Access Control), which may store Active Directory Data globally except for the United States (where Active Directory Data remains in the United States) and Europe (where Active Directory Data is in Europe and the United States);
Access to customer data by Microsoft operations and support personnel is allowed or denied by default?
Denied. When granted, access is carefully managed and logged.
Is it safe to virtualize Windows Server Active Directory domain controllers?
Deploying Windows Server Active Directory DCs on Azure virtual machines is subject to the same guidelines as running DCs on-premises in a virtual machine. Running virtualized DCs is a safe practice as long as guidelines for backing up and restoring DCs are followed.
RDP and Remote PowerShell are secured using what?
Digital certificates By default, Azure generates a self-signed certificate for administration. As soon as possible, this certificate should be swapped out for a CA signed certificate. Ideally, this certificate would be deployed via PowerShell cmdlets when the Virtual Machine is created.
What's the difference between a Directory Administrator and Subscription Administrator and Co-Administrator?
Directory Administrator - Admin users, roles, and permissions. It has nothing to do with adding services like VM's, websites, etc. There are roles like Global Administrator role but just note that the directory roles are scoped to the directory so it doesn't give access to add services to subscription. The roles are more meant for applications like Office365 and the roles those users will have. Subscription Administrator/Co-Administraor - Has over all permissions to add services such as VM's, websites, etc.
How does IaaS prevent other customers traffic from hitting input endpoints?
Host machine has packet filtering to block incoming connections that aren't from the same subscription. Another option is allowing all traffic without this filtering and attaching your Virtual Machines to a Azure Virtual Network. All VMs attached to the virtual network can only talk to other VMs attached to the same virtual network.
The primary mechanism of integrity protection for customer data lies within the PaaS VM design itself. Describe the drives that are used on PaaS VMs?
Each PaaS VMs are connected to three local Virtual Hard Disks (VHDs): • The C: drive contains configuration information, paging files, and other storage. • The D: drive contains one of several versions of the Guest OS which are kept up-to-date with relevant patches, selectable by the customer. • The E: drive contains an image constructed by the FC based on the package provided by the customer. The D: and E: virtual drives are effectively read-only because their Access Control Lists ACLs are set to disallow write access from customer processes. Since the operating system may need to update those read-only volumes, updates are permitted, but changes are discarded periodically. The initial VHDs for all role instances in an application start out identical. The D: drive is replaced any time Windows Azure patches the VHD containing the OS. The E: drive is replaced any time the VHD is updated with a new application image. All drives are reinitialized if a hardware failure forces the VM to migrate to different hardware. This design strictly preserves the integrity of the underlying operating system and customer applications. All three drives will revert to their initial states if the role instance is ever moved to a different physical machine, so customer applications should only cache data to the C: drive as a performance optimization. This helps prevent malware infections of a PaaS VM from persisting. With IaaS VMs, much more of the responsibility of application protection is left to the customer.
In addition to needing certificates and private keys, Windows Azure VMs also need access to other authentication keys such as Windows Azure Storage keys and Windows Azure SQL Database passwords. Since there is no mechanism for delivering this information to VMs, how do these keys need to be protected?
Encrypt these keys using a certificate that will be delivered to the VM and place the encrypted keys in the cloud service's configuration file.
What type of private connection allows customers to establish a private connection to Azure datacenters, keeping their traffic off the Internet?
ExpressRoute
To align with the principle of least privilege, customer software in PaaS VMs is restricted to running under what type of account by default?
Least/low privilege account
SMAPI runs over SSL and is authenticated via an OAuth 2.0 protocol to a Secure Token Service (STS) that is a part of Windows Azure Active Directory. This allows access to be easily terminated when the developer does what?
Leaves the company
What merchant level of PCI compliance is Azure?
Level 1 - Over 6M cardholder accounts
Data center access to the systems that store customer data is strictly controlled via what type of processes.
Lockbox is a "stringent time-based work flow". All actions related to access to your data go through a formal escalation request and approval process that is highly supervised, logged, and audited. The end result is a highly supervised, gated approach to data access.
What types of resources are available for customers to learn more about Azure security?
Lots of Whitepapers in Azure Azure documentation Forester Research Paper
Why deploy Windows Server Active Directory Domain Services (AD DS) on Azure Virtual Machines?
Many Windows Server AD DS deployment scenarios are well-suited for deployment as VMs on Azure. For example, suppose you have a company in Europe that needs to authenticate users in a remote location in Asia. The company has not previously deployed Windows Server Active Directory DCs in Asia due to the cost to deploy them and limited expertise to manage the servers post-deployment. As a result, authentication requests from Asia are serviced by DCs in Europe with suboptimal results. In this case, you can deploy a DC on a VM that you have specified must be run within the Azure datacenter in Asia. Attaching that DC to an Azure virtual network that is connected directly to the remote location will improve authentication performance. Azure is also well-suited as a substitute to otherwise costly disaster recovery (DR) sites. The relatively low-cost of hosting a small number of domain controllers and a single virtual network on Azure represents an attractive alternative. Finally, you may want to deploy a network application on Azure, such as SharePoint, that requires Windows Server Active Directory but has no dependency on the on-premises network or the corporate Windows Server Active Directory. In this case, deploying an isolated forest on Azure to meet the SharePoint server's requirements is optimal. Again, deploying network applications that do require connectivity to the on-premises network and the corporate Active Directory is also supported.
Who keeps the security patches updated on Paas?
Microsoft
What security software is built-in/installed on Cloud Services but is not installed by default on VM's?
Microsoft Anti-malware - This includes anti-virus because virus is a type of malware. Cloud services has it disabled by default even though it is installed. VM's have an option to install it.
How long in advance must customers notify Microsoft that they want to do a penetration test?
Minimum of 7 days
What services are ISO and HIPAA compliant?
Most are but it depends on the service. VM's, cloud services, websites, SQL Database, Storage, and Service Bus are all compliant.
What services are SOC compliant?
Most are but it depends on the service. VM's, cloud services, websites, Storage, and Service Bus are all compliant. ***NOT Compliant as of 12/6/2014 SQL Database (use storage for compliant storage) and couple others
What IAM service helps secure access to on-premises and cloud applications by providing an additional layer of authentication. It supports authentication through mobile app, phone call, email, or text message?
Multi-Factor Authentication
Azure uses what to prevent unwanted communications between deployments?
Network Isolation
Does Azure SQL Database support SQL Server Transparent Data Encryption (TDE)?
No
What can be secured with IAM: Multi-Factor Authentication?
On-premises VPNs, Microsoft Active Directory Federation Services, Microsoft IIS web applications, Remote Desktop, and other remote access applications using RADIUS, and LDAP authentication. Turn on Multi-Factor Authentication in Azure Active Directory to add the extra verification step to all of your cloud-based applications and services.
Who has standing permissions in Azure to access customer data?
Only customers. Azure administrators and operational staff must use lockbox to gain temporary access for a pre-defined set of permissions controlled by role based access controls.
What Web protocol is used for querying and updating data?
Open Data Protocol (OData) OData builds upon Web technologies such as HTTP, Atom Publishing Protocol (AtomPub) and JSON to provide access to information from a variety of applications, services, and stores. OData is able to expose and access information from a variety of sources including, but not limited to, relational databases, file systems, content management systems and traditional Web sites.
In Azure Portal (Preview), what are the 3 roles available?
Owner: has full control over Azure resources. Owner can perform all management operations on a resource including access management. Contributor: can perform all management operations except access management. So, a contributor can't grant access to others. Reader: can only view resources. Reader can't view secrets associated with a resource. Note: In an upcoming release of Azure RBAC, you will be able to define custom roles by composing a set of actions from a list of available ones that can be performed on Azure resources.
Why is key management handled via a separate mechanism than the code that uses them?
To lower the risk of exposing certificates and private keys to developers and administrators. Certificates and private keys are uploaded via SMAPI or the Windows Azure Portal as PKCS12 (PFX) files protected in transit by SSL. These files are stored encrypted within Fabric Controllers. Customers may choose to trust only a subset of their customer administrators to have access to the private keys, which is enforced by having the private keys be up-loadable but not down-loadable even by customer administrators.
Reimaging is a routine part of operations for PaaS or IaaS?
PaaS
Who can request access to data with the lockbox process?
Preassigned two-factor-authenticated administrators
Why does Storage have both a Primary and Secondary Storage Access Key (SAK)?
To support periodically changing SAKs without any breaks in service. The other one can be used in application while regenerated one of the keys. The sequence for changing the secret key is to: 1. Set the key not currently being used in production to a new value. 2. Send the new key value to applications accessing the service (including regenerating all SAS tokens) and have those applications start using the new values. 3. Set the key previously used in production on the storage account to a new value so that the old value will no longer be authorized.
All data from the Marketplace is exposed as what type of feeds?
RESTful OData feeds
What features are used to maintain availability of services in Azure?
Resource management Elasticity Load balancing Partitioning
What annual audit attests to the design and operating effectiveness of Azure controls?
SOC 1 Type 2
What annual audit examines Azure controls related to security, availability, and confidentiality?
SOC 2 Type 2
What type of authentication does SQL Database support?
SQL Server Authentication Windows Authentication (integrated security) is not supported. Users must provide credentials (login and password) every time they connect to SQL Database.
Linux clients use what protocol as the default method for administration?
SSH on the default port TCP22 which is open to internet. Like RDP, the SSH thumbprint is displayed in the Windows Azure Developer Portal. Upon the first connection to a Virtual Machine, SSH clients display this thumbprint. Comparing these thumbprints and ensuring they are identical helps you verify that the communication channel is secure. SSH clients will usually cache the thumbprint and won't prompt again in the future unless the thumbprint changes.
How does key management get handled for applications that encrypt data using certificates?
Someone from IT, not the developer, uploads the Certificate w/ Private Key to the Azure service Certificate store. To enable a website, web role, or worker role to use a certificate for encryption/decryption, first upload a certificate (pfx with private key) to the Azure certificate store. This will be the Certificates tab on the Cloud Service. Then, deploy the public key with the application and add the thumbprint to the service definition file. Your application uses the thumbprint to locate the certificate containing the private key in the Windows certificate store at runtime. *Note:* The developer uses a self-signed certificate created from IIS7 to develop and test their application locally. *Note:* The certificate store for Websites is only enabled for Basic and Standard tiers. Complete details reside here: http://azure.microsoft.com/blog/2011/09/07/field-note-using-certificate-based-encryption-in-windows-azure-applications/
Full access to each Windows Azure Storage Account is authorized by proof of possession of a per-storage-account symmetric key called what?
Storage Access Key (SAK)
What are the two mechanisms that support generalized access control to Azure Storage?
Storage account can be marked Publicly Readable AND Using Shared Access Signature (SAS) token (with Storage Access Key (SAK)) can validity time, permissions set, and what portions of the Storage Account are accessible.
Access control for managing all Azure services is governed by what?
Subscription
How does co-existence of RBAC with subscription co-admininistrators work in Azure Portal?
Subscription administrator and co-admins will continue to have full access to the Azure portals and management APIs. In the RBAC model, they are assigned the Owner role at the subscription level.
What differences are there between deploying AD on a VM in Azure versus deploying it on-premises?
There isn't much difference to setup, configuration, and maintenance. However, there are some considerations described here: 1. For any Windows Server Active Directory deployment scenario that includes more than a single VM, it is necessary to use an Azure virtual network for IP address consistency. Note that this guide assumes that DCs are running on an Azure virtual network. 2. As with on-premises DCs, static IP addresses are recommended. A static IP address can only be configured by using Azure PowerShell see Configure a Static Internal IP Address (DIP) for a VM. If you have monitoring systems or other solutions that check for static IP address configuration within the guest operating system, you can assign the same static IP address to the network adapter properties of the VM. But be aware that the network adapter will be discarded if the VM undergoes service healing or is shut down in the Management Portal and has its address deallocated. In that case, the static IP address within the guest will need to be reset. 3. Deploying VMs on a virtual network does not imply (or require) connectivity back to an on-premises network; the virtual network merely enables that possibility. You must create a virtual network for private communication between Azure and your on-premises network. You need to deploy a VPN endpoint on the on-premises network. The VPN is opened from Azure to the on-premises network. For more information, see Virtual Network Overview and Configure a Site-to-Site VPN in the Management Portal. 4. Regardless of whether you create a virtual network or not, Azure charges for egress traffic but not ingress. Various Windows Server Active Directory design choices can affect how much egress traffic is generated by a deployment. For example, deploying an RODC limits egress traffic because it does not replicate outbound. But the decision to deploy an RODC needs to be weighed against the need to perform write operations against the DC and the compatibility that applications and services in the site have with RODCs. For more information about traffic charges, see Azure pricing at-a-glance. 5. While you have complete control over what server resources to use for VMs on-premises, such as how much RAM, disk size, and so on, on Azure, you must select from a list of preconfigured server sizes. For a DC, a data disk is needed in addition to the operating system disk in order to store the Windows Server Active Directory database.
There are several articles about storing storage keys and connection strings in the RoleSettings/ServiceConfiguration, App Settings and/or Connection Strings areas in the Management Portal. 1) Are these areas protected so others cannot get the keys? 2) Do we need to encrypt the keys we put in these 3 areas of the Management Portal? 3) Do all 3 areas of the Management Portal have the same level of security? 4) Who can see this information other than co-administrators and site administrators? 5) Who in Microsoft can see this information?
These answers were provided by MS Azure Support on 12/28/2014: * 1) Are these areas protected so others cannot get the keys? * These settings can only be configured by the Account or Service Administrators associated with the azure account. http://msdn.microsoft.com/en-us/library/azure/dn584083.aspx talks about these accounts in more detail. * 2) Do we need to encrypt the keys we put in these 3 areas of the Management Portal? * Only the administrators have access to these keys, if you need additional protection, then you can encrypt these. But there is no out of the box functionality available currently to do this. The key vault service is designed to provide this functionality. The following articles discuss how to encrypt the connection strings. http://azure.microsoft.com/blog/2010/09/07/securing-your-connection-string-in-windows-azure-part-1/ http://azure.microsoft.com/blog/2010/09/08/securing-your-connection-string-in-windows-azure-part-2/ http://azure.microsoft.com/blog/2010/09/09/securing-your-connection-string-in-windows-azure-part-3/ http://azure.microsoft.com/blog/2010/09/10/securing-your-connection-string-in-windows-azure-part-4/ * 3) Do all 3 areas of the Management Portal have the same level of security? * Yes * 4) Who can see this information other than co-administrators and site administrators? * None * 5) Who in Microsoft can see this information? * These are stored in the configuration file which can be retrieved by the operations team on request. This goes through subscription validation before the package/config file can be retrieved. Which means, the support person must create a support incident to gain access and the retrieval is handled by our subscription management team which validates that the request is from an administrator. Long story short, MS support has access to see this information so its best to encrypt it for added security.
What type of authentication do Azure Cloud Administrators require to gain access?
Two-factor smartcard-based authentication
What services are PCI compliant?
VM's Cloud Services Storage Active Directory Multi-Factor Authentication VNET Traffic Manager ***NOT Compliant as of 12/6/2014 Websites SQL Database (use storage for cardholder data) and many others
What are the 2 types of IP addresses assigned to Windows Azure deployments?
Virtual IP Addresses (VIPs) are the external, Internet-routable addresses which can be used to contact a cloud service. Dynamic IP Addresses (DIPs) are the internal, non-routable addresses used inside the datacenter. The Software Load Balancer (SLB) performs IP address translation between VIPs and DIPs.
What distributed denial-of-service (DDoS) attacks does Azure protect from?
Windows Azure has a distributed denial-of-service (DDoS) defense system that helps prevent attacks against Windows Azure platform services. It uses standard detection and *mitigation techniques such as SYN cookies, rate limiting, and connection limits*. Windows Azure's DDoS defense system is designed not only to withstand attacks from the outside, but also from within. • For attacks launched from the outside (Internet), IP addresses can be spoofed, although they are prevented from spoofing Windows Azure datacenter IP address ranges. • For attacks launched from within a tenant, trusted packet filters prevent impersonation (spoofing) of Windows Azure IP addresses inside the Windows Azure datacenter. • Windows Azure monitors and detects internally initiated DDoS attacks and removes offending VMs from the network. Windows Azure's DDoS protection also benefits applications. However, it is still possible for applications to be targeted individually. As a result, customers should actively monitor their Windows Azure applications. For more information, see Collect Logging Data by Using Windows Azure Diagnostics. If a customer notices their application is under attack, they should contact Windows Azure Customer Support to receive assistance. Windows Azure Customer Support personnel are trained to react promptly to these types of requests.
Do connection strings need to be encrypted in configuration files such as web.config?
Yes Given the Platform-as-a-Service nature of Windows Azure, use a custom protected configuration provider Pkcs12 Protected Configuration Provider. See following link for more details: http://social.technet.microsoft.com/wiki/contents/articles/2951.windows-azure-sql-database-connection-security.aspx
Can I programmatically manage virtual networks?
Yes. We have REST APIs to manage virtual networks and cross-premises connectivity. You can use PowerShell and command line tools for a variety of platforms.
What are the 2 places in the Azure Portal where key-value pairs can be entered for application configuration values for WEBSITES?
You can enter key-value pairs as either "app settings" or "connection strings" in the portal. The only difference is that a connection string includes a little extra metadata telling Windows Azure Web Sites that the string value is a database connection string. That can be useful for downstream code running in a website to special case some behavior for connection strings. When retrieving environment values from within the application, the values in the portal have a prefix pre-appended. For "app settings" the name of the corresponding environment variable is prepended with "APPSETTING_". For "connection strings", there is a naming convention used to prepend the environment variable depending on the type of database you selected in the databases dropdown. Here's a sample list: If you select "Sql Databases", the prepended string is "SQLAZURECONNSTR_" If you select "SQL Server" the prepended string is "SQLCONNSTR_" If you select "MySQL" the prepended string is "MYSQLCONNSTR_" If you select "Custom" the prepended string is "CUSTOMCONNSTR_" For ASP.NET web applications, there is some extra runtime magic that is available as well. If looking at the names of the different key-value types seems familiar to a .NET developer that is intentional. "App settings" neatly map to the .NET Framework's "appSettings" collection. Similarly "connection strings" correspond to the .NET Framework's "connectionStrings" collection. When retrieving values from these collections, the preappended value (i.e. APPSETTING) is not present so developers simply get the same name that is entered in the portal. Furthermore, the web.config also has appSettings and connectionStrings sections which can be used by developers in their local environment. Here's how this works... For a Customer DB connection string called "custConnection-db" that is defined in the Portal under ConnectionStrings, a developer defines their own connection string in web.config that is named the same "custConnection-db". If Portal "custConnection-db"does not exist in the local development environment, the web.config "custConnection-db" is instead used. This resolves the problem of having to specify different connection strings in different environments. For more details, go here: http://azure.microsoft.com/blog/2013/07/17/windows-azure-web-sites-how-application-strings-and-connection-strings-work/
50 of 100 What search will find the best security methods in Azure
azure best practice security
Security needs to ensure data has CIA which means what?
confidentiality, integrity, and availability