Security, responsibility and trust in Azure
Application
- Ensure applications are secure and free of vulnerabilities.
- Store sensitive application secrets in a secure storage medium.
- Make security a design requirement for all application development.
Integrating security into the application development life cycle will help reduce the number of vulnerabilities introduced in code. We encourage all development teams to ensure their applications are secure by default, and that they're making security requirements non-negotiable.
Data
In almost all cases, attackers are after data:
- Stored in a database
- Stored on disk inside virtual machines
- Stored on a SaaS application such as Office 365
- Stored in cloud storage
It's the responsibility of those storing and controlling access to data to ensure that it's properly secured. Often, there are regulatory requirements that dictate the controls and processes that must be in place to ensure the confidentiality, integrity, and availability of the data.
Privileged Identity Management
- In addition to managing Azure resource access with role-based access control (RBAC), a comprehensive approach to infrastructure protection should consider including the ongoing auditing of role members as their organization changes and evolves.
- Azure AD Privileged Identity Management (PIM) is an additional, paid-for offering that provides oversight of role assignments, self-service, and just-in-time role activation, and Azure AD and Azure resource access reviews.
Usage scenarios - 1. Use Security Center for incident response
- Many organizations learn how to respond to security incidents only after suffering an attack.
- To reduce costs and damage, it's important to have an incident response plan in place before an attack occurs. You can use Azure Security Center in different stages of an incident response.
- Detect. Review the first indication of an event investigation. For example, you can use the Security Center dashboard to review the initial verification that a high-priority security alert was raised.
- Assess. Perform the initial assessment to obtain more information about the suspicious activity. For example, obtain more information about the security alert.
- Diagnose. Conduct a technical investigation and identify containment, mitigation, and workaround strategies. For example, follow the remediation steps described by Security Center in that particular security alert.
To reduce security risk
- A layered approach to network security helps reduce your risk of exposure through network-based attacks.
Stopping Distributed Denial of Service (DDoS) attacks
- Any resource exposed on the internet is at risk of a denial-of-service attack.
Cloud security is a shared responsibility
- As computing environments move from customer-controlled data centers to cloud data centers, the responsibility for security also shifts.
- Microsoft provides two-factor authentication and role-based authentication for authorized users.
- It also sends data over the TLS security layer.
- Provides access to resources.
- Checks login failures, login attempts, suspicious locations, and so on.
- Provides denial-of-service protection, real-time telemetry, and firewalls to block malicious traffic.
- Microsoft is responsible for the physical security of its data centers as well as the entire Azure platform.
- The degree of responsibility varies depending on the type of service you use, whether it is SaaS (Office 365), PaaS, or IaaS.
Authentication and authorization
- Authentication is the process of establishing the identity of a person or service looking to access a resource. It involves the act of challenging a party for legitimate credentials, and provides the basis for creating a security principal for identity and access control use. It establishes if they are who they say they are.
- Authorization is the process of establishing what level of access an authenticated person or service has. It specifies what data they're allowed to access and what they can do with it.
- Note: Authentication is sometimes shortened to AuthN, and authorization is sometimes shortened to AuthZ.
Available tiers
- Azure Security Center is available in two tiers:
1. Free. Available as part of your Azure subscription, this tier is limited to assessments and recommendations of Azure resources only.
2. Standard. This tier provides a full suite of security-related services including continuous monitoring, threat detection, just-in-time access control for ports, and more.
Identity and access
- Control access to infrastructure and change control.
- Use single sign-on and multi-factor authentication.
- Audit events and changes.
1. Encryption at rest
- Data at rest is the data that has been stored on a physical medium. This could be data stored on the disk of a server, data stored in a database, or data stored in a storage account. Regardless of the storage mechanism, encryption of data at rest ensures that the stored data is unreadable without the keys and secrets needed to decrypt it. If an attacker were to obtain a hard drive with encrypted data and did not have access to the encryption keys, the attacker would not be able to compromise the data without great difficulty.
- The actual data that is encrypted could vary in its content, usage, and importance to the organization. This could be financial information critical to the business, intellectual property that has been developed by the business, personal data about customers or employees that the business stores, and even the keys and secrets used for the encryption of the data itself.
2. Encryption in transit
- Data in transit is the data actively moving from one location to another, such as across the internet or through a private network.
A layered approach to security
- Defense in depth is a strategy that employs a series of mechanisms to slow the advance of an attack aimed at acquiring unauthorized access to information.
- Each layer provides protection so that if one layer is breached, a subsequent layer is already in place to prevent further exposure.
- Microsoft applies a layered approach to security, both in physical data centers and across Azure services.
- The objective of defense in depth is to protect and prevent information from being stolen by individuals who are not authorized to access it.
What is encryption?
- Encryption is the process of making data unreadable and unusable to unauthorized viewers. To use or read the encrypted data, it must be decrypted, which requires the use of a secret key. There are two top-level types of encryption: symmetric and asymmetric.
Encryption
- Encryption serves as the last and strongest line of defense in a layered security strategy.
Introduction
- Every system, architecture, and application needs to be designed with security in mind.
Summary
- Identity allows us to maintain a security perimeter, even outside our physical control. With single sign-on and appropriate role-based access configuration, we can always be sure who has the ability to see and manipulate our data and infrastructure.
Providing identities to services
- It's usually valuable for services to have identities. Often, and against best practices, credential information is embedded in configuration files. With no security around these configuration files, anyone with access to the systems or repositories can access these credentials and risk exposure.
Learning Objectives
- Learn how security responsibility is shared with Azure
- Learn how identity management provides protection, even outside your network
- Learn how encryption capabilities built into Azure can protect your data
- Learn how to protect your network and virtual networks
- Learn about advanced services and features Azure provides to keep your services and data secure and safe
Networking
- Limit communication between resources.
- Deny by default.
- Restrict inbound internet access and limit outbound, where appropriate.
- Implement secure connectivity to on-premises networks.
Device Management
- Manage how your cloud or on-premises devices access your corporate data.
Business to business (B2B) identity services.
- Manage your guest users and external partners while maintaining control over your own corporate data.
Business-to-Customer (B2C) identity services.
- Customize and control how users sign up, sign in, and manage their profiles when using your apps with services.
platform as a service (PaaS)
- Moving to platform as a service (PaaS)
- At this level, Azure is taking care of the operating system and of most foundational software like database management systems. Everything is updated with the latest security patches and can be integrated with Azure Active Directory for access controls.
Multi-factor authentication
- Multi-factor authentication (MFA) provides additional security for your identities by requiring two or more elements for full authentication. These elements fall into three categories:
- Something you know. Something you know would be a password or the answer to a security question.
- Something you possess. Something you possess could be a mobile app that receives a notification or a token-generating device.
- Something you are. Something you are is typically some sort of biometric property, such as a fingerprint or face scan used on many mobile devices.
- Using MFA increases security of your identity by limiting the impact of credential exposure. An attacker who has a user's password would also need to have possession of their phone or their face in order to fully authenticate. Authentication with only a single factor verified is insufficient, and the attacker would be unable to use those credentials to authenticate. The benefits this brings to security are huge, and we can't emphasize enough the importance of enabling MFA wherever possible.
For communication between virtual machines,
- Network Security Groups (NSGs) are a critical piece to restrict unnecessary communication.
Physical security
- Physical building security and controlling access to computing hardware within the data center is the first line of defense.
Get tips from Azure Security Center
- Provide security recommendations based on your configurations, resources, and networks.
- Monitor security settings across on-premises and cloud workloads, and automatically apply required security to new services as they come online.
- Continuously monitor all your services, and perform automatic security assessments to identify potential vulnerabilities before they can be exploited.
- Use machine learning to detect and block malware from being installed on your virtual machines and services. You can also define a list of allowed applications to ensure that only the apps you validate are allowed to execute.
- Analyze and identify potential inbound attacks, and help to investigate threats and any post-breach activity that might have occurred.
- Provide just-in-time access control for ports, reducing your attack surface by ensuring the network only allows traffic that you require.
Role-based access control
- Roles are sets of permissions, like "Read-only" or "Contributor", that users can be granted to access an Azure service instance.
- Identities are mapped to roles directly or through group membership. Separating security principals, access permissions, and resources provides simple access management and fine-grained control. Administrators are able to ensure the minimum necessary permissions are granted.
- Roles can be granted at the individual service instance level, but they also flow down the Azure Resource Manager hierarchy.
Single-sign-on
- SSO enables users to remember only one ID and one password to access multiple applications. A single identity is tied to a user, simplifying the security model. As users change roles or leave an organization, access modifications are tied to that identity, greatly reducing the effort needed to change or disable accounts.
Compute
- Secure access to virtual machines. - Implement endpoint protection and keep systems patched and current.
Encrypt virtual machine disks
- Storage Service Encryption provides low-level encryption protection for data written to physical disk, but how do you protect the virtual hard disks (VHDs) of virtual machines? If malicious attackers gained access to your Azure subscription and got the VHDs of your virtual machines, how would you ensure they would be unable to access the stored data?
Azure DDoS Protection - Basic
- The Basic service tier is automatically enabled as part of the Azure platform. Always-on traffic monitoring and real-time mitigation of common network-level attacks provide the same defenses that Microsoft's online services use. Azure's global network is used to distribute and mitigate attack traffic across regions.
Azure DDoS Protection - Standard
- The Standard service tier provides additional mitigation capabilities that are tuned specifically to Microsoft Azure Virtual Network resources.
- DDoS Protection Standard is simple to enable and requires no application changes.
- Protection policies are tuned through dedicated traffic monitoring and machine learning algorithms. Policies are applied to public IP addresses which are associated with resources deployed in virtual networks, such as Azure Load Balancer and Application Gateway. DDoS Protection Standard can mitigate the following types of attacks:
- Volumetric attacks. The attacker's goal is to flood the network layer with a substantial amount of seemingly legitimate traffic.
- Protocol attacks. These attacks render a target inaccessible by exploiting a weakness in the layer 3 and layer 4 protocol stack.
- Resource (application) layer attacks. These attacks target web application packets to disrupt the transmission of data between hosts.
Managed identities for Azure services
- The creation of service principals can be a tedious process, and there are a lot of touch points that can make maintaining them difficult. Managed identities for Azure services are much easier and will do most of the work for you.
- A managed identity can be instantly created for any Azure service that supports it—and the list is constantly growing. When you create a managed identity for a service, you are creating an account on your organization's Active Directory (a specific organization's Active Directory instance is known as an "Active Directory Tenant").
Single sign-on
- The more identities a user has to manage, the greater the risk of a credential-related security incident. More identities mean more passwords to remember and change. Password policies can vary between applications and, as complexity requirements increase, it becomes increasingly difficult for users to remember them.
- With single sign-on (SSO), users need to remember only one ID and one password.
- Access across applications is granted to a single identity tied to a user, simplifying the security model.
- As users change roles or leave an organization, access modifications are tied to the single identity, greatly reducing the effort needed to change or disable accounts.
- Using single sign-on for accounts will make it easier for users to manage their identities and will increase the security capabilities in your environment.
To upgrade Subscription
- To upgrade a subscription to the Standard tier, you must be assigned the role of Subscription Owner, Subscription Contributor, or Security Admin.
VPN
- Virtual private network (VPN) connections are a common way of establishing secure communication channels between networks.
- A connection between an Azure Virtual Network and an on-premises VPN device is a great way to provide secure communication between your network and your VNet on Azure.
To provide defense against DDoS attacks
- When you combine Azure DDoS Protection with application design best practices, you help provide defense against DDoS attacks. DDoS Protection leverages the scale and elasticity of Microsoft's global network to bring DDoS mitigation capacity to every Azure region.
Application management.
- You can manage your cloud and on-premises apps using Azure AD Application Proxy, SSO, the My apps portal (also referred to as Access panel), and SaaS apps.
AIP
- You can purchase AIP either as a standalone solution, or through one of the following Microsoft licensing suites: Enterprise Mobility + Security, or Microsoft 365 Enterprise.
Identity and access
- Your company, Contoso Shipping, is focused on addressing these concerns right away. Your team's new hybrid cloud solution needs to account for mobile apps that have access to secret data when an authorized user is signed in — in addition to having shipping vehicles constantly send a stream of telemetry data that is critical to optimizing the company's business.
Network virtual appliances (NVAs)
- are ideal options for non-HTTP services or advanced configurations, and are similar to hardware firewall appliances.
Azure Storage Service Encryption for data
- at rest helps you protect your data to meet your organizational security and compliance commitments.
Service principals
- First understand the words identity and principal.
- An identity is just a thing that can be authenticated. Obviously, this includes users with a user name and password, but it can also include applications or other servers, which might authenticate with secret keys or certificates.
- A principal is an identity acting with certain roles or claims. Usually, it is not useful to consider identity and principal separately, but think of using sudo on a Bash prompt in Linux or on Windows using "run as Administrator." In both those cases, you are still logged in as the same identity as before, but you've changed the role under which you are executing. Groups are often also considered principals because they can have rights assigned.
- A service principal is an identity that is used by a service or application. And like other identities, it can be assigned roles.
SSO with Azure Active Directory
- have the ability to combine multiple data sources into an intelligent security graph. This security graph enables the ability to provide threat analysis and real-time identity protection to all accounts in Azure AD, including accounts that are synchronized from your on-premises AD.
Infrastructure as a Service (IaaS)
- With IaaS, you are leveraging the lowest-level service and asking Azure to create virtual machines (VMs) and virtual networks.
- At this level, it's still your responsibility to patch and secure your operating systems and software, as well as configure your network to be secure.
Azure Disk Encryption
- is a capability that helps you encrypt your Windows and Linux IaaS virtual machine disks.
Azure Advanced Threat Protection (Azure ATP)
- is a cloud-based security solution that identifies, detects, and helps you investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
Microsoft Azure Information Protection (sometimes referred to as AIP)
- is a cloud-based solution that helps organizations classify and optionally protect documents and emails by applying labels.
Azure Security Center
- is a great place to look for this information, because it will identify internet-facing resources that don't have network security groups associated with them, as well as resources that are not secured behind a firewall.
Azure Application Gateway
- is a load balancer that includes a Web Application Firewall (WAF) that provides protection from common, known vulnerabilities in websites.
Azure Firewall
- is a managed, cloud-based, network security service that protects your Azure Virtual Network resources.
Firewall
- is a service that grants server access based on the originating IP address of each request.
Azure Key Vault
- to protect our secrets.
Asymmetric encryption
- uses a public key and private key pair. Either key can encrypt but a single key can't decrypt its own encrypted data. To decrypt, you need the paired key. Asymmetric encryption is used for things like Transport Layer Security (TLS) (used in HTTPS) and data signing.
Symmetric encryption
- uses the same key to encrypt and decrypt the data. Consider a desktop password manager application. You enter your passwords and they are encrypted with your own personal key (your key is often derived from your master password). When the data needs to be retrieved, the same key is used, and the data is decrypted.
software as a service (SaaS)
- you outsource almost everything. SaaS is software that runs with an internet infrastructure. The code is controlled by the vendor but configured to be used by the customer. Like so many companies, Contoso Shipping uses Office 365, which is a great example of SaaS!
2. Use Security Center recommendations to enhance security
- A security policy defines the set of controls that are recommended for resources within that specified subscription or resource group. In Security Center, you define policies according to your company's security requirements.
- Security Center analyzes the security state of your Azure resources. When Security Center identifies potential security vulnerabilities, it creates recommendations based on the controls set in the security policy. The recommendations guide you through the process of configuring the needed security controls.
- For example, if you have workloads that do not require the Azure SQL Database Transparent Data Encryption (TDE) policy, turn off the policy at the subscription level and enable it only in the resource groups where SQL TDE is required.
Perimeter
- Use distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for end users.
- Use perimeter firewalls to identify and alert on malicious attacks against your network.
Authentication
- Single-Sign-On (SSO). This includes verifying identity to access applications and resources, and providing functionality such as self-service password reset, multi-factor authentication (MFA), a custom banned password list, and smart lockout services.
What is Azure Active Directory?
Azure AD is a cloud-based identity service. It has built in support for synchronizing with your existing on-premises Active Directory or can be used stand-alone. This means that all your applications, whether on-premises, in the cloud (including Office 365), or even mobile can share the same credentials. Administrators and developers can control access to internal and external data and applications using centralized rules and policies configured in Azure AD.
Azure ExpressRoute
To provide a dedicated, private connection between your network and Azure, you can use .
Transparent data encryption (TDE)
helps protect Azure SQL Database and Azure Data Warehouse against the threat of malicious activity.