best practices in cloud security

Post on 22-Jan-2018


BEST PRACTICES IN CLOUD SECURITY

Michael Washam

CEO, Opsgility

Azure Security Tips

Michael Washam

michael@opsgility.com

www.opsgility.com

Microsoft Azure

Protecting Identities

Azure Active Directory

Identity Source for Azure & Office 365 subscriptions

Key takeaways for protecting identities:

Multi-Factor Authentication

Privileged Identity Management

Conditional Access

Multi-Factor Authentication (MFA)

What is it?

A method of authentication requiring the use of more than one verification method to authenticate a user.

How does it work?

Requires two or more verification methods

Something you know (typically a password)

Something you have (a trusted device that is not easily duplicated, like a phone)

1. Login using username and password

2. Microsoft Azure MFA challenge

3. Response to challenge from device

What is Privileged Identity Management?

Manage, control, and monitor access within your organization

Includes access to resources in Azure AD and other Microsoft online services like Office 365 or Microsoft Intune

Configuring Conditional Access

Protection against stolen or phished credentials

Keeps Data Safe

Enforces BYOD policies

Works with Azure AD and MFA

Applied to individual users or groups

DEMO

Microsoft Azure

Protecting Infrastructure

Protecting Your Infrastructure

Available Tools

Isolated Virtual Networks

Network Security Groups

Virtual Appliances

App Service Environment

Disk Encryption

Anti-Malware

Secure Endpoints (SQL and Storage)

Virtual Network Best Practices

Isolate workloads in different subnets

Deploy Network Security Groups to minimize the attack surface

Avoid exposure to the Internet except where necessary

Control routing

Enable Forced Tunneling

Deploy Security Appliances

Enforce a DMZ
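The Network Security Group practices above, as an added example that is not part of the deck: a web-tier NSG that admits only HTTPS from the Internet, allows management ports only from an on-premises range, explicitly denies everything else from the Internet, and is bound to a subnet. It assumes the Az PowerShell module and an existing resource group, VNet and subnet with the placeholder names shown; the on-premises address range is also assumed.

```powershell
# Added example (not from the deck). Assumes the Az module and the placeholder
# resource group / VNet / subnet names below already exist.
$rg         = 'rg-app-prod'      # assumed
$location   = 'eastus'
$vnetName   = 'vnet-app-prod'    # assumed
$subnetName = 'snet-web'         # assumed
$onPremCidr = '10.50.0.0/16'     # assumed corporate range reachable over the VPN gateway

# Priority 100: only TLS from the Internet may reach the web tier.
$allowHttps = New-AzNetworkSecurityRuleConfig -Name 'allow-https-in' `
    -Description 'HTTPS from the Internet to the web tier' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix Internet -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 443

# Priority 200: RDP/SSH only from the on-premises range, never from the Internet.
$allowMgmt = New-AzNetworkSecurityRuleConfig -Name 'allow-rdp-ssh-from-onprem' `
    -Description 'Management ports from the corporate range only' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 200 `
    -SourceAddressPrefix $onPremCidr -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange @('22', '3389')

# Priority 4000: explicit deny for all other Internet traffic. It is evaluated before the
# default rules (AllowVnetInBound 65000, DenyAllInBound 65500) but matches only the
# Internet service tag, so VNet-internal traffic is unaffected.
$denyInternet = New-AzNetworkSecurityRuleConfig -Name 'deny-internet-in' `
    -Description 'Everything else from the Internet is dropped' `
    -Access Deny -Protocol '*' -Direction Inbound -Priority 4000 `
    -SourceAddressPrefix Internet -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*'

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'nsg-web' -SecurityRules $allowHttps, $allowMgmt, $denyInternet

# Bind the NSG at subnet level so it applies to every NIC placed in the subnet.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg |
    Set-AzVirtualNetwork | Out-Null

# Check: list the rules in evaluation order (lowest priority number first).
Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'nsg-web' |
    Select-Object -ExpandProperty SecurityRules |
    Sort-Object Priority |
    Format-Table Name, Priority, Direction, Access, SourceAddressPrefix, DestinationPortRange
```

Rules are processed by ascending priority number and the first match wins, so the explicit deny at 4000 makes the Internet boundary visible in the rule list without overriding the allow rules above it.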

DEMO

Microsoft Azure

Protecting Data

Data at Rest - Encryption Points

Microsoft:

• Storage Service Encryption

• Automatically encrypts customer data prior to persisting to storage and decrypts prior to retrieval

• Microsoft manages encryption keys

Customers:

• Azure VMs

• Disk Encryption

• PaaS

• Azure SQL Database supports TDE

• Applications

• Client-side encryption through the .NET Crypto API

• RMS Service and SDK for file encryption by your applications

Data In Transit - Encryption Points

Data in transit between a user and the service: protects the user from interception of their communication and helps ensure transaction integrity

Data in transit between data centers: protects from bulk interception of data

End-to-end encryption of communications between users: protects from interception or loss of data in transit between users

Microsoft:

• Azure Portal

• Encrypts transactions through Azure Portal using HTTPS

• Strong Ciphers are used / FIPS 140-2 support

• Import / Export

• Only accepts BitLocker-encrypted data disks

• Datacenter to Datacenter

• Encrypts customer data transfer between Azure datacenters (via Site-to-Site VPN connections)

Customers:

• Azure Services

• Various services offer additional capabilities for securing data in transit

• N-Tier Applications

• Encrypt traffic between Web client and server by implementing TLS on IIS
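The customer-side encryption points from the two slides above (Azure Disk Encryption for VMs, TDE for Azure SQL Database, and a service-level option for data in transit), as an added example that is not part of the deck. It assumes the Az PowerShell module and existing resources with the placeholder names shown; the storage-account "secure transfer required" setting used for the in-transit part is a named Azure feature that the slide only refers to generically.

```powershell
# Added example (not from the deck). Assumes the Az module; all resource names are placeholders.
$rg        = 'rg-app-prod'             # assumed
$location  = 'eastus'
$vaultName = 'kv-app-prod-diskenc'     # assumed; Key Vault names are globally unique

# --- Data at rest: Azure Disk Encryption for an IaaS VM; keys are held in Key Vault ---
$vault = New-AzKeyVault -ResourceGroupName $rg -VaultName $vaultName -Location $location `
    -EnabledForDiskEncryption
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName 'vm-web-01' `
    -DiskEncryptionKeyVaultUrl $vault.VaultUri -DiskEncryptionKeyVaultId $vault.ResourceId `
    -VolumeType All -Force

# Check: OS and data volumes should report as encrypted.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName 'vm-web-01'

# --- Data at rest: Transparent Data Encryption on an Azure SQL Database ---
Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $rg `
    -ServerName 'sql-app-prod' -DatabaseName 'appdb' -State Enabled

# --- Data in transit: refuse plain HTTP to a storage account so every client must use TLS ---
Set-AzStorageAccount -ResourceGroupName $rg -Name 'stappprod01' -EnableHttpsTrafficOnly $true

# Check: report any storage account in the group that still accepts unencrypted traffic.
Get-AzStorageAccount -ResourceGroupName $rg |
    Where-Object { -not $_.EnableHttpsTrafficOnly } |
    Select-Object StorageAccountName, EnableHttpsTrafficOnly
```

The Key Vault is created with -EnabledForDiskEncryption because the platform needs to read the wrapped volume keys at boot; without that flag the extension fails, which is the usual first stumbling block when rolling this out.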

DEMO

Microsoft Azure

Applying Governance

Tools for Governance

Azure EA Portal

Azure AD

Resource Groups

Policies

Role Based Access Control

Resource Locks

Security Center

Operations Management Suite (OMS)

Templates and Command Line

Policies

• Manage what resources or configurations are available at the subscription, resource group or resource level

• Examples:

• Supported Regions

• Naming Conventions

• Supported Services

• Supported SKUs

• Tag requirements

Role Based Access Control

• Manage which users or groups can perform which actions on which resources

• Examples:

• Owner

• Contributor

• Reader

• Resource specific roles like Storage Account Contributor

• Custom Roles
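The governance tools from the slides above (a "supported regions" policy, an RBAC assignment and a resource lock) applied to one resource group, as an added example that is not part of the deck. It assumes the Az PowerShell module, an existing resource group with the placeholder name shown, and a placeholder sign-in address for the auditor; the policy rule is a custom definition written here, not the built-in one.

```powershell
# Added example (not from the deck). Assumes the Az module; names and the sign-in are placeholders.
$rgName = 'rg-app-prod'   # assumed
$rg     = Get-AzResourceGroup -Name $rgName

# --- Policy: deny any resource deployed outside an allowed list of regions ---
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "location", "notEquals": "global" },
      { "not": { "field": "location", "in": "[parameters('allowedLocations')]" } }
    ]
  },
  "then": { "effect": "deny" }
}
'@
$parameters = @'
{
  "allowedLocations": {
    "type": "Array",
    "metadata": { "description": "Regions in which resources may be deployed" }
  }
}
'@
$definition = New-AzPolicyDefinition -Name 'allowed-locations-custom' `
    -DisplayName 'Allowed locations (custom)' -Mode Indexed `
    -Policy $rule -Parameter $parameters

New-AzPolicyAssignment -Name 'allowed-locations' -Scope $rg.ResourceId `
    -PolicyDefinition $definition `
    -PolicyParameterObject @{ allowedLocations = @('eastus', 'westus') } | Out-Null

# --- RBAC: least privilege; the auditor gets Reader at resource-group scope only ---
New-AzRoleAssignment -SignInName 'auditor@example.com' -RoleDefinitionName 'Reader' `
    -ResourceGroupName $rgName | Out-Null

# --- Resource lock: even an Owner must remove the lock before the group can be deleted ---
New-AzResourceLock -LockName 'no-delete' -LockLevel CanNotDelete `
    -LockNotes 'Production; remove the lock before deletion' `
    -ResourceGroupName $rgName -Force | Out-Null

# Checks: what is now enforced at the resource-group scope.
Get-AzPolicyAssignment -Scope $rg.ResourceId | Select-Object Name
Get-AzRoleAssignment -ResourceGroupName $rgName |
    Format-Table SignInName, RoleDefinitionName, Scope
Get-AzResourceLock -ResourceGroupName $rgName | Format-Table Name, Properties
```

Policy and RBAC answer different questions: the policy rejects a deployment regardless of who submits it, while the role assignment limits what a given principal may do at all, and the lock guards against a permitted but accidental delete.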

DEMO

Microsoft Azure

Thank You.
