best practices in cloud security
TRANSCRIPT
BEST PRACTICES IN CLOUD SECURITY
Michael Washam
CEO, Opsgility
Azure Security Tips
Protecting Identities
Azure Active Directory
Identity Source for Azure & Office 365 subscriptions
Key takeaways for protecting identities
Multi-Factor Authentication
Privileged Identity Management
Conditional Access
Multi-Factor Authentication (MFA)
What is it?
A method of authentication requiring the use of more than one verification method to authenticate a user.
How does it work?
Requires two or more verification methods
Something you know (typically a password)
Something you have (a trusted device that is not easily duplicated, like a phone number).
1. Login using username and password
2. Microsoft Azure MFA challenge
3. Response to challenge from device
What is Privileged Identity Management?
Manage, control, and monitor access within your organization
Includes access to resources in Azure AD and other Microsoft online services like Office 365 or Microsoft Intune
Configuring Conditional Access
Protection against stolen or phished credentials
Keeps Data Safe
Enforces BYOD policies
Works with Azure AD and MFA
Applied to individual users or groups
DEMO
Microsoft Azure
Protecting Infrastructure
Protecting Your Infrastructure
Available Tools
Isolated Virtual Networks
Network Security Groups
Virtual Appliances
App Service Environment
Disk Encryption
Anti-Malware
Secure Endpoints (SQL and Storage)
Virtual Network Best Practices
Isolate workloads in different subnets
Deploy Network Security Groups to minimize the attack surface
Avoid exposure to the Internet except where necessary
Control routing
Enable Forced Tunneling
Deploy Security Appliances
Enforce a DMZ
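As an added example that is not part of the original deck, the following Az PowerShell script applies the practices above to a two-tier layout: separate subnets per workload, an NSG on each, Internet exposure limited to HTTPS on the DMZ tier, and a data tier reachable only from the web subnet. The resource group, resource names and address ranges are assumed placeholders.

```powershell
# Added example, not from the original deck. Uses the Az PowerShell module.
# Resource group, names and address ranges are assumed placeholders.
$rg         = 'rg-secure-demo'   # assumed to exist already
$location   = 'eastus'
$webPrefix  = '10.0.1.0/24'      # DMZ / web tier
$dataPrefix = '10.0.2.0/24'      # data tier, never Internet-facing

# Explicit inbound deny-all, reused on both tiers. Priority 4000 sits below
# our allows but above the default AllowVnetInBound rule (65000), so traffic
# from other subnets is blocked unless a rule here permits it.
# If an Azure load balancer fronts a tier, add an Allow rule for the
# AzureLoadBalancer service tag with a lower priority number than this one.
$denyAllIn = New-AzNetworkSecurityRuleConfig -Name 'Deny-All-Inbound' `
    -Direction Inbound -Access Deny -Protocol * -Priority 4000 `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange *

# Web tier: only HTTPS from the Internet.
$allowHttps = New-AzNetworkSecurityRuleConfig -Name 'Allow-HTTPS-From-Internet' `
    -Direction Inbound -Access Allow -Protocol Tcp -Priority 100 `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 443
$webNsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'nsg-web' -SecurityRules $allowHttps, $denyAllIn

# Data tier: SQL (1433) only from the web subnet; Internet is never a source.
$allowSql = New-AzNetworkSecurityRuleConfig -Name 'Allow-SQL-From-Web' `
    -Direction Inbound -Access Allow -Protocol Tcp -Priority 100 `
    -SourceAddressPrefix $webPrefix -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 1433
$dataNsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'nsg-data' -SecurityRules $allowSql, $denyAllIn

# One subnet per workload, each bound to its own NSG.
$webSubnet  = New-AzVirtualNetworkSubnetConfig -Name 'snet-web' `
    -AddressPrefix $webPrefix -NetworkSecurityGroup $webNsg
$dataSubnet = New-AzVirtualNetworkSubnetConfig -Name 'snet-data' `
    -AddressPrefix $dataPrefix -NetworkSecurityGroup $dataNsg
New-AzVirtualNetwork -ResourceGroupName $rg -Location $location `
    -Name 'vnet-secure-demo' -AddressPrefix '10.0.0.0/16' `
    -Subnet $webSubnet, $dataSubnet | Out-Null

# Review the resulting rule sets before placing workloads in the subnets.
foreach ($nsg in $webNsg, $dataNsg) {
    "== $($nsg.Name)"
    $nsg.SecurityRules | Sort-Object Priority |
        Format-Table Priority, Name, Access, Protocol, SourceAddressPrefix, DestinationPortRange -AutoSize
}
```

Run it from a session already signed in with Connect-AzAccount; the web NSG is where a forced-tunneling route or a virtual appliance would be layered on next.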
DEMO
Protecting Data
Data at Rest - Encryption Points
Microsoft:
• Storage Service Encryption
• Automatically encrypts customer data prior to persisting to storage and decrypts prior to retrieval
• Microsoft manages encryption keys
Customers:
• Azure VMs
• Disk Encryption
• PaaS
• Azure SQL Database supports TDE
• Applications
• Client Side encryption through .NET Crypto API
• RMS Service and SDK for file encryption by your applications
Data In Transit - Encryption Points
• Data in transit between a user and the service: protects the user from interception of their communication and helps ensure transaction integrity
• Data in transit between data centers: protects from bulk interception of data
• End-to-end encryption of communications between users: protects from interception or loss of data in transit between users
Microsoft:
• Azure Portal
• Encrypts transactions through Azure Portal using HTTPS
• Strong Ciphers are used / FIPS 140-2 support
• Import / Export
• Only accepts BitLocker-encrypted data disks
• Datacenter to Datacenter
• Encrypts customer data transfer between Azure datacenters (via Site-to-Site VPN connections)
Customers:
• Azure Services
• Various services offer additional capabilities for securing data in transit
• N-Tier Applications
• Encrypt traffic between Web client and server by implementing TLS on IIS
DEMO
Applying Governance
Tools for Governance
Azure EA Portal
Azure AD
Resource Groups
Policies
Role Based Access Control
Resource Locks
Security Center
Operations Management Suite (OMS)
Templates and Command Line
Policies
• Manage what resources or configurations are available at the subscription, resource group or resource level
• Examples:
• Supported Regions
• Naming Conventions
• Supported Services
• Supported SKUs
• Tag requirements
Role Based Access Control
• Manage which users or groups can perform which actions on which resources
• Examples:
• Owner
• Contributor
• Reader
• Resource specific roles like Storage Account Contributor
• Custom Roles
DEMO
Thank You.