windows azure security features and functionality
DESCRIPTION
Windows Azure Security Features And FunctionalityTRANSCRIPT
Windows Azure Security Features and FunctionalityVivek Bhatnagar WW Lead Technical Sales Windows Azure Microsoft [email protected]
Windows Azure Security…
Windows Azure Combines Three Components
Compute – Think Stateless CPU in the Cloud(Rented by the CPU - hour)
Storage – Like a file system, but structured differently to support scalability and parallelism
(Rented by the Gigabyte - Month)SQL Azure – Another form of storage, accessed with SQL queries rather than file-like operations
Can be used separately, but more commonly a Compute tenant is layered atop Storage, SQL Azure, or both
There will likely be more components in the future
Responsibility for Threat Mitigation
There are many threats to a traditional serverThere are some additional threats in the case of cloud computingSome threats are handled by Windows Azure; others remain the responsibility of the customer
Threats We Worry About
Windows Azure
Customer Tenant
Customer Admin Users
External Web Site
Physical AttacksOn ServersCentral Admin
Attacks against Windows Azure
A successful attack on the infrastructure could compromise all of our customersWindows Azure must secure its facilities against unauthorized accessWindows Azure must secure its interfaces against attacks over the network
Customer tenants breaking out of their VMsAttackers successfully impersonating customer administrators or Windows Azure administratorsCustomer administrators affecting other than their own tenants
Windows Azure
Customer Tenant
Customer AdminUsers
Physical AttacksOn Servers
Abuse of Privilege by Windows Azure AdministratorsWindows Azure administrators could
make unauthorized access to customer data
Procedures involving customer consent when such access is necessarySeparation of Duty to prevent abuse by a single rogue administratorAuditing to assure that unauthorized access will be discovered
Windows Azure
Customer Tenant
Central Admin
Using Windows Azure as a Platform for Attacking
OthersWe will receive complaints of misbehavior by Windows Azure tenantsWe proactively monitor outbound access to detect common cases (port scans, spam)If a good customer’s tenant has been compromised (botted), we work with the customer to resolve the problemIf a customer intentionally attacks others, we ban them
Windows Azure
Customer Tenant
External Web Site
Threats Customer Still Must Worry About
Windows Azure
Customer Tenant
Customer Admin Users
Attacks on a Customer’s Tenant
A tenant is much like a physical server. If there are bugs in its code, it can be compromised over the networkWe can look for symptoms in some cases, but it is ultimately the customer’s responsibility
Windows Azure
Customer Tenant
Users
Abuse of Privilege by a Customer Administrator
Customer administrators are authorized to update the code and access the data belonging to any customer tenantCustomer administrators are authenticated with cryptographic keys that the customer must protectCustomers should implement deployment practices as carefully as they would for applications in their own data centers
Windows Azure
Customer Tenant
Customer Admin
Windows Azure Security LayersManaged Code Access Security: partial trust
Windows Account: running with least privileges
Windows FW (VM): rules based on service model
Virtual Machine: fixed CPU, memory, disk resourcesRoot Partition Packet Filter: defense in depth against VM “jailbreaking”Network ACLs: dedicated VLANS for tenant nodes
12
How does it work?
For Windows Azure Storage and SQL Azure, like any other shared service
Storage or SQL account owned by some customer who sets access policyAccess policy is enforced by the code that parses and satisfies requests
For Windows Azure Compute, we create customer owned VMs, isolated by a hypervisor
Underlying Hardware
Rack mounted serversEach rack has a collection of identical nodesEach node (currently) has 2 CPU chips with 4 cores each
16 Gig of memoryDisks for local storageNetwork Interface to a Top of
Rack Switch
Hypervisor & VM Sandbox
All Guest access to network and disk is mediated by Root VM (via the Hypervisor)
Hypervisor
Network/Disk
Root VM
Guest VM
Guest VM
Guest VM
Guest VM
Guest VM
Guest VM
Guest VM
Managing it all through the Fabric Controllers
What does the world look like to a Guest VM?
1, 2, 4, or 8 CPUs; up to 14 GB or memory
Three disk drives:
C:\ (for temps; initially populated with config file)
D:\ (for OS code; initially as supplied by Windows Azure)
E:\ (for application code; initially as supplied by customer admin)
Network connectivity to Internet via NAT and to other VMs of same tenant
Guest agent accepts incoming HTTP/RPC connections from Root OS
Handling Attacks by a Tenant
Not dependent on the security of WindowsInstead, dependent on the security of the Hypervisor and the exposed network and disk driversC:\, D:\, and E:\ are not really disks. They are VHD files in the root OS’s file system.Attack surface is minimized by accepting few commands and supporting only a few hardware devices
Windows Azure Storage
Runs on separate hardware with no network connectivity to compute except (logically) through Internet
Requests run over HTTP and optionally over SSL with server authentication
Storage is organized into storage accounts
A single customer may have many storage accounts
A single secret key controls all access to a storage account
Access Control
Some accommodation to more fine-grained access controls:• Some data can be marked as world-
readable• Shared access signatures supports
some forms of limited delegationA customer wanting fine-grained access controls can implement a front end compute tenant that has full access to the storage account but mediates access to data items
Windows Azure Storage Scalability
To reduce the need for locks when dealing with a conventional file system, Windows Azure storage implements the primitives: blobs, tables, and queues.For backwards compatibility, it also implements an virtual drive with disk semantics for applications that have not been converted.The customer is responsible for coordinating the assignment of virtual drives to VMs. A virtual drive can only be open for write from one VM at a time.
Windows Azure Storage Security
Data from many customers is mixed in a single poolAccess to data in a specific account is only granted to entities having the secret key for that accountStorage keys are randomly generated when the storage account is created (or later at the request of the customer)A storage account may have two active keys at any given time to support key rolloverStorage keys are used to HMAC sign each access request
SQL Azure
As with storage, runs on separate hardware with no connectivity to compute except (logically) over the InternetDeveloper portal can create databases and set an administrator passwordSQL administrator can create additional user accounts, each authenticated with a passwordData from many customers is pooled in a single SQL instance, but they are treated as separate and access controlled independently
Defenses Inherited by Windows Azure Tenants
SpoofingTampering & Disclosure
Port Scanning/ Service
Enumeration
Elevation of
PrivilegeLoad-balanced Infrastructure
Network bandwidth throttling
CiscoGuard enabled on Storage nodes
Configurable scale-out
Denial of Service
Service Definition file, Windows Firewall, VM switch packet filtering
VM switch hardening
Certificate Services
Shared-Access Signatures
HTTPS
Sidechannel protections
VLANs
Top of Rack Switches
Custom packet filtering
Partial Trust Runtime
Hypervisor custom sandboxing
Virtual Service Accounts
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after
the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.