Design Practices for a Secure Azure Solution

Editor's Notes

• #2: Design Practices for a Secure Azure Solution When companies endeavor to move their applications and services to the cloud, they tend to worry more about security up front. Interestingly, platforms such as Azure provide an even more secure environment than most self-managed co-location facilities can hope to offer, not to mention the plethora of features on the platform that help you secure your solutions end to end. In this session Michele will review the mini-avalanche that comprises Azure security across features. Taking the architect's view of the platform (with demos) she’ll cover best practices for securing Azure solutions end to end and discuss the tangential benefits of moving to Azure and how it can help you with checking the boxes on those pesky security surveys.
• #3: Customers worry about cloud security But the truth is, the cloud can also improve the security of your solution in some ways The remaining issues, are probably issues whether you are in the cloud, or not
• #4: When you think about security for a solution, what do you think about? From a high level…list… In this session, I want to take you through the types of questions I frequently encounter helping customers “prove their security” to their customers We will review the topics listed here and within each some of the key questions I see on questionnaires that ask people for proof of trust In the process, I’ll draw from the special sauce Azure provides in terms of features for data protection, key management, identity, networking and generally secure solution design and implementation
• #6: Easy win, if you word it right Do you have DDOS protection measures in place? Do you have appropriate isolation? Assurance of packet routing to correct tenant? Do you have appropriate network boundaries to protect data/assets? (this is on you)
• #7: Azure fabric provides 3 layers of DOS prevention before it reaches your servers You can further secure your VMs with sw firewalls, appliances, IDS (specific client rules not just packet patterns) Add networking tiers, VPN and dedicated express route if you have $ Azure part of hacking challenge; constantly pen testing looking for holes, practicing recovery
• #8: Also related to infrastructure, VM security Do you keep patched? Do you remove guest accounts? Least privilege for services? Access to logs for forensic study? Will show ASC and OMS later Patch a machine with Resource Manager (get RM, update something, redeploy)
• #9: Portal tour
• #10: Also related to infrastructure, VM security Do you keep patched? Do you remove guest accounts? Least privilege for services? Access to logs for forensic study? Will show ASC and OMS later Patch a machine with Resource Manager (get RM, update something, redeploy)
• #13: Good practice topology to check that box There are other ways to be secure calling db, defense in depth, ip restrictions, protected account creds, roles and separation of tables
• #14: For example you may build a multi-tier IaaS deployment Use subnets and network security groups to ensure appropriate restrictions to subnet 2, 3
• #15: Can also achieve this with PaaS using app service environment
• #16: In this case, azure only access to sql otherwise firewall rules Can still shield behind API to public access and call from inside your azure services Service fabric endpionts can’t be reached without http endpoint exposed so the physical tier only needed if you have compliance requirement
• #17: Only the cluster has access Still may need token flow, however
• #21: From a checklist perspective, a lot of requests for proof of recommended practices for password and user account management
• #23: Password writeback Multifactor auth
• #26: Password writeback Multifactor auth
• #28: Seems obvious but these are also important questions that pop up
• #41: FIDO on Windows 10
• #42: Many features for encryption OOB in transit all HTTPS within azure Only bitlocker encrypted vhd uploaded SQL server TDE, SQL masking
• #47: What should you do? At minimum, using dynamic data masking; after copying, for all PII Ideally, do not copy; mask it on the way: maskme.net
• #48: Server=tcp:snapboarddemo.database.windows.net,1433;Database=SnapboardTdeCopy;User ID=snapadmin@snapboarddemo;Password={your_password_here};Encrypt=True;TrustServerCertificate=False;Connection Timeout=30; Sn@pB0rdDemo