Make your PaaS Deployment More Safe
About Me
• Passionate about software product and security engineering on cloud.
• Microsoft MVP (2011 – Now)
• Blog at http://thuansoldier.net
• Twitter at @nnthuan
I’m not going to….
• introduce myself as a hacker or script kiddie
• blame developers for the security unawareness that makes software vulnerable
• talk about secure coding practice
• bring up information security management (e.g. Compliance, Risk, Regulation…)
Please interrupt me anytime for open discussion, even if I’m wrong
My security principles
• Security is not a silver bullet
• Security must come first from your awareness
• Security by default before security by design
• No pain no gain if you dare
Why Security?
…think about the impact
[Diagram: System gets hacked / Service down / Your data is compromised → Operational Impact → Business Impact: data sold to a competitor, reputation down, money loss]
Is your application impervious?
Physical Security
• Physical Data Center SSAE 16/ISAE 3402 Attestation and ISO 27001 Certified
• Motion Sensor
• 24x7 protected Access
• Biometric controlled access systems
• Video camera surveillance
• Anti-passback and mantraps
• Security breach alarms
• Low-key Appearance
Azure Compliance
[Figure: Azure compliance offerings grouped as Industry, United States and Regional]
…it does not mean
• Azure is unbreakable
• Your system is impervious
• There is no security concern for PaaS because no one has access to any kind of Azure compute like IaaS
• The underlying infrastructure takes care of the network and any kind of DDoS attack
Understand shared responsibility
• Data governance & rights management
• Client endpoints
• Account & access management
Threat Modeling Approach
..if IaaS
[Diagram: layered IaaS defenses: Defense System, HAZ Zone, Agency Network, Your Defense System, Virtual Machine]
PaaS Security Challenges
…how about PaaS
• PaaS is a horizontal plane when implementing.
• Everything has a dedicated flat.
• Designed to leverage platform strengths
• Nothing really wraps anything else like in IaaS (e.g. a VM is wrapped in a subnet in a virtual network).
• Arbitrary only, without a systematic approach
• Before protecting your PaaS, you need to identify your inherent weaknesses.
• A threat model is an approach to identifying your PaaS deployment’s threats.
When to think about a Threat Model for PaaS?
• When you would like to answer some of the following questions:
  • Where to get started with your PaaS security?
  • What can go wrong with what you are building?
  • What should you do to mitigate those things that can go wrong?
  • What is a structured approach to build a defense framework?
• Part of SSDL (Security Software Development Lifecycle)
• Repeatable way to identify attack surface
• Mitigation and acceptance criteria
Threat Modeling Process
1. Create a high-level diagram
2. Identify your valuable assets
3. Create a Data Flow Diagram
4. Find your threats
5. Manage and address threats
What are you going to build?
[Diagram: Browser → App Service → SQL Database]
[Diagram: Browser → Web Front-End → Service/Business Logic → SQL Database]
…can be more complex
[Diagram: Browser → Web Front-End → Service/Business Logic (IdP) → SQL Database and Blob Storage; a Web Job pulls from SharePoint Online]
What could go wrong? Who controls what?
• Who has the right to modify my database?
• What is the attacker’s target?
• What is the potential threat when pulling data from the Web Job?
Improving the diagram with boundaries
[Diagram: the same application redrawn with trust boundaries labelled App Service and Storage around Web Front-End, Service/Business Logic, Web Job, SQL Database and Blob Storage; Pull and Push flows between the Web Job, SharePoint Online and Blob Storage]
Trust Boundary
• Adding a trust boundary is how you identify attack surface.
• Answers who controls what
• Without trust boundaries, your system seems to expose a very large attack surface.
• If there is a ‘talk’, add a boundary
  • Web master/admin talks to the administrator portal
  • Web talks to business logic
  • Service instance talks to the database
[Diagram: Attacker outside the Application Boundary and the Database Boundary]
Defining Data Flow Diagram (DFD)
[Diagram: DFD with Browser and Identity Provider as External Entities, Web Front-End and Service/Business Logic as processes inside the App Service boundary, SQL Database inside the Storage boundary, and data flows numbered 1–4]
Defining Data Flow Diagram (DFD)
[Diagram: Web Client and Web Master (External Entities) → Front-End → Web Service/API → Database; Database Admin → Database; Data Log as a Data Store. Legend: External Entity, Trust Boundary, Data Flow, Process Entity, Data Store]
Approach to drawing DFD
• Asset-centric
  • Things the attacker wants
  • Things you want to protect
  • Stepping stones to either of these
• Software-centric
  • Without a software-centric view, asset-centric would only focus on system credentials and the database.
  • Includes not only assets but also other connections and software flows.
  • Can be a DFD, UML or Swim Lanes diagram
• Attack-centric
  • Identify potential attackers (from the connection, community, intelligence databases)
  • Not recommended, but good to know
[Diagram: Things you protect, Stepping stone, Things the attacker wants]
STRIDE methodology
• Spoofing: Pretending to be something or someone other than yourself
• Tampering: Modifying something on data or system configuration
• Repudiation: Claiming that you didn’t do something, or were not responsible
• Information Disclosure: Providing information to someone not authorized to see it
• Denial of Service: Absorbing resources needed to provide service
• Elevation of Privilege: Allowing someone to do something they’re not authorized to do
STRIDE Analysis – Spoofing
[Diagram: the DFD above, flows 1–4] Example threat: claim to be a database admin
STRIDE Analysis – Tampering
[Diagram: the DFD above, flows 1–4]
STRIDE Analysis – Repudiation
[Diagram: the DFD above, flows 1–4] Example threat: repudiate being a new DB admin
STRIDE Analysis – Information Disclosure
[Diagram: the DFD above, flows 1–4] Example threat: read the userInfo table over injection
STRIDE Analysis – Denial of Service
[Diagram: the DFD above, flows 1–4] Example threat: denial of SQL service over the Internet
STRIDE Analysis – Elevation of Privilege
[Diagram: the DFD above, flows 1–4] Example threat: execute a T-SQL query
Microsoft Threat Modeling Tool
• Provides stencils to model your threats
• Uses STRIDE per Interaction
• Analysis View + Threat Lists provide threats per diagram
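The STRIDE-per-interaction pass that the tool automates, written out as an added example (this is not the deck's code nor the Threat Modeling Tool's): the deck's DFD is encoded as elements inside trust boundaries plus four numbered flows, and every flow that crosses a boundary is expanded with the standard STRIDE-per-element mapping. The element kinds, boundary names and flow numbers are assumptions read off the diagrams above.

```python
"""STRIDE-per-interaction over the deck's DFD (added example, not the deck's code).

STRIDE-per-element mapping as used by the Microsoft SDL / Shostack:
  External Entity -> S, R
  Process         -> S, T, R, I, D, E
  Data Store      -> T, R, I, D
  Data Flow       -> T, I, D
Only flows that cross a trust boundary are analysed, which is what the
"if there is a 'talk', add a boundary" rule on the slides amounts to.
"""
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# Which STRIDE categories apply to which DFD element type.
PER_ELEMENT = {
    "external": "SR",
    "process": "STRIDE",
    "store": "TRID",
    "flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str       # "external", "process" or "store"
    boundary: str   # trust boundary the element sits in (assumed names)


@dataclass(frozen=True)
class Flow:
    number: int
    src: Element
    dst: Element


def crosses_boundary(flow):
    """A flow is an interaction worth analysing only if it leaves its trust boundary."""
    return flow.src.boundary != flow.dst.boundary


def threats_for_flow(flow):
    """Return (subject, category) pairs for one interaction.

    Flows inside a single boundary yield nothing; a crossing flow yields the
    flow's own categories plus the per-element categories of both endpoints.
    """
    if not crosses_boundary(flow):
        return []
    subject = f"flow {flow.number}: {flow.src.name} -> {flow.dst.name}"
    threats = [(subject, STRIDE[c]) for c in PER_ELEMENT["flow"]]
    for element in (flow.src, flow.dst):
        threats += [(element.name, STRIDE[c]) for c in PER_ELEMENT[element.kind]]
    return threats


def threat_list(flows):
    """Deduplicated, sorted threat list for the whole diagram."""
    return sorted({t for f in flows for t in threats_for_flow(f)})


def build_deck_dfd():
    """The deck's DFD: browser, web front-end, business logic, SQL and an identity provider."""
    browser = Element("Browser", "external", "Internet")
    front_end = Element("Web Front-End", "process", "App Service")
    logic = Element("Service/Business Logic", "process", "App Service")
    sql = Element("SQL Database", "store", "Storage")
    idp = Element("Identity Provider", "external", "Identity")
    return [
        Flow(1, browser, front_end),   # crosses Internet -> App Service
        Flow(2, front_end, logic),     # stays inside App Service: no interaction
        Flow(3, logic, sql),           # crosses App Service -> Storage
        Flow(4, logic, idp),           # crosses App Service -> Identity
    ]


if __name__ == "__main__":
    for subject, category in threat_list(build_deck_dfd()):
        print(f"{category:<24} {subject}")
```

The output reproduces the deck's per-slide examples as categories on the right elements: Spoofing only lands on the external entities and processes (the "claim to be a database admin" case), while the SQL Database store gets Tampering, Repudiation, Information Disclosure and Denial of Service but never Spoofing.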
Threat Trees
• Spoofing → Authentication
• Tampering → Integrity
• Repudiation → Non-repudiation
• Information Disclosure → Confidentiality
• Denial of Service → Availability
• Elevation of Privilege → Authorization
Threat Mitigation Tactics
Authentication
• You can build your own identity
• Use Azure Active Directory to transfer threats to Microsoft
• Bring in the Trust Center
• Encryption
• Azure AD is your central identity and access management
• Certificate-based mutual authentication
[Diagram: Web Front-End authenticates through Azure Active Directory and accesses Azure SQL Database]
Azure Active Directory Threats?
• Does Azure AD have threats if it is being used?
• Client ID + Client Secret can be the stepping stone.
• Someone might claim to be an Azure global administrator.
• Someone might claim to be your end-user.
<appSettings>
<add key="AzureSubscriptionId" value="2ll0cb59-ed12-4755-a3zc-352z212fbafc" />
<add key="AzureTenantId" value="00087603-0fc0-4103-bd94-cdffllfb2226" />
<add key="AzureClientId" value="034boi383-dl20-4bf0-a78d-6d89c7de2d24" />
<add key="AzureClientSecret" value="64x6MsdDBmBg5sfej6z3rMCiUkgfVcZ42L000=" />
</appSettings>
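A check for the configuration pattern shown above, added here as an example (not the deck's code): it parses an appSettings block and reports settings whose key name or value looks like a credential, while accepting App Service Key Vault references (the `@Microsoft.KeyVault(SecretUri=...)` form) and template placeholders, so a build step can fail before a client secret ships. The two sample configs and every value in them are constructed.

```python
"""Spot credentials committed in an appSettings block (added example, not the deck's code).

A CI step can run this over web.config so that a client secret or connection
string kept in configuration (the stepping stone the slides warn about) fails
the build instead of shipping. All sample keys and values below are constructed.
"""
import math
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Key names that by convention hold a credential.
SECRET_KEY_RE = re.compile(r"secret|password|pwd|connectionstring|accountkey|apikey|sastoken", re.I)
# Values that are not credentials even when the key name says so: an App Service
# Key Vault reference, a build-time template token, or an obvious placeholder.
EXTERNALISED_RE = re.compile(r"^(@Microsoft\.KeyVault\(.+\)|#\{.+\}|\$\{.+\}|<.+>)$")
# Subscription / tenant / client IDs are identifiers, not credentials.
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def shannon_entropy(text):
    """Bits per character; random keys and tokens sit well above prose."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(key, value):
    """Return why a setting looks like an embedded secret, or None if it is fine."""
    value = value.strip()
    if not value or EXTERNALISED_RE.match(value) or GUID_RE.match(value):
        return None
    if SECRET_KEY_RE.search(key):
        return "key name indicates a credential"
    if len(value) >= 32 and " " not in value and shannon_entropy(value) > 4.0:
        return "high-entropy value"
    return None


def find_config_secrets(xml_text):
    """List (key, reason) for every <add key=... value=...> that looks like a secret."""
    root = ET.fromstring(xml_text)
    findings = []
    for add in root.iter("add"):
        reason = classify(add.get("key", ""), add.get("value", ""))
        if reason:
            findings.append((add.get("key"), reason))
    return findings


# Constructed sample: secrets sit next to identifiers, as on the deck's slide.
INSECURE_CONFIG = """
<appSettings>
  <add key="AzureSubscriptionId" value="11111111-2222-3333-4444-555555555555" />
  <add key="AzureTenantId" value="66666666-7777-8888-9999-aaaaaaaaaaaa" />
  <add key="AzureClientId" value="bbbbbbbb-cccc-dddd-eeee-ffffffffffff" />
  <add key="AzureClientSecret" value="CONSTRUCTED-client-secret-value-0123" />
  <add key="DbConnectionString" value="Server=tcp:example.database.windows.net;Password=CONSTRUCTED" />
  <add key="LegacyIntegrationValue" value="aB3dE5fG7hI9jK1lM2nO4pQ6rS8tU0vW" />
</appSettings>
"""

# Constructed sample after remediation: the secret values live in Key Vault and the
# app reaches them through Managed Service Identity; only references remain here.
HARDENED_CONFIG = """
<appSettings>
  <add key="AzureSubscriptionId" value="11111111-2222-3333-4444-555555555555" />
  <add key="AzureTenantId" value="66666666-7777-8888-9999-aaaaaaaaaaaa" />
  <add key="AzureClientId" value="bbbbbbbb-cccc-dddd-eeee-ffffffffffff" />
  <add key="DbConnectionString" value="@Microsoft.KeyVault(SecretUri=https://example-vault.vault.azure.net/secrets/db-conn)" />
</appSettings>
"""


if __name__ == "__main__":
    for key, reason in find_config_secrets(INSECURE_CONFIG):
        print(f"{key}: {reason}")
    print("hardened config findings:", find_config_secrets(HARDENED_CONFIG))
```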
Demo
• Authenticate to Azure resources via clientID & clientSecret
• Work with Azure AD B2C
Azure Authentication Threat Mitigation
• Azure AD by Managed Service Identity
  • Azure Resource Manager
  • Azure Key Vault
  • Azure Data Lake
  • Azure SQL
  • Azure Event Hubs
  • Azure Service Bus
• Use a certificate rather than client ID + client secret
  • To protect the identity
• Enable MFA for your global administrator
• Enable Azure AD Premium to gain the benefit of Conditional Access
[Diagram: Managed Service Identity flow, steps 1–3: Azure injects and rolls the credentials into the Azure App Service; the app requests a token from the local endpoint http://localhost/oauth2/token and presents it to the Azure Service]
Integrity
• Identity & Authentication Provider
  • Azure Active Directory
• Web boundary
  • Azure App Service Plan
  • Web Job
  • Azure Functions
  • API
• Storage
  • Azure Storage
  • Azure SQL Database (Threat Detection to mitigate SQL Injection).
• Encryption in transit
[Diagram: Web Front-End → Service/Business Logic → Azure SQL Database; an upload from an authorized user (admin, webmaster) is allowed, an upload from an unauthorized user is denied]
Confidentiality
• What needs to be confidential?
  • System configuration
  • Database
  • HTTP Request
  • API
  • Source Code
• Use Azure Key Vault for secret and key management
• Encryption at Rest (Azure Blob, SQL Database)
• Implement DevOps Security
Azure Key Vault Overview
• An additional protection layer for your secrets
• Secrets should only be
  • Database connection string
  • Redis Cache Key
  • Shared Access Signature
  • API Key
  • System/Service Principal Credential
  • Public certificate (used to encrypt/decrypt with the private key)
• Key types:
  • RSA: a 2048-bit RSA key (soft-key)
  • EC: Elliptic Curve
• A certificate is used for encryption/decryption or signing
Azure Key Vault Flow
[Diagram, Traditional: Azure App Service holds the database connection string and queries Azure SQL Database directly]
[Diagram, With KV: Azure App Service gets an access token; Key Vault authorizes the token and checks permission, then returns the secret; the app then accesses/queries Azure SQL Database]
Azure Key Vault Threats
• Password stripping if storing your private key as a secret
  • Read more about it (http://thuansoldier.net/?p=7462)
• A single point of failure if retrieving the secret by client ID and client secret
  • Use Azure Managed Service Identity
  • Use certificate-based authentication (where the certificate is uploaded to the App certificate store)
• Azure Key Vault can be abused as secret-as-a-service
  • Attractive target to both internal and external attackers
Azure Key Vault Integration
• Azure SQL Database
  • Bring Your Own Key (BYOK)
  • Transparent Data Encryption (TDE)
• Azure Blob Storage
  • Managed secret (with your own key)
• Azure API Management
  • Inbound Policy
App Service + MSI + Key Vault
• Create an app service and a key vault
• Enable MSI
• Use AzureServiceTokenProvider to get an access token locally (C#, Microsoft.Azure.Services.AppAuthentication and Microsoft.Azure.KeyVault packages)
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;

// With MSI enabled the provider obtains the token from the platform: no client ID or secret in configuration.
var azureServiceTokenProvider = new AzureServiceTokenProvider();
string accessToken = await azureServiceTokenProvider.GetAccessTokenAsync("https://management.azure.com/");
• Get an authentication callback to be used with KeyVaultClient
// The callback reuses the same provider to get a token for the Key Vault audience.
var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
• Get the secret value
// "secret identifier" is the secret's URI in the vault.
var secret = await keyVaultClient.GetSecretAsync("secret identifier");
string secretValue = secret.Value;
Non-repudiation
• Fraud prevention
• Well-managed Access Control
• Fewer passwords, more certificate-based
• Who is your administrator?
  • Only if that administrator uses his phone (MFA)
Availability
• User credentials targeted via brute-force attack
  • Brute-force attack mitigation with Conditional Access
  • MFA enabled
• Web Front-end
  • Content Delivery Network
  • Azure Application Gateway
  • Web configuration (Dynamic, IP filtering…)
• SQL Database
  • Control the inbound network (with service endpoint)
• Azure API Management
Sample Availability
[Diagram: two Application Gateway → App Service pairs]
Authorization
• RBAC on every trust boundary
  • Azure Subscription
  • Azure AD
  • Web, Storage…
• Implement DevOps Security to scan subscription access control
• Visualize access control programmatically
  • .NET SDK or REST API.
One thing you’d be missing
• Wrap your PaaS inside a controlled virtual network
  • Azure App Service Environment (ASE)
  • Azure API Management
  • HDInsight
  • Redis Cache
  • Azure AD DS
  • Azure Batch
  • Azure Application Gateway
• Control the inbound network
  • Azure Storage
  • Azure SQL Database
[Diagram: Application Gateway → API Management → Azure App Service inside a Virtual Network → Azure SQL Database (allowed); an Azure App Service outside the Virtual Network is denied; Azure Managed Services]
DevOps Security
DevOps + Security
Big threats still exist in development (sample)
• Developer workstation is compromised
• Source code leakage
• Bad secure coding practice
• Manual subscription access control
• Discontinuous security scanning
DevOps + Security: DevSecOps
[Diagram: Dev (software releases & updates), Ops (reliability, performance & scaling), Sec (confidentiality, availability and integrity)]
DevSecOps Picture (Sample)
• Make sure your code is both manually and dynamically scanned.
• Continuous vulnerability assessment
• Incorporate the Security Engineering team for better security & protection.
• Eliminate double effort on code refactoring after security assessment
DevSecOps Kit for Azure
[Diagram: DevSecOps Kit for Azure components: Subscription Security (Policy, ASC Config, Alerts, RBAC, etc.); Security IntelliSense and Security Verification Tests (SVTs); CICD Build/Release Extensions; Continuous Assurance Runbooks; OMS Solution for Alerting & Monitoring; Cloud Risk Governance]
• Subscription Security: scan and remediate security at subscription level with the AzSK PowerShell module
• Security IntelliSense / SVTs: integrate IDE extensions & automated security scanning with PowerShell during development.
• CICD Build/Release Extensions: implement a security pipeline with the Security extension in VSTS or other 3rd parties.
• Continuous Assurance Runbooks: periodically scan in production to watch for drift
• OMS Solution: build OMS to visualize a security dashboard across DevOps stages
• Cloud Risk Governance: make data-driven improvements to security
Demo
1. Scan subscription-level security
2. SecurityIntelliSense during development
3. Setting up a security pipeline
DevSecOpoly Game
• Created by Mark Miller (https://www.linkedin.com/pulse/devsecopoly-anyone-mark-miller/)
• Gameplay is like Monopoly
• Entertains people into stepping up to DevOps + Security.
Key takeaways
• Threat modeling is very helpful for PaaS threat identification.
  • Download the Microsoft Threat Modeling tool here
• Transfer as many of your threats to Microsoft Azure as possible (cost may increase).
• Implement a Security Software Development Lifecycle
  • Refer to the Microsoft SDL here
• DevOps Security is always recommended.
Additional References
• Securing PaaS Deployment: https://docs.microsoft.com/en-us/azure/security/security-paas-deployments
• OWASP AppSec Pipeline: https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
• Secure DevOps Kit for Azure (AzSDK): https://github.com/azsdk/azsdk-docs
Cloud First = Security First
Q & A
Thuan Ng
 
Sharepoint 2010 the medicine for your business hsu
Sharepoint 2010 the medicine for your business   hsuSharepoint 2010 the medicine for your business   hsu
Sharepoint 2010 the medicine for your business hsu
Thuan Ng
 
Sharepoint 2010 overview for student in university
Sharepoint 2010 overview for student in universitySharepoint 2010 overview for student in university
Sharepoint 2010 overview for student in university
Thuan Ng
 
Accelerating Digital Transformation With Microsoft Azure And Cognitive Services
Accelerating Digital Transformation With Microsoft Azure And Cognitive ServicesAccelerating Digital Transformation With Microsoft Azure And Cognitive Services
Accelerating Digital Transformation With Microsoft Azure And Cognitive Services
Thuan Ng
 
An initiative to healthcare analytics with office 365 and power bi spsparis2017
An initiative to healthcare analytics with office 365 and power bi spsparis2017An initiative to healthcare analytics with office 365 and power bi spsparis2017
An initiative to healthcare analytics with office 365 and power bi spsparis2017
Thuan Ng
 
ExpertsLive Asia Pacific 2017 - Planning and Deploying SharePoint Server 2016...
ExpertsLive Asia Pacific 2017 - Planning and Deploying SharePoint Server 2016...ExpertsLive Asia Pacific 2017 - Planning and Deploying SharePoint Server 2016...
ExpertsLive Asia Pacific 2017 - Planning and Deploying SharePoint Server 2016...
Thuan Ng
 
Lotus Notes Transition To Office 365
Lotus Notes Transition To Office 365Lotus Notes Transition To Office 365
Lotus Notes Transition To Office 365
Thuan Ng
 
Search Solution in SharePoint 2013
Search Solution in SharePoint 2013Search Solution in SharePoint 2013
Search Solution in SharePoint 2013
Thuan Ng
 
Planning and deploying_share_point_farm_in_azure_gabsg_2016
Planning and deploying_share_point_farm_in_azure_gabsg_2016Planning and deploying_share_point_farm_in_azure_gabsg_2016
Planning and deploying_share_point_farm_in_azure_gabsg_2016
Thuan Ng
 
B365 saturday practical guide to building a scalable search architecture in s...
B365 saturday practical guide to building a scalable search architecture in s...B365 saturday practical guide to building a scalable search architecture in s...
B365 saturday practical guide to building a scalable search architecture in s...
Thuan Ng
 
SharePoint 2013 Document Management Features
SharePoint 2013 Document Management FeaturesSharePoint 2013 Document Management Features
SharePoint 2013 Document Management Features
Thuan Ng
 
SharePoint 2010 Intranet Presentation
SharePoint 2010 Intranet PresentationSharePoint 2010 Intranet Presentation
SharePoint 2010 Intranet Presentation
Thuan Ng
 
Make a better social collaboration platform with share point 2013
Make a better social collaboration platform with share point 2013Make a better social collaboration platform with share point 2013
Make a better social collaboration platform with share point 2013
Thuan Ng
 
Explanation of sp in crazy way
Explanation of sp in crazy wayExplanation of sp in crazy way
Explanation of sp in crazy way
Thuan Ng
 
SharePoint Development with Visual Studio 2012
SharePoint Development with Visual Studio 2012SharePoint Development with Visual Studio 2012
SharePoint Development with Visual Studio 2012
Thuan Ng
 
Dynamic access control sbc12 - thuan nguyen
Dynamic access control sbc12 - thuan nguyenDynamic access control sbc12 - thuan nguyen
Dynamic access control sbc12 - thuan nguyen
Thuan Ng
 
A glance at share point 2013 social features
A glance at share point 2013 social featuresA glance at share point 2013 social features
A glance at share point 2013 social features
Thuan Ng
 
Sp administration-training-prism
Sp administration-training-prismSp administration-training-prism
Sp administration-training-prism
Thuan Ng
 
Share point 2010 indoctrination
Share point 2010 indoctrinationShare point 2010 indoctrination
Share point 2010 indoctrination
Thuan Ng
 
Basics of project management - Week 1
Basics of project management - Week 1Basics of project management - Week 1
Basics of project management - Week 1
Thuan Ng
 
Designing service applications architecture
Designing service applications architectureDesigning service applications architecture
Designing service applications architecture
Thuan Ng
 
Sharepoint 2010 the medicine for your business hsu
Sharepoint 2010 the medicine for your business   hsuSharepoint 2010 the medicine for your business   hsu
Sharepoint 2010 the medicine for your business hsu
Thuan Ng
 
Sharepoint 2010 overview for student in university
Sharepoint 2010 overview for student in universitySharepoint 2010 overview for student in university
Sharepoint 2010 overview for student in university
Thuan Ng
 
Ad

Recently uploaded (20)

tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveDesigning Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveDesigning Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 

Make your Azure PaaS Deployment More Safe

15. PaaS Security Challenges
• PaaS is a horizontal plane when implementing.
• Everything has a dedicated flat.
• Designed to leverage platform strengths.
• No one really wraps each other like IaaS (e.g. a VM is wrapped in a subnet in a virtual network).
• Arbitrary only, without a systematic approach.
• Before protecting your PaaS, you need to identify your inherent weaknesses.
• Threat modeling is an approach to identifying your PaaS deployment's threats.

16. When thinking about Threat Model for PaaS?
• When you would like to answer some of the following questions:
  • Where to get started with your PaaS security?
  • What can go wrong with what you are building?
  • What should you do to mitigate those things that can go wrong?
  • What is a structured approach to building a defense framework?
• Part of the SSDL (Security Software Development Lifecycle)
• Repeatable way to identify the attack surface
• Mitigation and acceptance criteria

17. Threat Modeling Process
1. Create a high-level diagram
2. Identify your valuable assets
3. Create a Data Flow Diagram
4. Find your threats
5. Manage and address threats

18. What are you going to build?
[Diagram: Browser → App Service → SQL Database, refined into Browser → Web Front-End → Service/Business Logic → SQL Database]

19. …can be more complex
[Diagram: Browser → Web Front-End → Service/Business Logic (IdP) → SQL Database, plus Blob Storage and a Web Job pulling from SharePoint Online]
• What would go wrong?
• Who controls what?
• Who has the right to modify my database?
• What is the attacker's target?
• What is the potential threat when pulling data from the Web Job?

20. Improving the diagram with boundaries
[Diagram: the same components grouped into an App Service boundary and a Storage boundary; the Web Job pulls from SharePoint Online and pushes into Blob Storage]

21. Trust Boundary
• Adding a trust boundary is how you identify the attack surface.
• It answers who controls what.
• Without trust boundaries, your system appears to expose a very large attack surface.
• If there is a 'talk', add a boundary:
  • Web master/admin talks to the administrator portal
  • Web talks to business logic
  • Service instance talks to the database
[Diagram: Attacker outside the Application Boundary, which in turn contains the Database Boundary]

22. Defining Data Flow Diagram (DFD)
[Diagram: Browser → Web Front-End → Service/Business Logic → SQL Database inside the App Service and Storage boundaries; Identity Provider as an External Entity; data flows numbered 1 to 4]

23. Defining Data Flow Diagram (DFD)
[Diagram: Web Client and Web Master (external entities) → Front-End Web → Service/API (processes) → Database and Data Log (data stores); Database Admin as an external entity. Legend: External Entity, Trust Boundary, Data Flow, Process Entity, Data Store]

24. Approach to drawing a DFD
• Asset-centric
  • Things the attacker wants
  • Things you want to protect
  • Stepping stones to either of these
• Software-centric
  • Without a software-centric view, asset-centric modeling would only focus on system credentials and the database.
  • Includes not only assets but also the other connections and software flows.
  • Can be a DFD, UML or Swim Lane diagram
• Attack-centric
  • Identify potential attackers (from the connection, community, intelligence databases)
  • Not recommended, but good to know
[Diagram: three overlapping sets: things you protect, stepping stones, things the attacker wants]

25. STRIDE methodology
• Spoofing: pretending to be something or someone other than yourself
• Tampering: modifying something, on data or in system configuration
• Repudiation: claiming that you didn't do something, or were not responsible
• Information Disclosure: providing information to someone not authorized to see it
• Denial of Service: absorbing resources needed to provide a service
• Elevation of Privilege: allowing someone to do something they're not authorized to do

26. STRIDE Analysis – Spoofing
[Diagram: the DFD of slide 22, annotated "Claim to be a database admin"]

27. STRIDE Analysis – Tampering
[Diagram: the DFD of slide 22]

28. STRIDE Analysis – Repudiation
[Diagram: the DFD of slide 22, annotated "Repudiate to be a new DB admin"]

29. STRIDE Analysis – Information Disclosure
[Diagram: the DFD of slide 22, annotated "Read userInfo table over injection"]

30. STRIDE Analysis – Denial of Service
[Diagram: the DFD of slide 22, annotated "Denial of SQL service over the Internet"]

31. STRIDE Analysis – Elevation of Privilege
[Diagram: the DFD of slide 22, annotated "Execute T-SQL query"]

32. Microsoft Threat Modeling Tool
• Provides stencils to model your threats
• Uses STRIDE per Interaction
• Analysis View + Threat Lists provide the threats per diagram

33. Threat Trees
Each STRIDE threat is countered by one security property:
• Spoofing: Authentication
• Tampering: Integrity
• Repudiation: Non-repudiation
• Information Disclosure: Confidentiality
• Denial of Service: Availability
• Elevation of Privilege: Authorization
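The following is an added example, not part of the deck: it encodes the DFD of slides 22 and 26 to 31 (elements, trust boundaries, numbered data flows) and runs a simplified STRIDE-per-interaction rule over it, producing a threat list per diagram in the spirit of slide 32 and mapping each threat to the countering property of slide 33. The rule itself is an assumption of this example (not the Threat Modeling Tool's full interaction table): only flows that cross a trust boundary raise threats; the sender gets Spoofing and Repudiation, the data in transit gets Tampering, Information Disclosure and Denial of Service, a receiving process gets Elevation of Privilege, and a receiving data store gets Tampering, Information Disclosure and Denial of Service against the data at rest. Element and boundary names are taken from the slides; the flow labels are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    EXTERNAL = "external entity"
    PROCESS = "process"
    STORE = "data store"


@dataclass(frozen=True)
class Element:
    name: str
    kind: Kind
    boundary: str  # the trust boundary the element lives in


@dataclass(frozen=True)
class Flow:
    source: Element
    target: Element
    label: str


@dataclass(frozen=True)
class Threat:
    flow: str       # label of the interaction the threat applies to
    category: str   # STRIDE category
    property: str   # security property that counters it (threat tree, slide 33)
    element: str    # what the threat is raised against


# STRIDE letter -> (category, countering property), as on slides 25 and 33.
STRIDE = {
    "S": ("Spoofing", "Authentication"),
    "T": ("Tampering", "Integrity"),
    "R": ("Repudiation", "Non-repudiation"),
    "I": ("Information Disclosure", "Confidentiality"),
    "D": ("Denial of Service", "Availability"),
    "E": ("Elevation of Privilege", "Authorization"),
}


def crosses_boundary(flow: Flow) -> bool:
    return flow.source.boundary != flow.target.boundary


def threats_for_flow(flow: Flow) -> list[Threat]:
    """Simplified STRIDE-per-interaction rule (an assumption of this example).
    Flows inside one trust boundary are treated as trusted and raise nothing."""
    if not crosses_boundary(flow):
        return []
    found = []
    # The sender can be impersonated, and can later deny having sent the data.
    for letter in "SR":
        found.append(Threat(flow.label, *STRIDE[letter], flow.source.name))
    # Data crossing the boundary can be altered, read, or flooded.
    for letter in "TID":
        found.append(Threat(flow.label, *STRIDE[letter], "data in transit"))
    # A receiving process can be driven to do more than its caller is allowed to.
    if flow.target.kind is Kind.PROCESS:
        found.append(Threat(flow.label, *STRIDE["E"], flow.target.name))
    # A receiving store exposes the data at rest through this interaction
    # (the "read userInfo table over injection" case on slide 29).
    if flow.target.kind is Kind.STORE:
        for letter in "TID":
            found.append(Threat(flow.label, *STRIDE[letter], flow.target.name))
    return found


# Constructed model of the DFD on slide 22.
BROWSER = Element("Browser", Kind.EXTERNAL, "Internet")
IDP = Element("Identity Provider", Kind.EXTERNAL, "Identity provider")
FRONT_END = Element("Web Front-End", Kind.PROCESS, "App Service")
LOGIC = Element("Service/Business Logic", Kind.PROCESS, "App Service")
DATABASE = Element("SQL Database", Kind.STORE, "Storage")

FLOWS = [
    Flow(BROWSER, FRONT_END, "1: HTTPS request"),
    Flow(FRONT_END, IDP, "2: authenticate user"),
    Flow(FRONT_END, LOGIC, "3: call business logic"),   # same boundary: no threats
    Flow(LOGIC, DATABASE, "4: T-SQL query"),
]


def analyze(flows: list[Flow]) -> list[Threat]:
    return [t for flow in flows for t in threats_for_flow(flow)]


def count_by_property(threats: list[Threat]) -> dict[str, int]:
    """Group the threat list by the property that mitigates it, which tells you
    which kind of control each boundary needs."""
    counts: dict[str, int] = {}
    for t in threats:
        counts[t.property] = counts.get(t.property, 0) + 1
    return counts


if __name__ == "__main__":
    threats = analyze(FLOWS)
    for t in threats:
        print(f"[{t.flow}] {t.category} against {t.element} -> needs {t.property}")
    print(count_by_property(threats))
```

Flow 3 stays inside the App Service boundary and produces nothing, which is exactly the point of slide 21: the boundaries decide where the attack surface is, so drawing them wrong hides threats.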
35. Authentication
• You can build your own identity.
• Use Azure Active Directory to transfer threats to Microsoft:
  • Brings the Trust Center
  • Encryption
• Azure AD is your central identity and access management.
• Certificate-based mutual authentication
[Diagram: Web Front-End authenticates through Azure Active Directory to Azure SQL Database]

36. Azure Active Directory Threats?
• Does Azure AD introduce threats when it is used?
• Client ID + client secret can be the stepping stone.
• Someone might claim to be an Azure global administrator.
• Someone might claim to be your end user.

    <appSettings>
      <add key="AzureSubscriptionId" value="2ll0cb59-ed12-4755-a3zc-352z212fbafc" />
      <add key="AzureTenantId" value="00087603-0fc0-4103-bd94-cdffllfb2226" />
      <add key="AzureClientId" value="034boi383-dl20-4bf0-a78d-6d89c7de2d24" />
      <add key="AzureClientSecret" value="64x6MsdDBmBg5sfej6z3rMCiUkgfVcZ42L000=" />
    </appSettings>

37. Demo
• Authenticate to Azure resources via client ID & client secret
• Work with Azure AD B2C

38. Azure Authentication Threat Mitigation
• Azure AD via Managed Service Identity, supported by:
  • Azure Resource Manager
  • Azure Key Vault
  • Azure Data Lake
  • Azure SQL
  • Azure Event Hubs
  • Azure Service Bus
• Use a certificate rather than client ID + client secret.
• To protect identities:
  • Enable MFA for your global administrators
  • Enable Azure AD Premium to gain the benefit of Conditional Access
[Diagram: Azure injects and rolls credentials into the Azure App Service, the app obtains a token from http://localhost/oauth2/token and presents it to the Azure service (steps 1 to 3)]

39. Integrity
• Identity & authentication provider: Azure Active Directory
• Web boundary: Azure App Service Plan, Web Job, Azure Functions, API
• Storage: Azure Storage, Azure SQL Database (Threat Detection to mitigate SQL injection)
• Encryption in transit
[Diagram: Web Front-End → Service/Business Logic → Azure SQL Database; an authorized user (admin, webmaster) is allowed to upload, an unauthorized user is denied]

40. Confidentiality
• What needs to be confidential?
  • System configuration
  • Database
  • HTTP requests
  • API
  • Source code
• Use Azure Key Vault for secret and key management
• Encryption at rest (Azure Blob, SQL Database)
• Implement DevOps Security

41. Azure Key Vault Overview
• An additional protection layer for your secrets
• Secrets should only be:
  • Database connection strings
  • Redis Cache keys
  • Shared Access Signatures
  • API keys
  • System/service principal credentials
  • Public certificates (used to encrypt/decrypt with the private key)
• Key types:
  • RSA: a 2048-bit RSA key (soft key)
  • EC: Elliptic Curve
• A certificate is used for encryption/decryption or signing

42. Azure Key Vault Flow
[Diagram: Traditional: the Azure App Service holds the database connection string and queries Azure SQL Database directly. With Key Vault: the App Service gets an access token, Key Vault authorizes the request and checks permissions, returns the secret, and only then does the App Service access/query the database]

43. Azure Key Vault Threats
• Password stripping if you store your private key as a secret
  • Read more about it (http://thuansoldier.net/?p=7462)
• A single point of failure if the secret is retrieved with a client ID and client secret
  • Use Azure Managed Service Identity
  • Use certificate-based authentication (where the certificate is uploaded to the App certificate store)
• Azure Key Vault can be abused as secret-as-a-service
• Attractive target for both internal and external attackers

44. Azure Key Vault Integration
• Azure SQL Database
  • Bring Your Own Key (BYOK)
  • Transparent Data Encryption (TDE)
• Azure Blob Storage
  • Managed secret (with your own key)
• Azure API Management
  • Inbound policy

45. App Service + MSI + Key Vault
• Create an App Service and a Key Vault
• Enable MSI
• Use AzureServiceTokenProvider to get an access token locally
• Get an authentication callback to be used with KeyVaultClient
• Get the secret value

    using Microsoft.Azure.KeyVault;
    using Microsoft.Azure.Services.AppAuthentication;

    // Token provider backed by the App Service managed identity (MSI):
    // no client ID or client secret is stored in configuration.
    var azureServiceTokenProvider = new AzureServiceTokenProvider();
    string accessToken = await azureServiceTokenProvider.GetAccessTokenAsync("https://management.azure.com/");

    // The callback lets KeyVaultClient obtain a Key Vault token through the same provider.
    var keyVaultClient = new KeyVaultClient(
        new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));

    // The secret identifier is the full URL of the secret in the vault.
    var secret = await keyVaultClient.GetSecretAsync("secret identifier");
46. Non-repudiation
• Fraud prevention
• Well-managed access control
• Fewer passwords, more certificate-based authentication
• Who is your administrator?
  • Only if that administrator uses his phone (MFA)

47. Availability
• User credentials targeted via brute-force attack
  • Brute-force attack mitigation with Conditional Access
  • MFA enabled
• Web front-end
  • Content Delivery Network
  • Azure Application Gateway
  • Web configuration (dynamic IP filtering…)
• SQL Database
  • Control the inbound network (with service endpoints)
• Azure API Management

49. Authorization
• RBAC on every trust boundary
  • Azure subscription
  • Azure AD
  • Web, Storage…
• Implement DevOps Security to scan subscription access control
• Visualize access control programmatically
  • .NET SDK or REST API
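An added example (not from the deck or from Microsoft's SDKs) of the "scan subscription access control" and "visualize access control programmatically" points on slide 49. It reviews a list of role assignments offline, using a constructed sample in the shape of `az role assignment list -o json` output (only the fields used here; the principal names, subscription id and resource names are placeholders). Two least-privilege checks are applied, both assumptions of this example rather than rules from the slides: a privileged role (Owner, Contributor, User Access Administrator) granted at subscription scope, and a privileged role granted directly to a user account instead of a group.

```python
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample, shaped like `az role assignment list -o json` output.
SAMPLE_ASSIGNMENTS = json.loads("""[
  {"principalName": "alice@contoso.example", "principalType": "User",
   "roleDefinitionName": "Owner", "scope": "/subscriptions/SUB-PLACEHOLDER"},
  {"principalName": "ci-pipeline-sp", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Contributor", "scope": "/subscriptions/SUB-PLACEHOLDER"},
  {"principalName": "webapp-msi", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Key Vault Secrets User",
   "scope": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-app"},
  {"principalName": "sec-team", "principalType": "Group",
   "roleDefinitionName": "Reader", "scope": "/subscriptions/SUB-PLACEHOLDER"},
  {"principalName": "bob@contoso.example", "principalType": "User",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-app"}
]""")

# Roles that can change resources or change who has access. These are the ones
# to keep narrowly scoped and assigned to groups rather than to individuals.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}


@dataclass(frozen=True)
class Finding:
    principal: str
    role: str
    scope: str
    reasons: tuple


def scope_level(scope: str) -> str:
    """Classify an ARM scope string by the trust boundary it covers."""
    parts = [p.lower() for p in scope.strip("/").split("/")]
    if "providers" in parts:
        return "resource"
    if "resourcegroups" in parts:
        return "resource group"
    if parts and parts[0] == "subscriptions":
        return "subscription"
    return "other"


def review_assignments(assignments: list[dict]) -> list[Finding]:
    """Apply the two least-privilege checks; one Finding per flagged assignment."""
    findings = []
    for a in assignments:
        reasons = []
        role, level = a["roleDefinitionName"], scope_level(a["scope"])
        if role in PRIVILEGED_ROLES and level == "subscription":
            reasons.append("privileged role at subscription scope; scope it to the "
                           "resource group or resource that needs it")
        if role in PRIVILEGED_ROLES and a["principalType"] == "User":
            reasons.append("privileged role granted directly to a user; grant it to a "
                           "group so membership is reviewable")
        if reasons:
            findings.append(Finding(a["principalName"], role, a["scope"], tuple(reasons)))
    return findings


def summarize_by_scope(assignments: list[dict]) -> dict[str, list[tuple[str, str]]]:
    """Who holds what at each scope: the 'visualize access control' view."""
    by_scope: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for a in assignments:
        by_scope[a["scope"]].append((a["principalName"], a["roleDefinitionName"]))
    return dict(by_scope)


if __name__ == "__main__":
    for scope, holders in summarize_by_scope(SAMPLE_ASSIGNMENTS).items():
        print(f"{scope_level(scope):>14}  {scope}")
        for principal, role in holders:
            print(f"{'':>14}    {principal}: {role}")
    for f in review_assignments(SAMPLE_ASSIGNMENTS):
        print(f"FINDING {f.principal} ({f.role} @ {f.scope}):")
        for reason in f.reasons:
            print(f"  - {reason}")
```

The managed identity of the web app is the one assignment that passes cleanly: a data-plane role on a single vault, which is what the Key Vault flow on slide 42 needs and nothing more.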
50. One thing you'd be missing
• Wrap your PaaS inside a controlled virtual network:
  • Azure App Service Environment (ASE)
  • Azure API Management
  • HDInsight
  • Redis Cache
  • Azure AD DS
  • Azure Batch
  • Azure Application Gateway
• Control the inbound network:
  • Azure Storage
  • Azure SQL Database
[Diagram: Application Gateway → API Management → Azure App Service inside a Virtual Network → Azure SQL Database; the database allows the Azure App Service and denies other Azure managed services]

52. Big threats still exist in development (sample)
• Developer workstation is compromised
• Source code leakage
• Bad coding security practice
• Manual subscription access control
• Discontinuous security scanning

53. DevOps + Security: DevSecOps
• Dev: software releases & updates
• Ops: reliability, performance & scaling
• Sec: confidentiality, availability and integrity
• Make sure your code is scanned both manually and dynamically.
• Continuous vulnerability assessment
• Incorporate the security engineering team for better security & protection.
• Eliminate the double effort of refactoring code after a security assessment.

55. DevSecOps Kit for Azure
• Subscription Security (Policy, ASC config, alerts, RBAC, etc.): scan and remediate security at subscription level with the AzSK PowerShell module
• Security IntelliSense, Security Verification Tests (SVTs): integrate IDE extensions & automated security scanning with PowerShell during development
• CICD Build/Release Extensions: implement a security pipeline with the Security extension in VSTS or other 3rd parties
• Continuous Assurance Runbooks: periodically scan in production to watch for drift
• OMS Solution for Alerting & Monitoring: build OMS to visualize a security dashboard across the DevOps stages
• Cloud Risk Governance: make data-driven improvements to security
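An added example (not from the deck, and not part of AzSK) of the kind of automated scan slides 52 to 55 call for during development, applied to the threat on slide 36: it parses an appSettings block and flags secret material stored as a literal, while accepting App Service Key Vault references (`@Microsoft.KeyVault(...)`), which are resolved at runtime and leave nothing in the file. The web.config fragment is constructed for this example and every GUID, key and secret in it is a placeholder; the list of setting names treated as secret-bearing is an assumption of the example.

```python
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed web.config fragment, shaped like the appSettings on slide 36.
# Every GUID, key and secret value here is a placeholder, not a real identifier.
SAMPLE_CONFIG = """<configuration>
  <appSettings>
    <add key="AzureSubscriptionId" value="00000000-0000-0000-0000-000000000001" />
    <add key="AzureTenantId" value="00000000-0000-0000-0000-000000000002" />
    <add key="AzureClientId" value="00000000-0000-0000-0000-000000000003" />
    <add key="AzureClientSecret" value="PLACEHOLDER-client-secret-value=" />
    <add key="StorageConnectionString" value="DefaultEndpointsProtocol=https;AccountName=placeholder;AccountKey=PLACEHOLDERKEY==" />
    <add key="RedisKey" value="@Microsoft.KeyVault(SecretUri=https://placeholder.vault.azure.net/secrets/redis/)" />
    <add key="FeatureFlagBeta" value="true" />
  </appSettings>
</configuration>"""

# Setting names that usually carry secret material (assumed list for this example).
SECRET_KEY_PATTERN = re.compile(
    r"secret|password|pwd|apikey|api_key|accountkey|connectionstring|token|key$", re.I)

# App Service resolves this reference syntax from Key Vault at runtime,
# so a setting written this way stores no secret in the configuration file.
KEYVAULT_REFERENCE = "@Microsoft.KeyVault("


@dataclass(frozen=True)
class Finding:
    key: str
    reason: str
    recommendation: str


def scan_app_settings(xml_text: str) -> list[Finding]:
    """Return one Finding per secret-bearing setting that holds a literal value,
    plus one for the client ID + client secret pair if both are present."""
    root = ET.fromstring(xml_text)
    settings = {add.get("key"): add.get("value", "")
                for add in root.iter("add") if add.get("key")}
    findings = []
    for key, value in settings.items():
        if not SECRET_KEY_PATTERN.search(key):
            continue
        if value.startswith(KEYVAULT_REFERENCE):
            continue  # already a Key Vault reference, nothing stored here
        findings.append(Finding(
            key,
            "secret material stored as a literal in configuration",
            "move the value to Azure Key Vault and reference it from the setting",
        ))
    # The client ID + client secret pair is the stepping stone of slide 36:
    # whoever can read this file can authenticate as the application.
    if "AzureClientId" in settings and any(f.key == "AzureClientSecret" for f in findings):
        findings.append(Finding(
            "AzureClientId + AzureClientSecret",
            "service principal credential pair present in configuration",
            "use Managed Service Identity or a certificate credential instead of "
            "client ID + client secret",
        ))
    return findings


if __name__ == "__main__":
    for f in scan_app_settings(SAMPLE_CONFIG):
        print(f"{f.key}: {f.reason}; {f.recommendation}")
```

Run as a pre-commit hook or a build step, a check like this turns the "discontinuous security scanning" item of slide 52 into a continuous one for the single most common leak in PaaS projects: credentials committed with the configuration.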
56. Demo
1. Scan subscription-level security
2. Security IntelliSense during development
3. Setting up a security pipeline

57. DevSecOpoly Game
• Created by Mark Miller (https://www.linkedin.com/pulse/devsecopoly-anyone-mark-miller/)
• Gameplay is like Monopoly
• Entertains people into stepping up to DevOps + Security

58. Key takeaways
• Threat modeling is very helpful for PaaS threat identification.
  • Download the Microsoft Threat Modeling Tool here
• Transfer as many of your threats as possible to Microsoft Azure (cost may increase).
• Implement a Security Software Development Lifecycle
  • Refer to the Microsoft SDL here
• DevOps Security is always recommended.

59. Additional References
• Securing PaaS Deployment: https://docs.microsoft.com/en-us/azure/security/security-paas-deployments
• OWASP AppSec Pipeline: https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
• Secure DevOps Kit for Azure (AzSDK): https://github.com/azsdk/azsdk-docs

60. Cloud First = Security First

61. Q & A