Azure and Security: Available Features (Ioannis Stavrinides, Azure Security)
Transcript of the slide deck.

Page 1
Azure Security: Services, Features and Options
Ioannis Stavrinides, Technical Evangelist, CEE MC
Page 2
Agenda for today
• General security features
• Encryption
• Other security mechanisms
• Azure Active Directory security features
• Azure Key Vault
• SQL Db security features
• Azure Security Center
Page 3
Securing your services shouldn't be an afterthought.
It should be the foundation of the process.
Page 4
General security features

Page 5
Encryption
Page 6
Encryption
Data in transit
• Strong SSL/TLS cipher suite
• Perfect Forward Secrecy
• Datacenter-to-datacenter encryption
Data at rest
• BitLocker disk encryption
• Per-file encryption for customer content
Page 7
Encryption in Transit
Azure
• Encrypts communication between Azure datacenters
• Encrypts transactions through the Azure Portal with HTTPS
• Supports FIPS 140-2 validated cryptographic modules
Customer
• Can choose HTTPS for the REST API (recommended; the API also accepts plain HTTP, so this is a choice the customer has to make)
• Configures HTTPS endpoints for applications running in Azure
• Encrypts traffic between web client and server by implementing TLS on IIS (and choosing a strong, forward-secret cipher suite there, since the default IIS configuration is the customer's responsibility)
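The "strong cipher suite" and "Perfect Forward Secrecy" items above are properties of a TLS configuration, and the customer side of the table is where they get lost. The following added example (not from the deck, and not Microsoft code) shows what enforcing them looks like from a client: a Python ssl context that refuses anything below TLS 1.2, offers only ECDHE/DHE (forward-secret) AEAD suites, and an audit helper that lists any non-PFS suite still enabled. The cipher string is an assumption of this example, written in OpenSSL syntax; it is the same idea as restricting the suite list on IIS, just expressed where it can be checked offline.

```python
import ssl

# OpenSSL cipher string (assumed for this example): only ECDHE/DHE key exchange with
# AEAD bulk ciphers, so every negotiable TLS 1.2 suite provides forward secrecy.
# TLS 1.3 suites are forward-secret by construction and are not affected by this string.
PFS_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def build_client_context():
    """Client context that verifies the server chain and hostname, refuses anything
    below TLS 1.2 (so SSLv3, TLS 1.0 and TLS 1.1 can never be negotiated), and only
    offers forward-secret suites."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname + system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(PFS_CIPHERS)
    return ctx


def is_forward_secret(cipher):
    """Classify one entry from SSLContext.get_ciphers() by its key exchange:
    TLS 1.3 suites always use (EC)DHE; for TLS 1.2 the OpenSSL name encodes it."""
    return cipher["protocol"] == "TLSv1.3" or cipher["name"].startswith(("ECDHE-", "DHE-"))


def non_pfs_suites(ctx):
    """Names of enabled suites whose key exchange is static RSA (or similar), i.e. a
    leaked server private key would decrypt recorded traffic."""
    return sorted(c["name"] for c in ctx.get_ciphers() if not is_forward_secret(c))


def audit(ctx):
    """The summary a reviewer wants: floor protocol version, suite count, non-PFS leftovers."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "suites": len(ctx.get_ciphers()),
        "non_pfs": non_pfs_suites(ctx),
    }


if __name__ == "__main__":
    # Expected: minimum_version TLSv1_2 and an empty non_pfs list.
    print(audit(build_client_context()))
```

The same audit applied to `ssl.create_default_context()` without `set_ciphers` will, on most OpenSSL builds, list static-RSA suites such as AES128-GCM-SHA256: they encrypt, but without forward secrecy, which is exactly the gap the slide's "Perfect Forward Secrecy" bullet is about.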
Page 8
Encryption at Rest
Provides defense-in-depth against
• Offline attacks (stolen or improperly decommissioned disks, copied backups)
• Online attacks, when possession of the key is used as a secondary authorization mechanism: an attacker who reaches the storage but not the key still gets only ciphertext
Encryption at rest is required by certain sovereign laws and certifications.
Page 9
Azure Encryption-at-Rest Promises
Control
• Customers can choose if and when data is encrypted
• Customers can choose what encryption keys are used and where they are stored
• Customers can decide at any time to revoke access to the keys and data
Transparency
• Customers have full visibility into the encryption state of their data
• Customers know at any time where their data is stored
• Customers can view logs at any time related to the stored data and keys
Page 10
Encryption Models

Server encryption
1. Server-side encryption using service-managed keys
   • Azure services can see decrypted data
   • Microsoft manages the keys
   • Full cloud functionality
2. Server-side encryption using customer-managed keys in Azure Key Vault
   • Azure services can see decrypted data
   • Customer controls keys via Azure Key Vault
   • Full cloud functionality
3. Server-side encryption using on-premises customer-managed keys
   • Azure services can see decrypted data
   • Customer controls keys on-premises
   • Full cloud functionality

Client encryption
4. Client-side encryption
   • Azure services cannot see decrypted data
   • Customer keeps keys on-premises
   • REDUCED cloud functionality (the service only ever holds opaque ciphertext, so it cannot index, search or process the data for you)
Page 11
Other security mechanisms

Page 12
Firewall Protection (GA)

Page 13
Threat Detection (GA)

Page 14
Network Security Group (GA)

Page 15
Role Based Access Control (GA)
Page 16
Azure Active Directory

Page 17
Integration (GA)
• Federation for on-premises AD integration
• Directly from the Portal, no code necessary
• Using the Active Directory Authentication Library (ADAL) for custom scenarios
Page 18
Azure AD B2C: IdMaaS for Applications (in preview)
• Azure AD security, availability, and scalability for customer identity management
• Adds B2C features to Azure AD
  • Social IdPs and "application local accounts"
  • Self-service sign up, password reset, profile management
  • Customizable sign in and sign up UI
  • Same protocols, libraries, and programming model
• Consumption-based pricing
  • Meters for number of users and number of authentications

Page 19
Azure AD B2C (in preview)
Page 20
Microsoft account + Azure AD (GA)
• Many apps want to sign users in from both Microsoft account and Azure AD
• Working on a unified developer experience
  • Single endpoint, OpenID Connect and OAuth 2.0
  • Single SDK
  • Single end-user sign-in experience
  • Single streamlined app registration experience, outside of the Azure portal, no Azure subscription required
  • Works with unified Office business + consumer APIs
Page 21
Enhanced Device Support (in preview)
Windows 10 Azure AD Join: sign in to the desktop with an Azure AD account
Single sign-on to:
• Kerberos-based on-premises applications
• Native applications that use WebAccountManager
• Web apps that support Azure AD sign-in
Page 22
Multi-Factor Authentication (GA)
Authenticate the user over a different channel
• Text message
• Phone call
• Authenticator app
• Hardware tokens
Username/password is something you know; the second factor is something you have (a device, an RSA token, etc.). Text and call factors ride on the phone network, so the authenticator app or a hardware token is the stronger choice where it is available.
Page 23
Self-Service Password Reset (GA)
Administrators can create users and know only their initial password
• The user must change the password on first log-in
Users can reset their password without contacting support
• Identity is verified with a second channel (phone, secondary email) before the reset is allowed
Page 24
Rights Management (RMS) (GA)
• Protect information from unauthorized access
• Protect information anywhere
• Audit and monitor usage

Page 25
Azure Active Directory: Advanced Monitoring Features
Page 26
Brute force attack

Page 27
Sign-in from an anonymizing network
IP address: 31.172.30.4
Page 28
Unlikely travel
[email protected]: Seattle, WA. Time: 8:29 AM PST (3:29 PM UTC)
[email protected]: Somewhere in Asia. Time: 7:54 AM local time (3:54 PM UTC)
Page 29
Tenant-spanning activity
IP address: 199.34.28.10
X Bad username
X Bad password
X Bad password
X Bad password
X Bad username
X Bad username
X Bad username
X Bad password
Page 30
Sign-in from a known infected device
Page 31
Azure Active Directory Identity Protection (in preview)
Using the aforementioned signals:
• Compiles a risk score for each sign-in attempt
• Surfaces the data to administrators
• Admins can investigate and handle events manually
• Policies for automated mitigation:
  • Request 2FA
  • Block the request
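Pages 26 to 31 describe detections by example only. The following added example (written for this transcript, not Azure's or Microsoft's logic) shows how three of those signals can be computed from a sign-in log and fed into a risk policy with the two outcomes the slide lists: unlikely travel (distance between consecutive successful sign-ins divided by elapsed time), brute force (repeated failures against one account from one address inside a window), and tenant-spanning activity (one source address failing against many accounts in several tenants, which is the pattern a single tenant's own logs cannot reveal). The sign-in records, the RFC 5737 addresses, the geolocations, the weights and the thresholds are all constructed for the example.

```python
"""Sign-in risk signals in the style of the deck's examples (added example, not product code)."""
import math
from collections import defaultdict
from datetime import datetime

# Constructed sign-in log (not real data). Fields: UTC time, user, tenant, source IP,
# success flag, and an assumed IP-geolocation in decimal degrees.
SIGN_INS = [
    # Page 28: Seattle at 15:29 UTC, then "somewhere in Asia" (Singapore here) at 15:54 UTC.
    ("2015-11-02T15:29:00", "user1@contoso.com", "contoso", "203.0.113.5", True, 47.61, -122.33),
    ("2015-11-02T15:54:00", "user1@contoso.com", "contoso", "198.51.100.9", True, 1.35, 103.82),
]
# Page 26: six failures against one account from one address within five minutes.
SIGN_INS += [
    (f"2015-11-02T16:0{i}:00", "user2@contoso.com", "contoso", "198.51.100.77", False, 52.52, 13.40)
    for i in range(6)
]
# Page 29: one address, one failed attempt each against six accounts in three tenants.
SIGN_INS += [
    (f"2015-11-02T17:{10 + i:02d}:00", user, tenant, "192.0.2.10", False, 40.71, -74.01)
    for i, (user, tenant) in enumerate([
        ("a@contoso.com", "contoso"), ("b@contoso.com", "contoso"),
        ("c@fabrikam.com", "fabrikam"), ("d@fabrikam.com", "fabrikam"),
        ("e@tailspin.com", "tailspin"), ("f@tailspin.com", "tailspin"),
    ])
]


def _parse(ev):
    ts, user, tenant, ip, ok, lat, lon = ev
    return datetime.fromisoformat(ts), user, tenant, ip, ok, lat, lon


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def unlikely_travel(events, max_kmh=900.0):
    """Consecutive successful sign-ins by one user that would need faster-than-airliner travel."""
    by_user = defaultdict(list)
    for ts, user, _, ip, ok, lat, lon in map(_parse, events):
        if ok:
            by_user[user].append((ts, ip, lat, lon))
    findings = []
    for user, hops in by_user.items():
        hops.sort()
        for (t1, ip1, la1, lo1), (t2, ip2, la2, lo2) in zip(hops, hops[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = max((t2 - t1).total_seconds() / 3600.0, 1 / 3600.0)  # avoid division by zero
            if km / hours > max_kmh:
                findings.append(("unlikely_travel", user, {"from": ip1, "to": ip2, "km": round(km), "kmh": round(km / hours)}))
    return findings


def brute_force(events, min_failures=5, window_min=10):
    """One (user, IP) pair with at least min_failures failed sign-ins inside a sliding window."""
    fails = defaultdict(list)
    for ts, user, _, ip, ok, *_ in map(_parse, events):
        if not ok:
            fails[(user, ip)].append(ts)
    findings = []
    for (user, ip), times in fails.items():
        times.sort()
        for i in range(len(times) - min_failures + 1):
            if (times[i + min_failures - 1] - times[i]).total_seconds() <= window_min * 60:
                findings.append(("brute_force", user, {"ip": ip, "failures": len(times)}))
                break
    return findings


def tenant_spanning_spray(events, min_users=5):
    """One source IP whose failures touch many distinct accounts across more than one tenant."""
    by_ip = defaultdict(lambda: (set(), set()))
    for _, user, tenant, ip, ok, *_ in map(_parse, events):
        if not ok:
            by_ip[ip][0].add(user)
            by_ip[ip][1].add(tenant)
    return [("tenant_spanning_spray", ip, {"users": len(u), "tenants": sorted(t)})
            for ip, (u, t) in by_ip.items() if len(u) >= min_users and len(t) > 1]


# Assumed weights and thresholds; the real service scores risk with many more signals.
WEIGHTS = {"unlikely_travel": 60, "brute_force": 40, "tenant_spanning_spray": 30}


def risk_policy(score):
    """Page 31's two automated mitigations, plus allow below the lower threshold."""
    if score >= 50:
        return "block"
    if score >= 20:
        return "require_mfa"
    return "allow"


def assess(events):
    """{subject: (score, action)}; subject is a user, or the source IP for the spray signal
    (the action then applies to further sign-ins from that address)."""
    scores = defaultdict(int)
    for kind, subject, _ in unlikely_travel(events) + brute_force(events) + tenant_spanning_spray(events):
        scores[subject] += WEIGHTS[kind]
    return {s: (sc, risk_policy(sc)) for s, sc in scores.items()}
```

Run as-is, `assess(SIGN_INS)` blocks user1 (Seattle to Singapore in 25 minutes is roughly 31,000 km/h), challenges user2 with MFA after the brute-force burst, and challenges further sign-ins from 192.0.2.10; the spray address never trips the per-account brute-force detector, which is why the cross-tenant view on page 29 matters.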
Page 32
More Azure AD security features in preview
• Privileged Identity Management
• Dynamic Group Membership
• Conditional Access Policies
• Password Rollover
• Self-Service Access Requests
Page 33
Azure Key Vault (GA)

Page 34
Secret management asks from our customers
"My app on Azure has passwords and cryptographic keys..."
"I need a safe place to save these in Azure."
"I need to (re)use AD users and groups to manage access to secrets."
"I do NOT want to be in the news for a silly mistake."
Page 35
Azure Key Vault
An Azure resource provider that lets you
• Store and manage SECRETS (especially app configuration), and release them to authorized apps and users
• Store and manage KEYS, and perform cryptographic operations in an isolated service, so the key material never has to be handed to the application
Backed by Hardware Security Modules
• All secrets and keys are protected at rest with a key hierarchy rooted in HSMs
• Keys marked as "HSM-protected" are protected even at runtime: operations with them run inside the HSM boundary and the key is never exported from it
Key Vault is not the customer's dedicated HSM
• Azure Key Vault is a multi-tenant service backed by Microsoft-managed HSMs
Page 36
Your organization is in control via Active Directory
Users and apps authenticate to your key vaults using your organization's Azure AD.
Benefits for organizations:
• Organizations can centrally revoke access to ALL key vaults in their organization
• If a user leaves, they instantly lose access to ALL key vaults in the organization, because the vault trusts the directory, not a credential the user still holds
• Organizations can customize authentication via the options in Azure AD
• Azure has no default access to a customer's key vault, including for the disk encryption feature; the customer grants the access that each service or application needs
Page 37
Azure SQL Db

Page 38
Transparent Data Encryption (GA)
Regulatory compliance
• Encryption at rest helps satisfy requirements in HIPAA, PCI DSS, SOX and similar regimes
Simplicity
• On by default for new databases (V12)
• Protects the database, its backups and its transaction logs
• Keys managed by the service
Transparent
• No changes needed in the application
• The flip side of transparency: TDE protects the files on disk only; anyone who can authenticate to the database still reads plaintext, so it does not replace access control
Page 39
Row-Level Security (GA)
Fine-grained access control
• A multi-tenant database is, by definition, accessed by different customers
• RLS restricts each customer to its own rows, so one tenant's queries cannot see another tenant's data
Application transparency
• No change needed to queries; the filter is applied by the engine
Centralized security logic
• Logic lives in the database
• The predicate is schema-bound to the protected table and is evaluated on every access, whichever application issues the query
• Higher security, reduced application maintenance and complexity
Page 40
Dynamic Data Masking (in preview)
Limit sensitive data exposure
• On-the-fly obfuscation of query results
Policy driven
• Multiple out-of-the-box masking functions available
• Define privileged users who see unmasked data
• Recommends fields to mask
Example: Azure DB, Table.CreditCardNo
4465-6571-7868-5796
4468-7746-3848-1978
4484-5434-6858-6550
→ Dynamic Masking
Note that the stored data is unchanged: masking is applied to result sets for non-privileged users, and a user who can run ad-hoc queries can still infer values through predicates. It limits accidental exposure; it is not encryption.
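To make the masking functions and the inference caveat concrete, here is an added example (built for this transcript; it is a simulation in Python over an in-memory SQLite table, not the Azure SQL Database engine): a partial() style mask for the card column modelled on the slide's example, an email() style mask, a privileged principal who sees clear values, and a query that shows how a masked principal who can write WHERE predicates still learns which rows start with a given digit string. Names, rows and the privileged role are constructed for the example; the card numbers are the made-up values from the slide.

```python
import sqlite3

# Constructed sample rows (the three made-up card numbers from the slide).
CUSTOMERS = [
    ("Alice", "alice@contoso.com", "4465-6571-7868-5796"),
    ("Bob", "bob@contoso.com", "4468-7746-3848-1978"),
    ("Carol", "carol@fabrikam.com", "4484-5434-6858-6550"),
]

# Principals assumed to hold the unmask privilege; everyone else gets masked results.
UNMASK = {"fraud_analyst"}


def partial_mask(value, prefix, padding, suffix):
    """Keep `prefix` leading and `suffix` trailing characters, replace the middle with padding,
    the same shape as the partial(prefix, padding, suffix) masking function."""
    head = value[:prefix]
    tail = value[len(value) - suffix:] if suffix else ""
    return head + padding + tail


def email_mask(value):
    """First character kept, rest replaced: the shape of the email() masking function."""
    return value[:1] + "XXX@XXXX.com"


# Masking policy per column: card shows only the last four digits, as on the slide.
MASK_RULES = {
    "CreditCardNo": lambda v: partial_mask(v, 0, "XXXX-XXXX-XXXX-", 4),
    "Email": email_mask,
}


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (Name TEXT, Email TEXT, CreditCardNo TEXT)")
    conn.executemany("INSERT INTO Customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def _mask_row(principal, cols, row):
    if principal in UNMASK:
        return tuple(row)
    return tuple(MASK_RULES[c](v) if c in MASK_RULES else v for c, v in zip(cols, row))


def read_customers(conn, principal):
    """All rows, with sensitive columns masked unless the principal holds UNMASK."""
    cur = conn.execute("SELECT Name, Email, CreditCardNo FROM Customers ORDER BY Name")
    cols = [d[0] for d in cur.description]
    return [_mask_row(principal, cols, row) for row in cur.fetchall()]


def names_matching_prefix(conn, principal, prefix):
    """The inference caveat: the WHERE clause is evaluated on the real value before the
    result is masked, so a masked principal still learns whose card begins with `prefix`
    and can recover the number digit by digit with repeated queries."""
    cur = conn.execute(
        "SELECT Name, CreditCardNo FROM Customers WHERE CreditCardNo LIKE ? ORDER BY Name",
        (prefix + "%",),
    )
    cols = [d[0] for d in cur.description]
    return [_mask_row(principal, cols, row) for row in cur.fetchall()]


if __name__ == "__main__":
    db = build_db()
    print(read_customers(db, "app_reader"))        # masked
    print(read_customers(db, "fraud_analyst"))     # clear
    print(names_matching_prefix(db, "app_reader", "4465"))  # still reveals Alice
```

The practical consequence: grant ad-hoc query rights on masked tables as sparingly as unmask rights, and use Always Encrypted or application-level encryption where the value itself must stay out of reach of database users.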
Page 41
Always Encrypted (in preview)
• Client-side encryption for Azure SQL Db
• Data is transparently encrypted and decrypted inside the client driver
• The client manages the keys; the column master key lives in a store the client can reach, outside the database
• Encrypted data is queryable: equality comparisons only, and only for columns using deterministic encryption (randomized encryption permits no server-side operations on the column)
• Sensitive data remains encrypted at all times on the server; it is never decrypted inside the database engine, so DBAs and a compromised server see only ciphertext
Page 42
Threat Detection (in preview)
Detects anomalous database activities that indicate potential security threats to the database
• SQL injection attempts and vulnerabilities
• Logging of suspicious, anomalous behavior (unusual access patterns, logins from unfamiliar locations)
Page 43
Azure Security Center (in preview)

Page 44
Azure Security Center
Prevent, Detect, Respond
• Integrated monitoring across subscriptions
• Broad ecosystem

Page 45
Azure Security Center: Prevention
• Monitor security state
• Define policies and provide recommendations
• Rapid deployment of security services

Page 46
Azure Security Center: Detection
• Collection and analysis of security data
• Leverage global threat intelligence data
• Advanced analytics (machine learning, behavioral analysis)

Page 47
Azure Security Center: Response
• Prioritize security incidents/alerts
• Insights into the source of attacks and impacted resources
• Suggestions to stop the attack and prevent future attacks
Links
Encryption in TransitEncryption at RestAzure IaaS FirewallAzure NetSec WhitepaperAzure NSGsAzure RBACAzure ADAAD B2C
Microsoft Account + AADAzure AD Domain ServicesAzure AD MFAAzure AD Self-Service Pass ResetAzure RMSAzure AD Identity ProtectionAzure Key VaultAzure SQL Db TDE
![Page 49: Azure and Security Available features Stavrinides - Azure Security.… · Organizations can centrally revoke access to ALL key vaults in their organization. If a user leaves, they](https://reader035.fdocuments.in/reader035/viewer/2022071107/5fe1c7b3e7b7466c0129081e/html5/thumbnails/49.jpg)
Links
Azure SQL Db Row-Level SecurityAzure SQL Db Dynamic Data MaskingAzure SQL Db Always EncryptedAzure SQL Db Threat DetectionAzure Security Center
![Page 50: Azure and Security Available features Stavrinides - Azure Security.… · Organizations can centrally revoke access to ALL key vaults in their organization. If a user leaves, they](https://reader035.fdocuments.in/reader035/viewer/2022071107/5fe1c7b3e7b7466c0129081e/html5/thumbnails/50.jpg)
Questions?
![Page 51: Azure and Security Available features Stavrinides - Azure Security.… · Organizations can centrally revoke access to ALL key vaults in their organization. If a user leaves, they](https://reader035.fdocuments.in/reader035/viewer/2022071107/5fe1c7b3e7b7466c0129081e/html5/thumbnails/51.jpg)
Thank you