BRK3490 Cybersecurity concerns persist Global attacks are increasing and costs are rising Cybercrime...
Spark the future.
May 4 – 8, 2015, Chicago, IL
Enabling Data Protection in Microsoft Azure
Devendra Tiwari, Senior Program Manager; Thomas Knudson, Senior Program Manager
Microsoft Corporation
BRK3490
In this Session
What are we covering?
• How Azure protects your data
• How you can protect your data
• How you can control and protect your keys using Azure Key Vault
• Azure data retention and deletion policies
• How to use Azure Access Control and Access Auditing features
What are we NOT covering?
• Data Protection Manager
• Compliance Controls and Certifications
• Privacy, Data classification and Data management
• Cryptography 101
Cybersecurity concerns persist: global attacks are increasing and costs are rising
Cybercrime extracts between 15% and 20% of the value created by the Internet.1
Total financial losses attributed to security compromises increased 34% in 2014.3
In the UK, 81% of large corporations and 60% of small businesses reported a cyberbreach in the past year.2
Impact of cyber attacks could be as much as $3 trillion in lost productivity and growth.4
Microsoft Cloud Security (slide diagram: Protect / Detect / Respond)
Protect: Security Development Lifecycle & Operational Security Assurance; Network, Identity and Data Isolation; Data Protection – Data Encryption and Key Management; Least Privilege / Just-in-Time (JIT) Access; Vulnerability / Update Management
Detect: Auditing and Certification; Live Site Penetration Testing; Fraud and Abuse Detection; Centralized Logging and Monitoring
Respond: Breach Containment; Coordinated Security Response; Customer Notification
Data protection
Azure provides customers with strong data protections – both by default and as customer options
Data isolation: Logical isolation, which segregates each customer's data from that of others, is enabled by default.
In-transit data protection: Industry-standard protocols encrypt data in transit to/from outside components, as well as data in transit internally, by default.
Data redundancy: Customers have multiple options for replicating data, including the number of copies and the number and location of replication data centers.
At-rest data protection: Customers can implement a range of encryption options for virtual machines and storage.
Encryption: Data encryption in storage or in transit can be deployed by the customer to align with best practices for ensuring confidentiality and integrity of data.
Data destruction: Strict standards for overwriting storage resources before reuse and for the physical destruction of decommissioned hardware are applied by default.
Azure Data Encryption: In-Transit and At-Rest
Data In Transit – Encryption Options
We work to protect your data across all communication stages.
Microsoft:
• Azure Portal: encrypts transactions through the Azure Portal using HTTPS; strong ciphers are used / FIPS 140-2 support
• Import / Export: only accepts BitLocker-encrypted data disks
• Datacenter to Datacenter: encrypts customer data transfer between Azure datacenters
Customers:
• Storage: choose HTTPS for the Storage REST API
• N-Tier Applications: encrypt traffic between the web client and server by implementing TLS on IIS
Slide diagram (three stages):
1. Data in transit between a user and the service – protects the user from interception of their communication and helps ensure transaction integrity
2. Data in transit between data centers – protects from bulk interception of data
3. End-to-end encryption of communications between users – protects from interception or loss of data in transit between users
Azure Data Encryption - Data at Rest
Keys Management: Azure Key Vault (keys and secrets controlled by customers in their key vault); authentication to Key Vault uses Azure AD
Virtual Machines – Windows and Linux
• Azure Disk Encryption – BitLocker [Windows], DM-Crypt [Linux]
• Partner Volume Encryption – CloudLink® SecureVM
SQL Server and SQL Database
• Transparent Data Encryption – SQL Server or SQL Database
• Cell Level Encryption – SQL Server or SQL Database
• Always Encrypted
Azure Storage – Blobs, Tables, Queues
• Application Level Encryption – Storage Client-Side encryption
• Cloud Integrated Storage – StorSimple
HDInsight – leverages Azure Storage and SQL Azure DB encryption
Azure Backup Service – leverages Azure Disk Encryption
MICROSOFT CONFIDENTIAL – INTERNAL ONLY
Azure Disk Encryption
What:
• Windows and Linux IaaS VMs
• Enables migration of encrypted VHDs from on-premises to cloud
• Enables encryption on running VMs and new VMs
• Key management integrated in the customer key vault using HSM
Value Proposition:
• VMs are secured at rest and theft of an image is meaningless
• VMs boot under the policies and keys controlled by the organization's CSO/CISO, and they can audit their usage in Key Vault.
Threats Addressed:
• Data breach, loss of disks, loss of storage account keys
Azure Disk Encryption Scenarios
Slide diagram: a machine with a boot volume and a data volume, disks held in Azure storage, keys/secrets protected in the customer key vault.
Protection elements:
• Access control: customers control access to the keys/secrets in their key vault
• Monitoring and Logging: customers collect logs in their storage account
• Data Security and Availability: disks are stored encrypted in the customer storage account and are automatically replicated by Azure storage
Encryption Scenarios:
• New VMs from customer-encrypted VHDs
• New VMs from the Azure Gallery
• Running VMs in Azure
Azure Disk Encryption - Customer Encrypted VHD Workflow
1. Customer uploads the encrypted VHD to their Azure storage account
2. Customer provisions encryption key material* in their key vault and grants the platform access to provision the VM
3. Customer opts into enabling disk encryption.
4. Azure service management updates the service model with the encryption and key vault configuration
5. Azure platform provisions the encrypted VM
* Key Material – BitLocker Encryption Keys [Windows], Passphrase [Linux]
Slide diagram labels: Portal/API, Host, AAD token, Azure Storage (customer disks), Customer Key Vault, Virtual Machine ("Encrypt Me"), Service Management config, Read VHD, Read Key, Provision Encrypted VM
Azure Disk Encryption – New VM or Running VM Workflow
1. Customer opts into enabling disk encryption and grants the Azure platform access to provision encryption key material* in their key vault
2. Azure service management updates the service model with the encryption and key vault configuration
3. Azure platform provisions the encrypted VM
* Key Material – BitLocker Encryption Keys [Windows], Passphrase [Linux]
Slide diagram labels: Portal/API, Host, AAD token, Azure Storage, Customer Key Vault, Virtual Machine ("Encrypt Me"), Service Management config, Upload Key, Provision Encrypted VM
Azure Disk Encryption – Key Management using Key Vault
• Secrets like BitLocker Encryption Keys [BEK] or the Linux passphrase are stored protected, under customer control, in the customer's key vault container
• Secrets are encrypted by a customer-controlled Key Encryption Key [KEK – RSA 2048]
• The customer grants [explicit] Read or Write access to their key vault container to Azure to enable disk encryption
• The customer specifies the key vault URI to allow Azure access to their keys and secrets
• Azure does not have ANY default access to the customer key vault for the disk encryption feature
Microsoft Confidential
Slide diagram (example vault contents):
Secrets: Contoso.BEK [encrypted by ContosoKEK] – BitLocker Windows; ContosoPassPhrase [encrypted by ContosoKEK] – Linux
Keys: ContosoKEK
Azure Disk Encryption: Running VM scenario demo
Azure Disk Encryption – Key Vault demo
Storage Client-Side Encryption - Preview
What is Client-Side Encryption?
• Allows for encrypting blob, table and queue data
• Users encrypt their data on the client side before uploading to Azure Storage, and also decrypt it after downloading
• The customer maintains control of the keys; the storage service never sees the keys and is incapable of decrypting the data
• Integration with Azure Key Vault, with customizability to support other key management systems
Why Client-Side Encryption?
• Most control over keys
• The Storage Service never sees the keys you use
• Flexibility in key management systems and algorithms
Code Sample (fragment as shown on the slide; blob, stream and size are assumed to have been created earlier, and the using directives for the .NET and storage client types are added here – the slide does not show which namespace SymmetricKeyWrapper comes from):

    using System.IO;
    using System.Security.Cryptography;
    using Microsoft.WindowsAzure.Storage.Blob;

    // Create the KeyWrapper to be used for wrapping the content encryption key.
    AesCryptoServiceProvider aes = new AesCryptoServiceProvider();
    SymmetricKeyWrapper aesKeyWrapper = new SymmetricKeyWrapper("symencryptionkey", aes);

    // Create the encryption policy to be used for upload.
    BlobEncryptionPolicy uploadPolicy = new BlobEncryptionPolicy(BlobEncryptionMode.FullBlob, aesKeyWrapper, null);

    // Set the encryption policy on the request options.
    BlobRequestOptions options = new BlobRequestOptions() { EncryptionPolicy = uploadPolicy };

    // Upload the encrypted contents to the blob.
    blob.UploadFromStream(stream, size, null, options, null);

    // Download and decrypt the encrypted contents from the blob.
    MemoryStream outputStream = new MemoryStream();
    blob.DownloadToStream(outputStream, null, options, null);
Storage – Cloud Integrated Storage
• Hybrid Applications – Windows Server data snapshots
• Data encrypted on-premises and backed up in Azure
• AES-256 encryption and integrity protected with SHA-256 hashes
SQL Server, SQL Database Encryption
Encryption Options:
• Transparent Data Encryption (TDE), Cell Level Encryption (CLE)
• SQL Server Encrypted Backups
• Always Encrypted
• SQL Server Extensible Key Management (EKM) provider shifts encryption master keys to an external key manager
• Separation of duties between data and key management
Azure Key Vault as an EKM:
• SQL Server Connector enables Azure Key Vault use as an EKM
• Customer-owned Encryption Master Keys in a software or hardware (FIPS-validated HSM) vault
• SQL Server on-premises / Azure VMs
Slide diagram (SQL Server Connector to Key Vault; actors: SQL Server Admin, Security Operations, Auditor; components: SQL Server, Connector, Key Vault Service, Azure Active Directory):
1. Register SQL Server instance
2a. Create Vault
2b. Create Master Key
2c. Give SQL Server access to Vault
3. Configure SQL Server encryption
4. Authenticate
5. Protect keys
6. Audit key usage (coming soon)
SQL Server TDE with Key Vault demo
Microsoft Azure Key Vault
Slide diagram: Key Vault underpinning IaaS, PaaS and SaaS on Microsoft Azure
Key Vault offers an easy, cost-effective way to safeguard keys and other secrets used by cloud apps and services using HSMs.
You manage your keys and secrets.
Applications get high-performance access to your keys and secrets… on your terms.
Slide diagram labels: Import keys, HSM, Key Vault
Enhance data protection and compliance
• Increased security: encrypt keys and small secrets like passwords using keys stored in tightly controlled and monitored Hardware Security Modules (HSMs)
• HSM protected keys: import or generate your keys in HSMs for added assurance - keys never leave the HSM boundary
• Compliance: comply with regulatory standards for secure key management, including the US Government FIPS 140-2 Level 2 and Common Criteria EAL 4+
• Monitoring: monitor and audit key use through Azure logging – pipe logs into HDInsight or your SIEM for additional analysis (coming soon)
Security Operations (manages keys): creates a Key Vault; adds keys and secrets to the vault; grants permission to specific application(s) to perform specific operations, e.g. decrypt, unwrap; enables usage logs; tells the application the URI of the key / secret.
Developer/IT Pro (deploys application): the application program uses the key or secret (and may abuse it) but never sees the keys.
Auditor (monitors access to keys): reviews usage logs to confirm proper key use and compliance with data security standards.
Azure Data Encryption - Data at Rest - Recap
Keys Management: Azure Key Vault (keys and secrets controlled by customers in their key vault); authentication to Key Vault uses Azure AD
Virtual Machines – Windows and Linux
• Azure Disk Encryption – BitLocker [Windows], DM-Crypt [Linux]
• Partner Volume Encryption – CloudLink® SecureVM
SQL Server and SQL Database
• Transparent Data Encryption – SQL Server or SQL Database
• Cell Level Encryption – SQL Server or SQL Database
• Always Encrypted
Azure Storage – Blobs, Tables, Queues
• Application Level Encryption – Storage Client-Side encryption
• Cloud Integrated Storage – StorSimple
HDInsight – leverages Azure Storage and SQL Azure DB encryption
Azure Backup Service – leverages Azure Disk Encryption
Data Retention and Data Destruction
Is my data gone? Retention/backup
• Abandoned data – data is retained for 90 days and available if the customer comes back, then subsequently deleted
• Customer deletion – delete data at any time
Is my data really gone? Destruction
• Defective disks – destroyed on-site
• Decommission – Azure follows DoD data wiping standards
Azure Access Control & Auditing
All data is encrypted, though not done yet
Fundamentals are key!
Mitigate risk of compromised accounts: Multi-Factor Authentication (Azure MFA / Windows Server ADFS)
Limit excessive permissions – least privilege: Azure AD Role Based Access Control (RBAC); Azure AD Privileged Identity Management (temporary/'JIT' access controls)
Detect insider compromise or abuse of privileges: Azure auditing and logging; Azure AD anomaly detection and analysis
Compromised accounts
Accounts with weak authentication methods (passwords) can be compromised (e.g. by spear-phishing).
Secure your user accounts with Azure MFA: can be used with Azure Active Directory or Windows Server Active Directory Federation Services (ADFS); provides a second factor (e.g. phone or device).
Secure your user accounts with smart cards with Windows Server ADFS & AAD: use your existing PKI (smart card, virtual smart card) to secure accounts by using Azure AD accounts federated to your on-premises infrastructure.
Multi-Factor Authentication Flow
Slide diagram with two options:
1. Use Azure MFA in Azure Active Directory with phone authorization (Multi-Factor Authentication Service, Azure Active Directory)
2. Use existing on-premises ADFS for smart card / virtual smart card or phone authorization (On-Premises App, Windows Server ADFS, Multi-Factor Authentication Server)
Limiting Permissions
Permissions to sensitive data should follow the 'least privilege' principle – only grant the access necessary for the role.
Azure RBAC (20 built-in roles, custom coming soon): General: Readers, Contributors, Owners; Resource Specific: e.g. VirtualMachine-Contributor, SQLDB Contributor …; assign Users, Groups, and Service Principals
Key Vault Access Control: very fine-grained access controls to key vaults for users and service principals – create, verify, sign, wrap/unwrap, etc. (able to enforce segregation of duties)
Azure Role Based Access Control
Assign roles to users and groups at subscription, resource group, or resource level
Assignments inherit down the hierarchy
Use built-in roles with pre-configured permissions (20 built-in roles)
Create custom roles (coming soon)
Slide diagram: Subscription at the top of the hierarchy; Reader, Contributor, Owner roles
RBAC Example
Resource Group == EmployeeBenefitsApp (Virtual Machines, SQL DB, Storage Accounts)
EmployeeBenefitsApp Role Assignments:
- Owners == HR IT Admins
- Contributors == HR IT DevOps Team
- Readers == HR Benefits Team
Controlling privileged accounts
Superuser accounts have special risk and deserve special management.
• Enable "Just In Time" (JIT) privileged access
• Reduces attack surfaces from multiple different types of attacks (compromised accounts, XSS, etc.)
• Also prevents common operational mistakes ("I thought I was deleting the test tenant")
• Enhances monitoring of admin activity – and understanding of how often privileged access is used
• Microsoft uses this paradigm to protect Azure: no standing access; temporary, specifically scoped elevations to resolve incidents & provide support
• Customers can now benefit from this learning – Azure AD Privileged Identity Management
• Discover current admin permissions in one view
• Set temporary authorization policies for Azure AD management roles (global, billing, password, service, and user administrators can use PIM)
• Collect justification & work item reference for every elevation/activation
• Coming soon – support for Azure RBAC
Azure AD PIM
View permissions & set policies:
• Simple view of all admin role assignments
• Track overall % of permanent vs. temporary authorizations
• Set policies to transition permanent role assignments to temporary assignments
Request role activation / elevation:
• Simple process for accounts to activate their role assignment
• Permissions automatically removed at end of policy duration
• Collect justification (and optional work item ID + source)
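The JIT behaviour described on this slide (no standing access, a bounded activation that records a justification and work item, automatic removal at the end of the policy duration, and the permanent-vs-temporary ratio) is easier to reason about as code. The following is an added illustration written for this transcript, not Microsoft or PIM code: the policy class, the role names, the principals and the two-hour duration are all constructed.

```python
"""Time-bounded privileged role activation, modelled after the 'just in time'
behaviour the deck attributes to Azure AD Privileged Identity Management.

Added illustration, not Microsoft code. Role names, principals, the work
item reference and the two-hour policy duration are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class RoleAssignment:
    principal: str
    role: str
    permanent: bool  # True = standing access; False = eligible, must activate


@dataclass
class Activation:
    principal: str
    role: str
    justification: str
    work_item: Optional[str]
    activated_at: datetime
    expires_at: datetime


class PrivilegedAccessPolicy:
    """Grants elevation only on request, for a bounded time, with a reason."""

    def __init__(self, max_duration: timedelta, require_work_item: bool = False):
        self.max_duration = max_duration
        self.require_work_item = require_work_item
        self.assignments: List[RoleAssignment] = []
        self.activations: List[Activation] = []
        self.audit: List[Dict[str, str]] = []  # every activation is recorded here

    def assign(self, principal: str, role: str, permanent: bool = False) -> None:
        self.assignments.append(RoleAssignment(principal, role, permanent))

    def make_eligible(self, principal: str, role: str) -> None:
        """Transition a permanent (standing) assignment into a temporary one."""
        for a in self.assignments:
            if a.principal == principal and a.role == role:
                a.permanent = False

    def activate(self, principal: str, role: str, justification: str,
                 work_item: Optional[str] = None,
                 now: Optional[datetime] = None) -> Activation:
        now = now or datetime.now(timezone.utc)
        if not justification.strip():
            raise ValueError("a justification is required for every activation")
        if self.require_work_item and not work_item:
            raise ValueError("a work item reference is required by policy")
        if not any(a.principal == principal and a.role == role for a in self.assignments):
            raise PermissionError(f"{principal} is not eligible for {role}")
        act = Activation(principal, role, justification, work_item, now,
                         now + self.max_duration)
        self.activations.append(act)
        self.audit.append({"principal": principal, "role": role,
                           "activated_at": now.isoformat(),
                           "expires_at": act.expires_at.isoformat(),
                           "justification": justification,
                           "work_item": work_item or ""})
        return act

    def is_active(self, principal: str, role: str,
                  now: Optional[datetime] = None) -> bool:
        """Standing assignments are always active; elevations only until expiry."""
        now = now or datetime.now(timezone.utc)
        for a in self.assignments:
            if a.principal == principal and a.role == role and a.permanent:
                return True
        return any(x.principal == principal and x.role == role
                   and x.activated_at <= now < x.expires_at
                   for x in self.activations)

    def temporary_share(self) -> float:
        """Fraction of role assignments that are temporary rather than permanent."""
        if not self.assignments:
            return 0.0
        return sum(1 for a in self.assignments if not a.permanent) / len(self.assignments)


def demo() -> Dict[str, object]:
    """Walk through one elevation and return the observations worth checking."""
    t0 = datetime(2015, 5, 5, 9, 0, tzinfo=timezone.utc)
    policy = PrivilegedAccessPolicy(timedelta(hours=2), require_work_item=True)
    policy.assign("alice@contoso.example", "Global Administrator")  # eligible only
    policy.assign("bob@contoso.example", "Billing Administrator", permanent=True)
    before = policy.is_active("alice@contoso.example", "Global Administrator", now=t0)
    policy.activate("alice@contoso.example", "Global Administrator",
                    "Investigate incident INC-0042", work_item="INC-0042", now=t0)
    share_before = policy.temporary_share()
    policy.make_eligible("bob@contoso.example", "Billing Administrator")  # policy transition
    return {
        "active_before_request": before,
        "active_after_one_hour": policy.is_active(
            "alice@contoso.example", "Global Administrator", now=t0 + timedelta(hours=1)),
        "active_after_three_hours": policy.is_active(
            "alice@contoso.example", "Global Administrator", now=t0 + timedelta(hours=3)),
        "temporary_share_before": share_before,
        "temporary_share_after": policy.temporary_share(),
        "audit_entries": len(policy.audit),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit list is what the later "Azure AD PIM admin activations audit" slide refers to: every elevation carries who, which role, when it started and expired, and why, so a reviewer can see how often privileged access is actually used.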
Auditing & logging
Management Auditing
Effective auditing is foundational for monitoring user activity (and thus detecting attacks)
• Azure management operations are audited: operation; user / client / source IP address; available in the UI or via the service management API
• Azure Active Directory management audit: all tenant admin activity is logged – these are the 'global' admins, with the largest impact if compromised
• Azure AD PIM admin activations audit
Management Auditing – Detail
Operation, user, client IP, and success/failure are audited.
All logs are available via REST APIs as well, for import into SIEM systems:
GET https://management.core.windows.net/<subscription-id>/operations
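Once the operations log has been pulled into a SIEM, the four audited fields (operation, user, client IP, success/failure) are enough to drive simple rules. The following is an added example written for this transcript, not Microsoft code and not the real response format of the operations endpoint: the JSON-lines records are constructed (documentation IP ranges, example.com-style user names) with just those four fields plus a timestamp, the list of "privileged" operation prefixes is an assumption, and one line is deliberately malformed to show that an import must skip bad records rather than stop.

```python
"""Turning management audit records into findings a SIEM rule would raise.

Added illustration, not Microsoft code and not the real format returned by
the operations endpoint. Records, users, IPs and the privileged-operation
list are constructed for the example."""
import ipaddress
import json
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed export: one JSON object per line; one line is deliberately malformed.
SAMPLE_AUDIT_LINES = """
{"timestamp": "2015-05-05T14:02:11Z", "operation": "ListVirtualMachines", "user": "alice@contoso.example", "client_ip": "203.0.113.10", "status": "Succeeded"}
{"timestamp": "2015-05-05T14:05:42Z", "operation": "DeleteVirtualMachine", "user": "alice@contoso.example", "client_ip": "203.0.113.10", "status": "Succeeded"}
{"timestamp": "2015-05-05T22:17:03Z", "operation": "DeleteStorageAccount", "user": "bob@contoso.example", "client_ip": "198.51.100.77", "status": "Failed"}
{"timestamp": "2015-05-05T22:18:30Z", "operation": "RegenerateStorageAccountKeys", "user": "bob@contoso.example", "client_ip": "198.51.100.77", "status": "Succeeded"}
{"timestamp": "2015-05-06T08:00:00Z", "operation": "GetSubscription", "user": "carol@contoso.example", "client_ip": "203.0.113.11", "status": "Succeeded"}
this line is not JSON and must be skipped rather than abort the import
""".strip().splitlines()

# Operations whose success destroys data or rotates credentials (constructed list).
PRIVILEGED_OPERATION_PREFIXES = ("Delete", "Regenerate", "CreateRoleAssignment")

REQUIRED_FIELDS = ("timestamp", "operation", "user", "client_ip", "status")


def parse_audit_lines(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse JSON-lines records, dropping lines that are invalid or incomplete."""
    records = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and all(f in rec for f in REQUIRED_FIELDS):
            records.append(rec)
    return records


def summarize_by_user(records: List[Dict[str, str]]) -> Dict[str, dict]:
    """Per-user operation count, failure count and the set of source IPs seen."""
    summary = defaultdict(lambda: {"operations": 0, "failures": 0, "source_ips": set()})
    for r in records:
        s = summary[r["user"]]
        s["operations"] += 1
        if r["status"] != "Succeeded":
            s["failures"] += 1
        s["source_ips"].add(r["client_ip"])
    return dict(summary)


def is_privileged(operation: str) -> bool:
    return operation.startswith(PRIVILEGED_OPERATION_PREFIXES)


def privileged_from_unexpected_ip(records: List[Dict[str, str]],
                                  allowed_networks: Iterable[str]) -> List[Dict[str, str]]:
    """Privileged operations (successful or not) issued from outside the expected admin networks."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    findings = []
    for r in records:
        if not is_privileged(r["operation"]):
            continue
        ip = ipaddress.ip_address(r["client_ip"])
        if not any(ip in n for n in nets):
            findings.append(r)
    return findings


if __name__ == "__main__":
    recs = parse_audit_lines(SAMPLE_AUDIT_LINES)
    for user, s in summarize_by_user(recs).items():
        print(user, s["operations"], "ops,", s["failures"], "failed, from", sorted(s["source_ips"]))
    for f in privileged_from_unexpected_ip(recs, ["203.0.113.0/24"]):
        print("ALERT:", f["user"], f["operation"], "from", f["client_ip"], f["status"])
```

The failed DeleteStorageAccount followed by a successful key regeneration from the same unexpected address is the pattern the "largest impact if compromised" bullet is warning about; the export-and-rule step is the same whether the source is the operations endpoint or the Azure AD tenant admin log.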
Monitoring admin elevations with PIM
• See clearly who is regularly using admin permissions, and the reasons
• Supports the overall oversight and role/permission management program
Azure AD login anomaly detection
• Detect potentially compromised accounts (impossible travel)
• Detect potential brute force attempts
• Get active notifications
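The two detections named on this slide are simple to state: impossible travel compares the distance between consecutive successful sign-ins with the time between them, and brute force counts failed sign-ins inside a sliding window. The following is an added example written for this transcript, not the Azure AD implementation: the sign-in events, coordinates, user names, speed threshold (900 km/h) and failure threshold (5 in 10 minutes) are constructed.

```python
"""Two sign-in anomaly checks the slide names: impossible travel and brute force.

Added illustration, not the Azure AD implementation. The sign-in events,
coordinates, user names and thresholds are constructed for the example."""
import math
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sign-in events: (user, ISO timestamp, latitude, longitude, success).
SAMPLE_SIGNINS: List[Tuple[str, str, float, float, bool]] = [
    ("alice", "2015-05-05T09:00:00+00:00", 41.8781, -87.6298, True),  # Chicago
    ("alice", "2015-05-05T10:00:00+00:00", 51.5074, -0.1278, True),   # London, one hour later
    ("bob", "2015-05-05T09:00:00+00:00", 41.8781, -87.6298, True),    # Chicago
    ("bob", "2015-05-05T09:30:00+00:00", 41.9742, -87.9073, True),    # O'Hare, 30 minutes later
] + [("carol", f"2015-05-05T11:0{i}:00+00:00", 41.8781, -87.6298, False) for i in range(6)]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on a sphere of Earth's mean radius."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh: float = 900.0) -> List[Tuple[str, int, int]]:
    """Flag consecutive successful sign-ins that would require implausible speed.

    Returns (user, distance_km, implied_speed_kmh) per flagged pair."""
    by_user = defaultdict(list)
    for user, ts, lat, lon, ok in events:
        if ok:  # only successful sign-ins place the account somewhere
            by_user[user].append((datetime.fromisoformat(ts), lat, lon))
    findings = []
    for user, evs in by_user.items():
        evs.sort()
        for (t1, la1, lo1), (t2, la2, lo2) in zip(evs, evs[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            # Same-instant sign-ins from different places are treated as infinite speed.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_kmh:
                findings.append((user, round(km), round(speed)))
    return findings


def brute_force(events, threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> List[str]:
    """Flag users with at least `threshold` failed sign-ins inside any sliding window."""
    fails = defaultdict(list)
    for user, ts, _, _, ok in events:
        if not ok:
            fails[user].append(datetime.fromisoformat(ts))
    flagged = []
    for user, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(user)
                break
    return flagged


if __name__ == "__main__":
    for user, km, kmh in impossible_travel(SAMPLE_SIGNINS):
        print(f"impossible travel: {user} moved {km} km at ~{kmh} km/h")
    for user in brute_force(SAMPLE_SIGNINS):
        print(f"brute force: {user}")
```

Only successful sign-ins feed the travel check, because a failed attempt does not establish where the account holder is; the brute-force check uses the failures alone, so the two rules fire on different evidence and can be tuned independently.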
Auditing permissions
• Question: How many of you can enumerate all permissions in your entire environment?
• This is a really challenging problem
• With Azure Resource Manager & RBAC, this is now trivial
• Easily export and analyze all permissions in your whole environment
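The RBAC slides (assignments at subscription, resource group or resource scope that inherit down the hierarchy, built-in Reader/Contributor/Owner roles, the EmployeeBenefitsApp example) and this slide's "export every permission" point are two sides of one resolver: if you can compute a principal's effective roles on a scope, enumerating the environment is a loop over principals and resources. The following is an added example written for this transcript, not the Azure Resource Manager implementation: the three built-in roles are reduced to a constructed set of four abstract actions (real role definitions are lists of resource-provider actions), and the subscription id, scopes, groups and users are constructed around the slide's EmployeeBenefitsApp example.

```python
"""Resource-hierarchy RBAC with downward inheritance, resolved into effective
permissions, plus an 'export every permission' view.

Added illustration, not the Azure Resource Manager implementation. Roles are
reduced to constructed abstract actions; scopes, groups and users are
constructed around the deck's EmployeeBenefitsApp example."""
from typing import Dict, Iterable, List, Set, Tuple

# Constructed abstraction of the general built-in roles.
BUILT_IN_ROLES: Dict[str, Set[str]] = {
    "Reader": {"read"},
    "Contributor": {"read", "write", "delete"},
    "Owner": {"read", "write", "delete", "manageAccess"},
}

SUBSCRIPTION = "/subscriptions/sub-0001"
BENEFITS_RG = SUBSCRIPTION + "/resourceGroups/EmployeeBenefitsApp"
PAYROLL_RG = SUBSCRIPTION + "/resourceGroups/PayrollApp"
BENEFITS_VM = BENEFITS_RG + "/providers/Microsoft.Compute/virtualMachines/benefits-web-01"
BENEFITS_DB = BENEFITS_RG + "/providers/Microsoft.Sql/servers/benefits-sql/databases/benefits"
PAYROLL_VM = PAYROLL_RG + "/providers/Microsoft.Compute/virtualMachines/payroll-01"

# (principal, role, scope); principals may be users, groups or service principals.
ASSIGNMENTS: List[Tuple[str, str, str]] = [
    ("HR IT Admins", "Owner", BENEFITS_RG),
    ("HR IT DevOps Team", "Contributor", BENEFITS_RG),
    ("HR Benefits Team", "Reader", BENEFITS_RG),
    ("auditor-sp", "Reader", SUBSCRIPTION),  # service principal; inherits to everything below
]

GROUP_MEMBERS: Dict[str, Set[str]] = {
    "HR IT Admins": {"alice"},
    "HR IT DevOps Team": {"bob"},
    "HR Benefits Team": {"dan"},
}


def scope_covers(assigned_scope: str, target_scope: str) -> bool:
    """An assignment applies to its own scope and everything beneath it.

    The trailing '/' stops 'EmployeeBenefitsApp' from covering 'EmployeeBenefitsApp2'."""
    return target_scope == assigned_scope or target_scope.startswith(assigned_scope + "/")


def identities_of(principal: str) -> Set[str]:
    """The principal itself plus every group it is a member of."""
    return {principal} | {g for g, members in GROUP_MEMBERS.items() if principal in members}


def effective_roles(principal: str, scope: str,
                    assignments: Iterable[Tuple[str, str, str]] = ASSIGNMENTS) -> Set[str]:
    ids = identities_of(principal)
    return {role for who, role, s in assignments if who in ids and scope_covers(s, scope)}


def effective_actions(principal: str, scope: str,
                      assignments: Iterable[Tuple[str, str, str]] = ASSIGNMENTS) -> Set[str]:
    """Union of the actions granted by every effective role (roles are additive)."""
    actions: Set[str] = set()
    for role in effective_roles(principal, scope, assignments):
        actions |= BUILT_IN_ROLES[role]
    return actions


def is_allowed(principal: str, scope: str, action: str,
               assignments: Iterable[Tuple[str, str, str]] = ASSIGNMENTS) -> bool:
    return action in effective_actions(principal, scope, assignments)


def export_permissions(principals: Iterable[str], scopes: Iterable[str],
                       assignments: Iterable[Tuple[str, str, str]] = ASSIGNMENTS
                       ) -> List[Tuple[str, str, Tuple[str, ...]]]:
    """Flatten every principal x resource pair with a non-empty role set into rows,
    the shape one would export for review in a spreadsheet or SIEM."""
    rows = []
    for p in sorted(principals):
        for s in scopes:
            roles = effective_roles(p, s, assignments)
            if roles:
                rows.append((p, s, tuple(sorted(roles))))
    return rows


if __name__ == "__main__":
    for row in export_permissions(["alice", "bob", "dan", "auditor-sp"],
                                  [BENEFITS_VM, BENEFITS_DB, PAYROLL_VM]):
        print(row)
```

The export is where least-privilege review happens: a subscription-level Reader such as the auditor service principal shows up on every resource, which is expected, while a human Owner appearing outside their own resource group is the kind of line the permission-enumeration question on the slide is meant to surface.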
In Closing..
Microsoft Azure helps you enable data protection:
• Trusted cloud platform
• Provides broad support for encryption solutions to encrypt your data
• Allows control of your encryption keys and storage
• Allows securing and managing admin accounts
• Allows auditing, logging, and advanced detection tools for monitoring accounts
Related Sessions at Ignite
• BRK2706 – Introduction to Microsoft Azure Key Vault
• BRK2482 – Data Center Security and Assurance
• BRK2570 – Overview of Microsoft SQL Server Security Futures
• BRK3457 – Harden the Fabric, Protecting Tenant Secrets in Hyper-V
• BRK3336 – Running Linux in Azure
• BRK2707 – Roles Based Access Control for Microsoft Azure
• BRK3873 – Protecting Windows and Microsoft Azure Active Directory with Privileged Access Management
Learning references
Azure Trust Center (security and privacy): http://azure.microsoft.com/en-us/support/trust-center/
Azure Active Directory: http://azure.microsoft.com/en-us/services/active-directory/
Azure RBAC: http://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure
Azure MFA: http://azure.microsoft.com/en-us/services/multi-factor-authentication/
Azure PIM: http://blogs.technet.com/b/ad/archive/2015/05/04/azure-cloud-app-discovery-ga-and-our-new-privileged-identity-management-service.aspx
StorSimple: http://www.microsoft.com/en-us/server-cloud/products/storsimple/
SQL Server TDE: http://msdn.microsoft.com/en-us/library/bb934049.aspx
Always On with TDE: http://blogs.msdn.com/b/alwaysonpro/archive/2014/01/28/how-to-enable-tde-encryption-on-a-database-in-an-availability-group.aspx
Azure SQL DB: http://azure.microsoft.com/en-us/services/sql-database/
BitLocker tools: http://technet.microsoft.com/en-us/library/jj647767.aspx
Encrypting with .Net: http://msdn.microsoft.com/en-us/library/System.Security.Cryptography(v=vs.110).aspx
Storage Client-Side Encryption: http://blogs.msdn.com/b/windowsazurestorage/archive/2015/04/28/client-side-encryption-for-microsoft-azure-storage-preview.aspx
© 2015 Microsoft Corporation. All rights reserved.