BRK3490 Cybersecurity concerns persist Global attacks are increasing and costs are rising Cybercrime...

Spark the future. May 4 – 8, 2015 Chicago, IL

Page 1:

Spark the future.

May 4 – 8, 2015 Chicago, IL

Page 2:

Enabling Data Protection in Microsoft Azure

Devendra Tiwari, Senior Program Manager

Thomas Knudson, Senior Program Manager

Microsoft Corporation

BRK3490

Page 3:

In this Session

What are we covering?
• How Azure protects your data
• How you can protect your data
• How you can control and protect your keys using Azure Key Vault
• Azure Data retention and deletion policies
• How to use Azure Access Control and Access Auditing features

What are we NOT covering?
• Data Protection Manager
• Compliance Controls and Certifications
• Privacy, Data classification and Data management
• Cryptography 101

Page 4:

Cybersecurity concerns persist

Global attacks are increasing and costs are rising

Cybercrime extracts between 15% and 20% of the value created by the Internet. [1]

Total financial losses attributed to security compromises increased 34% in 2014. [3]

In the UK, 81% of large corporations and 60% of small businesses reported a cyberbreach in the past year. [2]

Impact of cyber attacks could be as much as $3 trillion in lost productivity and growth. [4]

Page 5:

Security Development Lifecycle & Operational Security Assurance

Network, Identity and Data Isolation

Data Protection – Data Encryption and Key Management

Least Privilege / Just-in-Time (JIT) Access

Respond

Protect

Auditing and Certification

Live Site Penetration Testing

Fraud and Abuse Detection

Centralized Logging and Monitoring

Detect

Breach Containment

Coordinated Security Response

Customer Notification

Microsoft Cloud Security

Vulnerability / Update Management

Page 6:

Data protection

Azure provides customers with strong data protections – both by default and as customer options

Data isolation

Logical isolation, which segregates each customer’s data from that of others, is enabled by default.

In-transit data protection

Industry-standard protocols encrypt data in transit to/from outside components, as well as data in transit internally by default.

Data redundancy

Customers have multiple options for replicating data, including number of copies and number and location of replication data centers.

At-rest data protection

Customers can implement a range of encryption options for virtual machines and storage.

Encryption

Data encryption in storage or in transit can be deployed by the customer to align with best practices for ensuring confidentiality and integrity of data.

Data destruction

Strict standards for overwriting storage resources before reuse and the physical destruction of decommissioned hardware are applied by default.

Page 7:

Azure Data Encryption: In-Transit and At-Rest

Page 8:

Data In Transit – Encryption Options

We work to protect your data across all communications stages

Microsoft:
• Azure Portal
• Encrypts transactions through Azure Portal using HTTPS
• Strong ciphers are used / FIPS 140-2 support
• Import / Export
• Only accepts BitLocker encrypted data disks
• Datacenter to Datacenter
• Encrypts customer data transfer between Azure datacenters

Customers:
• Storage
• Choose HTTPS for REST API for Storage
• N-Tier Applications
• Encrypt traffic between Web client and server by implementing TLS on IIS

1. Data in transit between a user and the service: Protects user from interception of their communication and helps ensure transaction integrity

2. Data in transit between data centers: Protects from bulk interception of data

3. End-to-end encryption of communications between users: Protects from interception or loss of data in transit between users

Page 9:

Azure Data Encryption - Data at Rest

Virtual Machines – Windows and Linux
• Azure Disk Encryption - <BitLocker [Windows], DM-Crypt [Linux]>
• Partner Volume Encryption – <CloudLink® SecureVM>

SQL Server and SQL Database
• Transparent Data Encryption - <SQL Server OR SQL Database>
• Cell Level Encryption - <SQL Server OR SQL Database>
• Always Encrypted

Azure Storage – Blobs, Tables, Queues
• Application Level Encryption - <Storage Client-Side encryption>
• Cloud Integrated Storage - <StorSimple>

HDInsight
• HDInsight – <Leverages Azure Storage, SQL Azure DB encryption>

Azure Backup Service
• Azure Backup Service – <Leverages Azure Disk Encryption>

Keys Management
• Azure KeyVault <Keys and Secrets controlled by customers in their key vault>
• Authentication to Key Vault <Authentication to Key Vault is using Azure AD>

Page 10:

MICROSOFT CONFIDENTIAL – INTERNAL ONLY

Azure Disk Encryption

What:
• Windows and Linux IaaS VMs
• Enables migration of encrypted VHDs from on-premises to cloud
• Enables encryption on running VMs and new VMs
• Key management integrated in customer key vault using HSM

Value Proposition:
• VMs are secured at rest and theft of an image is meaningless
• VMs boot under the policies and keys controlled by organization CSO/CISO, and they can audit their usage in Key Vault.

Threats Addressed:
• Data breach: Loss of Disks, Loss of storage account keys

Page 11:

Azure Disk Encryption Scenarios

Machine

Protection elements

Access control: Customers control access to the keys/secrets in their key vault

Monitoring and Logging: Customers collect logs in their storage account

Data Security and Availability: Disks are stored encrypted in customer storage account and are automatically replicated by Azure storage

Boot volume

Data volume

Azure storage

Keys/Secrets are protected in customer key vault

Encryption Scenarios
• New VMs from Customer Encrypted VHDs
• New VMs from Azure Gallery
• Running VMs in Azure

Page 12:

Azure Disk Encryption - Customer Encrypted VHD Workflow

Portal/API

HOST

1. Customer uploads Encrypted VHD to their Azure storage account

2. Customer provisions encryption key material* in their key vault and grants access to platform to provision VM

3. Customer opts in to enabling disk encryption.

4. Azure service management updates service model with encryption and key vault configuration

5. Azure platform provisions encrypted VM

* Key Material – BitLocker Encryption Keys [Windows], Passphrase [Linux]

AAD

AAD token

Azure Storage

Customer Key Vault

Virtual Machine

Encrypt Me

Service Management

Config

Customer Disks

Read VHD

Read Key

Provision Encrypted VM

Page 13:

Azure Disk Encryption – New VM or Running VM Workflow

Portal/API

HOST

1. Customer opts in to enabling disk encryption and grants access to Azure platform to provision encryption key material* in their key vault

2. Azure service management updates service model with encryption and key vault configuration

3. Azure platform provisions encrypted VM

* Key Material – BitLocker Encryption Keys [Windows], Passphrase [Linux]

AAD

AAD token

Azure Storage

Customer Key Vault

Virtual Machine

Encrypt Me

Service Management

Config

Upload Key

Provision Encrypted VM

Page 14:

Azure Disk Encryption – Key Management using Key Vault

• Secrets like BitLocker Encryption Keys [BEK] or Linux PassPhrase are stored protected, under customer control, in their key vault container

• Secrets are encrypted by customer controlled Key Encryption Key [KEK – RSA 2048]

• Customer grants [explicit] Read or Write access to their key vault container to Azure to enable disk encryption

• Customer specifies key vault URI to allow Azure access to their keys and secrets

• Azure does not have ANY default access to customer key vault for disk encryption feature

Secret Keys

Contoso.BEK [encrypted by ContosoKEK] – BitLocker Windows

ContosoPassPhrase [encrypted by ContosoKEK] – Linux

ContosoKEK

Page 15:

Azure Disk Encryption: Running VM scenario demo

Page 16:

Azure Disk Encryption – Key Vault demo

Page 17:

Storage Client-Side Encryption - Preview

What is Client-Side Encryption?
• Allows for encrypting blob, table and queue data
• Users encrypt their data on the client side before uploading to Azure Storage, and also decrypt it after downloading
• Customer maintains control of keys and the storage service never sees the keys and is incapable of decrypting the data
• Integration with Azure Key Vault with customizability to support other key management systems

Why Client-Side Encryption?
• Most control over keys
• Storage Service never sees the keys you use
• Flexibility in key management systems and algorithms

Page 18:

Code Sample:

// Create the KeyWrapper to be used for wrapping.
AesCryptoServiceProvider aes = new AesCryptoServiceProvider();
SymmetricKeyWrapper aesKeyWrapper = new SymmetricKeyWrapper("symencryptionkey", aes);

// Create the encryption policy to be used for upload.
BlobEncryptionPolicy uploadPolicy = new BlobEncryptionPolicy(BlobEncryptionMode.FullBlob, aesKeyWrapper, null);

// Set the encryption policy on the request options.
BlobRequestOptions options = new BlobRequestOptions() { EncryptionPolicy = uploadPolicy };

// Upload the encrypted contents to the blob.
blob.UploadFromStream(stream, size, null, options, null);

// Download and decrypt the encrypted contents from the blob.
MemoryStream outputStream = new MemoryStream();
blob.DownloadToStream(outputStream, null, options, null);
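The key layering described in the Key Management and Client-Side Encryption slides above (a data secret encrypted under a customer-held key encryption key, so that the storage side never holds a usable key), as an added Go example that is not code from the session or from any Azure SDK. AES-256-GCM for the payload and RSA-OAEP with SHA-256 for the wrap are assumptions chosen for this example; `GenerateKEK`, `Seal`, `Open` and `Envelope` are hypothetical names, and the local RSA 2048 key stands in for a key held in a vault.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is everything that leaves the client. The storage side holds these
// three fields and nothing that can decrypt them.
type Envelope struct {
	WrappedKey []byte // content key encrypted under the KEK (RSA-OAEP, SHA-256)
	Nonce      []byte // AES-GCM nonce, fresh for every content key
	Ciphertext []byte // payload encrypted under the content key, tag appended
}

// GenerateKEK makes a local RSA 2048 key pair standing in for a vault-held KEK.
func GenerateKEK() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts data under a fresh 256-bit content key and wraps that key with
// the KEK public half. kekID is bound as OAEP label and as GCM associated data,
// so an envelope cannot be silently re-attributed to a different key name.
func Seal(kek *rsa.PublicKey, kekID string, data []byte) (*Envelope, error) {
	cek := make([]byte, 32)
	if _, err := rand.Read(cek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kek, cek, []byte(kekID))
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, data, []byte(kekID))
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open unwraps the content key with the KEK private half, then decrypts and
// authenticates the payload. Tampering or a wrong KEK yields an error.
func Open(kek *rsa.PrivateKey, kekID string, env *Envelope) ([]byte, error) {
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, kek, env.WrappedKey, []byte(kekID))
	if err != nil {
		return nil, errors.New("unwrap failed: wrong KEK, wrong key id, or modified wrapped key")
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != gcm.NonceSize() {
		return nil, errors.New("malformed envelope: bad nonce length")
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(kekID))
}

func main() {
	kek, err := GenerateKEK()
	if err != nil {
		panic(err)
	}
	// Constructed sample secret; "ContosoKEK" is used only as a key name.
	env, err := Seal(&kek.PublicKey, "ContosoKEK", []byte("sample volume passphrase"))
	if err != nil {
		panic(err)
	}
	plain, err := Open(kek, "ContosoKEK", env)
	fmt.Printf("wrapped key %d bytes, recovered %q, err=%v\n", len(env.WrappedKey), plain, err)
}
```

Only `Open` needs the private half, which is the operation a vault or HSM would perform on the caller's behalf; rotating the KEK means re-wrapping `WrappedKey`, not re-encrypting the payload.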

Page 19:

Storage – Cloud Integrated Storage

• Hybrid Applications – Windows Server Data Snapshots
• Data Encrypted on-premise and backed up in Azure
• AES 256 Encryption and Integrity Protected with SHA-256 Hashes

Page 20:

SQL Server, SQL Database Encryption

• Encryption Options:
• Transparent Data Encryption (TDE), Cell Level Encryption (CLE)
• SQL Server Encrypted Backups
• Always Encrypted
• SQL Server Extensible Key Management (EKM) provider shifts encryption master keys to external key manager
• Separation of duties between data and key management
• Azure Key Vault as an EKM
• SQL Server Connector enables Azure Key Vault use as an EKM
• Customer owned Encryption Master Keys in software or hardware (FIPS Validated HSM) Vault
• SQL Server On-prem / Azure VMs

Page 21:

Key Vault Service

Azure Active Directory

SQL Server Connector to Key Vault

SQL Server Admin

Security Operations

Auditor

SQL Server

Connector

1. Register SQL Server instance

2a. Create Vault

2b. Create Master Key

2c. Give SQL Server Access to Vault

3. Configure SQL Server Encryption

4. Authenticate

5. Protect Keys

6. Audit Key Usage (coming soon)

Page 22:

SQL Server TDE with Key Vault demo

Page 23:

Microsoft Azure

IaaS SaaS PaaS

Microsoft Azure Key Vault

Key Vault offers an easy, cost-effective way to safeguard keys and other secrets used by cloud apps and services using HSMs.

You manage your keys and secrets

Applications get high performance access to your keys and secrets… on your terms

Import keys

HSM

Key Vault

Page 24:

Enhance data protection and compliance

• Increased security: Encrypt keys and small secrets like passwords using keys stored in tightly controlled and monitored Hardware Security Modules (HSMs)
• HSM protected keys: Import or generate your keys in HSMs for added assurance - keys never leave the HSM boundary
• Compliance: Comply with regulatory standards for secure key management, including the US Government FIPS 140-2 Level 2 and Common Criteria EAL 4+
• Monitoring: Monitor and audit key use through Azure logging – pipe logs into HDInsight or your SIEM for additional analysis (coming soon)

Security Operations – Manages keys
• Creates a Key Vault. Adds keys, secrets to the Vault. Grants permission to specific application(s) to perform specific operations e.g. decrypt, unwrap.
• Enables usage logs

Developer/IT Pro – Deploys application
• Tells application the URI of the key / secret
• Application program uses key, secret (and may abuse) but never sees the keys

Auditor – Monitors access to keys
• Reviews usage logs to confirm proper key use and compliance with data security standards

Page 25:

Azure Data Encryption - Data at Rest - Recap

Virtual Machines – Windows and Linux
• Azure Disk Encryption - <BitLocker [Windows], DM-Crypt [Linux]>
• Partner Volume Encryption – <CloudLink® SecureVM>

SQL Server and SQL Database
• Transparent Data Encryption - <SQL Server OR SQL Database>
• Cell Level Encryption - <SQL Server OR SQL Database>
• Always Encrypted

Azure Storage – Blobs, Tables, Queues
• Application Level Encryption - <Storage Client-Side encryption>
• Cloud Integrated Storage - <StorSimple>

HDInsight
• HDInsight – <Leverages Azure Storage, SQL Azure DB encryption>

Azure Backup Service
• Azure Backup Service – <Leverages Azure Disk Encryption>

Keys Management
• Azure KeyVault <Keys and Secrets controlled by customers in their key vault>
• Authentication to Key Vault <Authentication to Key Vault is using Azure AD>

Page 26:

Data Retention and Data Destruction

Is my data gone? Retention/backup
• Abandoned Data – Data retained for 90 days and available if customer comes back, then subsequently deleted
• Customer Deletion – Delete data at any time

Is my data really gone? Destruction?
• Defective Disks – Destroyed on-site
• Decommission – Azure follows DoD data wiping standards

Page 27:

Azure Access Control & Auditing

Page 28:

All data is encrypted, though not done yet

Fundamentals are key!

Mitigate risk of compromised accounts
• Multi-Factor Authentication (Azure MFA / Windows Server ADFS)

Limit excessive permissions – least privilege
• Azure AD Role Based Access Control (RBAC)
• Azure AD Privileged Identity Management (temporary/’JIT’ access controls)

Detect insider compromise or abuse of privileges
• Azure auditing and logging
• Azure AD anomaly detection and analysis

Page 29:

Compromised accounts

Accounts with weak authentication methods (passwords) can be compromised (e.g. spear-phishing)

Secure your user accounts with Azure MFA
• Can be used with Azure Active Directory or Windows Server Active Directory Federation Services (ADFS)
• Provides a second factor (e.g. phone or device)

Secure your user accounts with Smart Cards with Windows Server ADFS & AAD
• Use your existing PKI (Smart Card, Virtual Smart Card) to secure accounts by using Azure AD accounts federated to your on-premises infrastructure

Page 30:

On-Premises App

Windows Server ADFS

Multi-Factor Authentication Server

Option 1: Use Azure MFA in Azure Active Directory with Phone Authorization Step

Multi-Factor Authentication Service

Azure Active Directory

Option 2: Use existing on-premises ADFS for Smart Card / Virtual Smart Card or Phone Authorization

Multi-Factor Authentication Flow

Page 31:

Limiting Permissions

Permissions to sensitive data should follow the ‘least privilege’ principle – only grant access necessary for role.

Azure RBAC (20 built-in roles, custom coming soon)
• General: Readers, Contributors, Owners
• Resource Specific: e.g. VirtualMachine-Contributor, SQLDB Contributor …
• Assign Users, Groups, and Service Principals

Key Vault Access Control
• Very fine grained access controls to key vaults for user and service principals
• Create, verify, sign, wrap/unwrap, etc. (able to enforce segregation of duties)

Page 32:

Azure Role Based Access Control

Assign roles to users and groups at subscription, resource group, or resource level

Assignments inherit down the hierarchy

Use built-in roles with pre-configured permissions: 20 built-in roles

Create custom roles (coming soon)

Subscription

Reader

Contributor

Owner

Page 33:

RBAC Example

Resource Group == EmployeeBenefitsApp
- Virtual Machines, SQL DB, Storage Accounts

EmployeeBenefitsApp Role Assignments
- Owners == HR IT Admins
- Contributors == HR IT DevOps Team
- Readers == HR Benefits Team

Page 34:

Controlling privileged accounts

Superuser accounts have special risk and deserve special management.

• Enable “Just In Time” (JIT) privileged access
• Reduces attack surfaces from multiple different types of attacks (compromised accounts, XSS, etc.)
• Also prevents common operational mistakes “I thought I was deleting the test tenant”
• Enhances monitoring of admin activity – and understanding of how often privileged access is used
• Microsoft uses this paradigm to protect Azure
• No standing access
• Temporary, specifically scoped elevations to resolve incidents & provide support
• Customers can now benefit from this learning – Azure AD Privileged Identity Management

Page 35:

Azure AD PIM

• Discover current admin permissions in one view
• Set temporary authorization policies for Azure AD management roles
• Global, billing, password, service, and user administrators can use PIM
• Collect justification & work item reference for every elevation/activation
• Coming soon – support for Azure RBAC

Page 36:

• Simple view of all admin role assignments

• Track overall % of permanent vs. temporary authorizations

• Set policies to transition permanent role assignments to temporary assignments

View permissions & set policies

Page 37:

Request role activation / elevation

• Simple process for accounts to activate their role assignment

• Permissions automatically removed at end of policy duration

• Collect justification (and optional work item ID + source)

Page 38:

Auditing & logging

Effective auditing is foundational for monitoring user activity (and thus detecting attacks)

• Azure management operations are audited
• Operation
• User / client / source IP address
• Available in UI or query service management API
• Azure Active Directory management audit
• All tenant admin activity logged – these are the ‘global’ admins, largest impact if compromised
• Azure AD PIM admin activations audit

Page 39:

Management Auditing

Page 40:

Management Auditing – Detail

Operation, user, client IP, and success/failure are audited

All logs available via REST APIs as well for import into SIEM systems:

GET https://management.core.windows.net/<subscription-id>/operations

Page 41:

Monitoring admin elevations with PIM

• See clearly who is regularly using admin permissions, and reasons

• Supports overall oversight and role/permission management program

Page 42:

Azure AD login anomaly detection

• Detect potentially compromised accounts (impossible travel)
• Detect potential brute force attempts
• Get active notifications
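The two detections named on this slide, impossible travel and brute-force attempts, written out as an added Go example over constructed sign-in records; it is not how Azure AD implements them. The record fields, the 900 km/h speed ceiling, the 50 km minimum distance and the five-failures-in-five-minutes rule are all assumptions.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"time"
)

// SignIn is one sign-in record. The field set is assumed for this example.
type SignIn struct {
	User     string
	At       time.Time
	Lat, Lon float64
	Success  bool
}

type Alert struct{ Rule, User, Detail string }

const (
	maxKmh     = 900.0           // assumed ceiling, about airliner cruise speed
	minKm      = 50.0            // ignore small jumps caused by geo-IP error
	failWindow = 5 * time.Minute // sliding window for failed sign-ins
	failLimit  = 5               // failures in the window that raise an alert
)

// haversineKm is the great-circle distance between two points in kilometres.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	rad := func(deg float64) float64 { return deg * math.Pi / 180 }
	a := math.Pow(math.Sin(rad(lat2-lat1)/2), 2) +
		math.Cos(rad(lat1))*math.Cos(rad(lat2))*math.Pow(math.Sin(rad(lon2-lon1)/2), 2)
	return 2 * 6371 * math.Asin(math.Min(1, math.Sqrt(a)))
}

// Detect replays events in time order and applies both rules per account.
func Detect(events []SignIn) []Alert {
	evs := append([]SignIn(nil), events...)
	sort.SliceStable(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
	lastOK := map[string]SignIn{}
	fails := map[string][]time.Time{}
	var alerts []Alert
	for _, e := range evs {
		if !e.Success {
			w := append(fails[e.User], e.At)
			for e.At.Sub(w[0]) > failWindow { // drop failures older than the window
				w = w[1:]
			}
			fails[e.User] = w
			if len(w) == failLimit { // fire when the count reaches the limit
				alerts = append(alerts, Alert{"brute-force", e.User,
					fmt.Sprintf("%d failures within %s", len(w), failWindow)})
			}
			continue
		}
		if prev, seen := lastOK[e.User]; seen {
			km := haversineKm(prev.Lat, prev.Lon, e.Lat, e.Lon)
			hours := e.At.Sub(prev.At).Hours()
			if km > minKm && km > maxKmh*hours { // no division, so a zero gap is safe
				alerts = append(alerts, Alert{"impossible-travel", e.User,
					fmt.Sprintf("%.0f km in %.1f h", km, hours)})
			}
		}
		lastOK[e.User] = e
	}
	return alerts
}

// sampleEvents is constructed: a one-hour Chicago-to-London hop, a plausible trip, a failure burst.
func sampleEvents() []SignIn {
	t0 := time.Date(2015, 5, 4, 9, 0, 0, 0, time.UTC)
	evs := []SignIn{
		{"alice", t0, 41.88, -87.63, true},
		{"bob", t0, 41.88, -87.63, true},
		{"alice", t0.Add(1 * time.Hour), 51.51, -0.13, true},
		{"bob", t0.Add(4 * time.Hour), 40.71, -74.01, true},
	}
	for i := 0; i < 5; i++ {
		at := t0.Add(time.Duration(600+20*i) * time.Second)
		evs = append(evs, SignIn{"carol", at, 41.88, -87.63, false})
	}
	return evs
}

func main() {
	for _, a := range Detect(sampleEvents()) {
		fmt.Printf("%-17s %-6s %s\n", a.Rule, a.User, a.Detail)
	}
}
```

Only successful sign-ins update the last known location, so a failed attempt from a distant address feeds the brute-force rule without masking or triggering the travel rule.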

Page 43:

• Question: How many of you can enumerate all permissions in your entire environment?

• This is a really challenging problem

• With Azure Resource Manager & RBAC, this is now trivial

• Easily export and analyze all permissions in your whole environment

Auditing permissions
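How an exported list of role assignments turns into a per-resource permission report once inheritance down the scope hierarchy is applied, as an added Go example covering the RBAC slides and this one; it is not Azure's implementation. The scope paths are simplified constructed strings, ranking Reader below Contributor below Owner is a simplification, and `sub-0001`, `vm1`, `sqldb`, `Ops Auditors` and the `EmployeeBenefitsAppTest` group are hypothetical.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Assignment is one exported role assignment: who, which role, at which scope.
type Assignment struct{ Principal, Role, Scope string }

// rank orders the three general roles. Treating them as a strict ladder is a
// simplification for this example.
var rank = map[string]int{"Reader": 1, "Contributor": 2, "Owner": 3}

func norm(scope string) string { return strings.ToLower(strings.TrimRight(scope, "/")) }

// applies reports whether an assignment at scope reaches target. It matches
// whole path segments, so ".../App" does not cover ".../AppTest".
func applies(scope, target string) bool {
	s, t := norm(scope), norm(target)
	return t == s || strings.HasPrefix(t, s+"/")
}

// Effective returns, for one resource, the highest-ranked assignment each
// principal holds there, whether made directly or inherited from a parent.
func Effective(all []Assignment, resource string) map[string]Assignment {
	out := map[string]Assignment{}
	for _, a := range all {
		if rank[a.Role] == 0 || !applies(a.Scope, resource) {
			continue // unknown role, or scope is not an ancestor of resource
		}
		if cur, ok := out[a.Principal]; !ok || rank[a.Role] > rank[cur.Role] {
			out[a.Principal] = a
		}
	}
	return out
}

// Report flattens the whole environment into sorted, exportable lines.
func Report(all []Assignment, resources []string) []string {
	var lines []string
	for _, r := range resources {
		for who, a := range Effective(all, r) {
			how := "direct"
			if norm(a.Scope) != norm(r) {
				how = "inherited from " + a.Scope
			}
			lines = append(lines, fmt.Sprintf("%s | %s | %s | %s", r, who, a.Role, how))
		}
	}
	sort.Strings(lines)
	return lines
}

// Constructed sample data; see the lead-in for which names are hypothetical.
const (
	sub    = "/subscriptions/sub-0001"
	rg     = sub + "/resourceGroups/EmployeeBenefitsApp"
	rgTest = sub + "/resourceGroups/EmployeeBenefitsAppTest"
)

var sampleAssignments = []Assignment{
	{"Ops Auditors", "Reader", sub},
	{"HR IT Admins", "Owner", rg},
	{"HR IT DevOps Team", "Contributor", rg},
	{"HR Benefits Team", "Reader", rg},
	{"HR IT DevOps Team", "Owner", rgTest},
}

var sampleResources = []string{rg + "/vm1", rg + "/sqldb", rgTest + "/vm1"}

func main() {
	for _, line := range Report(sampleAssignments, sampleResources) {
		fmt.Println(line)
	}
}
```

The segment-boundary check in `applies` is the part worth copying into any audit script: a plain string-prefix test would report the DevOps team as Owner of the production SQL database because of its assignment on the similarly named test group.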

Page 44:

In Closing..

Microsoft Azure helps you enable data protection:
• Trusted cloud platform
• Provide broad support for encryption solutions to encrypt your data
• Allow control of your encryption keys and storage
• Allow securing and managing admin accounts
• Allow auditing, logging, and advanced detection tools for monitoring accounts

Page 45:

Related Sessions at Ignite

• BRK2706 – Introduction to Microsoft Azure Key Vault
• BRK2482 – Data Center Security and Assurance
• BRK2570 – Overview of Microsoft SQL Server Security Futures
• BRK3457 – Harden the Fabric, Protecting Tenant Secrets in Hyper-V
• BRK3336 – Running Linux in Azure
• BRK2707 – Roles Based Access Control for Microsoft Azure
• BRK3873 – Protecting Windows and Microsoft Azure Active Directory with Privileged Access Management

Page 46:

Azure Trust Center (security and privacy): http://azure.microsoft.com/en-us/support/trust-center/

Azure Active Directory: http://azure.microsoft.com/en-us/services/active-directory/

Azure RBAC: http://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure

Azure MFA: http://azure.microsoft.com/en-us/services/multi-factor-authentication/

Azure PIM: http://blogs.technet.com/b/ad/archive/2015/05/04/azure-cloud-app-discovery-ga-and-our-new-privileged-identity-management-service.aspx

StorSimple: http://www.microsoft.com/en-us/server-cloud/products/storsimple/

SQL Server TDE: http://msdn.microsoft.com/en-us/library/bb934049.aspx

Always On with TDE: http://blogs.msdn.com/b/alwaysonpro/archive/2014/01/28/how-to-enable-tde-encryption-on-a-database-in-an-availability-group.aspx

Azure SQL DB: http://azure.microsoft.com/en-us/services/sql-database/

BitLocker tools: http://technet.microsoft.com/en-us/library/jj647767.aspx

Encrypting with .Net: http://msdn.microsoft.com/en-us/library/System.Security.Cryptography(v=vs.110).aspx

Storage Client-Side Encryption: http://blogs.msdn.com/b/windowsazurestorage/archive/2015/04/28/client-side-encryption-for-microsoft-azure-storage-preview.aspx

Learning references

Page 49:

© 2015 Microsoft Corporation. All rights reserved.

Questions