Understanding and Implementing Windows Azure Platform Security_Lai Hoong Fai

Understanding & Implementing Windows Azure Platform Security
Lai Hoong Fai, Microsoft Malaysia, [email protected]

Transcript of Understanding and Implementing Windows Azure Platform Security_Lai Hoong Fai

Page 1: Understanding and Implementing Windows Azure Platform Security_Lai Hoong Fai

5/11/2018 Understanding and Implementing Windows Azure Platform Security_Lai Hoong Fai - slidepdf.com

http://slidepdf.com/reader/full/understanding-and-implementing-windows-azure-platform-securitylai-hoong-fai 1/28

 

Understanding & Implementing Windows Azure Platform Security

Lai Hoong Fai
Microsoft Malaysia
[email protected]

Page 2

Agenda

Cloud Security Concerns

Windows Azure Platform Security Model
 – Compute Services
 – Storage
 – Identity and Access
 – Networking
 – Management

Data Center Security and Data Location

Page 3

Services and Server Platforms

[Slide graphic: a spectrum of platforms from "Build Your Own" to "We Run it for You". One side is Optimized for Scale-out Apps, Massive Scale, Prescribed Hardware and Cost of Operations; the other is Versatile across Any Workload or Application, Levels of Scale, Hardware Configurations and Operational Models.]

Page 4

Platform as a Service Security Model

[Slide diagram: the five layers Physical, Network, Host, Application and Data, compared On Premises and on the Platform as a Service. On Premises the customer is responsible for every layer; on the Platform as a Service, Microsoft takes over the Physical, Network and Host layers while the customer remains responsible for the Application and Data layers.]

Page 5

Cloud Security Concerns

Where is my data located?
Is the Microsoft Cloud “secure”?
Who can see my data?
How do you make sure my company data follows “the rules”?
What happens if …

“Cloudy with a chance of Rain”, The Economist, March 5, 2010

Page 6

Windows Azure Security Layers

Layer | Defenses
Data | Strong storage keys for access control; SSL support for data transfers between all parties
Application | Front-end .NET code running under partial trust; Windows account with least privileges
Host | Windows Server 2008 R2 OS image; host boundaries enforced by external hypervisor
Network | Host firewall limiting traffic to VMs; VLANs and packet filters in routers
Physical | World-class physical security; ISO 27001 and SAS 70 Type II certifications for datacenter processes

Page 7

Secure by Design

Industry leading software security assurance process
 – Prescriptive yet practical approach
 – Proactive – not just “looking for bugs”
 – Eliminate security problems early
 – Proven results

Protects Windows Azure Platform customers by
 – Reducing the number of vulnerabilities
 – Reducing the severity of vulnerabilities

Page 8

Windows Azure Platform

The Windows Azure Platform is an internet-scale cloud services platform hosted in Microsoft data centers around the world, providing a simple, reliable and powerful platform for the creation of web applications and services.

[Slide graphic: the Windows Azure Platform, supporting general purpose programming languages.]

Page 9

Windows Azure Architecture

[Slide diagram: the Fabric Controller managing the load-balancers and switches.]

Service Model
 – Services composed of roles, mix and match in any topology
 – Desired state of service: number of role instances, availability and update domains, config settings

Role Types
 – Agnostic to programming languages

Page 10

Windows Azure Compute Security

Customer code runs on dedicated virtual machines (VMs)
VMs isolated by a Hyper-V based hypervisor
All access to network and disk is mediated by a “host” virtual machine
 – Stripped down, hardened version of Windows Server 2008 or R2
 – No persistent storage in the compute nodes
 – Limited number of device drivers
 – Network connectivity restricted using host firewall

[Slide diagram: Web Role, Worker Role and VM Role VMs isolated on top of the Hyper-V based hypervisor; a Host VM mediates all network/disk access and performs network packet filtering.]

Page 11

Windows Azure Compute Security

The VM is the security boundary upon which Windows Azure security is based
 – The host OS and Fabric Controller are trusted by the infrastructure
 – The guest agent and customer code are untrusted
 – The Fabric Controller host agent ensures that the VM can only access IP addresses assigned to VMs of the same service
   • Allows access to Internet addresses

Fabric Controller uses certificates and network security to authorize access to datacenter resources
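The two address rules above (same-service VMs and Internet addresses allowed, everything else dropped) as an added, self-contained model; this is not Microsoft's host agent code, and the service names, VM addresses and the use of RFC 1918 space as the "private datacenter" range are constructed assumptions.

```python
# Added example (not from the slides): a model of the per-service address
# filter the slides attribute to the Fabric Controller host agent. Service
# names, addresses and the private ranges below are constructed assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed tenant layout: service name -> private IPs assigned to its VMs.
SERVICE_VMS = {
    "svc-shop": ["10.1.0.10", "10.1.0.11"],
    "svc-billing": ["10.1.0.20"],
}

# RFC 1918 space stands in for the datacenter's private address ranges;
# anything outside it is treated as an Internet address.
PRIVATE_RANGES = [ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def service_of(vm_ip: str) -> Optional[str]:
    """Return the service that owns a VM address, or None if unassigned."""
    for name, members in SERVICE_VMS.items():
        if vm_ip in members:
            return name
    return None


def is_private(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


def filter_packet(src_vm: str, dst: str) -> Verdict:
    """Decide whether a VM may send to dst: same-service private addresses
    and Internet addresses pass; any other private address (another tenant
    or infrastructure) is dropped."""
    src_service = service_of(src_vm)
    if src_service is None:
        return Verdict(False, "source VM is not assigned to any service")
    if not is_private(dst):
        return Verdict(True, "Internet address")
    if service_of(dst) == src_service:
        return Verdict(True, f"same service ({src_service})")
    return Verdict(False, "private address outside the source VM's service")


if __name__ == "__main__":
    for dst in ("10.1.0.11", "10.1.0.20", "203.0.113.5", "10.1.0.99"):
        v = filter_packet("10.1.0.10", dst)
        print(f"10.1.0.10 -> {dst}: {'ALLOW' if v.allowed else 'DROP'} ({v.reason})")
```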

Page 12

Windows Azure Compute Reliability

Unit of failure based on data center topology – e.g. top-of-rack switch on a rack of machines

Windows Azure considers fault domains when allocating service roles
 – 2 fault domains per service
 – Will try and spread instances out across more than one fault domain
   • E.g. won’t put all instances in same rack

[Slide diagram: two racks, with instances of Front-End-1, Front-End-2, Middle Tier-1 and Middle Tier-2 spread across both fault domains.]

Page 13

Storage Services in Windows Azure

Windows Azure storage is an application managed by the Fabric Controller
Windows Azure applications can use native storage, SQL Azure, or even run MySQL within a VM
Application state is kept in storage services, so worker roles can replicate as needed

Page 14

Windows Azure Storage Security

Page 15

SQL Azure

Relational Database as a Service in Azure
 – Built upon the SQL Server engine
 – One logical server per Azure subscription
 – Abstracts the logical from the physical administration

Server side processing of data
 – Aggregation, stored procedures, queries, joins, sorts, views, indexes, etc.
 – Supports familiar relational T-SQL programming model

Accessible through existing APIs
 – ADO.NET, ODBC, etc.
 – Easy to use schema migration and data migration tools available

Page 16

Multiple front-end servers receiving client connections
Data stored in three replicas
 – Reads are completed at the primary
 – Writes are replicated to a quorum of secondaries

[Slide diagram: a single logical database (DB) backed by multiple physical replicas, Replica 1, Replica 2 and Replica 3, with multiple secondaries.]
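To make the quorum rule concrete, here is an added toy model of the three-replica commit described above (this is not SQL Azure's replication code): a write commits only when the primary plus enough secondaries acknowledge it, and reads are served from the primary. Replica names, the quorum size of 2 and the failure walk-through are constructed assumptions.

```python
# Added example (not from the slides): a toy three-replica quorum commit.
# The quorum size, replica names and failure scenario are constructed.
from typing import Dict, List, Optional, Tuple

REPLICAS = 3  # one primary plus two secondaries, as on the slide
QUORUM = 2    # primary plus at least one secondary must acknowledge


class Replica:
    def __init__(self, name: str) -> None:
        self.name = name
        self.up = True                 # False simulates a failed/unreachable node
        self.log: Dict[str, str] = {}  # committed key/value state

    def apply(self, key: str, value: str) -> None:
        self.log[key] = value


class LogicalDatabase:
    """One logical DB backed by a primary and several secondaries."""

    def __init__(self) -> None:
        self.primary = Replica("Replica 1")
        self.secondaries = [Replica(f"Replica {i}") for i in range(2, REPLICAS + 1)]

    def _all(self) -> List[Replica]:
        return [self.primary, *self.secondaries]

    def write(self, key: str, value: str) -> bool:
        """Commit only if a quorum of replicas (including the primary) is
        reachable; otherwise reject the write without applying it anywhere,
        so a partitioned primary can never serve data that was not replicated."""
        reachable = [r for r in self._all() if r.up]
        if not self.primary.up or len(reachable) < QUORUM:
            return False
        for r in reachable:
            r.apply(key, value)
        return True

    def read(self, key: str) -> Optional[str]:
        """Reads are completed at the primary, as the slide states."""
        return self.primary.log.get(key)

    def set_up(self, name: str, up: bool) -> None:
        for r in self._all():
            if r.name == name:
                r.up = up


def scenario() -> Tuple[List[bool], Optional[str]]:
    """Constructed walk-through: all healthy, one secondary down, two down."""
    db = LogicalDatabase()
    results = [db.write("k", "v1")]       # 3 acks -> committed
    db.set_up("Replica 3", False)
    results.append(db.write("k", "v2"))   # 2 acks -> still committed
    db.set_up("Replica 2", False)
    results.append(db.write("k", "v3"))   # only the primary -> rejected
    return results, db.read("k")          # the primary still holds v2
```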

Page 17

Identity and Access Management

[Slide diagram: On Premises Active Directory and other identity providers connected to the platform through WS-* and SAML.]

Use of Active Directory identities and groups through federation
 – Enables seamless access experience with other corporate applications tied to AD
Integration with 3rd party systems through WS-* and SAML 2.0 open standards
Single sign-on with popular Internet identity providers

Page 18

AppFabric Access Control 2.0

Provides rules-driven, claims-based authorization for:
 – Web applications
 – REST Web services
 – SOAP Web services

Key features
 – Broad identity provider support, including AD Federation Services v2 and popular Web identity providers (Live ID, Facebook, Google, Yahoo)
 – WS-Trust and WS-Federation protocol support
 – Full integration with Windows Identity Foundation (WIF)
 – Configurable through new management web portal
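An added illustration of what "rules-driven, claims-based authorization" means in practice: input claims from an identity provider are mapped by issuer-scoped rules to the output claims a relying party actually authorizes on. This is not ACS code or its rule format; the issuers, claim types, rules and the relying-party check are constructed assumptions.

```python
# Added example (not from the slides or from ACS): a small rules-driven
# claims transformation. Issuers, claim types and rules are constructed.
from dataclasses import dataclass
from typing import List, Tuple

Claim = Tuple[str, str]  # (claim type, claim value)


@dataclass(frozen=True)
class Rule:
    issuer: str     # identity provider the input claim must come from
    in_type: str    # input claim type ("*" matches any type)
    in_value: str   # input claim value ("*" matches any value)
    out_type: str
    out_value: str  # "*" passes the input value through unchanged

    def matches(self, issuer: str, claim: Claim) -> bool:
        ctype, cvalue = claim
        return (self.issuer == issuer
                and self.in_type in ("*", ctype)
                and self.in_value in ("*", cvalue))


# Constructed rule group: a corporate AD FS group becomes an application role;
# a consumer identity provider only ever yields a low-privilege role, so a
# "groups" claim it asserts can never be promoted to approver.
RULES = [
    Rule("adfs.example.test", "groups", "Finance", "role", "approver"),
    Rule("adfs.example.test", "email", "*", "email", "*"),
    Rule("live.example.test", "*", "*", "role", "reader"),
]


def transform(issuer: str, input_claims: List[Claim],
              rules: List[Rule] = RULES) -> List[Claim]:
    """Apply every matching rule. Unmatched input claims are NOT forwarded,
    so the relying party only sees claims a rule explicitly issued."""
    out: List[Claim] = []
    for claim in input_claims:
        for rule in rules:
            if rule.matches(issuer, claim):
                value = claim[1] if rule.out_value == "*" else rule.out_value
                if (rule.out_type, value) not in out:
                    out.append((rule.out_type, value))
    return out


def may_approve(output_claims: List[Claim]) -> bool:
    """Relying-party check: authorize on the issued role, never on raw
    identity-provider claims."""
    return ("role", "approver") in output_claims
```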

Page 19

Demo #1: AppFabric ACS

Page 20

Windows Azure Management

Public REST interfaces
Service Management and Diagnostics APIs
 • Deployment and life cycle management
 • Diagnostics and logging
PowerShell
 • Enable building of sophisticated deployment scripts
System Center integration
Remote Desktop interface

Page 21

Windows Azure Management Security

Customers create Windows Azure subscription using Live ID credentials
Hosted services and storage accounts managed through Live ID or a Service Management API over SSL with certificate-based mutual authentication
Fabric controllers update and manage the compute and storage nodes
 – Fabric controllers run on separate hardware from the compute or storage services
 – Communication between Fabric controllers and managed nodes is authenticated and encrypted using SSL

Page 22

Demo #2: Management Security

Page 23

Data Center Security

World-Class Physical Security
 – 24x7 secured access
 – Electronically controlled access systems
 – Video camera surveillance
 – Motion sensors
 – Security breach alarms

Industry Certifications
 – ISO/IEC 27001:2005
 – SAS 70 Type II

Page 24

[Slide map: Windows Azure data center locations in North America (North Central US, South Central US), Europe (North Europe, West Europe) and Asia (East Asia, South Asia).]

Microsoft complies with all applicable laws regarding cross-border data transfer including EU and US Safe Harbor requirements

Page 25

Call to Action

1. Sign up and deploy your first app on Windows Azure Platform - http://bit.ly/tBavpE
2. Activate your Windows Azure benefit for MSDN Subscribers - http://bit.ly/qT0HW9
 – How to activate - http://bit.ly/r1ONwn
3. Download Windows Azure SDK and Tools - http://bit.ly/odmOEy
4. Attend a 1-day Windows Azure Discovery Workshop on Nov 12. Email [email protected]

Page 26

Summary

Cloud Security Concerns

Windows Azure Platform Security Model
 – Compute Services
 – Storage
 – Identity and Access
 – Networking
 – Management

Data Center Security and Data Location

Page 27

References

• Windows Azure Security Guidance - http://bit.ly/uU2w5I
• ACS Samples and Documentation - http://bit.ly/rTX93K
• Microsoft Global Foundation Services (GFS) - http://bit.ly/sfvoci
• GFS Infrastructure videos - http://bit.ly/rqhAEA
• Security Resources for Windows Azure - http://bit.ly/rIulDp
• Real World Windows Azure Security - http://bit.ly/uo6Mwo
• Windows Azure Training courses - http://bit.ly/uC8oYo

Page 28

Thank You

Q&A