Security is integrated in every part of Azure, but under a shared responsibility model: Microsoft takes care of some security aspects and enables us to take care of the rest. Every Azure service has security features built in, and there are services dedicated solely to security. Combining these features and services can produce a rock-solid Azure tenant with no security holes. Come and see how to do it yourself and build a safe Azure environment!
Conference Website: https://www.2020twenty.net/azure
C# Corner - Global Community for Software and Data Developers
https://www.c-sharpcorner.com
0:00
Okay, so we're going to discuss 10 things that you need to do to build a rock-solid
0:08
Azure tenant. Magnus already gave a wonderful introduction, so I'm not going to keep much time on it
0:17
There was a video as well and everything. So let's discuss the security and the structure around Azure
0:27
So back in the days when cloud computing was just starting out, there was a lot of mistrust around it
0:35
A lot of people were concerned, what will happen to my data, to my application if I put it in cloud
0:41
Who has access to it? Who can control it? Who can see my data? And so on
0:47
As a result of that, all cloud providers advertised cloud computing as very secure
0:55
and we need to keep a couple of things in mind when it comes to cloud security
1:03
because this selling cloud as a secure place kind of puts people asleep
1:11
It puts them off guard because, okay, cloud is a very secure place
1:17
but to some extent, it's not like if we just put it in the cloud
1:23
if we just take our application and data and put it in the cloud, put it in Azure, it doesn't make it
1:29
secure by default. There are some precautions, some steps that we need to take care of. So
1:37
there's a lot of structure around security when we observe it. For example, the first one
1:45
that comes to mind is physical security, the physical security of the data center and the physical
1:51
security of the servers and infrastructure running that data center. So basically, this is, when it comes to Azure, this is top of the R, like best, greatest and
2:05
latest, like up to best industry standards. We have cameras and alarms
2:10
We have security staff on premises constantly. We have barriers, fencing. Everything needs to be accessed with two-factor authentication
2:23
We have days of backup power that runs security systems. There's a lot of things when it comes to that physical security
2:32
And when we compare it to what most of the companies have nowadays, this is way better than, like, 99.9% of organizations will ever have
2:43
Exceptions are maybe some financial institutions or military, but most of the companies don't invest in physical security of their data center as much
2:56
Then we have the network layer. And finally, we have virtual machines and applications in those data centers
3:05
Now, network is basically the first step where we as a customer, as an Azure consumer, start taking some of the responsibilities for ourselves
3:21
Microsoft is still responsible for the physical network security, but there are some network aspects like endpoints and virtual network security and things like that
3:32
that we actually need to take care of. Because, for example, if we just leave an unprotected endpoint
3:40
like we place our data in Azure, and we leave the endpoint as a public access
3:46
and someone accesses our sensitive data because it was publicly accessible, we cannot actually blame Microsoft for someone stealing our data
3:57
It was our fault. Similar thing can go in terms of application security
4:02
When it comes to, like, if you place an application that's vulnerable to SQL injection
4:08
and that's still a very painful place for a lot of companies
4:13
a lot of applications are still vulnerable to that. If we have an application like that, and someone manages, again, to steal our data
4:23
because of vulnerability in our software, we cannot blame, again, Microsoft because we wrote bad code
4:29
It's basically up to us to secure that part as well. Fortunately, in Azure, there are a lot of things that help us
4:38
how we can actually do that. Microsoft takes care of some parts
4:46
It's a concept that is like shared responsibility, where Microsoft takes care of one part of the security
4:53
and the rest of the security, we have to do it ourselves
4:57
But Microsoft enables us with a lot of different tools to actually do that and to actually create secure environment for our application and information
5:11
Okay, so first step that everyone needs to do is definitely enable multi-factor authentication
5:19
It's a really simple thing. And why? So there's a big change when it comes to identity and account access when moving from on-premises to the cloud
5:39
In our on-premises environment, even if someone stole some credentials and managed to have access to certain data in our own network, they still would need to actually physically access the network, gain access to the network first before they misuse those credentials
6:00
With cloud computing, it's much different. We no more have that restriction where someone actually needs to get inside our company and then try to access it
6:12
Basically, with cloud services, everything is available from anywhere in the world
6:17
Now, credentials are becoming big vulnerability and based on a lot of security research, like 95 point something percent of data breaches and security issues come because of some kind of credential leaks
6:37
It can be social engineering, it can be a phishing attack. But a lot of times data is stolen, security is in question when credentials are leaked
6:52
So by enabling multifactor identification, we are adding additional step, additional confirmation that we are actually trying to sign in to access any kind of application
7:06
or database, any kind of Azure resource, we need to provide, besides traditional username and password
7:15
we need to provide additional authentication methods. So basically, when I sign into my account, I will be prompted
7:23
and most popular thing nowadays is to use mobile phone that supports either call, SMS, or authenticator app
7:36
which is pretty popular, pretty easy to use. I have like 40 different accounts in it and it works like a charm
7:43
And basically, when I try to sign in, I'm automatically prompted on my phone to approve that request
7:50
that it's actually me signing in. And if someone else tries to actually sign in
7:58
I can deny that access. I know I'm like 100 meters from my computer right now
8:05
I'm not trying to sign in, and I get prompted on my phone
8:10
that I'm trying to sign in, I can block that request and even report it as a malicious attempt of some kind. So basically, this is providing a lot of additional security when it comes to cloud resources. Also, there's an option
8:28
very popular nowadays to go completely passwordless and use USB tokens to actually approve
8:35
that kind of access. Now that's a completely different story and it kind of has its pros and cons
8:42
but it's also a valid option to consider when we are talking about account security
8:51
Next thing, and we kind of touched on that in the beginning, in the introduction, is we need to use
8:59
role-based access control. So basically, we've already mentioned back in the days when Microsoft Azure
9:08
actually it wasn't Microsoft Azure back then, it was Windows Azure. It had a much different
9:14
structure. Basically, everything was on the subscription. We didn't have any granular
9:21
access or control over it. So basically, if I wanted to allow Magnus to run single application
9:29
on my subscription, I had to make him co-admin of my entire subscription
9:35
I couldn't say he has access to this application or this set of resources
9:40
It was completely different. Now, role-based access control gave us a lot of different options
9:47
So it goes from the tenant level that we can create management groups
9:52
and then beneath management groups, we can create subscriptions. and then go a step further, create resource groups
10:03
and then under resource groups, we have resources. So basically, all of these levels
10:09
are different management levels, and we can assign users with access to any level that we want
10:17
And it's expanded quite more compared to traditional co-admin and admin roles
10:26
we have hundreds of predefined role assignments nowadays, but we also have ability to create
10:33
our own custom role assignments. So basically we can create our custom roles
10:39
if something is not covered by default roles by themselves, which is really rare
10:47
Like we're talking about couple of hundred different role assignments by default
10:51
and you can probably cover 99% of the scenarios that can be happening
10:59
And how it actually works. So basically, if I provide a user with contributor access to subscription level
11:09
that user would automatically have contributor access on everything below that subscription
11:17
So basically, complete subscription, all resource groups in that subscription, and all resources running on that subscription
11:25
Now, if I apply a different user with the reader access to a certain resource group
11:30
that user would not see anything else on that subscription. That user would have access to that specific resource group
11:37
and could access resources in a read mode in that specific resource group
11:45
And if you go even a step below, we can assign user with the access on the single resource
11:52
And user will basically see that resource group and all the resources, but could make some kind of action only for the resources that is actually assigned role for
12:03
So it gave us a lot of flexibility, a lot of granularity, and allowed us to much better control over our resources and how we can provide user access
12:17
Okay, next thing that is very important and can help increase security is privileged identity management
12:26
So this is one of the concepts that I'm a big fan of
12:31
From a security perspective, I do a lot of security things in cloud especially
12:37
And privileged identity management basically provides a concept of something called just-in-time administration and just-enough administration
12:50
So basically what it means. We are providing users with a specific role
12:55
But that role is not present on the user account by default when users sign in
13:01
They actually need to go to portal and activate that role. And only when activating role, they will actually have ability to perform certain actions
13:14
So if I provide user with ability to be a security administrator, when they sign in on their account, they would actually just see resources like regular user resources, like applications that they can access or mail or SharePoint or whatever, everything that's tied to their user account as a user
13:38
But they wouldn't see any kind of privileged roles like administrator roles and stuff
13:43
So this security administrator would see everything that a regular user sees
13:48
And if a user actually needs to perform some things that only security administrator can do, they actually have to go to a portal, activate their role
14:01
They need to say for how long they want to perform that role and then actually perform the work that's associated with that role
14:10
This provides us with that just-in-time access or just-in-time administration where even if the credentials leaked and even if someone somehow bypasses MFA, they still cannot do much damage if they actually don't know that this account needs to be activated to perform certain operations
14:37
It's kind of a damage control. Another thing, the part just enough administration, is that this option is giving us ability to see how often users actually use certain roles
14:53
I've seen that many, many times in organizations, such audits are not performed regularly
14:59
And we have even users that left company years ago and still have certain administrator rights and stuff
15:09
So, Privileged Identity Management provides us with periodic reports telling us which users actually used their role or didn't use their role for a certain amount of time
15:20
So basically, if we have a user that is, I don't know, enterprise administrator and didn't actually enable that, didn't activate that role for last year, that user probably doesn't need that role anymore
15:34
So it gives us opportunity to review what privileged assignments are given to users, and we can actually decrease the numbers of privileged accounts in our environment
15:48
Next thing is to use network security groups. This is especially when we talk about virtual networks and virtual machines
15:56
If you're using this part, this is basically the first step to protect our resources
16:02
By default, everything is open and basically anyone can access anything. Our endpoints in Azure are unprotected
16:10
If we assign public IP addresses and a virtual machine without network security group
16:16
It's completely unprotected and basically any port is open for traffic. Network security groups give us control over traffic, what can come inside or what can go outside. Basically, it provides us with traffic control and we can basically allow only certain ports that are necessary for our application to work to actually be publicly
16:44
available. Another thing that we need to note is that network security groups can be attached either
16:50
to network interface on the virtual machine or to network security groups. Either way will work
16:57
but I recommend the second one. Go with attaching network security groups to the subnets
17:03
because basically attaching them to network interface will create a whole lot of problems
17:10
It's perfectly fine when you have five virtual machines, but when you have 50, it becomes a problem
17:17
When you have 1,000, it's completely unmanageable. So basically creating subnets that are treated as a logical grouping of your virtual machine
17:30
For example, if you look at the classical three-tier architecture where we have front-end, middle layer, and back-end
17:39
we will basically have first subnet for the front-end that will allow traffic over HTTPS
17:48
but would block everything else. And on the second subnet for the mid-tier
17:54
we would disallow traffic from the outside. So basically anything from internet would be disallowed
18:01
and allowing only to the virtual machines in the front end to actually communicate with middle tier
18:09
And backend would only allow traffic from the middle tier, not even allowing the front end subnet to communicate
18:17
So basically, this is a good way to start controlling your traffic and protecting your resources
18:25
Optionally, we can use Azure Firewall that gives us a lot more options
18:30
It's much better control, but the big difference is network security groups are for free
18:35
and Azure Firewall can increase your Azure costs substantially. Next thing, web application firewall
18:44
A very cool part, Web Application Firewall is part of Application Gateway that is basically layer 7 load balancer
18:55
But what it does, it provides you with a lot of filtering options
19:00
It can distinguish what kind of request is valid and which one is malicious
19:07
So basically, application gateway has a built-in ability to prevent SQL injection or cross-site scripting or similar attacks and recognize which attacks are valid
19:20
And basically, only valid requests will pass the application gateway, blocking all others
19:26
So basically, I mentioned that in the beginning, this is the way Microsoft can help us secure our applications, even if we write a bad code that is unsecured
19:37
Next one is Azure Key Vault. I'm a big fan of Azure Key Vault
19:43
I use it for literally anything. Azure Key Vault is a big help
19:50
It can help you secure your secrets, passwords, certificates, connection strings; it's used with infrastructure as code and so on. Why?
19:59
Well, again, similar to accounts and credentials, secrets, passwords and certificates might need to be treated a little differently in the cloud
20:10
They need to be managed in a different way. We need to control who sees what, who can access that
20:17
And Azure Key Vault helps us encrypt that information, allowing applications to access that information when needed
20:25
but preventing all other users from actually seeing that information. Same goes for the connection string
20:31
And when it comes to infrastructure as code, a lot of services, when we are deploying
20:38
So if you're doing cloud and you're building infrastructure, you need to do infrastructure as code
20:42
Otherwise, you're doing it wrong. Basically, it has a lot of different options
20:48
It can go to the ARM templates. It can go to either PowerShell, Azure CLI
20:54
We can use different tools like Terraform, and so on. There are a lot of different tools that can help us build infrastructure as code
21:05
But a lot of services need some kind of administrator username and password when we are deploying them
21:13
And keeping that information in code is also, again, a very bad idea
21:19
A lot of people can access a repository. A lot of people probably, everyone that has access to a repository probably don't need to see those kind of secrets
21:30
There's also a problem when a lot of times there was a mistake
21:40
when someone pushed those kinds of secrets, usernames, passwords or secret endpoints to a public repository
21:50
and everyone could actually access that. So this can create a lot of problems
21:56
Infrastructure as code with Azure Key Vault provides the ability to store those passwords and usernames inside the Key Vault and then basically call them on deployment
22:10
Infrastructure as code, when it's actually used, is calling the Azure Key Vault, getting that information that is used during deployment
22:20
completely encrypted, completely hidden, and even the person who is deploying the
22:28
infrastructure doesn't necessarily need to know what kind of username and password is used during the deployment process. Also, we need to remember to
22:39
encrypt data. Again, this is something we use Azure Key Vault for, but why we need
22:48
to do it. Let's first take a step back and say that all data in Azure Data Center is encrypted
22:56
at rest. So basically everything is encrypted at rest. If I somehow, with all the security
23:02
managed to get to Azure Data Center and pull one of the disks out of the server rack and run away
23:08
with it, it would be completely useless to me. The disk is encrypted and all data is encrypted at rest
23:14
The issue, it doesn't need to be an issue, but all data is encrypted with Microsoft-provided keys
23:24
Microsoft is handling that kind of encryption. And a lot of security standards have a problem with that
23:35
So basically, if you want to be compliant according to, I don't know, ISO 27001 or there's tens of different security protocols and standards that you can follow
23:52
If you want to be compliant, but most of them, you actually have to be in charge of those keys that are used in the encryption
24:00
So that can create a problem. So with Azure Key Vault, we can actually encrypt that data
24:07
We can actually encrypt our data with our own managed keys that are stored inside Azure Key Vault
24:18
This also can be helpful when we are discussing the exporting of data
24:23
For example, if you take Azure Virtual Machine, each Azure Virtual Machine has a virtual disk
24:29
and that disk is encrypted at rest. But what happens with that disk when it's exported
24:37
from the Azure or downloaded to a local machine? It's no longer encrypted. Why
24:43
Because it's by default encrypted with a Microsoft encryption key and you cannot actually decrypt it once you download it. So Microsoft is allowing you to download unencrypted data. But when you encrypt that disk with
24:58
your own key, with your key that you are managing, that disk can be still
25:04
encrypted and in this way we are keeping all the data encrypted at all times, even
25:10
when exporting it out. Okay. Another thing that we need to consider
25:17
when we discuss security in Azure is to use Azure Security Center
25:22
It's an amazing product that gives you overall view of your current security situation
25:31
and allows you to control what's happening to your data. This is basically about security standing, how your current situation, your current resources are standing compared to best practices that Microsoft recommends
25:55
So basically, it analyzes all resources that you have inside your subscription or even tenant
26:02
It can be on multiple layers. And it takes your current situation, your endpoints, your data and everything
26:09
and it compares that with what is the current best practice and tells you it provides you with a step that you actually need to implement
26:19
in order to actually secure your tenant more, to secure your Azure resources in a better way
26:30
It's about compliance. It's about hygiene, keeping everything steady, keeping everything up to the standards
26:37
And it has a few more tools, for example, just-in-time access for virtual machine
26:50
Okay, this is one of my favorite features in Azure Security Center
26:55
It provides you with a lot of cool things, like Azure Security Center gives you guidelines how to make it better
27:04
gives you guidelines how to make your resources more secure. It provides you with either – there are a lot of things
27:11
that you can basically fix with single click, allowing you to encrypt some stuff
27:17
or change certain endpoints or install certain antivirus software on virtual machine and so on and so on
27:24
So basically, there are a lot of one-click solutions where you just click a button in the Azure Security Center
27:30
and it resolves it. For other things that are more complicated and cannot be automated
27:35
or need certain user decisions and stuff, it provides you with step-by-step instructions
27:41
on how you can actually achieve that. But still, I really like just-in-time access for Azure virtual machines
27:48
Okay, now I'm going to explain why. A big problem can arise when we want to manage our virtual machines
28:02
from outside virtual network. So basically, best practice is definitely that we need to either have point-to-site or site-to-site connection to our virtual network and then access our virtual machines and manage them from a secure environment, from a secure network
28:23
But many times it's not possible. Our organization doesn't have infrastructure for that
28:29
or we are constantly traveling and we cannot provide all users with point-to-site VPN and so on and so on
28:37
And then we need to keep RDP port or PowerShell port open
28:44
to actually do some things. This is generally a very, very, very bad idea
28:51
I'm going to tell you why it's a bad idea. I created four blank virtual machines, four virtual machines that are just Windows Server
29:00
2019, nothing on them, like blank virtual machines. Only thing that was specific to those virtual
29:08
machines was that they had RDP port open. 3389 was open on those virtual machines, and you could
29:20
actually access them from outside, over the internet, from outside the network
29:27
What do bad guys do? They are basically scanning public IP address ranges
29:32
and looking for openings. And they found that my virtual machines are open
29:39
In a single month, those virtual machines were hit in total 160,000 times by brute force attack
29:53
So basically, if you leave 3389 open, they're going to bombard it with brute force trying to get in
30:03
This is why it's really bad to actually leave that port open
30:08
Now, with just-in-time access in Azure Security Center, we can actually create a similar situation to privileged identity management where we can say, okay, this port is actually closed, but we can request opening of that port from specific IP or IP ranges for a certain period of time
30:31
So basically, if I'm doing any kind of work and I need to access a specific virtual machine from my home network to fix something, I can go to just-in-time VM Access
30:46
I can start this type of access from my current IP address for a certain amount of time and then do my work
30:57
anyone else coming from different IP address will not be able to access it
31:04
Also, when the time I allocate it up front expires, I will not be able to work on that anymore
31:12
and I will actually need to go to Portal again to activate it
31:15
for an extended period of time if I'm not done with it
31:21
Finally, a very, very cool new feature. it's not really new anymore
31:27
It's over a year now, but still. One of the latest security features that we had is Azure Sentinel
31:33
that basically created a lot of confusion when it was compared to Azure Security Center
31:40
Basically, Azure Security Center is for hygiene and guidelines on how your Azure security needs to look
31:54
But Azure Sentinel is about live threat hunting and analyzing data on the fly to actually detect things that are happening right now
32:05
It works as a certain log warehouse that we can basically throw any kind of
32:13
It's not limited to Azure only. We can basically throw any kind of log, even from our on-premises environments, from different clouds
32:20
We can throw everything in there and then use Azure Sentinel with excessive machine learning capabilities
32:28
We can create our own Python scripts to analyze data and so on and try to detect things that are happening before they actually happen
32:38
So, this is not only for keeping the guard, but it's actually to help you live hunting threats and possible security issues while they're actually happening
32:55
Okay, do we have any kind of questions?
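The three-tier network security group design described in the talk (HTTPS only into the front end, only the front end into the middle tier, only the middle tier into the back end), as an added example that is not part of the talk or its transcript: a small Python model of how Azure evaluates inbound NSG rules by priority, with an assumed 10.0.0.0/16 address plan and simplified stand-ins for the Internet and VirtualNetwork service tags. It also shows the caveat that Azure's default AllowVnetInBound rule lets every subnet reach the back end unless an explicit deny is added above it.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import ipaddress

# Assumed address plan (constructed for this example, not from the talk).
VNET_CIDR = ipaddress.ip_network("10.0.0.0/16")
FRONTEND, MIDTIER, BACKEND = "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"

# Simplified stand-ins for the Azure service tags used as rule sources.
INTERNET = "Internet"                # any address outside the VNet
VIRTUAL_NETWORK = "VirtualNetwork"   # any address inside the VNet
ANY = "*"

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int             # lower number is evaluated first; first match wins
    access: str               # "Allow" or "Deny"
    source: str               # service tag or CIDR
    dest_port: Optional[int]  # None means any port

# Azure's default inbound rules (the AzureLoadBalancer rule is omitted here).
DEFAULT_INBOUND: List[Rule] = [
    Rule("AllowVnetInBound", 65000, "Allow", VIRTUAL_NETWORK, None),
    Rule("DenyAllInBound", 65500, "Deny", ANY, None),
]

def _source_matches(source: str, src_ip: str) -> bool:
    ip = ipaddress.ip_address(src_ip)
    if source == ANY:
        return True
    if source == VIRTUAL_NETWORK:
        return ip in VNET_CIDR
    if source == INTERNET:
        return ip not in VNET_CIDR
    return ip in ipaddress.ip_network(source)

def evaluate(rules: List[Rule], src_ip: str, dest_port: int) -> Tuple[str, str]:
    """Return (access, rule name) for an inbound flow, Azure-style: walk the rules
    in ascending priority and stop at the first whose source and port both match."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _source_matches(rule.source, src_ip) and rule.dest_port in (None, dest_port):
            return rule.access, rule.name
    raise AssertionError("DenyAllInBound should always match")

# Three-tier design from the talk. The explicit DenyVnetInBound rules matter:
# without them the default AllowVnetInBound (65000) lets every subnet reach every other.
NSGS: Dict[str, List[Rule]] = {
    "frontend": [Rule("AllowHttpsFromInternet", 100, "Allow", INTERNET, 443)] + DEFAULT_INBOUND,
    "midtier": [
        Rule("AllowAppFromFrontend", 100, "Allow", FRONTEND, 8080),
        Rule("DenyVnetInBound", 200, "Deny", VIRTUAL_NETWORK, None),
    ] + DEFAULT_INBOUND,
    "backend": [
        Rule("AllowSqlFromMidTier", 100, "Allow", MIDTIER, 1433),
        Rule("DenyVnetInBound", 200, "Deny", VIRTUAL_NETWORK, None),
    ] + DEFAULT_INBOUND,
}

def without_vnet_deny(rules: List[Rule]) -> List[Rule]:
    """The same NSG minus its explicit VirtualNetwork deny, to show the pitfall."""
    return [r for r in rules if r.name != "DenyVnetInBound"]

if __name__ == "__main__":
    # Constructed sample flows: a public HTTPS client, an RDP attempt from the
    # Internet (the 3389 scenario from the talk), and hops between the subnets.
    flows = [("frontend", "203.0.113.5", 443), ("frontend", "203.0.113.5", 3389),
             ("midtier", "10.0.1.10", 8080), ("backend", "10.0.1.10", 1433),
             ("backend", "10.0.2.10", 1433)]
    for subnet, src, port in flows:
        print(subnet, src, port, evaluate(NSGS[subnet], src, port))
    print("backend without explicit deny, from frontend:",
          evaluate(without_vnet_deny(NSGS["backend"]), "10.0.1.10", 1433))
```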
#Computer Security
#Enterprise Technology
#Network Security
#Distributed & Cloud Computing