AZ-900 Notes: Security, responsibility, and trust in Azure
Sudha Chandran B C
Posted on August 7, 2020
In this note you'll understand:
- Security responsibility is shared with Azure
- Identity management provides protection, even outside your network
- Encryption capabilities built into Azure can protect your data
- How to protect your network and virtual networks
Security is a shared responsibility
Infrastructure as a service (IaaS). With IaaS, you are leveraging the lowest-level service and asking Azure to create virtual machines (VMs) and virtual networks. It's still your responsibility to patch and secure your operating systems and software, as well as configure your network to be secure.
Platform as a service (PaaS) outsources several security concerns. Azure is taking care of the operating system and of most foundational software like database management systems. Everything is updated with the latest security patches and can be integrated with Azure Active Directory for access controls. You can "point and click" within the Azure portal or run automated scripts to bring complex, secured systems up and down, and scale them as needed.
Software as a service (SaaS). With SaaS, you outsource almost everything.
SaaS is software that runs on internet infrastructure. The code is controlled by the vendor but configured for use by the customer.
For all cloud deployment types, you own your data and identities. You are responsible for helping secure your data and identities, your on-premises resources, and the cloud components you control (which vary by service type).
Regardless of the deployment type, you always retain responsibility for the following items:
- Data
- Endpoints
- Accounts
- Access management
A layered approach to security
- In a defense in depth strategy, each layer provides protection so that if one layer is breached, a subsequent layer is already in place to prevent further exposure.
- Microsoft applies a layered approach to security, both in physical data centers and across Azure services.
- Defense in depth can be visualized as a set of concentric rings, with the data to be secured at the center.
- Each ring adds an additional layer of security around the data.
- This approach removes reliance on any single layer of protection; it slows down an attack and provides alert telemetry that can be acted upon, either automatically or manually.
Let's take a look at each of the layers.
Data
In almost all cases, attackers are after data:
- Stored in a database
- Stored on disk inside virtual machines
- Stored on a SaaS application such as Office 365
- Stored in cloud storage
It's the responsibility of those storing and controlling access to data to ensure that it's properly secured.
Application
- Ensure applications are secure and free of vulnerabilities.
- Store sensitive application secrets in a secure storage medium.
- Make security a design requirement for all application development.
Integrating security into the application development life cycle will help reduce the number of vulnerabilities introduced in code.
Compute
- Secure access to virtual machines.
- Implement endpoint protection and keep systems patched and current.
Malware, unpatched systems, and improperly secured systems open your environment to attacks. Make sure your compute resources are secure with proper controls in place to minimize security issues.
Networking
- Limit communication between resources.
- Deny by default.
- Restrict inbound internet access and limit outbound, where appropriate.
- Implement secure connectivity to on-premises networks.
Limit network connectivity across all your resources to allow only what is required.
Perimeter
- Use distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for end users.
- Use perimeter firewalls to identify and alert on malicious attacks against your network.
At the network perimeter, it's about protecting from network-based attacks against your resources.
Identity and access
- Control access to infrastructure and change control.
- Use single sign-on and multi-factor authentication.
- Audit events and changes.
It is all about ensuring identities are secure, access granted is only what is needed, and changes are logged.
Physical security
- Physical building security and controlling access to computing hardware within the data center is the first line of defense.
The intent is to provide physical safeguards against access to assets. These safeguards ensure that other layers can't be bypassed, and loss or theft is handled appropriately.
Azure helps alleviate your security concerns. But security is still a shared responsibility.
Azure Security Center
Security Center is a monitoring service that provides threat protection across all of your services both in Azure, and on-premises. Security Center can:
- Provide security recommendations
- Monitor security settings
- Continuously monitor all your services, and perform automatic security assessments to identify potential vulnerabilities before they can be exploited.
- Use machine learning to detect and block malware
- Analyze and identify potential inbound attacks, and help to investigate threats and any post-breach activity that might have occurred.
- Provide just-in-time access control for ports
Available tiers
Azure Security Center is available in two tiers:
- Free. Available as part of your Azure subscription, this tier is limited to assessments and recommendations of Azure resources only.
- Standard. This tier provides a full suite of security-related services including continuous monitoring, threat detection, just-in-time access control for ports, and more.
Usage scenarios
- Use Security Center for incident response: you can use Security Center during the detect, assess, and diagnose stages.
- Use Security Center recommendations, such as security policy and Security Center analysis, to enhance security.
Identity and access
Network perimeters, firewalls, and physical access controls used to be the primary protection of any data.
Authentication and authorization
Two fundamental concepts:
- Authentication is the process of establishing the identity of a person or service looking to access a resource. It involves the act of challenging a party for legitimate credentials.
- Authorization is the process of establishing what level of access an authenticated person or service has. It specifies what data they're allowed to access and what they can do with it.
Azure Active Directory
Azure AD is a cloud-based identity service.
Azure AD provides services such as:
- Authentication. Providing functionality such as self-service password reset, multi-factor authentication (MFA), a custom banned password list, and smart lockout services.
- Single-Sign-On (SSO). A single identity is tied to a user, simplifying the security model.
- Application management. You can manage your cloud and on-premises apps using Azure AD Application Proxy, SSO, the
- Business to business (B2B) identity services. Manage your guest users and external partners while maintaining control over your own corporate data.
- Business-to-Customer (B2C) identity services. Customize and control how users sign up, sign in, and manage their profiles when using your apps with services.
- Device Management. Manage how your cloud or on-premises devices access your corporate data.
Single sign-on
SSO enables users to remember only one ID and one password to access multiple applications.
- Access across applications is granted to a single identity tied to a user, simplifying the security model.
- By leveraging Azure AD for SSO you'll also have the ability to combine multiple data sources into an intelligent security graph. This security graph enables the ability to provide threat analysis and real-time identity protection to all accounts in Azure AD.
Multi-factor authentication
Multi-factor authentication (MFA) provides additional security for your identities by requiring two or more elements for full authentication.
- Something you know would be a password or the answer to a security question.
- Something you possess could be a mobile app that receives a notification or a token-generating device.
- Something you are is typically some sort of biometric property, such as a fingerprint or face scan used on many mobile devices.
Providing identities to services
Service principals:
An identity is just a thing that can be authenticated.
A principal is an identity acting with certain roles or claims.
A service principal is an identity that is used by a service or application. And like other identities, it can be assigned roles.
Managed identities for Azure services
Managed identities for Azure services make this much easier: Azure does most of the work of creating and managing the service principal for you.
Role-based access control
Roles are sets of permissions, like "Read-only" or "Contributor", that users can be granted to access an Azure service instance.
- Identities are mapped to roles directly or through group membership
- Roles can be granted at the individual service instance level.
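To make the two bullets above concrete, here is an added example (not code from the notes or from Azure) of how a role-based check works: roles are sets of permissions, identities pick up roles directly or through group membership, and a role granted at one scope applies to everything beneath it. The role definitions, group, principals and the "/sub1/rg-web/vm-01" scope hierarchy are all constructed for illustration and are not Azure's real role definitions or resource IDs.

```python
"""Role-based access check with scope inheritance and group membership."""
from __future__ import annotations
from dataclasses import dataclass

# Roles are named sets of permissions. These are constructed approximations
# of Azure's built-in Reader and Contributor, not the real role definitions.
ROLES: dict[str, set[str]] = {
    "Reader": {"read"},
    "Contributor": {"read", "write", "delete"},
}

# Group membership: an identity inherits every role assigned to its groups.
GROUPS: dict[str, set[str]] = {
    "ops-team": {"alice", "bob"},
}


@dataclass(frozen=True)
class Assignment:
    principal: str  # user or group name
    role: str       # key into ROLES
    scope: str      # "/sub1", "/sub1/rg-web", "/sub1/rg-web/vm-01" (constructed hierarchy)


def scope_covers(assigned: str, requested: str) -> bool:
    """A role granted at a scope applies to that scope and everything beneath it."""
    return requested == assigned or requested.startswith(assigned.rstrip("/") + "/")


def principals_for(identity: str) -> set[str]:
    """The identity itself plus every group it is a member of."""
    return {identity} | {g for g, members in GROUPS.items() if identity in members}


def effective_permissions(identity: str, scope: str, assignments: list[Assignment]) -> set[str]:
    """Union of the permissions from every assignment that reaches this identity at this scope."""
    who = principals_for(identity)
    perms: set[str] = set()
    for a in assignments:
        if a.principal in who and scope_covers(a.scope, scope):
            perms |= ROLES[a.role]
    return perms


def is_allowed(identity: str, action: str, scope: str, assignments: list[Assignment]) -> bool:
    """Authorization decision: denied unless some role assignment grants the action here."""
    return action in effective_permissions(identity, scope, assignments)


# Constructed assignments: the whole ops team can read the subscription,
# only alice may change things, and only inside one resource group.
ASSIGNMENTS = [
    Assignment("ops-team", "Reader", "/sub1"),
    Assignment("alice", "Contributor", "/sub1/rg-web"),
]

if __name__ == "__main__":
    for who, action, scope in [
        ("bob", "read", "/sub1/rg-web/vm-01"),
        ("bob", "write", "/sub1/rg-web/vm-01"),
        ("alice", "write", "/sub1/rg-web/vm-01"),
        ("alice", "write", "/sub1/rg-db/sql-01"),
    ]:
        verdict = "allow" if is_allowed(who, action, scope, ASSIGNMENTS) else "deny"
        print(f"{who:5} {action:5} {scope:22} -> {verdict}")
```

Note the least-privilege shape of the constructed assignments: broad read at the top of the hierarchy, write only where it is needed, and a user who holds no assignment at all gets nothing.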
Privileged Identity Management
Azure AD Privileged Identity Management (PIM) is an additional, paid-for offering that provides oversight of role assignments, self-service, and just-in-time role activation and Azure AD and Azure resource access reviews.
Identity allows us to maintain a security perimeter, even outside our physical control. With single sign-on and appropriate role-based access configuration, we can always be sure who has the ability to see and manipulate our data and infrastructure.
Encryption
Encryption is the process of making data unreadable and unusable to unauthorized viewers. To use or read the encrypted data, it must be decrypted, which requires the use of a secret key.
There are two top-level types of encryption: symmetric and asymmetric.
Symmetric encryption uses the same key to encrypt and decrypt the data.
Asymmetric encryption uses a public key and private key pair.
Encryption at rest
Data at rest is the data that has been stored on a physical medium. This data could be stored on the disk of a server, data stored in a database, or data stored in a storage account. Regardless of the storage mechanism, encryption of data at rest ensures that the stored data is unreadable without the keys and secrets needed to decrypt it.
Encryption in transit
Data in transit is the data actively moving from one location to another, such as across the internet or through a private network. Secure transfer can be handled by several different layers. It could be done by encrypting the data at the application layer prior to sending it over a network. HTTPS is an example of application-layer encryption in transit.
Encryption on Azure
Encrypt raw storage
Azure Storage Service Encryption
- With this feature, the Azure storage platform automatically encrypts your data before persisting it to Azure Managed Disks, Azure Blob storage, Azure Files, or Azure Queue storage, and decrypts the data before retrieval.
- The handling of encryption, encryption at rest, decryption, and key management in Storage Service Encryption is transparent to applications using the services.
Encrypt virtual machine disks
Azure Disk Encryption is a capability that helps you encrypt your Windows and Linux IaaS virtual machine disks.
The solution is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets (and you can use managed service identities for accessing Key Vault).
Encrypt databases
Transparent data encryption (TDE) helps protect Azure SQL Database and Azure Data Warehouse against the threat of malicious activity.
Encrypt secrets
In Azure, we can use Azure Key Vault to protect our secrets.
Azure Key Vault is a centralized cloud service for storing your application secrets.
It is useful for a variety of scenarios:
- Secrets management.
- Key management.
- Certificate management.
- Store secrets backed by hardware security modules (HSMs).
Benefits:
- Centralized application secrets.
- Securely stored secrets and keys.
- Monitor access and use.
- Simplified administration of application secrets.
- Integrate with other Azure services. You can integrate Key Vault with storage accounts, container registries, event hubs, and many more Azure services.
Azure certificates
Transport Layer Security (TLS) is the basis for encryption of website data in transit. TLS uses certificates to encrypt and decrypt data.
Types of certificates
- Service certificates are used for cloud services
- Management certificates are used for authenticating with the management API
Service certificates
- Service certificates are attached to cloud services and enable secure communication to and from the service.
- You can upload service certificates to Azure either using the Azure portal or by using the classic deployment model.
- Service certificates are associated with a specific cloud service.
- They are assigned to a deployment in the service definition file.
Management certificates
- Management certificates allow you to authenticate with the classic deployment model.
- Many programs and tools (such as Visual Studio or the Azure SDK) use these certificates to automate configuration and deployment of various Azure services.
- However, these types of certificates are not related to cloud services.
Using Azure Key Vault with certificates
You can store your certificates in Azure Key Vault - much like any other secret.
However, Key Vault provides additional features above and beyond the typical certificate management.
- You can create certificates in Key Vault, or import existing certificates
- You can securely store and manage certificates without interaction with private key material.
- You can create a policy that directs Key Vault to manage the life cycle of a certificate.
- You can provide contact information for notification about life-cycle events of expiration and renewal of certificate.
- You can automatically renew certificates with selected issuers - Key Vault partner x509 certificate providers / certificate authorities.
Network Security
Securing your network from attacks and unauthorized access is an important part of any architecture.
A layered approach to network security provides multiple levels of protection, so that if an attacker gets through one layer, further protections are in place to limit the attack.
Internet protection
Azure Security Center will identify internet-facing resources that don't have network security groups associated with them, as well as resources that are not secured behind a firewall.
Firewall
A firewall is a service that grants server access based on the originating IP address of each request.
Firewall rules, generally speaking, also include specific network protocol and port information.
To provide inbound protection at the perimeter, you have several choices.
- Azure Firewall is a managed, cloud-based, network security service that protects your Azure Virtual Network resources.
- It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
- Azure Firewall provides inbound protection for non-HTTP/S protocols.
- Examples of non-HTTP/S protocols include: Remote Desktop Protocol (RDP), Secure Shell (SSH), and File Transfer Protocol (FTP). It also provides outbound, network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S.
- Azure Application Gateway is a load balancer that includes a Web Application Firewall (WAF) that provides protection from common, known vulnerabilities in websites. It is designed to protect HTTP traffic.
- Network virtual appliances (NVAs) are ideal options for non-HTTP services or advanced configurations, and are similar to hardware firewall appliances.
Azure DDoS Protection
Distributed Denial of Service (DDoS) attacks: Any resource exposed on the internet is at risk of being attacked by a denial of service attack. These types of attacks attempt to overwhelm a network resource by sending so many requests that the resource becomes slow or unresponsive.
The Azure DDoS Protection service protects your Azure applications by monitoring traffic at the Azure network edge before it can impact your service's availability. Within a few minutes of attack detection, you are notified using Azure Monitor metrics.
Azure DDoS Protection provides the following service tiers:
- Basic - The Basic service tier is automatically enabled as part of the Azure platform. Always-on traffic monitoring and real-time mitigation of common network-level attacks. Azure's global network is used to distribute and mitigate attack traffic across regions.
- Standard - The Standard service tier provides additional mitigation capabilities that are tuned specifically to Microsoft Azure Virtual Network resources. DDoS standard protection can mitigate the following types of attacks:
- Volumetric attacks. The attacker's goal is to flood the network layer with a substantial amount of seemingly legitimate traffic.
- Protocol attacks. These attacks render a target inaccessible by exploiting a weakness in the layer 3 and layer 4 protocol stack.
- Resource (application) layer attacks. These attacks target web application packets to disrupt the transmission of data between hosts.
Controlling the traffic
Virtual network security:
Network Security Groups allow you to filter network traffic to and from Azure resources in an Azure virtual network. An NSG can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol.
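The firewall description earlier (access decided by originating IP address, protocol and port) and the NSG paragraph above describe the same evaluation model, and the networking layer's "deny by default" rule is what closes the gaps. Here is an added example, not code from the notes or from Azure, of that evaluation: rules carry a priority, are matched by direction, protocol, source prefix and destination port, the first match wins, and a flow that matches nothing is denied. The rule set, addresses and the DefaultDeny name are constructed; real NSGs also ship platform default rules at priority 65000 and above, which are deliberately left out here.

```python
"""Network security group style rule evaluation: deny by default, lowest priority wins."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower numbers are evaluated first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR prefix, single address, or "*" for any
    dest_ports: str    # "22", "80-443" or "*"


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    dst_port: int


def _ip_matches(spec: str, ip: str) -> bool:
    return spec == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (
        rule.direction == flow.direction
        and rule.protocol in ("*", flow.protocol)
        and _ip_matches(rule.source, flow.src_ip)
        and _port_matches(rule.dest_ports, flow.dst_port)
    )


def evaluate(rules: list[Rule], flow: Flow) -> tuple[str, str]:
    """Walk rules in ascending priority; the first match decides. Nothing matched: deny."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, flow):
            return rule.access, rule.name
    return "Deny", "DefaultDeny"


# Constructed rule set for a web VM: block one abusive range first, expose HTTPS to the
# internet, allow SSH only from the corporate range, and let only DNS out.
RULES = [
    Rule("DenyBlockedSource", 50, "Inbound", "Deny", "*", "198.51.100.0/24", "*"),
    Rule("AllowHttpsIn", 100, "Inbound", "Allow", "Tcp", "*", "443"),
    Rule("AllowSshFromCorp", 200, "Inbound", "Allow", "Tcp", "10.0.0.0/8", "22"),
    Rule("AllowDnsOut", 300, "Outbound", "Allow", "Udp", "*", "53"),
]

if __name__ == "__main__":
    for f in [
        Flow("Inbound", "Tcp", "203.0.113.5", 443),
        Flow("Inbound", "Tcp", "203.0.113.5", 22),
        Flow("Inbound", "Tcp", "10.1.2.3", 22),
        Flow("Inbound", "Tcp", "198.51.100.9", 443),
        Flow("Outbound", "Tcp", "10.1.2.3", 25),
    ]:
        print(f, "->", evaluate(RULES, f))
```

Two things worth noticing when reading the output: the deny at priority 50 beats the HTTPS allow for the blocked range even though the allow is broader, and SSH from the internet is refused without any rule saying so, purely because nothing allowed it.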
You can completely remove public internet access to your services by restricting access to service endpoints. With service endpoints, Azure service access can be limited to your virtual network.
Network integration
Virtual private network (VPN) connections are a common way of establishing secure communication channels between networks. Connections between Azure Virtual Network and an on-premises VPN device are a great way to provide secure communication between your network and your VNet on Azure.
ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider.
A layered approach to network security helps reduce your risk of exposure through network-based attacks.
Protect your shared documents
Microsoft Azure Information Protection (sometimes referred to as AIP) is a cloud-based solution that helps organizations classify and optionally protect documents and emails by applying labels.
Labels can be applied automatically based on rules and conditions. Labels can also be applied manually. You can also guide users to choose recommended labels with a combination of automatic and manual steps.
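As an added example of the labeling flow just described (not code from the notes or from Microsoft's AIP), the block below applies labels from rule conditions: an "automatic" condition applies its label, a "recommended" condition only proposes it, and a user can still set a label by hand. The label names, the two regular-expression conditions and the document text are all constructed; they are not Microsoft's sensitive-information types. The rule that a manual label may raise but not lower an automatically applied one is a design choice of this example, not AIP behaviour.

```python
"""Rule-driven document labeling: automatic labels, recommended labels, manual override."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed label taxonomy, ordered from least to most sensitive.
LABEL_RANK = {"Public": 0, "General": 1, "Confidential": 2, "Highly Confidential": 3}
DEFAULT_LABEL = "General"


@dataclass(frozen=True)
class Condition:
    label: str
    pattern: re.Pattern
    mode: str             # "automatic": apply the label; "recommended": only suggest it
    min_matches: int = 1  # how many hits are needed before the condition fires


# Constructed conditions: a payment-card-like number forces the top label,
# an "internal only" marker merely recommends Confidential.
CONDITIONS = [
    Condition("Highly Confidential",
              re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"), "automatic"),
    Condition("Confidential",
              re.compile(r"\b(?:internal only|do not distribute)\b", re.IGNORECASE), "recommended"),
]


def _higher(candidate: str, current: str | None) -> bool:
    return current is None or LABEL_RANK[candidate] > LABEL_RANK[current]


def classify(text: str, manual_label: str | None = None) -> tuple[str, str | None]:
    """Return (applied_label, recommended_label_or_None).

    Automatic conditions apply the most sensitive matching label; recommended ones only
    propose it. Design choice of this example: a manual label may raise the applied
    label but never lower one that a rule applied automatically."""
    applied: str | None = None
    recommended: str | None = None
    for c in CONDITIONS:
        if len(c.pattern.findall(text)) < c.min_matches:
            continue
        if c.mode == "automatic" and _higher(c.label, applied):
            applied = c.label
        elif c.mode == "recommended" and _higher(c.label, recommended):
            recommended = c.label
    if manual_label is not None and _higher(manual_label, applied):
        applied = manual_label
    applied = applied or DEFAULT_LABEL
    # A recommendation that is not stricter than what is already applied is moot.
    if recommended is not None and LABEL_RANK[recommended] <= LABEL_RANK[applied]:
        recommended = None
    return applied, recommended


if __name__ == "__main__":
    for doc in ["Card 4111 1111 1111 1111 on file", "Internal only: Q3 roadmap", "Hello world"]:
        print(repr(doc), "->", classify(doc))
```

The split between automatic and recommended modes is the part practitioners usually tune: high-confidence patterns get applied without asking, while fuzzier signals are surfaced to the user so false positives do not silently lock a document down.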
Azure Advanced Threat Protection
Azure Advanced Threat Protection (Azure ATP) is a cloud-based security solution that identifies, detects, and helps you investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
Azure ATP consists of several components:
- Azure ATP portal: In this you can monitor and respond to suspicious activity. The Azure ATP portal allows you to create your Azure ATP instance, and view the data received from Azure ATP sensors. You can also use the portal to monitor, manage, and investigate threats in your network environment.
- Azure ATP sensor: Azure ATP sensors are installed directly on your domain controllers. The sensor monitors domain controller traffic without requiring a dedicated server or configuring port mirroring.
- Azure ATP cloud service: Azure ATP cloud service runs on Azure infrastructure and is currently deployed in the United States, Europe, and Asia. Azure ATP cloud service is connected to Microsoft's intelligent security graph.
Azure ATP licensing
Azure ATP is available as part of the Enterprise Mobility + Security E5 suite (EMS E5) and as a standalone license. You can acquire a license directly from the Enterprise Mobility + Security Pricing Options page or through the Cloud Solution Provider (CSP) licensing model. It is not available to purchase via the Azure portal.
Microsoft Security Development Lifecycle (SDL)
The Microsoft Security Development Lifecycle (SDL) introduces security and privacy considerations throughout all phases of the development process. It helps developers build highly secure software, address security compliance requirements, and reduce development costs.
It lets you:
- Provide training
- Define security requirements
- Define metrics and compliance reporting
- Perform threat modeling
- Establish design requirements
- Define and use cryptography standards
- Manage security risks from using third-party components
- Use approved tools
- Perform Static Analysis Security Testing
- Perform Dynamic Analysis Security Testing
- Perform penetration testing
- Establish a standard incident response process
Thank you for reading 😊