- Azure provides a unified platform for modern business with compute, data, storage, networking and application services across global Azure regions and a consistent hybrid cloud.
- Azure focuses on security and privacy with an emphasis on detection, response, and protection across infrastructure, platforms and applications.
- Security is a shared responsibility between Microsoft and customers, with Microsoft providing security controls and capabilities to help protect customer data and applications.
Report
Share
Report
Share
1 of 28
More Related Content
Azure security and Compliance
2. Unified platform for modern business
Azure Regions
Compute Data Storage Network Services App Services
5. AZURE
SECURITY POSTURE
!
DETECT
Auditing and Certification
Live Site Penetration Testing
Centralized Logging and Monitoring
Fraud and Abuse Detection
RESPOND
Breach Containment
Coordinated Security Response
Customer Notification
PROTECT
Security Development Lifecycle
Threat Modeling
Code Review
Security Testing
Network/User/Data/System security
LEARN
Post-Breach Assessment
ASSUME BREACH
6. Cloud Services Security is a Shared Responsibility
The
security
of your
Microsoft
cloud service
is a partnership
between
You and
Microsoft.
Microsoft cloud
services are built
on a foundation of
trust and security.
Microsoft provides
you security controls
and capabilities to
help you protect your
data and applications
You own your data
and identities and
the responsibility for
protecting them, the
security of your on-
premises resources,
and the security of
cloud components
you control
(varies by service
Administration
Applications
Data
Runtime
Middleware
O/S
Virtualization
Servers
Storage
Networking
Managed by
Customer
Managed by
Service Provider
IaaSOn Prem PaaS SaaS
7. Incident
Response
(MSRC)
Establish
release
criteria &
sign-off as
part of FSR
Guide product teams to meet SDL requirements
Administer and track
security training
Training Requirements Design Implementation Verification Release Response
Education Process Accountability
Ongoing Process Improvements
Security Development Lifecycle
Infrastructure security controls Operational security controls Compliance
8. • Secure Development Lifecycle -
https://www.microsoft.com/en-us/sdl/
• Tools to enable writing and releasing secure code
Empowering You
Secure Code Analysis VSTS Extension (Private Preview)
Contact: sdt-vsts@microsoft.com
Static Analysis for .NET
Roslyn, Security Analyzers
Binary Static Analysis Tool [GitHub]
provides security and correctness results for Windows portable executables
CREDSCAN
Detecting creds in
source & more
Credential Scanner
GitHub, VS-IDE Integration
Threat Modelling Tool
TMT2016
Secure Development Lifecycle
9. Natural Disasters
Intrusion & DDoS
Identity
Management
Administration Console Hardware
Management
Vulnerability Patching
/ Monitoring
DATA
COMPUTE
NETWORK
STORAGE
TRUST
Data Protection
Physical Access
SECURING THE PLATFORM
EMPOWERING YOU
10. Natural Disasters
Intrusion & DDoS
Administration Console and
Identity Management
Hardware
Management
Vulnerability Patching
/ Monitoring
Data
Protection
Physical Access
DATA
COMPUTE
BANDWIDTH
RELIABILITY
TRUST
• Locked down Secure Admin Workstation
• Secure Boot, HW security, no admin, restricted browsing,
• AppLocker & Device Guard, Software Center, App security review
• Dedicated identity and resource forests
• Multi-factor authentication with physical or virtual smartcard
• Least and Temporarily Privilege, Just in Time elevation
• Access Control and Monitoring
Securing the Platform
• Privileged Access Workstation guidance on TechNet [link]
• Multi-factor authentication
• AAD Conditional Access (Location, Compliant devices)
• Just in Time access to IaaS
• AAD Monitoring
Empowering You
Identity
Management
Administration Console
11. Data Protection
• Azure Key Vault & internal key management solution
• Bitlocker
• Access Control with Just In Time elevation and monitoring
• Data segregation (multi-tenant)
Securing the Platform
• Azure Key Vault with Hardware Security Modules (“HSM”)
• Virtual machine encryption
• Storage encryption
• Transparent data layer encryption (“TDLE”) for SQL
• Data destruction policy
Empowering you
Intrusion & DDoS
Hardware
Management
Vulnerability Patching
/ Monitoring
Data
Protection
Physical Access
DATA
COMPUTE
BANDWIDTH
RELIABILITY
TRUST
Identity
Management
Administration Console
Natural Disasters
12. Vulnerability Patching / Monitoring
• Access Control and Monitoring
• Baseline configuration
• Antimalware
• Update monitoring and management
• Vulnerability scanning
Securing the Platform
• Azure Security Center
• Antimalware
• Baseline configuration monitoring
• Update monitoring
• Vulnerability scanning (3rd party solution)
• Security detections
• Web Application Firewall
• SIEM integration with Azure Monitor
Empowering you
Intrusion & DDoS
Hardware
Management
Vulnerability Patching
/ Monitoring
Data
Protection
Physical Access
DATA
COMPUTE
BANDWIDTH
RELIABILITY
TRUST
Identity
Management
Administration Console
Natural Disasters
14. Intrusion and DDoS
• Segmentation
• Access Control Lists
• Intrusion Detection
• Host firewall
• Edge vulnerability scanning
• DDoS protection
Securing the Platform
• Host firewall (IaaS)
• Virtual Networks (private IP space for your services)
• Network Security Groups
• Virtual Private Networks
• Just-in-Time VM access (Azure Security Center)
• Network access rules in AAD
Empowering you
Intrusion & DDoS
Hardware
Management
Vulnerability Patching
/ Monitoring
Data
Protection
Physical Access
DATA
COMPUTE
BANDWIDTH
RELIABILITY
TRUST
Identity
Management
Administration Console
Natural Disasters
15. Data Center Security
• Multiple layers of physical security
• 24/7/365 surveillance and protection
• Vehicle and individual access checkpoints
• Multi-factor biometric entry point
• Metal detectors
• State-of-the-art fire suppression systems
Securing the Platform
Intrusion & DDoS
Hardware
Management
Monitoring
Data
Protection
Physical Access
DATA
COMPUTE
BANDWIDTH
RELIABILITY
TRUST
Identity
Management
Administration Console
Natural Disasters
17. RED team vs. BLUE team
ExfiltrateElevateMovePersistFootholdDeliveryRecon
ExecutePlanContextTriageAlertDetectGather
Red Team
• Dedicated adversary performing targeted and persistent attacks against our
Microsoft Online Services.
• Attack and penetrate environments using the same steps adversary’s kill chain
• Mean Time to Compromise (MTTC) + Mean Time to Privilege Escalation (MTTP)
Blue Team
• Dedicated set of security responders or members from across the Security Incident Response, Engineering and
Operations organizations.
• Estimated Time to Detection (ETTD) + Estimated Time to Recovery (ETTR)
18. USGovGlobalRegionalIndustry
ISO 27001:2013
ISO 27017:2015
ISO 27018:2014
ISO 22301:2012
ISO 9001:2015
ISO 20000-1:2011
SOC 1 Type 2
SOC 2 Type 2
SOC 3
CSA STAR Certification
CSA STAR Attestation
CSA STAR Self-Assessment
WCAG 2.0 (ISO
40500:2012)
FedRAMP High
FedRAMP Moderate
EAR
DoE 10 CFR Part 810
NIST SP 800-171
NIST CSF
Section 508 VPATs
FIPS 140-2
ITAR
CJIS
IRS 1075
PCI DSS Level 1
GLBA
FFIEC
Shared Assessments
FISC (Japan)
APRA (Australia)
FCA (UK)
MAS + ABS (Singapore)
23 NYCRR 500
HIPAA BAA
HITRUST
21 CFR Part 11 (GxP)
MARS-E
NHS IG Toolkit (UK)
NEN 7510:2011 (Netherlands)
FERPA
CDSA
MPAA
DPP (UK)
FACT (UK)
SOX
Argentina PDPA
Australia CCSL / IRAP
Canada Privacy Laws
China GB 18030:2005
China DJCP (MLPS) Level 3
Singapore MTCS Level 3
Spain ENS
Spain DPA
UK Cyber Essentials Plus
UK G-Cloud
UK PASF
China TRUCS / CCCPPF
EN 301 549
EU ENISA IAF
EU Model Clauses
EU – US Privacy Shield
Germany C5
DFARS
DoD DISA SRG Level 5
DoD DISA SRG Level 4
DoD DISA SRG Level 2
Germany IT-Grundschutz workbook
India MeitY
Japan CS Mark Gold
Japan My Number Act
Netherlands BIR 2012
New Zealand Gov CC Framework
https://aka.ms/AzureCompliance
Azure is a market leader in compliance coverage
24. Identity & Access: Azure AD Overview
Azure Active Directory (AAD)
offers identity and access
management in the cloud w/
federation to enterprise AD
Enterprise Cloud
Strong authentication adds an
extra layer of security for user
logins.
Multi-Factor Authentication
Developers can integrate
their app with Azure AD for
single sign-on functionality
Azure AD: Single Sign-on
Security reports monitor
access patterns that help
identify potential threats.
Security Monitoring
Role-based access; grant
least privilege required for
task
Role Based Access Control
Manage, control and monitor
access to Azure AD and O365
resources thru membership
in built-in admin roles.
Privileged Identity Mgmt
25. Review reports and
mitigate potential threats
Can enable Multi-Factor
Authentication
PCs and devices
Microsoft apps
Non-MS cloud-based apps
Custom
LOB apps
ISV/CSV
apps
Other Directories
Active Directory
Identity & Access: Single Sign-On Scenario
26. Data protection
Data segregation
Logical isolation segregates each customer’s
data from that of others.
In-transit data protection
Industry-standard protocols encrypt data in
transit to/from outside components, as well as
data in transit internally by default.
Data redundancy
Customers have multiple options for
replicating data, including number of copies
and number and location of replication
datacenters.
At-rest data protection
Customers can implement a range of
encryption options for virtual machines and
storage.
Encryption
Data encryption in storage or in transit can be
deployed by the customer to align with best
practices for ensuring confidentiality and
integrity of data.
Data destruction
When customers delete data or leave Azure,
Microsoft follows procedures to render the
previous customer’s data inaccessible.
26
27. • Monitor 100,000+ vulnerability reports
• Sourced from customers & worldwide
network of security researchers
• Reviews and tests all changes
• Prioritize critical
updates
• Monthly OS
releases with
patches
• Reconciliation
report
• Resolution
summary
• Scanning &
reporting of all
Azure VMs
• Track & remediate
any findings
AZURE:
Apply patch management as a
service
Rigorously reviews & tests all
changes
CUSTOMER:
Applies similar patch
management strategies for their
Virtual Machines
Update Management
MONTHLY
MSRC PATCH
REVIEW
PATCHING
ROLLOUT
SCANNING
AUDIT
VALIDATION
Encryption Secure Networking Partner Solutions
Slide script:
Thank you for taking the time today to walk through an end-to-end tour of Azure Security- the intensive and extensive work we’re doing to deliver a cloud you can trust.
We’ll focus first on the work we do to secure the platform, and then we’ll cover all of the options we provide to empower you to meet your security requirements.
Topline point: hard and fast rule – every software team goes through this, every release – it’s also embedded in our internal governance.
Slide script:
The Microsoft Security Development Lifecycle (SDL) is a set of processes and tools designed to minimize the number and severity of vulnerabilities in software products. It encompasses education of development personnel, secure development processes, and accountability of individuals and product teams, all for the building of more consistently secure software.
Azure uses the SDL to systematically address security threats throughout the development process: through threat modeling during the design process; following development best practices and code security standards during coding; and requiring the use of various tools for testing and verification before deployment. These proactive checks during development make software less vulnerable to potential threats after release, and the SDL provides a structured and consistent methodology through which to apply them. These methodologies, which are supported by an executive commitment to security, have helped Microsoft develop more secure software.
Slide script:
The security controls and risk management processes Microsoft has in place to secure the cloud infrastructure reduce the risk of security incidents, but in the event an incident occurs, the Security Incident Management (SIM) team within the Microsoft Online Security Services & Compliance (OSSC) team is ready 24 hours a day, every day to respond. SIM’s mission is to quickly and accurately assess and mitigate computer security incidents involving Microsoft's Online Services, while managing the necessary internal and customer communications.
When events are detected, a 9-step process is kicked off that focuses first on containment and recovery. Customers notification is a key part of this process. Customers notification is a key part of this process. Microsoft Azure provides coordination of forensic analysis, evaluation of logs, and VHD images in the event of platform-level incident. Azure also works with customers to provide log data to help them respond to threats.
AZURE:
Leverages a 9-step incident response process
Focuses on containment & recovery
Analyzes logs and VHD images in the event of platform-level incident and provides forensics information to customers when needed
Makes contractual commitments regarding customer notification
72 certificates as of Jan 2018
Microsoft Trust Center: https://www.microsoft.com/en-us/trustcenter
Slide title: Data protection
Slide objectives: Provide an overview of Azure data protection.
Slide script:
Both technological safeguards, such as encrypted communications, and operation processes help keep customer data secure. Customers have the flexibility to implement additional encryption and manage their own keys.
Data isolation. Azure is a multi-tenant service, meaning that multiple customers’ deployments and virtual machines are stored on the same physical hardware. Azure uses logical isolation to segregate each customer’s data from that of others. This provides the scale and economic benefits of multitenant services while rigorously preventing customers from accessing one another’s data.
Data at rest. Customers are responsible for ensuring that data stored in Azure is encrypted in accordance with their standards. Azure offers a wide range of encryption capabilities, giving customers the flexibility to choose the solution that best meets their needs.
Data in transit. For data in transit, customers can enable encryption for traffic between their own VMs and end users. Azure protects data in transit to or from outside components, as well as data in transit internally, such as between two virtual networks. Azure uses industry standard transport protocols such as TLS between user devices and Microsoft datacenters, and within datacenters themselves.
Encryption management. Encryption of data in storage and in transit can be used by Azure customers align with best practices for ensuring confidentiality and integrity of data. It is straightforward for customers to configure their Azure cloud services to use SSL to protect communications from the Internet and even between their Azure hosted VMs.
Data redundancy. Microsoft ensures data is protected in the event of a cyberattack or physical damage to a datacenter. Customers may opt for in-country storage for compliance or latency considerations or out-of-country storage for security or disaster recovery purposes. Data may be replicated within a selected geographic area for redundancy, but will not be transmitted outside it.
When you create your storage account, you must select one of the following replication options:
•Locally redundant storage (LRS). Locally redundant storage maintains three copies of your data. LRS is replicated three times within a single facility in a single region. LRS protects your data from normal hardware failures, but not from the failure of a single facility.
•Zone-redundant storage (ZRS). Zone-redundant storage maintains three copies of your data. ZRS is replicated three times across two to three facilities, either within a single region or across two regions, providing higher durability than LRS. ZRS ensures that your data is durable within a single region.
•Geo-redundant storage (GRS). Geo-redundant storage is enabled for your storage account by default when you create it. GRS maintains six copies of your data. With GRS, your data is replicated three times within the primary region, and is also replicated three times in a secondary region hundreds of miles away from the primary region, providing the highest level of durability. In the event of a failure at the primary region, Azure Storage will failover to the secondary region. GRS ensures that your data is durable in two separate regions.
Data destruction. When customers delete data or leave Azure, Microsoft follows strict standards for overwriting storage resources before reuse, as well physical destruction of decommissioned hardware. Microsoft executes a complete deletion of data on customer request and on contract termination.
Key point – patch management as a service – this gets done for you!
Slide script:
Security patches help protect systems from known vulnerabilities. Integrated deployment systems manage the distribution and installation of security updates for the Azure service. Customers can apply similar update management processes for virtual machines (VMs) deployed on Azure.
AZURE:
Microsoft Azure works with MSRC to identify when patch releases are required, and applies patches immediately or during a scheduled release to the Microsoft Azure environment based on the severity. Microsoft Azure is notified by the Microsoft Security Response Center (MSRC) and Microsoft Online Security Services & Compliance (OSSC) teams upon identification of updates applicable to Azure environment. This includes the notification of the latest patches released. Microsoft Azure works with MSRC and evaluates patch releases to determine applicability and impact to the Microsoft Azure environment and customers. The applicable security patches are released through the periodic OS release cycle in accordance with change and release management procedures. Emergency out-of-band security patches (e.g., Software Security Incident Response Process (SSIRP) patches) are expedited for more immediate release.
The patches are automatically applied to the customers’ Guest VMs unless the customer has configured the VM for manual upgrades. In this case, the customer is responsible for patching.
Microsoft Azure follows a change process to modify the underlying OS within the platform. All changes are reviewed and tested, at a minimum, for their quality, performance, impact on other systems, recovery objectives and security features before they are moved into production using the Microsoft Azure Release process. Microsoft Azure has established test windows for reviewing and testing of new features, changes to existing features and patches.
CUSTOMERS:
Customers apply patches to their Virtual Machines using Systems Center or whatever other processes they use on-premises.