Azure Security Overview
Challenges:
• Rising costs
• Increasing complexity
• Evolving security threats
• A landscape split across on-premises and cloud
• Talent gap
95% of Fortune 500 businesses trust Microsoft Cloud
“From a security point of view, I think Azure is a demonstrably more secure environment than most banks’ datacenters.”
— John Schlesinger, Chief Enterprise Architect

“Azure complies with multiple international and industry security compliance standards and certifications that our customers demand. This allows us to offer our solutions in Azure with confidence.”
— Brandon Pulsipher, Vice President of Technical Operation and Managed Services
“Microsoft has a great commitment to the problems of the enterprise. The security built into Azure is huge for us and ensures the safety of our data wherever it is.”
— Julia Anderson, Global Chief Information Officer

“Building with the additional layer of Azure security, we feel we have a far better security posture than we could provide ourselves.”
— Thomas Fredell, Chief Product Officer

“Today, our operations team saves at least 30 percent of its time by using Security Center.”
— Monish Darda, Co-founder and CTO
Security operations that work for you
Secure hardware: custom-built hardware with integrated security and attestation.
Continuous testing: red team exercises by Microsoft teams, vulnerability scanning and continuous monitoring.
Microsoft Intelligent Security Graph
Shared threat data: unique insights, informed by trillions of signals from partners, researchers, and law enforcement.
Signal sources shown: OneDrive, Outlook, Windows, Azure, Microsoft accounts, 200+ global cloud consumer and commercial services, and botnet data from the Microsoft Digital Crimes Unit.
• 5B worldwide threats detected on devices every month
• 400B emails analyzed
• 6.5B threat signals analyzed daily
• 1B+ Azure user accounts
• 450B monthly authentications
Stopping cyber attacks
Real-world intelligence at work (figure): metadata-based ML models run at the intelligent edge; sample-analysis-based and detonation-based ML models run in the intelligent cloud. The timeline shown spans 2017 and 2018.
• February 3, 2018: client machine learning algorithms automatically stopped the Emotet malware attack in real time.
• August 2018: cloud machine learning algorithms blocked a highly targeted campaign to deliver Ursnif malware to under 200 targets.
Shared responsibility model (figure): the rows Administration, Servers, Storage and Networking are managed by the customer or by Azure depending on the service model (On Prem, IaaS, PaaS, SaaS).
Azure built-in controls: defense in depth across technology layers.
Identity and access management: secure identities to reach zero trust.
Network security controls (figure, left to right):
• DDoS protection tuned to your application traffic patterns
• Centralized inbound web application protection from common exploits and vulnerabilities (L3-L7)
• Centralized outbound and inbound (non-HTTP/S) network and application filtering
• Distributed inbound and outbound network (L3-L4) traffic filtering on VM, container or subnet
• Restrict access to Azure service resources (PaaS) to only your Virtual Network
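The distributed L3-L4 filter in that list is applied per VM, container or subnet as a priority-ordered rule set. The following is an added example, not code from the deck or from Microsoft, that models how such a rule set resolves a packet as I understand Azure Network Security Group semantics: rules are tried in ascending priority, the first rule whose direction, protocol, source and destination port all match decides, and the default rules allow VirtualNetwork and AzureLoadBalancer inbound and deny all other inbound traffic. The service-tag prefixes, custom rules and sample packets are constructed for illustration.

```python
# Added example (not from the deck): priority-ordered L3-L4 filtering on a VM,
# container or subnet, modelled on Azure NSG semantics. Service-tag prefixes,
# rule set and sample packets are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number wins; custom rules use 100-4096
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, single IP, "*" or a service tag
    dest_ports: str    # "22", "80-443" or "*"


# Constructed stand-ins for the real service-tag prefix lists.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/8"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "Internet": ["0.0.0.0/0"],
}

# Default inbound rules that every NSG carries and that cannot be removed.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
]

# Constructed custom rules for a jump host: SSH from the corporate range only,
# telnet denied from anywhere (even inside the VNet), HTTP/S open to the Internet.
USER_RULES = [
    Rule("AllowSshFromCorp", 100, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "22"),
    Rule("DenyTelnet", 110, "Inbound", "Deny", "Tcp", "*", "23"),
    Rule("AllowWebFromInternet", 300, "Inbound", "Allow", "Tcp", "Internet", "80-443"),
]


def _source_matches(rule_source: str, src_ip: str) -> bool:
    if rule_source == "*":
        return True
    prefixes = SERVICE_TAGS.get(rule_source, [rule_source])
    return any(ip_address(src_ip) in ip_network(p) for p in prefixes)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def evaluate(rules, src_ip: str, proto: str, dst_port: int, direction="Inbound"):
    """Return (access, rule_name) for the first matching rule by priority."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.direction != direction or rule.protocol not in ("*", proto):
            continue
        if _source_matches(rule.source, src_ip) and _port_matches(rule.dest_ports, dst_port):
            return rule.access, rule.name
    return "Deny", "implicit"   # not reached for Inbound: DenyAllInBound catches everything


if __name__ == "__main__":
    for pkt in [("203.0.113.7", "Tcp", 22), ("198.51.100.9", "Tcp", 22),
                ("198.51.100.9", "Tcp", 443), ("10.0.1.5", "Tcp", 23)]:
        print(pkt, "->", evaluate(USER_RULES, *pkt))
```

The point to notice is the DenyTelnet rule at priority 110: it beats the default AllowVnetInBound rule at 65000, so traffic from inside the VNet is also refused on port 23, while SSH from the VNet on port 22 still falls through to AllowVnetInBound.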
Security management: Speed + Control
Cloud-native governance -> removing barriers to compliance and enabling velocity. Personas shown: Developers, Cloud Custodian Team, Operations.
• Management Groups: define organizational hierarchy
• Policy: real-time enforcement, compliance assessment and remediation
• Blueprints: deploy and update cloud environments in a repeatable manner using composable artifacts
• Query, explore and analyze cloud resources at scale (service name not captured on the slide)
• Cost Management: monitor cloud spend and optimize resources
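The interplay between the hierarchy and policy is the part worth seeing concretely: a policy assigned at a management group applies to every subscription and resource below it. The following is an added example, not code from the deck or from Azure Policy itself, that models two common effects, Deny (the deployment is refused) and Audit (the resource is recorded as non-compliant), with Deny taking precedence when both apply. The hierarchy, assignments and resources are constructed.

```python
# Added example (not from the deck): policy inheritance through a
# management-group hierarchy with Deny and Audit effects. Hierarchy,
# assignments and resources are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# child scope -> parent scope; None marks the root management group.
HIERARCHY: Dict[str, Optional[str]] = {
    "Contoso": None,
    "Prod": "Contoso",
    "Dev": "Contoso",
    "sub-prod-1": "Prod",
    "sub-dev-1": "Dev",
}


@dataclass(frozen=True)
class Assignment:
    name: str
    scope: str                              # management group or subscription
    effect: str                             # "Deny" or "Audit"
    violates: Callable[[dict], bool]        # True when the resource breaks the rule


ASSIGNMENTS: List[Assignment] = [
    # Tenant-wide: storage accounts must require HTTPS.
    Assignment("deny-storage-without-https", "Contoso", "Deny",
               lambda r: r["type"] == "storage" and not r.get("httpsOnly", False)),
    # Production only: VMs without an owner tag are flagged, not blocked.
    Assignment("audit-vm-without-owner-tag", "Prod", "Audit",
               lambda r: r["type"] == "vm" and "owner" not in r.get("tags", {})),
    # Dev only: public IPs are refused outright.
    Assignment("deny-public-ip", "Dev", "Deny",
               lambda r: r["type"] == "publicIp"),
]


def scope_chain(scope: str) -> List[str]:
    """Scopes from the given one up to the root, e.g. sub-dev-1, Dev, Contoso."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = HIERARCHY[scope]
    return chain


def evaluate(resource: dict, scope: str) -> Tuple[str, List[str]]:
    """Return (decision, names of violated assignments); decision is
    'Deny', 'Audit' or 'Compliant'. Deny wins over Audit."""
    applicable = [a for a in ASSIGNMENTS if a.scope in scope_chain(scope)]
    violated = [a for a in applicable if a.violates(resource)]
    if any(a.effect == "Deny" for a in violated):
        decision = "Deny"
    elif violated:
        decision = "Audit"
    else:
        decision = "Compliant"
    return decision, [a.name for a in violated]
```

A VM without an owner tag is audited in sub-prod-1 but compliant in sub-dev-1, because the Audit assignment sits on Prod; the HTTPS rule on the root applies everywhere.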
CSPM: continuous assessment of security state with a dynamic secure score, plus partner solutions.
Azure security: Microsoft + Partners (figure)
Partner solutions shown: Splunk, Qualys Inc, IBM QRadar.
Capability areas: AI-based security posture assessment, multi-factor authentication, confidential computing, NG firewall, detection and response, privileged identity management, information protection, network segmentation, IoT security, SIEM.
© Microsoft Corporation
“We’ve already consolidated most of the business into a single Azure AD domain, and we use Identity Protection to automate policies for leaked credentials, sign-ins from unfamiliar locations, and other suspicious activity.”
— Chris Suozzi, Director of Cloud Programs, Hearst Communications
“We can check to make sure that our infrastructure doesn’t have an open port to the public internet or is experiencing a brute-force attack. We’ve been able to lock down our security much tighter with Azure Security Center data.”
— Matthew Douglas, Director of Cloud and Solutions Architecture, Smithfield Foods
Physical datacenter security
Extensive layers of protection: perimeter, building, server environment. Controls shown: access approval, background check, system check, video coverage (including rack front and back), employee and contractor vetting, metal detectors, two-factor authentication with biometrics, ongoing roaming patrols, secure destruction bins, and no way to identify the location of a specific customer’s data.
Azure infrastructure security
Network isolation (figure):
• Internet access is not enabled by default; client access is isolated through the Cloud Access Layer (RDP endpoint with password access) and deployments use private IP addresses.
• Customer deployments (Customer 1, Customer 2; Subnets 1-3; Deployments X and Y) are separated by firewall, load-balancer and network address translation (NAT) services; VPN and VLAN-to-VLAN connectivity to a corporate network (Corp 1) is managed by your admin.
• The MSFT routing layer is designed to withstand internal and external attacks; routing updates, flow data and a profile DB feed a detection pipeline that removes offending VMs from the network when an internally-initiated attack is detected.
• Attack traffic is diverted through a scrubbing array; scrubbed traffic is forwarded via the software load balancer (SLB) to the application.
Azure infrastructure security (slide titles; the figures were not captured): firmware supply chain; Cerberus hardware root-of-trust; code integrity policy.
Azure infrastructure security
Secure execution (figure, bottom to top: hardware, firmware (UEFI), hypervisor, kernel): Hypervisor Code Integrity (HVCI) policies run within a hardened boundary enforced by the hypervisor and stay enforced even if a vulnerability gives kernel malware unauthorized kernel-mode memory access. Also shown: Local Security Authority (LSA) credential isolation.
Azure infrastructure security
UEFI secure and measured boot (figure): hardware (NIC, GPU, BMC, …) → chipset init → secure boot firmware (UEFI 2.3.1c+, with UEFI 2.5+ for the later stages) → boot manager → OS boot loader → OS/kernel drivers and ELAM drivers → hypervisor. Boot components are Microsoft/WHQL signed, OEM/ODM OPROMs are signed, and a policy at each stage provides rootkit protection. Trusted boot produces a trustworthy TCG log that is signed and used during attestation.
Azure host attestation: the host’s TCG log is verified and a machine-bound Host Health Certificate is issued to the Azure host machine.
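The mechanics behind “a trustworthy TCG log is signed and used during attestation” are easier to see in code. The following is an added example, not code from the deck or from Azure’s attestation service: each boot stage extends a TPM Platform Configuration Register (PCR) with PCR = SHA-256(PCR || digest) and appends an event to the TCG log; the verifier replays the log, checks that it reproduces the PCR value the TPM quoted, and only then checks each measured component against an allowlist of known-good digests (the counterpart of the signed-component policy on the slide). Component contents, the allowlist and the “quote” are constructed; a real quote is a TPM signature over the PCR values.

```python
# Added example (not from the deck): measured boot (PCR extend + TCG log) and
# the verifier side of host attestation. All component blobs, the allowlist
# and the quoted PCR values are constructed.
import hashlib
from typing import Dict, List, Tuple

Event = Tuple[str, bytes]   # (component name, SHA-256 digest of what was loaded)


def measure(component: bytes) -> bytes:
    """Digest recorded for a component before control is handed to it."""
    return hashlib.sha256(component).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: the register can only be advanced, never set."""
    return hashlib.sha256(pcr + digest).digest()


def replay(log: List[Event]) -> bytes:
    """Recompute the final PCR value from the event log (PCRs start at zero)."""
    pcr = bytes(32)
    for _, digest in log:
        pcr = extend(pcr, digest)
    return pcr


def attest(log: List[Event], quoted_pcr: bytes,
           allowlist: Dict[str, bytes]) -> Tuple[bool, List[str]]:
    """Return (healthy, reasons). Healthy means the log is consistent with the
    TPM quote and every measured component is a known-good one."""
    reasons = []
    if replay(log) != quoted_pcr:
        reasons.append("event log does not replay to the quoted PCR")
    for name, digest in log:
        if allowlist.get(name) != digest:
            reasons.append(f"unexpected measurement for {name}")
    return not reasons, reasons


# Constructed boot chain for a healthy host.
GOOD_CHAIN = [
    ("UEFI firmware", b"uefi build 2.5.0 signed"),
    ("Boot manager", b"bootmgfw signed"),
    ("OS loader", b"winload signed"),
    ("Hypervisor", b"hvix64 signed"),
]
GOOD_LOG: List[Event] = [(name, measure(blob)) for name, blob in GOOD_CHAIN]
ALLOWLIST: Dict[str, bytes] = dict(GOOD_LOG)
GOOD_QUOTE = replay(GOOD_LOG)          # what the TPM on a healthy host would quote

# Bootkit scenario: the OS loader was replaced. The TPM measured what actually
# ran, so the log is honest and the quote changes with it.
ROOTKIT_LOG: List[Event] = list(GOOD_LOG)
ROOTKIT_LOG[2] = ("OS loader", measure(b"winload with bootkit"))
ROOTKIT_QUOTE = replay(ROOTKIT_LOG)

# Cover-up scenario: the attacker rewrites the log to look healthy but cannot
# rewind the TPM's PCR, so the log no longer replays to the quote.
DOCTORED_LOG: List[Event] = list(GOOD_LOG)
```

Both failure modes are caught by a different check: the bootkit is detected by the allowlist even though the log and quote agree, and the doctored log is detected by the replay even though every entry in it is on the allowlist. That is why the verifier must do both checks, in that order.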
Operational Security
Just-in-Time / Just Enough Admin access
• Azure JIT flow: the customer opens a support ticket from the Azure portal; the support request is opened (MSSOLVE) and assigned to a support engineer; DevOps on-call is engaged; Azure Lockbox sits between the support request and operator access to the production subscription.
• Operator access to production is via a Secure Administration Console: hardened Windows 10 x64 firmware with Hyper-V, productivity apps run in a VM only, whitelisted apps and URLs only, no local administrators, no incoming connections.
• Use built-in roles with pre-configured permissions (Owner, Contributor, Reader) for Microsoft Azure subscription access.
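What “just-in-time, just-enough” means in terms of checks is worth pinning down. The following is an added example, not code from the deck or from Azure Lockbox/JIT: an operator holds no standing access; a request names a built-in role, a single subscription and a support ticket; someone other than the requester approves it; the grant expires on its own. Access checks fail before approval, after expiry, outside the granted scope, for another operator, and for actions the role does not include. Role contents, names, ticket identifiers and durations are constructed.

```python
# Added example (not from the deck): a minimal JIT/JEA grant with four-eyes
# approval, scope binding and expiry. Roles, names and durations are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed stand-in for built-in role definitions.
ROLE_ACTIONS = {
    "Reader": {"read"},
    "Contributor": {"read", "write"},
    "Owner": {"read", "write", "assignRoles"},
}


@dataclass
class JitGrant:
    operator: str
    role: str
    scope: str                       # e.g. "subscriptions/prod-0001"
    ticket: str                      # support request that justifies the access
    duration: timedelta
    approved_by: Optional[str] = None
    approved_at: Optional[datetime] = None

    def approve(self, approver: str, at: datetime) -> None:
        if approver == self.operator:
            raise PermissionError("requester cannot approve their own access")
        self.approved_by, self.approved_at = approver, at

    def active_at(self, at: datetime) -> bool:
        return (self.approved_at is not None
                and self.approved_at <= at < self.approved_at + self.duration)

    def permits(self, operator: str, action: str, scope: str, at: datetime) -> bool:
        """Every condition must hold: right person, live window, same scope, action in role."""
        return (operator == self.operator
                and self.active_at(at)
                and scope == self.scope
                and action in ROLE_ACTIONS[self.role])


def new_request(operator: str, role: str, scope: str, ticket: str, hours: int = 2) -> JitGrant:
    if role not in ROLE_ACTIONS:
        raise ValueError(f"unknown role {role}")
    return JitGrant(operator, role, scope, ticket, timedelta(hours=hours))


T0 = datetime(2018, 11, 1, 9, 0, tzinfo=timezone.utc)   # constructed clock
```

The "just enough" part is the last condition in permits: a Contributor grant never lets the operator assign roles, however legitimate the ticket.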
Operational Security
Incident response (process flow): event detected → security event confirmed → DevOps engaged → security team engaged → incident assessment → determine affected Azure customers → determine customer impact → customer notification process (Step 1: customer notification).
Operational Security
Assume and prevent breach execution (tooling):
• CredScan (Credential Scanner): detecting creds in source and more; GitHub and VS IDE integration
• Static analysis for .NET: Roslyn security analyzers
• Binary static analysis tool [GitHub]: provides security and correctness results for Windows portable executables
• Secure Code Analysis VSTS extension (private preview). Contact: sdt-vsts@microsoft.com
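The following is an added example of the kind of check a credential scanner runs over source before it reaches a repository or build; it is not CredScan’s code or rule set. Two fixed-format patterns (an Azure Storage account key inside a connection string and a PEM private-key header) are matched directly; a generic “password/secret/api key = literal” pattern is kept only when the literal is not a template placeholder and has enough entropy to plausibly be a real secret. The source lines are constructed, as is the storage key (base64 of 64 ‘A’ bytes, which has the right length and padding but is not a real key).

```python
# Added example (not from the deck, not CredScan's rules): pattern plus entropy
# based credential detection over constructed source lines.
import base64
import math
import re
from typing import List, Tuple

FAKE_STORAGE_KEY = base64.b64encode(b"A" * 64).decode()   # 88 chars, ends in "=="

# (rule name, pattern, capture group holding the secret or None)
RULES = [
    ("AzureStorageAccountKey", re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)"), 1),
    ("PemPrivateKey", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"), None),
    ("GenericSecretAssignment",
     re.compile(r"(?i)(?:password|secret|api[_-]?key)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"), 1),
]
MIN_ENTROPY_BITS = 3.0   # per character; "password" scores 2.75, random keys above 4


def shannon_entropy(s: str) -> float:
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def looks_like_placeholder(value: str) -> bool:
    return "${" in value or value.startswith("<") or value.startswith("%")


def scan(source: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, rule name) for each suspected credential."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern, group in RULES:
            m = pattern.search(line)
            if not m:
                continue
            if name == "GenericSecretAssignment":
                value = m.group(group)
                if looks_like_placeholder(value) or shannon_entropy(value) < MIN_ENTROPY_BITS:
                    continue
            findings.append((lineno, name))
    return findings


# Constructed sample source file (one statement per line).
SAMPLE_SOURCE = "\n".join([
    f'STORAGE_CONN = "DefaultEndpointsProtocol=https;AccountName=contoso;'
    f'AccountKey={FAKE_STORAGE_KEY};EndpointSuffix=core.windows.net"',   # flagged
    'db_password = os.environ["DB_PASSWORD"]',      # read from the environment: no literal
    'db_password = "${DB_PASSWORD}"',              # template placeholder: skipped
    'api_key = "Zx9qL2mN8vR4tY7wQ1pK"',            # high-entropy literal: flagged
    'password = "password"',                       # low entropy: missed by the entropy gate
    'PEM = "-----BEGIN RSA PRIVATE KEY-----"',     # key material in source: flagged
])
```

Line 5 shows the trade-off of an entropy gate: it suppresses noise such as example strings, but also a hard-coded dictionary word, so production scanners pair it with a list of known-bad literals rather than relying on entropy alone.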
Secure authentication
Getting to a world without passwords: Azure AD Conditional Access combines signals about people, devices and data with intelligence to decide access.
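The following is an added example of a conditional access engine in the shape the slide sketches; it is not code from the deck and does not use Azure AD’s actual policy schema. Signals about the person (groups), the device (compliance), the data (the app) and intelligence (sign-in risk) come in; each policy that applies contributes a control, and the strictest control wins: block beats require-MFA beats allow. Policies and sign-in samples are constructed.

```python
# Added example (not from the deck, not Azure AD's schema): signal-driven
# conditional access with strictest-control-wins. Policies and sign-ins are
# constructed.
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple

SEVERITY = {"allow": 0, "mfa": 1, "block": 2}


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: FrozenSet[str]
    app: str
    device_compliant: bool
    location_trusted: bool
    risk: str                     # "none", "low", "medium" or "high"


@dataclass(frozen=True)
class Policy:
    name: str
    applies: Callable[[SignIn], bool]
    control: str                  # "mfa" or "block"


POLICIES: List[Policy] = [
    Policy("block-high-risk-sign-ins", lambda s: s.risk == "high", "block"),
    Policy("require-mfa-outside-trusted-locations", lambda s: not s.location_trusted, "mfa"),
    Policy("require-mfa-for-admins", lambda s: "admins" in s.groups, "mfa"),
    Policy("finance-app-needs-compliant-device",
           lambda s: s.app == "FinanceApp" and not s.device_compliant, "block"),
]


def decide(signin: SignIn, policies: List[Policy] = POLICIES) -> Tuple[str, List[str]]:
    """Return (control, names of the policies that applied)."""
    applied = [p for p in policies if p.applies(signin)]
    if not applied:
        return "allow", []
    strictest = max(applied, key=lambda p: SEVERITY[p.control])
    return strictest.control, [p.name for p in applied]
```

Note that policies never loosen a result: an MFA policy matching alongside a block policy still yields block, which is what makes it safe to let several teams own different policies.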
Identity protection
An integral component of Microsoft Threat Protection, alongside Azure ATP and Microsoft Cloud App Security: Azure AD Identity Protection.
Protecting data in use with Azure confidential computing (figure): front-end (Azure Web App), back-end (Azure Virtual Machines), Azure Storage, Twitter.
Many secrets in Carlos’ little app, of different types (figure; secrets are numbered 1-6 but only three captions were captured): 1 VM admin password, 4 TLS certificate, 6 disk encryption master key. Components: front-end (Azure Web App), back-end (Azure Virtual Machines), Twitter.
Discover > Eliminate > Manage > Govern
New discovery points: 3. when pushing to Git (Azure DevOps); 4. when building (Azure DevOps). Points 1 and 2 were not captured.
Discover > Eliminate > Manage > Govern
Eliminate authentication keys: compute services (Virtual Machines, VM Scale Sets, Container Instances, Web Apps, Functions, Logic Apps, API Management, Data Factory V2, …) authenticate to Azure services (Resource Manager, Key Vault, Data Lake, SQL DB, SQL DW, Event Hubs, Service Bus, Storage, …) without stored authentication keys. Also shown: encryption keys.
Discover > Eliminate > Manage > Govern
Manage certificates: built-in CAs (Digicert, GlobalSign, D-Trust) plus new partners (GoDaddy, Venafi), for your code (VMs, Containers, App Services, …) and your PaaS endpoints (CDN, API Management, …).
Discover > Eliminate > Manage > Govern
Govern keys: a crypto key from an on-prem HSM or from partner services (Thales CCKM, Gemalto DPOD) is used either for encryption or signing in your code (VMs, Containers, …) or for encryption with a customer-managed key in Azure SQL, Storage, VMs, Data Lake, Exchange, SharePoint, Information Protection, Dynamics and MongoDB Atlas. Figure: Woodgrove Bank subscription → resource group (RG) → Key Vault (KV).
New: Azure Dedicated HSM
What is it: a new service offering released in Nov 2018 for scenarios that require FIPS 140-2 Level 3 or CC EAL 4+ to meet compliance needs; direct control of HSMs (Gemalto SafeNet Luna Network HSM 7); low latency.
Management Groups: grouping and organizing subscriptions in a logical hierarchy that supports the deployment of other governance services in a structured way.
Azure Firewall
• Centralized logging: archive logs to a storage account or stream events (figure: a hub firewall in front of spoke VNets)
• Built-in high availability and scalability
• Near real time monitoring with Azure Monitor and Azure Security Center
Web Application Firewall (WAF)
• Protect applications from SQL injection, XSS, protocol violations and others
• WAF managed rules: native support for OWASP Core Rule Set 3.0 and 2.2.9
• WAF configurability
Figure: an L7 load balancer with WAF in front of the sites; a valid request is passed, an XSS attack and a SQL injection are blocked (×).
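How a managed rule set such as the OWASP Core Rule Set reaches the block/pass decision in the figure is worth seeing concretely. The following is an added example, not code from the deck and not the Core Rule Set itself: in anomaly-scoring mode, the default in CRS 3.x, every rule that matches adds its severity score to a per-request anomaly score, and the request is blocked once the score reaches the inbound threshold (CRS’s default is 5, so one CRITICAL match is enough while lower-severity matches must accumulate). Parameters are URL-decoded twice before matching so that double-encoded payloads are seen. The five rules are simplified stand-ins (counted once per request, unlike real CRS which counts each match) and the requests are constructed.

```python
# Added example (not from the deck, not CRS rules): WAF anomaly scoring over
# decoded request parameters. Rules are simplified stand-ins; URLs are constructed.
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, unquote_plus, urlsplit

CRITICAL, ERROR, WARNING, NOTICE = 5, 4, 3, 2
INBOUND_THRESHOLD = 5

RULES = [
    ("sqli-tautology-or-union",
     re.compile(r"(?i)(\bor\b\s+\d+\s*=\s*\d+|\bunion\b\s+(?:all\s+)?select\b)"), CRITICAL),
    ("xss-script-or-handler", re.compile(r"(?i)(<script\b|\bon\w+\s*=|javascript:)"), CRITICAL),
    ("path-traversal", re.compile(r"\.\./"), CRITICAL),
    ("shell-metacharacters", re.compile(r"[;|`]"), WARNING),
    ("sql-comment-sequence", re.compile(r"(--|/\*)"), NOTICE),
]


def _decoded_targets(url: str) -> List[str]:
    """Path plus every query name and value, URL-decoded a second time after
    parse_qsl's own decoding so %25-encoded payloads are unwrapped."""
    parts = urlsplit(url)
    targets = [parts.path]
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        targets.extend([name, value])
    return [unquote_plus(t) for t in targets]


def inspect(url: str) -> Tuple[str, int, List[str]]:
    """Return (decision, anomaly score, matched rule names) for a GET request."""
    score, matched = 0, []
    for target in _decoded_targets(url):
        for name, pattern, severity in RULES:
            if name not in matched and pattern.search(target):
                score += severity
                matched.append(name)
    decision = "block" if score >= INBOUND_THRESHOLD else "allow"
    return decision, score, matched
```

The two /run requests show the accumulation behaviour: a lone shell metacharacter scores 3 and passes, but adding a SQL comment sequence brings it to 5 and the request is blocked, even though neither rule alone is decisive.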
Attack vectors: 56% multi-vector; continued growth in frequency, size, sophistication and impact; often utilized as a “cyber smoke screen” to mask infiltration attacks; downtime: 35% of businesses impacted.
Azure DDoS Protection
• Cloud scale DDoS protection tuned to applications
• Simple to provision for all your virtual network resources
• Always-on monitoring with near real time telemetry and alerting
• Automatic network layer attack
What’s new: DDoS Attack Analytics
Assess potential vulnerabilities across Azure SQL and Storage services; prioritized recommendations with a security score.