
Azure security

Rising costs
Increasing complexity
Evolving security threats
The landscape: on-premises and cloud
Talent gap
95% of Fortune 500 businesses trust Microsoft Cloud

“From a security point of view, I think Azure is a demonstrably more secure environment than most banks’ datacenters.”
— John Schlesinger, Chief Enterprise Architect

“Azure complies with multiple international and industry security compliance standards and certifications that our customers demand. This allows us to offer our solutions in Azure with confidence.”
— Brandon Pulsipher, Vice President of Technical Operation and Managed Services

“Microsoft has a great commitment to the problems of the enterprise. The security built into Azure is huge for us and ensures the safety of our data wherever it is.”
— Julia Anderson, Global Chief Information Officer

“Building with the additional layer of Azure security, we feel we have a far better security posture than we could provide ourselves.”
— Thomas Fredell, Chief Product Officer

“Today, our operations team saves at least 30 percent of its time by using Security Center.”
— Monish Darda, Co-founder and CTO
Security operations that work for you
• Enterprise-class technology: intelligent security
• Partnerships for a heterogeneous world
A secure foundation at global scale
• Each physical datacenter protected with world-class, multi-layered protection
• Over 100 datacenters across the planet
• Secured with cutting-edge operational security: restricted access, 24x7 monitoring, global security experts
• Global cloud infrastructure with custom hardware and network protection
Azure infrastructure security: secure foundation
• Protect customer data: data and network segregation between customers (Customer 1, Customer 2); DDoS protection at the edge
• Secure hardware: custom-built hardware with integrated security and attestation
• Continuous testing: red team exercises by Microsoft teams, vulnerability scanning and continuous monitoring
Microsoft Intelligent Security Graph
Shared threat data: unique insights, informed by trillions of signals from partners, researchers, and law enforcement.
Signal sources: OneDrive, Outlook, Windows, Azure, Microsoft accounts, Bing
• 5B worldwide threats detected on devices every month
• 400B emails analyzed
• 6.5B threat signals analyzed daily
• 200+ global cloud consumer and commercial services
• Botnet data from Microsoft Digital Crimes Unit
• Enterprise security for 90% of Fortune 500
• 18B+ Bing web pages scanned
• 1B+ Azure user accounts
• 450B monthly authentications
Stopping cyber attacks: real-world intelligence at work
Intelligent Edge: local ML models, behavior-based detection algorithms, generics, heuristics
Intelligent Cloud: metadata-based ML models; sample analysis-based ML models; detonation-based ML models; big data analytics

2017
• October 2017 – Cloud-based detonation ML models identified Bad Rabbit, protecting users 14 minutes after the first encounter.
2018
• February 3 – Client machine learning algorithms automatically stopped the malware attack Emotet in real time.
• March 6 – Behavior-based detection algorithms blocked more than 400,000 instances of the Dofoil trojan.
• August 2018 – Cloud machine learning algorithms blocked a highly targeted campaign to deliver Ursnif malware to under 200 targets.
Cloud Services Security is a Shared Responsibility
Microsoft cloud services are built on a foundation of trust and security. Microsoft provides you security controls and capabilities to help you protect your data and applications.
The security of your Microsoft cloud service is a partnership between you and Microsoft.
You own your data and identities and the responsibility for protecting them, the security of your on-premises resources, and the security of cloud components you control (varies by service).

Responsibility by layer, from the top of the stack down (managed by the customer on-premises, shifting to the service provider across IaaS, PaaS and SaaS):
• Administration
• Applications
• Data
• Runtime
• Middleware
• O/S
• Virtualization
• Servers
• Storage
• Networking
Azure Built-in Controls
• Identity & access
• Apps & data security
• Network security
• Threat protection
• Security management

Defense in Depth: Technology
Identity and access management
Identity and access management: secure identities to reach zero trust
• Secure authentication
• Role based access control, Conditional access
• Identity protection
• Customer Lockbox to control Microsoft support access
Operational Security
• No standing access to production servers and services
• Customers approve Just in Time Microsoft support engineer access for issue resolution
• Multi-factor authentication required for admin actions
• “Secure Workstations” required to access production
• Access requests are audited, logged, and monitored

Apps and data security
Control data through its lifecycle: standard data protection
• At rest: encrypt data when stored in blob storage, database, etc. Examples: Azure Storage Service Encryption; SQL Server Transparent Database Encryption (TDE)
• In transit: encrypt data that is flowing between untrusted public or private networks. Examples: HTTPS; TLS
• In use: protect/encrypt data that is in use during computation. Examples: Trusted Execution Environments such as Intel SGX and VBS; homomorphic encryption
Key, Secrets & Certificate Management – Azure Key Vault
Safeguard cryptographic keys and other secrets used by cloud apps and services (virtual machines, applications, storage & databases)
• Encrypt keys and small secrets using keys in Hardware Security Modules (HSMs)
• Simplify and automate tasks for SSL/TLS certificates, enroll and automatically renew certificates
• Rapidly scale to meet the cryptographic needs of your cloud applications and match peak demand
Network security: network protection services enabling zero trust
Application protection
• DDoS protection: DDoS protection tuned to your application traffic patterns
• Web Application Firewall: centralized inbound web application protection from common exploits and vulnerabilities
• Azure Firewall: centralized outbound and inbound (non-HTTP/S) network and application (L3-L7) filtering
Micro segmentation
• Network Security Groups: distributed inbound & outbound network (L3-L4) traffic filtering on VM, container or subnet
• Service Endpoints: restrict access to Azure service resources (PaaS) to only your Virtual Network
Threat protection: protecting hybrid cloud workloads with Azure Security Center
Covers Azure VMs, apps & data (IaaS & PaaS services) and server workloads on-premises & other clouds.
Server protection
• Windows Server EDR with Windows Defender ATP
• Machine learning based application whitelisting
• Linux server threat protection
Threat detection
• Threat detections, actionable alerts for incidents
• Investigation for entire kill chain
• Automated response with Logic Apps workflow
Prescriptive recommendations
Brute force protection
• Just in time access to management ports
Export to Excel and Power BI
Security management: speed + control
Cloud-native governance -> removing barriers to compliance and enabling velocity
Stakeholders: Developers, Cloud Custodian Team, Operations
Building blocks: Management Groups, Cost Management, Policy, Blueprints, Templates, RBAC, Policies
Governance for the cloud: the broadest governance portfolio of any cloud
• Management Group (hierarchy): define organizational hierarchy
• Policy (control): real-time enforcement, compliance assessment and remediation
• Blueprints (environment): deploy and update cloud environments in a repeatable manner using composable artifacts
• Resource Graph (visibility): query, explore & analyze cloud resources at scale
• Cost Management (consumption): monitor cloud spend and optimize resources

Gain visibility and guidance to improve security state (CSPM)
• Continuous assessment of security state with a dynamic secure score
• Best practice recommendations
• Central policy for security and compliance
• Across all your workloads

Simplify security management with Azure services
• Identity & access management: Azure Active Directory; Multi-Factor Authentication; Role Based Access Control; Azure Active Directory (Identity Protection)
• App and data protection: Encryption (Disks, Storage, SQL); Azure Key Vault; Confidential Computing
• Network security: VNET, VPN, NSG; Application Gateway (WAF), Azure Firewall; DDoS Protection Standard; ExpressRoute
• Threat protection and security management: Azure Security Center; Microsoft Antimalware for Azure; Azure Log Analytics
+ Partner Solutions
Partnerships for a heterogeneous world
• Partner with peers
• Work with industry alliances
• Work with government

Microsoft Intelligent Security Association: collaboration strengthens protection
Teaming up with our security partners to build an ecosystem of intelligent security solutions that better defend against a world of increased threats.
Extend your existing security solution to Azure with Marketplace
Partner solutions across identity & access management, data protection, network security, threat protection and security management: Palo Alto Networks, HPE ArcSight, Splunk, Qualys Inc, IBM QRadar, and hundreds more with new partners integrating every month.


Defense in Depth: Azure security (Microsoft + Partners)
• Identity & access: Role based access; Multi-Factor Authentication; Central Identity Management; Identity Protection; Privileged Identity Management
• Apps & data security: Encryption; Confidential Computing; Key Management; Certificate Management; Information Protection
• Network security: DDoS Protection; NG Firewall; Web App Firewall; Private Connections; Network Segmentation
• Threat protection: Antimalware; AI Based Detection and Response; Cloud Workload Protection; SQL Threat Protection; IoT Security
• Security management: Log Management; Security Posture Assessment; Policy and governance; Regulatory Compliance; SIEM
© Copyright Microsoft Corporation. All rights reserved.
Deep Dive

Security Response and Monitoring: secure foundation
Incident response
• Multi-step incident response process: incident assessment, customer notification
• Focus on containment & recovery
3500+ security professionals
• Working to harden, patch and protect the platform
• 24x7 monitoring for threats; emergency response drills
“Just telling clients that we’re partnering with Azure makes them immediately comfortable. Azure is a significant competitive advantage for Nuance and our healthcare clients.”
Jonathon Dreyer, Senior Director of Solutions Marketing, Nuance Healthcare

“We’ve already consolidated most of the business into a single Azure AD domain, and we use Identity Protection to automate policies for leaked credentials, sign-ins from unfamiliar locations, and other suspicious activity.”
Chris Suozzi, Director of Cloud Programs, Hearst Communications

“We can check to make sure that our infrastructure doesn’t have an open port to the public internet or is experiencing a brute-force attack. We’ve been able to lock down our security much tighter with Azure Security Center data.”
Matthew Douglas, Director of Cloud and Solutions Architecture, Smithfield Foods
Physical datacenter security: extensive layers of protection
Access approval: background check; system check
Perimeter: perimeter fencing; front entrance gate; 1 defined access point; video coverage; ongoing roaming patrols
Building: two-factor authentication with biometrics; no building signage; ongoing roaming patrols; video coverage; verified single person entry; 24x7x365 security operations
Server environment: video coverage rack front & back; employee & contractor vetting; video coverage; metal detectors; inability to identify location of specific customer data; two-factor authentication with biometrics; ongoing roaming patrols; secure destruction bins
Azure infrastructure security: network isolation
• Internet access not enabled by default
• Isolates access through Cloud Access Layer (RDP endpoint, password access)
• Private IP addresses
• Firewall, load-balancer, network address translation (NAT) services managed by your admin
• Virtual Networks provide logical isolation
• Network isolation prevents tenant-to-tenant communications
Diagram: Internet and client reach Microsoft Azure through the Cloud Access Layer; Customer 1 (Subnet 1, Subnet 2, Subnet 3) and Customer 2 (Deployment X, Deployment Y) sit in isolated Virtual Networks, with VPN and VLAN-to-VLAN connectivity to Corp 1 and a DNS server.
Azure infrastructure security: platform protection for DDoS
• Designed to withstand internal and external attacks
• Removes offending VMs from network when internally-initiated attack detected
Diagram: traffic from the Internet enters the MSFT Routing Layer; routing updates and flow data feed a detection pipeline backed by a profile DB; attack traffic is diverted to a scrubbing array and scrubbed traffic is forwarded through the SLB to the application.
Azure infrastructure security: firmware supply chain (Microsoft Azure Platform)
Where firmware and microcontrollers are part of the TCB: BIOS FW, ME FW, BMC FW, NIC/FPGA FW, SSD FW, NAND Flash FW, PCIe OptROM FW, GPU FW, M.2, DIMM SPD FW, PCU (VR) FW, EC FW, HBA, Chassis Manager, Rack Manager
Address attack surface/threats and vulnerabilities in firmware:
• Azure defined hardware specification (platform part of OCP)
• Reduce supply chain with limited suppliers, source code access, & firmware SDL
• PEN testing and security reviews
• Hardware root of trust, NIST SP800-147b
Azure infrastructure security: Cerberus | hardware root-of-trust (Microsoft Azure Platform)
Validates all firmware on the Azure Platform before the OS boots:
• NIST 800-193 compliant to enforce firmware integrity
• Cryptographic microcontroller enforces digital signatures on all platform firmware modules
• Hierarchical root-of-trust topology provides scalable attestation for all firmware modules
Azure infrastructure security: Code Integrity Policy
• Hardware isolation renders current attack methods obsolete
• “Locked-Down” user and kernel mode policies
• PEs and scripts
• Host & infra guest enforcement
• Fine → coarse grained policy rules
• Signed policy validated with Secure Boot (prevent rollback attacks)
Azure infrastructure security: secure execution
• Virtualization-based security prevents Host OS credentials from being compromised
• Secure execution & trust boundary for system software (VMs)
• User and kernel Write+Execute pages blocked
• HyperVisor Code Integrity (HVCI) policies run within a hardened boundary and are enforced even if a vulnerability allows unauthorized kernel mode memory access
• Local Security Authority (LSA) credential isolation
Diagram, bottom up: Hardware (TPM 2.0, VT-x2, IOMMU) → Firmware (UEFI) → Hypervisor (measured, hardened boundary) → Secure world (VSM enclave: HVCI, CI Policy, Secure App, Credential Guard) and Normal world (Normal App, Kernel, Malware).
Azure infrastructure security: UEFI secure & measured boot
• UEFI Secure Boot verifies that only trusted code can run
• Only signed and trusted firmware & critical boot drivers load
• Measured boot: all drivers are measured into TPM 2.0
• A trustworthy TCG log is signed and produced, used during attestation
• Rootkit protection
Boot chain, bottom up:
• Hardware: NIC, GPU, BMC… with Cerberus
• Firmware: UEFI 2.3.1c+ / 2.5+, chipset init, OPROMs (OEM/ODM signed)
• Secure boot: boot manager, OS boot loader (Microsoft/software signed)
• Trusted boot: OS/kernel drivers, ELAM drivers, other drivers (WHQL signed), each checked against Code Integrity (CCI) policy
• Hyper-Visor, VSM, Azure Host OS, user mode apps
Azure infrastructure security: Azure host attestation
• Health attestation service detects compromised hosts
• Hardware root of trust establishes trust in cloud host health
• Enables Shielded Virtual Machines with established trust in guest VMs
• Guest (VM) attestation for VSM enclaves
Flow: the Azure Host sends its TCG log to the Attestation Service, receives a Machine Bound Host Health Certificate, and presents that certificate to the Relying Party (Cloud Fabric).
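As an added illustration (not Azure's host attestation protocol or any code from the deck), the Python below models the measured boot and attestation flow of the two preceding slides: components are measured and extended into SHA-256 PCRs, the host quotes its PCR bank, and the attestation service replays the event log against the quote and an allowlist before issuing a health certificate. The event log, the HMAC that stands in for the TPM quote signature, the shared attestation-key secret and the allowlist are constructed assumptions.

```python
"""Replay a TCG-style event log against quoted PCR values and a component allowlist.

Added example, not Azure's host attestation implementation: a simplified model of
drivers measured into TPM PCRs, a TCG log produced and quoted, and an attestation
service replaying it before issuing a host health certificate. The event format,
the HMAC standing in for the TPM's quote signature, the attestation-key secret and
the allowlist are all constructed here.
"""
import hashlib
import hmac

PCR_INIT = bytes(32)  # SHA-256 PCR banks start at all zeros at power-on

# Constructed boot event log: (PCR index, component name, measured bytes).
# A real log carries digests of the actual firmware and driver images.
BOOT_EVENTS = [
    (0, "uefi-firmware", b"UEFI 2.5 firmware image (sample)"),
    (2, "nic-oprom", b"NIC option ROM (sample)"),
    (4, "boot-manager", b"bootmgfw.efi (sample)"),
    (7, "secure-boot-policy", b"SecureBoot=1 db=<sample>"),
    (11, "ci-policy", b"locked-down code integrity policy (sample)"),
    (13, "elam-driver", b"early-launch antimalware driver (sample)"),
]
AK_SECRET = b"constructed attestation key secret"  # shared for the demo only


def measure(data: bytes) -> bytes:
    """Digest of a component as it is loaded."""
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: new = H(old || digest). Order-dependent and irreversible."""
    return hashlib.sha256(pcr + digest).digest()


def replay(events):
    """Recompute every PCR and every component digest from an event log."""
    pcrs, digests = {}, {}
    for idx, name, data in events:
        d = measure(data)
        digests[name] = d
        pcrs[idx] = extend(pcrs.get(idx, PCR_INIT), d)
    return pcrs, digests


def quote(pcrs, ak_secret: bytes) -> bytes:
    """Stand-in for the TPM's signed quote over the PCR bank (HMAC, not a TPM signature)."""
    blob = b"".join(i.to_bytes(1, "big") + pcrs[i] for i in sorted(pcrs))
    return hmac.new(ak_secret, blob, hashlib.sha256).digest()


# Policy: the component digests the attestation service is willing to trust.
KNOWN_GOOD = {name: measure(data) for _, name, data in BOOT_EVENTS}


def attest(event_log, quoted: bytes, ak_secret: bytes) -> dict:
    """Attestation service: the log must reproduce the quoted PCRs, then every
    measured component must be on the allowlist. Only then is a (constructed)
    machine-bound host health certificate returned."""
    pcrs, digests = replay(event_log)
    if not hmac.compare_digest(quote(pcrs, ak_secret), quoted):
        return {"healthy": False, "reason": "event log does not reproduce quoted PCRs"}
    unknown = sorted(n for n, d in digests.items() if KNOWN_GOOD.get(n) != d)
    if unknown:
        return {"healthy": False, "reason": "unrecognised components: " + ", ".join(unknown)}
    return {"healthy": True, "certificate": {i: v.hex() for i, v in sorted(pcrs.items())}}


# A host whose early-launch driver was replaced: the TPM measures what really loaded.
TAMPERED_EVENTS = [
    (i, n, b"replaced driver (sample)" if n == "elam-driver" else d) for i, n, d in BOOT_EVENTS
]


def scenario_clean() -> dict:
    pcrs, _ = replay(BOOT_EVENTS)  # PCR values the host's TPM actually holds
    return attest(BOOT_EVENTS, quote(pcrs, AK_SECRET), AK_SECRET)


def scenario_modified_driver_honest_log() -> dict:
    pcrs, _ = replay(TAMPERED_EVENTS)
    return attest(TAMPERED_EVENTS, quote(pcrs, AK_SECRET), AK_SECRET)


def scenario_modified_driver_forged_log() -> dict:
    pcrs, _ = replay(TAMPERED_EVENTS)  # TPM reflects the real boot
    return attest(BOOT_EVENTS, quote(pcrs, AK_SECRET), AK_SECRET)  # host presents a clean log


if __name__ == "__main__":
    for name, fn in [("clean host", scenario_clean),
                     ("modified driver, honest log", scenario_modified_driver_honest_log),
                     ("modified driver, forged log", scenario_modified_driver_forged_log)]:
        print(f"{name}: {fn()}")
```

The third scenario is why the log alone is not trusted: a host cannot hide a measured change by presenting a clean log, because the quote is computed over what the TPM actually recorded.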
Operational Security: Just-in-Time/Just Enough Admin Access
• No standing access to the customer data
• Leadership grants temporary privilege
• Grants least privilege required to complete task
• Pre-screened admin requests access
• Multi-factor authentication required for all administration
• Access requests are audited, logged, and reviewed
• “Secure Workstations” required to access production
Diagram: the admin requests access from the Microsoft Corporate Network into Microsoft Azure.
Lockbox: Microsoft Access with Customer Approval
Flow:
• Customer opens a support ticket from the Azure portal
• Support request opened (MSSOLVE) and assigned to a support engineer
• Engage DevOps On-Call
• Lockbox request notification email; ability for the customer to approve the request (Lockbox Customer Approval UX)
• Azure JIT grants access based on customer approval
Operational Security: additional production access protections (Azure Production Access)
• No standing access to production servers and services
• Multi-factor authentication required for admin actions
• “Secure Workstations” required to access production
• Access requests are audited, logged and monitored
Diagram: Azure Active Directory (users & groups, roles & role assignments) gates access to Azure Platform Services (SaaS apps, Media Services, SQL, HDInsight, Azure Sync) and Azure Infrastructure Services (Virtual Machines, Storage, Network).
Operational Security: RBAC & Secure Administrator Workstation
RBAC
• Assign roles to users and groups
• Use built-in roles with pre-configured permissions (Owner, Reader, Contributor)
• Create custom roles
• Operator access to the production Microsoft Azure subscription via a Secure Administration Console
Secure Administration Workstation
• Productivity apps run in VM only
• Whitelisted apps & URLs only
• No local administrators
• No incoming connections
• Hardened Windows 10 x64 firmware with Hyper-V
Operational Security: incident response
Event detected → security event confirmed → security team engaged → DevOps engaged → incident assessment → determine affected customers → determine customer impact → customer notification process (Step 1) → Azure customer notification
Operational Security: assume and prevent breach execution
Red Team | Prevent Breach
• Code review
• Security development lifecycle (SDL)
• Threat model
• Security testing
• Monitor emerging threats
• Red teaming exercises
Blue Team | Assume Breach
• Insider attack simulation
• War game exercises
• Live site penetration test
• Execute post breach
• Central security monitors
• Blue teaming
Security Development Lifecycle
• Education: guide product teams to meet SDL requirements; security training
• Process: administer and track release criteria & sign-off as part of FSR
• Accountability: establish Incident Response (MSRC)
Phases: Training → Requirements → Design → Implementation → Verification → Release → Response
Ongoing process improvements
Secure Development Lifecycle: empowering you
• Secure Development Lifecycle - https://www.microsoft.com/en-us/sdl/
• Tools to enable writing and releasing secure code:
  Threat Modelling Tool (TMT2016)
  Credential Scanner (CREDSCAN): detecting creds in source & more; GitHub, VS-IDE integration
  Static Analysis for .NET: Roslyn Security Analyzers
  Binary Static Analysis Tool [GitHub]: provides security and correctness results for Windows portable executables
  Secure Code Analysis VSTS Extension (Private Preview)
Contact: sdt-vsts@microsoft.com
Secure authentication: getting to a world without passwords
• Windows Hello
• Microsoft Authenticator
• FIDO2 Security Keys

Azure AD Conditional Access
Signals: user and location; device; application; real time risk
Applied across: workloads, people, intelligence, data, devices
Identity protection: an integral component of Microsoft Threat Protection
• Azure ATP
• Microsoft Cloud App Security
• Azure AD Identity Protection
Protecting data in use with Azure confidential computing
• Protect data inside the CPU from malicious access
• Run Intel SGX-based enclaves
• Build enclave aware applications with open SDK
Carlos builds Woodgrove Bank’s first app on Azure
Components: Front-end (Azure Web App); Azure Storage; Back-end (Azure Virtual Machines); Twitter
Many secrets in Carlos’ little app – of different types
1. VM admin password (back-end)
2. Storage API key (used by both front-end and back-end)
3. Twitter API key
4. TLS certificate (front-end)
5. Storage encryption master key (Azure Storage)
6. Disk encryption master key (back-end virtual machines)
Discover > Eliminate > Manage > Govern
Discover secrets:
1. Continuously on GitHub
2. When writing code (Visual Studio)
3. When pushing to Git (Azure DevOps)
4. When building (Azure DevOps)
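The discovery steps above (on GitHub, in the IDE, on push and on build) depend on recognising credential shapes in source. The following is an added illustration written for this page, not Microsoft's CredScan or any code from the deck: a small Python scanner that finds the secret types from Carlos' app that have a recognisable form (Azure Storage account keys in connection strings, hard-coded passwords, PEM private keys) in a constructed sample file, with a placeholder and entropy filter so that templates are not flagged. The patterns, the entropy threshold and every sample value are assumptions; none of the values is a real credential.

```python
"""Find hard-coded credentials of the kinds listed for Carlos' app in source text.

Added example, not Microsoft's CredScan: a minimal "Discover" stage scanner that
looks for Azure Storage account keys in connection strings, hard-coded password
assignments and embedded private keys, and filters out placeholder values.
The patterns, the entropy threshold and the sample file are assumptions made
here; the sample's values are invented and are not real credentials.
"""
import math
import re
from dataclasses import dataclass

# Constructed sample source file. Line numbers are referenced in the report.
SAMPLE_SOURCE = "\n".join([
    "# config.py for the Woodgrove front-end (constructed sample)",
    'STORAGE_CONN = "DefaultEndpointsProtocol=https;AccountName=woodgrovedemo;'
    "AccountKey=QWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXowMTIzNDU2Nzg5QUJDREVGR0hJSktM"
    'TU5PUFFSU1RVVldYWVo0Mw==;EndpointSuffix=core.windows.net"',
    'TEMPLATE_CONN = "AccountName=__NAME__;AccountKey=' + "abcd" * 21 + 'ab=="',
    'VM_ADMIN_PASSWORD = "Wint3r-Is-C0ming!2018"',
    'BANNER = "password = see Key Vault"  # a mention, not a secret',
    "TLS_KEY = '''-----BEGIN PRIVATE KEY-----",
    "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7",
    "-----END PRIVATE KEY-----'''",
])

# Storage account keys are 64 random bytes, base64-encoded: 86 chars followed by "==".
STORAGE_KEY_RE = re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)")
# Hard-coded assignments such as VM_ADMIN_PASSWORD = "..." or pwd: '...'.
PASSWORD_RE = re.compile(r"(?i)(?:password|passwd|pwd)\w*\s*[=:]\s*[\"']([^\"']{8,})[\"']")
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")
# Values that are templates rather than live credentials.
PLACEHOLDER_RE = re.compile(r"^(?:[xX*]+|<[^>]*>|\$\{[^}]*\}|__[A-Z_]+__|changeme|password)$")
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumption, tune on your own corpus


@dataclass(frozen=True)
class Finding:
    kind: str
    line: int
    preview: str  # never the full secret: a report must not become a second leak


def shannon_entropy(s: str) -> float:
    """Bits per character: random base64 approaches 6, repeated filler approaches 0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def redact(secret: str) -> str:
    return f"{secret[:4]}... ({len(secret)} chars)"


def scan_source(text: str) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = STORAGE_KEY_RE.search(line)
        # A key-shaped value with low entropy is filler from a template, not a key.
        if m and not PLACEHOLDER_RE.match(m.group(1)) and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append(Finding("azure_storage_key", line_no, redact(m.group(1))))
        m = PASSWORD_RE.search(line)
        if m and not PLACEHOLDER_RE.match(m.group(1)):
            findings.append(Finding("password", line_no, redact(m.group(1))))
        if PRIVATE_KEY_RE.search(line):
            findings.append(Finding("private_key", line_no, "PEM private key block"))
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.kind} {f.preview}")
```

Running it reports the storage key on line 2, the password on line 4 and the private key on line 6, while the template connection string on line 3 and the word "password" inside the banner text are left alone.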
Discover > Eliminate > Manage > Govern
Eliminate secrets:
• Authentication keys from Virtual Machines, VM Scale Sets, Container Instances, Web Apps, Functions, Logic Apps, API Management, Data Factory V2, … to Resource Manager, Key Vault, Data Lake, SQL DB, SQL DW, Event Hubs, Service Bus, Storage, …
• Encryption keys
• TLS certificates and keys (soon)
MS Confidential – Shared under NDA
Discover > Eliminate > Manage > Govern
Azure Key Vault as a Secrets Manager
Sources: storage account keys; CosmosDB API keys; EventHub keys; ServiceBus keys; …
Destinations: your code (VMs, containers, App Services, …); your PaaS resources (Data Bricks, Data Factory, …); deployment/orchestration (ARM, Kubernetes, Chef, …); DevOps tools (Azure DevOps)
Configure alerts & reports. (Diagram legend: human action vs. automated flow.)
✓ Reduce mistakes – fewer humans, fewer hops
✓ Centralize management – Azure Key Vault, Azure AD, Policy
✓ Get head start on compliance
✓ Enable segregation of duty between security and devops
✓ Enhance availability for your apps
Discover > Eliminate > Manage > Govern
Azure Key Vault as a Certificate Manager
Sources: built-in CAs (Digicert, GlobalSign, D-Trust) + new partners (GoDaddy, Venafi)
Destinations: your code (VMs, containers, App Services, …) + your PaaS endpoints (CDN, API Management, …)
Configure alerts & reports. (Diagram legend: human action vs. automated flow.)
✓ Improve security – key stays within Azure
✓ Reduce outages – certificates are auto-renewed
Discover > Eliminate > Manage > Govern
Azure Key Vault as a KMS, with HSMs
Sources: crypto key from on-prem HSM, or crypto key from partner services (Thales CCKM, Gemalto DPOD)
Destinations: encryption or signing in your code (VMs, containers, …), or encryption with customer-managed key in Azure SQL, Storage, VMs, Data Lake, Exchange, SharePoint, Information Protection, Dynamics, MongoDB Atlas
Configure alerts & reports. (Diagram legend: human action vs. automated flow.)
✓ Destination does not see customer’s key
✓ Customer manages key, gets near-realtime log
✓ HSMs are FIPS Level 2 overall, with the following at Level 3: Physical Security, Roles/Services/Authentication, EMI/EMC, Design Assurance
Discover > Eliminate > Manage > Govern
Govern: Woodgrove Bank
Business units Wealth Mgmt, Credit Card Services and Test each own several subscriptions; each subscription holds multiple resource groups (RG), and each resource group its own key vault (KV).
Discover > Eliminate > Manage > Govern
Azure Active Directory tenant – Woodgrove Bank
• Management groups (MG – Wealth Mgmt, MG – Credit Card Services, MG – Test) sit above the subscriptions, resource groups (RG) and key vaults (KV)
• Azure Policy (new): audit, enforce, remediate
• Azure Log Analytics or your SIEM
New: Azure Dedicated HSM
What is it
• New service offering released in Nov 2018, for scenarios that require FIPS 140-2 Level 3 or CC EAL 4+ to meet compliance needs
• Direct control of HSMs (Gemalto SafeNet Luna Network HSM 7)
• Low latency
How does it work
Microsoft hosts and powers the HSMs, and connects them to your VNET. You control everything else. That includes firmware & patches, redundancy & availability, disaster recovery & backup, root keys, capacity plan.
When to use Dedicated HSM or Key Vault
Dedicated HSM
• Need FIPS 140-2 Level 3, CC EAL 4+, or eIDAS compliance.
• Need to run a legacy app in Azure VMs e.g. Apache / Nginx SSL offload, Oracle TDE, ADCS.
• Need to migrate an existing app that uses Gemalto HSMs, to Azure VMs.
Key Vault
Customer-managed keys for PaaS/SaaS services support only Key Vault:
• Azure Disk Encryption
• Azure Storage server-side encryption
• Azure SQL DB TDE
• Azure Data Lake Store encryption
• Azure Information Protection
• Office 365 service encryption
• Azure App Services SSL
• Azure CDN SSL
• API Management SSL
Can work with both
These can work with both. Key Vault is optimal to meet cloud expectations.
• New code.
• TDE for SQL Server in Azure VM.
• Always Encrypted for SQL Server in Azure VM and Azure SQL DB.
• Azure Storage client side encryption.
Azure Dedicated HSM features
Make/model: Gemalto SafeNet Luna Network HSM 7
Certifications: FIPS 140-2 Level 3; eIDAS CC EAL4+; NITES; Brazilian ITI
Management: single tenant, no shared hardware. Customer has sole administrative and cryptographic control. 100 partitions, to allow multiple apps.
APIs: PKCS#11, Java (JCA/JCE), Microsoft CAPI and CNG, OpenSSL
Algorithms & key lengths: full Suite B support. Asymmetric: RSA, DSA, Diffie-Hellman, ECC (ECDSA, ECDH, Ed25519, ECIES). Symmetric: AES, AES-GCM, Triple DES, DES, ARIA, SEED, RC2, RC4, RC5, CAST, and more. Hash/Message Digest/HMAC: SHA-1, SHA-2, SM3, and more. Key Derivation: SP800-108 Counter Mode. Key Wrapping: SP800-38F. Random Number Generation.
Hybrid support: yes. HA domain can span Azure and on-premises HSMs. This allows backup on-premises, as well as migration of keys between on-premises and Azure.
Performance: RSA-2048: 10K tps, ECC P256: 20K tps, AES-GCM: 17K tps
Manage Security Posture and Define Governance
Cloud Security Posture Management + Governance
• Continuous assessment
• Compliance reports & recommendations
• Centralized security policy
• Templates & blueprints
• Azure Governance

Cloud Security Posture Management: Management Groups
Grouping and organizing subscriptions in a logical hierarchy that supports the deployment of other Governance services in a structured way.
Azure Firewall
Cloud native stateful Firewall as a service; a first among public cloud providers
Central governance of all traffic flows
• Built-in high availability and auto scale
• Network and application traffic filtering
• Centralized policy across VNets and subscriptions
Complete VNET protection
• Filter Outbound, Inbound, Spoke-Spoke & Hybrid Connections traffic (VPN and ExpressRoute)
Centralized logging
• Archive logs to a storage account, stream events to your Event Hub, or send them to Log Analytics or Security Information and Event Management (SIEM) system of choice
Diagram: hub firewall fronting Spoke VNets and On-Premises.
Azure Web Application Firewall: protect web sites from common application vulnerabilities
• Platform managed WAF: built in high availability and scalability
• Protect application: SQL Injection, XSS, protocol violation & others
• Near real time monitoring: Azure Monitor & Azure Security Center
• WAF managed rules: OWASP Core Rule Set 3.0 and 2.2.9 native support
New preview features (Oct 2018)
• WAF configurability
• Control request and file sizes
• WAF exclusion list
Diagram: the WAF (L7 load balancer) blocks an XSS attack and a SQL Injection attempt while passing a valid request on to Site 1 and Site 2.
DDoS Attack Trends
• Attack frequency: 58% vs. 2017
• Attack size: 2+ Tbps (???); 1.7 Tbps (Memcached); 650 Gbps (Mirai); 400 Gbps (NTP amp); peak 1.7 Tbps; 4X > 50Gbps
• Attack vectors: 56% multi-vector
• Attack downtime: 35% businesses impacted
Continued growth in frequency, size, sophistication, and impact
Often utilized as ‘cyber smoke screen’ to mask infiltration attacks
Azure DDoS Protection
• Cloud scale DDoS protection tuned to applications
• Simple to provision for all your virtual network resources
• Always on monitoring with near real time telemetry and alerting
• Automatic network layer attack
What’s new
• DDoS Attack Analytics: attack data snapshots and full post attack summary
• DDoS Rapid Response
• Azure Security Center integration
Sample solution using Azure protection services: protect against threats with Azure Security Center
• Detect and block advanced malware and threats for servers
• Detect threats across IaaS and PaaS services using advanced analytics
• Reduce exposure to brute force attacks
• Protect data services against malicious attacks
Detect and block advanced malware for Windows and Linux servers
• Detect threats on servers with behavior analytics and machine learning
• Get Windows server EDR with the integration of Windows Defender ATP
• Automate application whitelisting with a ML based solution
Detect threats across services
• Detect threats targeting Azure services such as Azure App Services, Azure SQL, Storage services and more
• Get Azure UEBA with the integration of Microsoft Cloud App Security
• Investigate and respond to an attack with ASC Fusion kill chain analysis
Limit exposure to brute force attacks
• Reduce access to VM ports only when it is needed with Just-in-Time VM Access
• Access automatically granted for selected ports, and for limited time, approved users and source IPs
Protect data services
• Assess potential vulnerabilities across Azure SQL and Storage services
• Classify and audit access to sensitive data in Azure SQL
Strengthen security posture (Azure Security Center)
• Manage organizational security policy and compliance
• Continuously assess security state
• Optimize and improve security by configuring recommended controls
Manage organizational security policy and compliance
• Review coverage for Azure Security Center across different subscriptions
• Easily set centralized security policies across multiple subscriptions
• Track and review policy compliance and governance over time
Continuously assess security state
• Get insights on the security state across your infrastructure
• Prioritized recommendations with a security score
Optimize and improve security
• Understand the network topology and visualize configurations
• Apply a secure configuration standard with built-in recommendations
• Reduce attack surface by applying proactive hygiene measures