In today's cloud era, admins struggle to keep their IT infrastructures safe. Cloud security is joint responsibility and what we need is a new approach! In this session, you will learn how to securely deploy and maintain Azure infrastructure solutions, why automation is essential, what network security and encryption options you have, and how access control can prevent you from having sleepless nights. We will successfully attack an Azure environment live on stage, dive deep into Azure Security Center, and see how we can use it to ultimately secure IT infrastructures on premises, hybrid, and on Azure.

1. #TechforPeople.

2. welcome.

3. Innovative technology consulting for business.
Azure Infrastructure
SecurityUltimate security in the cloud era
Tom Janetscheck, Principal Cloud Security Architect &
Microsoft MVP

4. about me.
Tom Janetscheck
Principal Cloud Security Architect @ Devoteam Alegri
Focused on Azure Identity, Security, Governance, and Infrastructure
Community Lead of Azure Meetup Saarbrücken
Co-organizer of Azure Saturday
Tech blogger and book author
@azureandbeyond
https://blog.azureandbeyond.com

5. ● Cloud security challenges
Why is cloud security so difficult and identity security so
important?
● Azure Governance
Define your guardrails to enable security
● Azure Security Center
Improve your hybrid cloud security posture
● Microsoft Intelligent Security
Graph
Unique insights, informed by trillions of signals
● Best practices
● Demo
agenda.

6. Federal criminal agency – 2018 cybercrime situation report
87.000 cases of cybercrime in
2018
60.000.000 € amount of
damage with an immense dark
figure
Estimated amount of damage
according to Bitcom: 100.000.000.000
(!) € per yearSource: BKA - 2018 Cybercrime situation report

7. Today‘s cloud security challenges
Increasingly
sophisticated attacks
It’s both, a strength and a challenge
of the cloud. How do you make sure
that ever-changing services are up to
your security standards?
Attack automation and evasion
techniques are evolving along
multiple dimensions
We need human expertise,
adaptability, and creativity to combat
human threat actors.

8. Office 365
Modernizing the security perimeter
•
•
+
=



9. Cloud Security is a Shared Responsibility
Securing and managing the cloud foundation
JOINT RESPONSIBILITYMICROSOFT COMMITMENT
Physical assets
Datacenter operations
Cloud infrastructure
Securing and managing your cloud resources
Virtual machines
Applications & workloads
Data

10. Governance – a definition
Establishment of policies, and
continuous monitoring of their
proper implementation, by the
members of the governing body of
an organization[…]1
1Source: BusinessDictionary

11. 5 tips and best practices
Common
Sense
Protect
your IDs
and
implement
RBAC
Use tags and
policies
Secure
your
network
Monitor your
resources

13. 5 tips and best practices
Common
Sense
Protect
your IDs
and
implement
RBAC
Use tags and
policies
Secure
your
network
Monitor your
resources

14. 5 tips and best practices
Protect your
IDs and
implement
RBAC
Use tags
and
policies
Secure your
network
Monitor
your
resources
Common
Sense

15. Identity protection is essential!
uuuuuuu
uu$$$$$$$$$$$uu
uu$$$$$$$$$$$$$$$$$uu
u$$$$$$$$$$$$$$$$$$$$$u
u$$$$$$$$$$$$$$$$$$$$$$$u
u$$$$$$$$$$$$$$$$$$$$$$$$$u
u$$$$$$$$$$$$$$$$$$$$$$$$$u
u$$$$$$" "$$$" "$$$$$$u
"$$$$" u$u $$$$"
$$$u u$u u$$$
$$$u u$$$u u$$$
"$$$$uu$$$ $$$uu$$$$"
"$$$$$$$" "$$$$$$$"
u$$$$$$$u$$$$$$$u
u$"$"$"$"$"$"$u
uuu $$u$ $ $ $ $u$$ uuu
u$$$$ $$$$$u$u$u$$$ u$$$$
$$$$$uu "$$$$$$$$$" uu$$$$$$
u$$$$$$$$$$$uu """"" uuuu$$$$$$$$$$
$$$$"""$$$$$$$$$$uuu uu$$$$$$$$$"""$$$"
""" ""$$$$$$$$$$$uu ""$"""
uuuu ""$$$$$$$$$$uuu
u$$$uuu$$$$$$$$$uu ""$$$$$$$$$$$uuu$$$
$$$$$$$$$$"""" ""$$$$$$$$$$$"
"$$$$$" ""$$$$""
$$$" $$$$"
88 88 88
88 88 88
88 88 88
88,dPPYba, ,adPPYYba, ,adPPYba, 88 ,d8 ,adPPYba, ,adPPYb,88
88P' "8a "" `Y8 a8" "" 88 ,a8" a8P_____88 a8" `Y88
88 88 ,adPPPPP88 8b 8888[ 8PP""""""" 8b 88
88 88 88, ,88 "8a, ,aa 88`"Yba, "8b, ,aa "8a, ,d88
88 88 `"8bbdP"Y8 `"Ybbd8"' 88 `Y8a `"Ybbd8"' `"8bbdP"Y8
Implement multi-
factor authentication
Adhere to the
principle of least
privilege
Establish privileged
identity/access
management
(PIM/PAM)
Enable conditional
access policies
Use passphrases
rather than (complex)
passwords
or go password-less

16. Identity protection is essential!
oooo$$$$$$$$$$$$oooo
oo$$$$$$$$$$$$$$$$$$$$$$$$o
oo$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$o o$ $$ o$
o $ oo o$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$o $$ $$ $$o$
oo $ $ "$ o$$$$$$$$$ $$$$$$$$$$$$$ $$$$$$$$$o $$$o$$o$
"$$$$$$o$ o$$$$$$$$$ $$$$$$$$$$$ $$$$$$$$$$o $$$$$$$$
$$$$$$$ $$$$$$$$$$$ $$$$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$$$
$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$$$ $$$$$$$$$$$$$$ """$$$
"$$$""""$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ "$$$
$$$ o$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ "$$$o
o$$" $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$o
$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$" "$$$$$$ooooo$$$$o
o$$$oooo$$$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ o$$$$$$$$$$$$$$$$$
$$$$$$$$"$$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$""""""""
"""" $$$$ "$$$$$$$$$$$$$$$$$$$$$$$$$$$$" o$$$
"$$$o """$$$$$$$$$$$$$$$$$$"$$" $$$
$$$o "$$""$$$$$$"""" o$$$
$$$$o oo o$$$"
"$$$$o o$$$$$$o"$$$$o o$$$$
"$$$$$oo ""$$$$o$$$$$o o$$$$""
""$$$$$oooo "$$$o$$$$$$$$$"""
""$$$$$$$oo $$$$$$$$$$
""""$$$$$$$$$$$
$$$$$$$$$$$$
$$$$$$$$$$"
"$$$""""

17. Role-based access control
1. Security principal = user, group, service principal

18. Role-based access control
1. Security principal = user, group, service principal
2. Role definition = set of management rights
Owner
Contributor
Reader
…
Backup Operator
Security Reader
User Access Administrator
Virtual Machine Contributor
Reader Support Tickets
Virtual Machine Operator
Built in
Custom

19. Role-based access control
1. Security principal = user, group, service principal
2. Role definition = set of management rights
Owner
Contributor
Reader
…
Backup Operator
Security Reader
User Access Administrator
Virtual Machine Contributor
Reader Support Tickets
Virtual Machine Operator
Built in
Custom
Contributor
"permissions": [
{
"actions": [
"*"
],
"notActions": [
"Authorization/*/Delete"
"Authorization/*/Write"
"Authorization/elevateAccess/Action"
],
"dataActions": [
],
"notDataActions": [
],
}
],

20. Role-based access control
1. Security principal = user, group, service principal
2. Role definition = set of management rights
3. Scope = MG, subscription, RG, resource
Owner
Contributor
Reader
…
Backup Operator
Security Reader
User Access Administrator
Virtual Machine Contributor
Reader Support Tickets
Virtual Machine Operator
Built in
Custom
Contributor
"permissions": [
{
"actions": [
"*"
],
"notActions": [
"Authorization/*/Delete"
"Authorization/*/Write"
"Authorization/elevateAccess/Action"
],
"dataActions": [
],
"notDataActions": [
],
}
],
Azure
subscription
Resource
group
Management Group

21. Role-based access control – Role assignment
Owner
Contributor
Reader
…
Backup Operator
Security Reader
User Access Administrator
Virtual Machine Contributor
Reader Support Tickets
Virtual Machine Operator
Built in
Custom
"actions": [
"*"
],
"notActions": [
"Auth/*/Delete"
"Auth/*/Write"
"Auth/elevate…
],
Azure
subscription
Resource
group
Management Group
DevOps Group
Contributor
DevOps Resource
Group
Role Assignment

22. 5 tips and best practices
Protect your
IDs and
implement
RBAC
Use tags
and
policies
Secure your
network
Monitor
your
resources
Common
Sense

23. 5 tips and best practices
Use tags
and policies
Secure
your
network
Monitor your
resources
Common
Sense
Protect your
IDs and
implement
RBAC

24. Resource Tags
Name:Value, e.g. CostCenter:ProdIT, ResourceOwner:Tom
Help to define responsibility and view consolidated billing
Always tag RGs
• Owner
• Dept
• CostCenter
• […]
Tag resources as needed
Define tags in advance

25. Resource Policies
Rule enforcements on MG, subscription or RG level
Initiative definitions vs. Policy definitions
Effect types:
• Append
• Deny
• Audit

26. 5 tips and best practices
Use tags
and policies
Secure
your
network
Monitor your
resources
Common
Sense
Protect your
IDs and
implement
RBAC

27. 5 tips and best practices
Secure your
network
Monitor
your
resources
Common
Sense
Protect
your IDs
and
implement
RBAC
Use tags
and policies

28. Hybrid network risks

29. 5 tips and best practices
Secure your
network
Monitor
your
resources
Common
Sense
Protect
your IDs
and
implement
RBAC
Use tags
and policies

30. 5 tips and best practices
Monitor your
resources
Common
Sense
Protect your
IDs and
implement
RBAC
Use tags
and
policies
Secure your
network

31. Azure Security Center

32. Microsoft Azure Security Center
Security Center assesses your
environment and enables you to
understand the status of your
resources, and whether they are
secure.
Enable actionable, adaptive
protections that identify and mitigate
risk to reduce exposure to attacks
Use advanced analytics and Microsoft
Intelligent Security Graph to rapidly
detect and respond to evolving cyber
threats

33. Strengthen your security posture
Identify shadow IT
subscriptions
Optimize and
improve resource
security
Continous
assessments

34. Microsoft Azure Security Center
Security Center assesses your
environment and enables you to
understand the status of your
resources, and whether they are
secure.
Enable actionable, adaptive
protections that identify and mitigate
risk to reduce exposure to attacks
Use advanced analytics and Microsoft
Intelligent Security Graph to rapidly
detect and respond to evolving cyber
threats

35. Adaptive threat prevention
Advanced Threat Protection
Native integration with
Microsoft Defender ATP for
Windows machines
Advanced Threat Detection
for Linux machines

36. Microsoft Azure Security Center
Security Center assesses your
environment and enables you to
understand the status of your
resources, and whether they are
secure.
Enable actionable, adaptive
protections that identify and mitigate
risk to reduce exposure to attacks
Use advanced analytics and Microsoft
Intelligent Security Graph to rapidly
detect and respond to evolving cyber
threats

37. Microsoft Intelligent Security Graph

38. Inside the Intelligent Security Graph
Microsoft Trust Center

39. Protect your cloud
storage/networkin
g!
Data leaks in the cloud often refer
to unprotected/publicly available
storage accounts or configuration
issues in both, platform and
infrastructure services.

40. Protect your
identities!
Most of today’s cyber attacks are
identity-focused. Keep that in
mind when planning your security
strategy.

41. Have your
governance
ready!
You need to define rules as
guardrails to avoid shadow IT and
other security issues.

42. Monitor the heck
out of
everything!
You need to know what’s going on
in your environment. Massive
telemetry is necessary!

43. Repeat!
Cloud security is an ongoing
process. Make sure you regularly
assess your current configuration
by leveraging automation tools.

44. Witness on-stage live attacks, see
adaptive identity protection,
passwordless signins and MFA, and
learn how Azure Security Center can
help you to protect your hybrid cloud
environment.
demo.

45. thank you.
#TechforPeople.