#ExpertsLiveNO
Platinum Sponsor 2019
Azure Infrastructure Security
ultimate security in the cloud era
Tom Janetscheck
Principal Consultant | Devoteam Alegri
@azureandbeyond
About me
Tom Janetscheck
Principal Consultant @ Devoteam Alegri
Focused on Azure Infrastructure, Governance, Security
Microsoft Azure MVP & P-CSA
Twitter: @azureandbeyond
Blog: http://azureandbeyond.com
Cloud momentum continues to accelerate
“The question is no longer: ‘How do I move to the cloud?’ Instead, it’s ‘Now that I’m in the cloud, how do I make sure I’ve optimized my investment and risk exposure?’” [1]
“By 2020 clouds will stop being referred to as ‘public’ and ‘private’. It will simply be the way business is done and IT is provisioned.” [2]
[1] KPMG: 2014 Cloud Survey Report, Elevating business in the cloud, December 10, 2014
[2] IDC: IDC Market Spotlight, Cloud Definitions and Opportunity, April 2015
But cloud security concerns persist
• Management is increasingly distributed
• Cloud environments are more dynamic
• Attackers continue to innovate
Cloud Security is a Shared Responsibility
Microsoft commitment (securing and managing the cloud foundation): physical assets, datacenter operations, cloud infrastructure
Joint responsibility (securing and managing your cloud resources): virtual machines, applications & workloads, data
Azure Governance
Governance – a definition
“Establishment of policies, and continuous monitoring of their proper implementation, by the members of the governing body of an organization […]” [1]
[1] Source: BusinessDictionary
Azure Governance Scaffold
Source: https://docs.microsoft.com/en-us/azure/architecture/cloud-adoption/appendix/azure-scaffold
Azure Account Owner vs. Azure AD Global Admin
5 tips and best practices
1. Common sense
2. Protect your IDs and implement RBAC
3. Use tags and policies
4. Secure your network
5. Monitor your resources
Common sense…
…is not so common
Voltaire
Identity protection is essential
• Implement multi-factor authentication
• Adhere to the principle of least privilege
• Establish privileged identity/access management (PIM/PAM)
• Enable conditional access policies
• Use passphrases rather than (complex) passwords
Role-based access control
1. Security principal = user, group, service principal
2. Role definition = set of management rights
3. Scope = management group (MG), subscription, resource group (RG), resource
Built-in role definitions: Owner, Contributor, Reader, … Backup Operator, Security Reader, User Access Administrator, Virtual Machine Contributor
Custom role definitions (examples): Reader Support Tickets, Virtual Machine Operator
Example: the built-in Contributor role definition (all management rights, except that the notActions exclude granting or changing access):
"permissions": [
  {
    "actions": [
      "*"
    ],
    "notActions": [
      "Authorization/*/Delete",
      "Authorization/*/Write",
      "Authorization/elevateAccess/Action"
    ],
    "dataActions": [],
    "notDataActions": []
  }
],
Scope hierarchy: Management Group > Azure subscription > Resource group > resource
Role-based access control – Role assignment
Role assignment = security principal + role definition + scope.
Example: the security principal “DevOps Group” is assigned the “Contributor” role definition at the scope “DevOps Resource Group”.
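To make the three building blocks concrete, here is an added Python model (not code from the slides or from Microsoft) of how Azure evaluates a role assignment: effective permissions are actions minus notActions with "*" as the wildcard, and an assignment at a scope is inherited by every child scope. The role definition is the Contributor fragment from the slide with full operation names (the slide abbreviates "Microsoft.Authorization" to "Authorization"); the subscription, management group, resource and principal names are constructed placeholders, and deny assignments are not modelled.

```python
import re

# Built-in Contributor role definition, as on the slide but with the full
# operation names (the slide abbreviates "Microsoft.Authorization" to
# "Authorization"): everything is allowed except managing access.
CONTRIBUTOR = {
    "actions": ["*"],
    "notActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
    "dataActions": [],
    "notDataActions": [],
}

# Constructed scopes (placeholder ids, not real ones).
MG = "/providers/Microsoft.Management/managementGroups/mg-placeholder"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
DEVOPS_RG = SUB + "/resourceGroups/DevOps"
VM = DEVOPS_RG + "/providers/Microsoft.Compute/virtualMachines/vm01"
# A subscription's scope string is not a path child of its management
# group, so that link is an explicit lookup.
MG_PARENT = {SUB: MG}


def matches(pattern: str, operation: str) -> bool:
    """'*' in an RBAC pattern stands for any characters, '/' included;
    operation names compare case-insensitively."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def role_permits(role: dict, operation: str, data_action: bool = False) -> bool:
    """Effective permissions = actions minus notActions
    (dataActions minus notDataActions for data-plane operations)."""
    allow_key, deny_key = (("dataActions", "notDataActions") if data_action
                           else ("actions", "notActions"))
    allowed = any(matches(p, operation) for p in role.get(allow_key, []))
    excluded = any(matches(p, operation) for p in role.get(deny_key, []))
    return allowed and not excluded


def scope_chain(scope: str) -> list:
    """Return a scope followed by every ancestor it inherits assignments from:
    resource -> resource group -> subscription -> management group."""
    chain, current = [], scope
    while current is not None:
        chain.append(current)
        m = re.match(r"^(/subscriptions/[^/]+)(/resourceGroups/[^/]+)?(/.+)?$",
                     current, re.IGNORECASE)
        if m and m.group(3):        # resource -> its resource group (or subscription)
            current = m.group(1) + (m.group(2) or "")
        elif m and m.group(2):      # resource group -> its subscription
            current = m.group(1)
        else:                       # subscription -> management group, if known
            current = MG_PARENT.get(current)
    return chain


def is_authorized(assignments, principal_ids, operation, target_scope,
                  data_action=False) -> bool:
    """Azure RBAC is additive: allow if any assignment for the principal
    (directly or via a group it belongs to) sits at the target scope or an
    ancestor and its role permits the operation. Deny assignments are not
    modelled. `assignments` holds (principal, role, scope) triples."""
    ancestors = {s.lower() for s in scope_chain(target_scope)}
    return any(
        principal in principal_ids
        and scope.lower() in ancestors
        and role_permits(role, operation, data_action)
        for principal, role, scope in assignments
    )


# The assignment from the slide: DevOps Group -> Contributor -> DevOps Resource Group.
ASSIGNMENTS = [("DevOps Group", CONTRIBUTOR, DEVOPS_RG)]
ALICE = {"alice", "DevOps Group"}   # constructed user who is a DevOps Group member
RESTART = "Microsoft.Compute/virtualMachines/restart/action"
GRANT = "Microsoft.Authorization/roleAssignments/write"


def demo() -> dict:
    """Three checks a practitioner would run against the assignment."""
    return {
        "restart vm01 in DevOps RG": is_authorized(ASSIGNMENTS, ALICE, RESTART, VM),
        # Contributor cannot hand out roles: notActions wins over actions "*".
        "grant a role on DevOps RG": is_authorized(ASSIGNMENTS, ALICE, GRANT, DEVOPS_RG),
        # Scope is inherited downwards only: nothing is granted in a sibling RG.
        "restart a vm in another RG": is_authorized(
            ASSIGNMENTS, ALICE, RESTART,
            SUB + "/resourceGroups/Finance/providers/Microsoft.Compute/virtualMachines/vm02"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'allowed' if ok else 'denied'}")
```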
Resource Tags
• Name:Value pairs, e.g. CostCenter:ProdIT, ResourceOwner:Tom
• Help to define responsibility and view consolidated billing
• Always tag resource groups (RGs), at least with Owner, Dept, CostCenter, […]
• Tag resources as needed
• Define tags in advance
Resource Policies
• Rule enforcement at management group, subscription or resource group level
• Initiative definitions (sets of policy definitions) vs. single policy definitions
• Effect types: Append, Deny, Audit
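As an added example (not from the deck), the three effect types applied to the tagging rules above: a simplified Python model of Azure Policy's if/then evaluation over constructed resource-group requests, with deny for a missing CostCenter tag, audit for a missing Owner tag and append to supply a default Dept tag. The policy bodies and request payloads are constructed for this example; the condition keys, effects and evaluation order (append, then deny, then audit) are Azure Policy's.

```python
import copy
import re

RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"

# Three policy definitions in Azure Policy's if/then shape, constructed for
# this example (the "displayName" key is pulled to the top level here for
# brevity; real definitions nest it under "properties").
DENY_RG_WITHOUT_COSTCENTER = {
    "displayName": "Deny resource groups without a CostCenter tag",
    "if": {"allOf": [
        {"field": "type", "equals": RG_TYPE},
        {"field": "tags['CostCenter']", "exists": "false"},
    ]},
    "then": {"effect": "deny"},
}
AUDIT_RG_WITHOUT_OWNER = {
    "displayName": "Audit resource groups without an Owner tag",
    "if": {"allOf": [
        {"field": "type", "equals": RG_TYPE},
        {"field": "tags['Owner']", "exists": "false"},
    ]},
    "then": {"effect": "audit"},
}
APPEND_DEFAULT_DEPT = {
    "displayName": "Append a default Dept tag",
    "if": {"field": "tags['Dept']", "exists": "false"},
    "then": {"effect": "append",
             "details": [{"field": "tags['Dept']", "value": "unassigned"}]},
}
# An initiative is a set of policy definitions assigned together.
TAG_INITIATIVE = [DENY_RG_WITHOUT_COSTCENTER, AUDIT_RG_WITHOUT_OWNER, APPEND_DEFAULT_DEPT]

TAG_FIELD = re.compile(r"tags\['([^']+)'\]")


def field_value(resource, field):
    """Resolve a policy field reference ("type", "tags['X']", ...) on a resource body."""
    m = TAG_FIELD.fullmatch(field)
    return resource.get("tags", {}).get(m.group(1)) if m else resource.get(field)


def set_field(resource, field, value):
    """Write a field the same way field_value() reads it."""
    m = TAG_FIELD.fullmatch(field)
    if m:
        resource.setdefault("tags", {})[m.group(1)] = value
    else:
        resource[field] = value


def holds(cond, resource):
    """Evaluate an if-block: allOf/anyOf/not combinators, equals and exists tests."""
    if "allOf" in cond:
        return all(holds(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(holds(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not holds(cond["not"], resource)
    value = field_value(resource, cond["field"])
    if "equals" in cond:   # string comparison is case-insensitive in Azure Policy
        return value is not None and str(value).lower() == str(cond["equals"]).lower()
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policies, request):
    """Apply the assigned policies to a create/update request in the order
    Azure Policy uses: append (changes the request) before deny, deny before audit."""
    resource = copy.deepcopy(request)
    order = {"append": 0, "deny": 1, "audit": 2}
    denied, findings = False, []
    for policy in sorted(policies, key=lambda p: order[p["then"]["effect"]]):
        if not holds(policy["if"], resource):
            continue
        effect = policy["then"]["effect"]
        if effect == "append":
            for detail in policy["then"]["details"]:
                set_field(resource, detail["field"], detail["value"])
        elif effect == "deny":
            denied = True
        else:  # audit: the request goes through but is flagged as non-compliant
            findings.append(policy["displayName"])
    return {"allowed": not denied, "resource": resource, "audit_findings": findings}


def demo():
    """Three constructed resource-group requests evaluated against the initiative."""
    requests = {
        "complete": {"type": RG_TYPE, "name": "rg-prod-it",
                     "tags": {"Owner": "Tom", "Dept": "IT", "CostCenter": "ProdIT"}},
        "no_costcenter": {"type": RG_TYPE, "name": "rg-untagged", "tags": {"Owner": "Tom"}},
        "no_owner": {"type": RG_TYPE, "name": "rg-partial", "tags": {"CostCenter": "ProdIT"}},
    }
    return {name: evaluate(TAG_INITIATIVE, req) for name, req in requests.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "allowed" if result["allowed"] else "DENIED", result["audit_findings"])
```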
Hybrid network risks
Azure Security Center
Azure Security
Cloud security starts with…
“…challenges?”
“…security by design?”
“How do I figure out what I don’t know?”
“Who actually owns security?”
“Not knowing where to start is my top AzSec challenge”
“Are you ever done?”
“It’s not a security breach if it wasn’t secure before!”
… infrastructure as code!
https://github.com/azureandbeyond/AzureSecurity
Azure Security Services and Capabilities
Network Security
• Virtual Network Service Endpoints
• DDoS Protection
• Network Security Groups
• NSG Service Tags
• NSG Application Security Groups
• NSG Augmented Rules
• Global Virtual Network Peering
• Azure DNS Private Zones
• Site-to-Site VPN
• Point-to-Site VPN
• ExpressRoute
• Azure Virtual Networks
• Virtual Network Appliances
• Azure Load Balancer
• Azure Load Balancer HA Ports
• Azure Application Gateway
• Azure Firewall
• Azure Web Application Firewall
• Service Endpoints
Monitoring and Logging
• Azure Log Analytics
• Azure Monitor
• Network Watcher
• VS AppCenter Mobile Analytics
Compliance Program
• Microsoft Trust Center
• Service Trust Platform
• Compliance Manager
• Azure IP Advantage (legal)
Identity and Access Management
• Azure Active Directory
• Azure Active Directory B2C
• Azure Active Directory Domain Services
• Azure Active Directory MFA
• Conditional Access
• Azure Active Directory Identity Protection
• Azure Active Directory Privileged Identity Management
• Azure Active Directory App Proxy
• Azure Active Directory Connect
• Azure RBAC
• Azure Active Directory Access Reviews
• Azure Active Directory Managed Service Identity
Security Docs Site
• Azure Security Information Site on Azure.com
DDoS Mitigation
• Azure DDoS Protection
• Azure Traffic Manager
• Autoscaling
• Azure CDN
• Azure Load Balancers
• Fabric level edge protection
Infrastructure Security
• Comes with Azure Data Centers
• Azure Advanced Threat Protection
• Confidential Computing
Pen Testing
• Per AUP
• Per TOS
• No contact required
Data Loss Prevention
• Cloud App Discovery
• Azure Information Protection
Encryption
• Azure Key Vault
• Azure client-side encryption library
• Azure Storage Service Encryption
• Azure Disk Encryption
• SQL Transparent Data Encryption
• SQL Always Encrypted
• SQL Cell/Column Level Encryption
• Azure CosmosDB encrypt by default
• Azure Data Lake encrypt by default
• VPN protocol encryption (ssl/ipsec)
• SMB 3.0 wire encryption
Configuration and Management
• Azure Security Center
• Azure Sentinel
• Azure Resource Manager
• Azure Resource Graph
• ARM Management Groups
• Azure Policy
• Azure Blueprints
• Azure Automation
• Azure Advisor
• Azure API Gateway
Microsoft Azure Security Center
• Dynamically discover and manage the security of your hybrid cloud workloads in a single cloud-based console
• Enable actionable, adaptive protections that identify and mitigate risk to reduce exposure to attacks
• Use advanced analytics and Microsoft Intelligent Security Graph to rapidly detect and respond to evolving cyber threats
[Diagram: Azure Security Center pipeline. Inputs: security data & alerts from computers, Azure services and REST APIs. Detect: built-in analytics & machine learning, custom alert rules, threat intelligence, fusion. Respond: enrichment, prioritization, alert exploration, search, investigation, automation & orchestration. Detect threats across the kill chain.]
DEMO
Thank You!
Experts Live Norway - Azure Infrastructure Security

  • 1. #ExpertsLiveNO Platinum Sponsor 2019 Azure Infrastructure Security ultimate security in the cloud era Tom Janetscheck Principal Consultant | Devoteam Alegri @azureandbeyond
  • 2. #ExpertsLiveNO About me Tom Janetscheck Principal Consultant @ Devoteam Alegri Focused on Azure Infrastructure, Governance, Security Microsoft Azure MVP & P-CSA Twitter: @azureandbeyond Blog: http://azureandbeyond.com
  • 3. #ExpertsLiveNO Cloud momentum continues to accelerate “The question is no longer: ‘How do I move to the cloud?’ Instead, it’s ‘Now that I’m in the cloud, how do I make sure I’ve optimized my investment and risk exposure?”1 “By 2020 clouds will stop being referred to as ‘public’ and ‘private’. It will simply be the way business is done and IT is provisioned.”² 1KPMG: 2014 Cloud Survey Report, Elevating business in the cloud, December 10, 2014 2IDC: IDC Market Spotlight, Cloud Definitions and Opportunity, April 2015
  • 4. #ExpertsLiveNO But cloud security concerns persist Management is increasingly distributed Cloud environments are more dynamic Attackers continue to innovate
  • 5. #ExpertsLiveNO Cloud Security is a Shared Responsibility Securing and managing the cloud foundation JOINT RESPONSIBILITYMICROSOFT COMMITMENT Physical assets Datacenter operations Cloud infrastructure Securing and managing your cloud resources Virtual machines Applications & workloads Data
  • 7. #ExpertsLiveNO Governance – a definition Establishment of policies, and continuous monitoring of their proper implementation, by the members of the governing body of an organization[…]1 1Source: BusinessDictionary
  • 8. #ExpertsLiveNO Azure Governance Scaffold Source: https://docs.microsoft.com/en-us/azure/architecture/cloud-adoption/appendix/azure-scaffold
  • 9. #ExpertsLiveNO Azure Account Owner vs. Azure AD Global Admin
  • 10. #ExpertsLiveNO 5 tips and best practices Common Sense Protect your IDs and implement RBAC Use tags and policies Secure your network Monitor your resources
  • 12. #ExpertsLiveNO 5 tips and best practices Common Sense Protect your IDs and implement RBAC Use tags and policies Secure your network Monitor your resources
  • 13. #ExpertsLiveNO 5 tips and best practices Protect your IDs and implement RBAC Use tags and policies Secure your network Monitor your resources Common Sense
  • 14. #ExpertsLiveNO Identity protection is essential uuuuuuu uu$$$$$$$$$$$uu uu$$$$$$$$$$$$$$$$$uu u$$$$$$$$$$$$$$$$$$$$$u u$$$$$$$$$$$$$$$$$$$$$$$u u$$$$$$$$$$$$$$$$$$$$$$$$$u u$$$$$$$$$$$$$$$$$$$$$$$$$u u$$$$$$" "$$$" "$$$$$$u "$$$$" u$u $$$$" $$$u u$u u$$$ $$$u u$$$u u$$$ "$$$$uu$$$ $$$uu$$$$" "$$$$$$$" "$$$$$$$" u$$$$$$$u$$$$$$$u u$"$"$"$"$"$"$u uuu $$u$ $ $ $ $u$$ uuu u$$$$ $$$$$u$u$u$$$ u$$$$ $$$$$uu "$$$$$$$$$" uu$$$$$$ u$$$$$$$$$$$uu """"" uuuu$$$$$$$$$$ $$$$"""$$$$$$$$$$uuu uu$$$$$$$$$"""$$$" """ ""$$$$$$$$$$$uu ""$""" uuuu ""$$$$$$$$$$uuu u$$$uuu$$$$$$$$$uu ""$$$$$$$$$$$uuu$$$ $$$$$$$$$$"""" ""$$$$$$$$$$$" "$$$$$" ""$$$$"" $$$" $$$$" 88 88 88 88 88 88 88 88 88 88,dPPYba, ,adPPYYba, ,adPPYba, 88 ,d8 ,adPPYba, ,adPPYb,88 88P' "8a "" `Y8 a8" "" 88 ,a8" a8P_____88 a8" `Y88 88 88 ,adPPPPP88 8b 8888[ 8PP""""""" 8b 88 88 88 88, ,88 "8a, ,aa 88`"Yba, "8b, ,aa "8a, ,d88 88 88 `"8bbdP"Y8 `"Ybbd8"' 88 `Y8a `"Ybbd8"' `"8bbdP"Y8 Implement multi- factor authentication Adhere to the principle of least privilege Establish privileged identity/access management (PIM/PAM) Enable conditional access policies Use passphrases rather than (complex) passwords
  • 15. #ExpertsLiveNO Identity protection is essential oooo$$$$$$$$$$$$oooo oo$$$$$$$$$$$$$$$$$$$$$$$$o oo$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$o o$ $$ o$ o $ oo o$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$o $$ $$ $$o$ oo $ $ "$ o$$$$$$$$$ $$$$$$$$$$$$$ $$$$$$$$$o $$$o$$o$ "$$$$$$o$ o$$$$$$$$$ $$$$$$$$$$$ $$$$$$$$$$o $$$$$$$$ $$$$$$$ $$$$$$$$$$$ $$$$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$$$ $$$$$$$$$$$$$$ """$$$ "$$$""""$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ "$$$ $$$ o$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ "$$$o o$$" $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$o $$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$" "$$$$$$ooooo$$$$o o$$$oooo$$$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ o$$$$$$$$$$$$$$$$$ $$$$$$$$"$$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$"""""""" """" $$$$ "$$$$$$$$$$$$$$$$$$$$$$$$$$$$" o$$$ "$$$o """$$$$$$$$$$$$$$$$$$"$$" $$$ $$$o "$$""$$$$$$"""" o$$$ $$$$o oo o$$$" "$$$$o o$$$$$$o"$$$$o o$$$$ "$$$$$oo ""$$$$o$$$$$o o$$$$"" ""$$$$$oooo "$$$o$$$$$$$$$""" ""$$$$$$$oo $$$$$$$$$$ """"$$$$$$$$$$$ $$$$$$$$$$$$ $$$$$$$$$$" "$$$""""
  • 16.–19. #ExpertsLiveNO Role-based access control (slides 16–19 build up one diagram step by step)
    1. Security principal = user, group, service principal
    2. Role definition = set of management rights; built-in and custom roles, e.g. Owner, Contributor, Reader, …, Backup Operator, Security Reader, User Access Administrator, Virtual Machine Contributor, Reader Support Tickets, Virtual Machine Operator
       Contributor role definition as shown on the slide (provider names abbreviated; everything is allowed except managing access):
       "permissions": [
         {
           "actions": [ "*" ],
           "notActions": [
             "Authorization/*/Delete",
             "Authorization/*/Write",
             "Authorization/elevateAccess/Action"
           ],
           "dataActions": [],
           "notDataActions": []
         }
       ]
    3. Scope = Management Group, Azure subscription, Resource group, resource
  • 20. #ExpertsLiveNO Role-based access control – Role assignment = security principal + role definition + scope; slide example: the DevOps Group (principal) is assigned Contributor (role) on the DevOps Resource Group (scope). Roles (built in or custom): Owner, Contributor, Reader, …, Backup Operator, Security Reader, User Access Administrator, Virtual Machine Contributor, Reader Support Tickets, Virtual Machine Operator. Scopes: Management Group, Azure subscription, Resource group.
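As an added illustration of how the three RBAC elements on slides 16–20 combine (this is example code written for this page, not code from the talk or from the author's GitHub repository), the following Python models a role assignment as principal + role definition + scope and decides whether an operation is permitted the way Azure RBAC does: a role grants an action when it matches one of the role's actions patterns and none of its notActions patterns, an assignment applies to every resource at or below its scope, and a principal's effective rights are the union over all assignments. The role definitions are trimmed copies of the built-in Contributor and User Access Administrator roles (written with the full "Microsoft.Authorization" prefix the slide shortens) and of the Virtual Machine Operator custom-role example from the Azure docs; the principal names, subscription id "sub1" and resource ids are constructed.

```python
import re
from dataclasses import dataclass, field


@dataclass
class RoleDefinition:
    """Set of management rights: actions minus notActions (slides 17-18)."""
    name: str
    actions: list
    not_actions: list = field(default_factory=list)


@dataclass
class RoleAssignment:
    """Principal + role definition + scope (slide 20)."""
    principal: str
    role: str
    scope: str


# Role definitions. Contributor and User Access Administrator follow the built-in
# Azure roles; Virtual Machine Operator is the custom-role example from the Azure
# docs, trimmed to the entries needed here.
ROLES = {
    "Contributor": RoleDefinition(
        "Contributor",
        actions=["*"],
        not_actions=["Microsoft.Authorization/*/Delete",
                     "Microsoft.Authorization/*/Write",
                     "Microsoft.Authorization/elevateAccess/Action"]),
    "User Access Administrator": RoleDefinition(
        "User Access Administrator",
        actions=["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"]),
    "Virtual Machine Operator": RoleDefinition(
        "Virtual Machine Operator",
        actions=["Microsoft.Compute/*/read",
                 "Microsoft.Compute/virtualMachines/start/action",
                 "Microsoft.Compute/virtualMachines/restart/action",
                 "Microsoft.Network/*/read",
                 "Microsoft.Storage/*/read",
                 "Microsoft.Authorization/*/read",
                 "Microsoft.Resources/subscriptions/resourceGroups/read",
                 "Microsoft.Support/*"]),
}

# Constructed assignments: the DevOps group from slide 20 plus a VM operator group.
ASSIGNMENTS = [
    RoleAssignment("devops-group", "Contributor", "/subscriptions/sub1/resourceGroups/DevOps"),
    RoleAssignment("vm-operators", "Virtual Machine Operator", "/subscriptions/sub1"),
]

# Constructed resource ids used for the checks below.
DEVOPS_VM = "/subscriptions/sub1/resourceGroups/DevOps/providers/Microsoft.Compute/virtualMachines/vm1"
PROD_VM = "/subscriptions/sub1/resourceGroups/Prod/providers/Microsoft.Compute/virtualMachines/vm2"


def action_matches(pattern: str, action: str) -> bool:
    """Azure action patterns are case-insensitive and '*' spans '/' separators."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def scope_covers(assignment_scope: str, target: str) -> bool:
    """An assignment applies to its scope and everything below it, compared
    segment-wise so /resourceGroups/DevOps does not cover /resourceGroups/DevOpsOld."""
    a = assignment_scope.lower().rstrip("/")
    t = target.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def role_permits(role: RoleDefinition, action: str) -> bool:
    """A role grants an action if some actions entry matches and no notActions entry does."""
    granted = any(action_matches(p, action) for p in role.actions)
    excluded = any(action_matches(p, action) for p in role.not_actions)
    return granted and not excluded


def is_allowed(principal: str, action: str, target_scope: str,
               assignments=ASSIGNMENTS, roles=ROLES) -> bool:
    """Effective rights are the union over all assignments covering the target.
    notActions narrow one role definition only; they never block another assignment."""
    return any(
        scope_covers(asg.scope, target_scope) and role_permits(roles[asg.role], action)
        for asg in assignments if asg.principal == principal
    )


if __name__ == "__main__":
    checks = [
        ("devops-group", "Microsoft.Compute/virtualMachines/write", DEVOPS_VM),
        ("devops-group", "Microsoft.Authorization/roleAssignments/write", DEVOPS_VM),
        ("devops-group", "Microsoft.Compute/virtualMachines/write", PROD_VM),
        ("vm-operators", "Microsoft.Compute/virtualMachines/start/action", PROD_VM),
        ("vm-operators", "Microsoft.Compute/virtualMachines/write", PROD_VM),
    ]
    for principal, action, scope in checks:
        print(f"{principal:13} {action:48} -> {is_allowed(principal, action, scope)}")
```

The point to take from the last check in the test: Contributor's notActions keep the DevOps group from writing role assignments, but adding a second assignment such as User Access Administrator on the same resource group hands that right back, because notActions subtract only within their own role definition and are not a deny. Reviewing which principals hold any role that grants Microsoft.Authorization write actions at a scope is therefore part of the "protect your IDs and implement RBAC" tip.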
  • 21.–22. #ExpertsLiveNO 5 tips and best practices (agenda recap; next topic: Use tags and policies)
  • 23. #ExpertsLiveNO Resource Tags
    - Name:Value, e.g. CostCenter:ProdIT, ResourceOwner:Tom
    - Help to define responsibility and view consolidated billing
    - Always tag RGs: Owner, Dept, CostCenter, […]
    - Tag resources as needed
    - Define tags in advance
  • 24. #ExpertsLiveNO Resource Policies
    - Rule enforcement on MG, subscription or RG level
    - Initiative definitions vs. Policy definitions
    - Effect types: Append, Deny, Audit
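To make the tag and policy slides (23 and 24) concrete, here is an added Python example, written for this page and not taken from the deck or the author's repository. It evaluates three policy rules written in Azure Policy's own rule syntax (field conditions with exists and notIn, and the Append, Deny and Audit effects named on slide 24) against constructed resource requests, and shows what each effect does to a request: Append fills in a missing Owner tag, Deny rejects a resource without a CostCenter tag, and Audit lets a resource outside the allowed regions through but records a non-compliance finding. The policy names, tag values and resource bodies are constructed; the evaluation order (Append before Deny before Audit) follows the documented Azure Policy order.

```python
import copy
import json

# Three policy rules in Azure Policy rule syntax (constructed for this example).
# The effects are the three named on slide 24: Append, Deny, Audit.
POLICIES = json.loads("""
[
  {"name": "require-costcenter-tag",
   "policyRule": {"if": {"field": "tags['CostCenter']", "exists": "false"},
                  "then": {"effect": "deny"}}},
  {"name": "default-owner-tag",
   "policyRule": {"if": {"field": "tags['Owner']", "exists": "false"},
                  "then": {"effect": "append",
                           "details": [{"field": "tags['Owner']", "value": "unassigned"}]}}},
  {"name": "audit-allowed-locations",
   "policyRule": {"if": {"field": "location", "notIn": ["westeurope", "northeurope"]},
                  "then": {"effect": "audit"}}}
]
""")

# Azure evaluates Append/Modify before Deny, and Deny before Audit.
EFFECT_ORDER = {"append": 0, "deny": 1, "audit": 2}


def _tag_key(field_name):
    """Return the tag name for a field like tags['CostCenter'], else None."""
    if field_name.startswith("tags['") and field_name.endswith("']"):
        return field_name[len("tags['"):-2]
    return None


def get_field(resource, field_name):
    key = _tag_key(field_name)
    return resource.get("tags", {}).get(key) if key else resource.get(field_name)


def set_field(resource, field_name, value):
    key = _tag_key(field_name)
    if key:
        resource.setdefault("tags", {})[key] = value
    else:
        resource[field_name] = value


def condition_matches(cond, resource):
    """Evaluate the 'if' block: logical operators plus the common field conditions."""
    if "allOf" in cond:
        return all(condition_matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_matches(cond["not"], resource)
    value = get_field(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    if "in" in cond:
        return value in cond["in"]
    if "notIn" in cond:
        return value not in cond["notIn"]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(resource, policies=POLICIES):
    """Return (decision, resource as it would be created, names of policies that fired)."""
    resource = copy.deepcopy(resource)   # the caller's request is never mutated
    findings = []
    ordered = sorted(policies, key=lambda p: EFFECT_ORDER[p["policyRule"]["then"]["effect"]])
    for policy in ordered:
        rule = policy["policyRule"]
        if not condition_matches(rule["if"], resource):
            continue
        effect = rule["then"]["effect"]
        if effect == "append":             # add missing fields, then keep evaluating
            for detail in rule["then"]["details"]:
                if get_field(resource, detail["field"]) is None:
                    set_field(resource, detail["field"], detail["value"])
        elif effect == "deny":             # reject the request outright
            return "deny", resource, findings + [policy["name"]]
        elif effect == "audit":            # allow, but record non-compliance
            findings.append(policy["name"])
    return "allow", resource, findings


# Constructed resource requests in the shape of ARM resource bodies.
TAGGED_STORAGE = {"name": "stprod01", "type": "Microsoft.Storage/storageAccounts",
                  "location": "westeurope", "tags": {"CostCenter": "ProdIT", "Owner": "Tom"}}
UNTAGGED_VM = {"name": "vm-adhoc", "type": "Microsoft.Compute/virtualMachines",
               "location": "westeurope"}
FAR_AWAY_VM = {"name": "vm-us", "type": "Microsoft.Compute/virtualMachines",
               "location": "eastus", "tags": {"CostCenter": "ProdIT"}}

if __name__ == "__main__":
    for request in (TAGGED_STORAGE, UNTAGGED_VM, FAR_AWAY_VM):
        decision, created, hits = evaluate(request)
        print(f"{request['name']:10} -> {decision:5} tags={created.get('tags')} policies={hits}")
```

Deny is the only effect that actually stops a deployment; Audit only shows up in the compliance view afterwards, which is why the slide's advice to define tags in advance pairs naturally with a Deny policy on the tags you consider mandatory and Audit for everything you only want to track.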
  • 25.–29. #ExpertsLiveNO 5 tips and best practices (agenda recaps around the Secure your network and Monitor your resources sections)
  • 32. #ExpertsLiveNO Cloud security starts with…
    "…challenges?"
    "…security by design?"
    "How do I figure out what I don't know?"
    "Who actually owns security?"
    "Not knowing where to start is my top AzSec challenge"
    "Are you ever done?"
    "It's not a security breach if it wasn't secure before!"
  • 33. #ExpertsLiveNO … infrastructure as code! https://github.com/azureandbeyond/AzureSecurity
  • 34. #ExpertsLiveNO Azure Security Services and Capabilities
    Network Security: Virtual Network Service Endpoints; DDoS Protection; Network Security Groups; NSG Service Tags; NSG Application Security Groups; NSG Augmented Rules; Global Virtual Network Peering; Azure DNS Private Zones; Site-to-Site VPN; Point-to-Site VPN; ExpressRoute; Azure Virtual Networks; Virtual Network Appliances; Azure Load Balancer; Azure Load Balancer HA Ports; Azure Application Gateway; Azure Firewall; Azure Web Application Firewall; Service Endpoints
    Monitoring and Logging: Azure Log Analytics; Azure Monitor; Network Watcher; VS AppCenter Mobile Analytics
    Compliance Program: Microsoft Trust Center; Service Trust Platform; Compliance Manager; Azure IP Advantage (legal)
    Identity and Access Management: Azure Active Directory; Azure Active Directory B2C; Azure Active Directory Domain Services; Azure Active Directory MFA; Conditional Access; Azure Active Directory Identity Protection; Azure Active Directory Privileged Identity Management; Azure Active Directory App Proxy; Azure Active Directory Connect; Azure RBAC; Azure Active Directory Access Reviews; Azure Active Directory Managed Service Identity
    Security Docs Site: Azure Security Information Site on Azure.com
    DDoS Mitigation: Azure DDoS Protection; Azure Traffic Manager; Autoscaling; Azure CDN; Azure Load Balancers; Fabric level edge protection
    Infrastructure Security: Comes with Azure Data Centers; Azure Advanced Threat Protection; Confidential Computing
    Pen Testing: Per AUP; Per TOS; No contact required
    Data Loss Prevention: Cloud App Discovery; Azure Information Protection
    Encryption: Azure Key Vault; Azure client-side encryption library; Azure Storage Service Encryption; Azure Disk Encryption; SQL Transparent Data Encryption; SQL Always Encrypted; SQL Cell/Column Level Encryption; Azure CosmosDB encrypt by default; Azure Data Lake encrypt by default; VPN protocol encryption (ssl/ipsec); SMB 3.0 wire encryption
    Configuration and Management: Azure Security Center; Azure Sentinel; Azure Resource Manager; Azure Resource Graph; ARM Management Groups; Azure Policy; Azure Blueprints; Azure Automation; Azure Advisor; Azure API Gateway
  • 35. Microsoft Azure Security Center
    - Dynamically discover and manage the security of your hybrid cloud workloads in a single cloud-based console
    - Enable actionable, adaptive protections that identify and mitigate risk to reduce exposure to attacks
    - Use advanced analytics and Microsoft Intelligent Security Graph to rapidly detect and respond to evolving cyber threats
  • 36. Detect and respond pipeline (diagram; labels as extracted): DETECT, RESPOND, Custom Alert Rules, Investigation, Automation & Orchestration, Enrichment, Prioritization, Threat Intelligence, Fusion, Alert Exploration, Built-in Analytics & Machine Learning, Search, Azure Security Center, Pipeline; data sources: Computers, Security Data & Alerts, REST APIs, Azure Services
  • 37.–38. Detect threats across the kill chain