Windows Azure and Office 365 are great cloud platforms to host both your internal and external applications on. And since it is managed by Microsoft, a number of security services and protection-services come as part of the service.
What are the security measures you need to focus on? How do you keep your applications and cloud infrastructure secure?
3. Industry Cloud Models
Infrastructure as a service
host
IaaS
Platform as a service
build
PaaS
Software as a service
consume
SaaS
Directory
Access control
Multi-factor authN
Rights mgmt
4. Cloud Security Concerns
Where is my data located?
Is the Microsoft cloud “secure”?
Who can see my data?
How do you make sure my company data follows “the rules”?
What happens if…
“Cloudy with a chance of Rain”, The Economist
5. Cloud Security Model
Less customer control, more trust on the provider
Physical
Network
Host
Application
Data
On-Premises
Customer
Microsoft
Physical
Network
Data
PaaS
Physical
Network
Host
Application
Data
SaaS
Host
Application
Physical
Application
Data
IaaS
Network
Host
6. Threats in the cloud: physical
Physical
Network
Hypervisor
Tenant 2Tenant 1
Internal
Azure
Management
Azure
Management
Azure
Management
Tenant 1
(corporate
network)
Azure
Mgmt
Tenant 1
(customers;
external employees)
vm stora
ge
site AD
vm stora
ge
site AD
Responsibilty?
7. Threats in the cloud: network
Physical
Network
Hypervisor
Tenant 2Tenant 1
Internal
Azure
Management
Azure
Management
Azure
Management
Tenant 1
(corporate
network)
Azure
Mgmt
Tenant 1
(customers;
external employees)
vm stora
ge
site AD
vm stora
ge
site AD
Examples:
• DNS Attack (spoofing)
• Network flooding
Responsibilty?
8. Threats in the cloud: management
Physical
Network
Hypervisor
Tenant 2Tenant 1
Internal
Azure
Management
Azure
Management
Azure
Management
Tenant 1
(corporate
network)
Azure
Mgmt
Tenant 1
(customers;
external employees)
vm stora
ge
site AD
vm stora
ge
site AD
Examples:
• Management workstations
compromised
• Admin account/certificate
compromised
Responsibilty?
9. Threats in the cloud: privacy
Physical
Network
Hypervisor
Tenant 2Tenant 1
Internal
Azure
Management
Azure
Management
Azure
Management
Tenant 1
(corporate
network)
Azure
Mgmt
Tenant 1
(customers;
external employees)
vm stora
ge
site AD
vm stora
ge
site AD
Examples:
• Local authorities at
datacenter-location
accessing your data
Responsibilty?
10. Threats in the cloud: admin misuse
Physical
Network
Hypervisor
Tenant 2Tenant 1
Internal
Azure
Management
Azure
Management
Azure
Management
Tenant 1
(corporate
network)
Azure
Mgmt
Tenant 1
(customers;
external employees)
vm stora
ge
site AD
vm stora
ge
site AD
Responsibilty?
11. Threats in the cloud: VM-escape
Physical
Network
Hypervisor
Tenant 2Tenant 1
Internal
Azure
Management
Azure
Management
Azure
Management
Tenant 1
(corporate
network)
Azure
Mgmt
Tenant 1
(customers;
external employees)
vm stora
ge
site AD
vm stora
ge
site AD
Responsibilty?
12. Threats in the cloud: exploiting unpatched
vulnerabities
Physical
Network
Hypervisor
Tenant 2Tenant 1
Internal
Azure
Management
Azure
Management
Azure
Management
Tenant 1
(corporate
network)
Azure
Mgmt
Tenant 1
(customers;
external employees)
vm stora
ge
site AD
vm stora
ge
site AD
Responsibilty?
13. Threats in the cloud: outgoing attacks
Physical
Network
Hypervisor
Tenant 2Tenant 1
Internal
Azure
Management
Azure
Management
Azure
Management
Tenant 1
(corporate
network)
Azure
Mgmt
Tenant 1
(customers;
external employees)
vm stora
ge
site AD
vm stora
ge
site AD
Responsibilty?
14. DataDefense in Depth
Approach
Physical
Application
Host
Network
Strong storage keys for access control
SSL support for data transfers between all parties
Front-end .NET framework code running under partial
trust
Windows account with least privileges
Stripped down version of Windows Server 2008 OS
Host boundaries enforced by external hypervisor
Host firewall limiting traffic to VMs
VLANs and packet filters in routers
World-class physical security
ISO 27001 and SAS 70 Type II certifications for datacenter
processes
Layer Defenses
Windows Azure Security Layers
15. Physical Security
Physical Data Center SSAE 16/ISAE 3402 Attestation and ISO 27001
Certified
Motion Sensors
24x7 protected Access
Biometric controlled access systems
Video Camera surveillance
Security breach alarms
16. Defenses Inherited by
Windows Azure Platform Applications
Spoofing
Tampering/
Disclosure
Elevation of
Privilege
Configurable
scale-out
Denial of
Service
VM switch
hardening
Certificate
Services
Shared-
Access
Signatures
HTTPS
Side
channel
protections
VLANs
Top of Rack
Switches
Custom
packet
filtering
Partial Trust
Runtime
Hypervisor
custom
sandboxing
Virtual
Service
Accounts
Repudiation
Monitoring
Diagnostics
Service
Information
Disclosure
HTTPS
Shared
Access
Signatures
17. Your responsibilities in the cloud
PaaS
SaaS
IaaS
Secure
Authentication
(multifactor authN)
Secure
Management
(limit nr of admins!)
Access
control Data
encryption
Application
Security
SDL Least
privilege
Pen-testing
Secure Configuration
(framework level)
Network access
Control (<ipsecurity>)
Patching!
Network access
Control (endpoint ACLs)
OS hardening
Site-to-site or
Point-to-site VPNs
Certs & storage keys
OS level authentication
18. Azure/O365 multifactor authentication
Microsoft provides a multi-factor authentication solution (phonefactor.net)
Multiple authentication solutions
SMS (OTP or notification (push))
Automated Call
Multifactor authentication App (Windows Phone, Android & iOS)
Cost: per user or per authentication
http://technet.microsoft.com/library/en-us/dn249471
22. Application mitigations
.Net framework provides numerous
mitigating functionality
Request validation
Header checking
Anti XSS encoders
Anti forgery tokens
Strong session management
…
Some features are not enabled by default or require
some configuration
One has to use them correctly and at the proper
moment
Know the impact of certain settings
Not every vulnerability can be covered by the .Net
framework
Rely on 3rd party libraries
Rely on own development
Test your applications!
23. Call to action
Is the Microsoft Cloud a good choice ?
Review:
http://azure.microsoft.com/en-us/support/trust-center/
http://office.microsoft.com/en-001/business/office-365-trust-center-
cloud-computing-security-FX103030390.aspx
Check Certifications
Microsoft will not solve everything for you!
Make the right choice: IAAS – PAAS – SAAS
24. How can The Security Factory help?
Development Security
Secure development (SDLC) and training
Application security testing
Environment Security
Security, authentication & authorization for cloud applications (Assessments, architecture,
design, testing)
Protect you internal network
Leverage existing investments
Infrastructure security testing
People Security
Security awareness
Social engineering testing
www.theSecurityFactory.be
25. Contact us
Raf Cox
The Security Factory
Veldkant – 2550 Kontich
raf.cox@cronos.be
www.theSecurityFactory.be