Windows Azure and Office 365 are great cloud platforms to host both your internal and external applications on. And since it is managed by Microsoft, a number of security services and protection-services come as part of the service. What are the security measures you need to focus on? How do you keep your applications and cloud infrastructure secure?

1. Cloud and security,
the mys(t)ery revealed
Raf Cox – Managing Partner

2. Overview
Introduction
Types of cloud
Control versus security responsibility
Threats in the cloud
Some best practices securing your cloud

3. Industry Cloud Models
Infrastructure as a service
host
IaaS
Platform as a service
build
PaaS
Software as a service
consume
SaaS
Directory
Access control
Multi-factor authN
Rights mgmt

4. Cloud Security Concerns
 Where is my data located?
 Is the Microsoft cloud “secure”?
 Who can see my data?
 How do you make sure my company data follows “the rules”?
 What happens if…
“Cloudy with a chance of Rain”, The Economist

5. Cloud Security Model
 Less customer control, more trust on the provider
Physical
Network
Host
Application
Data
On-Premises
Customer
Microsoft
Physical
Network
Data
PaaS
Physical
Network
Host
Application
Data
SaaS
Host
Application
Physical
Application
Data
IaaS
Network
Host

6. Threats in the cloud: physical
Physical
Network
Hypervisor
Tenant 2Tenant 1
Internal
Azure
Management
Azure
Management
Azure
Management
Tenant 1
(corporate
network)
Azure
Mgmt
Tenant 1
(customers;
external employees)
vm stora
ge
site AD
vm stora
ge
site AD
Responsibilty?

7. Threats in the cloud: network
Physical
Network
Hypervisor
Tenant 2Tenant 1
Internal
Azure
Management
Azure
Management
Azure
Management
Tenant 1
(corporate
network)
Azure
Mgmt
Tenant 1
(customers;
external employees)
vm stora
ge
site AD
vm stora
ge
site AD
Examples:
• DNS Attack (spoofing)
• Network flooding
Responsibilty?

8. Threats in the cloud: management
Physical
Network
Hypervisor
Tenant 2Tenant 1
Internal
Azure
Management
Azure
Management
Azure
Management
Tenant 1
(corporate
network)
Azure
Mgmt
Tenant 1
(customers;
external employees)
vm stora
ge
site AD
vm stora
ge
site AD
Examples:
• Management workstations
compromised
• Admin account/certificate
compromised
Responsibilty?

9. Threats in the cloud: privacy
Physical
Network
Hypervisor
Tenant 2Tenant 1
Internal
Azure
Management
Azure
Management
Azure
Management
Tenant 1
(corporate
network)
Azure
Mgmt
Tenant 1
(customers;
external employees)
vm stora
ge
site AD
vm stora
ge
site AD
Examples:
• Local authorities at
datacenter-location
accessing your data
Responsibilty?

10. Threats in the cloud: admin misuse
Physical
Network
Hypervisor
Tenant 2Tenant 1
Internal
Azure
Management
Azure
Management
Azure
Management
Tenant 1
(corporate
network)
Azure
Mgmt
Tenant 1
(customers;
external employees)
vm stora
ge
site AD
vm stora
ge
site AD
Responsibilty?

11. Threats in the cloud: VM-escape
Physical
Network
Hypervisor
Tenant 2Tenant 1
Internal
Azure
Management
Azure
Management
Azure
Management
Tenant 1
(corporate
network)
Azure
Mgmt
Tenant 1
(customers;
external employees)
vm stora
ge
site AD
vm stora
ge
site AD
Responsibilty?

12. Threats in the cloud: exploiting unpatched
vulnerabities
Physical
Network
Hypervisor
Tenant 2Tenant 1
Internal
Azure
Management
Azure
Management
Azure
Management
Tenant 1
(corporate
network)
Azure
Mgmt
Tenant 1
(customers;
external employees)
vm stora
ge
site AD
vm stora
ge
site AD
Responsibilty?

13. Threats in the cloud: outgoing attacks
Physical
Network
Hypervisor
Tenant 2Tenant 1
Internal
Azure
Management
Azure
Management
Azure
Management
Tenant 1
(corporate
network)
Azure
Mgmt
Tenant 1
(customers;
external employees)
vm stora
ge
site AD
vm stora
ge
site AD
Responsibilty?

14. DataDefense in Depth
Approach
Physical
Application
Host
Network
 Strong storage keys for access control
 SSL support for data transfers between all parties
 Front-end .NET framework code running under partial
trust
 Windows account with least privileges
 Stripped down version of Windows Server 2008 OS
 Host boundaries enforced by external hypervisor
 Host firewall limiting traffic to VMs
 VLANs and packet filters in routers
 World-class physical security
 ISO 27001 and SAS 70 Type II certifications for datacenter
processes
Layer Defenses
Windows Azure Security Layers

15. Physical Security
 Physical Data Center SSAE 16/ISAE 3402 Attestation and ISO 27001
Certified
 Motion Sensors
 24x7 protected Access
 Biometric controlled access systems
 Video Camera surveillance
 Security breach alarms

16. Defenses Inherited by
Windows Azure Platform Applications
Spoofing
Tampering/
Disclosure
Elevation of
Privilege
Configurable
scale-out
Denial of
Service
VM switch
hardening
Certificate
Services
Shared-
Access
Signatures
HTTPS
Side
channel
protections
VLANs
Top of Rack
Switches
Custom
packet
filtering
Partial Trust
Runtime
Hypervisor
custom
sandboxing
Virtual
Service
Accounts
Repudiation
Monitoring
Diagnostics
Service
Information
Disclosure
HTTPS
Shared
Access
Signatures

17. Your responsibilities in the cloud
PaaS
SaaS
IaaS
Secure
Authentication
(multifactor authN)
Secure
Management
(limit nr of admins!)
Access
control Data
encryption
Application
Security
SDL Least
privilege
Pen-testing
Secure Configuration
(framework level)
Network access
Control (<ipsecurity>)
Patching!
Network access
Control (endpoint ACLs)
OS hardening
Site-to-site or
Point-to-site VPNs
Certs & storage keys
OS level authentication

18. Azure/O365 multifactor authentication
 Microsoft provides a multi-factor authentication solution (phonefactor.net)
 Multiple authentication solutions
 SMS (OTP or notification (push))
 Automated Call
 Multifactor authentication App (Windows Phone, Android & iOS)
 Cost: per user or per authentication
http://technet.microsoft.com/library/en-us/dn249471

19. Azure/O365 multifactor authentication

20. Azure/O365 network security
• Setup site-to-site VPN
• Setup point-to-site VPN
• Configure endpoints
• Set ACL on end-points
• Configure Access through
<ipsecurity> element in
web.config
(no config possible)
1 NIC
ONLY!
PaaS
SaaS
IaaS

21. Application Security threats

22. Application mitigations
 .Net framework provides numerous
mitigating functionality
 Request validation
 Header checking
 Anti XSS encoders
 Anti forgery tokens
 Strong session management
 …
 Some features are not enabled by default or require
some configuration
 One has to use them correctly and at the proper
moment
 Know the impact of certain settings
 Not every vulnerability can be covered by the .Net
framework
 Rely on 3rd party libraries
 Rely on own development
 Test your applications!

23. Call to action
Is the Microsoft Cloud a good choice ?
Review:
http://azure.microsoft.com/en-us/support/trust-center/
http://office.microsoft.com/en-001/business/office-365-trust-center-
cloud-computing-security-FX103030390.aspx
Check Certifications
Microsoft will not solve everything for you!
Make the right choice: IAAS – PAAS – SAAS

24. How can The Security Factory help?
 Development Security
 Secure development (SDLC) and training
 Application security testing
 Environment Security
 Security, authentication & authorization for cloud applications (Assessments, architecture,
design, testing)
 Protect you internal network
 Leverage existing investments
 Infrastructure security testing
 People Security
 Security awareness
 Social engineering testing
www.theSecurityFactory.be

25. Contact us
Raf Cox
The Security Factory
Veldkant – 2550 Kontich
raf.cox@cronos.be
www.theSecurityFactory.be