Karl Ots has assessed the security of over 100 Azure solutions. He has found that there are 18 security pitfalls that are common across all industry verticals and company sizes. In this session, he will share what these security pitfalls are, why do they matter and how to mitigate them. As presented by Karl Ots in Techorama Belgium 2019 conference in Antwerpen.

1. Top 18 Azure security fails
and how to avoid them
Karl Ots

2. @fincooper

3. Top 9 Azure security fails
and how to avoid them
Karl Ots

4. @fincooper
Karl Ots
Chief Consulting Officer
karl.ots@zure.com
• Cloud & cybersecurity expert
• User group and conference organizer
• Patented inventor
• Working on Azure since 2011
• Helped to secure 100+ Azure applications, from startups to
Fortune 500 enterprises
• zure.ly/karl

5. @fincooper
13,7 100%
4,5 / 5 3 6.
32 / 36
experts years avg. Azure
satisfaction Azure MVPs GPTW

6. @fincooper
What to expect in this session
• Azure security landscape
• Top Azure security fails I have wondered upon in my adventures
• Why are they bad?
• How to fix them?
• Resources to help you secure your Azure environment, regardless of your
current status

7. @fincooper
With great power comes great responsibility

8. @fincooper
Secure DevOps kit for Azure (AzSK)
• Set of tools for assessing the security posture of your Azure environment
• Built by Microsoft Core Services Engineering
• Used to secure 1000+ Azure subscriptions at Microsoft
• Easy to get started with non-intrusive platform scans, expands end-to-end
tooling from developer machine to DevSecOps
• Most Azure security “fails” in this session can be detected by using AzSK

9. @fincooper
Security controls for Azure applications
Subscriptions
and Resource
Groups
AAD and RBAC
ARM Templates,
Policies and
Locks
Logging,
Alerting &
Auditing
Data Encryption
Backups &
Disaster
Recovery
Privacy &
Compliance
Network
security

10. @fincooper
Role Based Access Control
Role Scope Object
RBAC
Assignment

11. @fincooper
Role-Based Access Control
Subscription
Resource Groups
Resources
Owner
Can perform all management
operations for a resource and
its child resources including
access management and
granting access to others.
Contributor
Can perform all management
operations for a resource
including create and delete
resources. A contributor cannot
grant access to other.
Reader
Has read-only access to a
resource and its child resources.
A reader cannot read secrets.

12. @fincooper
RBAC Roles
• A collection of actions
• Microsoft.Compute/virtualMachines/*
• Microsoft.Compute/virtualMachines/start/action
• Microsoft.Network/virtualNetworks/read
• +70 built-in roles for Azure RBAC
• e.g. Virtual Machine Contributor, Backup Contributor, Security Reader, etc.

13. @fincooper
Manage to Least Privilege
Reader Resource-specific
or Custom role
Contributor Owner
Subscription
Resource Group
Resource

14. @fincooper
Security fail #1
• Unprotected public endpoints
• HTTP / RDP / SSH
• Mitigation:
• Every public IP is a risk and should be carefully reviewed
• Use Network Security Groups to control access to / from virtual machines
• Use Azure Security Center’s Just-in-time access to dynamically change NSG rules
• Use Web Application Firewall to control access to public HTTP endpoints
• Configure Service Endpoint Firewalls for PaaS services
• AzSK Control ID:
• Azure_Subscription_NetSec_Justify_PublicIPs

15. @fincooper

16. @fincooper
Security fail #2
• Every user is an Owner
• …In the Subscription scope
• Mitigation:
• Default access scope should be Resource Group, not Subscription
• Default RBAC access should be Contributor, not Owner
• Service Principal RBAC assignments should follow the least privileged principle
• Service Principals should NOT be granted access in the Subscription scope
• Service Principals should NOT be granted Owner access in any scope
• AzSK Control ID:
• Azure_Subscription_AuthZ_Justify_Admins_Owners

17. @fincooper
Security fail #3
• Custom roles
• Mitigation:
• Do not use custom RBAC roles
• Use careful scoping for built-in RBAC rules
• AzSK Control ID:
• Azure_Subscription_AuthZ_Custom_RBAC_Roles

18. @fincooper

19. @fincooper
Security fail #4
• Untrusted authorization provider being used
• (Microsoft Account, Gmail, unmanaged or external Azure AD…)
• Mitigation:
• Always use trusted Azure AD authentication that is managed by your organization
• Monitor Azure Subscription access using AAD PIM
• AzSK control ID:
• Azure_Subscription_AuthZ_Dont_Use_NonAD_Identities

20. @fincooper

21. @fincooper
Security fail #5
• Credentials in code
• Mitigation:
• Storage Access Keys should be stored in Azure Key Vault and rotated programmatically
• Use data pane RBAC roles (new)
• Restrict access to Microsoft.Storage/storageAccounts/listkeys/action using RBAC
• AzSK control ID:
• Azure_Storage_DP_Rotate_Keys

22. @fincooper
Security fail #6
• Insufficient monitoring
• Mitigation:
• Configure Activity Log retention, default is only 90 days!
• Enable Azure SQL Audit logging
• Monitor all HTTP endpoint traffic with Application Gateway / Web Application Firewall
• AzSK control ID’s
• Azure_AppService_Configure_Important_Alerts
• Azure_Subscription_Config_Azure_Security_Center
• Azure_SQLDatabase_Audit_Enable_Threat_Detection_Server

23. @fincooper

24. @fincooper
Security fail #7
• Insufficient alerting
• Mitigation:
• Enable Application Insight Smart Alerts
• Enable Advanced Treat Protection for Azure SQL and Storage Accounts
• Enable Service Health Alerts
• Enable custom Activity Log Alerts
• AzSK control ID’s
• Azure_Subscription_Config_Azure_Security_Center
• Azure_SQLDatabase_Audit_Enable_Threat_Detection_Server

25. @fincooper

26. @fincooper
Security fail #8
• No network controls for PaaS storage
• STRIDE threat categorization:
• Information Disclosure
• Mitigation:
• Enable Firewall for your storage layer services
• When using SAS tokens, enable IP restriction
• AzSK Control ID’s:
• Azure_CosmosDB_AuthZ_Enable_Firewall
• Azure_SQLDatabase_AuthN_Dont_Use_SQL_AuthN
• Azure_DataLakeStore_AuthZ_Enable_Firewall

27. @fincooper

28. @fincooper
Security fail #9
• Missing Virtual Machine updates
• STRIDE threat categorization:
• Information Disclosure
• Elevation of Privilege
• Mitigation:
• Update management
• Azure Security Center

29. @fincooper
Secure DevOps kit for Azure (AzSK)
• Set of tools for assessing the security posture of your Azure environment
• Built by Microsoft Core Services Engineering
• Used to secure 1000+ Azure subscriptions at Microsoft
• Easy to get started with non-intrusive vulnerability scans, expands end-to-
end tooling from developer machine to CI/CD to continuous assurance

30. @fincooper
Resources
• My slides: zure.ly/karl/slides
• Secure DevOps Kit for Azure:
• azsk.azurewebsites.net
• Microsoft Ignite 2018 session THR2104 Assess your Microsoft Azure security
like a pro:
• zure.ly/karl/THR2104
• Whitepaper: Develop Secure Applications on Azure:
• zure.ly/karl/secureapps