This presentation guides security experts and developers in protecting PaaS deployments against security threats. It also introduces threat modeling.
2. About Me
• Passionate about software product and security engineering on cloud.
• Microsoft MVP (2011 – Now)
• Blog at http://thuansoldier.net
• Twitter at @nnthuan
3. I’m not going to…
• introduce myself as a hacker or script kiddie
• blame developers on security unawareness making the software vulnerable
• talk about coding security practice
• bring information security management (e.g. Compliance, Risk, Regulation…)
5. My security principles
• Security is not a silver bullet
• Security must come first from your awareness
• Security by default before security by design
• No pain no gain if you dare
6. Why Security? …think about the impact
• System gets hacked
• Operational Impact: Down service; Your data is compromised
• Business Impact: Sell to competitor; Down reputation; Money loss
10. …it does not mean
• Azure is unbreakable
• Your system is impervious
• No security concern for PaaS because no one has access to any kind of Azure compute like IaaS
• Underlying infrastructure takes care of the network and DDoS-type attacks
15. PaaS Security Challenges
• PaaS is a horizontal plane when implementing.
• Everything has a dedicated flat.
• Designed to leverage platform strengths
• No one really wraps each other like IaaS (e.g. a VM is wrapped in a subnet in a virtual network).
• Arbitrary only, without a systematic approach
• Before protecting your PaaS, you need to identify your inherent weaknesses.
• Threat modeling is an approach to identifying your PaaS deployment’s threats.
16. When thinking about Threat Model for PaaS?
• When you would like to answer some of the following questions:
• Where to get started with your PaaS security?
• What can go wrong with what you are building?
• What should you do to mitigate those things that can go wrong?
• What is a structured approach to building a defense framework?
• Part of SSDL (Security Software Development Lifecycle)
• Repeatable way to identify attack surface
• Mitigation and acceptance criteria
17. Threat Modeling Process
1. Create high-level diagram
2. Identify your valuable assets
3. Create Data Flow Diagram
4. Find your threats
5. Manage and address threats
18. What are you going to build?
[Diagram: Browser, App Service, SQL Database; then Browser, Web Front-End, Service/Business Logic, SQL Database]
19. …can be more complex
[Diagram: Browser, Web Front-End, Service/Business Logic (iDP), SQL Database, Blob Storage, Web Job (Pull), SharePoint Online]
What would go wrong? Who controls what?
• Who has the right to modify my database?
• What is the attacker’s target?
• What is the potential threat when pulling data from Web Job?
20. Improving the diagram with boundaries
[Diagram: Browser, Web Front-End, Service/Business Logic, SQL Database, Blob Storage, Web Job (Pull, Push), SharePoint Online; boundaries: App Service, Storage]
21. Trust Boundary
• Adding a trust boundary identifies the attack surface.
• Answers who controls what
• Without trust boundaries, your system appears to expose a large attack surface.
• If there is a ‘talk’, add a boundary
• Web master/admin talks to administrator portal
• Web talks to business logic
• Service instance talks to database
[Diagram: Attacker, Database Boundary, Application Boundary]
22. Defining Data Flow Diagram (DFD)
[Diagram: Browser, Web Front-End, Service/Business Logic, SQL Database, Identity Provider; boundaries: App Service, Storage; flows numbered 1 to 4; label: External Entity]
23. Defining Data Flow Diagram (DFD)
[Diagram: Web Client, Web Master, Front-End Web, Service/API, Database, Database Admin, Data Log; legend: External Entity, Trust Boundary, Data Flow, Process Entity, Data Store]
24. Approach to drawing DFD
• Asset-centric
• Things attackers want
• Things you want to protect
• Stepping stones to either of these
• Software-centric
• Without software-centric, asset-centric would only focus on system credentials and database.
• Includes not only assets but also other connections and software flows.
• Can be either DFD, UML or Swim Lanes Diagram
• Attack-centric
• Identify potential attackers (from the connection, community, intelligence databases)
• Not recommended, but good to know
[Diagram: Things you protect, Stepping stone, Things attacker want]
25. STRIDE methodology
• Spoofing: Pretending to be something or someone other than yourself
• Tampering: Modifying something on data, system configuration.
• Repudiation: Claiming that you didn’t do something, or were not responsible
• Information Disclosure: Providing information to someone not authorized to see it
• Denial of Service: Absorbing resources needed to provide service
• Elevation of Privilege: Allowing someone to do something they’re not authorized to do
26. STRIDE Analysis - Spoofing
[Diagram: DFD from slide 22; threat annotation: Claim to be a database admin]
27. STRIDE Analysis - Tampering
[Diagram: DFD from slide 22]
28. STRIDE Analysis - Tampering
[Diagram: DFD from slide 22; threat annotation: Repudiate to be a new DB admin]
29. STRIDE Analysis – Information Disclosure
[Diagram: DFD from slide 22; threat annotation: Read userInfo table over injection]
30. STRIDE Analysis – Denial of Service
[Diagram: DFD from slide 22; threat annotation: Deny of SQL service over Internet]
31. STRIDE Analysis – Elevation of Privilege
[Diagram: DFD from slide 22; threat annotation: Execute T-SQL query]
32. Microsoft Threat Modeling Tool
• Provides stencils to model your threats
• Uses STRIDE per Interaction
• Analysis View + Threat Lists provide threats per diagram
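The STRIDE pass from slides 25 to 31, run over the slide 22 DFD, as an added example (not from the original deck and not the Microsoft tool's logic). It uses the simpler, commonly used STRIDE-per-element chart rather than STRIDE per Interaction; the element names come from the slides, while the boundary assignments and the flow list are assumptions.

```python
from dataclasses import dataclass

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial of Service",
          "E": "Elevation of Privilege"}

# STRIDE-per-element chart: which categories apply to which DFD shape.
# Repudiation on a data store matters mainly when the store holds logs.
APPLIES = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str      # "external", "process" or "store"
    boundary: str  # trust boundary the element sits in (assumed placement)

ELEMENTS = {e.name: e for e in [
    Element("Browser", "external", "Internet"),
    Element("Identity Provider", "external", "Internet"),
    Element("Web Front-End", "process", "App Service"),
    Element("Service/Business Logic", "process", "App Service"),
    Element("SQL Database", "store", "Storage"),
]}

# Assumed data flows (the slide numbers four flows but does not label them).
FLOWS = [("Browser", "Web Front-End"),
         ("Web Front-End", "Identity Provider"),
         ("Web Front-End", "Service/Business Logic"),
         ("Service/Business Logic", "SQL Database")]

def crossing_flows():
    """Flows whose endpoints sit in different trust boundaries (attack surface)."""
    return [(s, d) for s, d in FLOWS
            if ELEMENTS[s].boundary != ELEMENTS[d].boundary]

def threats():
    """One (target, category) row per applicable STRIDE letter."""
    rows = [(e.name, STRIDE[c]) for e in ELEMENTS.values() for c in APPLIES[e.kind]]
    rows += [(f"{s} -> {d}", STRIDE[c])
             for s, d in crossing_flows() for c in APPLIES["flow"]]
    return rows

if __name__ == "__main__":
    for target, category in threats():
        print(f"{target:45} {category}")
```

Each printed row is a question to answer with a mitigation or an explicit acceptance, which is the "Manage and address threats" step of the process.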
35. Authentication
• You can build your own identity
• Use Azure Active Directory to transfer threats to Microsoft
• Bring Trust Center
• Encryption stuff
• Azure AD is your central identity and access management
• Certificate-based mutual authentication
[Diagram: Web Front-End, Azure Active Directory, Azure SQL Database]
36. Azure Active Directory Threats?
• Does using Azure AD introduce threats?
• Client ID + Client Secret can be the stepping stone.
• Someone might claim to be an Azure global administrator.
• Someone might claim to be your end-user.
<appSettings>
<add key="AzureSubscriptionId" value="2ll0cb59-ed12-4755-a3zc-352z212fbafc" />
<add key="AzureTenantId" value="00087603-0fc0-4103-bd94-cdffllfb2226" />
<add key="AzureClientId" value="034boi383-dl20-4bf0-a78d-6d89c7de2d24" />
<add key="AzureClientSecret" value="64x6MsdDBmBg5sfej6z3rMCiUkgfVcZ42L000=" />
</appSettings>
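A check for the weakness shown in the appSettings block above, as an added example (not from the original deck): it parses a web.config-style file and reports settings that hold a literal credential. The sample file, the key-name patterns and the entropy threshold are assumptions constructed for the example.

```python
import math
import re
import xml.etree.ElementTree as ET

# Constructed sample in the slide's format; every value below is made up.
SAMPLE = """<configuration>
  <appSettings>
    <add key="AzureTenantId" value="00000000-0000-0000-0000-000000000000" />
    <add key="AzureClientId" value="11111111-1111-1111-1111-111111111111" />
    <add key="AzureClientSecret" value="c0nstructedExampleSecretValue9Zq7Lw2+/k=" />
    <add key="StorageConnection" value="" />
    <add key="SessionSalt" value="Zx8Q2mVt7Lk4Rp9Ws3Yb6Nc1Hd5Jf0Ga" />
  </appSettings>
</configuration>"""

# Assumed heuristics: key names that usually carry credentials, and the GUID
# shape used by tenant/client identifiers (identifiers, not credentials).
SECRET_NAME = re.compile(r"secret|password|pwd|api_?key|connection|token", re.I)
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def entropy(s):
    """Shannon entropy in bits per character."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def find_hardcoded_secrets(xml_text, min_entropy=4.0, min_len=20):
    """Return (key, reason) for each setting that stores a literal credential."""
    findings = []
    for add in ET.fromstring(xml_text).iter("add"):
        key, value = add.get("key", ""), add.get("value", "")
        if not value:
            continue  # empty value: expected to be supplied outside the file
        if SECRET_NAME.search(key):
            findings.append((key, "secret-like key name with literal value"))
        elif (not GUID.match(value) and len(value) >= min_len
              and entropy(value) >= min_entropy):
            findings.append((key, "high-entropy literal value"))
    return findings

if __name__ == "__main__":
    for key, reason in find_hardcoded_secrets(SAMPLE):
        print(f"{key}: {reason}")
```

Run against files in source control or build artifacts, a check like this catches the client secret before it becomes the stepping stone the slide describes.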
37. Demo
• Authenticate to Azure resources via clientID & clientSecret
• Work with Azure AD B2C
38. Azure Authentication Threat Mitigation
• Azure AD by Managed Service Identity
• Azure Resource Manager
• Azure Key Vault
• Azure Data Lake
• Azure SQL
• Azure Event Hubs
• Azure Service Bus
• Use certificate rather than client ID + client secret
• To protect identity
• Enable MFA for your global administrator
• Enable Azure AD Premium to gain benefit of Conditional Access
[Diagram: Azure App Service, http://localhost/oauth2/token, Credentials, Azure Service, Azure (inject and roll credentials); steps numbered 1 to 3]
39. Integrity
• Identity & Authentication Provider
• Azure Active Directory
• Web boundary
• Azure App Service Plan
• Web Job
• Azure Functions
• API
• Storage
• Azure Storage
• Azure SQL Database (Threat Detection to mitigate SQL Injection).
• Encryption in transit
[Diagram: Web Front-End, Service/Business Logic, Azure SQL Database; Upload: authorized user (admin, webmaster) Allow, unauthorized user Deny]
40. Confidentiality
• What needs to be confidential?
• System configuration
• Database
• HTTP Request
• API
• Source Code
• Use Azure Key Vault for secret and key management
• Encryption at Rest (Azure Blob, SQL Database)
• Implement DevOps Security
41. Azure Key Vault Overview
• An additional protection layer for your secrets
• Secret should be only
• Database connection string
• Redis Cache Key
• Shared Access Signature
• API Key
• System/Service Principal Credential
• Public certificate (used to encrypt/decrypt with private key)
• Key types:
• RSA: a 2048-bit RSA key (soft-key)
• EC: Elliptic Curve
• Certificate is used for encryption/decryption or signing
42. Azure Key Vault Flow
[Diagram, Traditional: Azure App Service, Database Connection String, Retrieve, Azure SQL Database]
[Diagram, With KV: Azure App Service, Get access token, authorize, Check permission, Return secret, Access/query]
43. Azure Key Vault Threats
• Password stripping if storing your private key as a secret
• Read more about it (http://thuansoldier.net/?p=7462)
• A single point of failure if retrieving secret by client ID and client secret
• Use Azure Managed Service Identity
• Use certificate-based authentication (where the certificate is uploaded to the App certificate store)
• Azure Key Vault can be abused as secret-as-a-service
• Attractive target to both internal and external attackers
44. Azure Key Vault Integration
• Azure SQL Database
• Bring your Own Key (BYOK)
• Transparent Data Encryption (TDE)
• Azure Blob Storage
• Managed secret (with your own key)
• Azure API Management
• Inbound Policy
45. App Service + MSI + Key Vault
• Create an app service and key vault
• Enable MSI
• Use AzureServiceTokenProvider to get access token locally
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
var azureServiceTokenProvider = new AzureServiceTokenProvider();
string accessToken = await azureServiceTokenProvider.GetAccessTokenAsync("https://management.azure.com/");
• Get authentication callback to be used with KeyVaultClient
var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
• Get secret value
var secret = await keyVaultClient.GetSecretAsync("secret identifier");
46. Non-repudiation
• Fraud prevention
• Well-managed Access Control
• Fewer passwords, more certificate-based
• Who is your administrator?
• Only if that administrator uses his phone (MFA)
47. Availability
• User credentials targeted via brute-force attack
• Brute-force attack mitigation with Conditional Access
• MFA enabled
• Web Front-end
• Content Delivery Network
• Azure Application Gateway
• Web configuration (Dynamic, IP filtering…)
• SQL Database
• Control inbound network (with service endpoint)
• Azure API Management
52. Big threats still exist in development (sample)
• Developer workstation is compromised
• Source code leakage
• Bad coding security practice
• Manual Subscription access control
• Discontinuous security scanning
53. DevOps + Security: DevSecOps
• Dev: Software releases & updates
• Ops: Reliability, performance & scaling
• Sec: Confidentiality, Availability and Integrity
• Make sure your code is both manually and dynamically scanned.
• Continuous vulnerability assessment
• Work with the Security Engineer team for better security & protection.
• Eliminate double effort for code refactoring after security assessment
55. DevSecOps Kit for Azure
• Subscription Security (Policy, ASC Config, Alerts, RBAC, etc.): Scan and remediate security at subscription level with the AzSK PowerShell module
• Security IntelliSense, Security Verification Test (SVTs): Integrate IDE extensions & automated security scanning with PowerShell during development.
• CICD Build/Release Extensions: Implement security pipeline with Security extension in VSTS or other 3rd parties.
• Continuous Assurance Runbooks: Periodically scan in production to watch for drift
• OMS Solution for Alerting & Monitoring: Build OMS to visualize security dashboard across DevOps stage
• Cloud Risk Governance: Make data-driven improvements to security
57. DevSecOpoly Game
• Created by Mark Miller (https://www.linkedin.com/pulse/devsecopoly-anyone-mark-miller/)
• Gameplay is like Monopoly
• An entertaining way for people to step up to DevOps + Security.
58. Key takeaways
• Threat modeling is very helpful for PaaS threat identification.
• Download Microsoft Threat Modeling tool here
• Transfer as many of your threats as possible to Microsoft Azure (cost may increase).
• Implement Security Software Development Lifecycle
• Refer to Microsoft SDL here
• DevOps Security is always recommended.