Make your PaaS Deployment More Safe
About Me

• Passionate about software product and security engineering on cloud.
• Microsoft MVP (2011 – Now)
• Blog at http://thuansoldier.net
• Twitter at @nnthuan
I’m not going to…

• introduce myself as a hacker or script kiddie
• blame developers for the security unawareness that makes software vulnerable
• talk about secure coding practice
• bring in information security management (e.g. Compliance, Risk, Regulation…)

Please interrupt me anytime for open discussion, even if I’m wrong.
My security principles

• Security is not a silver bullet.
• Security must come first from your awareness.
• Security by default before security by design.
• No pain, no gain, if you dare.
Why Security?

…think about the impact:

[Diagram: System gets hacked / Service goes down / Your data is compromised → Operational impact and Business impact → Sold to a competitor / Reputation damage / Money loss]

Is your application impervious?
Physical Security

• Physical data center: SSAE 16/ISAE 3402 attestation and ISO 27001 certified
• Motion sensors
• 24x7 protected access
• Biometric controlled access systems
• Video camera surveillance
• Anti-passback and mantraps
• Security breach alarms
• Low-key appearance

Azure Compliance

[Table of compliance offerings in three columns: Industry, United States, Regional; the entries themselves are not in the extracted text]
…it does not mean

• Azure is unbreakable
• Your system is impervious
• There is no security concern for PaaS because no one has access to any kind of Azure compute, as there is with IaaS
• The underlying infrastructure takes care of the network and of DDoS attacks

Understand shared responsibility

• Data governance & rights management
• Client endpoints
• Account & access management
Threat Modeling Approach

..if IaaS

[Diagram: nested layers for IaaS: Defense System, HAZ Zone, Agency Network, Your Defense System, Virtual Machine]

…how about PaaS

PaaS Security Challenges

• PaaS is a horizontal plane when implementing.
• Everything has its own dedicated flat.
• Designed to leverage platform strengths.
• Nothing really wraps anything else as in IaaS (e.g. a VM is wrapped in a subnet in a virtual network).
• Arbitrary only, without a systematic approach.
• Before protecting your PaaS, you need to identify your inherent weaknesses.
• A threat model is an approach to identifying your PaaS deployment’s threats.
When thinking about Threat Model for PaaS?

• When you would like to answer some of the following questions:
  • Where to get started with your PaaS security?
  • What can go wrong with what you are building?
  • What should you do to mitigate those things that can go wrong?
  • What is a structured approach to building a defense framework?
• Part of the SSDL (Security Software Development Lifecycle)
• Repeatable way to identify the attack surface
• Mitigation and acceptance criteria

Threat Modeling Process

1. Create a high-level diagram
2. Identify your valuable assets
3. Create a Data Flow Diagram
4. Find your threats
5. Manage and address threats
What are you going to build?

[Diagram: Browser → App Service → SQL Database]
[Diagram: Browser → Web Front-End → Service/Business Logic → SQL Database]

…can be more complex

[Diagram: Browser → Web Front-End → Service/Business Logic (IdP) → SQL Database; Blob Storage; a Web Job that pulls data from SharePoint Online]

What would go wrong? Who controls what?

• Who has the right to modify my database?
• What is the attacker’s target?
• What is the potential threat when pulling data from the Web Job?
Improving the diagram with boundaries

[Diagram: Browser → Web Front-End → Service/Business Logic → SQL Database; Blob Storage; Web Job pulls from and pushes to SharePoint Online; trust boundaries drawn around App Service and Storage]

Trust Boundary

• Adding a trust boundary is how you identify the attack surface.
• It answers “who controls what”.
• Without trust boundaries, your system appears to expose a very large attack surface.
• If there is a ‘talk’, add a boundary:
  • Web master/admin talks to the administrator portal
  • Web talks to business logic
  • Service instance talks to the database

[Diagram: Attacker, Application Boundary, Database Boundary]
Defining Data Flow Diagram (DFD)

[Diagram: Browser, Web Front-End, Service/Business Logic, SQL Database and an Identity Provider (external entity), connected by four numbered data flows (1–4), with trust boundaries around App Service and Storage]

Defining Data Flow Diagram (DFD)

[Diagram: Web Client and Web Master (external entities) → Front-End Web → Service/API → Database; Database Admin (external entity) → Database; Data Log (data store)]

Legend:
• External Entity
• Trust Boundary
• Data Flow
• Process Entity
• Data Store
Approach to drawing DFD

• Asset-centric
  • Things the attacker wants
  • Things you want to protect
  • Stepping stones to either of these
• Software-centric
  • Without the software-centric view, the asset-centric view would only focus on system credentials and the database.
  • Includes not only assets but also the other connections and software flows.
  • Can be a DFD, UML or swim-lane diagram
• Attack-centric
  • Identify potential attackers (from the connection, community, intelligence databases)
  • Not recommended, but good to know

[Diagram: three overlapping circles: Things you protect, Stepping stone, Things attacker want]
STRIDE methodology

• Spoofing: pretending to be something or someone other than yourself
• Tampering: modifying something, on data or system configuration
• Repudiation: claiming that you didn’t do something, or were not responsible
• Information Disclosure: providing information to someone not authorized to see it
• Denial of Service: absorbing resources needed to provide service
• Elevation of Privilege: allowing someone to do something they’re not authorized to do
STRIDE Analysis – Spoofing

[Diagram: the DFD above (Browser, Web Front-End, Service/Business Logic, SQL Database, Identity Provider; flows 1–4; App Service and Storage boundaries)]
Example threat: claim to be a database admin

STRIDE Analysis – Tampering

[Diagram: the same DFD]

STRIDE Analysis – Repudiation

[Diagram: the same DFD]
Example threat: repudiate being a new DB admin

STRIDE Analysis – Information Disclosure

[Diagram: the same DFD]
Example threat: read the userInfo table over injection

STRIDE Analysis – Denial of Service

[Diagram: the same DFD]
Example threat: deny the SQL service over the Internet

STRIDE Analysis – Elevation of Privilege

[Diagram: the same DFD]
Example threat: execute a T-SQL query
Microsoft Threat Modeling Tool

• Provides stencils to model your threats
• Uses STRIDE per interaction
• Analysis View + Threat Lists provide the threats per diagram
Threat Trees

[Diagram: threat trees; details not in the extracted text]

Threat Mitigation Tactics

Threat → property that mitigates it
• Spoofing → Authentication
• Tampering → Integrity
• Repudiation → Non-repudiation
• Information Disclosure → Confidentiality
• Denial of Service → Availability
• Elevation of Privilege → Authorization
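The tool's "STRIDE per interaction" and the table above can be run by hand over the deck's DFD. The following is an added example, not code from the slides: it takes the deck's DFD elements (Browser, Web Front-End, Service/Business Logic, SQL Database, Identity Provider) and its threat-to-property table, enumerates threats only for interactions that cross a trust boundary, and then lists which of the six properties the design must provide and for what. The rule of which threats apply to which element kind is the usual STRIDE-per-element convention and is an assumption here; the boundary names and flow labels are constructed.

```python
"""STRIDE per interaction over a small data flow diagram (DFD).

Added example for this deck, not code from the slides. The elements are the
ones on the deck's DFD and the threat -> property table is the deck's
"Threat Mitigation Tactics". Which threats apply to which element kind is
the usual STRIDE-per-element convention and is an assumption here; the flow
labels and trust-boundary names are constructed for the example.
"""
from dataclasses import dataclass

# Threat -> property that mitigates it (the deck's Threat Mitigation Tactics table).
MITIGATING_PROPERTY = {
    "Spoofing": "Authentication",
    "Tampering": "Integrity",
    "Repudiation": "Non-repudiation",
    "Information Disclosure": "Confidentiality",
    "Denial of Service": "Availability",
    "Elevation of Privilege": "Authorization",
}

# Threats that apply to each DFD element kind (STRIDE-per-element; assumption).
THREATS_BY_KIND = {
    "external": {"Spoofing", "Repudiation"},
    "process": set(MITIGATING_PROPERTY),  # a process is exposed to all six
    "store": {"Tampering", "Repudiation", "Information Disclosure", "Denial of Service"},
    "flow": {"Tampering", "Information Disclosure", "Denial of Service"},
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str       # "external" | "process" | "store"
    boundary: str   # trust boundary the element sits in


@dataclass(frozen=True)
class Flow:
    number: int
    source: Element
    target: Element
    label: str


def threats_for_flow(flow):
    """Threats for one interaction, keyed by the thing under threat.

    Only interactions that cross a trust boundary are analysed; a flow that
    stays inside one boundary (front-end to business logic in the same
    App Service) returns an empty dict.
    """
    if flow.source.boundary == flow.target.boundary:
        return {}
    subjects = {
        f"flow {flow.number}: {flow.label}": THREATS_BY_KIND["flow"],
        flow.source.name: THREATS_BY_KIND[flow.source.kind],
        flow.target.name: THREATS_BY_KIND[flow.target.kind],
    }
    return {subject: sorted(threats) for subject, threats in subjects.items()}


def analyse(flows):
    """STRIDE per interaction for the whole diagram: flow number -> threats."""
    result = {}
    for flow in flows:
        threats = threats_for_flow(flow)
        if threats:
            result[flow.number] = threats
    return result


def required_properties(analysis):
    """Which of the six properties the design must provide, and for what."""
    needed = {}
    for subjects in analysis.values():
        for subject, threats in subjects.items():
            for threat in threats:
                needed.setdefault(MITIGATING_PROPERTY[threat], set()).add(subject)
    return {prop: sorted(subs) for prop, subs in sorted(needed.items())}


# The deck's DFD elements. Boundary names and flow labels are constructed.
BROWSER = Element("Browser", "external", "Internet")
IDP = Element("Identity Provider", "external", "Identity Provider")
FRONT_END = Element("Web Front-End", "process", "App Service")
LOGIC = Element("Service/Business Logic", "process", "App Service")
DATABASE = Element("SQL Database", "store", "Storage")

DECK_FLOWS = [
    Flow(1, BROWSER, FRONT_END, "HTTP request"),
    Flow(2, FRONT_END, IDP, "authenticate user"),
    Flow(3, FRONT_END, LOGIC, "internal call"),   # same boundary: not analysed
    Flow(4, LOGIC, DATABASE, "T-SQL query"),
]

if __name__ == "__main__":
    analysis = analyse(DECK_FLOWS)
    for number, subjects in analysis.items():
        print(f"flow {number}")
        for subject, threats in subjects.items():
            print(f"  {subject}: {', '.join(threats)}")
    for prop, subjects in required_properties(analysis).items():
        print(f"{prop}: {', '.join(subjects)}")
```

Flow 3 produces nothing because both ends sit inside the App Service boundary, which is the point of drawing the boundaries first: the threats the deck illustrates (spoofing a database admin, reading the userInfo table, denying the SQL service) all land on flow 4 and on the SQL Database store, and the output shows that Availability and Confidentiality must be designed in for that store.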
Authentication

• You can build your own identity
• Use Azure Active Directory to transfer threats to Microsoft
• Bring in the Trust Center
• Encryption stuff
• Azure AD is your central identity and access management
• Certificate-based mutual authentication

[Diagram: Web Front-End ↔ Azure Active Directory ↔ Azure SQL Database]

Azure Active Directory Threats?

• Does Azure AD have threats if it is used?
• Client ID + Client Secret can be the stepping stone.
• Someone might claim to be an Azure global administrator.
• Someone might claim to be your end-user.
Demo

  <appSettings>
    <add key="AzureSubscriptionId" value="2ll0cb59-ed12-4755-a3zc-352z212fbafc" />
    <add key="AzureTenantId" value="00087603-0fc0-4103-bd94-cdffllfb2226" />
    <add key="AzureClientId" value="034boi383-dl20-4bf0-a78d-6d89c7de2d24" />
    <add key="AzureClientSecret" value="64x6MsdDBmBg5sfej6z3rMCiUkgfVcZ42L000=" />
  </appSettings>

• Authenticate to Azure resources via clientID & clientSecret
• Work with Azure AD B2C
Azure Authentication Threat Mitigation

• Azure AD by Managed Service Identity, for:
  • Azure Resource Manager
  • Azure Key Vault
  • Azure Data Lake
  • Azure SQL
  • Azure Event Hubs
  • Azure Service Bus
• Use a certificate rather than client ID + client secret
• To protect identity:
  • Enable MFA for your global administrators
  • Enable Azure AD Premium to gain the benefit of Conditional Access

[Diagram: Managed Service Identity. Azure injects and rolls credentials into the Azure App Service; the app obtains a token from the local endpoint http://localhost/oauth2/token and presents it to the Azure service]
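The demo config above ships a client ID and client secret with the application, which is exactly the stepping stone the "Azure Active Directory Threats?" slide names; the mitigation is to move the app to Managed Service Identity so that no credential sits in configuration. The following added example (not the deck's code) is the kind of check a DevSecOps pipeline, as described in the later DevSecOps slides, would run over source before release: it parses a .NET appSettings section and flags settings whose name or value looks like an embedded credential, shown against a constructed vulnerable config and the hardened MSI + Key Vault config. Both sample configs are constructed and every value in them is a placeholder.

```python
"""Flag long-lived credentials embedded in a .NET appSettings section.

Added example, not the deck's code. The deck's demo keeps AzureClientId and
AzureClientSecret in appSettings; the later slides move the app to Managed
Service Identity and Key Vault so that no credential ships with the
configuration. This scanner is the kind of check a DevSecOps pipeline runs
over source before release. Both sample configs are constructed and every
value in them is a placeholder.
"""
import re
import xml.etree.ElementTree as ET

# Setting names that usually carry a credential (the client secret itself, or
# a storage/SAS key that becomes the "stepping stone" once it leaks).
CREDENTIAL_NAME = re.compile(r"secret|password|pwd|connectionstring|sastoken|accountkey", re.I)
# Values that look like an opaque key: 32+ base64 characters, optional padding.
OPAQUE_VALUE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")


def find_embedded_credentials(xml_text):
    """Return (key, reason) for every <add> whose name or value looks like a credential."""
    findings = []
    for add in ET.fromstring(xml_text).iter("add"):
        key = add.get("key", "")
        value = add.get("value", "")
        if CREDENTIAL_NAME.search(key):
            findings.append((key, "credential-looking setting name"))
        elif OPAQUE_VALUE.match(value):
            findings.append((key, "opaque base64 value"))
    return findings


# Constructed: the shape of the deck's demo config, with placeholder values.
VULNERABLE_CONFIG = """\
<appSettings>
  <add key="AzureTenantId" value="00000000-0000-0000-0000-000000000000" />
  <add key="AzureClientId" value="11111111-1111-1111-1111-111111111111" />
  <add key="AzureClientSecret" value="PLACEHOLDER_SECRET_VALUE_DO_NOT_USE" />
  <add key="BlobKey" value="QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5QUJDREVGR0g=" />
</appSettings>
"""

# Constructed: the same app after the move to MSI + Key Vault. The app
# authenticates with its managed identity and reads secrets from the vault at
# runtime, so the configuration carries only a vault URI (placeholder).
HARDENED_CONFIG = """\
<appSettings>
  <add key="KeyVaultUri" value="https://example-vault.vault.azure.net/" />
  <add key="UseManagedServiceIdentity" value="true" />
</appSettings>
"""

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, find_embedded_credentials(cfg) or "clean")
```

The name rule catches the client secret regardless of its value, and the value rule catches keys stored under an innocent-looking name; a tenant ID or client ID is not flagged, since those are identifiers rather than credentials, which matches the deck's point that it is the secret, not the ID, that becomes the stepping stone.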
Integrity

• Identity & Authentication Provider
  • Azure Active Directory
• Web boundary
  • Azure App Service Plan
  • Web Job
  • Azure Functions
  • API
• Storage
  • Azure Storage
  • Azure SQL Database (Threat Detection to mitigate SQL injection)
• Encryption in transit

[Diagram: Web Front-End → Service/Business Logic → Azure SQL Database; an upload from an authorized user (admin, webmaster) is allowed, an upload from an unauthorized user is denied]
Confidentiality

• What needs to be confidential?
  • System configuration
  • Database
  • HTTP requests
  • API
  • Source code
• Use Azure Key Vault for secret and key management
• Encryption at rest (Azure Blob, SQL Database)
• Implement DevOps Security

Azure Key Vault Overview

• An additional protection layer for your secrets
• Secrets should only be:
  • Database connection strings
  • Redis Cache keys
  • Shared Access Signatures
  • API keys
  • System/service principal credentials
  • Public certificates (used to encrypt/decrypt together with the private key)
• Key types:
  • RSA: a 2048-bit RSA key (soft key)
  • EC: Elliptic Curve
• Certificates are used for encryption/decryption or signing
Azure Key Vault Flow

[Diagram, traditional: the Azure App Service reads the database connection string from its own configuration and accesses Azure SQL Database]
[Diagram, with Key Vault: the Azure App Service gets an access token; Key Vault authorizes it, checks permission and returns the secret; the app then accesses/queries Azure SQL Database]

Azure Key Vault Threats

• Password stripping if you store your private key as a secret
  • Read more about it (http://thuansoldier.net/?p=7462)
• A single point of failure if the secret is retrieved with a client ID and client secret
  • Use Azure Managed Service Identity
  • Use certificate-based authentication (where the certificate is uploaded to the App Service certificate store)
• Azure Key Vault can be abused as secret-as-a-service
• Attractive target for both internal and external attackers
Azure Key Vault Integration

• Azure SQL Database
  • Bring Your Own Key (BYOK)
  • Transparent Data Encryption (TDE)
• Azure Blob Storage
  • Managed secret (with your own key)
• Azure API Management
  • Inbound policy

App Service + MSI + Key Vault

• Create an app service and a key vault
• Enable MSI
• Use AzureServiceTokenProvider to get an access token locally:

  // Namespaces the snippets below need (NuGet packages Microsoft.Azure.Services.AppAuthentication
  // and Microsoft.Azure.KeyVault).
  using Microsoft.Azure.KeyVault;
  using Microsoft.Azure.Services.AppAuthentication;

  // Under MSI the provider obtains the token from the locally injected endpoint;
  // no client ID or secret is held by the app.
  var azureServiceTokenProvider = new AzureServiceTokenProvider();
  string accessToken = await azureServiceTokenProvider.GetAccessTokenAsync("https://management.azure.com/");

• Get an authentication callback to be used with KeyVaultClient:

  // The callback lets KeyVaultClient request a Key Vault token through the same provider.
  var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));

• Get the secret value:

  // "secret identifier" is the full secret URI in the vault.
  var secret = await keyVaultClient.GetSecretAsync("secret identifier");
Non-repudiation

• Fraud prevention
• Well-managed access control
• Fewer passwords, more certificate-based authentication
• Who is your administrator?
  • Only if that administrator uses his phone (MFA)

Availability

• User credentials targeted via brute-force attack
  • Brute-force attack mitigation with Conditional Access
  • MFA enabled
• Web front-end
  • Content Delivery Network
  • Azure Application Gateway
  • Web configuration (Dynamic, IP filtering…)
• SQL Database
  • Control inbound network (with service endpoints)
• Azure API Management

Sample Availability

[Diagram: two Application Gateway + App Service pairs]

Authorization

• RBAC on every trust boundary
  • Azure Subscription
  • Azure AD
  • Web, Storage…
• Implement DevOps Security to scan subscription access control
• Visualize access control programmatically
  • .NET SDK or REST API
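Scanning subscription access control programmatically, as the slide recommends, starts from the role assignments the REST API returns. The following is an added example, not the deck's code: it applies a few review rules to assignments in that shape (privileged role at subscription scope or above, privileged role on a service principal, Owner granted directly to a user rather than a group) and reports one finding per issue. The sample assignments are constructed and the subscription, principal and group IDs in them are placeholders; the three role definition GUIDs are Azure's built-in Owner, Contributor and Reader roles.

```python
"""Review Azure RBAC role assignments for over-broad access.

Added example, not the deck's code. The deck recommends RBAC on every trust
boundary and scanning subscription access control programmatically; this
block applies review rules to role assignments in the shape the Azure REST
API returns them. The sample assignments are constructed and every ID in them
is a placeholder, except the three built-in role definition GUIDs.
"""
from collections import namedtuple

BUILTIN_ROLES = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "acdd72a7-3385-48ef-bd42-f606fba81ae7": "Reader",
}
PRIVILEGED_ROLES = {"Owner", "Contributor"}

Finding = namedtuple("Finding", "principal_id role scope issue")


def role_name(role_definition_id):
    """Map '.../roleDefinitions/<guid>' to the built-in role name, or 'custom:<guid>'."""
    guid = role_definition_id.rsplit("/", 1)[-1].lower()
    return BUILTIN_ROLES.get(guid, f"custom:{guid}")


def scope_level(scope):
    """Classify a scope string: managementGroup, subscription, resourceGroup or resource."""
    if scope.startswith("/providers/Microsoft.Management/managementGroups/"):
        return "managementGroup"
    segments = [s for s in scope.split("/") if s]
    if len(segments) == 2:      # /subscriptions/<id>
        return "subscription"
    if len(segments) == 4:      # /subscriptions/<id>/resourceGroups/<name>
        return "resourceGroup"
    return "resource"


def review_assignments(assignments):
    """Apply the review rules and return one Finding per issue found."""
    findings = []
    for assignment in assignments:
        props = assignment["properties"]
        role = role_name(props["roleDefinitionId"])
        scope = props["scope"]
        principal = props["principalId"]
        ptype = props.get("principalType")
        if role in PRIVILEGED_ROLES and scope_level(scope) in {"managementGroup", "subscription"}:
            findings.append(Finding(principal, role, scope,
                                    "privileged role granted at subscription scope or above"))
        if role in PRIVILEGED_ROLES and ptype == "ServicePrincipal":
            # A leaked client ID + secret for this principal becomes a stepping
            # stone straight to Owner/Contributor (the deck's Azure AD threat).
            findings.append(Finding(principal, role, scope,
                                    "service principal holds a privileged role"))
        if role == "Owner" and ptype == "User":
            findings.append(Finding(principal, role, scope,
                                    "Owner assigned directly to a user instead of a group"))
    return findings


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder


def assignment(role_guid, principal_id, principal_type, scope):
    """Build one assignment in the shape the REST API returns (constructed sample)."""
    return {"properties": {
        "roleDefinitionId": f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/{role_guid}",
        "principalId": principal_id, "principalType": principal_type, "scope": scope}}


# Constructed sample: one Owner user, a CI service principal with Contributor on
# a resource group, a read-only auditors group, and a legacy deploy principal
# that still owns the whole subscription.
SAMPLE_ASSIGNMENTS = [
    assignment("8e3af657-a8ff-443c-a75c-2fe8c4bcb635", "user-alice", "User", SUB),
    assignment("b24988ac-6180-42a0-ab88-20f7382dd24c", "sp-build-pipeline", "ServicePrincipal",
               f"{SUB}/resourceGroups/rg-web"),
    assignment("acdd72a7-3385-48ef-bd42-f606fba81ae7", "group-auditors", "Group", SUB),
    assignment("8e3af657-a8ff-443c-a75c-2fe8c4bcb635", "sp-legacy-deploy", "ServicePrincipal", SUB),
]

if __name__ == "__main__":
    for f in review_assignments(SAMPLE_ASSIGNMENTS):
        print(f"{f.principal_id:20} {f.role:12} {f.scope}: {f.issue}")
```

Run periodically from the pipeline, the same function turns the slide's "manual subscription access control" threat into a drift check: any new finding between two runs is an assignment that crossed a trust boundary without review.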
One thing you’d be missing

• Wrap your PaaS inside a controlled virtual network
  • Azure App Service Environment (ASE)
  • Azure API Management
  • HDInsight
  • Redis Cache
  • Azure AD DS
  • Azure Batch
  • Azure Application Gateway
• Control inbound network
  • Azure Storage
  • Azure SQL Database

[Diagram: Application Gateway → API Management → Azure App Service inside a Virtual Network → Azure SQL Database (allowed); an Azure App Service outside the network is denied; Azure Managed Services]
DevOps Security

Big threats still exist in development (sample)

• Developer workstation is compromised
• Source code leakage
• Bad secure-coding practice
• Manual subscription access control
• Discontinuous security scanning

DevOps + Security: DevSecOps

• Dev: software releases & updates
• Ops: reliability, performance & scaling
• Sec: confidentiality, availability and integrity

DevSecOps Picture (Sample)

• Make sure your code is both manually and dynamically scanned.
• Continuous vulnerability assessment
• Incorporate the Security Engineering team for better security & protection.
• Eliminate double effort on code refactoring after security assessment
DevSecOps Kit for Azure

[Diagram: the six areas of the DevSecOps Kit for Azure]
• Subscription Security (Policy, ASC Config, Alerts, RBAC, etc.): scan and remediate security at subscription level with the AzSK PowerShell module
• Security IntelliSense, Security Verification Tests (SVTs): integrate IDE extensions & automated security scanning with PowerShell during development
• CICD Build/Release Extensions: implement a security pipeline with the Security extension in VSTS or other 3rd parties
• Continuous Assurance Runbooks: periodically scan in production to watch for drift
• OMS Solution for Alerting & Monitoring: build OMS to visualize a security dashboard across DevOps stages
• Cloud Risk Governance: make data-driven improvements to security

Demo

1. Scan subscription-level security
2. Security IntelliSense during development
3. Setting up a security pipeline
DevSecOpoly Game

• Created by Mark Miller (https://www.linkedin.com/pulse/devsecopoly-anyone-mark-miller/)
• Gameplay is like Monopoly
• Entertains people into stepping up to DevOps + Security.

Key takeaways

• Threat modeling is very helpful for PaaS threat identification.
  • Download the Microsoft Threat Modeling tool here
• Transfer as many of your threats as possible to Microsoft Azure (cost may increase).
• Implement a Security Software Development Lifecycle
  • Refer to the Microsoft SDL here
• DevOps Security is always recommended.

Additional References

• Securing PaaS Deployment: https://docs.microsoft.com/en-us/azure/security/security-paas-deployments
• OWASP AppSec Pipeline: https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
• Secure DevOps Kit for Azure (AzSDK): https://github.com/azsdk/azsdk-docs

Cloud First = Security First

Q & A

Accelerating Digital Transformation With Microsoft Azure And Cognitive Services
 
An initiative to healthcare analytics with office 365 and power bi spsparis2017
An initiative to healthcare analytics with office 365 and power bi spsparis2017An initiative to healthcare analytics with office 365 and power bi spsparis2017
An initiative to healthcare analytics with office 365 and power bi spsparis2017
 
ExpertsLive Asia Pacific 2017 - Planning and Deploying SharePoint Server 2016...
ExpertsLive Asia Pacific 2017 - Planning and Deploying SharePoint Server 2016...ExpertsLive Asia Pacific 2017 - Planning and Deploying SharePoint Server 2016...
ExpertsLive Asia Pacific 2017 - Planning and Deploying SharePoint Server 2016...
 
Lotus Notes Transition To Office 365
Lotus Notes Transition To Office 365Lotus Notes Transition To Office 365
Lotus Notes Transition To Office 365
 
Search Solution in SharePoint 2013
Search Solution in SharePoint 2013Search Solution in SharePoint 2013
Search Solution in SharePoint 2013
 
Planning and deploying_share_point_farm_in_azure_gabsg_2016
Planning and deploying_share_point_farm_in_azure_gabsg_2016Planning and deploying_share_point_farm_in_azure_gabsg_2016
Planning and deploying_share_point_farm_in_azure_gabsg_2016
 
B365 saturday practical guide to building a scalable search architecture in s...
B365 saturday practical guide to building a scalable search architecture in s...B365 saturday practical guide to building a scalable search architecture in s...
B365 saturday practical guide to building a scalable search architecture in s...
 
SharePoint 2013 Document Management Features
SharePoint 2013 Document Management FeaturesSharePoint 2013 Document Management Features
SharePoint 2013 Document Management Features
 
SharePoint 2010 Intranet Presentation
SharePoint 2010 Intranet PresentationSharePoint 2010 Intranet Presentation
SharePoint 2010 Intranet Presentation
 
Make a better social collaboration platform with share point 2013
Make a better social collaboration platform with share point 2013Make a better social collaboration platform with share point 2013
Make a better social collaboration platform with share point 2013
 
Explanation of sp in crazy way
Explanation of sp in crazy wayExplanation of sp in crazy way
Explanation of sp in crazy way
 
SharePoint Development with Visual Studio 2012
SharePoint Development with Visual Studio 2012SharePoint Development with Visual Studio 2012
SharePoint Development with Visual Studio 2012
 
Dynamic access control sbc12 - thuan nguyen
Dynamic access control sbc12 - thuan nguyenDynamic access control sbc12 - thuan nguyen
Dynamic access control sbc12 - thuan nguyen
 
A glance at share point 2013 social features
A glance at share point 2013 social featuresA glance at share point 2013 social features
A glance at share point 2013 social features
 
Sp administration-training-prism
Sp administration-training-prismSp administration-training-prism
Sp administration-training-prism
 
Share point 2010 indoctrination
Share point 2010 indoctrinationShare point 2010 indoctrination
Share point 2010 indoctrination
 
Basics of project management - Week 1
Basics of project management - Week 1Basics of project management - Week 1
Basics of project management - Week 1
 
Designing service applications architecture
Designing service applications architectureDesigning service applications architecture
Designing service applications architecture
 
Sharepoint 2010 the medicine for your business hsu
Sharepoint 2010 the medicine for your business   hsuSharepoint 2010 the medicine for your business   hsu
Sharepoint 2010 the medicine for your business hsu
 
Sharepoint 2010 overview for student in university
Sharepoint 2010 overview for student in universitySharepoint 2010 overview for student in university
Sharepoint 2010 overview for student in university
 

Recently uploaded

Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 

Recently uploaded (20)

Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 

Make your Azure PaaS Deployment More Safe

Slide 2: About Me
• Passionate about software product and security engineering on cloud.
• Microsoft MVP (2011 – Now)
• Blog at http://thuansoldier.net
• Twitter at @nnthuan

Slide 3: I’m not going to…
• introduce myself as a hacker or script kiddie
• blame developers for the security unawareness that makes software vulnerable
• talk about secure coding practice
• bring in information security management (e.g. compliance, risk, regulation…)

Slide 4: Please interrupt me anytime for open discussion, even if I’m wrong.

Slide 5: My security principles
• Security is not a silver bullet.
• Security must come first from your awareness.
• Security by default before security by design.
• No pain, no gain, if you dare.

Slide 6: Why Security? …think about the impact
• Operational impact: the system gets hacked, the service goes down, your data is compromised.
• Business impact: data sold to a competitor, damaged reputation, money loss.

Slide 8: Physical Security
• Physical data center: SSAE 16/ISAE 3402 attestation and ISO 27001 certified
• Motion sensors
• 24x7 protected access
• Biometric-controlled access systems
• Video camera surveillance
• Anti-passback and man-traps
• Security breach alarms
• Low-key appearance

Slide 10: …it does not mean
• Azure is unbreakable.
• Your system is impervious.
• There is no security concern for PaaS because no one has access to any kind of Azure compute, unlike IaaS.
• The underlying infrastructure takes care of the network and every kind of DDoS attack.

Slide 11: Understand shared responsibility
• Data governance & rights management
• Client endpoints
• Account & access management
Slide 15: PaaS Security Challenges
• PaaS is a horizontal plane when implementing.
• Everything has its own dedicated flat.
• Designed to leverage platform strengths.
• Nothing really wraps anything else as in IaaS (e.g. a VM is wrapped in a subnet in a virtual network).
• Arbitrary only, without a systematic approach.
• Before protecting your PaaS, you need to identify your inherent weaknesses.
• Threat modeling is an approach to identifying your PaaS deployment’s threats.

Slide 16: When thinking about Threat Model for PaaS?
• When you would like to answer some of the following questions:
  • Where to get started with your PaaS security?
  • What can go wrong with what you are building?
  • What should you do to mitigate those things that can go wrong?
  • What is a structured approach to building a defense framework?
• Part of SSDL (Security Software Development Lifecycle)
• Repeatable way to identify attack surface
• Mitigation and acceptance criteria

Slide 17: Threat Modeling Process
1. Create a high-level diagram
2. Identify your valuable assets
3. Create a Data Flow Diagram
4. Find your threats
5. Manage and address threats
Slide 18: What are you going to build?
[Diagram: Browser → App Service → SQL Database, refined to Browser → Web Front-End → Service/Business Logic → SQL Database]

Slide 19: …can be more complex
[Diagram: Browser → Web Front-End → Service/Business Logic (IdP) → SQL Database; Blob Storage; a Web Job pulls data from SharePoint Online]
• What could go wrong?
• Who controls what?
• Who has the right to modify my database?
• What is the attacker’s target?
• What is the potential threat when the Web Job pulls data?

Slide 20: Improving the diagram with boundaries
[Diagram: Browser → Web Front-End → Service/Business Logic → SQL Database; App Service Storage and Blob Storage; the Web Job pulls from SharePoint Online and pushes into storage]

Slide 21: Trust Boundary
• Adding trust boundaries is how you identify attack surface.
• Answers who controls what.
• Without trust boundaries, your system appears to expose a very large attack surface.
• If there is a ‘talk’, add a boundary:
  • Web master/admin talks to the administrator portal
  • Web talks to business logic
  • Service instance talks to database
[Diagram: Attacker outside the Application Boundary, which in turn wraps the Database Boundary]

Slide 22: Defining Data Flow Diagram (DFD)
[Diagram: Browser (external entity) → Web Front-End → Service/Business Logic → SQL Database, with App Service Storage and an Identity Provider; the data flows are numbered 1 to 4]

Slide 23: Defining Data Flow Diagram (DFD)
• External entities: Web Client, Web Master, Database Admin
• Processes: Front-End Web, Service/API
• Data stores: Database, Data Log
• Plus trust boundaries and data flows between them
Slide 24: Approach to drawing DFD
• Asset-centric
  • Things attackers want
  • Things you want to protect
  • Stepping stones to either of these
• Software-centric
  • Without the software-centric view, the asset-centric view would only focus on system credentials and the database.
  • Includes not only assets but also the other connections and software flows.
  • Can be a DFD, UML or swim-lane diagram
• Attack-centric
  • Identify potential attackers (from connections, the community, intelligence databases)
  • Not recommended, but good to know
[Diagram: things you protect; stepping stones; things attackers want]

Slide 25: STRIDE methodology
• Spoofing: pretending to be something or someone other than yourself
• Tampering: modifying data or system configuration
• Repudiation: claiming that you didn’t do something, or were not responsible
• Information Disclosure: providing information to someone not authorized to see it
• Denial of Service: absorbing resources needed to provide service
• Elevation of Privilege: allowing someone to do something they’re not authorized to do
Slide 26: STRIDE Analysis - Spoofing
[DFD of slide 22, annotated: claim to be a database admin]

Slide 27: STRIDE Analysis - Tampering
[DFD of slide 22]

Slide 28: STRIDE Analysis - Repudiation
[DFD of slide 22, annotated: repudiate being a new DB admin]

Slide 29: STRIDE Analysis – Information Disclosure
[DFD of slide 22, annotated: read the user info table via injection]

Slide 30: STRIDE Analysis – Denial of Service
[DFD of slide 22, annotated: deny the SQL service over the Internet]

Slide 31: STRIDE Analysis – Elevation of Privilege
[DFD of slide 22, annotated: execute a T-SQL query]

Slide 32: Microsoft Threat Modeling Tool
• Provides stencils to model your threats
• Uses STRIDE per interaction
• Analysis view + threat lists provide the threats per diagram

Slide 33: Threat Trees
• Spoofing → Authentication
• Tampering → Integrity
• Repudiation → Non-repudiation
• Information Disclosure → Confidentiality
• Denial of Service → Availability
• Elevation of Privilege → Authorization
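STRIDE per interaction over the DFD of slides 22 and 23, mapped onto the threat tree of slide 33, as an added Python example that is not the deck’s own code or the Microsoft Threat Modeling Tool. The boundary names, the two flows beyond the deck’s four, and the STRIDE-per-element rule set are assumptions of this example.

```python
"""STRIDE-per-interaction over the deck's DFD (added example, not the deck's tooling)."""
from collections import Counter
from dataclasses import dataclass

# DFD element kinds (slide 23)
EXTERNAL, PROCESS, STORE = "external entity", "process", "data store"

# Threat tree (slide 33): each STRIDE category attacks one security property
STRIDE_PROPERTY = {
    "Spoofing": "Authentication",
    "Tampering": "Integrity",
    "Repudiation": "Non-repudiation",
    "Information Disclosure": "Confidentiality",
    "Denial of Service": "Availability",
    "Elevation of Privilege": "Authorization",
}

# STRIDE-per-element rule set (assumption: the common textbook mapping)
APPLICABLE = {
    EXTERNAL: {"Spoofing", "Repudiation"},
    PROCESS: set(STRIDE_PROPERTY),
    STORE: {"Tampering", "Repudiation", "Information Disclosure", "Denial of Service"},
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str
    boundary: str  # trust boundary the element lives in (slide 21)


@dataclass(frozen=True)
class Flow:
    number: int
    source: Element
    target: Element
    data: str


@dataclass(frozen=True)
class Threat:
    flow: int
    element: str
    category: str
    violates: str


def crosses_boundary(flow: Flow) -> bool:
    """A 'talk' across a boundary is where attack surface appears (slide 21)."""
    return flow.source.boundary != flow.target.boundary


def stride_per_interaction(flows):
    """For each flow that crosses a trust boundary, emit every STRIDE category that
    applies to either endpoint. Flows that stay inside one boundary yield nothing."""
    threats = []
    for flow in flows:
        if not crosses_boundary(flow):
            continue
        for elem in (flow.source, flow.target):
            for category in sorted(APPLICABLE[elem.kind]):
                threats.append(Threat(flow.number, elem.name, category, STRIDE_PROPERTY[category]))
    return threats


def summarize(threats):
    """Count threats by the property they violate, i.e. the threat tree of slide 33."""
    return dict(Counter(t.violates for t in threats))


def build_deck_dfd():
    """The DFD of slide 22 plus the Database Admin entity of slide 23 (boundaries assumed)."""
    browser = Element("Browser", EXTERNAL, "internet")
    db_admin = Element("Database Admin", EXTERNAL, "internet")
    idp = Element("Identity Provider", EXTERNAL, "identity")
    web = Element("Web Front-End", PROCESS, "application")
    logic = Element("Service/Business Logic", PROCESS, "application")
    storage = Element("App Service Storage", STORE, "application")
    db = Element("SQL Database", STORE, "database")
    return [
        Flow(1, browser, web, "HTTP request"),
        Flow(2, web, logic, "API call"),        # same boundary: no new attack surface
        Flow(3, logic, db, "T-SQL query"),
        Flow(4, logic, storage, "file write"),  # same boundary: no new attack surface
        Flow(5, web, idp, "token request"),     # assumed flow
        Flow(6, db_admin, db, "admin T-SQL"),   # assumed flow; slide 26: "claim to be a database admin"
    ]


if __name__ == "__main__":
    found = stride_per_interaction(build_deck_dfd())
    for t in found:
        print(f"flow {t.flow}: {t.element:24} {t.category:24} -> {t.violates}")
    print(summarize(found))
```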
Slide 35: Authentication
• You can build your own identity.
• Use Azure Active Directory to transfer threats to Microsoft:
  • Brings the Trust Center
  • Encryption stuff
• Azure AD is your central identity and access management.
• Certificate-based mutual authentication
[Diagram: Web Front-End and Azure SQL Database both authenticate through Azure Active Directory]

Slide 36: Azure Active Directory Threats?
• Does Azure AD have threats if it is used?
• Client ID + client secret can be the stepping stone.
• Someone might claim to be an Azure global administrator.
• Someone might claim to be your end-user.

    <appSettings>
      <add key="AzureSubscriptionId" value="2ll0cb59-ed12-4755-a3zc-352z212fbafc" />
      <add key="AzureTenantId" value="00087603-0fc0-4103-bd94-cdffllfb2226" />
      <add key="AzureClientId" value="034boi383-dl20-4bf0-a78d-6d89c7de2d24" />
      <add key="AzureClientSecret" value="64x6MsdDBmBg5sfej6z3rMCiUkgfVcZ42L000=" />
    </appSettings>

Slide 37: Demo
• Authenticate to Azure resources via client ID & client secret
• Work with Azure AD B2C

Slide 38: Azure Authentication Threat Mitigation
• Azure AD via Managed Service Identity, supported by:
  • Azure Resource Manager
  • Azure Key Vault
  • Azure Data Lake
  • Azure SQL
  • Azure Event Hubs
  • Azure Service Bus
• Use a certificate rather than client ID + client secret.
• To protect identity:
  • Enable MFA for your global administrators
  • Enable Azure AD Premium to gain the benefit of Conditional Access
[Diagram: the Azure App Service requests a token from the local endpoint http://localhost/oauth2/token, Azure injects and rolls the credentials, and the app presents the token to the Azure service]
Slide 39: Integrity
• Identity & authentication provider
  • Azure Active Directory
• Web boundary
  • Azure App Service Plan
  • Web Job
  • Azure Functions
  • API
• Storage
  • Azure Storage
  • Azure SQL Database (Threat Detection to mitigate SQL injection)
• Encryption in transit
[Diagram: an authorized user (admin, webmaster) is allowed to upload through Web Front-End → Service/Business Logic → Azure SQL Database; an unauthorized user is denied]

Slide 40: Confidentiality
• What needs to be confidential?
  • System configuration
  • Database
  • HTTP requests
  • API
  • Source code
• Use Azure Key Vault for secret and key management.
• Encryption at rest (Azure Blob, SQL Database)
• Implement DevOps security.

Slide 41: Azure Key Vault Overview
• An additional protection layer for your secrets
• Secrets should only be:
  • Database connection strings
  • Redis Cache keys
  • Shared Access Signatures
  • API keys
  • System/service principal credentials
  • Public certificates (used to encrypt/decrypt with the private key)
• Key types:
  • RSA: a 2048-bit RSA key (soft key)
  • EC: elliptic curve
• Certificates are used for encryption/decryption or signing.

Slide 42: Azure Key Vault Flow
• Traditional: the Azure App Service holds the database connection string itself and queries Azure SQL Database directly.
• With Key Vault: the Azure App Service gets an access token, Key Vault authorizes the request and checks permission, returns the secret, and only then does the app access/query Azure SQL Database.

Slide 43: Azure Key Vault Threats
• Password stripping if you store your private key as a secret
  • Read more about it: http://thuansoldier.net/?p=7462
• A single point of failure if secrets are retrieved with a client ID and client secret
  • Use Azure Managed Service Identity
  • Use certificate-based authentication (where the certificate is uploaded to the App Service certificate store)
• Azure Key Vault can be abused as secret-as-a-service.
• Attractive target for both internal and external attackers
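A pre-deployment check for the embedded-credential threat of slides 36 and 43, as an added Python example that is not part of the deck, AzSK or any Microsoft tool. The sample config, its placeholder values and the key/value heuristics are constructed for this example; the @Microsoft.KeyVault(...) value is the App Service Key Vault reference syntax, and the %VAR% / ${VAR} forms are assumed environment placeholders.

```python
"""Flag literal credentials in <appSettings> before they ship (added example)."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed after slide 36; every value is a placeholder, not a real identifier.
SAMPLE_CONFIG = """<configuration>
  <appSettings>
    <add key="AzureSubscriptionId" value="00000000-0000-0000-0000-000000000001" />
    <add key="AzureTenantId" value="00000000-0000-0000-0000-000000000002" />
    <add key="AzureClientId" value="00000000-0000-0000-0000-000000000003" />
    <add key="AzureClientSecret" value="PLACEHOLDER-client-secret-0000=" />
    <add key="DbConnection" value="Server=tcp:example.database.windows.net;User ID=app;Password=PLACEHOLDER;" />
    <add key="StorageSas" value="?sv=2017-07-29&amp;sig=PLACEHOLDERSIGNATURE" />
    <add key="ApiKey" value="@Microsoft.KeyVault(SecretUri=https://example.vault.azure.net/secrets/apikey/)" />
    <add key="KeyVaultUrl" value="https://example.vault.azure.net/" />
    <add key="Theme" value="dark" />
  </appSettings>
</configuration>"""

# Setting names that usually hold a secret (the value kinds slide 41 says belong in Key Vault)
SECRET_KEY = re.compile(r"secret|password|pwd|apikey|api_key|sas|token", re.I)
# Value shapes that carry a secret regardless of the key name
SECRET_VALUE = [
    re.compile(r"password=", re.I),  # connection string with an embedded password
    re.compile(r"[?&]sig=", re.I),   # shared access signature
]
# Values resolved at runtime rather than literal secrets: an App Service Key Vault
# reference, or an environment placeholder (assumed convention of this example)
RUNTIME_REF = re.compile(r"^(@Microsoft\.KeyVault\(.*\)|%[A-Z0-9_]+%|\$\{[A-Z0-9_]+\})$")


@dataclass(frozen=True)
class Finding:
    key: str
    reason: str
    recommendation: str


def is_literal_secret(key: str, value: str) -> bool:
    """True when the setting looks like a secret and is not a runtime reference."""
    if RUNTIME_REF.match(value):
        return False
    return bool(SECRET_KEY.search(key)) or any(p.search(value) for p in SECRET_VALUE)


def recommend(key: str) -> str:
    # A client secret is the stepping stone of slide 36; slide 38 replaces it outright.
    if re.search(r"client.*secret", key, re.I):
        return "Drop the client secret; authenticate with Managed Service Identity or a certificate."
    # Anything else is a runtime secret: keep it in Key Vault and fetch it via MSI (slides 42, 45).
    return "Move the value to Azure Key Vault and retrieve it at runtime through MSI."


def scan_app_settings(xml_text: str):
    """Return one Finding per <add> under <appSettings> whose value is a literal secret."""
    root = ET.fromstring(xml_text)
    findings = []
    for add in root.iter("add"):
        key = add.get("key", "")
        value = add.get("value", "")
        if is_literal_secret(key, value):
            reason = "secret-looking key" if SECRET_KEY.search(key) else "secret-looking value"
            findings.append(Finding(key, reason, recommend(key)))
    return findings


if __name__ == "__main__":
    for f in scan_app_settings(SAMPLE_CONFIG):
        print(f"{f.key}: {f.reason}. {f.recommendation}")
```

Wire the scanner into the build step of the security pipeline (slide 55) so a flagged setting fails the release rather than surfacing after deployment.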
Slide 44: Azure Key Vault Integration
• Azure SQL Database
  • Bring Your Own Key (BYOK)
  • Transparent Data Encryption (TDE)
• Azure Blob Storage
  • Managed secret (with your own key)
• Azure API Management
  • Inbound policy

Slide 45: App Service + MSI + Key Vault
• Create an App Service and a Key Vault.
• Enable MSI.
• Use AzureServiceTokenProvider to get an access token locally.
• Get an authentication callback to be used with KeyVaultClient.
• Get the secret value.

    using Microsoft.Azure.KeyVault;
    using Microsoft.Azure.Services.AppAuthentication;

    var azureServiceTokenProvider = new AzureServiceTokenProvider();   // token source backed by the App Service MSI
    string accessToken = await azureServiceTokenProvider.GetAccessTokenAsync("https://management.azure.com/");
    var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
    var secret = await keyVaultClient.GetSecretAsync("secret identifier");   // e.g. https://<vault>.vault.azure.net/secrets/<name>
Slide 46: Non-repudiation
• Fraud prevention
• Well-managed access control
• Fewer passwords, more certificate-based authentication
• Who is your administrator?
  • Only if that administrator uses his phone (MFA)

Slide 47: Availability
• User credentials targeted via brute-force attack
  • Brute-force attack mitigation with Conditional Access
  • MFA enabled
• Web front-end
  • Content Delivery Network
  • Azure Application Gateway
  • Web configuration (dynamic, IP filtering…)
• SQL Database
  • Control the inbound network (with service endpoints)
• Azure API Management

Slide 49: Authorization
• RBAC on every trust boundary
  • Azure subscription
  • Azure AD
  • Web, storage…
• Implement DevOps security to scan subscription access control.
• Visualize access control programmatically
  • .NET SDK or REST API

Slide 50: One thing you’d be missing
• Wrap your PaaS inside a controlled virtual network:
  • Azure App Service Environment (ASE)
  • Azure API Management
  • HDInsight
  • Redis Cache
  • Azure AD DS
  • Azure Batch
  • Azure Application Gateway
• Control the inbound network:
  • Azure Storage
  • Azure SQL Database
[Diagram: Application Gateway → API Management → Azure App Service inside the Virtual Network → Azure SQL Database; the database allows the Azure App Service and denies other Azure managed services]
Slide 52: Big threats still exist in development (sample)
• Developer workstation is compromised
• Source code leakage
• Bad secure-coding practice
• Manual subscription access control
• Discontinuous security scanning

Slide 53: DevOps + Security: DevSecOps
• Dev: software releases & updates
• Ops: reliability, performance & scaling
• Sec: confidentiality, availability and integrity
• Make sure your code is both manually and dynamically scanned.
• Continuous vulnerability assessment
• Work with the security engineering team for better security & protection.
• Eliminate double effort for code refactoring after security assessment.

Slide 55: DevSecOps Kit for Azure
• Subscription security (policy, ASC config, alerts, RBAC, etc.): scan and remediate security at subscription level with the AzSK PowerShell module.
• Security IntelliSense, Security Verification Tests (SVTs): integrate IDE extensions & automated security scanning with PowerShell during development.
• CICD build/release extensions: implement a security pipeline with the security extension in VSTS or other third parties.
• Continuous Assurance runbooks: periodically scan production to watch for drift.
• OMS solution for alerting & monitoring: build OMS to visualize a security dashboard across the DevOps stages.
• Cloud risk governance: make data-driven improvements to security.

Slide 56: Demo
1. Scan subscription-level security
2. Security IntelliSense during development
3. Setting up a security pipeline

Slide 57: DevSecOpoly Game
• Created by Mark Miller (https://www.linkedin.com/pulse/devsecopoly-anyone-mark-miller/)
• Gameplay is like Monopoly.
• Entertains people as they step up to DevOps + Security.

Slide 58: Key takeaways
• Threat modeling is very helpful for PaaS threat identification.
• Download the Microsoft Threat Modeling Tool here.
• Transfer as many threats as possible to Microsoft Azure (cost may increase).
• Implement a Security Software Development Lifecycle.
  • Refer to the Microsoft SDL here.
• DevOps security is always recommended.

Slide 59: Additional References
• Securing PaaS Deployment: https://docs.microsoft.com/en-us/azure/security/security-paas-deployments
• OWASP AppSec Pipeline: https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
• Secure DevOps Kit for Azure (AzSDK): https://github.com/azsdk/azsdk-docs

Slide 60: Cloud First = Security First

Slide 61: Q & A