SlideShare uma empresa Scribd logo

Azure Saturday: Security + DevOps + Azure = Awesomeness

Karl Ots
Karl Ots

Slides from my presentation at Azure Saturday on 26.5.2018 in Munich. In this session, I will cover the Secure DevOps Toolkit for Azure, a set of security-related tools, Powershell modules, extensions and automations for Azure. The session is a collection of lessons learned using the Toolkit from real-life projects. After this sessions you will be able to improve the security of your Azure usage from IDE to Operations, regardless of your current state of security and level of cloud adoption.

Tecnologia
1 de 29
Baixar para ler offline
1 Azure Saturday 2018 Security + DevOps + Azure = Awesomeness Karl Ots | Kompozure @fincooper
2 Azure Saturday 2018 Thank you, sponsors!
KARL OTS @ KOMPOZURE • Co-organizer of IglooConf and PolarConf • Podcast host at Cloud Gossip • Working on Azure since 2011 • Patented inventor • Worked with tens of different customers on full-scale Azure projects, from startups to Fortune 500 enterprises Managing Consultant karl.ots@kompozure.com +358 50 480 1102
SECURITY LANDSCAPE • Cloud-based user account attacks have increased 300% YoY (Microsoft Security Intelligence Report, Volume 22) • An attacker is on a victim’s network 99 days on average before they are detected (FireEye/Mandiant report – March 14, 2017) • Average cost of a data breach in 2017 was 4 M $ (IBM security)
WHY AZSK? • Cloud security is hard. • Knowledge of Azure security controls is not widespread. • MS IT wanted to accelerate internal Azure adoption in a controlled way • Approach: avoid reinventing the wheel o Use as much out-of-the-box Azure features as possible o For example: outsource VM controls to Security Center
SECURE DEVOPS KIT FOR AZURE (AZSK)
INSTALLATION
SUBSCRIPTION SECURITYSubscription RBAC provisioning Deploy mandatory and scenario/solution specific accounts/groups on a subscription. Ability to specify and remove deprecated accounts. Alerts setup Configure insights-based alerts for important activities. Runbooks for critical alerts to send SMS with key alert body info. ARM policy setup Deploy and enable ARM policy definitions (e.g., audit/deny use of ASM/v1 resources) ASC setup Configure Azure Security Center by enabling policies, setting security POCs, etc. Resource Locks Ensure that critical enterprise resources have locks deployed on them. Health Check More than a dozen subscription hygiene security checks, including proper provisioning
SUBSCRIPTION HEALTH SCAN Select-AzureRmSubscription -SubscriptionId $subscriptionId # Sub health scan Get-AzSKSubscriptionSecurityStatus -SubscriptionId $subscriptionId -GeneratePDF Portrait
DEVELOP SECURELY Feature Scenarios/Details Development Security IntelliSense • Get inline support for secure coding right at the point of code creation. • Checks on Azure Best practices, ADAL and common crypto • VS plug-in for C#. • Security IntelliSense extension works on Visual Studio 2015 Update 3 or later.
SECURE INTELLISENSE
“UNIT TEST” AZURE SECURITY Feature Scenarios/Details Development Security IntelliSense • Get inline support for secure coding right at the point of code creation. • Checks on Azure Best practices, ADAL and Crypto • VS plug-in for C#. Security Verification Tests • Scan cloud solutions during early dev and prototyping stages. • Provides a variety of options to define scan targets. • Easy, intuitive reports and detailed logs. Support for 25+ Azure IaaS and PaaS service types.
SECURITY VERIFICATION TESTS Select-AzureRmSubscription -SubscriptionId $subscriptionId # Security Verification Test Get-AzSKAzureServicesSecurityStatus -SubscriptionId $subscriptionId -GeneratePDF Portrait
DEMO TIME!
DEVOPS • Security Verification Tests (SVTs) in VSTS / on-prem TFS pipeline • SVTs in Jenkins pipeline • AzSK ARM Template Checker
CONTINUOUS ASSURANCE • Run AzSK tests periodically using Azure Automation • Write to Log Analytics • Query with Gusto Query Language • Integrate with your existing systems, such as your SIEM
#### Deploy the AzSK view in the OMS workspace #### Install-AzSKOMSSolution -OMSSubscriptionId $subscriptionId ` -OMSResourceGroup $omsRGName ` -OMSWorkspaceId $omsWSId ` -ViewName $azSkViewName #### Setup AzSK scan data to OMS #### Set-AzSKOMSSettings -OMSWorkspaceID $omsWSId -OMSSharedKey $omskey #### Run AzSK scripts per usual #### Get-AzSKSubscriptionSecurityStatus -SubscriptionId $subscriptionId #### Run AzSK SVT scan #### Get-AzSKAzureServicesSecurityStatus -SubscriptionId $subscriptionId SETTING UP CONTINUOUS ASSURANCE
ADVANCED FEATURES • Generate PDF Report • Generate AutoFix Script • AzSK ARM Templates • Customizing the security policies for your organization
DISCUSSION • AzSK is not your magic bullet to tick the security box o AzSK mostly covers “administrative access” in traditional threat models, some “application access” as well o You still have to worry about users, external threats and more o Threat modeling and Defense in Depth approach are your friends! • Carefully analyze the results in the scope of your application – are the recommended controls right for your app?
RESOURCES • Try out the Secure DevOps Kit for Azure! • Installation guide, docs: https://github.com/azsk/DevOpsKit -docs • Controls coverage: http://aka.ms/AzSKosstcp • IT Showcase: http://aka.ms/AzSK/itshowcase • Support: AzSKsupext@microsoft.com
36 Azure Saturday 2018 Azure Saturday 2018 We appreciate your feedback! SLIDESHARE.NET/KARLOTS
KOMPOZURE WE ROAR AT CHALLENGE

Recomendados

GDG Cloud Southlake #9 Secure Cloud Networking - Beyond Cloud Boundaries
GDG Cloud Southlake #9 Secure Cloud Networking - Beyond Cloud BoundariesGDG Cloud Southlake #9 Secure Cloud Networking - Beyond Cloud Boundaries
GDG Cloud Southlake #9 Secure Cloud Networking - Beyond Cloud Boundaries
James Anderson
 
Trust No-One Architecture For Services And Data
Trust No-One Architecture For Services And DataTrust No-One Architecture For Services And Data
Trust No-One Architecture For Services And Data
Aidan Finn
 
Azure Compute, Networking and Storage Overview
Azure Compute, Networking and Storage OverviewAzure Compute, Networking and Storage Overview
Azure Compute, Networking and Storage Overview
Azure Riyadh User Group
 
Connect your datacenter to Microsoft Azure
Connect your datacenter to Microsoft AzureConnect your datacenter to Microsoft Azure
Connect your datacenter to Microsoft Azure
K.Mohamed Faizal
 
Compliance in the Cloud Using Security by Design
Compliance in the Cloud Using Security by DesignCompliance in the Cloud Using Security by Design
Compliance in the Cloud Using Security by Design
Amazon Web Services
 
(SEC404) Incident Response in the Cloud | AWS re:Invent 2014
(SEC404) Incident Response in the Cloud | AWS re:Invent 2014(SEC404) Incident Response in the Cloud | AWS re:Invent 2014
(SEC404) Incident Response in the Cloud | AWS re:Invent 2014
Amazon Web Services
 
Azure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudAzure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure Cloud
Paulo Renato
 
2016, A new era of OS and Cloud Security
2016, A new era of OS and Cloud Security2016, A new era of OS and Cloud Security
2016, A new era of OS and Cloud Security
Tudor Damian
 

Recomendados

GDG Cloud Southlake #9 Secure Cloud Networking - Beyond Cloud Boundaries
GDG Cloud Southlake #9 Secure Cloud Networking - Beyond Cloud BoundariesGDG Cloud Southlake #9 Secure Cloud Networking - Beyond Cloud Boundaries
GDG Cloud Southlake #9 Secure Cloud Networking - Beyond Cloud Boundaries
James Anderson
 
Trust No-One Architecture For Services And Data
Trust No-One Architecture For Services And DataTrust No-One Architecture For Services And Data
Trust No-One Architecture For Services And Data
Aidan Finn
 
Azure Compute, Networking and Storage Overview
Azure Compute, Networking and Storage OverviewAzure Compute, Networking and Storage Overview
Azure Compute, Networking and Storage Overview
Azure Riyadh User Group
 
Connect your datacenter to Microsoft Azure
Connect your datacenter to Microsoft AzureConnect your datacenter to Microsoft Azure
Connect your datacenter to Microsoft Azure
K.Mohamed Faizal
 
Compliance in the Cloud Using Security by Design
Compliance in the Cloud Using Security by DesignCompliance in the Cloud Using Security by Design
Compliance in the Cloud Using Security by Design
Amazon Web Services
 
(SEC404) Incident Response in the Cloud | AWS re:Invent 2014
(SEC404) Incident Response in the Cloud | AWS re:Invent 2014(SEC404) Incident Response in the Cloud | AWS re:Invent 2014
(SEC404) Incident Response in the Cloud | AWS re:Invent 2014
Amazon Web Services
 
Azure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudAzure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure Cloud
Paulo Renato
 
2016, A new era of OS and Cloud Security
2016, A new era of OS and Cloud Security2016, A new era of OS and Cloud Security
2016, A new era of OS and Cloud Security
Tudor Damian
 
Building an Enterprise-Grade Azure Governance Model
Building an Enterprise-Grade Azure Governance ModelBuilding an Enterprise-Grade Azure Governance Model
Building an Enterprise-Grade Azure Governance Model
Karl Ots
 
Azure Security and Management
Azure Security and ManagementAzure Security and Management
Azure Security and Management
Allen Brokken
 
5 minutes on security
5 minutes on security5 minutes on security
5 minutes on security
CloudHesive
 
AWS Code + AWS Device Farm
AWS Code + AWS Device FarmAWS Code + AWS Device Farm
AWS Code + AWS Device Farm
Amazon Web Services
 
Hashicorp Vault - OPEN Public Sector
Hashicorp Vault - OPEN Public SectorHashicorp Vault - OPEN Public Sector
Hashicorp Vault - OPEN Public Sector
Kangaroot
 
Azure governance v4.0
Azure governance v4.0Azure governance v4.0
Azure governance v4.0
Marcos Oikawa
 
Delivering and optimizing citrix from microsoft azure
Delivering and optimizing citrix from microsoft azure Delivering and optimizing citrix from microsoft azure
Delivering and optimizing citrix from microsoft azure
Marius Sandbu
 
EUC State of the Union 2021
EUC State of the Union 2021EUC State of the Union 2021
EUC State of the Union 2021
Marius Sandbu
 
Azure governance
Azure governanceAzure governance
Azure governance
Udaiappa Ramachandran
 
Four Scenarios for an Integration Service Environment (ISE)
Four Scenarios for an Integration Service Environment (ISE)Four Scenarios for an Integration Service Environment (ISE)
Four Scenarios for an Integration Service Environment (ISE)
Daniel Toomey
 
RightScale Webinar: Security and Compliance in the Cloud
RightScale Webinar: Security and Compliance in the CloudRightScale Webinar: Security and Compliance in the Cloud
RightScale Webinar: Security and Compliance in the Cloud
RightScale
 
Microsoft Azure Security Overview
Microsoft Azure Security OverviewMicrosoft Azure Security Overview
Microsoft Azure Security Overview
Alert Logic
 
Azure Networking - The First Technical Challenge
Azure Networking - The First Technical ChallengeAzure Networking - The First Technical Challenge
Azure Networking - The First Technical Challenge
Aidan Finn
 
Introduction to Azure
Introduction to AzureIntroduction to Azure
Introduction to Azure
Robert Crane
 
Govern Your Cloud: The Foundation for Success
Govern Your Cloud: The Foundation for SuccessGovern Your Cloud: The Foundation for Success
Govern Your Cloud: The Foundation for Success
Alert Logic
 
AWS Security
AWS Security AWS Security
AWS Security
Magdy El-Faramawy , MBA,PMP,CISA,CM,ITIL
 
Synnefo @ LinuxCon/CloudOpen North America 2014
Synnefo @ LinuxCon/CloudOpen North America 2014Synnefo @ LinuxCon/CloudOpen North America 2014
Synnefo @ LinuxCon/CloudOpen North America 2014
Vangelis Koukis
 
Azure Penetration Testing
Azure Penetration TestingAzure Penetration Testing
Azure Penetration Testing
Cheah Eng Soon
 
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
Amazon Web Services
 
AWS Security Best Practices, SaaS and Compliance
AWS Security Best Practices, SaaS and ComplianceAWS Security Best Practices, SaaS and Compliance
AWS Security Best Practices, SaaS and Compliance
Gaurav "GP" Pal
 
CloudBrew 2017 - Security + DevOps + Azure = Awesomeness
CloudBrew 2017 - Security + DevOps + Azure = AwesomenessCloudBrew 2017 - Security + DevOps + Azure = Awesomeness
CloudBrew 2017 - Security + DevOps + Azure = Awesomeness
Karl Ots
 
Get On Top of Azure Resource Security Using Secure DevOps Kit for Azure
Get On Top of Azure Resource Security Using Secure DevOps Kit for AzureGet On Top of Azure Resource Security Using Secure DevOps Kit for Azure
Get On Top of Azure Resource Security Using Secure DevOps Kit for Azure
Kasun Kodagoda
 

Mais conteúdo relacionado

Mais procurados

Building an Enterprise-Grade Azure Governance Model
Building an Enterprise-Grade Azure Governance ModelBuilding an Enterprise-Grade Azure Governance Model
Building an Enterprise-Grade Azure Governance Model
Karl Ots
 
Synnefo @ LinuxCon/CloudOpen North America 2014
Synnefo @ LinuxCon/CloudOpen North America 2014Synnefo @ LinuxCon/CloudOpen North America 2014
Synnefo @ LinuxCon/CloudOpen North America 2014
Vangelis Koukis
 
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
Amazon Web Services
 

Mais procurados (20)

Building an Enterprise-Grade Azure Governance Model
Building an Enterprise-Grade Azure Governance ModelBuilding an Enterprise-Grade Azure Governance Model
Building an Enterprise-Grade Azure Governance Model
 
Azure Security and Management
Azure Security and ManagementAzure Security and Management
Azure Security and Management
 
5 minutes on security
5 minutes on security5 minutes on security
5 minutes on security
 
AWS Code + AWS Device Farm
AWS Code + AWS Device FarmAWS Code + AWS Device Farm
AWS Code + AWS Device Farm
 
Hashicorp Vault - OPEN Public Sector
Hashicorp Vault - OPEN Public SectorHashicorp Vault - OPEN Public Sector
Hashicorp Vault - OPEN Public Sector
 
Azure governance v4.0
Azure governance v4.0Azure governance v4.0
Azure governance v4.0
 
Delivering and optimizing citrix from microsoft azure
Delivering and optimizing citrix from microsoft azure Delivering and optimizing citrix from microsoft azure
Delivering and optimizing citrix from microsoft azure
 
EUC State of the Union 2021
EUC State of the Union 2021EUC State of the Union 2021
EUC State of the Union 2021
 
Azure governance
Azure governanceAzure governance
Azure governance
 
Four Scenarios for an Integration Service Environment (ISE)
Four Scenarios for an Integration Service Environment (ISE)Four Scenarios for an Integration Service Environment (ISE)
Four Scenarios for an Integration Service Environment (ISE)
 
RightScale Webinar: Security and Compliance in the Cloud
RightScale Webinar: Security and Compliance in the CloudRightScale Webinar: Security and Compliance in the Cloud
RightScale Webinar: Security and Compliance in the Cloud
 
Microsoft Azure Security Overview
Microsoft Azure Security OverviewMicrosoft Azure Security Overview
Microsoft Azure Security Overview
 
Azure Networking - The First Technical Challenge
Azure Networking - The First Technical ChallengeAzure Networking - The First Technical Challenge
Azure Networking - The First Technical Challenge
 
Introduction to Azure
Introduction to AzureIntroduction to Azure
Introduction to Azure
 
Govern Your Cloud: The Foundation for Success
Govern Your Cloud: The Foundation for SuccessGovern Your Cloud: The Foundation for Success
Govern Your Cloud: The Foundation for Success
 
AWS Security
AWS Security AWS Security
AWS Security
 
Synnefo @ LinuxCon/CloudOpen North America 2014
Synnefo @ LinuxCon/CloudOpen North America 2014Synnefo @ LinuxCon/CloudOpen North America 2014
Synnefo @ LinuxCon/CloudOpen North America 2014
 
Azure Penetration Testing
Azure Penetration TestingAzure Penetration Testing
Azure Penetration Testing
 
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
 
AWS Security Best Practices, SaaS and Compliance
AWS Security Best Practices, SaaS and ComplianceAWS Security Best Practices, SaaS and Compliance
AWS Security Best Practices, SaaS and Compliance
 

Semelhante a Azure Saturday: Security + DevOps + Azure = Awesomeness

Integrating-Cloud-Development-Security-And-Operations.pdf
Integrating-Cloud-Development-Security-And-Operations.pdfIntegrating-Cloud-Development-Security-And-Operations.pdf
Integrating-Cloud-Development-Security-And-Operations.pdf
Amazon Web Services
 
Integrating_Cloud_Development_Security_And_Operations.pdf
Integrating_Cloud_Development_Security_And_Operations.pdfIntegrating_Cloud_Development_Security_And_Operations.pdf
Integrating_Cloud_Development_Security_And_Operations.pdf
Amazon Web Services
 
SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
SBA Research
 
AWS Security – Keynote Address (SEC101) | AWS re:Invent 2013
AWS Security – Keynote Address (SEC101) | AWS re:Invent 2013AWS Security – Keynote Address (SEC101) | AWS re:Invent 2013
AWS Security – Keynote Address (SEC101) | AWS re:Invent 2013
Amazon Web Services
 
Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017
Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017
Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017
Amazon Web Services
 
AWS Startup Webinar | Developing on AWS
AWS Startup Webinar | Developing on AWSAWS Startup Webinar | Developing on AWS
AWS Startup Webinar | Developing on AWS
Amazon Web Services
 

Semelhante a Azure Saturday: Security + DevOps + Azure = Awesomeness (20)

CloudBrew 2017 - Security + DevOps + Azure = Awesomeness
CloudBrew 2017 - Security + DevOps + Azure = AwesomenessCloudBrew 2017 - Security + DevOps + Azure = Awesomeness
CloudBrew 2017 - Security + DevOps + Azure = Awesomeness
 
Get On Top of Azure Resource Security Using Secure DevOps Kit for Azure
Get On Top of Azure Resource Security Using Secure DevOps Kit for AzureGet On Top of Azure Resource Security Using Secure DevOps Kit for Azure
Get On Top of Azure Resource Security Using Secure DevOps Kit for Azure
 
Security + DevOps + Azure = Awesomeness
Security + DevOps + Azure = AwesomenessSecurity + DevOps + Azure = Awesomeness
Security + DevOps + Azure = Awesomeness
 
Power of the cloud - Introduction to azure security
Power of the cloud - Introduction to azure securityPower of the cloud - Introduction to azure security
Power of the cloud - Introduction to azure security
 
Integrating-Cloud-Development-Security-And-Operations.pdf
Integrating-Cloud-Development-Security-And-Operations.pdfIntegrating-Cloud-Development-Security-And-Operations.pdf
Integrating-Cloud-Development-Security-And-Operations.pdf
 
Integrating_Cloud_Development_Security_And_Operations.pdf
Integrating_Cloud_Development_Security_And_Operations.pdfIntegrating_Cloud_Development_Security_And_Operations.pdf
Integrating_Cloud_Development_Security_And_Operations.pdf
 
Automating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOps Automating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOps
 
Compliance In The Cloud Using Security By Design
Compliance In The Cloud Using Security By DesignCompliance In The Cloud Using Security By Design
Compliance In The Cloud Using Security By Design
 
Techorama Belgium 2019: top Azure security fails and how to avoid them
Techorama Belgium 2019: top Azure security fails and how to avoid themTechorama Belgium 2019: top Azure security fails and how to avoid them
Techorama Belgium 2019: top Azure security fails and how to avoid them
 
SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOps
 
Toward Full Stack Security
Toward Full Stack SecurityToward Full Stack Security
Toward Full Stack Security
 
Secure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in AzureSecure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in Azure
 
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentationJustin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation
 
AWS Enterprise Summit London 2015 | Security in the Cloud
AWS Enterprise Summit London 2015 | Security in the CloudAWS Enterprise Summit London 2015 | Security in the Cloud
AWS Enterprise Summit London 2015 | Security in the Cloud
 
AWS Security – Keynote Address (SEC101) | AWS re:Invent 2013
AWS Security – Keynote Address (SEC101) | AWS re:Invent 2013AWS Security – Keynote Address (SEC101) | AWS re:Invent 2013
AWS Security – Keynote Address (SEC101) | AWS re:Invent 2013
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
 
Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017
Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017
Integrating Security into DevOps and CI / CD Environments - Pop-up Loft TLV 2017
 
AWS Startup Webinar | Developing on AWS
AWS Startup Webinar | Developing on AWSAWS Startup Webinar | Developing on AWS
AWS Startup Webinar | Developing on AWS
 
Getting Started with Amazon Inspector
Getting Started with Amazon InspectorGetting Started with Amazon Inspector
Getting Started with Amazon Inspector
 

Mais de Karl Ots

TechDays Finland 2020: Azuren tietoturva haltuun!
TechDays Finland 2020: Azuren tietoturva haltuun!TechDays Finland 2020: Azuren tietoturva haltuun!
TechDays Finland 2020: Azuren tietoturva haltuun!
Karl Ots
 
Techorama Belgium 2019 - Building an Azure Governance model for the Enterprise
Techorama Belgium 2019 - Building an Azure Governance model for the EnterpriseTechorama Belgium 2019 - Building an Azure Governance model for the Enterprise
Techorama Belgium 2019 - Building an Azure Governance model for the Enterprise
Karl Ots
 
ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...
ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...
ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...
Karl Ots
 
Azure Low Lands 2018: Monitoring real life Azure applications when to use wha...
Azure Low Lands 2018: Monitoring real life Azure applications when to use wha...Azure Low Lands 2018: Monitoring real life Azure applications when to use wha...
Azure Low Lands 2018: Monitoring real life Azure applications when to use wha...
Karl Ots
 
UpdateConf 2018: Monitoring real-life Azure applications: When to use what an...
UpdateConf 2018: Monitoring real-life Azure applications: When to use what an...UpdateConf 2018: Monitoring real-life Azure applications: When to use what an...
UpdateConf 2018: Monitoring real-life Azure applications: When to use what an...
Karl Ots
 
Monitoring real-life Azure applications: When to use what and why
Monitoring real-life Azure applications: When to use what and whyMonitoring real-life Azure applications: When to use what and why
Monitoring real-life Azure applications: When to use what and why
Karl Ots
 

Mais de Karl Ots (20)

TechDays Finland 2020: Best practices of securing web applications running on...
TechDays Finland 2020: Best practices of securing web applications running on...TechDays Finland 2020: Best practices of securing web applications running on...
TechDays Finland 2020: Best practices of securing web applications running on...
 
TechDays Finland 2020: Azuren tietoturva haltuun!
TechDays Finland 2020: Azuren tietoturva haltuun!TechDays Finland 2020: Azuren tietoturva haltuun!
TechDays Finland 2020: Azuren tietoturva haltuun!
 
IglooConf 2020: Best practices of securing web applications running on Azure ...
IglooConf 2020: Best practices of securing web applications running on Azure ...IglooConf 2020: Best practices of securing web applications running on Azure ...
IglooConf 2020: Best practices of securing web applications running on Azure ...
 
CloudBurst Malmö: Best practices of securing web applications running on Azur...
CloudBurst Malmö: Best practices of securing web applications running on Azur...CloudBurst Malmö: Best practices of securing web applications running on Azur...
CloudBurst Malmö: Best practices of securing web applications running on Azur...
 
IT Camp 19: Top Azure security fails and how to avoid them
IT Camp 19: Top Azure security fails and how to avoid themIT Camp 19: Top Azure security fails and how to avoid them
IT Camp 19: Top Azure security fails and how to avoid them
 
FAUG Jyväskylä 28.5.2019 - Azure Monitoring
FAUG Jyväskylä 28.5.2019 - Azure MonitoringFAUG Jyväskylä 28.5.2019 - Azure Monitoring
FAUG Jyväskylä 28.5.2019 - Azure Monitoring
 
DevSum - Top Azure security fails and how to avoid them
DevSum - Top Azure security fails and how to avoid themDevSum - Top Azure security fails and how to avoid them
DevSum - Top Azure security fails and how to avoid them
 
Techorama Belgium 2019 - Building an Azure Governance model for the Enterprise
Techorama Belgium 2019 - Building an Azure Governance model for the EnterpriseTechorama Belgium 2019 - Building an Azure Governance model for the Enterprise
Techorama Belgium 2019 - Building an Azure Governance model for the Enterprise
 
ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...
ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...
ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...
 
Azure Low Lands 2018: Monitoring real life Azure applications when to use wha...
Azure Low Lands 2018: Monitoring real life Azure applications when to use wha...Azure Low Lands 2018: Monitoring real life Azure applications when to use wha...
Azure Low Lands 2018: Monitoring real life Azure applications when to use wha...
 
IglooConf 2019 Secure your Azure applications like a pro
IglooConf 2019 Secure your Azure applications like a proIglooConf 2019 Secure your Azure applications like a pro
IglooConf 2019 Secure your Azure applications like a pro
 
UpdateConf 2018: Monitoring real-life Azure applications: When to use what an...
UpdateConf 2018: Monitoring real-life Azure applications: When to use what an...UpdateConf 2018: Monitoring real-life Azure applications: When to use what an...
UpdateConf 2018: Monitoring real-life Azure applications: When to use what an...
 
UpdateConf 2018: Top 18 Azure security fails and how to avoid them
UpdateConf 2018: Top 18 Azure security fails and how to avoid themUpdateConf 2018: Top 18 Azure security fails and how to avoid them
UpdateConf 2018: Top 18 Azure security fails and how to avoid them
 
Top Azure security fails and how to avoid them
Top Azure security fails and how to avoid themTop Azure security fails and how to avoid them
Top Azure security fails and how to avoid them
 
Top 18 azure security fails and how to avoid them
Top 18 azure security fails and how to avoid themTop 18 azure security fails and how to avoid them
Top 18 azure security fails and how to avoid them
 
FAUG #9: Azure security architecture and stories from the trenches
FAUG #9: Azure security architecture and stories from the trenchesFAUG #9: Azure security architecture and stories from the trenches
FAUG #9: Azure security architecture and stories from the trenches
 
Monitoring real-life Azure applications: When to use what and why
Monitoring real-life Azure applications: When to use what and whyMonitoring real-life Azure applications: When to use what and why
Monitoring real-life Azure applications: When to use what and why
 
Navigating in the sea of containers in azure when to choose which service and...
Navigating in the sea of containers in azure when to choose which service and...Navigating in the sea of containers in azure when to choose which service and...
Navigating in the sea of containers in azure when to choose which service and...
 
Kubernetes in Azure
Kubernetes in AzureKubernetes in Azure
Kubernetes in Azure
 
Azure security architecture
Azure security architectureAzure security architecture
Azure security architecture
 

Último

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Último (20)

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 

Azure Saturday: Security + DevOps + Azure = Awesomeness

  • 1. 1 Azure Saturday 2018 Security + DevOps + Azure = Awesomeness Karl Ots | Kompozure @fincooper
  • 2. 2 Azure Saturday 2018 Thank you, sponsors!
  • 3. KARL OTS @ KOMPOZURE • Co-organizer of IglooConf and PolarConf • Podcast host at Cloud Gossip • Working on Azure since 2011 • Patented inventor • Worked with tens of different customers on full-scale Azure projects, from startups to Fortune 500 enterprises Managing Consultant karl.ots@kompozure.com +358 50 480 1102
  • 4.
  • 5. SECURITY LANDSCAPE • Cloud-based user account attacks have increased 300% YoY (Microsoft Security Intelligence Report, Volume 22) • An attacker is on a victim’s network 99 days on average before they are detected (FireEye/Mandiant report – March 14, 2017) • Average cost of a data breach in 2017 was 4 M $ (IBM security)
  • 6. WHY AZSK? • Cloud security is hard. • Knowledge of Azure security controls is not widespread. • MS IT wanted to accelerate internal Azure adoption in a controlled way • Approach: avoid reinventing the wheel o Use as much out-of-the-box Azure features as possible o For example: outsource VM controls to Security Center
  • 7.
  • 8. SECURE DEVOPS KIT FOR AZURE (AZSK)
  • 10. SUBSCRIPTION SECURITYSubscription RBAC provisioning Deploy mandatory and scenario/solution specific accounts/groups on a subscription. Ability to specify and remove deprecated accounts. Alerts setup Configure insights-based alerts for important activities. Runbooks for critical alerts to send SMS with key alert body info. ARM policy setup Deploy and enable ARM policy definitions (e.g., audit/deny use of ASM/v1 resources) ASC setup Configure Azure Security Center by enabling policies, setting security POCs, etc. Resource Locks Ensure that critical enterprise resources have locks deployed on them. Health Check More than a dozen subscription hygiene security checks, including proper provisioning
  • 11.
  • 12.
  • 13. SUBSCRIPTION HEALTH SCAN Select-AzureRmSubscription -SubscriptionId $subscriptionId # Sub health scan Get-AzSKSubscriptionSecurityStatus -SubscriptionId $subscriptionId -GeneratePDF Portrait
  • 14.
  • 15. DEVELOP SECURELY Feature Scenarios/Details Development Security IntelliSense • Get inline support for secure coding right at the point of code creation. • Checks on Azure Best practices, ADAL and common crypto • VS plug-in for C#. • Security IntelliSense extension works on Visual Studio 2015 Update 3 or later.
  • 17. “UNIT TEST” AZURE SECURITY Feature Scenarios/Details Development Security IntelliSense • Get inline support for secure coding right at the point of code creation. • Checks on Azure Best practices, ADAL and Crypto • VS plug-in for C#. Security Verification Tests • Scan cloud solutions during early dev and prototyping stages. • Provides a variety of options to define scan targets. • Easy, intuitive reports and detailed logs. Support for 25+ Azure IaaS and PaaS service types.
  • 18. SECURITY VERIFICATION TESTS Select-AzureRmSubscription -SubscriptionId $subscriptionId # Security Verification Test Get-AzSKAzureServicesSecurityStatus -SubscriptionId $subscriptionId -GeneratePDF Portrait
  • 20. DEVOPS • Security Verification Tests (SVTs) in VSTS / on-prem TFS pipeline • SVTs in Jenkins pipeline • AzSK ARM Template Checker
  • 21. CONTINUOUS ASSURANCE • Run AzSK tests periodically using Azure Automation • Write to Log Analytics • Query with Gusto Query Language • Integrate with your existing systems, such as your SIEM
  • 22. #### Deploy the AzSK view in the OMS workspace #### Install-AzSKOMSSolution -OMSSubscriptionId $subscriptionId ` -OMSResourceGroup $omsRGName ` -OMSWorkspaceId $omsWSId ` -ViewName $azSkViewName #### Setup AzSK scan data to OMS #### Set-AzSKOMSSettings -OMSWorkspaceID $omsWSId -OMSSharedKey $omskey #### Run AzSK scripts per usual #### Get-AzSKSubscriptionSecurityStatus -SubscriptionId $subscriptionId #### Run AzSK SVT scan #### Get-AzSKAzureServicesSecurityStatus -SubscriptionId $subscriptionId SETTING UP CONTINUOUS ASSURANCE
  • 23.
  • 24.
  • 25. ADVANCED FEATURES • Generate PDF Report • Generate AutoFix Script • AzSK ARM Templates • Customizing the security policies for your organization
  • 26. DISCUSSION • AzSK is not your magic bullet to tick the security box o AzSK mostly covers “administrative access” in traditional threat models, some “application access” as well o You still have to worry about users, external threats and more o Threat modeling and Defense in Depth approach are your friends! • Carefully analyze the results in the scope of your application – are the recommended controls right for your app?
  • 27. RESOURCES • Try out the Secure DevOps Kit for Azure! • Installation guide, docs: https://github.com/azsk/DevOpsKit -docs • Controls coverage: http://aka.ms/AzSKosstcp • IT Showcase: http://aka.ms/AzSK/itshowcase • Support: AzSKsupext@microsoft.com
  • 28. 36 Azure Saturday 2018 Azure Saturday 2018 We appreciate your feedback! SLIDESHARE.NET/KARLOTS
  • 29. KOMPOZURE WE ROAR AT CHALLENGE