@ITCAMPRO #ITCAMP19Community Conference for IT Professionals
Top Azure security fails and how to avoid them
Karl Ots
Many thanks to our sponsors & partners!
@fincooper
Karl Ots
Chief Consulting Officer
karl.ots@zure.com
• Cloud & cybersecurity expert
• Community leader, speaker, author & patented inventor
• Working on Azure since 2011
• Helped to secure 100+ Azure applications, from startups to Fortune 500 enterprises
• zure.ly/karl
[Figure: company figures slide. Values: 13,7 · 100% · 4,5 / 5 · 3 · 6. · 34 / 38; labels: experts, years avg., Azure, satisfaction, Azure MVPs, GPTW]
What to expect in this session
• Azure security landscape
• Top Azure security fails I have wandered upon in my adventures
• Why are they bad?
• How to fix them?
• Resources to help you secure your Azure environment, regardless of your current status
With great power comes great responsibility
Secure DevOps kit for Azure (AzSK)
• Set of tools for assessing the security posture of your Azure environment
• Main toolset includes a PowerShell module to scan your Azure platform and resources against best practices from Microsoft Core Services Engineering
• Easy to get started with non-intrusive platform scans; expands to end-to-end tooling from developer machine to DevSecOps
Secure DevOps kit for Azure (AzSK)
Workflow: run the AzSK PowerShell tool → analyze results → improve system security
Most fails described in this session can be detected by using AzSK
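The scan-then-triage loop from the slides, as an added example that is not part of the deck or of the AzSK project itself. It assumes the AzSK and Az modules are installed, that you are already signed in with Connect-AzAccount, and that the SecurityReport CSV written by AzSK carries the column names used below (ControlID, Status, FeatureName, ResourceName, Recommendation); the subscription id and resource group name are placeholders.

```powershell
# Added example (not from the slides): run an AzSK subscription scan plus a
# resource-group scan, then list the failing controls that this session talks about.
# Assumes AzSK (azsk.azurewebsites.net) and Az are installed and a session is active.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$resourceGroup  = 'rg-my-app'                              # placeholder

Install-Module -Name AzSK -Scope CurrentUser -AllowClobber -Force
Import-Module AzSK

# Subscription-level controls (RBAC, public IPs, Security Center configuration, ...).
# The cmdlet returns the folder where the SecurityReport CSV and detailed logs were written.
$subFolder = Get-AzSKSubscriptionSecurityStatus -SubscriptionId $subscriptionId -DoNotOpenOutputFolder

# Resource-level controls (storage, SQL, App Service, Cosmos DB, ...) for one resource group.
$rgFolder = Get-AzSKAzureServicesSecurityStatus -SubscriptionId $subscriptionId `
    -ResourceGroupNames $resourceGroup -DoNotOpenOutputFolder

# Assumed CSV layout: SecurityReport-*.csv with columns ControlID, Status
# (Passed / Failed / Verify / Manual / ...), FeatureName, ResourceName, Recommendation.
function Get-AzSKFailure {
    param([string[]]$ScanFolders)
    foreach ($folder in $ScanFolders) {
        Get-ChildItem -Path $folder -Filter 'SecurityReport-*.csv' -Recurse |
            ForEach-Object { Import-Csv -Path $_.FullName } |
            Where-Object { $_.Status -in 'Failed', 'Verify' }   # 'Verify' needs a human look
    }
}

$failures = Get-AzSKFailure -ScanFolders $subFolder, $rgFolder

# The control IDs named on the slides of this session, for a quick triage view.
$sessionControls = @(
    'Azure_Subscription_NetSec_Justify_PublicIPs',
    'Azure_Subscription_AuthZ_Justify_Admins_Owners',
    'Azure_Subscription_AuthZ_Dont_Use_NonAD_Identities',
    'Azure_Storage_DP_Rotate_Keys',
    'Azure_AppService_Configure_Important_Alerts',
    'Azure_Subscription_Config_Azure_Security_Center',
    'Azure_SQLDatabase_Audit_Enable_Threat_Detection_Server',
    'Azure_CosmosDB_AuthZ_Enable_Firewall',
    'Azure_SQLDatabase_AuthN_Dont_Use_SQL_AuthN',
    'Azure_DataLakeStore_AuthZ_Enable_Firewall'
)

$failures |
    Where-Object { $_.ControlID -in $sessionControls } |
    Sort-Object ControlID |
    Format-Table ControlID, Status, FeatureName, ResourceName, Recommendation -AutoSize

# Everything else that failed, grouped by feature, to see where the bulk of the work is.
$failures | Group-Object FeatureName | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

Treat 'Verify' results as work items, not noise: they are the controls AzSK cannot decide automatically (for example whether a public IP is justified), which is exactly where a reviewer is needed.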
Role Based Access Control
An RBAC assignment ties together an AAD object, a role and a scope.
Role-Based Access Control
Scopes: Subscription → Resource Groups → Resources
• Owner: can perform all management operations for a resource and its child resources, including access management and granting access to others.
• Contributor: can perform all management operations for a resource, including creating and deleting resources. A contributor cannot grant access to others.
• Reader: has read-only access to a resource and its child resources. A reader cannot read secrets.
RBAC Roles
• A role is a collection of actions, e.g.:
  • Microsoft.Compute/virtualMachines/*
  • Microsoft.Compute/virtualMachines/start/action
  • Microsoft.Network/virtualNetworks/read
• 70+ built-in roles for Azure RBAC
  • e.g. Virtual Machine Contributor, Backup Contributor, Security Reader, etc.
Security fail #1
• Unprotected public endpoints
  • HTTP / RDP / SSH
• Mitigation:
  • Every public IP is a risk and should be carefully reviewed
  • Use Network Security Groups to control access to / from virtual machines
  • Use Azure Security Center’s Just-in-time access to dynamically change NSG rules
  • Use Web Application Firewall to control access to public HTTP endpoints
  • Configure Service Endpoint Firewalls for PaaS services
• AzSK Control ID:
  • Azure_Subscription_NetSec_Justify_PublicIPs
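The review-and-fix steps for security fail #1, as an added example that is not part of the deck: inventory public IPs, flag NSG rules that allow RDP/SSH from the Internet, add an explicit deny, and replace the standing opening with a Security Center just-in-time policy. It assumes Az.Network, Az.Compute and Az.Security, an active Connect-AzAccount session, and the object shapes those modules return; resource names, the VM name and the office IP range are placeholders.

```powershell
# Added example (not from the slides): audit and harden Internet-facing VM management ports.
# Assumes Az.Network, Az.Compute, Az.Security and an active session; names below are placeholders.
$resourceGroup = 'rg-my-app'          # placeholder
$nsgName       = 'nsg-my-app-vms'     # placeholder
$vmName        = 'vm-my-app-01'       # placeholder
$location      = 'westeurope'         # placeholder
$officeRange   = '203.0.113.0/24'     # placeholder (TEST-NET-3 documentation range)

# 1. Inventory: every public IP is a risk, so list each one with what it is attached to.
Get-AzPublicIpAddress |
    Select-Object Name, ResourceGroupName, IpAddress,
                  @{ Name = 'AttachedTo'; Expression = { $_.IpConfiguration.Id } } |
    Format-Table -AutoSize

# 2. Audit: inbound Allow rules that let any/Internet source reach 22, 3389 or all ports.
#    Heuristic: explicit numeric ranges such as 0-65535 are not expanded here.
function Get-ExposedManagementRule {
    $mgmtPorts = @('*', '22', '3389')
    foreach ($nsg in Get-AzNetworkSecurityGroup) {
        foreach ($rule in $nsg.SecurityRules) {
            $anySource = ($rule.SourceAddressPrefix -contains '*') -or
                         ($rule.SourceAddressPrefix -contains 'Internet')
            $mgmtPort  = @($rule.DestinationPortRange | Where-Object { $_ -in $mgmtPorts }).Count -gt 0
            if ($rule.Direction -eq 'Inbound' -and $rule.Access -eq 'Allow' -and $anySource -and $mgmtPort) {
                [pscustomobject]@{
                    Nsg      = $nsg.Name
                    Rule     = $rule.Name
                    Priority = $rule.Priority
                    Source   = ($rule.SourceAddressPrefix -join ',')
                    Ports    = ($rule.DestinationPortRange -join ',')
                }
            }
        }
    }
}
Get-ExposedManagementRule | Format-Table -AutoSize

# 3. Fix: a high-priority explicit deny for RDP/SSH from the Internet on the VM subnet's NSG.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $resourceGroup -Name $nsgName
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'deny-mgmt-from-internet' `
    -Description 'Block RDP/SSH from Internet; use JIT access instead' `
    -Access Deny -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 22, 3389 |
    Set-AzNetworkSecurityGroup | Out-Null

# 4. Just-in-time access: Security Center opens the port only on request, only from the
#    office range, and only for up to three hours, then restores the NSG deny.
$vm = Get-AzVM -ResourceGroupName $resourceGroup -Name $vmName
$jitVm = @{
    id    = $vm.Id
    ports = @(
        @{ number = 22;   protocol = '*'; allowedSourceAddressPrefix = @($officeRange); maxRequestAccessDuration = 'PT3H' },
        @{ number = 3389; protocol = '*'; allowedSourceAddressPrefix = @($officeRange); maxRequestAccessDuration = 'PT3H' }
    )
}
Set-AzJitNetworkAccessPolicy -Kind Basic -Location $location -Name 'default' `
    -ResourceGroupName $resourceGroup -VirtualMachine @($jitVm)
```

Run step 2 on a schedule: a rule that someone adds "temporarily" during an incident is the one that survives for years, and the audit catches it regardless of who added it.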
Security fail #2
• Every user is an Owner
  • …in the Subscription scope
• Mitigation:
  • Default access scope should be Resource Group, not Subscription
  • Default RBAC access should be Contributor, not Owner
  • Instead of Owner, use User Access Administrator
• AzSK Control ID:
  • Azure_Subscription_AuthZ_Justify_Admins_Owners
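An added example, not part of the deck, covering the RBAC model slides and security fail #2 together: it shows that a role is just a list of actions, finds Owner assignments made directly at subscription scope, and grants the narrower Contributor and User Access Administrator roles at resource group scope instead. It assumes Az.Resources and an active Connect-AzAccount session; the subscription id, resource group, AAD group name and object id are placeholders.

```powershell
# Added example (not from the slides): inspect a role definition, audit subscription-scope
# Owners, and replace them with resource-group-scoped assignments.
# Assumes Az.Resources and an active session; all ids and names are placeholders.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$subScope       = "/subscriptions/$subscriptionId"
$resourceGroup  = 'rg-my-app'                              # placeholder
$teamGroupName  = 'sg-my-app-developers'                   # placeholder AAD group
$accessAdminId  = '11111111-1111-1111-1111-111111111111'   # placeholder user object id

# A role is a collection of allowed (and denied) actions: look at one built-in role.
$vmContributor = Get-AzRoleDefinition -Name 'Virtual Machine Contributor'
$vmContributor.Actions       # e.g. Microsoft.Compute/virtualMachines/*
$vmContributor.NotActions

# Audit: who is Owner at the subscription scope itself?
# Get-AzRoleAssignment -Scope returns assignments at that scope and inherited from above,
# so filter on Scope to keep only the ones granted directly on the subscription.
function Get-SubscriptionOwner {
    param([string]$Scope)
    Get-AzRoleAssignment -Scope $Scope |
        Where-Object { $_.RoleDefinitionName -eq 'Owner' -and $_.Scope -eq $Scope }
}
Get-SubscriptionOwner -Scope $subScope |
    Format-Table DisplayName, SignInName, ObjectType, Scope -AutoSize

# Fix, step 1: the team gets Contributor on its own resource group only ...
$team = Get-AzADGroup -DisplayName $teamGroupName
New-AzRoleAssignment -ObjectId $team.Id -RoleDefinitionName 'Contributor' `
    -ResourceGroupName $resourceGroup | Out-Null

# ... step 2: whoever must manage access gets User Access Administrator on the same scope.
# Unlike Owner, that role can manage role assignments but cannot touch the resources.
New-AzRoleAssignment -ObjectId $accessAdminId -RoleDefinitionName 'User Access Administrator' `
    -ResourceGroupName $resourceGroup | Out-Null

# ... step 3: only after the replacements are in place, remove the broad Owner assignments
# (review the list from the audit first; this is the line that actually revokes access).
# Get-SubscriptionOwner -Scope $subScope | ForEach-Object {
#     Remove-AzRoleAssignment -ObjectId $_.ObjectId -RoleDefinitionName 'Owner' -Scope $subScope
# }
```

Keep at least one break-glass Owner (ideally a group managed through AAD PIM) before revoking the rest, otherwise the last removal locks everyone out of access management for the subscription.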
Security fail #3
• Untrusted authentication provider being used
  • (Microsoft Account, Gmail, unmanaged or external Azure AD…)
• Mitigation:
  • Always use trusted Azure AD authentication
  • Monitor Azure Subscription access using AAD PIM
  • If necessary, limit who can invite AAD Guest users
• AzSK control ID:
  • Azure_Subscription_AuthZ_Dont_Use_NonAD_Identities
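The audit behind security fail #3, as an added example that is not part of the deck: list every role assignment in the subscription held by an external (guest) identity or by a principal that no longer resolves in the directory. It assumes Az.Resources and an active Connect-AzAccount session, and relies on an assumed heuristic: guest users invited into a tenant (Microsoft Account, Gmail, another Azure AD) get a UPN of the form name_domain.com#EXT#@tenant.onmicrosoft.com. The subscription id is a placeholder, and the commented directory-level hardening line assumes the AzureAD module.

```powershell
# Added example (not from the slides): find role assignments held by non-tenant identities.
# Assumes Az.Resources and an active session; the subscription id is a placeholder.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# Without -Scope this returns every assignment in the current subscription,
# including those on resource groups and individual resources.
$assignments = Get-AzRoleAssignment

function Get-ExternalAssignment {
    param($Assignments)
    # Assumed heuristic: guest/external users carry '#EXT#' in their sign-in name.
    $Assignments | Where-Object {
        $_.ObjectType -eq 'User' -and $_.SignInName -like '*#EXT#*'
    }
}

function Get-OrphanedAssignment {
    param($Assignments)
    # Deleted users, groups or service principals leave assignments that resolve to
    # ObjectType 'Unknown' with no display name; they should be removed as well.
    $Assignments | Where-Object {
        $_.ObjectType -eq 'Unknown' -or [string]::IsNullOrEmpty($_.DisplayName)
    }
}

Write-Host 'External identities with role assignments:'
Get-ExternalAssignment -Assignments $assignments |
    Sort-Object RoleDefinitionName |
    Format-Table DisplayName, SignInName, RoleDefinitionName, Scope -AutoSize

Write-Host 'Unresolvable principals with role assignments:'
Get-OrphanedAssignment -Assignments $assignments |
    Format-Table ObjectId, ObjectType, RoleDefinitionName, Scope -AutoSize

# Directory-level hardening from the slide ("limit who can invite guests"), assumed
# AzureAD module cmdlet; run by a Global Administrator, not as part of the audit:
# Set-AzureADMSAuthorizationPolicy -Id authorizationPolicy -AllowInvitesFrom adminsAndGuestInviters
```

An external identity with Reader on a single resource group is usually fine and documented; an external identity with Owner on the subscription is the finding this control exists for, so sort by role as above and work from the top.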
Security fail #4
• Storage access keys used directly
• Mitigation:
  • Storage Access Keys should be stored in Azure Key Vault and rotated programmatically
  • Use data plane RBAC roles (new)
  • Restrict access to Microsoft.Storage/storageAccounts/listkeys/action using RBAC
• AzSK control ID:
  • Azure_Storage_DP_Rotate_Keys
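The three mitigations for security fail #4 carried through in one script, as an added example that is not part of the deck: rotate a storage key and park it in Key Vault with an expiry, build a custom role that is Contributor minus listkeys, and give the application a data-plane role so it never needs the key at all. It assumes Az.Storage, Az.KeyVault, Az.Resources and an active Connect-AzAccount session, and that the Key Vault already exists; the subscription id, resource names and managed identity object id are placeholders.

```powershell
# Added example (not from the slides): key rotation into Key Vault, a no-listkeys custom
# role, and data-plane RBAC for the application.
# Assumes Az.Storage, Az.KeyVault, Az.Resources and an active session; names are placeholders.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$resourceGroup  = 'rg-my-app'                              # placeholder
$storageAccount = 'stmyapp001'                             # placeholder
$vaultName      = 'kv-my-app'                              # placeholder (existing vault)
$appObjectId    = '22222222-2222-2222-2222-222222222222'   # placeholder managed identity
$accountId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Storage/storageAccounts/$storageAccount"

# 1. Rotate key1. Consumers should currently be on key2 (rotate the two keys alternately,
#    so the one being regenerated is never the one in use).
New-AzStorageAccountKey -ResourceGroupName $resourceGroup -Name $storageAccount -KeyName key1 | Out-Null
$key1 = (Get-AzStorageAccountKey -ResourceGroupName $resourceGroup -Name $storageAccount |
         Where-Object KeyName -eq 'key1').Value

# 2. Store the new key in Key Vault with an expiry, so the next rotation has a visible deadline.
$secret = ConvertTo-SecureString -String $key1 -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $vaultName -Name "${storageAccount}-key1" `
    -SecretValue $secret -Expires (Get-Date).AddDays(90) | Out-Null
Remove-Variable -Name key1, secret    # do not leave the key lying around in the session

# 3. Custom role: Contributor without listkeys/regeneratekey. Operators can manage the
#    account (tags, firewall, tiers) but can never read or reset the keys.
$role = Get-AzRoleDefinition -Name 'Contributor'
$role.Id          = $null
$role.Name        = 'Storage Operator (no listkeys)'
$role.Description = 'Contributor without the ability to read or regenerate storage account keys'
$role.IsCustom    = $true
$role.NotActions.Add('Microsoft.Storage/storageAccounts/listkeys/action')
$role.NotActions.Add('Microsoft.Storage/storageAccounts/regeneratekey/action')
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")
New-AzRoleDefinition -Role $role | Out-Null

# 4. Data-plane RBAC: the app's managed identity gets Storage Blob Data Contributor on this
#    one account and authenticates with an AAD token, so it never calls listkeys.
New-AzRoleAssignment -ObjectId $appObjectId -RoleDefinitionName 'Storage Blob Data Contributor' `
    -Scope $accountId | Out-Null

# Audit: who can still list keys? Anyone with Owner, Contributor or a role whose Actions
# cover Microsoft.Storage/storageAccounts/* or the listkeys action explicitly.
Get-AzRoleAssignment -Scope $accountId |
    Where-Object { $_.RoleDefinitionName -in 'Owner', 'Contributor', 'Storage Account Contributor', 'Storage Account Key Operator Service Role' } |
    Format-Table DisplayName, RoleDefinitionName, Scope -AutoSize
```

Steps 1 and 2 are what "rotated programmatically" means in practice: schedule them (an Automation runbook or pipeline job) and have consumers read the key from Key Vault at startup, so a rotation is a restart rather than a redeploy.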
Security fail #5
• Insufficient monitoring and alerting
• Mitigation:
  • Configure Activity Log retention, default is only 90 days!
  • Enable Azure SQL Audit logging
  • Monitor all HTTP endpoint traffic with Application Gateway / Web Application Firewall
  • Enable Application Insights Smart Alerts
  • Enable Advanced Threat Protection for Azure SQL and Storage Accounts
  • Enable Service Health Alerts
  • Enable custom Activity Log Alerts
• AzSK control IDs:
  • Azure_AppService_Configure_Important_Alerts
  • Azure_Subscription_Config_Azure_Security_Center
  • Azure_SQLDatabase_Audit_Enable_Threat_Detection_Server
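The monitoring baseline from security fail #5 as one script, added here as an example that is not part of the deck: Activity Log retention beyond 90 days, Azure SQL auditing, Advanced Threat Protection for SQL and Storage, a Service Health alert, and a custom Activity Log alert on role-assignment writes. It assumes Az.Resources, Az.Storage, Az.Sql, Az.Security and Az.Monitor with the Activity Log alert cmdlet names of the 2019-era Az.Monitor 1.x/2.x releases (New-AzActivityLogAlertCondition and the New-AzActionGroup reference object; Az.Monitor 3.0 later renamed these), an active Connect-AzAccount session, and an existing action group; all names are placeholders.

```powershell
# Added example (not from the slides): enable the logging and alerting listed on the slide.
# Assumes Az.Resources, Az.Storage, Az.Sql, Az.Security, Az.Monitor 1.x/2.x and an active
# session; the action group must already exist; names below are placeholders.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$resourceGroup  = 'rg-my-app'                              # placeholder
$logStorage     = 'stmyapplogs001'                         # placeholder
$sqlServer      = 'sql-my-app'                             # placeholder
$actionGroup    = 'ag-secops'                              # placeholder (existing)
$subScope       = "/subscriptions/$subscriptionId"

$storage = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $logStorage

# 1. Activity Log retention: a log profile archives the subscription's Activity Log to storage
#    for a year (legacy mechanism, one per subscription; diagnostic settings are the newer route).
Add-AzLogProfile -Name 'default' -StorageAccountId $storage.Id -RetentionInDays 365 `
    -Location ((Get-AzLocation).Location + 'global') -Category Write, Delete, Action | Out-Null

# 2. Azure SQL server-level auditing to the same storage account.
Set-AzSqlServerAudit -ResourceGroupName $resourceGroup -ServerName $sqlServer `
    -BlobStorageTargetState Enabled -StorageAccountResourceId $storage.Id -RetentionInDays 365

# 3. Advanced Threat Protection: for SQL it comes with Advanced Data Security,
#    for storage accounts it is switched on per account.
Enable-AzSqlServerAdvancedDataSecurity -ResourceGroupName $resourceGroup -ServerName $sqlServer | Out-Null
Enable-AzSecurityAdvancedThreatProtection -ResourceId $storage.Id | Out-Null

# 4. Alerts route to the existing action group (email / SMS / webhook receivers live there).
$agId  = (Get-AzActionGroup -ResourceGroupName $resourceGroup -Name $actionGroup).Id
$agRef = New-AzActionGroup -ActionGroupId $agId

# 4a. Service Health alert: incidents and planned maintenance affecting this subscription.
$healthCondition = New-AzActivityLogAlertCondition -Field 'category' -Equal 'ServiceHealth'
New-AzActivityLogAlert -Location 'Global' -Name 'alert-service-health' -ResourceGroupName $resourceGroup `
    -Scope $subScope -Action $agRef -Condition $healthCondition | Out-Null

# 4b. Custom Activity Log alert: every role assignment written anywhere in the subscription.
#     Unexpected Owner grants (security fail #2) then page the team within minutes.
$rbacConditions = @(
    (New-AzActivityLogAlertCondition -Field 'category' -Equal 'Administrative'),
    (New-AzActivityLogAlertCondition -Field 'operationName' -Equal 'Microsoft.Authorization/roleAssignments/write')
)
New-AzActivityLogAlert -Location 'Global' -Name 'alert-role-assignment-write' -ResourceGroupName $resourceGroup `
    -Scope $subScope -Action $agRef -Condition $rbacConditions | Out-Null

# 4c. Same pattern for the other change you never want to miss silently: an NSG rule write.
$nsgConditions = @(
    (New-AzActivityLogAlertCondition -Field 'category' -Equal 'Administrative'),
    (New-AzActivityLogAlertCondition -Field 'operationName' -Equal 'Microsoft.Network/networkSecurityGroups/securityRules/write')
)
New-AzActivityLogAlert -Location 'Global' -Name 'alert-nsg-rule-write' -ResourceGroupName $resourceGroup `
    -Scope $subScope -Action $agRef -Condition $nsgConditions | Out-Null
```

The two custom alerts are the cheapest detection on the page: they need no agent or SIEM, and they fire on the control-plane operations that precede most of the other fails in this session.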
Storage Advanced Threat Protection
Detections include:
• Access from unusual location
• Application anomaly
• Anonymous access
• Data exfiltration
• Unexpected delete
• Upload of Azure Cloud Service package
• Access permission change
• Access inspection
• Data exploration
Security fail #6
• No network controls for PaaS storage
• Mitigation:
  • Enable the firewall for your storage-layer services
  • When using SAS tokens, enable IP restriction
• AzSK Control IDs:
  • Azure_CosmosDB_AuthZ_Enable_Firewall
  • Azure_SQLDatabase_AuthN_Dont_Use_SQL_AuthN
  • Azure_DataLakeStore_AuthZ_Enable_Firewall
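The network controls for security fail #6 (and the "Service Endpoint Firewalls for PaaS services" item from fail #1), as an added example that is not part of the deck: find storage accounts still open to all networks, lock one down to a service-endpoint subnet plus an office range, issue an IP-restricted, HTTPS-only, short-lived SAS, and scope an Azure SQL firewall rule. It assumes Az.Storage, Az.Sql and an active Connect-AzAccount session, and that the subnet already has the Microsoft.Storage service endpoint enabled; resource names, the subnet id and the IP range are placeholders.

```powershell
# Added example (not from the slides): storage-layer firewall, IP-restricted SAS, SQL firewall.
# Assumes Az.Storage, Az.Sql and an active session; names, ids and ranges are placeholders.
$resourceGroup  = 'rg-my-app'          # placeholder
$storageAccount = 'stmyapp001'         # placeholder
$sqlServer      = 'sql-my-app'         # placeholder
$officeRange    = '203.0.113.0/24'     # placeholder (TEST-NET-3 documentation range)
$subnetId       = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-my-app/providers/Microsoft.Network/virtualNetworks/vnet-my-app/subnets/snet-app'   # placeholder

# 1. Audit: every storage account in the subscription whose firewall still allows all networks.
function Get-OpenStorageAccount {
    Get-AzStorageAccount |
        Where-Object { $_.NetworkRuleSet.DefaultAction -eq 'Allow' } |
        Select-Object StorageAccountName, ResourceGroupName, @{ Name = 'DefaultAction'; Expression = { $_.NetworkRuleSet.DefaultAction } }
}
Get-OpenStorageAccount | Format-Table -AutoSize

# 2. Lock down: deny by default, keep trusted Microsoft services (e.g. Security Center, backup),
#    then allow exactly one VNet subnet (service endpoint) and one public range.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $resourceGroup -Name $storageAccount `
    -DefaultAction Deny -Bypass AzureServices | Out-Null
Add-AzStorageAccountNetworkRule -ResourceGroupName $resourceGroup -Name $storageAccount `
    -VirtualNetworkResourceId $subnetId | Out-Null
Add-AzStorageAccountNetworkRule -ResourceGroupName $resourceGroup -Name $storageAccount `
    -IPAddressOrRange $officeRange | Out-Null

# 3. SAS tokens: even a leaked token is useless outside the allowed range, after one hour,
#    over plain HTTP, or for anything but reading the one container it was issued for.
$ctx = (Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount).Context
$sas = New-AzStorageContainerSASToken -Name 'reports' -Permission r -Protocol HttpsOnly `
    -IPAddressOrRange $officeRange `
    -StartTime (Get-Date).AddMinutes(-5) -ExpiryTime (Get-Date).AddHours(1) -Context $ctx
# $sas is handed to the consumer; it never leaves this script in a log line.

# 4. Azure SQL: a named firewall rule for the office range instead of 0.0.0.0-255.255.255.255.
New-AzSqlServerFirewallRule -ResourceGroupName $resourceGroup -ServerName $sqlServer `
    -FirewallRuleName 'office' -StartIpAddress '203.0.113.1' -EndIpAddress '203.0.113.254' | Out-Null

# Audit the SQL side too: any rule spanning the whole IPv4 space is the PaaS equivalent of
# an Internet-facing RDP port.
Get-AzSqlServerFirewallRule -ResourceGroupName $resourceGroup -ServerName $sqlServer |
    Where-Object { $_.StartIpAddress -eq '0.0.0.0' -and $_.EndIpAddress -eq '255.255.255.255' } |
    Format-Table FirewallRuleName, StartIpAddress, EndIpAddress -AutoSize
```

Step 2 is the one that breaks things if done blind: run the audit in step 1 first, add the VNet and IP rules, and only then flip DefaultAction to Deny, otherwise the application loses storage access in the seconds between the two calls.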
Secure DevOps kit for Azure (AzSK)
• Set of tools for assessing the security posture of your Azure environment
• Built by Microsoft Core Services Engineering
• Used to secure 1000+ Azure subscriptions at Microsoft
• Easy to get started with non-intrusive vulnerability scans; expands to end-to-end tooling from developer machine to CI/CD to continuous assurance
• Call to action: use AzSK to scan your environment for security fails!
Resources
• My slides: zure.ly/karl/slides
• Secure DevOps Kit for Azure:
  • azsk.azurewebsites.net
• Microsoft Ignite 2018 session THR2104, Assess your Microsoft Azure security like a pro:
  • zure.ly/karl/THR2104
• Whitepaper: Develop Secure Applications on Azure:
  • zure.ly/karl/secureapps
Q & A
