Azure Enterprise Security in Practice Radu Vunvulea Codecamp Cluj Napoca Nov 2017

•Transferir como PPTX, PDF•

0 gostou•255 visualizações

How does an enterprise looks like when you talk about security and cloud? Complicated, rigid and challenging to accept cloud based architectures. After working closely with security teams from different companies I identified different approaches and requirements that are standard for enterprises. In this session I want to discuss and share with you lessons learned on how we can map security requirements to Azure.

Tecnologia

1
ENTERPRISE SECURITY
IN PRACTICE
RADU VUNVULEA, OCTOBER 2017
@RADU VUNVULEA

RADU VUNVULEA
Technology Enthusiast
Dreamer
Microsoft Azure MVP
Speaker & Trainer
Writer & Blogger
Idealist Software
Architecture Crafter

DIRECT ACCESS
Same network
Visible between
each other
Easy access and
control

ISOLATION
Restric traffic
Controls what goes
to and from VNET
Isolate from outside

CROSS SYSTEM COMMUNICATION
Specify what can be
exchange between
systems
Full control on
inbound and
outbound traffic
NSG

NETWORK VIRTUAL APPLIANCE
Control security from
only one location
Cross location
synchronization

MONITOR AND AUDIT
All traffic goes
through virtual
appliance
Push audit data to
on-premises system
Firewall, IDS, IPS
UDR

EXTERNAL TRAFFIC CONTROL
Full control of IP
Filtering
Traffic goes through
VPN
S2S
VPN
Internet

IPSEC VPN TERMINATED OUTSIDE FIREWALL
Cannot be done using S2S
VPN
VPN terminated before NGFW,
inside Virtual Gateway
Appliance
VPN

IPSEC VPN TERMINATED OUTSIDE FIREWALL
Cannot be done using S2S
VPN
VPN terminated before NGFW,
inside Virtual Gateway
Appliance
VPN
OpenVPN

IPSEC VPN TERMINATED OUTSIDE FIREWALL
Appliance plays the role of
firewall and VPN Gateway
VPN

DEVICE AUTHENTICATION USING CERTIFICATES
Supported only for Point-to-Site
VPN
Site-to-Site VPN is connected
directly to VPN hardware
certificates

CASCADED VIRTUAL APPLIANCES
Multiple virtual appliances
connected together

VNET TO VNET CONNECTIVITY
Peering – Fast and
reliable
VPN Gateway –
More granular
control of what goes
in or out
Peering /
VPN
Gateway

CENTRAL LOGGING DATA
Activity Logs
Azure Diagnostic Logs
AAD Reporting
VM and Cloud Services
Storage Analytics
Network Security Groups
Application Insights
Security Alert
Configurable, +180 days, 90
days

API AND INFRASTRUCTURE CHANGES
CLOUD SERVICE PROVIDER CAN MAKE CHANGES ONLY AFTER THE NATURE OF CHANGE IS
UNDERSTOOD AND A SECURITY ASSESSMENT IS DONE
YES
• Microsoft announce 12 months in advance any
breaking changes at API or functionality level
NO
• Infrastructure and services change are done on the
fly as long as the API or functionality is not altered

Azure Enterprise Security in Practice Radu Vunvulea Codecamp Cluj Napoca Nov 2017

Mais conteúdo relacionado

Mais procurados

Cisco Connect 2018 Malaysia - Secure data center and mobility solutions

NetworkCollaborators

Sasa milic, cisco advanced malware protection

Dejan Jeremic

Making AI based monitoring a platform feature with the power of BOSH

Mike Villiger

Cisco connect winnipeg 2018 accelerating incident response in organizations...

Cisco Canada

Cloud Access Security Broker (CASB)

rkulandaivel

Cloud Management for WiFi networks

Tanaza

DevSecOps: control and monitoring of zero-day vulnerabilities.

Emerasoft, solutions to collaborate

As security professionals, how can we be sure that we’re ready for 2019? After the last few years, when our practices and conventions have been tested again and again, it’s a little daunting to consider what may face us in the year ahead. Will attackers set their sights on cloud apps? Will hackers join forces with organized crime? Will governments look to the private sector to deal with the skills gap? What will happen to cybersecurity budgets? Join us to get answers to these questions and more.

Top 5 predictions webinar

Zscaler

Driven by the mobility, cloud computing, and Internet of Everything megatrends and fueled by increasingly sophisticated cybercriminals, today’s information landscape is more dynamic and more vulnerable than ever before. Join Cisco and Lancope for a complimentary webinar to learn how you can implement a comprehensive, network-enabled approach to cybersecurity. During the webinar we will discuss: Using the Network as a Security Sensor with Lancope’s StealthWatch System and Flexible NetFlow and to obtain visibility at scale, monitor network activity efficiently, discover security incidents quickly, and help achieve compliance. Using the Network as a Security Enforcer with Cisco TrustSec to ensure policy-based access control and network segmentation for containment of the network attacks, assist compliance and reduce risks of data-breaches.

Using Your Network as a Sensor for Enhanced Visibility and Security

Lancope, Inc.

Making AI based monitoring a platform feature with the power of BOSH

VMware Tanzu

SonicWall

NEOTD Tech Events .

2020 09-30 overcoming the challenges of managing a hybrid environment - aws a...

AlgoSec

One of the toughest IT challenges has been figuring out how to allow users to bring their own devices to work while maintaining the security of internal apps. It becomes even more complicated when a good chunk of users are partners, contractors, and other third parties—those who present a disproportionately high security risk. IT teams have begun to leverage a zero trust security strategy that enables third parties and users on unmanaged devices to securely access internal apps. But can such access be accomplished without placing users on the network and without a mobile client?

Three ways-zero-trust-security-redefines-partner-access-ch

Zscaler

Virtualized Firewall: Is it the panacea to secure distributed enterprises?

Zscaler

Many IT teams used an “M&M” approach to design network security: create a hard shell or perimeter around the soft interior. For remote users, traditional L3 VPNs extend that perimeter, placing remote users' endpoints directly onto the enterprise network. This puts the enterprise's network and data at risk from a range of threats - compromised credentials can lead to unintended exposure, as attackers move laterally throughout the network environment.

What Comes After VPN?

Zscaler

Today 34% of enterprises are running applications within Azure Cloud. That's up 14% from last year! The problem is that Enterprise Networking and Security teams still rely on the VPN to provide remote access to the network for their mobile users. The VPN, famous for giving users a poor user experience, breaks the cloud experience, exposes the network to employees while driving costs and complexity when migrating apps to Azure.

Secure access to applications on Microsoft Azure

Zscaler

Securing with Sophos - Sophos Day Belux 2014

Sophos Benelux

Moving from appliances to cloud security with phoenix children's hospital

Zscaler

Migration to cisco next generation firewall

IT Tech

Skybox is a Risk Analytics brain for security management We provide visibility, intelligence and control to help you manage firewalls and changes, minimize vulnerabilities, and deal with threats --- on one common platform With Skybox, you can visualize your network, prioritize risks in minutes, find attack vectors, and save time through security automation. We help you Take Action Fast! How do we do this? Let’s show you how…

RSA 2014: Skybox Security Risk Analytics Overview

Skybox Security

Mais procurados (20)

Cisco Connect 2018 Malaysia - Secure data center and mobility solutions

Sasa milic, cisco advanced malware protection

Making AI based monitoring a platform feature with the power of BOSH

Cisco connect winnipeg 2018 accelerating incident response in organizations...

Cloud Access Security Broker (CASB)

Cloud Management for WiFi networks

DevSecOps: control and monitoring of zero-day vulnerabilities.

Top 5 predictions webinar

Using Your Network as a Sensor for Enhanced Visibility and Security

Making AI based monitoring a platform feature with the power of BOSH

SonicWall

2020 09-30 overcoming the challenges of managing a hybrid environment - aws a...

Three ways-zero-trust-security-redefines-partner-access-ch

Virtualized Firewall: Is it the panacea to secure distributed enterprises?

What Comes After VPN?

Secure access to applications on Microsoft Azure

Securing with Sophos - Sophos Day Belux 2014

Moving from appliances to cloud security with phoenix children's hospital

Migration to cisco next generation firewall

RSA 2014: Skybox Security Risk Analytics Overview

Semelhante a Azure Enterprise Security in Practice Radu Vunvulea Codecamp Cluj Napoca Nov 2017

Una conoscenza approfondita dei vari aspetti legati al networking di Azure è fondamentale per implementare cloud ibridi in modo sicuro e allo stesso tempo funzionale. In questa sessione saranno esplorati a 360° gli elementi chiave da tenere in considerazione per realizzare architetture di rete ibride, sfruttando al meglio i vari servizi offerti dalla piattaforma Azure, al fine di realizzare la miglior integrazione con l’ambiente on-premises, senza mai trascurare la sicurezza. Durante l’intervento si scenderà nel dettaglio di architetture di rete ibride avanzate, mostrando esempi reali, frutto di un'esperienza diretta sul campo. By Francesco Molfese

CCI2019 - Architecting and Implementing Azure Networking

walk2talk srl

Trisul for Managed Security Service Providers

trisulnsm

Trisul for Managed Security Service Providers

Vivek Rajagopalan

Genian NAC provides network surveillance and performs ongoing compliance checks to ensure that all connected devices are automatically identified, classified, authorized, and given policy-based access control. It also provides all the major features that network managers expect, such as IP Address Management (IPAM), Desktop Configuration Management, WLAN access control, automated IT security operation, IT asset management, and much more. Genians NAC provides both on-premise and cloud-based deployment options, providing for ease of deployment and ongoing management.

Genian NAC Overview

GENIANS, INC.

ISE_2.1_BDM_v3a.pptx

Yaser330700

What is SASE and How Can Partners Talk About it?

QOS Networks

Eximbank security presentation

laonap166

App gate sdp_use_case_secure_cloud_access

Cristian Garcia G.

Palo Alto Networks SASE Deck. A SASE (secure access service edge) architecture combines networking and security as a service functions into a single cloud-delivered service at the network edge. In short, a SASE architecture identifies users and devices, enables secure access, delivers secure access to the appropriate applications, while providing network security from the cloud to protect users, applications, and data regardless of where they are. Combined with Prisma SD-WAN, Palo Alto Networks offers the industry's most complete SASE solution.

palo-alto-networks-sase-overview-deck.pptx

infoeliechahine

Securing the Internet of Things in Smart Buildings!

Memoori

Forcepoint SD-WAN and NGFW + IPS

Larry Austin

Ras pro

choiceone

Ras pro

Datarobotics

Software-defined networking has come onto the scene and changed the way we think about moving packets throughout a network. But it has also morphed into multiple definitions and approaches, driven by both vendors and enterprise customers. But how does security fit into this picture? This talk will discuss the convergence of SDN and security and will try to make sense of them both. Learning Objectives: 1: Understand all types of SDN. 2: Understand SDN and security. 3: Understand how a secure SDN makes a network safer. (Source: RSA Conference USA 2018)

SDN and Security: A Marriage Made in Heaven. Or Not.

Priyanka Aash

2019 10-app gate sdp 101 09a

Cristian Garcia G.

Protección y acceso a tu información y aplicaciones en Azure y O365 – Barracuda

Plain Concepts

Ad enterprise datasheet

Advantec Distribution

ClearPass_Customer_Presentation

RoanVillalobos1

Air defense services_platform_spec_sheet

Advantec Distribution

Shadow IT

Risk Analysis Consultants, s.r.o.

Semelhante a Azure Enterprise Security in Practice Radu Vunvulea Codecamp Cluj Napoca Nov 2017 (20)

CCI2019 - Architecting and Implementing Azure Networking

Trisul for Managed Security Service Providers

Genian NAC Overview

ISE_2.1_BDM_v3a.pptx

What is SASE and How Can Partners Talk About it?

Eximbank security presentation

App gate sdp_use_case_secure_cloud_access

palo-alto-networks-sase-overview-deck.pptx

Securing the Internet of Things in Smart Buildings!

Forcepoint SD-WAN and NGFW + IPS

Ras pro

SDN and Security: A Marriage Made in Heaven. Or Not.

2019 10-app gate sdp 101 09a

Protección y acceso a tu información y aplicaciones en Azure y O365 – Barracuda

Ad enterprise datasheet

ClearPass_Customer_Presentation

Air defense services_platform_spec_sheet

Shadow IT

Último

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

[BuildWithAI] Introduction to Gemini.pdf

Sandro Moreira

FWD Group - Insurer Innovation Award 2024

The Digital Insurer

Passkeys: Developing APIs to enable passwordless authentication Cody Salas, Sr Developer Advocate | Solutions Architect - Yubico Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

apidays

Understanding the FAA Part 107 License ..

Christopher Logan Kennedy

Dubai, known for its towering skyscrapers, luxurious lifestyle, and relentless pursuit of innovation, often finds itself in the global spotlight. However, amidst the glitz and glamour, the emirate faces its own set of challenges, including the occasional threat of flooding. In recent years, Dubai has experienced sporadic but significant floods, disrupting normalcy and posing unique challenges to its infrastructure. Among the critical nodes in this bustling metropolis is the Dubai International Airport, a vital hub connecting the world. This article delves into the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Orbitshub

Discover the innovative features and strategic vision that keep WSO2 an industry leader. Explore the exciting 2024 roadmap of WSO2 API management, showcasing innovations, unified APIM/APK control plane, natural language API interaction, and cloud native agility. Discover how open source solutions, microservices architecture, and cloud native technologies unlock seamless API management in today's dynamic landscapes. Leave with a clear blueprint to revolutionize your API journey and achieve industry success!

WSO2's API Vision: Unifying Control, Empowering Developers

WSO2

Vector Search -An Introduction in Oracle Database 23ai.pptx

Remote DBA Services

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

The microservices honeymoon is over. When starting a new project or revamping a legacy monolith, teams started looking for alternatives to microservices. The Modular Monolith, or 'Modulith', is an architecture that reaps the benefits of (vertical) functional decoupling without the high costs associated with separate deployments. This talk will delve into the advantages and challenges of this progressive architecture, beginning with exploring the concept of a 'module', its internal structure, public API, and inter-module communication patterns. Supported by spring-modulith, the talk provides practical guidance on addressing the main challenges of a Modultith Architecture: finding and guarding module boundaries, data decoupling, and integration module-testing. You should not miss this talk if you are a software architect or tech lead seeking practical, scalable solutions. About the author With two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Victor Rentea

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

MadyBayot

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

Retrieval augmented generation (RAG) is the most popular style of large language model application to emerge from 2023. The most basic style of RAG works by vectorizing your data and injecting it into a vector database like Milvus for retrieval to augment the text output generated by an LLM. This is just the beginning. One of the ways that we can extend RAG, and extend AI, is through multilingual use cases. Typical RAG is done in English using embedding models that are trained in English. In this talk, we’ll explore how RAG could work in languages other than English. We’ll explore French, Chinese, and Polish.

Introduction to Multilingual Retrieval Augmented Generation (RAG)

Zilliz

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

ICT role in 21st century education and its challenges

rafiqahmad00786416

CNIC Information System with Pakdata Cf In Pakistan

danishmna97

Tracing the root cause of a performance issue requires a lot of patience, experience, and focus. It’s so hard that we sometimes attempt to guess by trying out tentative fixes, but that usually results in frustration, messy code, and a considerable waste of time and money. This talk explains how to correctly zoom in on a performance bottleneck using three levels of profiling: distributed tracing, metrics, and method profiling. After we learn to read the JVM profiler output as a flame graph, we explore a series of bottlenecks typical for backend systems, like connection/thread pool starvation, invisible aspects, blocking code, hot CPU methods, lock contention, and Virtual Thread pinning, and we learn to trace them even if they occur in library code you are not familiar with. Attend this talk and prepare for the performance issues that will eventually hit any successful system. About authorWith two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

Victor Rentea

Azure Enterprise Security in Practice Radu Vunvulea Codecamp Cluj Napoca Nov 2017

1. 1 ENTERPRISE SECURITY IN PRACTICE RADU VUNVULEA, OCTOBER 2017 @RADU VUNVULEA

2. ENTERPRISE AND SECURITY

4. RADU VUNVULEA Technology Enthusiast Dreamer Microsoft Azure MVP Speaker & Trainer Writer & Blogger Idealist Software Architecture Crafter

6. SANDBOX Group resources Control Manage

7. DIRECT ACCESS Same network Visible between each other Easy access and control

8. ISOLATION Restric traffic Controls what goes to and from VNET Isolate from outside

9. NSG – TIPS AND TRICKS

10.

11. CROSS SYSTEM COMMUNICATION Specify what can be exchange between systems Full control on inbound and outbound traffic NSG

12.

13. NETWORK VIRTUAL APPLIANCE Control security from only one location Cross location synchronization

14. MONITOR AND AUDIT All traffic goes through virtual appliance Push audit data to on-premises system Firewall, IDS, IPS UDR

15.

16. EXTERNAL TRAFFIC CONTROL Full control of IP Filtering Traffic goes through VPN S2S VPN Internet

17. IPSEC VPN TERMINATED OUTSIDE FIREWALL Cannot be done using S2S VPN VPN terminated before NGFW, inside Virtual Gateway Appliance VPN

18. IPSEC VPN TERMINATED OUTSIDE FIREWALL Cannot be done using S2S VPN VPN terminated before NGFW, inside Virtual Gateway Appliance VPN OpenVPN

19. IPSEC VPN TERMINATED OUTSIDE FIREWALL Appliance plays the role of firewall and VPN Gateway VPN

20. DEVICE AUTHENTICATION USING CERTIFICATES Supported only for Point-to-Site VPN Site-to-Site VPN is connected directly to VPN hardware certificates

21. CASCADED VIRTUAL APPLIANCES Multiple virtual appliances connected together

22. VNET TO VNET CONNECTIVITY Peering – Fast and reliable VPN Gateway – More granular control of what goes in or out Peering / VPN Gateway

23.

24. CENTRAL LOGGING DATA Activity Logs Azure Diagnostic Logs AAD Reporting VM and Cloud Services Storage Analytics Network Security Groups Application Insights Security Alert Configurable, +180 days, 90 days

25. MONITOR AND REACT - OMS

26.

27. API AND INFRASTRUCTURE CHANGES CLOUD SERVICE PROVIDER CAN MAKE CHANGES ONLY AFTER THE NATURE OF CHANGE IS UNDERSTOOD AND A SECURITY ASSESSMENT IS DONE YES • Microsoft announce 12 months in advance any breaking changes at API or functionality level NO • Infrastructure and services change are done on the fly as long as the API or functionality is not altered

28.

29. IDENTITY AND ACCESS MANAGEMENT

30. AZURE ACTIVE DIRECTORY

31.

32. Mitigation

Notas do Editor

Images: https://pixabay.com/en/snail-slug-shell-animal-nature-918899/ https://pixabay.com/en/chain-rust-iron-metal-macro-rusty-566778/ https://pixabay.com/en/directory-traffic-note-shield-road-641914/
https://docs.microsoft.com/en-us/azure/security/azure-log-audit Activity Logs - config Azure Diagnostic Logs - config AAD Reporting – 180 days VM and Cloud Services - config Color map: Configurable +180 days 90 days Storage Analytics - config Network Security Groups – 1 year Application Insights – 90 days Security Alert - config
Migrate to on-prem
https://azure.microsoft.com/en-us/blog/an-introduction-to-eai-bridges/
https://azure.microsoft.com/en-us/blog/an-introduction-to-eai-bridges/
Picture source: https://pixabay.com/en/sting-free-snuff-snuff-2-in-1-snuff-2526043/

Azure Enterprise Security in Practice Radu Vunvulea Codecamp Cluj Napoca Nov 2017

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a Azure Enterprise Security in Practice Radu Vunvulea Codecamp Cluj Napoca Nov 2017

Semelhante a Azure Enterprise Security in Practice Radu Vunvulea Codecamp Cluj Napoca Nov 2017 (20)

Último

Último (20)

Azure Enterprise Security in Practice Radu Vunvulea Codecamp Cluj Napoca Nov 2017

Notas do Editor