Pace University
IT 612 – Web Server Setup
Configuration & Security
Student: Yao, Chung-Hui
Professor: Dr. Hevel Jean-Baptiste
Date: May, 2014
Security in Microsoft Azure
6/10/2014
Abstract:
Microsoft Azure is a cloud computing platform and
infrastructure created by Microsoft. It is reported that 54% of
Fortune 500 companies already use Azure. This project looks
at the threats and attacks web applications face when hosted
on the Microsoft Azure platform, and at some of the best
practices for a secure environment.
Introduction:
Hosting applications, services, and websites on
Microsoft Azure means the physical infrastructure is in the
hands of the cloud provider. The provider secures the data
centers, the hypervisor and the platform network; what stays
with the customer depends on the service model. For platform
services (Web Roles, Azure SQL Database) the customer's
responsibility is mainly the application and its configuration;
for Azure Virtual Machines the customer still patches and
hardens the guest OS. In every model the application itself
is entirely the developer's responsibility.
We will examine how security is handled differently on a
cloud platform by reviewing the OWASP Top 10 Vulnerabilities
from 2013. We will also highlight unique features of Microsoft
Azure that help mitigate these vulnerabilities.
Background of the study:
This topic idea began when I had the opportunity
to compare two different cloud platforms: Amazon
Web Services (AWS) and Microsoft Azure. At that time,
someone told me that the cloud provider would take care of
everything, so we would not need to implement any security
measures. After learning more about web and internet
security in another class, I was interested in exploring whether
we need to apply a different security baseline when our
web application is hosted on Microsoft Azure.
Analysis:
OWASP Top 10 (2013)
• A1 Injection
• A2 Broken Authentication and Session Management
• A3 Cross-Site Scripting (XSS)
• A4 Insecure Direct Object References
• A5 Security Misconfiguration
• A6 Sensitive Data Exposure
• A7 Missing Function Level Access Control
• A8 Cross-Site Request Forgery (CSRF)
• A9 Using Components with Known Vulnerabilities
• A10 Unvalidated Redirects and Forwards
Notable mention (not part of the OWASP list)
• Distributed Denial-of-Service (DDoS)
Injection
• Azure patches the Azure SQL Database service, but patching
does not stop SQL injection: the flaw is in how the
application builds its queries, not in the database engine.
• Use parameterized queries (SqlCommand with SqlParameter)
or an ORM; never build SQL by concatenating user input.
• Avoid building connection strings using string
concatenation; use the SqlConnectionStringBuilder
class instead, so a user-supplied value cannot smuggle
extra connection keywords into the string.
• Treat input validation and "escaping" as secondary
defenses, not as the primary fix.
• Run SQL queries with the least privilege possible: the web
application's login should not own the schema or be able
to create, alter or drop objects.
Broken Authentication and Session Management
• Use an SSL/TLS connection to the management portal and
the service management API.
• Assign a non-default public port for the RDP and
PowerShell endpoints used to manage VMs, and pair it with
an endpoint ACL and strong credentials: a random port on
its own is obscurity, not a control.
• Access Control Service (ACS)
 authenticate against existing, mature identity providers
such as Google, Yahoo or Facebook accounts instead of
storing passwords in the application.
 developers still need to follow the recommendations:
validate the token's signature, audience and expiry.
 ACS was retired in November 2018; Azure Active Directory
now fills this role.
Cross-Site Scripting (XSS)
• The same secure coding practices apply within the Azure
environment; the platform offers nothing that stops XSS.
• Validate user input and, more importantly, encode output
for the context it is rendered in (HTML body, attribute,
JavaScript, URL).
• Protect the session authentication cookie: set the HttpOnly
and Secure flags so script cannot read it and it is never
sent over plain HTTP.
Insecure Direct Object References
• This is an application-level flaw: the application exposes an
internal key (database id, file name) and does not check that
the requesting user is allowed to reach that object. Network
isolation does not prevent it; every request must be authorized
against the current user, or an indirect (per-session) reference
map used instead of the raw key.
• What Azure does provide is isolation of the hosting environment
 VM to VM within a deployment
 different deployments within a subscription cannot
communicate unless assigned to the same virtual
network
• Private IP ACL and Public IP ACL (endpoint ACLs)
Security Misconfiguration
• VMs provisioned from a template with a strict security
baseline
• Inbound connections from the internet are blocked by default
• Ports have to be opened explicitly as endpoints, and should
be restricted with an ACL when they are
• Azure Active Directory with Access Control Service to
fine-tune permissions
Sensitive Data Exposure
• Encrypt sensitive database content (column level) or the
database itself
• Use the built-in firewall of Azure SQL Database to restrict
which IP addresses may connect at all
• Enable an encrypted connection (SSL/TLS) to Azure
SQL Database: Encrypt=True and TrustServerCertificate=False
in the connection string, so the server certificate is validated
• Encrypt the connection from web server to client (HTTPS
for the whole site, not only the login page)
• Keep secrets out of the session cookie: it should carry only
an opaque random session identifier sent with the Secure
flag, rather than encrypted user data on the client side
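A check for the connection-string point above, as an added example that is not part of the original deck: it parses an ADO.NET style connection string and reports the settings that leave the link to Azure SQL Database unencrypted or unvalidated, plus a credential embedded in the string. The two sample strings are constructed (the server name is a placeholder); the parser does not handle the quoted values ADO.NET allows, which is noted in the code.

```python
# Added example (not from the original slides): audit the settings an
# application uses to reach Azure SQL Database. Sample strings constructed.
from typing import Dict, List

# Constructed: what a quick copy-paste from a tutorial often looks like.
WEAK_CONNECTION_STRING = (
    "Server=tcp:example.database.windows.net,1433;Database=appdb;"
    "User ID=appuser@example;Password=hunter2;"
    "Encrypt=False;TrustServerCertificate=True;"
)
# Constructed: encrypted, certificate validated, credential supplied at
# runtime from protected configuration rather than in the string.
HARDENED_CONNECTION_STRING = (
    "Server=tcp:example.database.windows.net,1433;Database=appdb;"
    "User ID=appuser@example;"
    "Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;"
)


def parse_connection_string(cs: str) -> Dict[str, str]:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys.
    Simplification: quoted values that contain ';' are not handled."""
    pairs: Dict[str, str] = {}
    for part in cs.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        pairs[key.strip().lower()] = value.strip()
    return pairs


def audit_sql_connection_string(cs: str) -> List[str]:
    """Return findings; an empty list means the string passes the checks."""
    kv = parse_connection_string(cs)
    findings: List[str] = []
    # Encrypt defaults to false in the SqlClient of the period the deck
    # describes, so its absence is as bad as Encrypt=False.
    if kv.get("encrypt", "").lower() not in ("true", "yes"):
        findings.append("Encrypt is not True: traffic to the database is sent in clear")
    # Encryption without certificate validation still allows a man-in-the-middle.
    if kv.get("trustservercertificate", "false").lower() in ("true", "yes"):
        findings.append("TrustServerCertificate=True: server certificate is not validated")
    if "password" in kv or "pwd" in kv:
        findings.append("password embedded in the connection string: keep it in "
                        "protected configuration, out of source control")
    return findings


if __name__ == "__main__":
    for label, cs in (("weak", WEAK_CONNECTION_STRING),
                      ("hardened", HARDENED_CONNECTION_STRING)):
        print(label, audit_sql_connection_string(cs) or ["ok"])
```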
Missing Function Level Access Control
• Azure Active Directory
 provides group-based or role-based entitlements that the
application checks on every request
• The application must still enforce the check on the server
for every function and URL; hiding a link in the UI is not
access control.
• Microsoft Azure dashboard
 access to logs and status for auditing
• Third-party apps to audit application workflow
 Cerebrata Azure Management Studio
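The two application-side checks from the Insecure Direct Object References slide and this one, as an added example that is not part of the original deck: get_document() authorizes the object reference against the current user (the IDOR fix), require_role() enforces function-level access on the server before the body runs, and IndirectReferenceMap replaces raw database ids in URLs with per-session random tokens. The users, roles and documents are constructed for the demonstration; in a real application the roles would come from the Azure AD groups the slide mentions.

```python
# Added example (not from the original slides): per-request object
# authorization, role-gated functions and an indirect reference map.
import secrets
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Dict, FrozenSet


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]


# Constructed data: sequential ids are exactly what an attacker enumerates.
DOCUMENTS: Dict[int, Dict[str, str]] = {
    1: {"owner": "alice", "body": "alice's quarterly report"},
    2: {"owner": "bob", "body": "bob's salary letter"},
}


def require_role(role: str) -> Callable:
    """Function-level access control: refuse the call unless the current
    user holds `role`. Hiding the menu item in the UI is no substitute."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(user: User, *args, **kwargs):
            if role not in user.roles:
                raise PermissionError(
                    f"{user.name} lacks role {role!r} for {fn.__name__}")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


def get_document(user: User, doc_id: int) -> str:
    """Authorize the reference on every request: a document goes only to
    its owner. Missing and foreign ids raise the same error so the endpoint
    cannot be used to learn which ids exist."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != user.name:
        raise PermissionError(f"{user.name} may not read document {doc_id}")
    return doc["body"]


@require_role("admin")
def delete_document(user: User, doc_id: int) -> bool:
    """Admin-only function; the decorator runs before this body does."""
    return DOCUMENTS.pop(doc_id, None) is not None


class IndirectReferenceMap:
    """Per-session map from random tokens to real ids: URLs never carry the
    raw key, and a token minted in one session means nothing in another."""

    def __init__(self) -> None:
        self._id_by_token: Dict[str, int] = {}
        self._token_by_id: Dict[int, str] = {}

    def expose(self, doc_id: int) -> str:
        """Return the session's token for `doc_id`, minting one on first use."""
        token = self._token_by_id.get(doc_id)
        if token is None:
            token = secrets.token_urlsafe(16)
            self._token_by_id[doc_id] = token
            self._id_by_token[token] = doc_id
        return token

    def resolve(self, token: str) -> int:
        """Map a submitted token back to the id; unknown tokens are refused."""
        try:
            return self._id_by_token[token]
        except KeyError:
            raise PermissionError("unknown object reference") from None


def is_denied(fn: Callable, *args) -> bool:
    """Demo helper: True when the access checks refuse the call."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True
```

The ownership check in get_document() is the piece no platform feature supplies: network isolation between deployments says nothing about whether alice may read document 2. The indirect map is the belt to that suspenders; it removes the enumerable id from the URL, but the server-side check still runs on the resolved id.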
Cross-Site Request Forgery
• Azure provides no platform mitigation; follow traditional practice
 issue a per-session anti-CSRF (synchronizer) token in every
state-changing form and verify it on the server; this is the
primary defense, which the items below only supplement. In
ASP.NET MVC this is @Html.AntiForgeryToken() together with
the [ValidateAntiForgeryToken] attribute.
 set a shorter session timeout
 prevent users from submitting form data multiple
times
 implement a CAPTCHA before sensitive submits
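The "traditional practice" of the XSS slide and this one, as an added example that is not part of the original deck: output encoding for an untrusted comment, the HttpOnly and Secure flags on the session cookie, and a synchronizer token bound to the session with an HMAC and verified in constant time. SECRET_KEY, the session ids and the sample comment are constructed for the demonstration; the ASP.NET MVC helpers named above do the same job in a .NET application.

```python
# Added example (not from the original slides): output encoding, cookie
# flags and an HMAC-bound anti-CSRF token. Key and inputs are constructed.
import hashlib
import hmac
import html
import re
import secrets
from http.cookies import SimpleCookie

# Constructed server-side key; in production it lives in protected config.
SECRET_KEY = secrets.token_bytes(32)
_NONCE_RE = re.compile(r"[0-9a-f]{32}")


def render_comment(untrusted: str) -> str:
    """HTML-body context: encode <, >, &, and both quotes so any markup in
    the comment is shown as text. Input validation helps, but encoding at
    the point of output is what actually stops XSS."""
    return "<p>" + html.escape(untrusted, quote=True) + "</p>"


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line for the session cookie. HttpOnly keeps script from
    reading it (limits the blast radius of an XSS); Secure keeps it off
    plain HTTP; the value is an opaque id, never user data."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


def make_csrf_token(session_id: str) -> str:
    """Synchronizer token: a fresh nonce plus an HMAC over (session, nonce),
    so the token is valid only for the session that rendered the form.
    Embed it in a hidden field of every state-changing form."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}.{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, submitted: str) -> bool:
    """Server-side check on POST. A cross-site form cannot read the token
    from the victim's page, so a forged request arrives without a valid one."""
    if not submitted or "." not in submitted:
        return False
    nonce, mac = submitted.split(".", 1)
    if not _NONCE_RE.fullmatch(nonce):      # reject malformed/ambiguous nonces
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}.{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)
```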
Using Components with Known Vulnerabilities
• Azure handles OS updates and software patches for platform
services (Web/Worker Roles, Azure SQL Database); for Virtual
Machines the guest OS is still the customer's job
• Monitor vulnerabilities in the components the application
ships (frameworks, libraries, the Azure SDK itself) through
public databases such as NVD and the CVE list
• NVD has listed a vulnerability in Azure SDK v1.3,
which has since been updated.
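A way to do the monitoring the slide describes, as an added example that is not part of the original deck: a deployed component inventory is matched against advisory records expressed with the NVD range fields versionStartIncluding and versionEndExcluding. Both the inventory and the advisories are constructed for the demonstration and the advisory ids are placeholders, not real CVE numbers; real version strings (pre-release tags, NuGet or PEP 440 ordering) need a proper version library rather than the numeric-only parser used here.

```python
# Added example (not from the original slides): match what is deployed
# against advisory version ranges. Inventory and advisories are constructed.
from typing import Dict, List, Tuple

INVENTORY: List[Dict[str, str]] = [            # constructed deployment manifest
    {"name": "example-sdk", "version": "1.3"},
    {"name": "example-json-lib", "version": "6.0.8"},
    {"name": "example-logger", "version": "2.1.0"},
]

ADVISORIES: List[Dict[str, str]] = [           # constructed; placeholder ids
    {"id": "EXAMPLE-2014-0001", "product": "example-sdk",
     "versionStartIncluding": "1.0", "versionEndExcluding": "1.4"},
    {"id": "EXAMPLE-2014-0002", "product": "example-json-lib",
     "versionStartIncluding": "5.0", "versionEndExcluding": "6.0.8"},
    {"id": "EXAMPLE-2014-0003", "product": "example-logger",
     "versionStartIncluding": "2.2.0", "versionEndExcluding": "2.3.0"},
]


def compare_versions(a: str, b: str) -> int:
    """Numeric dotted-version comparison; '1.3' and '1.3.0' are equal.
    Returns -1, 0 or 1. Non-numeric segments are out of scope here."""
    pa = [int(p) for p in a.split(".")]
    pb = [int(p) for p in b.split(".")]
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))
    pb += [0] * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_affected(version: str, advisory: Dict[str, str]) -> bool:
    """True when `version` lies in [start, end) as NVD expresses ranges.
    The fixed version itself (== versionEndExcluding) is not affected."""
    start = advisory.get("versionStartIncluding")
    end = advisory.get("versionEndExcluding")
    if start and compare_versions(version, start) < 0:
        return False
    if end and compare_versions(version, end) >= 0:
        return False
    return True


def scan(inventory: List[Dict[str, str]],
         advisories: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (component, version, advisory id) for every match."""
    findings: List[Tuple[str, str, str]] = []
    for component in inventory:
        for advisory in advisories:
            if advisory["product"] != component["name"]:
                continue
            if is_affected(component["version"], advisory):
                findings.append((component["name"], component["version"],
                                 advisory["id"]))
    return findings


if __name__ == "__main__":
    for name, version, adv_id in scan(INVENTORY, ADVISORIES):
        print(f"{name} {version} is affected by {adv_id}")
```

Run against a real feed, the inventory would come from the build (the packages.config or project references of the deployment) rather than a hand-written list, and the scan belongs in the build pipeline so a newly published advisory fails the next build instead of waiting for someone to read NVD.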
Unvalidated Redirects and Forwards
• Avoid redirects and forwards whose destination comes from
the request
• Where they are needed, validate the destination: allow only
site-relative paths or an allow-list of hosts
• Microsoft Azure isolation restricts which internal destinations
a server-side forward can reach, but does nothing for a
client-side redirect to an arbitrary external URL
• Developers should use a mapped value (a key looked up in an
application-side table) instead of a URL
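The two patterns the slide recommends, as an added example that is not part of the original deck: redirect_by_key() looks a short key up in an application-side table so no URL ever comes from the request, and safe_redirect_target() is the validator for the cases where a "return to" parameter cannot be avoided. It rejects the usual bypasses (protocol-relative //host, the /\host form browsers read as an authority, userinfo tricks such as https://trusted@evil, and javascript: URLs). REDIRECT_MAP and ALLOWED_HOSTS are constructed for the demonstration.

```python
# Added example (not from the original slides): mapped redirects and a
# validator for caller-supplied targets. Map and host list are constructed.
from typing import Optional, Set
from urllib.parse import urlsplit

REDIRECT_MAP = {"home": "/", "account": "/account/", "help": "/help/"}
ALLOWED_HOSTS: Set[str] = {"www.example.com"}
DEFAULT_TARGET = "/"


def redirect_by_key(key: Optional[str]) -> str:
    """Mapped value instead of a URL: unknown keys fall back to the default,
    so the request can choose among known destinations but never add one."""
    return REDIRECT_MAP.get(key or "", DEFAULT_TARGET)


def safe_redirect_target(raw: Optional[str],
                         allowed_hosts: Set[str] = ALLOWED_HOSTS) -> str:
    """Validate a caller-supplied destination. Accepts an absolute http(s)
    URL only for an allow-listed host, or a plain site-relative path;
    everything else collapses to DEFAULT_TARGET."""
    if not raw:
        return DEFAULT_TARGET
    parts = urlsplit(raw)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: scheme and host must both pass.
        # hostname is what follows any userinfo, so 'https://a@evil' fails.
        if parts.scheme not in ("http", "https"):
            return DEFAULT_TARGET
        if parts.hostname not in allowed_hosts:
            return DEFAULT_TARGET
        return raw
    # Relative path: exactly one leading slash. Browsers read '//', '///'
    # and '/\' as the start of a new authority (host), not as a path.
    if not raw.startswith("/") or raw.startswith("//") or raw.startswith("/\\"):
        return DEFAULT_TARGET
    return raw
```

The map is the stronger of the two and should be the default; the validator exists for legacy links that already carry a URL, and its allow-list is deliberately a set of exact hostnames rather than a prefix match, because "www.example.com.evil.test" would pass a startswith() check.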
Distributed Denial-of-Service (DDoS)
• Azure has built-in defenses against DDoS at the platform
network layer
- rate and connection limiting
- dropping an offending VM that attacks other tenants
within the environment
• Deploy an application firewall (e.g. Barracuda) for
application-layer (HTTP) floods, which the platform
defenses do not inspect
• Windows Azure Traffic Manager: DNS-based load balancing
across deployments and regions
• High availability: deploy more instances to absorb an
attack
Diagram and others:
Conclusion and further research:
After reviewing the OWASP Top 10 vulnerabilities from
2013 and Distributed Denial-of-Service attacks, we see that
Microsoft Azure has certain unique features that mitigate
some of these risks, such as Windows Azure Traffic Manager
and the Access Control Service. The provider takes over most
of the work of securing the physical network and, for platform
services, the host. But developers now carry more responsibility
and need to concentrate on securing the application itself:
injection, XSS, CSRF, insecure object references and missing
access control are application flaws that no platform feature
removes. Code review and code analysis become very important
on a cloud platform, since the environment is only as secure as
the application it hosts.
Q&A
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 

Class Project: Security in Microsoft Azure

  • 1. Pace University, IT 612 – Web Server Setup, Configuration & Security. Student: Yao, Chung-Hui. Professor: Dr. Hevel Jean-Baptiste. Date: May, 2014. Security in Microsoft Azure. 6/10/2014
  • 2. Abstract: Microsoft Azure is a cloud computing platform and infrastructure created by Microsoft. It’s said that 54% of Fortune 500 companies already use Azure. This project will look at the potential threats and attacks web applications will face when hosted on the Microsoft Azure platform, and some of the best practices for a secure environment.
  • 3. Introduction: Hosting applications, services, and websites on Microsoft Azure means the physical infrastructure is left in the hands of the cloud provider. Since we no longer need to secure the network or the host, it is up to the developer to secure the application. We will examine how security is handled differently on a cloud platform by reviewing the OWASP Top 10 Vulnerabilities from 2013. We will also highlight unique features in Microsoft Azure that help mitigate these vulnerabilities.
  • 4. Background of your study: This topic idea began when I had the opportunity to compare two different cloud platforms: Amazon Web Services (AWS) and Microsoft Azure. At that time, someone told me that the cloud provider will take care of everything, so we do not need to implement any security measures. After learning more about web and internet security from another class, I am interested in exploring whether we need to apply a different security baseline when our web application is hosted on Microsoft Azure.
  • 5. Analysis: OWASP Top 10
    - Injection
    - Broken Authentication and Session Management
    - Cross-Site Scripting (XSS)
    - Insecure Direct Object References
    - Security Misconfiguration
  • 6. OWASP Top 10 (continued)
    - Sensitive Data Exposure
    - Missing Function Level Access Control
    - Cross-Site Request Forgery
    - Using Components with Known Vulnerabilities
    - Unvalidated Redirects and Forwards
    Notable mention
    - Distributed Denial-of-Service (DDoS)
  • 7. Injection
    - Azure patches SQL on the platform side
    - Avoid building connection strings using string concatenation; use the SqlConnectionStringBuilder class instead
    - Implement “escaping” to validate input
    - Run SQL queries with the least privilege possible
  • 8. Broken Authentication and Session Management
    - SSL connection to the management portal
    - Assign a random port number for the RDP and PowerShell endpoints used to manage VMs
    - Access Control Service (ACS)
      - Authenticate with existing, mature account services such as Google, Yahoo, or Facebook accounts
      - Developers need to follow the recommendations
  • 9. Cross-Site Scripting (XSS)
    - Follow the same security practices within the Azure environment
    - Validate and sanitize user input
    - Protect the session authentication cookie
  • 10. Insecure Direct Object References
    - Isolation
      - VM to VM within a deployment
      - Different deployments within a subscription cannot communicate unless assigned to the same virtual network
    - Private IP ACL and Public IP ACL
  • 11. Security Misconfiguration
    - VMs are provisioned from a template with a strict security baseline
    - Inbound connections from the internet are blocked by default
    - Ports have to be opened specifically
    - Azure Active Directory with Access Control Service fine-tunes permissions
  • 12. Sensitive Data Exposure
    - Encrypt the database content or the database itself
    - Built-in firewall in Azure SQL Database
    - Enable an encrypted connection (SSL) to Azure SQL Database
    - Encrypt the connection from the web server to the client
    - Encrypt session cookies on the client side
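Slides 7 and 12 list the practices; the following C# is an added example (not from the deck) that puts them together: SqlConnectionStringBuilder instead of string concatenation, a typed SqlParameter in place of hand-written escaping, Encrypt=true for the SSL connection to Azure SQL Database, and a dedicated low-privilege login. The server, database, table and login names are placeholders, not values from the slides.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: secure data access from a web application hosted on Azure.
public static class SecureAzureSqlAccess
{
    // Build the connection string with SqlConnectionStringBuilder (slide 7).
    // The builder quotes values that contain ';' or '"', so a malicious or
    // malformed value cannot inject extra keywords into the connection string.
    public static string BuildConnectionString(string server, string database,
                                               string user, string password)
    {
        var builder = new SqlConnectionStringBuilder
        {
            DataSource = server,            // placeholder, e.g. "tcp:<yourserver>.database.windows.net,1433"
            InitialCatalog = database,      // placeholder database name
            UserID = user,                  // a least-privilege login, not the server admin (slide 7)
            Password = password,
            Encrypt = true,                 // SSL/TLS to Azure SQL Database (slide 12)
            TrustServerCertificate = false, // verify the server certificate instead of trusting any
            ConnectTimeout = 30
        };
        return builder.ConnectionString;
    }

    // Count rows matching a user-supplied name. The value travels as a typed
    // parameter, so input such as "' OR 1=1 --" is compared as a literal string
    // and never becomes part of the SQL text.
    public static int CountCustomersByName(string connectionString, string customerName)
    {
        const string sql = "SELECT COUNT(*) FROM dbo.Customers WHERE Name = @name"; // placeholder table
        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            command.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = customerName;
            connection.Open();
            return (int)command.ExecuteScalar();
        }
    }

    public static void Main()
    {
        // Constructed sample values; in a real deployment read them from configuration.
        string cs = BuildConnectionString("tcp:<yourserver>.database.windows.net,1433",
                                          "ShopDb", "webapp_reader", "<password>");
        Console.WriteLine(cs.Contains("Encrypt=True") ? "encrypted connection configured" : "check Encrypt");
    }
}
```

The login used here should be granted only SELECT on the tables the application reads, so a successful injection elsewhere cannot escalate to altering data.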
  • 13. Missing Function Level Access Control
    - Azure Active Directory access control
      - Provides group-based or role-based entitlement
    - Microsoft Azure Dashboard
      - Access to logs and status for auditing
    - Third-party apps to audit the application workflow
      - Cerebrata Azure Management Studio
  • 14. Cross-Site Request Forgery
    - Follow traditional practice
      - Set a shorter session timeout
      - Prevent users from submitting form data multiple times
      - Implement CAPTCHA before a form is submitted
  • 15. Using Components with Known Vulnerabilities
    - Azure handles OS updates and software patches
    - Monitor vulnerabilities through public databases such as NVD and CVE
    - NVD listed a vulnerability in Azure SDK v1.3, which has since been updated
  • 16. Unvalidated Redirects and Forwards
    - Avoid using redirects and forwards
    - Validate redirect and forward requests
    - Microsoft Azure isolation restricts the destination
    - Developers should use a mapped value within the application instead of a URL
  • 17. Distributed Denial-of-Service (DDoS)
    - Azure has built-in defenses against DDoS
      - Rate and connection limiting
      - Dropping the offending VM within the environment
    - Deploy an application firewall (e.g. Barracuda)
    - Windows Azure Traffic Manager: load balancing
    - High availability: deploy more instances in case of an attack
  • 18. Diagram and others:
  • 19. Conclusion and other research: After reviewing the OWASP Top 10 vulnerabilities from 2013 and the Distributed Denial-of-Service attack, we see that Microsoft Azure does have certain unique features that mitigate some of the vulnerabilities, such as Windows Azure Traffic Manager and Access Control Service. We don’t need to worry about securing the network or the host. But developers have more responsibility now and need to concentrate on securing the application itself. Code review and code analysis become very important on the cloud platform, since the environment is now only as secure as the application it hosts.
  • 20. Q&A