Securing APIs for ultimate security and privacy
Learn how you can secure your APIs end-to-end within Azure
Your host for today: Toon Vanhoutte (@ToonVanhoutte), Solution Architect, Microsoft Azure MVP, Azure Advisor & Microsoft Certified Trainer
Agenda
| Protect your network
| Safeguard your APIs
| Secure your backends
| Shield your data
Securing your API’s in Azure 4
Azure Trust Center
Shared responsibility model
Scenario: Patient API
[Diagram: Patient API scenario with a Hospital DB]
Protect your network
How can we restrict network access?
| Isolated & private network
  | Create your own, dedicated private network within the Azure cloud
  | Control outbound and inbound access from and to that private network
  | Deploy your Azure resources inside that firewall-protected private network
| Multi-tenant cloud network
  | Use the multi-tenant and shared infrastructure of the Azure cloud
  | Control inbound access to individual components
  | Deploy your Azure resources on the public multi-cloud infrastructure
Virtual Networks
| Azure services not accessible anymore from public internet
| Control external access via Network Security Groups
| Establish VPN with on-premises network
| Enable more advanced DDoS protection
| Configure your own network appliance (WAF, firewall, ...)
Application Gateway - WAF
| Only supported within a Virtual Network
| Protects against web vulnerabilities:
  | SQL injection, cross-site scripting, bots, crawlers, HTTP protocol violations...
| Based on OWASP 3.0 core rule set
| Integrated with Azure Security Center and Azure Monitor
Virtual Network Service Endpoints
| Alternative for services that are not supported to run inside a VNET
| Azure services not accessible anymore from public internet
| Access only allowed from within the Virtual Network (or subnet)
| Available on most data and messaging services; the complete list can be found here
What if you don’t have an isolated VNET?
| Each individual component is responsible for restricting network access
| This is mostly limited to IP restrictions
| Many Azure IP restriction implementations rely on the application stack (e.g. IIS), instead of enforcing this on the network edge.
Always combine IP restrictions with another security measure!
How can we restrict network access?
| Isolated & private network
  | Multi-layered security
  | Standard DDoS protection
  | More network control
  | Ability to choose network appliance
  | High bandwidth VPN to on-premises
  | More expensive (dedicated compute)
  | Less scalable
  | Not supported by all Azure services
| Multi-tenant cloud network
  | Single point of security failure
  | Basic DDoS protection
  | Less network control
  | Rely on Microsoft’s standard offering
  | Limited relayed hybrid connectivity
  | Cheaper (shared infrastructure)
  | High elasticity
  | Supported by almost all Azure services
Scenario: Patient API
[Diagram: two variants of the Patient API scenario: one deployed inside a VNET reaching the Hospital DB through a VNET Service Endpoint, one on the multi-tenant network protected by IP restrictions]
Safeguard your APIs
Secure your APIs
[Diagram: a Website and Partners calling a Patient API (C#), a Doctor API (Node.js) and a Lab API (Java)]
Each service must implement its own variant of the same security.
Each service must share and manage the same credentials.
What if we later need to onboard a variety of partners?
There’s a need for central security & governance to design for change.
API Management
9/05/2019 Securing your API’s in Azure 18
[Diagram: API Management benefits: business expansion, central governance, visibility & insights, data accessibility, centralized security, fast adoption]
Azure API Management Security
[Diagram: Azure API Management, with its publisher portal, developer portal and proxy sitting between the apps and the backend service]
Frontdoor security
User interaction:
• OAuth2
• Combined with OIDC
Machine-to-machine:
• API Key
• Basic Authentication
• Mutual Authentication
• OAuth2
Claim-based authorization via OAuth2
[Diagram: the Resource Owner signs in through myApp.com and obtains an access token and an ID token from the Authorization Service; Azure API Management validates the JWT using the Authorization Service’s configuration endpoint and passes the access token on to the Backend API]
API Management Security
[Diagram: the same Azure API Management overview as on the previous slide, now also showing the backend side]
Frontdoor security (as listed on the previous slide)
Backdoor security
Any backend API: IP restriction and
• API Key
• Basic Authentication
• Mutual Authentication
Azure resources:
• Managed Service Identity
Azure API Management Tiers
Scenario: Patient API
[Diagram: the Patient API scenario with API Management in front: clients authenticate with OAuth2, API Management enforces IP restrictions plus JWT validation, and the backends are reached either inside a VNET or via IP restrictions, with Managed Service Identity (MSI) towards Azure resources]
Secure your backends
Managed Service Identity
| Managed Service Identity is a feature of Azure Active Directory. It provides Azure services with an identity in Azure AD. You can use that identity to authenticate to any service that supports Azure AD authentication.
| No more keys or passwords needed to access another Azure resource!!!
Managed Service Identity
| Supported services (clients) that can get such a managed identity:
  | VMs, Logic Apps, App Service, Azure Functions, Data Factory V2, Azure API Management, ACI
  | Complete and updated list can be found here.
| Supported services (servers) that support Azure AD authentication:
  | ARM, Key Vault, Azure Data Lake, Azure SQL, Event Hubs, Service Bus, Storage
  | Complete and updated list can be found here.
How to authenticate with other services?
1. Use Managed Service Identity directly
2. Get access key from Key Vault, via Managed Service Identity
3. Azure DevOps deploys secrets from Key Vault into the client’s config store
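As an added example (not taken from the deck), here is how the frontdoor controls from the API Management slides (IP restriction combined with JWT claim validation) and option 1 above (the gateway using its own Managed Service Identity towards the backend) look as one Azure API Management policy for the Patient API. The tenant id, audience, scope name, address range and backend URL are placeholders.

```xml
<!-- Added example policy for the Patient API in Azure API Management; all identifiers are placeholders -->
<policies>
    <inbound>
        <base />
        <!-- IP restriction on its own is not enough, so it is paired with JWT validation below -->
        <ip-filter action="allow">
            <!-- placeholder: the calling application's egress range (RFC 5737 documentation block) -->
            <address-range from="203.0.113.0" to="203.0.113.255" />
        </ip-filter>
        <!-- Claim-based authorization: reject tokens that are unsigned, expired, from the wrong issuer,
             minted for another audience, or missing the required scope. The access token is validated
             here; the ID token belongs to myApp.com and is never accepted by the API. -->
        <validate-jwt header-name="Authorization"
                      require-scheme="Bearer"
                      require-signed-tokens="true"
                      require-expiration-time="true"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized">
            <!-- signing keys are discovered from the authorization service's configuration endpoint -->
            <openid-config url="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0/.well-known/openid-configuration" />
            <audiences>
                <!-- placeholder app ID URI of the Patient API -->
                <audience>api://patient-api</audience>
            </audiences>
            <issuers>
                <issuer>https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0</issuer>
            </issuers>
            <required-claims>
                <!-- the access token must carry the (placeholder) Patients.Read scope; scp is space separated -->
                <claim name="scp" match="any" separator=" ">
                    <value>Patients.Read</value>
                </claim>
            </required-claims>
        </validate-jwt>
        <!-- Backdoor security: the gateway's managed identity obtains a token for the backend,
             so no API key or password for the backend is stored in the policy -->
        <authentication-managed-identity resource="api://patient-api-backend"
                                         output-token-variable-name="backendToken"
                                         ignore-error="false" />
        <set-header name="Authorization" exists-action="override">
            <value>@("Bearer " + (string)context.Variables["backendToken"])</value>
        </set-header>
        <!-- placeholder backend address, reachable only from the gateway -->
        <set-backend-service base-url="https://patient-api.internal.example/" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

The backend should still verify the token it receives from the gateway (audience api://patient-api-backend) rather than trusting the gateway's IP alone.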
Scenario: Patient API
[Diagram: the same Patient API scenario, with Managed Service Identity (MSI) now also used between the backends and the Hospital DB instead of stored credentials]
Shield your data
Data in motion
| Only use encrypted communication channels
Data at rest
| Server-side encryption model
  | E.g. SQL Database: Transparent Data Encryption (TDE)
  | Azure storage administrators cannot read your data, but SQL admins still can
  | Most Azure services encrypt your data
  | Some have BYOK option
| Client encryption model
  | E.g. SQL Database: Always Encrypted
  | Even SQL administrators cannot see your sensitive data
  | DIY for other Azure services
  | Local key wrapping against Key Vault
GDPR
| Most common design strategies to deal with GDPR: Minimize, Hide, Separate
| Foresee sufficient procedures: Inform, Get a copy, Remove
Azure is a lot more than this!
Azure Security Features
| Azure Security Center
| Azure Sentinel
| Azure Frontdoor
| Secure DevOps Kit for Azure
| Advanced Threat Protection
| SQL Advanced Data Security
| Immutable Blob Storage (WORM)
| …
At Codit, we care about your security!
Arcus
| Secrets made easy with Arcus
| OSS library that makes it easier to build secure applications on Azure
| Driven by Codit, made available to the community
| Available on GitHub
| All documentation on security.acrus-azure.net
[Diagram: Are you already hosting your APIs in Azure? (Yes/No) leads to either an Azure Readiness Assessment or an Azure Maturity Assessment]
Thank you! Any questions?

Securing APIs for ultimate security and privacy with Azure | Codit Webinar
