Download to read offline
Uploaded byKarl Ots
TechDays Finland 2020: Azuren tietoturva haltuun!
The document outlines key cloud security strategies and governance models for Azure, focusing on access control and security guidelines. It discusses role-based access control (RBAC) and its importance in managing user permissions, along with monitoring and auditing security logs. Additionally, it emphasizes implementing effective security policies for databases, Kubernetes services, and other resources to ensure compliance and threat detection.
More Related Content
![[Azure Governance] Lesson 4 : Azure Policy](https://cdn.slidesharecdn.com/ss_thumbnails/azuregovernance-lesson4-azurepolicy-190519183014-thumbnail.jpg?width=640&height=640&fit=bounds)
![[Azure Governance] Lesson 3 : Azure Tags](https://cdn.slidesharecdn.com/ss_thumbnails/azuregovernance-lesson3-azuretags-190207132448-thumbnail.jpg?width=640&height=640&fit=bounds)
![[Azure Governance] Lesson 2 : Azure Locks](https://cdn.slidesharecdn.com/ss_thumbnails/azuregovernance-lesson2-azurelocks-190120120003-thumbnail.jpg?width=640&height=640&fit=bounds)
![[Azure Governance] Lesson 1 : Azure Naming Convention](https://cdn.slidesharecdn.com/ss_thumbnails/azuregovernance-lesson1-azurenamingconvention-181027154955-thumbnail.jpg?width=640&height=640&fit=bounds)
![[RDS /Remote Desktop Services] Lesson 1 : Security Risks & Best Practices You...](https://cdn.slidesharecdn.com/ss_thumbnails/rdssecurity-riskssecuritypracticesyoushouldknow-190112220533-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to TechDays Finland 2020: Azuren tietoturva haltuun!
TechDays Finland 2020: Azuren tietoturva haltuun!
- 1.
- 2. @fincooper The balance ofenterprise cloud security
- 3. @fincooper How can weagree on cloud security policies that keep us both competitive & secure?
- 4. @fincooper Security in thecloud adoption journey Cloud Strategy Governance model Security Guidelines • Implementation guidelines • Reference architecture
- 5. @fincooper Key cloud securitydecisions ACCESS CONTROL MONITORING AZURE PLATFORM SECURITY CONTROLS
- 6. @fincooper Key cloud securitydecisions ACCESS CONTROL MONITORING AZURE PLATFORM SECURITY CONTROLS
- 7. @fincooper Understanding Azure Role-BasedAccess Control Scope Azure AD Identity Role RBAC Assignment
- 8.
- 9.
- 10.
- 11. @fincooper RBAC Scope • Role-BasedAccess Control assignments are inherited! • Minimize Subscription-scope assignments • Prefer Resource Group assignments
- 12. @fincooper Authentication considerations • Howdoes Azure access control relate to existing identity management processes? • Separate admin credentials? • Separate Azure AD, such as ContosoAzureAdmins.com? • What about B2B guests?
- 13. @fincooper Access control guidelines,sample RBAC Role Scope Impact Recommendation Owner Resource Group Access to create new resources and to delete resources from the Resource Group. Can assign access to Resource Group. Users must have an account in Contoso’s Azure Active Directory. The account should be provisioned per standard Admin user policies. This is the appropriate role when developing new services.
- 14. @fincooper Access control guidelines,sample RBAC Role Scope Impact Recommendation Owner Resource Group Access to create new resources and to delete resources from the Resource Group. Can assign access to Resource Group. Users must have an account in Contoso’s Azure Active Directory. The account should be provisioned per standard Admin user policies. This is the appropriate role when developing new services. Contributor Resource Group Access to create new resources and to delete resources from the Resource Group. Users must have an account in Contoso’s Azure Active Directory. In case of external partners, the account should be provisioned per standard Contoso policies for external accounts. This is the appropriate partner RBAC role when developing new services.
- 15. @fincooper Access control guidelines,sample RBAC Role Scope Impact Recommendation Owner Resource Group Access to create new resources and to delete resources from the Resource Group. Can assign access to Resource Group. Users must have an account in Contoso’s Azure Active Directory. The account should be provisioned per standard Admin user policies. This is the appropriate role when developing new services. Contributor Resource Group Access to create new resources and to delete resources from the Resource Group. Users must have an account in Contoso’s Azure Active Directory. In case of external partners, the account should be provisioned per standard Contoso policies for external accounts. This is the appropriate partner RBAC role when developing new services. Contributor Individual Resource(s) directly Access to edit and modify resource. No access to create new resources. Appropriate partner RBAC role when partner is responsible for operating and managing the service. Partner users may be invited as Azure AD B2B Guests to Contoso Azure AD.
- 16. @fincooper Other Access controlconsiderations • Break-the-glass account • Central accounts • Continuous Deployment access • Azure AD roles
- 17. @fincooper Key cloud securitydecisions ACCESS CONTROL MONITORING AZURE PLATFORM SECURITY CONTROLS
- 18.
- 19.
- 20.
- 21. @fincooper Azure Activity Logs •Contain lowest level audit trail for all Azure Resource Manager events • Configure Activity log retention from the default 90 days • Beware of noise level!
- 22. @fincooper Activity log noise– example from prod Activity Log severity Weekly log events Informational 13 000 Warning 30 Error 99 Critical 2
- 23. @fincooper Custom Activity Logalerts • Data pane access key usage • Key Vault access policy changes • Kubernetes cluster credentials listing
- 24. @fincooper Security Center –advanced threat protection Management pane access from unusual location Windows VM event log was cleared A new user was added to the sudoers group Web fingerprinting detected New high privileges role detected in AKS Potential malware uploaded to a storage account Suspicious incoming RDP network activity Unusual operation pattern in a Key Vault Unusual amount of data extracted from a Cosmos DB account
- 25. @fincooper Audit logging • EnableAudit logging for Azure-native security services, such as Key Vault and Web Application Firewall • Decide on log store strategy – distributed and / or centralized?
- 26. @fincooper Central log collection Azure Security Center EventHub AzureAccount 1 Azure Account 2 Azure Account 3 SOC Application Host Infrastructure Platform Azure Security Center Application Insight Azure Monitor Azure Health Backup Activity Logs Application Host Infrastructure Platform Azure Security Center Application Insight Azure Monitor Azure Health Backup Activity Logs Application Host Infrastructure Platform Azure Security Center Application Insight Azure Monitor Azure Health Backup Activity Logs
- 27. @fincooper Key cloud securitydecisions ACCESS CONTROL MONITORING AZURE PLATFORM SECURITY CONTROLS
- 28. @fincooper Azure platform securitycontrols Subscriptions and Resource Groups AAD and RBAC ARM Templates, Policies and Locks Logging, Alerting & Auditing Data Encryption Backups & Disaster Recovery Privacy & Compliance Network security
- 29. @fincooper Azure Policy Azure ResourceManager Create, Read, Update, Delete
- 30. @fincooper Azure Policy • ComplementsAzure Role-Based Access Control • Enforces security controls • Enables monitoring
- 31. @fincooper Key Azure Policydecisions • Customize Security Center default Security policies • Usage of dynamic Compliance policies?
- 32.
- 33. @fincooper Build your ownsecurity policy
- 34. @fincooper Key Azure Policydecisions • Customize Security Center default Security policies • Usage of dynamic Compliance policies? • Use custom Security policies, and if yes, which?
- 35.
- 36. @fincooper Key Vault SecurityPolicies • Prevent self-signed certificate usage • Flag expiring certificates • Manage encryption requirements, such as minimum key size or requirement for HSM-backed keys
- 37. @fincooper Azure SQL DatabaseSecurity Policies • Do not use SQL Authentication. Use AAD-authentication instead • Enable SQL Server threat detection with email admins option.
- 38. @fincooper Azure Kubernetes ServiceSecurity Policies • Pod Security Policies should be defined on Kubernetes Services • Authorized IP ranges should be defined on Kubernetes Services • Enforce HTTPS ingress in Kubernetes Service
- 39. @fincooper Your network inAzure Internet Cross premises Connectivity Virtual Network Virtual Network Virtual Network Virtual Network
- 40.
- 41. @fincooper Materials • These slides.Zure.ly/karl/slides • Security compass: • aka.ms/AzureSecurityCompass • CIS Foundation controls for Azure: azure.microsoft.com/en-us/resources/cis-microsoft-azure-foundations-security- benchmark/ • Secure DevOps Kit for Azure: • azsk.azurewebsites.net/ • LinkedIn Learning: