Understanding and Implementing Windows Azure Platform Security_Lai Hoong Fai
5/11/2018 Understanding and Implementing Windows Azure Platform Security_Lai Hoong Fai - slidepdf.com
http://slidepdf.com/reader/full/understanding-and-implementing-windows-azure-platform-securitylai-hoong-fai 1/28
Understanding & Implementing Windows Azure Platform Security
Lai Hoong Fai, Microsoft
[email protected]
Agenda
Cloud Security Concerns
Windows Azure Platform Security Model
– Compute Services
– Storage
– Identity and Access
– Networking
– Management
Data Center Security and Data Location
Security Talk

Services and Server Platforms
[Figure: a spectrum of server platforms from “Build Your Own” to “We Run it for You”. The build-your-own end is versatile across any workload or application, levels of scale, hardware configurations and operational models; the run-it-for-you end is optimized for scale-out apps, massive scale, prescribed hardware and cost of operations.]
Platform as a Service Security Model

Layer        On Premises   Platform as a Service
Physical     Customer      Microsoft
Network      Customer      Microsoft
Host         Customer      Microsoft
Application  Customer      Customer
Data         Customer      Customer
Cloud Security Concerns
Where is my data located?
Is the Microsoft Cloud “secure”?
Who can see my data? How do you make sure my company data follows “the rules”?
What happens if …
“Cloudy with a chance of Rain”, The Economist, March 5, 2010
Windows Azure Security Layers

Layer        Defenses
Data         Strong storage keys for access control; SSL support for data transfers between all parties
Application  Front-end .NET code running under partial trust; Windows account with least privileges
Host         Windows Server 2008 R2 OS image; host boundaries enforced by external hypervisor
Network      Host firewall limiting traffic to VMs; VLANs and packet filters in routers
Physical     World-class physical security; ISO 27001 and SAS 70 Type II certifications for datacenter processes
Secure by Design
Industry leading software security assurance process
– Prescriptive yet practical approach
– Proactive – not just “looking for bugs”
– Eliminate security problems early
– Proven results
Protects Windows Azure Platform customers by
– Reducing the number of vulnerabilities
– Reducing the severity of vulnerabilities
Windows Azure Platform
The Windows Azure Platform is an internet-scale cloud services platform hosted in Microsoft data centers around the world, providing a simple, reliable and powerful platform for the creation of web applications and services.
[Figure: Windows Azure Platform components, with support for general purpose programming languages.]
Windows Azure Architecture
[Figure: the Fabric Controller managing load-balancers, switches and the role instances of a service; role types shown alongside the service model.]
Service Model
– Services composed of roles, mix and match in any topology
– Desired state of service: # of role instances, availability and update domains, config settings
– Agnostic to programming languages
Windows Azure Compute Security
Customer code runs on dedicated virtual machines (VMs)
VMs isolated by a Hyper-V based hypervisor
All access to network and disk is mediated by a “host” virtual machine
– Stripped down, hardened version of Windows Server 2008 or R2
– No persistent storage in the compute nodes
– Limited number of device drivers
– Network connectivity restricted using host firewall
[Figure: Web Role, Worker Role and VM Role guests above a Hyper-V based hypervisor; the Host VM mediates network/disk access and applies network packet filtering, giving VM isolation.]
Windows Azure Compute Security
The VM is the security boundary upon which Windows Azure security is based
– The host OS and Fabric Controller are trusted by the infrastructure
– The guest agent and customer code are untrusted
– The Fabric Controller host agent ensures that the VM can only access IP addresses assigned to VMs of the same service
  • Allows access to Internet addresses
Fabric Controller uses certificates and network security to authorize access to datacenter resources
Windows Azure Compute Reliability
Unit of failure based on data center topology
– E.g. top-of-rack switch on a rack of machines
Windows Azure considers fault domains when allocating service roles
– 2 fault domains per service
– Will try and spread instances out across more than one fault domain
  • E.g. won’t put all instances in same rack
[Figure: Front-End-1, Front-End-2, Middle Tier-1 and Middle Tier-2 instances spread across racks (fault domains).]
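The placement rule above, as an added illustration (not code from this deck or from the Windows Azure Fabric Controller): instances of each role are spread round-robin over the fault domains, and a check confirms that no single rack failure takes a whole role down. Fault-domain ids, role names and the "<Role>-<n>" instance naming are constructed for the example.

```python
"""Fault-domain-aware placement for a service's role instances.

Added illustration, not code from this deck or from the Windows Azure
Fabric Controller. Assumptions: a fault domain is a string id (e.g. the
rack behind one top-of-rack switch), instances are named "<Role>-<n>".
"""
from collections import defaultdict
from itertools import cycle


def place_instances(roles, fault_domains):
    """Spread each role's instances round-robin over the fault domains.

    roles: {"FrontEnd": 2, "MiddleTier": 2}; fault_domains: ["FD-0", "FD-1"]
    returns {"FrontEnd-1": "FD-0", "FrontEnd-2": "FD-1", ...}
    """
    if not fault_domains:
        raise ValueError("need at least one fault domain")
    placement = {}
    for role, count in roles.items():
        # restart the rotation for every role so each role spans domains
        for n, fd in zip(range(1, count + 1), cycle(fault_domains)):
            placement[f"{role}-{n}"] = fd
    return placement


def survives_single_domain_failure(placement):
    """True when losing any one fault domain (e.g. a whole rack) still
    leaves at least one instance of every role running."""
    domains_by_role = defaultdict(set)
    for instance, fd in placement.items():
        role = instance.rsplit("-", 1)[0]
        domains_by_role[role].add(fd)
    all_domains = set(placement.values())
    # a non-empty set is truthy: the role still has an instance somewhere
    return all(domains - {failed}
               for domains in domains_by_role.values()
               for failed in all_domains)


def unsafe_placement(roles, fault_domain):
    """Constructed counter-example: every instance on the same rack."""
    return {f"{role}-{n}": fault_domain
            for role, count in roles.items()
            for n in range(1, count + 1)}
```

A role with a single instance can never pass the check, which is why the deck's advice to run more than one instance per role matters as much as the fault-domain spread itself.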
Storage Services in Windows Azure
Windows Azure storage is an application managed by the Fabric Controller
Windows Azure applications can use native storage, SQL Azure, or even run MySQL within a VM
Application state is kept in storage services, so worker roles can replicate as needed
Windows Azure Storage Security
SQL Azure
Relational Database as a Service in Azure
– Built upon the SQL Server engine
– One logical server per Azure subscription
– Abstracts the Logical from the Physical Administration
Server Side Processing of Data
• Aggregation, Stored Procedure, Queries, Joins, Sorts, Views, Index, etc.
– Supports Familiar Relational T-SQL Programming Model
Accessible through existing APIs
• ADO .Net, ODBC, etc.
– Easy to use Schema Migration and Data Migration tools available
Multiple front-end servers receiving client connections
Data stored in three replicas
– Reads are completed at the primary
– Writes are replicated to a quorum of secondaries
[Figure: a single logical database (DB) backed by multiple physical replicas (Replica 1, Replica 2, Replica 3): one primary and multiple secondaries.]
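The replica scheme above, modelled as an added illustration (not code from this deck or from SQL Azure): reads are answered by the primary, and a write counts as committed only once a quorum of the three replicas has accepted it, so the loss of one secondary is tolerated while the loss of two blocks writes rather than silently losing durability. The replica names, the majority quorum rule and the in-memory logs are assumptions of the example.

```python
"""Quorum-commit model of the three-replica scheme on the slide: reads
are served by the primary, a write is acknowledged only after a quorum
of replicas (a majority of three) has accepted it.

Added illustration only, not code from this deck or from SQL Azure.
Replica names, the quorum rule and the in-memory log are assumptions.
"""


class Replica:
    def __init__(self, name):
        self.name = name
        self.log = []      # accepted (key, value) entries, in order
        self.up = True     # constructed failure switch for the demo

    def apply(self, entry):
        """Accept an entry; an unreachable replica cannot acknowledge."""
        if not self.up:
            return False
        self.log.append(entry)
        return True


class LogicalDatabase:
    """One logical database fronting three physical replicas."""

    def __init__(self, names=("Replica 1", "Replica 2", "Replica 3")):
        self.primary, *self.secondaries = [Replica(n) for n in names]
        self.quorum = len(names) // 2 + 1      # majority: 2 of 3

    def write(self, key, value):
        """Commit only if the primary plus enough secondaries acknowledge;
        returns the number of acknowledgements."""
        entry = (key, value)
        if not self.primary.apply(entry):
            raise RuntimeError("primary unavailable")
        acks = 1 + sum(s.apply(entry) for s in self.secondaries)
        if acks < self.quorum:
            self.primary.log.pop()   # not durable: roll back the primary
            raise RuntimeError(f"{acks} acks, quorum is {self.quorum}")
        return acks

    def read(self, key):
        """Reads are completed at the primary (latest value wins)."""
        for k, v in reversed(self.primary.log):
            if k == key:
                return v
        return None
```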
Identity and Access Management
[Figure: on-premises Active Directory and other providers connected through WS-* and SAML.]
Use of Active Directory identities and groups through federation
– Enables seamless access experience with other corporate applications tied to AD
Integration with 3rd party systems through WS-* and SAML 2.0 open standards
Single sign-on with popular Internet identity providers
AppFabric Access Control 2.0
Provides rules-driven, claims-based authorization for:
– Web applications
– REST Web services
– SOAP Web services
Key features
– Broad identity provider support, including AD Federation Services v2 and popular Web identity providers (Live ID, Facebook, Google, Yahoo)
– WS-Trust and WS-Federation protocol support
– Full integration with Windows Identity Foundation (WIF)
– Configurable through new management web portal
Demo #1: AppFabric ACS
Windows Azure Management
Public REST interfaces
Service Management and Diagnostics APIs
• Deployment and life cycle management
• Diagnostics and logging
PowerShell
• Enable building of sophisticated deployment scripts
System Center integration
Remote Desktop interface
Windows Azure Management Security
Customers create a Windows Azure subscription using Live ID credentials
Hosted services and storage accounts are managed through Live ID or a Service Management API over SSL with certificate-based mutual authentication
Fabric controllers update and manage the compute and storage nodes
– Fabric controllers run on separate hardware from the compute or storage services
– Communication between Fabric controllers and managed nodes is authenticated and encrypted using SSL
Demo #2: Management Security
Data Center Security
World-Class Physical Security
– 24x7 secured access
– Electronically controlled access systems
– Video camera surveillance
– Motion sensors
– Security breach alarms
Industry Certifications
– ISO/IEC 27001:2005
– SAS 70 Type II
[Map: Windows Azure data center regions]
– North America: North Central US, South Central US
– Europe: North Europe, West Europe
– Asia: East Asia, South Asia
Microsoft complies with all applicable laws regarding cross-border data transfer including EU and US Safe Harbor requirements
Call to Action
1. Sign up and deploy your first app on Windows Azure Platform - http://bit.ly/tBavpE
2. Activate your Windows Azure benefit for MSDN Subscribers - http://bit.ly/qT0HW9
– How to activate - http://bit.ly/r1ONwn
3. Download Windows Azure SDK and Tools - http://bit.ly/odmOEy
4. Attend a 1-day Windows Azure Discovery Workshop on Nov 12. Email
Summary
Cloud Security Concerns
Windows Azure Platform Security Model
– Compute Services
– Storage
– Identity and Access
– Networking
– Management
Data Center Security and Data Location
References
• Windows Azure Security Guidance - http://bit.ly/uU2w5I
• ACS Samples and Documentation - http://bit.ly/rTX93K
• Microsoft Global Foundation Services (GFS) - http://bit.ly/sfvoci
• GFS Infrastructure videos - http://bit.ly/rqhAEA
• Security Resources for Windows Azure - http://bit.ly/rIulDp
• Real World Windows Azure Security - http://bit.ly/uo6Mwo
• Windows Azure Training courses - http://bit.ly/uC8oYo
Thank You
Q&A