Azure AD Proof of Concept Playbook
Contents
Executive Summary....................................................
How to use this Playbook
1. Use the Theme section and pick the area(s) of i...
Most scenarios in this guide are additive in nature. As a result, they can ...
Theme – Lots of apps, one identity
Scenario Building Blocks
Integrate SaaS ...
6. The Sales department wants to audit who accessed Twitter. Bob downloads ...
Self Service Password Reset
1. Bob is the Azure AD Global admin and enables...
various sources and follows through on findings.
Common Prerequisites for a...
4 You have needed credentials for on-prem and cloud environments
Azure AD ...
Prerequisites
Id Pre-requisite Resources
1 Assets (Images, Logos, etc.); F...
Group based licensing
Approximate time to complete: 10 minutes
Prerequisit...
Steps
Step Resources
1 Share the tutorial to all actors from Microsoft Doc...
Sign Up for Free | HipChat
3 Target set of users to assign the application...
SaaS Shared Accounts Configuration
Approximate time to complete: 30 minute...
Groups – Delegated Ownership
Approximate time to complete: 10 minutes
Prer...
2 Group that is assigned access to the application in #1 is identified
Bui...
admins to fully showcase the capability
Steps
Step Resources
1 Login as a ...
3 Set the group with POC Users in the setting “Users who can self-service ...
Considerations
1. The POC steps in this building block explicitly setting ...
5 In the external network device, log in to https://myapps.microsoft.com/<...
having permissions. This corresponds to the non-activated role state.
4 In...
4 Log in as a global admin to https://portal.azure.com and open up the Ide...
Considerations
1. This capability is part of Azure AD Premium Level 2 and/...
Best Practices for Running Oracle Database on Amazon Web Services
January 2018
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Notices
This document is provided for informatio...
Contents
Introduction 1
Oracle Licensing Considerations 2
Amazon RDS License Included 2
Bring Your Own License (BYOL) 3
Ch...
Abstract
Amazon Web Services (AWS) offers you the ability to run your Oracle Database in a cloud environment. Running Orac...
Amazon Web Services – Best Practices for Running Oracle Database on AWS
Introduction
Amazon Web Services (AWS) prov...
considerations for choosing Amazon EC2 or A...
management capabilities. This service model...
cost for the Amazon RDS instance because th...
choice. Depending on your application and y...
Amazon EC2 might be a better choice for you...
The following table describes the basic dif...
Figure 1: Oracle Database in private subnet...
suited for your business needs, see the whi...
For high and consistent IOPS and database ...
Cold HDD volumes (sc1) are suitable for ha...
database performance by using Smart Flash ...
Microsoft Azure Security Cloud & Hybrid Oracle VPN integration playbook

Hybrid Cloud Azure and AWS security overview

Published in: Technology
  1. Microsoft Azure Security Overview. Tom Quinn, Azure Security Specialist, Microsoft
  2. Microsoft Azure Security and Compliance Discussion. Tom Quinn, Azure Security Specialist
  3. Topics
     • Microsoft and Security
     • Shared Responsibility
     • How does Microsoft secure the platform
     • Azure Regions – Azure Gov Cloud
     • Securing the customer environment
     • Data Security
     • Encryption
     • Identity
     • Network Security
     • Network isolation
     • First-party and third-party controls
     • Hybrid Cloud – VPN and ExpressRoute connectivity
     • Logging, Monitoring, and Operations
     • Azure Security Center and OMS
     • Partner Security Solutions
  4. Microsoft industry-leading security capabilities: Experience, Visibility, Expertise, Context
     EXPERIENCE
     • 1M+ corporate machines protected by enterprise IT security
     • Multi-platform, cloud-first hybrid enterprise
     • Decades of experience as a global enterprise
     • Runs on the multi-tenant Azure environment, same as you
     VISIBILITY
     • Malware: largest anti-virus and anti-malware service
     • Clients: Windows Update, error reports
     • Email: Outlook.com, Office 365
     • Web content: Bing, Azure AD
     • Cloud platform: Azure IaaS and PaaS, Azure Security Center
     EXPERTISE
     • Development security: established Security Development Lifecycle (SDL), ISO/IEC 27034-1
     • Operational security for hyper-scale cloud services
     • Combatting cybercrime in the cloud and partnering with law enforcement to disrupt malware
     • Incident investigation and recovery for customers
     CONTEXT
     • Trillions of URLs indexed
     • Hundreds of billions of authentications and monthly emails analyzed
     • Billions of daily web page scans and Windows devices reporting
     • Hundreds of millions of reputation look-ups
     • Millions of daily suspicious-file detonations
  5. Shared responsibility
     Rows (layers, top to bottom): Data governance & rights management; Client endpoints; Account & access management; Identity & directory infrastructure; Application; Network controls; Operating system; Physical hosts; Physical network; Physical datacenter.
     Columns (service models): SaaS, PaaS, IaaS, On-prem. Each cell is marked as Microsoft (cloud service provider) responsibility or Customer (tenant) responsibility. The pattern of Microsoft's matrix: on-prem, every layer is the customer's; with IaaS, Microsoft takes the physical hosts, network and datacenter; with PaaS, Microsoft also takes the operating system and shares the application, network controls and identity & directory infrastructure with the customer; with SaaS, Microsoft takes the application and network controls as well. Data governance & rights management, client endpoints, and account & access management stay with the customer in every model.
  6. Microsoft Cloud Security Practices
     Microsoft makes security a priority at every step, from code development to incident response.
     • Security Development Lifecycle (SDL): company-wide, mandatory development process that embeds security into every phase of the development process.
     • Defense in Depth: defense-in-depth approach across all cloud services, from the physical layer to the app/data layers.
     • Threat Intelligence: extensive threat intelligence gathering, modelling, analysis and controls incorporated into systems.
     • Identity and Access: focus on identity controls and tools, including mitigation of internal threats throughout the stack, operations included.
     • Assume Breach Simulation: dedicated security expert "red team" that simulates real-world attacks at the network, platform and application layers, testing the ability of Azure to detect, protect against and recover from breaches.
     • Incident Response: global, 24x7 incident response service that works to mitigate the effects of attacks and malicious activity.
  7. 42 Azure regions: achieve global scale, in local regions. Trust.
     US Gov: US Gov Texas and US Gov Arizona
     Newly announced: France (France Central and France South); Africa (South Africa North and South Africa West)
  8. Data in Azure
     Azure Cloud Storage:
     • Object-based, durable, massively scalable storage subsystem
     • Designed from the ground up by Microsoft
     • Presents as Blobs, Disks, Tables, Queues and Files
     • Accessed via REST APIs, client libraries and tools
     • Access control: symmetric shared-key authentication, held by the trusted service that owns the storage account; Shared Access Signatures (SAS) for delegated access
     Scale: more than 25 trillion stored objects; 2.5+ million requests/sec on average
     Storage system design and architecture: architecture and design details published and available in "Windows Azure Storage – A Highly Available Cloud Storage Service with Strong Consistency"
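     Both access-control mechanisms on this slide rest on one HMAC: the storage service recomputes HMAC-SHA256, keyed with the base64-decoded account key, over a canonical string of the request (shared-key authentication) or of the delegation parameters (SAS), and compares. The Python below is an added example, not code from the deck or from Azure; it mints and verifies an account SAS against a constructed dummy key. The string-to-sign layout follows the account-SAS format Microsoft documents for service versions 2015-04-05 through 2019-12-12 (later versions append further fields), and `make_account_sas`, `verify_account_sas` and `utc` are this example's own names. It demonstrates the two caveats a practitioner cares about: every scoping field is inside the signature, so a token holder cannot widen permissions or extend expiry, but anyone holding the account key can mint a token of any scope, and an account SAS cannot be revoked before its expiry except by rotating that key.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

# Constructed dummy account name and key for this example only (not real credentials).
# Real account keys are 64 random bytes, base64-encoded; this one is deterministic.
ACCOUNT = "examplestorage"
ACCOUNT_KEY_B64 = base64.b64encode(bytes(range(64))).decode()

# Signed query parameters of an account SAS, in the documented string-to-sign order:
# sp permissions, ss services, srt resource types, st start, se expiry,
# sip allowed IPs, spr protocol, sv service version. 'sig' itself is never signed.
_FIELDS = ("sp", "ss", "srt", "st", "se", "sip", "spr", "sv")


def string_to_sign(account: str, p: dict) -> str:
    """Account name followed by the signed fields, each newline-terminated;
    absent optional fields (st, sip) contribute an empty string."""
    return "".join(f"{v}\n" for v in (account, *[p.get(f, "") for f in _FIELDS]))


def sign(account: str, key_b64: str, p: dict) -> str:
    key = base64.b64decode(key_b64)
    mac = hmac.new(key, string_to_sign(account, p).encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def make_account_sas(account: str, key_b64: str, *, permissions: str, services: str,
                     resource_types: str, expiry: str, start: str = "", ip: str = "",
                     protocol: str = "https", version: str = "2019-12-12") -> str:
    """Mint the query string a client appends to a storage URL. Only a holder of
    the account key can do this, for any scope it likes."""
    p = {"sv": version, "ss": services, "srt": resource_types, "sp": permissions,
         "se": expiry, "spr": protocol}
    if start:
        p["st"] = start
    if ip:
        p["sip"] = ip
    p["sig"] = sign(account, key_b64, p)
    return urlencode(p)


def utc(iso: str) -> datetime:
    """Parse the UTC timestamps used in st/se, e.g. 2030-01-01T00:00:00Z."""
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def verify_account_sas(account: str, key_b64: str, query: str, now: datetime) -> tuple:
    """Server-side check: recompute the HMAC over the fields as *presented*,
    compare in constant time, then enforce the validity window. Editing any
    signed field (permissions, expiry, services, ...) breaks the signature;
    there is no per-token revocation, only key rotation."""
    p = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if "sig" not in p or "se" not in p:
        return False, "missing signature or expiry"
    if not hmac.compare_digest(sign(account, key_b64, p), p["sig"]):
        return False, "bad signature"
    if "st" in p and utc(p["st"]) > now:
        return False, "not yet valid"
    if utc(p["se"]) <= now:
        return False, "expired"
    return True, "ok"
```

A typical run mints a read/list token for blob storage expiring in 2030 and verifies it; flipping `sp=rl` to `sp=rwdl` in the query string, presenting it after expiry, or checking it against a different account name all fail, while the same key can always mint a fresh token with write and delete permissions.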
  9. Azure Key Vault: keys and secrets controlled by customers in their key vault. Authentication to Key Vault uses Azure AD.
     Azure data encryption, data at rest, by layer (key management for every layer through Key Vault):
     • Application layer: BYO encryption (.NET libraries, leverage on-prem HSM, etc.); Always Encrypted
     • PaaS services: SQL Database (Transparent Data Encryption, Always Encrypted); HDInsight (SQL Database); Azure Backup Service (leverages Azure Disk Encryption)
     • Virtual machine/OS layer (Windows, Linux): Azure Disk Encryption (BitLocker [Windows], DM-Crypt [Linux]); partner volume encryption (CloudLink® SecureVM); BYO encryption (customer provided)
     • Storage system: Azure Storage Service Encryption (AES-256; block, append and page blobs)
  10. Enterprise cloud identity – Azure AD
      AZURE:
      • Provides enterprise cloud identity and access management
      • Enables single sign-on across cloud applications
      • Offers Multi-Factor Authentication for enhanced security
      CUSTOMER:
      • Centrally manages users and access to Azure, O365, and hundreds of pre-integrated cloud applications
      • Builds Azure AD into their web and mobile applications
      • Can extend on-premises directories to Azure AD
      [Diagram: end users, on-premises Active Directory, Azure Active Directory, cloud apps.]
  11. Azure Virtual Networking
      AZURE:
      • Allows customers to create isolated virtual private networks
      CUSTOMER:
      • Creates virtual networks with subnets and private IP addresses
      • Enables communications between their virtual networks
      • Can apply security controls
      • Can connect to "corpnet" via VPN or ExpressRoute
      [Diagram: Customer 1 and Customer 2 each with isolated virtual networks; Subnets 1 to 3 hosting Deployment X, Deployment Y and a DNS server; VNet-to-VNet connectivity; cloud access from a client over the Internet through an RDP endpoint (password access); a VPN from Corp 1 into its isolated virtual network.]
  12. Platform network control – Network Security Groups (NSG)
      • Grouping of network traffic rules as a security group
      • Security groups associated with virtual machines or virtual subnets
      • Controlled access between machines in subnets
      • Controlled access to and from the Internet
      • Network traffic rules updated independent of virtual machines
      [Diagram: Internet, front-end subnet, back-end subnet inside one virtual network, with an NSG applied.]
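      What "controlled access between machines in subnets" means in practice is rule evaluation order: custom rules (priority 100 to 4096) are checked ahead of the three default inbound rules that every NSG carries, and the first match wins. The consequence that catches people is that the default AllowVnetInBound rule (priority 65000) permits all traffic between subnets of the same VNet, so restricting the back-end subnet to SQL traffic from the front end needs an explicit deny rule, not just an allow. The Python model below is an added example, not code from the deck or from Azure: the VNet, subnets, addresses and rule names are constructed, the service tags are resolved with a simplified mapping (Internet as non-VNet, non-private space; AzureLoadBalancer as the 168.63.129.16 probe address), and `evaluate` is this example's own function.

```python
from ipaddress import ip_address, ip_network

# Constructed topology: one VNet, a front-end subnet and a back-end subnet.
VNET = ip_network("10.0.0.0/16")
FRONT_END = ip_network("10.0.1.0/24")
BACK_END = ip_network("10.0.2.0/24")
# Source address of Azure load-balancer health probes (the AzureLoadBalancer tag).
AZURE_LB_PROBE = ip_network("168.63.129.16/32")

# Azure's default inbound rules: present in every NSG, cannot be deleted,
# only overridden by custom rules with a lower priority number.
DEFAULT_INBOUND = [
    dict(name="AllowVnetInBound", priority=65000, access="Allow", proto="*",
         src="VirtualNetwork", sport="*", dst="VirtualNetwork", dport="*"),
    dict(name="AllowAzureLoadBalancerInBound", priority=65001, access="Allow", proto="*",
         src="AzureLoadBalancer", sport="*", dst="*", dport="*"),
    dict(name="DenyAllInBound", priority=65500, access="Deny", proto="*",
         src="*", sport="*", dst="*", dport="*"),
]

# Custom rules for the back-end subnet's NSG. Rule 4000 does the real work:
# without it AllowVnetInBound (65000) lets any VNet host reach any back-end port.
BACK_END_RULES = [
    dict(name="AllowSqlFromFrontEnd", priority=100, access="Allow", proto="Tcp",
         src=str(FRONT_END), sport="*", dst=str(BACK_END), dport="1433"),
    dict(name="DenyVnetOther", priority=4000, access="Deny", proto="*",
         src="VirtualNetwork", sport="*", dst="*", dport="*"),
]


def _addr_match(prefix: str, addr: str) -> bool:
    """Resolve a CIDR prefix or service tag (simplified tag semantics for the example)."""
    ip = ip_address(addr)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return ip in VNET
    if prefix == "AzureLoadBalancer":
        return ip in AZURE_LB_PROBE
    if prefix == "Internet":
        return ip not in VNET and not ip.is_private
    return ip in ip_network(prefix, strict=False)


def _port_match(rng: str, port: int) -> bool:
    """Port field is '*', a single port, or 'lo-hi'."""
    if rng == "*":
        return True
    lo, _, hi = rng.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules, *, src_ip, dst_ip, dst_port, proto, src_port=0):
    """Inbound decision: custom rules plus the defaults, ascending priority, first match wins.
    Returns (access, matching rule name)."""
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if r["proto"] not in ("*", proto):
            continue
        if not (_addr_match(r["src"], src_ip) and _addr_match(r["dst"], dst_ip)):
            continue
        if not (_port_match(r["sport"], src_port) and _port_match(r["dport"], dst_port)):
            continue
        return r["access"], r["name"]
    raise AssertionError("unreachable: DenyAllInBound matches every flow")


if __name__ == "__main__":
    for src, port in (("10.0.1.5", 1433), ("10.0.1.5", 22), ("203.0.113.7", 1433), ("168.63.129.16", 1433)):
        print(src, port, evaluate(BACK_END_RULES, src_ip=src, dst_ip="10.0.2.5", dst_port=port, proto="Tcp"))
        print(src, port, "without rule 4000:", evaluate([], src_ip=src, dst_ip="10.0.2.5", dst_port=port, proto="Tcp"))
```

Running it side by side with and without rule 4000 shows the point: front-end to back-end port 22 is denied by DenyVnetOther when the rule is present but allowed by AllowVnetInBound when it is not, while the Internet flow is stopped by DenyAllInBound either way and the load-balancer probe still gets through on 65001.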
  13. [Diagram: Internet, Azure Traffic Manager (DNS load balancer), Application Gateways in several regions, VMs behind each.]
      Azure service             | What                                        | Example
      Traffic Manager           | Cross-region redirection & availability     | http://news.com to apac.news.com, emea.news.com, us.news.com
      Azure Load Balancer       | In-region scalability & availability        | emea.news.com to AppGw1, AppGw2
      Azure Application Gateway | URL/content-based routing & load balancing  | news.com/topnews, news.com/sports, news.com/images to VMs (web servers)
  14. App Gateway
  15. Typical Tiered Architecture (App Gateway)
  16. User Defined Routing and Virtual Appliances
  17. Internet, Private WAN (diagram)
  18. Monitoring & logging
      AZURE:
      • Performs monitoring & alerting on security events for the platform
      • Enables security data collection via Monitoring Agent or Windows Event Forwarding
      CUSTOMER:
      • Configures monitoring
      • Exports events to SQL Database, HDInsight or a SIEM for analysis
      • Monitors alerts & reports
      • Responds to alerts
      [Diagram: the customer admin enables the Monitoring Agent on guest VMs (cloud services and customer VMs) via the portal/SMAPI; events land in Azure Storage and are extracted to a SIEM, HDInsight or another reporting system; the admin view provides alerting & reporting.]
      Sample events:
      Event ID | Computer | Event description              | Severity | DateTime
      1150     | Machine1 | Example security event         | 4        | 04/29/2014
      2002     | Machine2 | Signature updated successfully | 4        | 04/29/2014
      5007     | Machine3 | Configuration applied          | 4        | 04/29/2014
      1116     | Machine2 | Example security event         | 1        | 04/29/2014
      1117     | Machine2 | Access attempted               | 1        | 04/29/2014
  19. Azure Security Center
      What is the feature? Prevent, detect and respond to threats with increased visibility and control over the security of your Azure resources, plus advanced analytics which identify attacks that might otherwise go unnoticed.
      Benefits:
      • Understand the security state of Azure resources
      • Take control of cloud security with policies that enable you to recommend and monitor security configurations
      • Make it easy for DevOps to deploy integrated Microsoft and partner security solutions
      • Find threats with advanced analysis of your security-related events, developed using Microsoft's vast global intelligence assets and expertise
      • Respond and recover from incidents faster with real-time security alerts
      • Export security events to a SIEM for further analysis
      Automatic log collection feeds the "Rome" analytics engine, which analyzes Windows security events, IIS logs, AV logs, firewall logs, syslog, …
  20. Operations Management Suite
      [Diagram: OMS collecting from Windows Server and Linux VMs in Azure, in Amazon Web Services, and in private clouds (Azure Stack, Hyper-V, VMware, OpenStack).]
      Log analytics:
      • Near-real-time performance data collection/monitoring
      • Linux agents including monitoring integrations
      • Mobile apps for Windows, Android and iOS
      • Custom fields
      • SOC 1 and SOC 2 Type 1 compliant
      IT automation:
      • Automation DSC
      • Source control support through GitHub for runbooks
      • Hybrid support for schedules / test jobs
      • PowerShell script support on hybrid workers
      • Linux DSC support
      Security & compliance:
      • Wire data solution
      • Azure network analytics solution
      • Malicious IP detection
      Backup & disaster recovery:
      • Backup >1.6 TB support
      • ASR integration with SQL Always On (public preview)
      • ASR CSP and IaaS v2 support
      • IaaS v1 & v2 VM backup
      • Azure Backup Server for application workload backups
  21. Partner Security Solutions
      Microsoft is dedicated to working with partners across the ecosystem, enabling customers to augment their security posture:
      • Network virtual appliances
      • Hosted network controls – firewalls, WAF, DDoS, IDS/IPS, DLP
      • Operations/management – monitoring, logging, correlation
      • Penetration testing
      • Vulnerability assessments / threat modeling
  22. Choose an Azure hybrid identity solution | Microsoft Docs (https://docs.microsoft.com/en-us/azure/active-directory/choose-hybrid-identity-solution, printed 5/3/18, 8:22 AM, 17 pages)
      Microsoft hybrid identity solutions (03/02/2018, 5 minutes to read)
      In this article: Synchronized identity; Pass-through authentication; Federated identity (AD FS); Common scenarios and recommendations; Next steps
      Microsoft Azure Active Directory (Azure AD) hybrid identity solutions enable you to synchronize on-premises directory objects with Azure AD while still managing your users on-premises.
  23. The first decision to make when planning to synchronize your on-premises Windows Server Active Directory with Azure AD is whether you want to use synchronized identity or federated identity. Synchronized identities, and optionally password hashes, enable your users to use the same password to access both on-premises and cloud-based organizational resources. For more advanced scenario requirements, such as single sign-on (SSO) or on-premises MFA, you need to deploy Active Directory Federation Services (AD FS) to federate identities. There are several options available for configuring hybrid identity.
  24. This article provides information to help you choose the best one for your organization based on ease of deployment and your specific identity and access management needs. As you consider which identity model best fits your organization's needs, you also need to think about time, existing infrastructure, complexity, and cost. These factors are different for every organization, and might change over time. However, if your requirements do change, you also have the flexibility to switch to a different identity model.
      Tip: These solutions are all delivered by Azure AD Connect.
  25. Synchronized identity
      Synchronized identity is the simplest way to synchronize on-premises directory objects (users and groups) with Azure AD. While synchronized identity is the easiest and quickest method, your users still need to maintain a separate password for cloud-based resources. To avoid this, you can also (optionally) synchronize a hash of user passwords to your Azure AD directory.
  26. Synchronizing password hashes enables users to log in to cloud-based organizational resources with the same user name and password that they use on-premises. Azure AD Connect periodically checks your on-premises directory for changes and keeps your Azure AD directory synchronized. When a user attribute or password is changed in on-premises Active Directory, it is automatically updated in Azure AD. For most organizations who only need to enable their users to sign in to Office 365, SaaS applications, and other Azure AD-based resources, the default password synchronization option is recommended.
  27. If that doesn't work for you, you'll need to decide between pass-through authentication and AD FS.
      Tip: User passwords are stored in on-premises Windows Server Active Directory in the form of a hash value that represents the actual user password. A hash value is the result of a one-way mathematical function (the hashing algorithm). There is no method to revert the result of a one-way function to the plain-text version of a password. You cannot use a password hash to sign in to your on-premises network. (Strictly, the raw NT hash can be replayed against NTLM on-premises, which is one reason Azure AD Connect never synchronizes it unchanged; see the extra processing described next.)
  28. When you opt to synchronize passwords, Azure AD Connect extracts password hashes from the on-premises Active Directory and applies extra security processing to the password hash before it is synchronized to Azure AD. Password synchronization can also be used together with password write-back to enable self-service password reset in Azure AD. In addition, you can enable single sign-on (SSO) for users on domain-joined computers that are connected to the corporate network. With single sign-on enabled, users only need to enter a username to securely access cloud resources.
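      The "extra security processing" is what separates the value stored in Azure AD from the on-premises NT hash, and it is why a leak of the synchronized value does not hand an attacker an NTLM-replayable credential. The Python below is an added example, not code from the deck or from Azure AD Connect; it follows Microsoft's published description of password hash synchronization (16-byte NT hash expanded to its 32-character hex form re-encoded as UTF-16, a 10-byte per-user salt, 1000 iterations of PBKDF2-HMAC-SHA256, 32-byte output) with two details that description leaves open and that are assumed here: the hex letter case, and that the salt is supplied as the PBKDF2 salt parameter. The MD4 routine is included only because many OpenSSL 3 builds disable it in hashlib; `phs_derive`, `make_cloud_record` and `cloud_verify` are this example's own names.

```python
import hashlib
import hmac
import os
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), needed because the NT hash is MD4 over UTF-16LE
    and hashlib's md4 is frequently unavailable."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (range(16), 0, (3, 7, 11, 19),
         lambda x, y, z: (x & y) | (~x & z)),
        ((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), 0x5A827999, (3, 5, 9, 13),
         lambda x, y, z: (x & y) | (x & z) | (y & z)),
        ((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), 0x6ED9EBA1, (3, 9, 11, 15),
         lambda x, y, z: x ^ y ^ z),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for idxs, k, shifts, f in rounds:
            for j, i in enumerate(idxs):
                a = _rotl((a + f(b, c, d) + x[i] + k) & _MASK, shifts[j % 4])
                a, b, c, d = d, a, b, c          # rotate registers: next step updates old d
        h = [(v + w) & _MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """What on-premises AD stores and what NTLM authenticates with: unsalted MD4 of UTF-16LE."""
    return md4(password.encode("utf-16-le"))


def phs_derive(nt: bytes, salt: bytes, iterations: int = 1000) -> bytes:
    """Azure AD Connect's processing as Microsoft describes it:
    1. 16-byte NT hash -> 32-char hex string -> UTF-16 bytes (64 bytes)
       (hex case undocumented; uppercase assumed here);
    2. PBKDF2-HMAC-SHA256 with a per-user 10-byte salt, 1000 iterations, 32-byte result
       (salt combination undocumented; passed as the PBKDF2 salt here).
    The result, the salt and the iteration count are synchronized, never the NT hash."""
    expanded = nt.hex().upper().encode("utf-16-le")
    return hashlib.pbkdf2_hmac("sha256", expanded, salt, iterations, dklen=32)


def make_cloud_record(password: str, salt=None) -> dict:
    """Build the record the cloud keeps for a user; a fresh 10-byte salt unless one is supplied."""
    salt = salt if salt is not None else os.urandom(10)
    return {"salt": salt, "iterations": 1000, "hash": phs_derive(nt_hash(password), salt)}


def cloud_verify(record: dict, password: str) -> bool:
    """Cloud-side sign-in check: rerun the derivation on the submitted password, compare in constant time."""
    candidate = phs_derive(nt_hash(password), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])
```

Two things fall out of running it: the same password yields a different stored value for every user (per-user salt), and the stored value is useless on-premises because NTLM needs the NT hash, not a PBKDF2 output derived from it. The reverse does not hold, which is the real caveat: an attacker who already holds a user's NT hash from the domain can compute that user's cloud record given the salt, so the synchronized value is only as secret as on-premises AD itself.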
  29. Pass-through authentication
      Azure AD pass-through authentication provides a simple password validation solution for Azure AD-based services using your on-premises Active Directory.
  30. If security and compliance policies for your organization do not permit sending users' passwords, even in a hashed form, and you only need to support desktop SSO for domain-joined devices, it is recommended that you evaluate using pass-through authentication. Pass-through authentication does not require any deployment in the DMZ, which simplifies the deployment infrastructure when compared with AD FS. When users sign in using Azure AD, this authentication method validates users' passwords directly against your on-premises Active Directory.
  31. With pass-through authentication, there's no need for a complex network infrastructure, and you don't need to store on-premises passwords in the cloud. Combined with single sign-on, pass-through authentication provides a truly integrated experience when signing in to Azure AD or other cloud services. Pass-through authentication is configured with Azure AD Connect, which uses a simple on-premises agent that listens for password validation requests. The agent can be easily deployed to multiple machines to provide high availability and load balancing.
  32. Since all communications are outbound only, there is no requirement for the connector to be installed in a DMZ. The server requirements for the connector are: Windows Server 2012 R2 or higher; joined to a domain in the forest through which users are validated.
      Federated identity (AD FS)
      For more control over how users access Office 365 and other cloud services, you can set up directory synchronization with single sign-on (SSO) using Active Directory Federation Services (AD FS).
  33. Federating your users' sign-ins with AD FS delegates authentication to an on-premises server that validates user credentials. In this model, on-premises Active Directory credentials are never passed to Azure AD. Also called identity federation, this sign-in method ensures that all user authentication is controlled on-premises and allows administrators to implement more rigorous levels of access control. Identity federation with AD FS is the most complicated option and requires deploying additional servers in your on-premises environment.
  34. Identity federation also commits you to providing 24x7 support for your Active Directory and AD FS infrastructure. This high level of support is necessary because if your on-premises Internet access, domain controller, or AD FS servers are unavailable, users can't sign in to cloud services.
      Tip: If you decide to use federation with Active Directory Federation Services (AD FS), you can optionally set up password synchronization as a backup in case your AD FS infrastructure fails.
  35. Common scenarios and recommendations
      Here are some common hybrid identity and access management scenarios with recommendations as to which hybrid identity option (or options) might be appropriate for each.
  36. I need to:                                                                                                   | Password sync and SSO (1) | PTA and SSO (2) | AD FS (3)
      Sync new user, contact, and group accounts created in my on-premises Active Directory to the cloud automatically | yes | yes | yes
      Set up my tenant for Office 365 hybrid scenarios                                                               | yes | yes | yes
      Enable my users to sign in and access cloud services using their on-premises password                          | yes | yes | yes
      Implement single sign-on using corporate credentials                                                           | yes | yes | yes
      Ensure no password hashes are stored in the cloud                                                              |     | yes | yes
      Enable on-premises multi-factor authentication solutions                                                       |     |     | yes
      Support smartcard authentication for my users (4)                                                              |     |     | yes
      Display password expiry notifications in the Office Portal and on the Windows 10 desktop                       |     |     | yes
  37. (1) Password synchronization with single sign-on. (2) Pass-through authentication and single sign-on. (3) Federated single sign-on with AD FS.
  38. (4) AD FS can be integrated with your enterprise PKI to allow sign-in using certificates. These certificates can be soft certificates deployed via trusted provisioning channels such as MDM or GPO, smartcard certificates (including PIV/CAC cards), or Hello for Business (cert-trust). For more information about smartcard authentication support, see this blog.
      Next steps: Learn more in an Azure Proof of Concept environment; Install Azure AD Connect; Monitor hybrid identity synchronization.
Azure Active Directory Proof of Concept Playbook
Explore and quickly implement Identity and Access Management scenarios

Executive Summary
This document provides guidelines to explore different Azure AD capabilities in a Proof of Concept (POC). The intended audience of this document is Identity Architects, IT Professionals, and System Integrators.
Azure AD Proof of Concept Playbook

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The descriptions of other companies' products in this document, if any, are provided only as a convenience to you. Any such references should not be considered an endorsement or support by Microsoft. Microsoft cannot guarantee their accuracy, and the products may change over time. Also, the descriptions are intended as brief highlights to aid understanding, rather than as thorough coverage. For authoritative descriptions of these products, please consult their respective manufacturers.

© 2016 Microsoft Corporation. All rights reserved. Any use or distribution of these materials without express authorization of Microsoft Corp. is strictly prohibited.

Microsoft and Windows are either registered trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents
• Executive Summary
• Contents
• How to use this Playbook
• PoC Ingredients
  • Theme
  • Environment
  • Target Users
• PoC Implementation
  • Foundation - Syncing AD to Azure AD
  • Theme – Lots of apps, one identity
  • Theme – Increase your security
  • Theme – Scale with Self Service
• PoC Building Blocks
  • Catalog of Actors
  • Common Prerequisites for all building blocks
  • Directory Synchronization – Password Hash Sync (PHS) – New Installation
  • Branding
  • Group based licensing
  • SaaS Federated SSO Configuration
  • SaaS Password SSO Configuration
  • SaaS Shared Accounts Configuration
  • Groups – Delegated Ownership
  • SaaS and Identity Lifecycle
  • Self Service Password Reset
  • Self Service Access to Application Management
  • Azure Multi-Factor Authentication with Phone Calls
  • MFA Conditional Access for SaaS applications
  • Privileged Identity Management (PIM)
  • Discovering Risk Events
  • Deploying Sign-in risk policies
How to use this Playbook
1. Use the Theme section and pick the area(s) of interest based on your needs.
2. Scope the PoC by choosing the scenarios that align with your business goals. The shorter the better. We recommend keeping it as short and concise as possible to convey the value to the stakeholders while minimizing the complexity of realizing it.
3. Use the PoC Implementation section to understand the scenarios and what they would mean for your environment. In each scenario, we describe how to set it up (what we call building blocks) and how to navigate the scenarios.
4. Each building block explains the prerequisites needed, as well as an approximate time to complete. This can help you during the planning process.
5. Based on 1-3 above, define the environment in which to execute. We encourage you to strive for a production environment to get a good feel of the experience for your users.
6. When you have conflicting requirements, use this helpful tradeoff matrix:
   a. Theme-centric showing of value
   b. Smoothness to prepare, to set up, and to execute the scenarios
   c. Minimal time to execute the target scenarios
   d. As close to production as feasible within your constraints

Note: Throughout this document, you will see some specific third party applications and products mentioned as examples for convenience. Azure AD supports thousands of applications in our application gallery that you can use based on your needs and environment.

PoC Ingredients

Theme
Azure AD provides identity and access solutions across multiple areas in the enterprise. We classify the scenarios in the following areas:
• Lots of apps, one identity
• Increase your security
• Scale with Self Service
Defining a theme to frame the PoC helps focus the effort on what resonates with business goals, which oftentimes are the triggers of the interest in a proof of concept in the first place.

Environment
It is important to determine the details of the environment where you will deliver the PoC. Ideally you can build upon it after the PoC is completed. The target environment is crucial, and you should find the right balance between making it as real as possible and the overhead of constraints or extra considerations. The typical environments for PoCs are:
• Production: The scenarios will be implemented in your live environment and already deployed Microsoft Cloud services (production AD, Office 365, Azure AD tenant/SSO solution).
• User Acceptance Test (UAT)/Dev environment: You have test infrastructure (parallel AD and potentially an Azure AD tenant/SSO solution) with test data that resembles production. Typically, the test environment is shared across multiple projects in the enterprise.
Most scenarios in this guide are additive in nature. As a result, they can be deployed in the production tenant without affecting users outside the PoC. Throughout this document, we will be calling out which scenarios would have a tenant-wide effect. In those cases, you might want to consider a non-production environment.

Target Users
It is important to determine the target set of users that will exercise the scenarios, especially when the environment is production or test. The categories of target users for a PoC are:
• Pilot Users: Real users in the environment that will be using the solution with the account they use for their day to day job functions
• Test Users: Test accounts created in the environment
Most scenarios in this guide can be exercised by pilot users. Throughout this document, we will be calling out target user considerations if needed.

PoC Implementation

Foundation - Syncing AD to Azure AD
A hybrid identity is the foundation for most enterprise customers who already have an on-premises directory. The goal here is to intentionally spend as little time as possible on this step, so that the value of the actual identity and access scenarios can be shown.

Scenario: Extending your on-premises identity to the cloud
Building blocks:
• Directory Synchronization - Password Hash Sync
  Note: If you already have DirSync/ADSync or earlier versions of Azure AD Connect, this step is optional. Some scenarios in this guide might require a newer version of Azure AD Connect.
• Branding

Scenario: Assigning Azure AD licenses using groups
Building blocks:
• Group based licensing

Extending your on-premises identity to the cloud
1. Bob is the Active Directory administrator at Contoso. He gets the requirement to enable identity as a service for a set of users. After executing the Azure AD Connect wizard, the identities of the target users are available in the cloud.
2. Bob asks Susie, one of the target users, to access the Azure Active Directory access panel and confirm that she can authenticate. Susie sees a branded login page and an empty access panel, which is ready for enabling future application access.

Assigning Azure AD licenses using Groups
1. Bob is the Azure AD Global Admin and wants to allocate Azure AD licenses to a specific set of users as part of the initial rollout of Azure AD.
2. Bob creates a group for the pilot users.
3. Bob assigns the licenses to the group.
4. Susie, one of the information workers, is added to the security group as part of her job functions.
5. After some time, Susie has access to the Azure AD Premium license. This will enable more of the POC scenarios later on.
Theme – Lots of apps, one identity

Scenario: Integrate SaaS Applications – Federated SSO
Building blocks: SaaS Federated SSO Configuration; Groups - Delegated Ownership

Scenario: Integrate SaaS Applications – Password SSO
Building blocks: SaaS Password SSO Configuration

Scenario: SSO and Identity Lifecycle Events
Building blocks: SaaS and Identity Lifecycle

Scenario: Secure Access to Shared Accounts
Building blocks: SaaS Shared Accounts Configuration

Integrate SaaS Applications – Federated SSO
1. Bob is the Azure AD Global Admin and receives a request from the Marketing department to enable access to their ServiceNow instance. Bob finds the step-by-step tutorial in the Azure AD documentation, follows it, and delegates the assignment of users to the app to Kevin, the head of the Marketing team.
2. Kevin logs in as the owner of ServiceNow entitlements and assigns Susie to the app. Kevin also notices that Susie's profile was created in ServiceNow automatically.
3. Susie is an information worker in the Marketing department. She logs in to Azure AD and finds all SaaS applications she is assigned to in the myapps portal. From there, she seamlessly gets access to ServiceNow.
4. The Marketing department wants to audit who accessed ServiceNow. Bob downloads an activity report and shares it with Kevin over email.

SSO and Identity Lifecycle Events
1. Susie takes a leave of absence, and by corporate policy the on-premises AD account is temporarily disabled. Susie now can't log in to Azure AD and therefore can't access ServiceNow.
2. Susie makes a lateral move from Marketing to Sales. Kevin removes her access from ServiceNow. Susie logs in to the Azure AD myapps portal and no longer sees the ServiceNow tile. After 10 minutes, Kevin confirms that Susie's account was disabled from the ServiceNow management console.

Integrate SaaS Applications – Password SSO
1. Bob configures access to Atlassian HipChat. HipChat has Password SSO integration, and Bob grants access to Susie.
2. Susie logs in to the myapps portal and sees a link to download the Azure AD IE browser extension, which she downloads.
3. Upon clicking, she gets prompted for her HipChat username and password credentials. This is a one-time operation, and after completing it she has access to HipChat.
4. A few days later, Susie opens the myapps portal and clicks HipChat again. This time around, she gets seamless access.
5. Kevin, the HipChat app owner, wants to audit who accessed the application. Bob downloads an audit report and shares it with Kevin over email.

Secure Access to Shared Accounts
1. Bob is tasked to secure the shared Twitter handle for members of the Sales team. He adds Twitter as an SSO application and assigns it to the security group of the Sales team. He was given the credentials to the shared account and he supplies them in the system.
2. Sharing the Twitter credentials is no longer trusted, because multiple people know them. Bob enables automatic rollover of the Twitter password.
3. Susie, a member of the Sales team, logs in to the myapps portal and sees a link to download the Azure AD IE browser extension. She installs it.
4. Upon clicking, she gets access directly to Twitter. She does not know the password.
5. Arnold is also part of the Sales team. He has the same experience as Susie in steps 3-4.
6. The Sales department wants to audit who accessed Twitter. Bob downloads an activity report and shares it with Kevin over email.

Theme – Increase your security

Scenario: Secure administrator account access
Building blocks: Azure MFA with Phone Calls

Scenario: Secure access for applications
Building blocks: Conditional Access for SaaS applications

Scenario: Enable Just In Time administration
Building blocks: Privileged Identity Management

Scenario: Protect identities based on risk
Building blocks: Discovering risk events; Deploying Sign-in risk policies

Secure administrator account access
1. Bob is the Azure AD Global Administrator. He has identified Stuart as a co-administrator of the service.
2. Bob configures Stuart's account to always require MFA to improve the security posture.
3. Stuart logs in to the Azure management portal and notices that he needs to register his phone number to continue the login.
4. Subsequent logins from Stuart are now protected with Multi-Factor Authentication, and he now gets a phone call to verify his identity.

Secure access to applications
1. Kevin is the business owner of ServiceNow. The company now wants those users to log in with MFA when accessing it from outside the corporate network.
2. Bob, our Azure AD Global Admin, adds a conditional access policy to the ServiceNow application to enable MFA for outside access.
3. Susie, our information worker, logs in to the myapps portal and clicks the ServiceNow tile. She is now challenged with MFA.

Enable Just in time (JIT) administration
1. Bob and Stuart are Azure AD Global Admins. They want to enable JIT access to the management roles and also to keep records on the usage of the privileged roles.
2. Bob enables PIM in the Azure AD tenant and becomes the security administrator. He changes both his own and Stuart's global admin role membership from permanent to eligible.
3. Bob and Stuart are now required to activate their role through the Azure Portal before making any changes to the Azure AD configuration.

Protect Identities based on risk
1. Susie, an information worker, attempts to log in from a Tor browser.
2. Bob checks the Azure AD Identity Protection dashboard and sees Susie's login from an anonymous IP address. The security team wants to challenge such accesses with MFA.
3. Bob enables an Azure AD Identity Protection policy to challenge with MFA for medium or higher risk events.
4. Time goes by, and Susie logs in from the Tor browser again. This time, she will see the MFA challenge.

Theme – Scale with Self Service

Scenario: Self Service Password Reset
Building blocks: Self Service Password Reset

Scenario: Self Service Access to Applications
Building blocks: Self Service Access to Applications
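The four "Increase your security" scenarios above each add one condition under which a sign-in must complete MFA: the account holds an admin role, the app is ServiceNow and the request comes from outside the corporate network, or the sign-in carries medium or higher risk. The model below is an added example written for this page, not Microsoft's conditional access engine or any code from the playbook; the corporate address ranges, user names and sample sign-ins are constructed, and the risk level is taken as an input the way the Identity Protection dashboard reports it.

```python
"""Added example: a small model of the access rules described in the
'Increase your security' theme. It is not Azure AD's policy engine; it shows
how the three rule types combine for one sign-in. All data is constructed."""
from dataclasses import dataclass, field
import ipaddress

# Constructed corporate ranges; a real tenant defines its own named locations.
CORPORATE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                      ipaddress.ip_network("10.0.0.0/8")]
RISK_LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class SignIn:
    user: str
    app: str
    source_ip: str
    roles: set = field(default_factory=set)
    risk: str = "none"   # risk level reported for this sign-in


def is_corporate(ip):
    """True when the source address falls inside a corporate range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def mfa_reasons(s):
    """Return the rules that require MFA for this sign-in; an empty list means
    the sign-in proceeds without an MFA challenge."""
    reasons = []
    if "Global Administrator" in s.roles:                # scenario: admin accounts
        reasons.append("admin-always-mfa")
    if s.app == "ServiceNow" and not is_corporate(s.source_ip):  # conditional access
        reasons.append("servicenow-outside-corpnet")
    # Unknown risk strings are treated as high so a parsing gap fails closed.
    if RISK_LEVELS.get(s.risk, 3) >= RISK_LEVELS["medium"]:      # sign-in risk policy
        reasons.append("sign-in-risk-%s" % s.risk)
    return reasons


# Constructed sample sign-ins mirroring the playbook's actors.
SAMPLE = [
    SignIn("stuart@contoso.example", "Azure Portal", "203.0.113.10", {"Global Administrator"}),
    SignIn("susie@contoso.example", "ServiceNow", "203.0.113.25"),
    SignIn("susie@contoso.example", "ServiceNow", "198.51.100.7"),
    SignIn("susie@contoso.example", "myapps", "198.51.100.7", risk="medium"),
]


def evaluate(signins=SAMPLE):
    """Map (user, app, source ip) to the list of MFA reasons for each sign-in."""
    return {(s.user, s.app, s.source_ip): mfa_reasons(s) for s in signins}


if __name__ == "__main__":
    for key, reasons in evaluate().items():
        print(key, "->", reasons or "no MFA required")
```

The rules are evaluated independently and all matching reasons are kept, which is what you want in a PoC report: it shows stakeholders which policy fired for each test sign-in rather than only the final decision.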
Self Service Password Reset
1. Bob is the Azure AD Global Admin and enables Self Service Password Management for a subset of users, including Susie.
2. Susie logs in to the myapps portal and sees a message to register her security information for future password reset events.
3. Fast forward a few days: Susie forgets her password and resets it through the Azure AD portal.

Self Service Access to Applications
1. Kevin is the business owner of ServiceNow. He wants users to "sign up" for it on demand, instead of adding them all at once.
2. Bob, our Azure AD Global Admin, modifies the ServiceNow application to enable self service requests.
3. Susie, our information worker, logs in to the myapps portal, clicks the "Add more applications" button and sees ServiceNow as one of the recommended applications. Then she navigates back to the myapps portal and sees the ServiceNow application.

PoC Building Blocks

Catalog of Actors

Actor: Identity Architecture / development team
Description: This team is usually the one that designs the solution, implements prototypes, drives approvals and finally hands off to operations.
PoC Responsibility: They provide the environments and are the ones evaluating the different scenarios from the manageability perspective.

Actor: On-Premises Identity Operations team
Description: Manages the different identity sources on-premises: Active Directory Forests, LDAP directories, HR systems, and Federation Identity Providers.
PoC Responsibility: Provide access to on-premises resources needed for the PoC scenarios. They should be involved as little as possible.

Actor: Application Technical Owners
Description: Technical owners of the different cloud apps and services that will integrate with Azure AD.
PoC Responsibility: Provide details on SaaS applications (potentially instances for testing).

Actor: Azure AD Global Admin
Description: Manages the Azure AD configuration.
PoC Responsibility: Provide credentials to configure the synchronization service. Usually the same team as Identity Architecture during the PoC but separate during the operations phase.

Actor: Database team
Description: Owners of the Database infrastructure.
PoC Responsibility: Provide access to the SQL environment (AD FS or Azure AD Connect) for specific scenario preparations. They should be involved as little as possible.

Actor: Network team
Description: Owners of the Network infrastructure.
PoC Responsibility: Provide required access at the network level for the synchronization servers to properly access the data sources and cloud services (firewall rules, ports opened, IPsec rules, etc.).

Actor: Security team
Description: Defines the security strategy, analyzes security reports from various sources and follows through on findings.
PoC Responsibility: Provide target security evaluation scenarios.

Common Prerequisites for all building blocks
Below are some prerequisites needed for any POC with Azure AD Premium.

1. Azure AD tenant defined with a valid Azure subscription
   Resources: https://azure.microsoft.com/en-us/documentation/articles/active-directory-howto-tenant/
   Note: If you already have an environment with Azure AD Premium licenses, you can get a zero cap subscription by navigating to https://aka.ms/accessaad. Learn more at: https://blogs.technet.microsoft.com/enterprisemobility/2016/02/26/azure-ad-mailbag-azure-subscriptions-and-azure-ad-2/ and https://technet.microsoft.com/en-us/library/dn832618.aspx
2. Domains defined and verified
   Resources: https://azure.microsoft.com/en-us/documentation/articles/active-directory-add-domain/
   Note: Some workloads such as Power BI could have provisioned an Azure AD tenant under the covers. To check if a given domain is associated with a tenant, navigate to https://login.microsoftonline.com/<domain>/v2.0/.well-known/openid-configuration. If you get a successful response, then the domain is already assigned to a tenant and a takeover might be needed. If this is the case, please contact Microsoft for further guidance. Learn more about the takeover options at: https://azure.microsoft.com/en-us/documentation/articles/active-directory-self-service-signup/
3. Azure AD Premium or EMS trial enabled
   Resources: https://azure.microsoft.com/en-us/trial/get-started-active-directory/
4. You have assigned Azure AD Premium or EMS licenses to PoC users
   Resources: https://azure.microsoft.com/en-us/documentation/articles/active-directory-licensing-what-is/
5. Azure AD Global Admin credentials
   Resources: Assigning administrator roles in Azure Active Directory
6. Optional but strongly recommended: Parallel lab environment as a fallback
   Resources: Azure AD Connect: Prerequisites and hardware

Directory Synchronization – Password Hash Sync (PHS) – New Installation
Approximate time to complete: 1 hour for less than 1,000 PoC users

Prerequisites
1. Server to run Azure AD Connect
   Resources: Azure AD Connect: Prerequisites and hardware
2. Target POC users, in the same domain and part of a security group and OU
   Resources: Azure AD Connect: Custom installation
3. Azure AD Connect features needed for the POC are identified
   Resources: Azure AD Connect: Integrating your on-premises identities with Azure Active Directory -- Configure Sync Features
4. You have the needed credentials for the on-premises and cloud environments
   Resources: Azure AD Connect: Accounts and permissions

Steps
1. Download the latest version of Azure AD Connect
   Resources: Download Microsoft Azure Active Directory Connect from Official Microsoft Download Center
2. Install Azure AD Connect with the simplest path – Express
   1. Filter to the target OU to minimize the sync cycle time
   2. Choose the target set of users in the on-premises group.
   3. Deploy the features needed by the other POC Themes
   Resources: Azure AD Connect: Custom installation: Domain and OU filtering; Azure AD Connect: Custom installation: Group based filtering; Azure AD Connect: Integrating your on-premises identities with Azure Active Directory -- Configure Sync Features
3. Open the Azure AD Connect UI and see the running profiles completed (Import, sync, and export)
   Resources: Azure AD Connect sync: Scheduler
4. Open the Azure management portal, go to the Users tab and see that the users appear, marked properly as coming from "on premises directory"
   Resources: Administer your Azure AD directory; Azure classic portal

Considerations
1. Please look at the security considerations of password hash sync here. If password hash sync for pilot production users is definitively not an option, then consider the following alternatives:
   a. Create test users in the production domain. Make sure you don't synchronize any other account
   b. Move to a UAT environment
2. If you want to pursue federation, it is worthwhile to understand the costs associated with a federated solution with an on-premises Identity Provider beyond the POC and measure that against the benefits you are looking for:
   a. It is in the critical path, so you have to design for high availability
   b. It is an on-premises service you need to capacity plan
   c. It is an on-premises service you need to monitor/maintain/patch
   Learn more:
   a. Understanding Office 365 identity and Azure Active Directory - Federated Identity

Branding
Approximate time to complete: 15 minutes
Prerequisites
1. Assets (Images, Logos, etc.); for best visualization make sure the assets have the recommended sizes.
   Resources: Add company branding to your sign-in and Access Panel pages | What elements can I customize?
2. Optional: If the environment has an AD FS server, access to the server to customize the web theme
   Resources: Customizing the AD FS Sign-in Pages
3. Optional: If the environment has an AD FS server, credentials to manage the AD FS server are required
   Resources: AD FS Requirements
4. Client computer to perform the end user login experience
5. Optional: Mobile devices to validate the experience
6. Optional: access to a PC and the target mobile devices

Steps
1. Go to the Azure management portal and select your directory
   Resources: Azure classic portal
2. Navigate the customization experience
   Resources: Add company branding to your sign-in and Access Panel pages - Configure your directory with company branding
3. Upload the assets for the login page (hero logo, small logo, labels, etc.). Optionally, if you have AD FS, align the same assets with the AD FS login pages
   Resources: Add company branding to your sign-in and Access Panel pages - Customizable Elements
4. Wait a couple of minutes for the change to fully take effect
5. Log in with the POC user credential to https://myapps.microsoft.com/<yourdomain>
6. Confirm the look and feel in the browser
   Resources: Add company branding to your sign-in and Access Panel pages - Access Panel Page customization; Add company branding to your sign-in and Access Panel pages - Testing and examples
7. Optionally, confirm the look and feel on other devices

Considerations
• If the old look and feel remains after the customization, flush the browser client cache and retry the operation.
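Common prerequisite 2 above tells you to check whether a domain is already bound to a tenant by requesting its v2.0 OpenID configuration document and looking for a successful response. The script below is an added example for this page, not tooling from the playbook or from Microsoft: it builds that URL, interprets the two outcomes (an HTTP 200 metadata document whose issuer carries the tenant id, or an HTTP 400 `invalid_tenant` error), and can perform the live request. The two sample responses and the all-zero tenant id are constructed placeholders in the shape the endpoint returns, so the classification runs offline.

```python
"""Added example: interpret the Azure AD v2.0 OpenID configuration endpoint
to tell whether a DNS domain is already attached to a tenant (the takeover
case the prerequisites warn about). Sample responses are constructed."""
import json
import urllib.error
import urllib.request


def openid_config_url(domain):
    """The endpoint named in the prerequisite, parameterised by domain."""
    return ("https://login.microsoftonline.com/%s/v2.0/.well-known/openid-configuration"
            % domain)


def classify(status, body):
    """Map an HTTP status and JSON body from the endpoint to
    ('assigned', tenant_id) or ('unassigned', None).

    Anything else raises, so a transient error is never read as 'domain is free'."""
    doc = json.loads(body)
    if status == 200 and "issuer" in doc:
        # v2.0 metadata issuer has the form
        # https://login.microsoftonline.com/<tenant-id>/v2.0
        tenant_id = doc["issuer"].rstrip("/").split("/")[-2]
        return ("assigned", tenant_id)
    if status == 400 and doc.get("error") == "invalid_tenant":
        return ("unassigned", None)
    raise ValueError("unexpected response: HTTP %s %s" % (status, doc.get("error")))


def fetch_openid_config(domain):
    """Live lookup (needs network access); returns the same tuple as classify()."""
    try:
        with urllib.request.urlopen(openid_config_url(domain), timeout=10) as r:
            return classify(r.status, r.read().decode())
    except urllib.error.HTTPError as e:
        return classify(e.code, e.read().decode())


# Constructed sample responses; the tenant id is a placeholder, not a real tenant.
SAMPLE_ASSIGNED = (200, json.dumps({
    "issuer": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/"
                              "00000000-0000-0000-0000-000000000000/oauth2/v2.0/authorize",
}))
SAMPLE_UNASSIGNED = (400, json.dumps({
    "error": "invalid_tenant",
    "error_description": "AADSTS90002: Tenant 'example.test' not found. (constructed)",
}))


if __name__ == "__main__":
    for label, sample in (("assigned", SAMPLE_ASSIGNED), ("unassigned", SAMPLE_UNASSIGNED)):
        print(label, "->", classify(*sample))
```

An `assigned` result means someone already owns a tenant for that domain, which is the situation where the playbook says to contact Microsoft about takeover before continuing the PoC; only an explicit `invalid_tenant` answer should be read as "no tenant yet".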
Group based licensing
Approximate time to complete: 10 minutes

Prerequisites
2. All POC users are part of a security group (either cloud or on-premises)
   Resources: Managing groups in Azure Active Directory

Steps
1. Log in as a global admin in the Azure management portal
   Resources: Azure classic portal
2. Assign the licenses to the security group with the POC users.
   Resources: Simplified License Assignment with Azure AD and EMS – Enterprise Mobility and Security Blog

Considerations
• Since the POC will potentially have more scenarios, it is good to have all of the users in a security group and assign the license to that group.
• The current functionality assigns all service plans within the license. For EMS licenses, this means access to all components in the suite (i.e. Azure AD Premium, Intune and Azure RMS).

SaaS Federated SSO Configuration
Approximate time to complete: 20 minutes

Prerequisites
1. Test environment of the SaaS application available. In this guide, we use ServiceNow as an example. We strongly recommend using a test instance to minimize friction in navigating existing data quality and mappings.
   Resources: Go to https://developer.servicenow.com/app.do#!/home to start the process of getting a test instance
2. Admin access to the ServiceNow management console
   Resources: Tutorial: Azure Active Directory integration with ServiceNow
3. Target set of users to assign the application to. A security group containing the POC users is recommended. If creating the group is not feasible, then assign the users directly to the application for the POC.
   Resources: Azure AD and Applications: Assigning Users to an Application
Steps
1. Share the tutorial from the Microsoft documentation with all actors
   Resources: Tutorial: Azure Active Directory integration with ServiceNow
2. Set up a working meeting and follow the tutorial steps with each actor.
   Resources: Tutorial: Azure Active Directory integration with ServiceNow
3. Assign the app to the group identified in the Prerequisites. If the POC has conditional access in scope, you can revisit that later and add MFA and similar controls. Note this will kick off the provisioning process (if configured).
   Resources: Azure AD and Applications: Assigning Users to an Application; Managing groups in Azure Active Directory
4. Wait for a few minutes while provisioning completes. In the meantime, you can check on the provisioning reports.
   Resources: How can I track the progress of the current provisioning job?
5. Log in to https://myapps.microsoft.com/<yourdomain> as a test user that has access
   Resources: Introduction to the Access Panel
6. Click on the tile for the application that was just created. Confirm access.
   Resources: Launching Applications
7. Optionally, you can check the application usage reports. Note there is some latency, so you need to wait some time to see the traffic in the reports.
   Resources: View your access and usage reports; Azure Active Directory Reporting Latencies

Considerations
1. If the target application is not present in the gallery, then you can use bring your own app. Learn more:
   • Configuring single sign-on to applications that are not in the Azure Active Directory application gallery

SaaS Password SSO Configuration
Approximate time to complete: 15 minutes

Prerequisites
1. Test environment for SaaS applications. Examples of Password SSO applications are HipChat and Twitter. For any other application, you need the exact URL of the page with the HTML sign-in form.
   Resources: HipChat on Microsoft Azure Marketplace; Twitter on Microsoft Azure Marketplace
2. Test accounts for the applications.
   Resources: Sign up for Twitter; Sign Up for Free | HipChat
3. Target set of users to assign the application to. A security group containing the users is recommended.
   Resources: Azure AD and Applications: Assigning Users to an Application; Managing groups in Azure Active Directory
4. Local administrator access to a computer to deploy the Access Panel Extension for IE/Chrome or Firefox
   Resources: Access Panel Extension for IE; Access Panel Extension for Chrome; Access Panel Extension for Firefox

Steps
1. Sign up for a test account
   Resources: Sign up for Twitter; Sign Up for Free | HipChat
2. Configure the application in Azure AD
3. Assign the app to the group identified in the Prerequisites.
   Resources: Azure AD and Applications: Assigning Users to an Application
4. Log in to https://myapps.microsoft.com/<yourdomain> as a test user that has access
   Resources: Introduction to the Access Panel
5. Install the browser extension
   Resources: Access Panel Extension for IE; Access Panel Extension for Chrome; Access Panel Extension for Firefox
6. Supply the application credential
   Resources: Introduction to the Access Panel – Launching Applications
7. Click on the tile for the application that was just created.
   Resources: Introduction to the Access Panel – Launching Applications
8. Close the browser and repeat the login. This time around the user should see seamless access to the application.
   Resources: Introduction to the Access Panel – Launching Applications
9. Optionally, you can check the application usage reports. Note there is some latency, so you need to wait some time to see the traffic in the reports.
   Resources: View your access and usage reports; Azure Active Directory Reporting Latencies

Considerations
1. If the target application is not present in the gallery, then you can use bring your own app. Learn more:
   a. Configuring single sign-on to applications that are not in the Azure Active Directory application gallery
   Keep in mind the following requirements:
   • The application should have a known login URL
   • The sign-in page should contain an HTML form with one or more text fields that the browser extensions can auto-populate. At a minimum, it should contain username and password.
2. The IE extension can be deployed at scale via group policy; see https://azure.microsoft.com/en-us/documentation/articles/active-directory-saas-ie-group-policy/
SaaS Shared Accounts Configuration
Approximate time to complete: 30 minutes

Prerequisites
1. The list of target applications and their exact sign-in URLs, gathered ahead of time. As an example, you can use Twitter. (Resource: Sign up for Twitter)
2. A shared credential for these SaaS applications. (Resources: Sharing accounts using Azure AD; Azure AD automated password roll-over for Facebook, Twitter and LinkedIn now in preview! – Enterprise Mobility and Security Blog)
3. Credentials for at least two team members who will access the same account. They must be part of a security group. (Resource: Azure AD and Applications: Assigning Users to an Application)
4. Local administrator access to a computer to deploy the Access Panel Extension for IE or Chrome. (Resources: Access Panel Extension for IE; Access Panel Extension for Chrome; Access Panel Extension for Firefox)

Steps
1. Configure the SaaS application. (Resource: What is application access and single sign-on with Azure Active Directory?)
2. Set up access for a security group and map it to a shared account. (Resource: Sharing accounts using Azure AD)
3. If using Twitter, Facebook or LinkedIn, set up and discuss the password roll-over capabilities. (Resource: Azure AD automated password roll-over for Facebook, Twitter and LinkedIn now in preview! – Enterprise Mobility and Security Blog)
4. Log in as different users that sign in to the application as the same shared account. (Resources: Introduction to the Access Panel – Launching Applications; View your access and usage reports)
5. Optionally, check the application usage reports. Note that there is some latency, so you need to wait some time before the traffic shows up in the reports. (Resources: View your access and usage reports; Azure Active Directory Reporting Latencies)

Considerations
1. If the target application is not present in the gallery, you can bring your own app. Learn more:
a. Configuring single sign-on to applications that are not in the Azure Active Directory application gallery
Keep in mind the following requirements:
• The application should have a known login URL.
• The sign-in page should contain an HTML form with one or more text fields that the browser extensions can auto-populate. At a minimum, it should contain username and password.
Groups – Delegated Ownership
Approximate time to complete: 10 minutes

Prerequisites
1. A SaaS application (Federated SSO or Password SSO) has already been configured. (Resource: Building block: SaaS Federated SSO Configuration)
2. The cloud group that is assigned access to the application in #1 is identified. (Resource: Building block: SaaS Federated SSO Configuration)
3. Credentials for the group owner are available. (Resource: Managing access to resources with Azure Active Directory groups)
4. Credentials for the information worker accessing the app have been identified. (Resource: Introduction to the Access Panel – Launching Applications)

Steps
1. Identify the group that has been granted access to the application, and configure the owner. (Resource: Managing owners for a group)
2. Log in as the group owner and view the group membership. (Resources: Introduction to the Access Panel; Manage your groups)
3. Add the information worker you want to test. (Resource: Managing groups in Azure Active Directory – How do I add or remove individual users in a security group?)
4. Log in as the information worker and confirm that the tile is available. (Resource: Introduction to the Access Panel – Launching Applications)

Considerations
1. If the application has provisioning enabled, you might need to wait a few minutes for provisioning to complete before accessing the application as the information worker.

SaaS and Identity Lifecycle
Approximate time to complete: 15 minutes

Prerequisites
1. A SaaS application has already been configured. (Resource: Building block: SaaS Federated SSO Configuration)
2. The group that is assigned access to the application in #1 is identified. (Resource: Building block: SaaS Federated SSO Configuration)
3. Credentials for the information worker accessing the app have been identified.

Steps
1. Remove the user from the group the app is assigned to. (Resource: Managing groups in Azure Active Directory – How do I add or remove individual users in a security group?)
2. Wait a few minutes for de-provisioning. (Resource: Automated SaaS App User Provisioning in Azure AD – How does automated provisioning work?)
3. In a separate browser session, log in as the information worker to the My Apps portal and confirm that the tile is missing. (Resource: Accessing the Access Panel)
4. Check the provisioning reports to show that de-provisioning happened. Also check the management console of the SaaS app to see the status update of the user. (Resource: Automated SaaS App User Provisioning in Azure AD – How can I track the progress of the current provisioning job?)

Considerations
1. Extrapolate the POC scenario to leaver and/or leave-of-absence scenarios. If the user is disabled or removed in on-premises AD, there is no longer a way to log in to the SaaS application.

Self Service Password Reset
Approximate time to complete: 15 minutes

Prerequisites
1. Enable self-service password management in your tenant. (Resource: Enable users to reset or change their AD Passwords)
2. Enable password write-back to manage passwords from on-premises. Note that this requires specific Azure AD Connect versions. (Resource: Password Writeback prerequisites)
3. Identify the POC users that will use this functionality, and make sure they are members of a security group. The users must be non-admins to fully showcase the capability. (Resource: Customize: Azure AD Password Management – Restrict Access to password reset)

Steps
1. Log in as a global admin. (Resource: Azure classic portal)
2. Determine the password reset policy. For POC purposes, you can use phone call and Q&A. It is recommended to require registration on login to the access panel. (Resource: Getting Started: Azure AD Password Management – Configure Password Reset Policy)
3. Log out and log in as an information worker. (Resource: Accessing the Access Panel)
4. Supply the self-service password reset data as configured in step 2. (Resource: http://aka.ms/ssprsetup)
5. Close the browser.
6. Start the login process over as the information worker you used in step 4. (Resource: Accessing the Access Panel)
7. Reset the password. (Resource: How to update your own password using Azure Active Directory)
8. Try logging in with your new password to Azure AD as well as to on-premises resources.

Considerations
1. If upgrading Azure AD Connect is going to cause friction, consider running the test against cloud accounts, or make it a demo against a separate environment.
2. Administrators have a different policy, and using an admin account to reset the password might taint the POC and cause confusion. Make sure you use a regular user account to test the reset operations.

Self Service Access to Application Management
Approximate time to complete: 10 minutes

Prerequisites
1. Identify POC users that will request access to the applications, as part of the security group. (Resource: Building block: SaaS Federated SSO Configuration)
2. The target application is deployed. (Resource: Building block: SaaS Federated SSO Configuration)

Steps
1. Log in as a global admin. (Resource: Azure classic portal)
2. Turn on delegated group management. (Resource: Making a group available for end user self-service)
3. Set the group with the POC users in the setting "Users who can self-service for security groups". (Resource: Making a group available for end user self-service)
4. Locate the target application and turn on self-service application access. (Resource: Configuring Self-Service application access)
5. Log in as the information worker to the My Apps portal. (Resource: Accessing the Access Panel)
6. Notice the "add applications" tile and click it; notice that the target application appears. (Resource: Accessing the Access Panel)

Considerations
1. The applications chosen might have provisioning requirements, so going immediately to the app might cause some errors. If the chosen application supports provisioning with Azure AD and it is configured, you might use this as an opportunity to show the whole flow working end to end. See the building block for federated SSO applications for further recommendations.

Azure Multi-Factor Authentication with Phone Calls
Approximate time to complete: 10 minutes

Prerequisites
1. Identify the POC users that will use MFA.
2. A phone with good reception for the MFA challenge. (Resource: Methods available for multi-factor authentication)

Steps
1. Log in as a global admin. (Resource: Azure classic portal)
2. Navigate to the MFA portal. (Resource: Getting started with Microsoft Azure Multi-Factor Authentication in the cloud)
3. In "Service Settings", select call to phone as one of the chosen methods. (Resource: Getting started with Microsoft Azure Multi-Factor Authentication in the cloud)
4. In the "User" settings, select the POC users. (Resource: Getting started with Microsoft Azure Multi-Factor Authentication in the cloud)
5. Log in as the POC user and walk through the proof-up process. (Resource: Accessing the Access Panel)
Considerations
1. The POC steps in this building block explicitly set MFA for a user on all logins. Other tools, such as Conditional Access and Identity Protection, engage MFA in more targeted scenarios. This is something to consider when moving from POC to production.
2. The POC steps in this building block explicitly use phone calls as the MFA method for expedience. As you transition from POC to production, we recommend using applications such as the Microsoft Authenticator as your second factor whenever possible. Learn more: DRAFT NIST Special Publication 800-63B

MFA Conditional Access for SaaS applications
Approximate time to complete: 10 minutes

Prerequisites
1. Identify the POC users to target with the policy. These users should be in a security group to scope the conditional access policy. (Resource: Building block: SaaS Federated SSO Configuration)
2. The SaaS application has already been configured. (Resource: Building block: SaaS Federated SSO Configuration)
3. The POC users are already assigned to the application. (Resource: Building block: SaaS Federated SSO Configuration)
4. Credentials for the POC user are available. (Resource: Building block: SaaS Federated SSO Configuration)
5. The POC user is registered for MFA, using a phone with good reception. (Resource: http://aka.ms/ssprsetup)
6. A device in the internal network, with an IP address in the internal address range. (Resource: Find your IP address: https://www.bing.com/search?q=what%27s+my+ip)
7. A device in the external network (can be a phone using the carrier's mobile network).

Steps
1. Log in as a global admin. (Resource: Azure classic portal)
2. Navigate to the SaaS application configuration. (Resource: Azure Conditional Access for SaaS Apps)
3. Deploy the conditional access policy to require MFA for access from the external network. It is recommended to scope this policy to the security group that contains the POC users. (Resource: Azure Conditional Access for SaaS Apps)
4. On the internal network device, log in to https://myapps.microsoft.com/<domain>. Notice that no MFA challenge happened. (Resource: Accessing the Access Panel)
5. On the external network device, log in to https://myapps.microsoft.com/<domain>. Notice that an MFA challenge happened. (Resource: Accessing the Access Panel)

Considerations
1. If you are using federation, you can use the on-premises Identity Provider (IdP) to communicate the inside/outside corporate network state with claims. You can use this technique without having to manage the list of IP addresses, which might be complex to assess and manage in large organizations. In that setup, you need to account for the "network roaming" scenario (a user logging in from the internal network and, while logged in, switching locations, such as to a coffee shop) and make sure you understand the implications.

Privileged Identity Management (PIM)
Approximate time to complete: 15 minutes

Prerequisites
1. Identify the global admin that will be part of the POC for PIM. (Resource: The Azure AD Privileged Identity Management security wizard)
2. Identify the global admin that will become the Security Administrator. (Resources: The Azure AD Privileged Identity Management security wizard; Roles in PIM)
3. Register the global admins with MFA. Make sure to use a phone with good reception. (Resource: Getting started with Microsoft Azure Multi-Factor Authentication in the cloud)
4. Optional: confirm that the global admins have email access, to exercise email notifications in PIM. (Resource: Configure the role activation settings)

Steps
1. Log in to https://portal.azure.com as a global admin (GA) and bootstrap the PIM blade. The global admin that performs this step is seeded as the security administrator. Let's call this actor GA1. (Resource: The Azure AD Privileged Identity Management security wizard)
2. Identify the global admin and move them from permanent to eligible. For clarity, this should be a separate admin from the one used in step 1. Let's call this actor GA2. (Resources: How to add or remove a user role; How to manage role activation settings)
3. Now log in as GA2 to https://manage.windowsazure.com. Navigate to the Users tab and notice the message about not having permissions. This corresponds to the non-activated role state.
4. In a new tab in the same session as step 3, navigate to https://portal.azure.com and add the PIM blade to the dashboard. (Resource: Add the Privileged Identity Management application)
5. Request activation of the Global Administrator role. (Resource: Activate a role)
6. Go back to the original tab from step 3 and click the refresh button in the browser. Note that you now have access to the management console when clicking the Users tab.
7. Optionally, if your global administrators have email enabled, check GA1's and GA2's inboxes to see the notification of the role being activated.
8. Check the audit history and observe the report to confirm that the elevation of GA2 is shown. (Resource: Review role activity)

Considerations
1. This capability is part of Azure AD Premium Level 2 and/or EMS E5.

Discovering Risk Events
Approximate time to complete: 20 minutes

Prerequisites
1. A device with the Tor browser downloaded and installed. (Resource: Download Tor Browser)
2. Access to the POC user to do the login. (Resource: Azure Active Directory Identity Protection playbook)

Steps
1. Open the Tor browser. (Resource: Download Tor)
2. Log in to https://myapps.microsoft.com with the POC user account. (Resource: Simulating Risk Events)
3. Wait 5-7 minutes. (Resource: Simulating Risk Events)
4. Log in as a global admin to https://portal.azure.com and open the Identity Protection blade. (Resource: https://aka.ms/aadipgetstarted)
5. Open the risk events blade. You should see an entry under "Sign-ins from anonymous IP addresses". (Resource: Simulating Risk Events)

Considerations
1. This capability is part of Azure AD Premium Level 2 and/or EMS E5.
2. You can discuss other risk events as well.

Deploying Sign-in risk policies
Approximate time to complete: 10 minutes

Prerequisites
1. A device with the Tor browser downloaded and installed. (Resource: Download Tor)
2. Access as a POC user to do the login testing. (Resource: Sign-in risk)
3. The POC user is registered with MFA. Make sure to use a phone with good reception. (Resource: Building Block: Azure Multi-Factor Authentication with Phone Calls)

Steps
1. Log in as a global admin to https://portal.azure.com and open the Identity Protection blade. (Resource: https://aka.ms/aadipgetstarted)
2. Enable a sign-in risk policy as follows (Resource: Sign-in risk):
• Assigned to: POC user
• Conditions: sign-in risk medium or higher (a sign-in from an anonymous location is deemed medium risk)
• Controls: require MFA
3. Open the Tor browser. (Resource: Download Tor)
4. Log in to https://myapps.microsoft.com with the POC user account. (Resource: Accessing the Access Panel)
5. Notice the MFA challenge. (Resource: Risky sign-in recovery)
Considerations
1. This capability is part of Azure AD Premium Level 2 and/or EMS E5.
2. You can discuss other risk events as well. Learn more: Types of risk events detected by Azure Active Directory Identity Protection
3. For more step-by-step guidance on other Azure AD Identity Protection scenarios, check the Azure Active Directory Identity Protection playbook.
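The two policies exercised in the MFA Conditional Access and Sign-in risk building blocks above (MFA only from outside the internal network, and MFA when sign-in risk is medium or higher), modelled as a small evaluation over constructed sign-in records. This is an added illustration, not part of the playbook; the internal IP range, group membership, application name and sign-ins are all constructed.

```python
"""Added example: how the two POC conditional access policies decide whether a
sign-in gets an MFA prompt. Everything below (IP range, group, app, records) is
constructed for illustration and is not Azure AD's own implementation."""
import ipaddress
from dataclasses import dataclass

RISK_LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Constructed internal address range (prerequisite 6 of the MFA conditional access block).
INTERNAL_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed membership of the security group both policies are scoped to.
POC_GROUP_MEMBERS = {"poc.user1@contoso.example", "poc.user2@contoso.example"}


@dataclass
class SignIn:
    user: str
    app: str
    source_ip: str
    risk_level: str = "none"    # level already assigned by Identity Protection
    anonymous_ip: bool = False  # e.g. the sign-in came through a Tor exit node


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def effective_risk(s: SignIn) -> str:
    """A sign-in from an anonymous IP address is deemed medium risk; keep the
    higher of that and the level Identity Protection already assigned."""
    level = s.risk_level
    if s.anonymous_ip and RISK_LEVELS[level] < RISK_LEVELS["medium"]:
        level = "medium"
    return level


def location_policy_requires_mfa(s: SignIn, target_app: str) -> bool:
    """Policy scoped to the POC group and one SaaS app: MFA only from outside
    the internal network (no challenge for the internal device)."""
    if s.user not in POC_GROUP_MEMBERS or s.app != target_app:
        return False
    return not is_internal(s.source_ip)


def risk_policy_requires_mfa(s: SignIn) -> bool:
    """Sign-in risk policy scoped to the POC group: require MFA at medium or higher."""
    if s.user not in POC_GROUP_MEMBERS:
        return False
    return RISK_LEVELS[effective_risk(s)] >= RISK_LEVELS["medium"]


def evaluate(s: SignIn, target_app: str = "ServiceNow") -> dict:
    """Return the policies that fired; any fired policy means an MFA prompt."""
    fired = []
    if location_policy_requires_mfa(s, target_app):
        fired.append("mfa-from-external-network")
    if risk_policy_requires_mfa(s):
        fired.append("sign-in-risk-medium-or-higher")
    return {"user": s.user, "risk": effective_risk(s),
            "policies": fired, "mfa_required": bool(fired)}


# Constructed sign-ins mirroring the POC steps.
SAMPLE_SIGNINS = [
    SignIn("poc.user1@contoso.example", "ServiceNow", "10.20.5.17"),        # internal device
    SignIn("poc.user1@contoso.example", "ServiceNow", "203.0.113.9"),       # external device
    SignIn("poc.user1@contoso.example", "MyApps", "198.51.100.4",
           anonymous_ip=True),                                             # Tor browser
    SignIn("other.user@contoso.example", "ServiceNow", "203.0.113.9",
           anonymous_ip=True),                                             # not in the POC group
]

if __name__ == "__main__":
    for signin in SAMPLE_SIGNINS:
        print(evaluate(signin))
```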
Best Practices for Running Oracle Database on Amazon Web Services
January 2018
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Notices
This document is provided for informational purposes only. It represents AWS's current product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS's products or services, each of which is provided "as is" without warranty of any kind, whether express or implied. This document does not create any warranties, representations, contractual commitments, conditions or assurances from AWS, its affiliates, suppliers or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.
Contents
Introduction 1
Oracle Licensing Considerations 2
  Amazon RDS License Included 2
  Bring Your Own License (BYOL) 3
Choosing Between Amazon RDS and Amazon EC2 for Your Oracle Database 4
Architecting for Security and Performance 6
  Network Configuration 6
  Amazon EC2 Instance Type 8
  Database Storage 9
  Backup Storage 12
Management 13
  Automation 13
  Oracle AMIs 13
  AWS EC2 Systems Manager 14
Conclusion 14
Contributors 14
Further Reading 15
Document Revisions 16
Abstract
Amazon Web Services (AWS) offers you the ability to run your Oracle Database in a cloud environment. Running Oracle Database in the AWS Cloud is very similar to running Oracle Database in your data center. To a database administrator or developer, there are no differences between the two environments. However, there are a number of AWS platform considerations relating to security, storage, compute configurations, management, and monitoring that will help you get the best out of your Oracle Database implementation on AWS. This whitepaper provides best practices for achieving optimal performance, availability, and reliability, and lowering the total cost of ownership (TCO) while running Oracle Database on AWS. The target audience for this whitepaper includes database administrators, enterprise architects, systems administrators, and developers who would like to run their Oracle Database on AWS.
Amazon Web Services – Best Practices for Running Oracle Database on AWS

Introduction
Amazon Web Services (AWS) provides a comprehensive set of services and tools for deploying Oracle Database on the reliable and secure AWS Cloud infrastructure. AWS offers its customers two options for running Oracle Database on AWS:
• Using Amazon Relational Database Service (Amazon RDS) for Oracle [1], which is a managed database service that helps simplify the provisioning and management of Oracle databases. Amazon RDS makes it easy to set up, operate, and scale a relational database in the cloud by automating installation, disk provisioning and management, patching, minor version upgrades, failed instance replacement, as well as backup and recovery tasks. The Multi-AZ feature of Amazon RDS operates two databases in multiple Availability Zones with synchronous replication, thus creating a highly available environment with automatic failover. The push-button scaling feature of Amazon RDS allows you to easily scale the database instance up or down for better cost management and performance. Amazon RDS also comes with a License Included service model [2], which allows you to pay per use by the hour.
• Running a self-managed Oracle Database directly on Amazon Elastic Compute Cloud (Amazon EC2). This option gives you full control over the setup of the infrastructure and database environment. Running the database on Amazon EC2 is very similar to running the database on your own server. You have full control of the database and have operating system-level access, so you can run monitoring and management agents and use your choice of tools for data replication, backup, and restoration. Furthermore, you have the ability to use every optional module available in Oracle Database. However, this option requires you to set up, configure, manage, and tune all the components, including Amazon EC2 instances, storage volumes, scalability, networking, and security, based on AWS architecture best practices. In the fully managed Amazon RDS service, this is all taken care of for you.
Whether you choose to run a self-managed Oracle Database on Amazon EC2 or the fully managed Amazon RDS for Oracle, following the best practices discussed in this whitepaper will help you get the most out of your Oracle Database implementation on AWS. We'll discuss Oracle licensing options,
considerations for choosing Amazon EC2 or Amazon RDS for your Oracle Database implementation, and how to optimize network configuration, instance type, and database storage in your implementation.

Oracle Licensing Considerations
Oracle Database licensing on AWS is based on the size of the instance on which the database is installed. For information about Oracle Database licensing, see Licensing Oracle Software in the Cloud Computing Environment [3] on the Oracle website. A few key points to consider are:
• As stated on the Amazon EC2 Instance Types page [4], each vCPU is a hyperthread of an Intel Xeon core, except for T2 and m3.medium. For Oracle Enterprise Edition, every two vCPUs of a hyperthreaded instance equate to a licensing requirement of one Oracle processor license. For non-hyperthreaded instances, each vCPU equates to one Oracle processor license.
• Oracle Database Standard Edition may only be licensed on instances that have up to 16 Amazon vCPUs.
• Oracle Standard Edition One and Standard Edition Two may only be licensed on instances with up to 8 Amazon vCPUs.
• For Oracle Database Standard Edition, Standard Edition One, or Standard Edition Two, every four Amazon vCPUs used (rounded up to the nearest multiple of four) equate to a licensing requirement of one socket, which is considered equivalent to one Oracle processor license.
Any discussion of Oracle licensing policies and costs in this whitepaper is for informational purposes only and is based on the information available at the time of publication. For more specific information, consult your own Oracle license agreements.

Amazon RDS License Included
You have the option to include the cost of the Oracle Database license in the hourly price of the Amazon RDS service if you use the License Included service model. In this case, you do not need to purchase Oracle licenses separately; the Oracle Database software has been licensed by AWS. License Included per-hour pricing includes software, underlying hardware resources, and Amazon RDS management capabilities. This service model optimizes license costs and gives you flexibility when scaling your Amazon RDS instances up or down. You can take advantage of hourly pricing with no upfront fees or long-term commitments. In addition, you can purchase Amazon RDS Reserved Instances under one-year or three-year reservation terms. With Reserved Instances, you make a low, one-time payment up front for each database instance, and then pay a significantly discounted hourly usage rate.
Note: The hourly license for the License Included model in Amazon RDS is available only for Oracle Standard Edition One and Standard Edition Two. For other editions of Oracle Database on Amazon RDS and any edition of Oracle Database on Amazon EC2, you need to use your own license (that is, acquire a license from Oracle), as discussed in the following section.
Since you pay for the Oracle license only for the hours in which you use Amazon RDS, the License Included option may help you reduce overall licensing costs for development and testing environments that are active only during business hours. For most businesses, the total business hours per week (10 x 5 = 50 hours) is only about 30% of the total hours in a week (24 x 7 = 168 hours), so this service model could result in considerable savings.
This service model also gives you the flexibility to resize the instance based on your needs, because the license is included in the instance cost. In cases where your regular capacity requirements are much smaller than periodic, predictable spikes, this service model allows you to scale up to absorb the additional capacity needed, and scale down to save on cost. For example, you might have databases that require the performance of a db.m3.large instance for most days of the month except for the last three days.
During the last three days of the month, your database might be heavily used due to payroll processing and month-end closing. In this scenario, you can run Oracle Database on Amazon RDS on the db.m3.large instance type throughout the month, scale up to db.m3.2xlarge for the last three days, and then scale down again. This could translate to 65% or more cost savings compared to using the db.m3.2xlarge instance for the whole month.

Bring Your Own License (BYOL)
If you already own Oracle Database licenses, you can use the BYOL service model to run your Oracle databases on Amazon RDS. This results in a lower cost for the Amazon RDS instance because the cost of the Oracle license isn't included. The BYOL model is designed for customers who prefer to use their existing Oracle Database licenses or purchase new licenses directly from Oracle. If you want to use Oracle Database Enterprise Edition or Standard Edition with Amazon RDS, or run your own self-managed Oracle Database on Amazon EC2, BYOL is the only supported option.

Oracle License Portability to AWS
Subject to the terms and conditions of the specific license agreement, Oracle licenses may be portable to AWS. In other words, your existing licenses can be transferred for use on AWS. These include:
• Server-based licenses (based on CPUs used)
• Enterprise License Agreements (ELA)
• Unlimited License Agreements (ULA)
• Business Process Outsourcing (BPO) licenses
• Oracle PartnerNetwork (OPN) licenses
• Named User Plus licenses
Additional conditions or limitations (including possible costs) may apply to licenses that are ported to AWS. Check your specific license agreement for additional details and limitations. Oracle licensing applies similarly to Oracle Database on Amazon RDS and on Amazon EC2, with the exception that hourly licensing is available only on Amazon RDS.

Choosing Between Amazon RDS and Amazon EC2 for Your Oracle Database
Both Amazon RDS and Amazon EC2 offer different advantages for running Oracle Database. Amazon RDS is easier to set up, manage, and maintain than running Oracle Database in Amazon EC2, and lets you focus on other tasks rather than the day-to-day administration of Oracle Database. Alternatively, running Oracle Database in Amazon EC2 gives you more control, flexibility, and choice. Depending on your application and your requirements, you might prefer one over the other. If you are migrating multiple Oracle databases to AWS, you will find that some of them are a great fit for Amazon RDS while others are better suited to run directly on Amazon EC2. Many AWS customers use a combination of Amazon RDS and Amazon EC2 for their Oracle Database workloads.
Amazon RDS might be a better choice for you if:
• You want to focus on your business and applications, and have AWS take care of undifferentiated heavy lifting such as provisioning the database, managing backup and recovery tasks, managing security patches, minor Oracle version upgrades, and storage management.
• You need a highly available database solution and want to take advantage of the push-button, synchronous Multi-AZ replication offered by Amazon RDS, without having to manually set up and maintain a standby database.
• You would like synchronous replication to a standby instance for high availability with Oracle Database Standard Edition One or Standard Edition Two.
• You want to pay for the Oracle license as part of the instance cost on an hourly basis instead of making a large upfront investment.
• Your database size and IOPS needs are less than the RDS Oracle limits. See the documentation for the current maximum.
• You don't want to manage backups and, most importantly, point-in-time recoveries of your database.
• You would rather focus on high-level tasks, such as performance tuning and schema optimization, than on the daily administration of the database.
• You want to scale the instance type up or down based on your workload patterns without being concerned about licensing and the complexity involved.
Amazon EC2 might be a better choice for you if:
• You need full control over the database, including SYS/SYSTEM user access, or you need access at the operating system level.
• Your database size exceeds 80% of the current maximum database size in Amazon RDS.
• You need to use Oracle features or options that are not currently supported by Amazon RDS. See the documentation for the options currently supported in Amazon RDS for Oracle.
• Your database IOPS needs are higher than the current IOPS limit. See the documentation for the current IOPS limit.
• You need a specific Oracle Database version that is not supported by Amazon RDS. For more information, see Oracle Database Editions [5].

Architecting for Security and Performance
Whether you choose to run Oracle Database on Amazon RDS or Amazon EC2, optimizing every component of the infrastructure will enhance security, performance, and reliability. In the following sections, we'll discuss best practices for optimizing network configuration, instance type, and database storage in an Oracle Database implementation on AWS.

Network Configuration
With Amazon Virtual Private Cloud (Amazon VPC), you can provision a logically isolated section of the AWS Cloud that is dedicated to your account. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, security settings, and configuration of route tables and network gateways. A subnet is a range of IP addresses in your Amazon VPC. You can launch AWS resources into a subnet that you select. Use a public subnet for resources that must be connected to the Internet, and a private subnet for resources that won't be connected to the Internet. To protect the AWS resources in each subnet, you can use multiple layers of security, including security groups and network access control lists (ACLs).
The following table describes the basic differences between security groups and network ACLs.
Security Group vs. Network ACL
• Scope: a security group operates at the instance level (first layer of defense); a network ACL operates at the subnet level (second layer of defense).
• Rule types: a security group supports allow rules only; a network ACL supports allow rules and deny rules.
• State: a security group is stateful, so return traffic is automatically allowed, regardless of any rules; a network ACL is stateless, so return traffic must be explicitly allowed by rules.
• Evaluation: a security group evaluates all rules before deciding whether to allow traffic; a network ACL processes rules in numerical order when deciding whether to allow traffic.
• Applicability: a security group applies to an instance only if someone specifies the security group when launching the instance, or associates it with the instance later on; a network ACL automatically applies to all instances in the subnets it's associated with (a backup layer of defense, so you don't have to rely on someone specifying the security group).
Amazon VPC provides isolation, additional security, and the ability to separate Amazon EC2 instances into subnets, and allows the use of private IP addresses. All of these are important in a database implementation. Deploy the Oracle Database instance in a private subnet and allow only application servers within the Amazon VPC, or a bastion host within the Amazon VPC, to access the database instance. Create appropriate security groups that allow access only to specific IP addresses through the designated ports. These recommendations apply to Oracle Database regardless of whether you're using Amazon RDS or Amazon EC2.
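The stateful/stateless and evaluation-order differences in the table above, modelled over a constructed connection from an application subnet to the Oracle listener. This is an added example, not code from the whitepaper or from AWS; the subnet addresses, rule numbers and the listener port 1521 are assumed for illustration.

```python
"""Added example: a model of the security group vs network ACL behaviour the
table describes. Addresses, rule numbers and ports are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

ORACLE_PORT = 1521  # assumed default Oracle listener port


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reply(self) -> "Packet":
        return Packet(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass
class SGRule:  # security group rules are allow-only
    cidr: str
    port: int


@dataclass
class NaclRule:  # network ACL rules are numbered and may allow or deny
    number: int
    cidr: str
    port_range: Tuple[int, int]
    action: str  # "allow" or "deny"


def in_cidr(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


class SecurityGroup:
    """Stateful: every rule is evaluated, any matching allow admits the packet,
    and the flow is remembered so its return traffic passes without a rule."""

    def __init__(self, inbound: List[SGRule]):
        self.inbound = inbound
        self.flows: Set[Packet] = set()

    def inbound_allowed(self, p: Packet) -> bool:
        if any(in_cidr(p.src_ip, r.cidr) and p.dst_port == r.port for r in self.inbound):
            self.flows.add(p)
            return True
        return False

    def outbound_allowed(self, p: Packet) -> bool:
        return p.reply() in self.flows  # reply to a tracked inbound flow


class NetworkAcl:
    """Stateless: each direction is judged on its own rules, tried in numerical
    order; the first match wins and no match means deny (the implicit * rule)."""

    def __init__(self, inbound: List[NaclRule], outbound: List[NaclRule]):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _evaluate(rules: List[NaclRule], ip: str, port: int) -> bool:
        for r in rules:
            lo, hi = r.port_range
            if in_cidr(ip, r.cidr) and lo <= port <= hi:
                return r.action == "allow"
        return False

    def inbound_allowed(self, p: Packet) -> bool:
        return self._evaluate(self.inbound, p.src_ip, p.dst_port)

    def outbound_allowed(self, p: Packet) -> bool:
        return self._evaluate(self.outbound, p.dst_ip, p.dst_port)


def connection_succeeds(sg: SecurityGroup, nacl: NetworkAcl, request: Packet) -> bool:
    """The connection works only if the request gets in through both layers
    and the reply gets back out through both (the ACL sits at the subnet edge)."""
    reply = request.reply()
    return (nacl.inbound_allowed(request) and sg.inbound_allowed(request)
            and sg.outbound_allowed(reply) and nacl.outbound_allowed(reply))


# Constructed layout: application servers in 10.0.1.0/24, database at 10.0.2.10.
APP_SUBNET = "10.0.1.0/24"
DB_SG = SecurityGroup([SGRule(APP_SUBNET, ORACLE_PORT)])
# Listener port allowed in, but the outbound ephemeral-port rule was forgotten.
NACL_MISSING_RETURN = NetworkAcl(
    inbound=[NaclRule(100, APP_SUBNET, (ORACLE_PORT, ORACLE_PORT), "allow")],
    outbound=[])
NACL_OK = NetworkAcl(
    inbound=[NaclRule(100, APP_SUBNET, (ORACLE_PORT, ORACLE_PORT), "allow")],
    outbound=[NaclRule(100, APP_SUBNET, (1024, 65535), "allow")])
# A lower-numbered deny for one host is honoured before the subnet-wide allow.
NACL_DENY_HOST = NetworkAcl(
    inbound=[NaclRule(50, "10.0.1.99/32", (0, 65535), "deny"),
             NaclRule(100, APP_SUBNET, (ORACLE_PORT, ORACLE_PORT), "allow")],
    outbound=[NaclRule(100, APP_SUBNET, (1024, 65535), "allow")])
# Wide-open ACL: only the security group then keeps outsiders off the listener.
NACL_OPEN = NetworkAcl(
    inbound=[NaclRule(100, "0.0.0.0/0", (0, 65535), "allow")],
    outbound=[NaclRule(100, "0.0.0.0/0", (0, 65535), "allow")])

REQ_FROM_APP = Packet("10.0.1.25", 51000, "10.0.2.10", ORACLE_PORT)
REQ_FROM_DENIED_HOST = Packet("10.0.1.99", 51001, "10.0.2.10", ORACLE_PORT)
REQ_FROM_OUTSIDE = Packet("203.0.113.7", 51002, "10.0.2.10", ORACLE_PORT)

if __name__ == "__main__":
    print(connection_succeeds(DB_SG, NACL_OK, REQ_FROM_APP))                  # True
    print(connection_succeeds(DB_SG, NACL_MISSING_RETURN, REQ_FROM_APP))      # False: reply dropped
    print(connection_succeeds(DB_SG, NACL_DENY_HOST, REQ_FROM_DENIED_HOST))   # False: rule 50 first
    print(connection_succeeds(DB_SG, NACL_OPEN, REQ_FROM_OUTSIDE))            # False: no SG rule
```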
Figure 1: Oracle Database in a private subnet of an Amazon VPC

Amazon EC2 Instance Type

AWS has a large number of Amazon EC2 instance types available, so you can choose the instance type that best fits your workload. However, not all of the available instance types are well suited to running Oracle Database. If you use Amazon RDS for your Oracle Database, AWS filters out some of the instance types based on best practices and offers you options in the T, M, and R instance classes. We recommend the db.m or db.r instance classes for any enterprise database workload. For the latest information about RDS instances, see Amazon RDS for Oracle Database Pricing [6]. Your choice of Amazon RDS instance type should be based on the database workload and the Oracle Database licenses available.

If you run a self-managed database on Amazon EC2, you have many more choices of Amazon EC2 instance type. This is often one of the reasons users opt to run Oracle Database on Amazon EC2 instead of using Amazon RDS. Very small instance types are not suitable, because Oracle Database is resource-intensive in its CPU usage. Instances with a larger memory footprint improve database performance by providing better caching and a bigger system global area (SGA). We recommend instances that have a good balance of memory and CPU. Choose the instance type that matches the Oracle Database licenses you plan to use and the architecture you plan to implement. For architectures best suited to your business needs, see the whitepaper Advanced Architectures for Oracle Database on Amazon EC2 [7].

Oracle Database uses disk storage heavily for read/write operations, so we highly recommend using only instances optimized for Amazon Elastic Block Store (Amazon EBS). Amazon EBS-optimized instances deliver dedicated throughput between Amazon EC2 and Amazon EBS. Bandwidth and throughput to the storage subsystem are crucial for good database performance. Choose instances with higher network performance for better database performance. The following instance families are best suited for running Oracle Database on Amazon EC2.

M family
• EBS-optimized by default at no additional cost
• Support for Enhanced Networking [8]
• Balance of compute, memory, and network resources

X family
• Lowest price per GiB of RAM
• SSD storage, and EBS-optimized by default at no additional cost
• Ability to control processor C-state and P-state configuration

R family
• Optimized for memory-intensive applications
• High-frequency Intel Xeon E5-2686 v4 (Broadwell) processors
• DDR4 memory
• Support for Enhanced Networking

I family
• Optimized for low latency, very high random I/O performance, and high sequential read throughput; provides high IOPS at a low cost
• NVMe SSD ephemeral storage
• Support for TRIM [9]
• Support for Enhanced Networking

Database Storage

Most users use Amazon EBS for database storage. For some very high-performance architectures, you can use instance store SSDs, but they must be augmented with Amazon EBS storage for reliable persistence, because instance store is ephemeral and its contents do not survive an instance stop or an underlying hardware failure. For details about this architecture, see the Advanced Architectures for Oracle Database on Amazon EC2 whitepaper.
For high and consistent IOPS and database performance, we highly recommend using General Purpose SSD (GP2) volumes or Provisioned IOPS SSD (PIOPS) volumes. GP2 and PIOPS volumes are available for both Amazon EC2 and Amazon RDS. See the documentation for the latest limits on IOPS per volume for both GP2 and PIOPS volume types.

GP2 volumes provide an excellent balance of price and performance for most database needs. When your database requires higher IOPS than GP2 can provide, PIOPS volumes are the right choice. For PIOPS volumes, you specify an IOPS rate when you create the volume, and Amazon EBS delivers within 10% of the provisioned IOPS performance 99.9% of the time over a given year. The ratio of IOPS provisioned to volume size requested can be at most 30:1. For example, to get 3,000 IOPS your volume size should be at least 100 GB.

Like PIOPS volumes, GP2 volumes are SSD-based, but the IOPS you get from a GP2 volume varies from a baseline level up to a maximum burst of 3,000 IOPS per volume. This works well for most database workloads, because the IOPS a database needs changes many times over a period depending on the load and the number of queries being executed. General Purpose (SSD) volume performance is governed by volume size, which dictates both the base performance level of the volume and how quickly it accumulates I/O credits. Larger volumes have higher base performance levels and accumulate I/O credits faster. I/O credits represent the available bandwidth that a General Purpose (SSD) volume can use to burst large amounts of I/O when more than the base performance is needed. The more I/O credits the volume has, the longer it can burst beyond its base performance level, and the better it performs when more performance is needed.
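The sizing rules quoted in this section can be turned into a small calculator. The following Python is an added example, not code from the whitepaper or from AWS. It uses the figures as stated on this page (3 IOPS per GiB of GP2 baseline, a 3,000 IOPS burst ceiling, the 30:1 PIOPS ratio) plus two documented gp2 figures that the page does not state and are assumptions here: a 100 IOPS baseline floor for small volumes and a 5.4 million I/O credit bucket. These limits have changed since the whitepaper was written, so check the current Amazon EBS documentation before sizing real volumes. The `recommend` function applies the approach described in this section: size GP2 so that its baseline covers the sustained rate, rely on burst credits for spikes, and fall back to PIOPS when a full credit bucket cannot cover the longest expected spike.

```python
import math

# Figures as stated in this section of the whitepaper; they have changed since,
# so check the current Amazon EBS documentation before sizing real volumes.
GP2_IOPS_PER_GIB = 3            # gp2 baseline: 3 IOPS per provisioned GiB
GP2_MAX_BURST_IOPS = 3000       # gp2 burst ceiling quoted on this page
PIOPS_MAX_IOPS_PER_GIB = 30     # maximum provisioned IOPS : size ratio (3,000 IOPS -> 100 GiB)

# Assumptions not stated on the page (documented gp2 behaviour at the time):
GP2_MIN_BASELINE_IOPS = 100     # small volumes get a 100 IOPS floor
GP2_CREDIT_BUCKET = 5_400_000   # initial and maximum I/O credit balance per volume


def gp2_baseline_iops(size_gib: int) -> int:
    """Baseline IOPS a gp2 volume sustains indefinitely without spending credits."""
    return max(GP2_MIN_BASELINE_IOPS, min(GP2_IOPS_PER_GIB * size_gib, GP2_MAX_BURST_IOPS))


def gp2_burst_seconds(size_gib: int, burst_iops: int = GP2_MAX_BURST_IOPS,
                      credits: int = GP2_CREDIT_BUCKET) -> float:
    """Seconds a gp2 volume can hold burst_iops before the credit balance is empty.

    Credits drain at (burst - baseline) per second. At or below baseline the
    volume never drains, reported as infinity."""
    base = gp2_baseline_iops(size_gib)
    burst_iops = min(burst_iops, GP2_MAX_BURST_IOPS)
    if burst_iops <= base:
        return math.inf
    return credits / (burst_iops - base)


def gp2_size_for_sustained_iops(sustained_iops: int) -> int:
    """Smallest gp2 size (GiB) whose baseline alone covers the sustained rate."""
    if sustained_iops > GP2_MAX_BURST_IOPS:
        raise ValueError("gp2 cannot sustain %d IOPS; use Provisioned IOPS" % sustained_iops)
    return max(1, math.ceil(sustained_iops / GP2_IOPS_PER_GIB))


def piops_min_size_gib(provisioned_iops: int) -> int:
    """Minimum PIOPS volume size implied by the 30:1 IOPS-to-size ratio."""
    return math.ceil(provisioned_iops / PIOPS_MAX_IOPS_PER_GIB)


def recommend(sustained_iops: int, peak_iops: int, peak_seconds: int) -> dict:
    """Size gp2 so its baseline covers the sustained rate and accept it only if a
    full credit bucket covers the longest expected spike; otherwise use PIOPS."""
    if sustained_iops <= GP2_MAX_BURST_IOPS and peak_iops <= GP2_MAX_BURST_IOPS:
        size = gp2_size_for_sustained_iops(sustained_iops)
        if gp2_burst_seconds(size, peak_iops) >= peak_seconds:
            return {"type": "gp2", "size_gib": size, "baseline_iops": gp2_baseline_iops(size)}
    return {"type": "piops", "size_gib": piops_min_size_gib(peak_iops), "provisioned_iops": peak_iops}


if __name__ == "__main__":
    print("100 GiB gp2 bursts to 3,000 IOPS for", gp2_burst_seconds(100), "seconds")
    for args in ((900, 3000, 600), (900, 3000, 3600), (5000, 8000, 60)):
        print(args, "->", recommend(*args))
```

The 100 GiB case reproduces the page's own numbers: baseline 300 IOPS, so a full bucket sustains the 3,000 IOPS burst for 5,400,000 / 2,700 = 2,000 seconds, roughly 33 minutes. A workload whose spikes last longer than that, or whose sustained rate exceeds what a gp2 baseline can reach, is the case the text describes as needing a larger volume or a Provisioned IOPS volume.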
Throughput Optimized HDD volumes (st1) are low-cost HDD volumes designed for intensive workloads that require fewer IOPS but high throughput. Oracle databases used for data warehouses and data analytics can use st1 volumes, as can log-processing or data-staging areas such as Oracle external tables or external BLOB storage that need high throughput. Throughput Optimized HDD (st1) volumes can handle a maximum of 500 IOPS per volume.

Cold HDD volumes (sc1) are suitable for legacy systems that are kept for occasional reference or archive purposes. These systems are accessed infrequently, with only a few scans per day on the volume.

A good approach is to estimate the amount of IOPS consistently needed for your database, and allocate enough GP2 storage to obtain that many IOPS from the baseline alone. Any additional IOPS needed for periodic spikes should be covered by the burst performance available from the credit balance. For estimation methods you can use to determine the IOPS needs of your Oracle Database, see the whitepaper Determining the IOPS Needs for Oracle Database on AWS [10].

The burst duration of a volume depends on the size of the volume, the burst IOPS required, and the credit balance when the burst begins. If you notice that your volume performance is frequently limited to the base level (because the I/O credit balance is empty), consider using a larger General Purpose (SSD) volume (with a higher base performance level), or switch to a Provisioned IOPS (SSD) volume for workloads that require sustained IOPS performance greater than 10,000 IOPS. For additional details about GP2 volumes, see the Amazon EBS User Guide [11].

For Amazon RDS, General Purpose (SSD) storage delivers a consistent baseline of 3 IOPS per provisioned GB and can burst up to 3,000 IOPS. If you are already using magnetic storage for Amazon RDS, you can convert to General Purpose (SSD) storage, but there will be a short availability impact while doing so. Using Provisioned IOPS, you can provision up to the current maximum storage limit and the maximum IOPS per database instance. Your actual realized IOPS may vary from the amount you provisioned based on your database workload, instance type, and database engine. For more information, see Factors That Affect Realized IOPS Rates in the Amazon RDS User Guide [12].

For Oracle Database on Amazon EC2, stripe multiple volumes together for more IOPS and larger capacity. You can use separate Amazon EBS volumes for different data files, but striping them together gives better balancing and scalability. Oracle Automatic Storage Management (ASM) can be used for striping. Keep data files, log files, and binaries on separate Amazon EBS volumes, and take snapshots of the log file volumes on a regular basis. Choosing an instance type with local SSD storage lets you boost database performance by using Smart Flash Cache (if the operating system is Oracle Linux) and by using the local storage for temporary files and tablespaces. Because instance store is ephemeral, keep only data that can be rebuilt (the flash cache, temporary tablespaces) on it; persistent data files belong on Amazon EBS.

Backup Storage

Most Oracle Database users take regular hot and cold backups. Cold backups are taken while the database is shut down, whereas hot backups are taken while the database is active. AWS native storage services offer a choice of solutions for your needs.

Amazon S3

Store your hot and cold backups in Amazon Simple Storage Service (Amazon S3) for high durability and easy access. You can use the AWS Storage Gateway file interface to back up the database directly to Amazon S3. The file interface presents an NFS mount backed by an S3 bucket; Oracle RMAN backups written into the NFS mount are copied to the S3 bucket automatically by the AWS Storage Gateway instance.

Amazon Glacier

Amazon Glacier is a secure, durable, and extremely low-cost cloud storage service for data archiving and long-term backup. You can use lifecycle policies in Amazon S3 to move older backups to Amazon Glacier for long-term archiving. Amazon Glacier offers three options for data retrieval with varying access times and costs: Expedited, Standard, and Bulk retrievals. For more information about these options, see the Amazon Glacier FAQs [13].

Amazon EFS

Amazon Elastic File System (Amazon EFS) provides simple, scalable file storage for use with Amazon EC2 instances in the AWS Cloud. With Amazon EFS, storage capacity is elastic, growing and shrinking automatically as you add and remove files, so your applications have the storage they need, when they need it. Backups stored in Amazon EFS can be shared over NFS (read/write or read-only) with other EC2 instances. Amazon EFS uses a bursting model for performance: accumulated burst credits allow the file system to drive throughput above its baseline rate. A file system can drive throughput continuously at its baseline rate; whenever it is inactive or driving throughput below its baseline rate, it accumulates burst credits. Amazon EFS is useful when you