2. Agenda
Trusted Cloud (What Microsoft Does for You)
Azure Security and Identity Capabilities (What You Can Do to Secure a Cloud Solution)
Security Guidance (How You Can Secure a Cloud Solution)
Questions
What’s Next…
4. We build security into Microsoft products and services from the start. That’s how we deliver a comprehensive, agile platform to better protect your endpoints, move faster to detect threats, and respond to security breaches across even the largest of organizations.
Protect all endpoints – from sensors and datacenters to identities and SaaS applications: prevent identity compromise, expand device controls, secure apps and data, safeguard infrastructure.
Detect threats using the scale and intelligence of the cloud, machine learning and behavioral monitoring.
Respond more quickly and comprehensively, and empower our customers with insights that are actionable and holistic.
5. Transparency: You know what we are doing with your data
Security: We’ll help you keep your data secure
Compliance: We manage your data in accordance with the law
Privacy & Control: Your data is private and under your control
Reliability: We provide enterprise grade uptime for cloud services
Microsoft is committed to providing a cloud you can trust. We take very seriously our commitment to protect customers in a cloud-first world. We follow a set of standards and best practices to ensure that our cloud services are reliable and perform as you need them to. And we actively partner with a wide range of industry and government entities to establish confidence and trust in the wider cloud ecosystem.
Diagram labels: Platform, Partners, Intelligence
• Microsoft does not provide any government with direct, unfettered access to customers’ data
• Microsoft does not provide any government with encryption keys or assist their efforts to break our encryption
• Microsoft does not engineer back doors into our products
• Microsoft has never provided business or government data in response to a national security order
• Microsoft will contest any attempt by the US government to disclose customer content stored exclusively overseas
7. The scope of Microsoft’s threat intelligence spans trillions of signals from billions of data points.
300 billion authentications processed monthly
600,000 known spam email addresses tracked
250 million Windows Defender users worldwide
600 million computers reporting monthly
200 billion messages scanned monthly
8.5+ billion Bing web-page scans per month
1 billion enterprise and consumer customers
200+ cloud services
9. Microsoft is committed to the highest levels of trust, transparency, standards conformance, and regulatory compliance. Our broad suite of cloud products and services is built from the ground up to address the most rigorous security and privacy demands of our customers.
https://www.microsoft.com/en-us/TrustCenter/Compliance
10. "Data [in the Microsoft Cloud] is housed in a bunker that's got the highest possible standards of security and encrypted transit of data." Murray Gardiner, Business Director, Temenos
"We chose Microsoft because it has a strong commitment to the criminal justice and public security market." Frank Barret, Director of Cloud Services, MorphoTrak
"UL trusts Microsoft to help create a future that is safe and to help us innovate at the speed of our customers." Bob Jamieson, Information Security Director, UL
11. Azure Security and Identity Capabilities
What You Can Do to Secure a Cloud Solution
General
• Security Center
• Key Vault
• Anti-Malware
• Log Analytics
• Operations Management Suite
Storage
• Disk Encryption
• Storage Service Encryption
• File Shares with SMB 3.0 Encryption
• Storage Analytics
• StorSimple
Identity and Access Management
• Active Directory (AD)
• AD B2C
• AD B2B Collaboration
• AD Domain Services
• AD Conditional Access
• AD Identity Protection
• AD Privileged Identity
• Role Based Access Control (RBAC)
• Multi-Factor Authentication
Database
• Authentication
• Firewall
• Cell Level Encryption
• Column Level Encryption
• Always Encrypted
• Transparent Data Encryption
• Database Auditing
Networking
• Firewall
• Virtual Networks
• Network Security Groups
• VPN
• Application Gateway
• ExpressRoute
• Application Proxy
Delivering experiences securely requires a partnership between our platform services and how you enact security policies and controls. Microsoft Azure has the tools empowering you to deliver secure experiences and services to your customers.
13. A comprehensive identity and access management solution for the cloud that provides a robust set of capabilities to manage users and groups and help secure access to applications including Microsoft online services like Office 365 and a world of non-Microsoft SaaS applications. It combines core directory services, advanced identity governance and application access management.
Single sign-on to any cloud app
Works with multiple platforms and devices
Integrates with on-premises Active Directory
Enterprise scale and SLA
Enforce multi-factor authentication
Centrally manage users and access to Azure, O365, and thousands of pre-integrated SaaS solutions
14. A highly available, global, identity management service for consumer-facing applications that scales to hundreds of millions of identities. Your consumers can log on to all your applications through fully customizable experiences by using their existing social accounts or by creating new credentials.
Improve connection with your consumers
Pay only for what you use
Scale to hundreds of millions of consumers
Help protect your consumers’ identities
Let consumers use their social media accounts
Customizable workflows for consumer interactions
15. Provides a consolidated view into risk events and potential vulnerabilities affecting your organization’s identities. Based on risk events, Identity Protection calculates a user risk level for each user, enabling you to configure risk-based policies to automatically protect the identities of your organization.
Brute force attacks
Leaked credentials
Infected devices
Suspicious sign-in activities
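The Identity Protection slide lists the risk event types (brute force attacks, leaked credentials, infected devices, suspicious sign-in activities) and says a per-user risk level drives a risk-based policy, but it does not show what such an evaluation looks like. The script below is an added example, not Microsoft's Identity Protection logic and not code from this presentation: it runs a small detector over a constructed sign-in log, raises those four event types from the log plus two constructed external signals (a leaked-credential list and a set of infected-device IPs), derives a risk level, and maps the level to a policy action. The thresholds, the level rules, the record format and every IP and account name are assumptions made for the illustration.

```python
"""Risk-based sign-in policy over constructed sign-in records.

Added example: an illustrative model of the risk events named on the slide,
not Microsoft's Identity Protection algorithm. Thresholds, level rules and
all records below are invented sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BRUTE_FORCE_FAILURES = 5                    # this many failures for one user from one IP...
BRUTE_FORCE_WINDOW = timedelta(minutes=10)  # ...inside this window counts as brute force

# Constructed sign-in log: (user, source IP, UTC timestamp, success).
SIGN_INS = [
    ("alice", "203.0.113.5", "2017-01-17T09:00:00", False),
    ("alice", "203.0.113.5", "2017-01-17T09:01:00", False),
    ("alice", "203.0.113.5", "2017-01-17T09:02:00", False),
    ("alice", "203.0.113.5", "2017-01-17T09:03:00", False),
    ("alice", "203.0.113.5", "2017-01-17T09:04:00", False),
    ("alice", "203.0.113.5", "2017-01-17T09:05:00", True),
    ("bob", "198.51.100.7", "2017-01-17T09:10:00", True),
    ("carol", "192.0.2.9", "2017-01-17T09:12:00", True),
    ("dave", "198.51.100.20", "2017-01-17T09:15:00", True),
]
# Constructed external signals: accounts seen in a credential dump, and IPs of
# devices that endpoint protection has flagged as infected.
LEAKED_CREDENTIALS = {"bob"}
INFECTED_DEVICE_IPS = {"192.0.2.9"}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def detect_risk_events(sign_ins, leaked=LEAKED_CREDENTIALS, infected=INFECTED_DEVICE_IPS):
    """Map each user to the set of risk event names raised by their sign-ins."""
    events = defaultdict(set)
    failures = defaultdict(list)  # (user, ip) -> failure timestamps
    for user, ip, ts, ok in sign_ins:
        if not ok:
            failures[(user, ip)].append(parse(ts))
    # Brute force: a sliding window of BRUTE_FORCE_FAILURES failures within the window.
    brute_forced = set()
    for (user, ip), times in failures.items():
        times.sort()
        for i in range(len(times) - BRUTE_FORCE_FAILURES + 1):
            if times[i + BRUTE_FORCE_FAILURES - 1] - times[i] <= BRUTE_FORCE_WINDOW:
                events[user].add("brute force")
                brute_forced.add((user, ip))
                break
    for user, ip, ts, ok in sign_ins:
        if ok and (user, ip) in brute_forced:
            # A success from the same IP right after a guessing burst is suspicious.
            events[user].add("suspicious sign-in")
        if ok and ip in infected:
            events[user].add("infected device")
        if user in leaked:
            events[user].add("leaked credentials")
    return dict(events)


def risk_level(user_events):
    """Illustrative level rule: leaked credentials or two or more events is high."""
    if "leaked credentials" in user_events or len(user_events) >= 2:
        return "high"
    return "medium" if user_events else "low"


# Policy actions keyed by risk level (constructed example policy).
POLICY = {
    "high": "block and require password reset",
    "medium": "require multi-factor authentication",
    "low": "allow",
}


def evaluate(sign_ins):
    """Per-user (risk level, policy action); users with no events are rated low."""
    events = detect_risk_events(sign_ins)
    decisions = {}
    for user in sorted({rec[0] for rec in sign_ins}):
        level = risk_level(events.get(user, set()))
        decisions[user] = (level, POLICY[level])
    return decisions


if __name__ == "__main__":
    for user, (level, action) in evaluate(SIGN_INS).items():
        print(f"{user}: {level} -> {action}")
```

With the constructed log, alice is rated high (brute force followed by a success from the attacking IP), bob is high on the leaked-credential signal alone, carol gets an MFA challenge for signing in from a flagged device, and dave is allowed. The same shape generalizes: new event detectors add entries to the per-user set, and the policy table, not the detectors, decides what happens at each level.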
16. Discover, restrict and monitor privileged identities and their access to resources, and enforce on-demand, just-in-time administrative access when needed.
See which users are Azure AD administrators
Enable on-demand, "just in time" administrative access to Microsoft Online Services like Office 365 and Intune
Get reports about administrator access history and changes in administrator assignments
Get alerts about access to a privileged role
17. Azure Multi-Factor Authentication (MFA) helps safeguard access to data and applications while meeting user demand for a simple sign-in process. It delivers strong authentication via a range of verification methods, including phone call, text message, or mobile app verification.
Protect sensitive data and applications both on-premises and in the cloud with Multi-Factor Authentication
Can use Active Directory (on-premises) with Azure Active Directory (in cloud) to enable single sign-on, a single directory, and centralized identity management
Multi-Factor Authentication can be implemented with Phone Factor or with AD on-premises
Diagram labels: Active Directory, Microsoft Azure Active Directory
18. Safeguard cryptographic keys and other secrets used by cloud apps and services. With Azure Key Vault, you can encrypt keys and small secrets like passwords using keys stored in hardware security modules (HSMs).
Diagram labels: Microsoft Azure (IaaS, PaaS, SaaS), Import keys, HSM, Key Vault
Increase security and control over keys and passwords
Create and import encryption keys in minutes
Applications have no direct access to keys
Use FIPS 140-2 Level 2 validated HSMs
Reduce latency with cloud scale and global redundancy
Simplify and automate tasks for SSL/TLS certificates
19. Azure Security Center helps you prevent, detect and respond to threats with increased visibility and control over the security of all your Azure resources. It provides a central view of security across your subscriptions, and enables you to set policies and monitor security configurations.
Diagram labels: Visibility & Control; Deploy & Detect; Set Policy & Monitor; Understand Current State; Deploy Integrated Solutions; Respond & recover faster; Find threats that might go unnoticed; Continue learning
Threat detection using advanced analytics
Asset discovery and ongoing security assessment (OS configurations, system updates, SQL Db configurations, virtual network configurations)
Actionable security recommendations with easy remediation
Security policy for IT governance
Integrated management and monitoring of partner security solutions
20. Antimalware
• Virtual machines: Kaspersky, Trend Micro
• Active Directory integrations: Symantec, McAfee
Networking security
• aiScaler
• Barracuda
• Check Point
• Riverbed
• Cohesive Networks
• F5
• Cisco
• CloudFlare
• Imperva
• Fortinet
• Stormshield
• Palo Alto Networks
• Brocade
Encryption
• CloudLink
• Townsend Security
Monitoring and alerts
• Alert Logic
• Derdack
• Nagios
• Imperva
• Dome9
• Trend Micro
Messaging Security
• Kaspersky
• Barracuda
• Trend Micro
• GreatHorn
Application Security
• Waratek
• DataSunrise
• Tinfoil Security
• CipherPoint
• Hewlett Packard Enterprise
Authentication
• Login People
• Auth0
In addition to the robust security capabilities built into Azure, the Azure Marketplace offers a rich array of additional security products built by our partners for Azure.
22. Different types of workloads have varying security requirements. Your responsibility for security is based on the type of cloud service.
Compute Security
• Encrypt virtual disk & disk storage
• OS hardening
• Install antimalware
• Software updates management
Network Security
• Implement network isolation
• Deploy DMZ for network zoning
• Control routing behavior
• Control and limit endpoint access
Identity Management
• Centralize identity management
• Use multi-factor authentication
• Use a key management solution
Data and Storage Security
• Protect data in transit
• Encrypt data at rest
System Resiliency
• Implement best practices for high availability
• Implement disaster recovery plans
• Establish backup strategies
Operational Security
• Secure administrative access
• Use role-based access control
• Implement credential lifecycle management policies
• Centralize monitoring and systems management
23. We start with a typical web application deployed using Azure Virtual Machines – with a web/application server, a database server, and files stored in Azure Storage.
1. Implement data encryption (in transit and at rest)
• Virtual Machine Disk Encryption
• SQL Server Transparent Data Encryption (TDE)
• Blob Storage Service Encryption (SSE)
2. Add Virtual Machine as firewall appliance
3. Add Virtual networks, network security groups (NSG)
4. Add VM instances in Availability Sets
5. Store keys and secrets in Key Vault
6. Manage identities with Active Directory
7. Add Multi-Factor Authentication
8. Instrument application with Application Insights
9. Integrate application, diagnostics, and system logs with OMS
10. Use Security Center for centralized security management
And other capabilities can also be used to further enhance the architecture.
Diagram labels: Virtual Machine (web/app server), Virtual Machine (database server), Virtual Machine (firewall appliance), VMs in avail. set (firewall appliance), VMs in avail. set (web/app server), VMs in avail. set (database server), NSG, Load Balancer, Blob Storage, Azure Portal, Key Vault, Multi-Factor Authentication, Active Directory, Security Center, Operations Management Suite, Application Insights, Content Delivery Network, Application Gateway, Traffic Manager, VPN Gateway, ExpressRoute, DNS
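Step 3 above adds network security groups, and the guidance slide before it asks you to "control and limit endpoint access", but neither shows the property that makes NSGs easy to get wrong: rules are evaluated in ascending priority order and the first match wins, so a Deny placed behind a broader Allow never takes effect. The script below is an added example, not code from this presentation or from Microsoft. It audits a list of rules shaped like Azure NSG security rules (the field names mirror the rule properties priority, direction, access, protocol, sourceAddressPrefix and destinationPortRange; every rule value, the management-port list and the address prefixes are constructed sample data), reports management ports reachable from the Internet, and flags Deny rules that a higher-priority Allow shadows. The `Rule` class and helper functions are my own, and the source matching is a deliberate simplification of Azure's CIDR and service-tag matching.

```python
"""Audit NSG-style inbound rules for Internet-exposed management ports.

Added example for the reference architecture above; not code from the slide
deck or from Microsoft. Field names mirror Azure NSG securityRules properties;
all rule values below are constructed sample data.
"""
from dataclasses import dataclass

# Constructed policy: ports that must never be reachable from the Internet.
MANAGEMENT_PORTS = (22, 3389, 1433, 5985, 5986)
# Source prefixes this audit treats as "anywhere on the Internet".
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # lower number is evaluated first, as in Azure NSGs
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # sourceAddressPrefix (simplified: exact prefix or Internet alias)
    dest_ports: str  # destinationPortRange: "22", "1000-2000" or "*"


def port_range(spec):
    """Expand a destinationPortRange string into an inclusive (low, high) tuple."""
    if spec == "*":
        return 0, 65535
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo), int(hi)
    return int(spec), int(spec)


def source_covers(rule_source, source):
    """True if rule_source matches traffic from `source`. Simplification:
    '*' matches everything, Internet aliases match each other, otherwise the
    prefixes must be identical (no real CIDR containment is computed)."""
    if rule_source == "*":
        return True
    if rule_source in INTERNET_SOURCES and source in INTERNET_SOURCES:
        return True
    return rule_source == source


def effective_inbound_access(rules, source, port):
    """Decision for inbound traffic from `source` to `port`: the first matching
    rule in ascending priority order wins; with no match the default
    DenyAllInBound rule applies."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != "Inbound":
            continue
        lo, hi = port_range(rule.dest_ports)
        if source_covers(rule.source, source) and lo <= port <= hi:
            return rule.access
    return "Deny"


def shadowed_rules(rules):
    """(rule, earlier) pairs where a higher-priority rule with the opposite
    decision already covers every source and port the rule could match."""
    ordered = sorted(rules, key=lambda r: r.priority)
    found = []
    for i, rule in enumerate(ordered):
        r_lo, r_hi = port_range(rule.dest_ports)
        for earlier in ordered[:i]:
            e_lo, e_hi = port_range(earlier.dest_ports)
            if (earlier.direction == rule.direction and earlier.access != rule.access
                    and source_covers(earlier.source, rule.source)
                    and e_lo <= r_lo and r_hi <= e_hi):
                found.append((rule, earlier))
                break
    return found


def audit(rules):
    """Human-readable findings for one NSG."""
    findings = []
    for port in MANAGEMENT_PORTS:
        if effective_inbound_access(rules, "Internet", port) == "Allow":
            findings.append(f"port {port} reachable from Internet")
    for rule, earlier in shadowed_rules(rules):
        findings.append(f"rule {rule.name} never applies: shadowed by {earlier.name}")
    return findings


# Constructed "before": RDP open to the world; the Deny sits behind the Allow.
WEAK_RULES = [
    Rule("allow-rdp", 100, "Inbound", "Allow", "Tcp", "*", "3389"),
    Rule("allow-https", 110, "Inbound", "Allow", "Tcp", "*", "443"),
    Rule("deny-rdp-internet", 200, "Inbound", "Deny", "Tcp", "Internet", "3389"),
]

# Constructed "after": RDP only from a management subnet, an explicit Internet
# Deny ahead of anything broader, HTTPS still public.
HARDENED_RULES = [
    Rule("allow-rdp-mgmt", 100, "Inbound", "Allow", "Tcp", "10.0.100.0/24", "3389"),
    Rule("deny-rdp-internet", 110, "Inbound", "Deny", "Tcp", "Internet", "3389"),
    Rule("allow-https", 120, "Inbound", "Allow", "Tcp", "*", "443"),
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, audit(rules) or ["no findings"])
```

Run as-is, the weak set yields two findings (RDP reachable from the Internet, and the Deny rule that never fires), while the hardened set yields none and still allows RDP from the management prefix. In a real subscription the same logic would run over rules exported from the NSG resource rather than over the constructed lists here, and the source matching would need proper CIDR containment.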
24. Learn more about our approach to security at www.microsoft.com/security
Discover more about our principled approach at www.microsoft.com/trustcenter
Explore our certifications at www.microsoft.com/TrustCenter/Compliance
Take an in-depth view of our global datacenters at www.microsoft.com/datacenters
Read about best practices from our Cyber Defense Operations Center at
blogs.microsoft.com/microsoftsecure/2017/01/17/microsofts-cyber-defense-operations-center-shares-best-practices/
Read more about Azure as the Trusted Cloud at azure.microsoft.com/trustcenter
Learn about Azure security capabilities and best practices at docs.microsoft.com/en-us/azure/security/
Innovations in Windows 10, Office 365, Microsoft Azure, and Microsoft Enterprise Mobility Suite (EMS) work in tandem with each other, and with partner solutions from across the security ecosystem to deliver a holistic, agile, security platform. Combined with insights from the intelligent security graph, these security features are designed to help prevent the accidental or intentional loss of corporate data, prevent password related attacks, and prevent and respond to the installation of malware on a machine or in your environment.
$1 billion is invested annually by Microsoft to advance our efforts on security, data protection and risk management
3,500+ security-focused professionals are employed by Microsoft. The Center brings together over 50 cybersecurity experts and data scientists in a centralized hub that is tightly connected to these globally-distributed security professionals.
We take seriously our commitment to safeguard our customers’ data, to protect their right to make decisions about that data, and to be transparent about what happens to that data. We are guided by a set of “Trusted Cloud Principles,” that articulate our vision of what enterprise organizations are entitled to expect from their cloud provider:
Security: The confidentiality, integrity, and availability of your data is secured. Microsoft cloud services are designed, developed, and operated to help ensure that your data is secure.
Privacy & Control: No one is able to use your data in a way that you do not approve. Microsoft prioritizes your data privacy; our commercial cloud customers own their data and we don’t use it to deliver targeted advertising.
Compliance: You can meet your regulatory obligations. This means we support you with certified compliance credentials, backed by third-party audits.
Transparency: You understand how your data is being handled and used. This means we provide an appropriate level of transparency into security, privacy and compliance practices and actions to help protect your information.
Reliability means more to Microsoft than just making dependable software and services. It also means investing in processes and technology to improve reliability, focusing on every customer’s experience, and maintaining active partnerships with a wide variety of software and hardware companies.
Here’s what we’re doing about it:
Our datacenters and services are resilient by design: Our datacenters and services are designed to run 24x7x365, are architected for fast identification and testing of probable failures and have mechanisms that allow rapid recovery from such failures, based on industry standards and practices.
We provide you with service health information, including planned maintenance. Microsoft provides a range of dashboards, feeds and notification mechanisms to help customers to get access to information in the event of a planned or unplanned service impacting event.
We adhere to industry standard best practices and certifications to help ensure reliability. Microsoft leverages industry standard practices and processes to maintain the health of the services we provide, including as a component of compliance requirements. These include service level agreements that are financially backed.
We offer our customers many tools to help build resiliency into applications hosted on Azure:
High Availability: https://azure.microsoft.com/en-us/documentation/articles/resiliency-disaster-recovery-high-availability-azure-applications/
Disaster recovery: https://azure.microsoft.com/en-us/solutions/disaster-recovery
Backup / archiving: https://azure.microsoft.com/en-us/solutions/backup-archive/
Monitoring and Management: https://www.microsoft.com/en-us/cloud-platform/operations-management-suite
Strong security protects customer content from unauthorized access by using state-of-the-art industry technology, best practices and certifications. Secure cloud solutions are the result of comprehensive planning, intelligent design, and efficient operations. Microsoft makes security a priority at every step, from code development to incident response.
At the end of the day, all of that is for this – empowering you to deliver secure experiences and services to your customers.
Delivering experiences securely requires a partnership between our platform services and how you enact security policies and controls.
Slide script:
Azure Active Directory is a comprehensive identity and access management solution for the cloud that provides a robust set of capabilities to manage users and groups and help secure access to applications including Microsoft online services like Office 365 and a world of non-Microsoft SaaS applications. It combines core directory services, advanced identity governance and application access management. Azure Active Directory also offers a rich standards-based platform that enables developers to deliver access control to their applications, based on centralized policy and rules.
AZURE:
Uses Azure AD to govern access to the management portal with granular access controls for users and groups on subscription or resource groups
Provides enterprise cloud identity and access management
Enables single sign-on across cloud applications
Offers Multi-Factor Authentication for enhanced security
CUSTOMER:
Centrally manages users and access to Azure, O365, and hundreds of pre-integrated cloud applications
Builds Azure AD into their web and mobile applications
Can extend on-premises directories to Azure AD through synchronization
Slide script:
Azure Active Directory (Azure AD) provides an easy way for your business to manage identity and access, both in the cloud and on-premises. Your users can use one work or school account for single sign-on to any cloud and on-premises web application, using their favorite device, including iOS, Mac OS X, Android, and Windows devices. Your organization can protect sensitive data and applications both on-premises and in the cloud with integrated multi-factor authentication ensuring secure local and remote access. Or extend your on-premises directories so that information workers can use a single organizational account to securely and consistently access their corporate resources.
You can use Two-Factor Authentication for DevOps access to your production services. Two-Factor Authentication can be implemented with Phone Factor or with AD on-premises.
Azure Security Center helps you prevent, detect and respond to threats with increased visibility and control over the security of all your Azure resources. It provides a central view of security across your subscriptions, and enables you to set policies and monitor security configurations. Policy-driven recommendations guide resource owners through the process of implementing security controls and enable rapid deployment of integrated Microsoft and partner security solutions. Security-related events from across your Azure deployments are automatically collected and analyzed using Microsoft global threat intelligence and expertise to identify actual threats and reduce false alarms. The resulting real-time alerts offer insights into the attack campaign and suggest ways to remediate and recover quickly.
Partner with peers, work with industry alliances, and work with governments