SlideShare ist ein Scribd-Unternehmen logo

UpdateConf 2018: Top 18 Azure security fails and how to avoid them

Karl Ots
Karl Ots

As presented on 22th of November 2018 in Prague. Karl Ots has assessed the security of over 100 Azure solutions. He has found that there are 18 security pitfalls that are common across all industry verticals and company sizes. In this session, he will share what these security pitfalls are, why do they matter and how to mitigate them.

Technologie
1 von 21
Downloaden Sie, um offline zu lesen
@fincooper Top Azure security fails and how to avoid them Karl Ots, Zure Ltd
@fincooper Karl Ots Managing Consultant karl.ots@zure.com • Cloud & cybersecurity expert • User group and conference organizer, podcast hosts • Patented inventor • Working on Azure since 2011 • Helped to secure 100+ Azure applications, from startups to Fortune 500 enterprises • linkedin.com/in/karlots
@fincooper What to expect in this session • Azure security landscape • Top Azure security fails I have wondered upon in my adventures • Why are they bad? • How to fix them? • Resources to help you secure your Azure environment, regardless of your current status
@fincooper With great power comes great responsibility
@fincooper Security controls for Azure applications Subscriptions and Resource Groups AAD and RBAC ARM Templates, Policies and Locks Logging, Alerting & Auditing Data Encryption Backups & Disaster Recovery Privacy & Compliance Network security
@fincooper Cloud security: reality check
@fincooper Role-Based Access Control Subscription Resource Groups Resources Owner Can perform all management operations for a resource and its child resources including access management and granting access to others. Contributor Can perform all management operations for a resource including create and delete resources. A contributor cannot grant access to other. Reader Has read-only access to a resource and its child resources. A reader cannot read secrets.
@fincooper Privileged Identity Management • Identifies users with administrative privileges • Enables just-in-time administrative access • Generates reports about elevated role access history • Requires Azure AD Premium P2 • For all users in the whole AAD Tenant
@fincooper STRIDE • Azure removes some of the attack surface, as infrastructure and operations are handled by Microsoft. • We can use frameworks such as STRIDE to identify threats: • Good set of tools at https://www.microsoft.com/en-us/SDL/adopt/tools.aspx Threat Property Definition Spoofing Authentication Impersonating something or someone else. Tampering Integrity Modifying data or code. Repudiation Non-repudiation Claiming to have not performed an action. Information Disclosure Confidentiality Exposing information to someone not authorized to see it. Denial of Service Availability Deny or degrade service to users. Elevation of Privilege Authorization Gain capabilities without proper authorization.
@fincooper Security fail #1 • Every user is an Owner • …In the Subscription scope • STRIDE threat categorization: • Tampering • Information Disclosure • Mitigation: • Default access scope should be Resource Group, not Subscription • Default RBAC access should be Contributor, not Owner
@fincooper Security fail #2 • Service Principals have too wide privileges • STRIDE threat categorization: • Repudiation • Mitigation: • Service Principal RBAC assignments should follow the least privileged principle • Service Principals should NOT be granted access in the Subscription scope • Service Principals should NOT be granted Owner access in any scope
@fincooper Security fail #3 • Untrusted authorization provider being used • (Microsoft Account, Gmail, unmanaged Azure AD…) • STRIDE threat categorization: • Spoofing • Elevation of Privilege • Mitigation: • Always use trusted Azure AD authentication that is managed by your organization • Monitor Azure Subscription access using AAD PIM
@fincooper Security fail #4 • Unprotected public endpoints • HTTP / RDP / SSH • STRIDE threat categorization: • Information Disclosure • Denial of Service • Mitigation: • Every public IP is a risk and should be carefully reviewed • Use Network Security Groups to control access to / from virtual machines • Use Azure Security Center’s Just-in-time access to dynamically change NSG rules • Use Web Application Firewall to control access to public HTTP endpoints
@fincooper Security fail #5 • Storage access keys used directly • STRIDE threat categorization: • Information Disclosure • Tampering • Repudiation • Mitigation: • Storage Access Keys should be stored in Azure Key Vault and rotated programmatically • Restrict access to Microsoft.Storage/storageAccounts/listkeys/action using RBAC
@fincooper Security fail #6 • No monitoring or alerting • STRIDE threat categorization: • Repudiation • Denial of Service • Mitigation: • Configure Activity Log retention, default is only 90 days! • Enable Application Insight Smart Alerts • Enable Advanced Treat Protection • Enable Azure SQL Audit logging • Monitor all HTTP endpoint traffic with with Application Gateway / WAF
@fincooper Security fail #7 • Missing Virtual Machine updates • STRIDE threat categorization: • Information Disclosure • Elevation of Privilege • Mitigation: • Update management • Azure Security Center
@fincooper DEMO “How to avoid them”
@fincooper Secure DevOps kit for Azure (AzSK) • Set of tools for assessing the security posture of your Azure environment • Built by Microsoft Core Services Engineering • Used to secure 1000+ Azure subscriptions at Microsoft • Easy to get started with non-intrusive vulnerability scans, expands end-to- end tooling from developer machine to CI/CD to continuous assurance
@fincooper Materials • My slides: slideshare.net/karlots • Secure DevOps Kit for Azure: • azsk.azurewebsites.net • Microsoft Ignite 2018 session THR2104 Assess your Microsoft Azure security like a pro • STRIDE Threat Modeling Lessons from Star Wars: • youtube.com/watch?v=Y3VQpg04vXo • Azure Security and Compliance Blueprint (not Azure Blueprint): • docs.microsoft.com/en-us/azure/security/blueprints/gdpr-paaswa-overview • Azure Virtual Datacenter: • docs.microsoft.com/en-us/azure/architecture/vdc/
@fincooper
UpdateConf 2018: Top 18 Azure security fails and how to avoid them

Empfohlen

Top 18 azure security fails and how to avoid them
Top 18 azure security fails and how to avoid themTop 18 azure security fails and how to avoid them
Top 18 azure security fails and how to avoid them
Karl Ots
 
Top Azure security fails and how to avoid them
Top Azure security fails and how to avoid themTop Azure security fails and how to avoid them
Top Azure security fails and how to avoid them
Karl Ots
 
IglooConf 2019 Secure your Azure applications like a pro
IglooConf 2019 Secure your Azure applications like a proIglooConf 2019 Secure your Azure applications like a pro
IglooConf 2019 Secure your Azure applications like a pro
Karl Ots
 
introduction to Azure Sentinel
introduction to Azure Sentinelintroduction to Azure Sentinel
introduction to Azure Sentinel
Robert Crane
 
BeyondCorp and Zero Trust
BeyondCorp and Zero TrustBeyondCorp and Zero Trust
BeyondCorp and Zero Trust
Ivan Dwyer
 
Threat Hunting on AWS using Azure Sentinel
Threat Hunting on AWS using Azure SentinelThreat Hunting on AWS using Azure Sentinel
Threat Hunting on AWS using Azure Sentinel
Ashwin Patil, GCIH, GCIA, GCFE
 
[OWASP Poland Day] Embedding security into SDLC + GDPR
[OWASP Poland Day] Embedding security into SDLC + GDPR[OWASP Poland Day] Embedding security into SDLC + GDPR
[OWASP Poland Day] Embedding security into SDLC + GDPR
OWASP
 
BeyondCorp and Zero Trust
BeyondCorp and Zero TrustBeyondCorp and Zero Trust
BeyondCorp and Zero Trust
Ivan Dwyer
 

Empfohlen

Top 18 azure security fails and how to avoid them
Top 18 azure security fails and how to avoid themTop 18 azure security fails and how to avoid them
Top 18 azure security fails and how to avoid them
Karl Ots
 
Top Azure security fails and how to avoid them
Top Azure security fails and how to avoid themTop Azure security fails and how to avoid them
Top Azure security fails and how to avoid them
Karl Ots
 
IglooConf 2019 Secure your Azure applications like a pro
IglooConf 2019 Secure your Azure applications like a proIglooConf 2019 Secure your Azure applications like a pro
IglooConf 2019 Secure your Azure applications like a pro
Karl Ots
 
introduction to Azure Sentinel
introduction to Azure Sentinelintroduction to Azure Sentinel
introduction to Azure Sentinel
Robert Crane
 
BeyondCorp and Zero Trust
BeyondCorp and Zero TrustBeyondCorp and Zero Trust
BeyondCorp and Zero Trust
Ivan Dwyer
 
Threat Hunting on AWS using Azure Sentinel
Threat Hunting on AWS using Azure SentinelThreat Hunting on AWS using Azure Sentinel
Threat Hunting on AWS using Azure Sentinel
Ashwin Patil, GCIH, GCIA, GCFE
 
[OWASP Poland Day] Embedding security into SDLC + GDPR
[OWASP Poland Day] Embedding security into SDLC + GDPR[OWASP Poland Day] Embedding security into SDLC + GDPR
[OWASP Poland Day] Embedding security into SDLC + GDPR
OWASP
 
BeyondCorp and Zero Trust
BeyondCorp and Zero TrustBeyondCorp and Zero Trust
BeyondCorp and Zero Trust
Ivan Dwyer
 
BeyondCorp Seattle Meetup: Closing the Adherence Gap
BeyondCorp Seattle Meetup: Closing the Adherence GapBeyondCorp Seattle Meetup: Closing the Adherence Gap
BeyondCorp Seattle Meetup: Closing the Adherence Gap
Ivan Dwyer
 
Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...
Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...
Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...
DevOps.com
 
Security as an Enabler for the Digital World - CISO Perspective
Security as an Enabler for the Digital World - CISO PerspectiveSecurity as an Enabler for the Digital World - CISO Perspective
Security as an Enabler for the Digital World - CISO Perspective
Apigee | Google Cloud
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Tools
centralohioissa
 
BeyondCorp - Google Security for Everyone Else
BeyondCorp - Google Security for Everyone ElseBeyondCorp - Google Security for Everyone Else
BeyondCorp - Google Security for Everyone Else
Ivan Dwyer
 
MCAS High Level Architecture May 2021
MCAS High Level Architecture May 2021MCAS High Level Architecture May 2021
MCAS High Level Architecture May 2021
Matt Soseman
 
AWS Security Strategy
AWS Security StrategyAWS Security Strategy
AWS Security Strategy
Teri Radichel
 
CSS 17: NYC - Realities of Security in the Cloud
CSS 17: NYC - Realities of Security in the CloudCSS 17: NYC - Realities of Security in the Cloud
CSS 17: NYC - Realities of Security in the Cloud
Alert Logic
 
BeyondCorp Myths: Busted
BeyondCorp Myths: BustedBeyondCorp Myths: Busted
BeyondCorp Myths: Busted
Ivan Dwyer
 
Importance of Azure infrastructure?-Microsoft Azure security infrastructure
Importance of Azure infrastructure?-Microsoft Azure security infrastructure Importance of Azure infrastructure?-Microsoft Azure security infrastructure
Importance of Azure infrastructure?-Microsoft Azure security infrastructure
Zabeel Institute
 
Data-driven Security: Protect APIs from Adaptive Threats
Data-driven Security: Protect APIs from Adaptive ThreatsData-driven Security: Protect APIs from Adaptive Threats
Data-driven Security: Protect APIs from Adaptive Threats
Apigee | Google Cloud
 
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh ShregillAgile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
AgileNetwork
 
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...
Alert Logic
 
Modern Security Operations & Common Roles/Competencies
Modern Security Operations & Common Roles/Competencies Modern Security Operations & Common Roles/Competencies
Modern Security Operations & Common Roles/Competencies
Harry McLaren
 
BeyondCorp New York Meetup: Closing the Adherence Gap
BeyondCorp New York Meetup: Closing the Adherence GapBeyondCorp New York Meetup: Closing the Adherence Gap
BeyondCorp New York Meetup: Closing the Adherence Gap
Ivan Dwyer
 
Data-driven API Security
Data-driven API SecurityData-driven API Security
Data-driven API Security
Apigee | Google Cloud
 
CSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsCSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web Applications
Alert Logic
 
#ALSummit: Realities of Security in the Cloud
#ALSummit: Realities of Security in the Cloud#ALSummit: Realities of Security in the Cloud
#ALSummit: Realities of Security in the Cloud
Alert Logic
 
Identity and Data protection with Enterprise Mobility Security in ottica GDPR
Identity and Data protection with Enterprise Mobility Security in ottica GDPRIdentity and Data protection with Enterprise Mobility Security in ottica GDPR
Identity and Data protection with Enterprise Mobility Security in ottica GDPR
Jürgen Ambrosi
 
Securing Healthcare Data on AWS for HIPAA
Securing Healthcare Data on AWS for HIPAASecuring Healthcare Data on AWS for HIPAA
Securing Healthcare Data on AWS for HIPAA
Alert Logic
 
IT Camp 19: Top Azure security fails and how to avoid them
IT Camp 19: Top Azure security fails and how to avoid themIT Camp 19: Top Azure security fails and how to avoid them
IT Camp 19: Top Azure security fails and how to avoid them
Karl Ots
 
DevSum - Top Azure security fails and how to avoid them
DevSum - Top Azure security fails and how to avoid themDevSum - Top Azure security fails and how to avoid them
DevSum - Top Azure security fails and how to avoid them
Karl Ots
 

Weitere ähnliche Inhalte

Was ist angesagt?

Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...
Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...
Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...
DevOps.com
 
Security as an Enabler for the Digital World - CISO Perspective
Security as an Enabler for the Digital World - CISO PerspectiveSecurity as an Enabler for the Digital World - CISO Perspective
Security as an Enabler for the Digital World - CISO Perspective
Apigee | Google Cloud
 

Was ist angesagt? (20)

BeyondCorp Seattle Meetup: Closing the Adherence Gap
BeyondCorp Seattle Meetup: Closing the Adherence GapBeyondCorp Seattle Meetup: Closing the Adherence Gap
BeyondCorp Seattle Meetup: Closing the Adherence Gap
 
Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...
Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...
Hotels, Hookups and Video Conferencing: A Top 10 Countdown to 2020's Worst Da...
 
Security as an Enabler for the Digital World - CISO Perspective
Security as an Enabler for the Digital World - CISO PerspectiveSecurity as an Enabler for the Digital World - CISO Perspective
Security as an Enabler for the Digital World - CISO Perspective
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Tools
 
BeyondCorp - Google Security for Everyone Else
BeyondCorp - Google Security for Everyone ElseBeyondCorp - Google Security for Everyone Else
BeyondCorp - Google Security for Everyone Else
 
MCAS High Level Architecture May 2021
MCAS High Level Architecture May 2021MCAS High Level Architecture May 2021
MCAS High Level Architecture May 2021
 
AWS Security Strategy
AWS Security StrategyAWS Security Strategy
AWS Security Strategy
 
CSS 17: NYC - Realities of Security in the Cloud
CSS 17: NYC - Realities of Security in the CloudCSS 17: NYC - Realities of Security in the Cloud
CSS 17: NYC - Realities of Security in the Cloud
 
BeyondCorp Myths: Busted
BeyondCorp Myths: BustedBeyondCorp Myths: Busted
BeyondCorp Myths: Busted
 
Importance of Azure infrastructure?-Microsoft Azure security infrastructure
Importance of Azure infrastructure?-Microsoft Azure security infrastructure Importance of Azure infrastructure?-Microsoft Azure security infrastructure
Importance of Azure infrastructure?-Microsoft Azure security infrastructure
 
Data-driven Security: Protect APIs from Adaptive Threats
Data-driven Security: Protect APIs from Adaptive ThreatsData-driven Security: Protect APIs from Adaptive Threats
Data-driven Security: Protect APIs from Adaptive Threats
 
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh ShregillAgile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
 
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...
 
Modern Security Operations & Common Roles/Competencies
Modern Security Operations & Common Roles/Competencies Modern Security Operations & Common Roles/Competencies
Modern Security Operations & Common Roles/Competencies
 
BeyondCorp New York Meetup: Closing the Adherence Gap
BeyondCorp New York Meetup: Closing the Adherence GapBeyondCorp New York Meetup: Closing the Adherence Gap
BeyondCorp New York Meetup: Closing the Adherence Gap
 
Data-driven API Security
Data-driven API SecurityData-driven API Security
Data-driven API Security
 
CSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web ApplicationsCSS 17: NYC - Protecting your Web Applications
CSS 17: NYC - Protecting your Web Applications
 
#ALSummit: Realities of Security in the Cloud
#ALSummit: Realities of Security in the Cloud#ALSummit: Realities of Security in the Cloud
#ALSummit: Realities of Security in the Cloud
 
Identity and Data protection with Enterprise Mobility Security in ottica GDPR
Identity and Data protection with Enterprise Mobility Security in ottica GDPRIdentity and Data protection with Enterprise Mobility Security in ottica GDPR
Identity and Data protection with Enterprise Mobility Security in ottica GDPR
 
Securing Healthcare Data on AWS for HIPAA
Securing Healthcare Data on AWS for HIPAASecuring Healthcare Data on AWS for HIPAA
Securing Healthcare Data on AWS for HIPAA
 

Ähnlich wie UpdateConf 2018: Top 18 Azure security fails and how to avoid them

ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...
ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...
ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...
Karl Ots
 
Building an Enterprise-Grade Azure Governance Model
Building an Enterprise-Grade Azure Governance ModelBuilding an Enterprise-Grade Azure Governance Model
Building an Enterprise-Grade Azure Governance Model
Karl Ots
 
Techorama Belgium 2019 - Building an Azure Governance model for the Enterprise
Techorama Belgium 2019 - Building an Azure Governance model for the EnterpriseTechorama Belgium 2019 - Building an Azure Governance model for the Enterprise
Techorama Belgium 2019 - Building an Azure Governance model for the Enterprise
Karl Ots
 

Ähnlich wie UpdateConf 2018: Top 18 Azure security fails and how to avoid them (20)

IT Camp 19: Top Azure security fails and how to avoid them
IT Camp 19: Top Azure security fails and how to avoid themIT Camp 19: Top Azure security fails and how to avoid them
IT Camp 19: Top Azure security fails and how to avoid them
 
DevSum - Top Azure security fails and how to avoid them
DevSum - Top Azure security fails and how to avoid themDevSum - Top Azure security fails and how to avoid them
DevSum - Top Azure security fails and how to avoid them
 
Techorama Belgium 2019: top Azure security fails and how to avoid them
Techorama Belgium 2019: top Azure security fails and how to avoid themTechorama Belgium 2019: top Azure security fails and how to avoid them
Techorama Belgium 2019: top Azure security fails and how to avoid them
 
ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...
ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...
ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...
 
Make your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More SafeMake your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More Safe
 
Top 5 security errors and how to avoid them - DEM06-S - Mexico City AWS Summit
Top 5 security errors and how to avoid them - DEM06-S - Mexico City AWS SummitTop 5 security errors and how to avoid them - DEM06-S - Mexico City AWS Summit
Top 5 security errors and how to avoid them - DEM06-S - Mexico City AWS Summit
 
Cloud Security Zen: Principles to Meditate On
Cloud Security Zen: Principles to Meditate OnCloud Security Zen: Principles to Meditate On
Cloud Security Zen: Principles to Meditate On
 
FAUG #9: Azure security architecture and stories from the trenches
FAUG #9: Azure security architecture and stories from the trenchesFAUG #9: Azure security architecture and stories from the trenches
FAUG #9: Azure security architecture and stories from the trenches
 
Top five security errors and how to avoid them - DEM09 - Santa Clara AWS Summ...
Top five security errors and how to avoid them - DEM09 - Santa Clara AWS Summ...Top five security errors and how to avoid them - DEM09 - Santa Clara AWS Summ...
Top five security errors and how to avoid them - DEM09 - Santa Clara AWS Summ...
 
Top five configuration security errors and how to avoid them - DEM09-S - Chic...
Top five configuration security errors and how to avoid them - DEM09-S - Chic...Top five configuration security errors and how to avoid them - DEM09-S - Chic...
Top five configuration security errors and how to avoid them - DEM09-S - Chic...
 
Web security uploadv1
Web security uploadv1Web security uploadv1
Web security uploadv1
 
MySQL Security
MySQL SecurityMySQL Security
MySQL Security
 
Modern Data Security with MySQL
Modern Data Security with MySQLModern Data Security with MySQL
Modern Data Security with MySQL
 
Let's Discuss Security with SFWelly
Let's Discuss Security with SFWellyLet's Discuss Security with SFWelly
Let's Discuss Security with SFWelly
 
Building an Enterprise-Grade Azure Governance Model
Building an Enterprise-Grade Azure Governance ModelBuilding an Enterprise-Grade Azure Governance Model
Building an Enterprise-Grade Azure Governance Model
 
MySQL Tech Tour 2015 - 5.7 Security
MySQL Tech Tour 2015 - 5.7 SecurityMySQL Tech Tour 2015 - 5.7 Security
MySQL Tech Tour 2015 - 5.7 Security
 
Techorama Belgium 2019 - Building an Azure Governance model for the Enterprise
Techorama Belgium 2019 - Building an Azure Governance model for the EnterpriseTechorama Belgium 2019 - Building an Azure Governance model for the Enterprise
Techorama Belgium 2019 - Building an Azure Governance model for the Enterprise
 
AWS Cloud Security
AWS Cloud SecurityAWS Cloud Security
AWS Cloud Security
 
Cloud App Security Customer Presentation.pdf
Cloud App Security Customer Presentation.pdfCloud App Security Customer Presentation.pdf
Cloud App Security Customer Presentation.pdf
 
Efficiencies in RPA with UiPath and CyberArk Technologies - Session 2
Efficiencies in RPA with UiPath and CyberArk Technologies - Session 2Efficiencies in RPA with UiPath and CyberArk Technologies - Session 2
Efficiencies in RPA with UiPath and CyberArk Technologies - Session 2
 

Mehr von Karl Ots

TechDays Finland 2020: Azuren tietoturva haltuun!
TechDays Finland 2020: Azuren tietoturva haltuun!TechDays Finland 2020: Azuren tietoturva haltuun!
TechDays Finland 2020: Azuren tietoturva haltuun!
Karl Ots
 
Azure Low Lands 2018: Monitoring real life Azure applications when to use wha...
Azure Low Lands 2018: Monitoring real life Azure applications when to use wha...Azure Low Lands 2018: Monitoring real life Azure applications when to use wha...
Azure Low Lands 2018: Monitoring real life Azure applications when to use wha...
Karl Ots
 
UpdateConf 2018: Monitoring real-life Azure applications: When to use what an...
UpdateConf 2018: Monitoring real-life Azure applications: When to use what an...UpdateConf 2018: Monitoring real-life Azure applications: When to use what an...
UpdateConf 2018: Monitoring real-life Azure applications: When to use what an...
Karl Ots
 
Monitoring real-life Azure applications: When to use what and why
Monitoring real-life Azure applications: When to use what and whyMonitoring real-life Azure applications: When to use what and why
Monitoring real-life Azure applications: When to use what and why
Karl Ots
 
Monitoring advanced Azure PaaS workloads in the enterprise - Level: 200
Monitoring advanced Azure PaaS workloads in the enterprise - Level: 200Monitoring advanced Azure PaaS workloads in the enterprise - Level: 200
Monitoring advanced Azure PaaS workloads in the enterprise - Level: 200
Karl Ots
 

Mehr von Karl Ots (20)

TechDays Finland 2020: Best practices of securing web applications running on...
TechDays Finland 2020: Best practices of securing web applications running on...TechDays Finland 2020: Best practices of securing web applications running on...
TechDays Finland 2020: Best practices of securing web applications running on...
 
TechDays Finland 2020: Azuren tietoturva haltuun!
TechDays Finland 2020: Azuren tietoturva haltuun!TechDays Finland 2020: Azuren tietoturva haltuun!
TechDays Finland 2020: Azuren tietoturva haltuun!
 
IglooConf 2020: Best practices of securing web applications running on Azure ...
IglooConf 2020: Best practices of securing web applications running on Azure ...IglooConf 2020: Best practices of securing web applications running on Azure ...
IglooConf 2020: Best practices of securing web applications running on Azure ...
 
CloudBurst Malmö: Best practices of securing web applications running on Azur...
CloudBurst Malmö: Best practices of securing web applications running on Azur...CloudBurst Malmö: Best practices of securing web applications running on Azur...
CloudBurst Malmö: Best practices of securing web applications running on Azur...
 
FAUG Jyväskylä 28.5.2019 - Azure Monitoring
FAUG Jyväskylä 28.5.2019 - Azure MonitoringFAUG Jyväskylä 28.5.2019 - Azure Monitoring
FAUG Jyväskylä 28.5.2019 - Azure Monitoring
 
Azure Low Lands 2018: Monitoring real life Azure applications when to use wha...
Azure Low Lands 2018: Monitoring real life Azure applications when to use wha...Azure Low Lands 2018: Monitoring real life Azure applications when to use wha...
Azure Low Lands 2018: Monitoring real life Azure applications when to use wha...
 
UpdateConf 2018: Monitoring real-life Azure applications: When to use what an...
UpdateConf 2018: Monitoring real-life Azure applications: When to use what an...UpdateConf 2018: Monitoring real-life Azure applications: When to use what an...
UpdateConf 2018: Monitoring real-life Azure applications: When to use what an...
 
Monitoring real-life Azure applications: When to use what and why
Monitoring real-life Azure applications: When to use what and whyMonitoring real-life Azure applications: When to use what and why
Monitoring real-life Azure applications: When to use what and why
 
Azure Saturday: Security + DevOps + Azure = Awesomeness
Azure Saturday: Security + DevOps + Azure = AwesomenessAzure Saturday: Security + DevOps + Azure = Awesomeness
Azure Saturday: Security + DevOps + Azure = Awesomeness
 
Navigating in the sea of containers in azure when to choose which service and...
Navigating in the sea of containers in azure when to choose which service and...Navigating in the sea of containers in azure when to choose which service and...
Navigating in the sea of containers in azure when to choose which service and...
 
Kubernetes in Azure
Kubernetes in AzureKubernetes in Azure
Kubernetes in Azure
 
Azure security architecture
Azure security architectureAzure security architecture
Azure security architecture
 
Azure security architecture / FAUG JKL 15.2.2018
Azure security architecture / FAUG JKL 15.2.2018Azure security architecture / FAUG JKL 15.2.2018
Azure security architecture / FAUG JKL 15.2.2018
 
Securing Azure Infrastructure
Securing Azure InfrastructureSecuring Azure Infrastructure
Securing Azure Infrastructure
 
CloudBrew 2017 - Security + DevOps + Azure = Awesomeness
CloudBrew 2017 - Security + DevOps + Azure = AwesomenessCloudBrew 2017 - Security + DevOps + Azure = Awesomeness
CloudBrew 2017 - Security + DevOps + Azure = Awesomeness
 
Monitoring advanced Azure PaaS workloads in the enterprise - Level: 200
Monitoring advanced Azure PaaS workloads in the enterprise - Level: 200Monitoring advanced Azure PaaS workloads in the enterprise - Level: 200
Monitoring advanced Azure PaaS workloads in the enterprise - Level: 200
 
Building globally scalable media solutions with Azure Media Services part 2
Building globally scalable media solutions with Azure Media Services part 2Building globally scalable media solutions with Azure Media Services part 2
Building globally scalable media solutions with Azure Media Services part 2
 
Security + DevOps + Azure = Awesomeness
Security + DevOps + Azure = AwesomenessSecurity + DevOps + Azure = Awesomeness
Security + DevOps + Azure = Awesomeness
 
Sovellusmodernisoinnin webinaarisarja, osa 3: modernisoidun sovelluksen integ...
Sovellusmodernisoinnin webinaarisarja, osa 3: modernisoidun sovelluksen integ...Sovellusmodernisoinnin webinaarisarja, osa 3: modernisoidun sovelluksen integ...
Sovellusmodernisoinnin webinaarisarja, osa 3: modernisoidun sovelluksen integ...
 
Sovellusmodernisoinnin webinaarisarja, osa 2: liiketoimintasovelluksen modern...
Sovellusmodernisoinnin webinaarisarja, osa 2: liiketoimintasovelluksen modern...Sovellusmodernisoinnin webinaarisarja, osa 2: liiketoimintasovelluksen modern...
Sovellusmodernisoinnin webinaarisarja, osa 2: liiketoimintasovelluksen modern...
 

Kürzlich hochgeladen

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 

Kürzlich hochgeladen (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 

UpdateConf 2018: Top 18 Azure security fails and how to avoid them

  • 1. @fincooper Top Azure security fails and how to avoid them Karl Ots, Zure Ltd
  • 2. @fincooper Karl Ots Managing Consultant karl.ots@zure.com • Cloud & cybersecurity expert • User group and conference organizer, podcast hosts • Patented inventor • Working on Azure since 2011 • Helped to secure 100+ Azure applications, from startups to Fortune 500 enterprises • linkedin.com/in/karlots
  • 3. @fincooper What to expect in this session • Azure security landscape • Top Azure security fails I have wondered upon in my adventures • Why are they bad? • How to fix them? • Resources to help you secure your Azure environment, regardless of your current status
  • 4. @fincooper With great power comes great responsibility
  • 5. @fincooper Security controls for Azure applications Subscriptions and Resource Groups AAD and RBAC ARM Templates, Policies and Locks Logging, Alerting & Auditing Data Encryption Backups & Disaster Recovery Privacy & Compliance Network security
  • 7. @fincooper Role-Based Access Control Subscription Resource Groups Resources Owner Can perform all management operations for a resource and its child resources including access management and granting access to others. Contributor Can perform all management operations for a resource including create and delete resources. A contributor cannot grant access to other. Reader Has read-only access to a resource and its child resources. A reader cannot read secrets.
  • 8. @fincooper Privileged Identity Management • Identifies users with administrative privileges • Enables just-in-time administrative access • Generates reports about elevated role access history • Requires Azure AD Premium P2 • For all users in the whole AAD Tenant
  • 9. @fincooper STRIDE • Azure removes some of the attack surface, as infrastructure and operations are handled by Microsoft. • We can use frameworks such as STRIDE to identify threats: • Good set of tools at https://www.microsoft.com/en-us/SDL/adopt/tools.aspx Threat Property Definition Spoofing Authentication Impersonating something or someone else. Tampering Integrity Modifying data or code. Repudiation Non-repudiation Claiming to have not performed an action. Information Disclosure Confidentiality Exposing information to someone not authorized to see it. Denial of Service Availability Deny or degrade service to users. Elevation of Privilege Authorization Gain capabilities without proper authorization.
  • 10. @fincooper Security fail #1 • Every user is an Owner • …In the Subscription scope • STRIDE threat categorization: • Tampering • Information Disclosure • Mitigation: • Default access scope should be Resource Group, not Subscription • Default RBAC access should be Contributor, not Owner
  • 11. @fincooper Security fail #2 • Service Principals have too wide privileges • STRIDE threat categorization: • Repudiation • Mitigation: • Service Principal RBAC assignments should follow the least privileged principle • Service Principals should NOT be granted access in the Subscription scope • Service Principals should NOT be granted Owner access in any scope
  • 12. @fincooper Security fail #3 • Untrusted authorization provider being used • (Microsoft Account, Gmail, unmanaged Azure AD…) • STRIDE threat categorization: • Spoofing • Elevation of Privilege • Mitigation: • Always use trusted Azure AD authentication that is managed by your organization • Monitor Azure Subscription access using AAD PIM
  • 13. @fincooper Security fail #4 • Unprotected public endpoints • HTTP / RDP / SSH • STRIDE threat categorization: • Information Disclosure • Denial of Service • Mitigation: • Every public IP is a risk and should be carefully reviewed • Use Network Security Groups to control access to / from virtual machines • Use Azure Security Center’s Just-in-time access to dynamically change NSG rules • Use Web Application Firewall to control access to public HTTP endpoints
  • 14. @fincooper Security fail #5 • Storage access keys used directly • STRIDE threat categorization: • Information Disclosure • Tampering • Repudiation • Mitigation: • Storage Access Keys should be stored in Azure Key Vault and rotated programmatically • Restrict access to Microsoft.Storage/storageAccounts/listkeys/action using RBAC
  • 15. @fincooper Security fail #6 • No monitoring or alerting • STRIDE threat categorization: • Repudiation • Denial of Service • Mitigation: • Configure Activity Log retention, default is only 90 days! • Enable Application Insight Smart Alerts • Enable Advanced Treat Protection • Enable Azure SQL Audit logging • Monitor all HTTP endpoint traffic with with Application Gateway / WAF
  • 16. @fincooper Security fail #7 • Missing Virtual Machine updates • STRIDE threat categorization: • Information Disclosure • Elevation of Privilege • Mitigation: • Update management • Azure Security Center
  • 18. @fincooper Secure DevOps kit for Azure (AzSK) • Set of tools for assessing the security posture of your Azure environment • Built by Microsoft Core Services Engineering • Used to secure 1000+ Azure subscriptions at Microsoft • Easy to get started with non-intrusive vulnerability scans, expands end-to- end tooling from developer machine to CI/CD to continuous assurance
  • 19. @fincooper Materials • My slides: slideshare.net/karlots • Secure DevOps Kit for Azure: • azsk.azurewebsites.net • Microsoft Ignite 2018 session THR2104 Assess your Microsoft Azure security like a pro • STRIDE Threat Modeling Lessons from Star Wars: • youtube.com/watch?v=Y3VQpg04vXo • Azure Security and Compliance Blueprint (not Azure Blueprint): • docs.microsoft.com/en-us/azure/security/blueprints/gdpr-paaswa-overview • Azure Virtual Datacenter: • docs.microsoft.com/en-us/azure/architecture/vdc/