As presented on 22nd of November 2018 in Prague.
Karl Ots has assessed the security of over 100 Azure solutions. He has found that there are 18 security pitfalls that are common across all industry verticals and company sizes. In this session, he will share what these security pitfalls are, why they matter and how to mitigate them.
Slide 2 (@fincooper)
Karl Ots
Managing Consultant
karl.ots@zure.com
• Cloud & cybersecurity expert
• User group and conference organizer, podcast host
• Patented inventor
• Working on Azure since 2011
• Helped to secure 100+ Azure applications, from startups to Fortune 500 enterprises
• linkedin.com/in/karlots
Slide 3
What to expect in this session
• Azure security landscape
• Top Azure security fails I have stumbled upon in my adventures
• Why are they bad?
• How to fix them?
• Resources to help you secure your Azure environment, regardless of your current status
Slide 5
Security controls for Azure applications
• Subscriptions and Resource Groups
• AAD and RBAC
• ARM Templates, Policies and Locks
• Logging, Alerting & Auditing
• Data Encryption
• Backups & Disaster Recovery
• Privacy & Compliance
• Network security
Slide 7
Role-Based Access Control
Scopes, from widest to narrowest: Subscription > Resource Groups > Resources
• Owner: Can perform all management operations for a resource and its child resources, including access management and granting access to others.
• Contributor: Can perform all management operations for a resource, including creating and deleting resources. A contributor cannot grant access to others.
• Reader: Has read-only access to a resource and its child resources. A reader cannot read secrets.
Slide 8
Privileged Identity Management
• Identifies users with administrative privileges
• Enables just-in-time administrative access
• Generates reports about elevated role access history
• Requires Azure AD Premium P2
• For all users in the whole AAD Tenant
Slide 9
STRIDE
• Azure removes some of the attack surface, as infrastructure and operations are handled by Microsoft.
• We can use frameworks such as STRIDE to identify threats:
• Good set of tools at https://www.microsoft.com/en-us/SDL/adopt/tools.aspx
Threat                  Property          Definition
Spoofing                Authentication    Impersonating something or someone else.
Tampering               Integrity         Modifying data or code.
Repudiation             Non-repudiation   Claiming to have not performed an action.
Information Disclosure  Confidentiality   Exposing information to someone not authorized to see it.
Denial of Service       Availability      Deny or degrade service to users.
Elevation of Privilege  Authorization     Gain capabilities without proper authorization.
Slide 10
Security fail #1
• Every user is an Owner
• …In the Subscription scope
• STRIDE threat categorization:
• Tampering
• Information Disclosure
• Mitigation:
• Default access scope should be Resource Group, not Subscription
• Default RBAC access should be Contributor, not Owner
Slide 11
Security fail #2
• Service Principals have too wide privileges
• STRIDE threat categorization:
• Repudiation
• Mitigation:
• Service Principal RBAC assignments should follow the least privileged principle
• Service Principals should NOT be granted access in the Subscription scope
• Service Principals should NOT be granted Owner access in any scope
Slide 12
Security fail #3
• Untrusted authorization provider being used
• (Microsoft Account, Gmail, unmanaged Azure AD…)
• STRIDE threat categorization:
• Spoofing
• Elevation of Privilege
• Mitigation:
• Always use trusted Azure AD authentication that is managed by your organization
• Monitor Azure Subscription access using AAD PIM
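Security fails #1, #2 and #3 can all be read off the subscription's role assignments. The script below, an added example that is not part of the talk or of any Microsoft tooling, audits a list of assignments against the three mitigations above: users holding Owner or any role at subscription scope, service principals at subscription scope or with Owner anywhere, and external (guest) identities holding a role. The records are constructed and only mimic the field names of `az role assignment list --all -o json`; the subscription id and principal names are invented.

```python
"""Audit Azure RBAC assignments for security fails #1, #2 and #3.

Added example, not from the talk. Records mimic the shape of
`az role assignment list --all -o json` (principalName, principalType,
roleDefinitionName, scope); the assignments and subscription id below are
constructed, not real.
"""
import re

# Subscription scope is "/subscriptions/<id>" with nothing after it.
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[^/]+/?$")
# Management-group scope is wider still: every subscription beneath inherits it.
MANAGEMENT_GROUP_SCOPE = re.compile(r"^/providers/Microsoft\.Management/managementGroups/")
# Azure AD guest (B2B) users carry this marker in their UPN; a consumer
# Microsoft Account or Gmail identity invited into the tenant shows up this way.
# An unmanaged Azure AD tenant cannot be told apart from assignment data alone.
EXTERNAL_UPN_MARKER = "#EXT#"

SUB = "/subscriptions/11111111-2222-3333-4444-555555555555"  # constructed id

SAMPLE_ASSIGNMENTS = [  # constructed sample data
    {"principalName": "alice@contoso.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "bob@contoso.com", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-app"},
    {"principalName": "deploy-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "build-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner", "scope": SUB + "/resourceGroups/rg-app"},
    {"principalName": "carol_gmail.com#EXT#@contoso.onmicrosoft.com",
     "principalType": "User", "roleDefinitionName": "Reader",
     "scope": SUB + "/resourceGroups/rg-app"},
]


def is_subscription_or_wider(scope):
    """True for subscription or management-group scope, False for RG/resource scope."""
    return bool(SUBSCRIPTION_SCOPE.match(scope) or MANAGEMENT_GROUP_SCOPE.match(scope))


def audit_assignments(assignments):
    """Return one (fail number, principal, reason) tuple per offending assignment.

    Group assignments are not expanded here; resolve group membership separately.
    """
    findings = []
    for a in assignments:
        name, ptype = a["principalName"], a["principalType"]
        role, scope = a["roleDefinitionName"], a["scope"]
        wide = is_subscription_or_wider(scope)
        if ptype == "User":
            # Fail #1: default should be Contributor on a resource group.
            if role == "Owner" or wide:
                findings.append((1, name, f"user holds {role} at {scope}"))
            # Fail #3: identity not managed by the organisation's own Azure AD.
            if EXTERNAL_UPN_MARKER in name:
                findings.append((3, name, "external (guest) identity holds a role"))
        elif ptype == "ServicePrincipal":
            # Fail #2: least privilege, never subscription scope, never Owner.
            if wide:
                findings.append((2, name, f"service principal holds {role} at {scope}"))
            elif role == "Owner":
                findings.append((2, name, f"service principal is Owner at {scope}"))
    return findings


def summarise(findings):
    """Group offending principal names by fail number, preserving input order."""
    by_fail = {}
    for fail, name, _reason in findings:
        by_fail.setdefault(fail, []).append(name)
    return by_fail


if __name__ == "__main__":
    for fail, name, reason in audit_assignments(SAMPLE_ASSIGNMENTS):
        print(f"fail #{fail}: {name}: {reason}")
```

Against the sample data the audit flags alice (fail #1), deploy-sp and build-sp (fail #2) and carol (fail #3); bob, a Contributor on a resource group, passes. To run it against a real subscription, feed the JSON from `az role assignment list --all` to `audit_assignments` and expand group memberships first, since the check looks at direct assignments only.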
Slide 13
Security fail #4
• Unprotected public endpoints
• HTTP / RDP / SSH
• STRIDE threat categorization:
• Information Disclosure
• Denial of Service
• Mitigation:
• Every public IP is a risk and should be carefully reviewed
• Use Network Security Groups to control access to / from virtual machines
• Use Azure Security Center’s Just-in-time access to dynamically change NSG rules
• Use Web Application Firewall to control access to public HTTP endpoints
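Whether an NSG actually leaves SSH, RDP or HTTP open to the Internet depends on rule priority: the lowest priority number that matches a packet wins, so a broad Allow can be neutralised by an earlier Deny and vice versa. The script below, an added example that is not part of the talk, evaluates a rule set with those semantics and reports which of ports 22, 3389, 80 and 443 are effectively reachable from any Internet source. The rules are constructed and only mimic the field names of `az network nsg rule list --include-default -o json`.

```python
"""Work out which management and web ports an NSG exposes to the Internet.

Added example, not from the talk. Rule records mimic the shape of
`az network nsg rule list --include-default -o json`; the sample rules are
constructed for illustration.
"""

# Source prefixes that mean "anyone on the Internet".
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}
WEB_PORTS = {80: "HTTP", 443: "HTTPS"}

SAMPLE_RULES = [  # constructed sample data
    {"name": "AllowSSHFromOffice", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24",
     "sourceAddressPrefixes": [], "destinationPortRange": "22",
     "destinationPortRanges": []},
    {"name": "AllowRDPAny", "priority": 110, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
     "sourceAddressPrefixes": [], "destinationPortRange": "3389",
     "destinationPortRanges": []},
    {"name": "DenyPlainHttp", "priority": 120, "direction": "Inbound",
     "access": "Deny", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
     "sourceAddressPrefixes": [], "destinationPortRange": "80",
     "destinationPortRanges": []},
    {"name": "AllowWeb", "priority": 130, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": None,
     "sourceAddressPrefixes": ["*"], "destinationPortRange": None,
     "destinationPortRanges": ["80", "443"]},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
     "sourceAddressPrefixes": [], "destinationPortRange": "*",
     "destinationPortRanges": []},
]


def _sources(rule):
    """Union of the single-prefix and multi-prefix source fields."""
    sources = set(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        sources.add(rule["sourceAddressPrefix"])
    return sources


def _port_ranges(rule):
    ranges = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    return ranges


def _port_matches(port, ranges):
    """Accept "*", a single port "22", or a range "8000-8080"."""
    for r in ranges:
        if r == "*":
            return True
        if "-" in r:
            lo, hi = (int(x) for x in r.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(r) == port:
            return True
    return False


def first_matching_rule(rules, port):
    """Lowest priority number wins: return the first inbound rule that would
    apply to a TCP packet from an Internet source to this port, or None."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or rule["protocol"] not in ("*", "Tcp"):
            continue
        if not (_sources(rule) & INTERNET_SOURCES):
            continue
        if _port_matches(port, _port_ranges(rule)):
            return rule
    return None


def effective_public_exposure(rules):
    """Map each exposed port to the name of the rule that allows it."""
    exposed = {}
    for port in list(MANAGEMENT_PORTS) + list(WEB_PORTS):
        rule = first_matching_rule(rules, port)
        if rule is not None and rule["access"] == "Allow":
            exposed[port] = rule["name"]
    return exposed


def report(rules):
    """Human-readable findings, mapped to the mitigations on the slide."""
    lines = []
    for port, rule_name in sorted(effective_public_exposure(rules).items()):
        if port in MANAGEMENT_PORTS:
            lines.append(f"{MANAGEMENT_PORTS[port]} ({port}) open to the Internet via "
                         f"'{rule_name}': restrict sources or use Security Center JIT access")
        else:
            lines.append(f"{WEB_PORTS[port]} ({port}) public via '{rule_name}': "
                         f"put it behind Application Gateway / WAF")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_RULES)))
```

On the sample set only RDP and HTTPS come out as exposed: SSH is allowed from one office range only, and the plain-HTTP Allow at priority 130 is shadowed by the Deny at 120. Note that the check only considers rules whose source covers the whole Internet; narrower source ranges are treated as the intended restriction, not as exposure.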
Slide 14
Security fail #5
• Storage access keys used directly
• STRIDE threat categorization:
• Information Disclosure
• Tampering
• Repudiation
• Mitigation:
• Storage Access Keys should be stored in Azure Key Vault and rotated programmatically
• Restrict access to Microsoft.Storage/storageAccounts/listkeys/action using RBAC
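Restricting `listkeys` with RBAC is harder than it looks because Azure role definitions grant actions through wildcards: a role whose actions contain `*` or `Microsoft.Storage/*` can list keys unless the action is excluded in its NotActions. The script below, an added example that is not part of the talk, checks a set of role definitions for that effective grant. The role definitions are constructed and only mimic the field names of `az role definition list -o json`; the custom role names are invented, and the Contributor entry is a simplified stand-in for the built-in role, not its real definition.

```python
"""Find role definitions that effectively grant the storage listKeys action.

Added example, not from the talk. Records mimic the shape of
`az role definition list -o json` (roleName, roleType, permissions[].actions /
notActions); the definitions below are constructed, and the Contributor entry is
a simplified stand-in, not the real built-in role.
"""
from fnmatch import fnmatchcase

LISTKEYS = "Microsoft.Storage/storageAccounts/listKeys/action"

SAMPLE_ROLES = [  # constructed sample data
    {"roleName": "Contributor", "roleType": "BuiltInRole",
     "permissions": [{"actions": ["*"],
                      "notActions": ["Microsoft.Authorization/*/Write",
                                     "Microsoft.Authorization/*/Delete"]}]},
    {"roleName": "StorageOperatorNoKeys", "roleType": "CustomRole",
     "permissions": [{"actions": ["Microsoft.Storage/*"],
                      "notActions": [LISTKEYS]}]},
    {"roleName": "AppDeployer", "roleType": "CustomRole",
     "permissions": [{"actions": ["Microsoft.Storage/storageAccounts/*",
                                  "Microsoft.Web/sites/*"],
                      "notActions": []}]},
    {"roleName": "Reader", "roleType": "BuiltInRole",
     "permissions": [{"actions": ["*/read"], "notActions": []}]},
]


def _action_matches(pattern, action):
    """Azure action patterns are case-insensitive and '*' spans '/' segments."""
    return fnmatchcase(action.lower(), pattern.lower())


def grants_action(role, action):
    """True if any permission block allows the action and none of its NotActions
    take it away again (NotActions only subtract within the same block)."""
    for perm in role["permissions"]:
        allowed = any(_action_matches(p, action) for p in perm.get("actions", []))
        excluded = any(_action_matches(p, action) for p in perm.get("notActions", []))
        if allowed and not excluded:
            return True
    return False


def roles_granting_listkeys(roles):
    """Names of roles that can read storage account keys, in input order."""
    return [r["roleName"] for r in roles if grants_action(r, LISTKEYS)]


if __name__ == "__main__":
    for name in roles_granting_listkeys(SAMPLE_ROLES):
        print(f"{name}: can call {LISTKEYS}")
```

Running it on the sample shows that `StorageOperatorNoKeys` is the only storage-capable role that keeps keys out of reach; `AppDeployer` gets them through the `storageAccounts/*` wildcard without anyone having written `listKeys` into the role. The same function can be pointed at the real output of `az role definition list` to review every custom role in a tenant.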
Slide 15
Security fail #6
• No monitoring or alerting
• STRIDE threat categorization:
• Repudiation
• Denial of Service
• Mitigation:
• Configure Activity Log retention, default is only 90 days!
• Enable Application Insights Smart Alerts
• Enable Advanced Threat Protection
• Enable Azure SQL Audit logging
• Monitor all HTTP endpoint traffic with Application Gateway / WAF
Slide 16
Security fail #7
• Missing Virtual Machine updates
• STRIDE threat categorization:
• Information Disclosure
• Elevation of Privilege
• Mitigation:
• Update management
• Azure Security Center
Slide 18
Secure DevOps kit for Azure (AzSK)
• Set of tools for assessing the security posture of your Azure environment
• Built by Microsoft Core Services Engineering
• Used to secure 1000+ Azure subscriptions at Microsoft
• Easy to get started with non-intrusive vulnerability scans; expands to end-to-end tooling from developer machine to CI/CD to continuous assurance
Slide 19
Materials
• My slides: slideshare.net/karlots
• Secure DevOps Kit for Azure:
• azsk.azurewebsites.net
• Microsoft Ignite 2018 session THR2104 Assess your Microsoft Azure security like a pro
• STRIDE Threat Modeling Lessons from Star Wars:
• youtube.com/watch?v=Y3VQpg04vXo
• Azure Security and Compliance Blueprint (not Azure Blueprint):
• docs.microsoft.com/en-us/azure/security/blueprints/gdpr-paaswa-overview
• Azure Virtual Datacenter:
• docs.microsoft.com/en-us/azure/architecture/vdc/