1. Windows Azure Security Overview
Juan Pablo García González, Solution Architect, DELL
Daniel A. Montero González, Software Developer Manager, DATCO Chile
2. Agenda
Introduction
Platform Security
Application Security
Identity Management
Data Security
Physical Security – Data Centers
4. SDL – Security Development Lifecycle
Microsoft products are developed according to the SDL processes
A prescriptive but practical approach
Proactive – not just "bug hunting"
Eliminates problems early
Proven results
Develop your solutions according to the SDL and protect your customers
Reduce the number of vulnerabilities
Reduce the severity of your vulnerabilities
13. Azure traffic passes through several firewalls
Some are managed by the service owner, while others are managed by the Fabric
(Diagram: firewalls at the Guest VM, Host VM, SQL Azure and local/on-premises boundaries, with the path built between the firewalls)
19. Isolation in Windows Azure
Does not depend on Windows security
Depends on the security of the hypervisor, the exposed network and the disk controllers
The attack surface is minimized by accepting very few commands and only specific drivers
A CPU core is dedicated to a particular VM to prevent side-channel attacks
Guest disks are VHDs in the file system of the root OS
The hypervisor and root OS implement network packet filtering to prevent spoofing and unauthorized traffic towards the VMs
24. Management service security
Customers use Windows Live ID
Hosted Services and storage accounts are managed through the portal or with the APIs, using a public/private key pair generated by the user
The Fabric controls updates and controls the compute and storage nodes
The Fabric runs on separate hardware
Communication takes place over an SSL channel
29. AppFabric: Access Control 2.0
Claims-based, federated Access Control Service
Provides rules-driven, claims-based authorization for:
Web applications
REST web services
SOAP web services
Key features
Broad support for identity providers, including AD Federation Services v2 and well-known web identity providers (Live ID, Facebook, Google, Yahoo)
Support for the WS-Trust and WS-Federation protocols
Configurable through a new web management portal
31. Data Security
User data lives on separate hardware in Storage accounts
Data is accessed only with the account's secret key
Access control policies for Blobs can be attached using "Shared Access Signatures"
Data is accessed over SSL
32. Blob Storage Security Model (diagram)
Storage Access Key: Full Control; signs the Shared Access Signatures
Shared Access Signatures: Read / Write / Delete / List
Container Level Access Policy (referenced by the signature): Read / Write / Delete / List
Public? Container ACL
Azure Storage blob and container
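The signing flow on this slide, as an added illustration that is not part of the original deck: the Storage Access Key signs a string-to-sign that binds permissions, validity window and resource, and the service recomputes the HMAC on every request before enforcing the window and the permission. The account name, key, container and blob are constructed sample values; the string-to-sign layout is modelled on the original Blob SAS format (permissions, start, expiry, canonicalized resource, signed identifier).

```python
"""Shared Access Signature (SAS) signing and validation, modelled on the
original Blob SAS string-to-sign (permissions, start, expiry, resource,
identifier). Added illustration; account, key and names are constructed."""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

ACCOUNT = "sampleaccount"                               # constructed
ACCOUNT_KEY = base64.b64encode(b"\x01" * 64).decode()  # constructed, not a real key
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _string_to_sign(perms, start, expiry, resource, identifier=""):
    # Every field the holder may present is bound into the signature.
    return "\n".join([perms, start, expiry, resource, identifier])


def sign(string_to_sign, account_key=ACCOUNT_KEY):
    # HMAC-SHA256 keyed with the base64-decoded Storage Access Key.
    mac = hmac.new(base64.b64decode(account_key),
                   string_to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def make_sas(container, blob, perms, hours, now=None):
    # Issuer side: only the holder of the account key can produce this token.
    now = now or datetime.now(timezone.utc)
    start = now.strftime(TIME_FMT)
    expiry = (now + timedelta(hours=hours)).strftime(TIME_FMT)
    resource = f"/{ACCOUNT}/{container}/{blob}"
    sig = sign(_string_to_sign(perms, start, expiry, resource))
    return {"sp": perms, "st": start, "se": expiry, "sig": sig}


def validate_sas(sas, container, blob, wanted_perm, now=None):
    """Service side: recompute the MAC from the presented fields (so any
    tampering with permissions, window or target breaks it), compare in
    constant time, then enforce the validity window and the permission."""
    resource = f"/{ACCOUNT}/{container}/{blob}"
    expected = sign(_string_to_sign(sas["sp"], sas["st"], sas["se"], resource))
    if not hmac.compare_digest(expected, sas["sig"]):
        return "bad signature"
    now = now or datetime.now(timezone.utc)
    start = datetime.strptime(sas["st"], TIME_FMT).replace(tzinfo=timezone.utc)
    expiry = datetime.strptime(sas["se"], TIME_FMT).replace(tzinfo=timezone.utc)
    if not start <= now <= expiry:
        return "outside validity window"
    if wanted_perm not in sas["sp"]:
        return "permission not granted"
    return "ok"
```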
33. Windows Azure Storage reliability
Data is replicated to 3 distinct physical storage units and across different datacenters
(Diagram: Azure Application, Azure Application, Data on-premises)
34. Data encryption in Azure
Supported with your own code
The client application stores the key locally
The browser does not have the key, so it cannot read the data
36. SQL Azure security
Only SQL authentication is supported
The user must be provided on every connection
A password reset does not force clients to reconnect
Clients must re-authenticate every 60 minutes
During provisioning, SQL Azure creates a server-level account, similar to SA
This account is used to create the other accounts
Port 1433 must be open in the local firewall
The accessing IP addresses must be registered
40. Data Center – Physical Security
SAS 70 and ISO 27001 certified
Processes certified under SAS 70
Motion sensors
Protected access 24 x 7
Biometric access control to systems
Video camera surveillance
Security breach alarms
41. Windows Azure Platform Data Centers
North America Region: N. Central – U.S., S. Central – U.S.
Europe Region: N. Europe, W. Europe
Asia Pacific Region: E. Asia, S.E. Asia
6 datacenters across 3 continents
Simply select your data center of choice when deploying an application
Editor's notes (speaker notes)
Welcome and speaker's introduction. Set expectations that the session is going to be about identity and access control for applications targeting the Windows Azure platform, as opposed to the services themselves (SQL Azure, Windows Azure management calls, etc.).
Port Scanning / Service Enumeration
The only ports open and addressable (internally or externally) on a Windows Azure VM are those explicitly defined in the Service Definition file. Windows Firewall is enabled on each VM in addition to enhanced VM switch packet filtering, which blocks unauthorized traffic.

Denial of Service
Windows Azure's load balancing will partially mitigate Denial of Service attacks from the Internet and internal networks. This mitigation is done in conjunction with the developer defining an appropriate Service Definition VM instance count scale-out. On the Internet, Windows Azure VMs are only accessible through public Virtual IP Addresses (VIPs). VIP traffic is routed through Windows Azure's load-balancing infrastructure. Windows Azure monitors and detects internally initiated Denial of Service attacks and removes offending VMs/accounts from the network. As a further protection, the root host OS that controls guest VMs in the cloud is not directly addressable internally by other tenants on the Windows Azure network, and the root host OS is not externally addressable. Windows Azure is also reviewing additional Distributed Denial of Service (DDoS) solutions available from Microsoft Global Foundation Services to help further protect against Denial of Service attacks.

Spoofing
VLANs are used to partition the internal network and segment it in a way that prevents compromised nodes from impersonating trusted systems such as the Fabric Controller. At the Hypervisor VM Switch, additional filters are in place to block broadcast and multicast traffic, with the exception of what is needed to maintain DHCP leases.
Furthermore, the channel used by the Root OS to communicate with the Fabric Controller is encrypted and mutually authenticated over an HTTPS connection, and it provides a secure transfer path for configuration and certificate information that cannot be intercepted.

Eavesdropping / Packet Sniffing
The Hypervisor's Virtual Switch prevents sniffer-based attacks against other VMs on the same physical host. Top-of-rack switches will be used to restrict which IP and MAC addresses can be used by the VMs and therefore mitigate spoofing attacks on internal networks. To sniff the wire inside the Windows Azure cloud environment, an attacker would first need to compromise a VM tenant in a way that elevated the attacker to an administrator on the VM, then use a vulnerability in the hypervisor to break into the physical machine root OS and obtain system account privileges. At that point the attacker would only be able to see traffic inbound to the compromised host destined for the dynamic IP addresses of the VM guests controlled by the hypervisor.

Multi-tenant hosting and side-channel attacks
Information disclosure attacks (such as sniffing) are less severe than other forms of attack inside the Windows Azure datacenter because virtual machines are inherently untrusted by the Root OS Hypervisor. Microsoft has done a great deal of analysis to determine susceptibility to side-channel attacks. Timing attacks are the most difficult to mitigate. With timing attacks, an application carefully measures how long it takes some operations to complete and infers what is happening on another processor. By detecting cache misses, an attacker can figure out which cache lines are being accessed in code. With certain crypto implementations involving lookups from large tables, knowing the pattern of memory accesses - even at the granularity of cache lines - can reveal the key being used for encryption. While seemingly far-fetched, such attacks have been demonstrated under controlled conditions.
There are a number of reasons why side-channel attacks are unlikely to succeed in Windows Azure:
An attack works best in the context of hyper-threading, where the two threads share all of their caches. Many current CPUs implement fully independent cores, each with a substantial private cache. The CPU chips that Windows Azure runs on today have four cores per chip and share caches only in the third tier.
Windows Azure runs on nodes containing pairs of quad-core CPUs, so there are three other CPUs sharing the cache, and seven CPUs sharing the memory bus. This level of sharing leads to a great deal of noise in any signal from one CPU to another, because the actions of multiple CPUs tend to obfuscate the signal.
Windows Azure generally dedicates CPUs to particular VMs. Any system that takes advantage of the fact that few servers keep their CPUs busy all the time, and implements more logical CPUs than physical CPUs, might open the possibility of context switches exposing cache access patterns. Windows Azure operates differently. VMs can migrate from one CPU to another, but are unlikely to do so frequently enough to offer an attacker any information.
Slide Objective
Understand that Microsoft has a long history in running data centres and online applications (Bing, Live, Hotmail, etc.). Understand the huge amount of innovation going on at the data center level.

Speaking Points:
Microsoft is one of the largest operators of datacenters in the world
Years of experience
Large scale trustworthy environments
Driving for cost and environmental efficiency
Windows Azure runs in 3 regions and 6 datacenters today
Data center innovation is driving improved reliability and efficiency
PUE = Power Usage Effectiveness = Total Facility Power / IT Systems Power = an indication of the efficiency of a DC. Under 1.8 is very good; modern cloud DCs are approaching 1.2
Multi-billion dollar datacenter investment
700,000+ square foot Chicago and 300,000+ square foot Dublin, Ireland data centers
Microsoft cloud services provide the reliability and security you expect for your business: 99.9% uptime SLA, 24/7 support. Microsoft understands the needs of businesses with respect to security, data privacy, compliance and risk management, and identity and access control. Microsoft datacenters are ISO 27001:2005 accredited, with SAS 70 Type I and Type II attestations.

Notes:
http://www.globalfoundationservices.com/
http://blogs.msdn.com/the_power_of_software/archive/2008/06/20/microsoft-s-pue-experience-years-of-experience-reams-of-data.aspx
http://blogs.msdn.com/the_power_of_software/archive/2008/06/27/part-2-why-is-energy-efficiency-important.aspx