Class Project: Security in Microsoft Azure
1. Pace University
IT 612 – Web Server Setup
Configuration & Security
Student: Yao, Chung-Hui
Professor: Dr. Hevel Jean-Baptiste
Date: May 2014
Security in Microsoft Azure
6/10/2014
Abstract:
Microsoft Azure is a cloud computing platform and
infrastructure created by Microsoft. It is said that 54% of
Fortune 500 companies already use Azure. This project
looks at the potential threats and attacks web applications
face when hosted on the Microsoft Azure platform, and at
some of the best practices for a secure environment.
Introduction:
Hosting applications, services, and websites on
Microsoft Azure means the physical infrastructure is left in
the hands of the cloud provider. Since we no longer need to
secure the network or the host, it is up to the developer to
secure the application.
We will examine how security is handled differently on a
cloud platform by reviewing the OWASP Top 10 vulnerabilities
from 2013. We will also highlight unique features in Microsoft
Azure that help mitigate these vulnerabilities.
Background of your study:
This topic idea began when I had the opportunity
to compare two different cloud platforms: Amazon
Web Services (AWS) and Microsoft Azure. At that time,
someone told me that the cloud provider would take care of
everything, so we would not need to implement any security
measures. After learning more about web and internet
security in another class, I became interested in exploring
whether we need to apply a different security baseline when
our web application is hosted on Microsoft Azure.
Analysis:
OWASP Top 10
• Injection
• Broken Authentication and Session
• Cross-Site Scripting (XSS)
• Insecure Direct Object References
• Security Misconfiguration
• Sensitive Data Exposure
• Missing Function Level Access Control
• Cross-Site Request Forgery
• Using Components with Known Vulnerabilities
• Unvalidated Redirects and Forwards
Notable mention
• Distributed Denial-of-Service (DDoS)
Injection
• Azure patches SQL on your behalf
• Avoid building connection strings using string
concatenation; use the SqlConnectionStringBuilder
class instead.
• Escape and validate user input
• Run SQL queries with the least privilege possible
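The following C# is an added example, not code from the original slides: it builds the connection string with SqlConnectionStringBuilder instead of concatenation (also turning on the encrypted connection to Azure SQL Database recommended later in the deck) and passes the user's search term as a parameter rather than splicing it into the SQL text. The server, database, login and table names are placeholders.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: safe connection-string construction and a parameterized
// query for an application hosted on Azure. All names are placeholders.
public static class CustomerLookup
{
    public static string BuildConnectionString(string server, string database,
                                               string user, string password)
    {
        var builder = new SqlConnectionStringBuilder
        {
            DataSource = server,            // e.g. "tcp:<yourserver>.database.windows.net,1433"
            InitialCatalog = database,
            UserID = user,                  // a least-privilege login, not the server admin
            Password = password,
            Encrypt = true,                 // SSL/TLS to Azure SQL Database
            TrustServerCertificate = false  // do not accept an unverified certificate
        };
        // A value containing ';' or '=' is quoted by the builder, whereas
        // concatenation would let it add or override connection keywords.
        return builder.ConnectionString;
    }

    // The pattern the slides warn against, kept only for contrast:
    // the search term becomes part of the SQL statement itself.
    public static string UnsafeQueryText(string search)
    {
        return "SELECT Name FROM Customers WHERE Name LIKE '%" + search + "%'";
    }

    public static void PrintMatches(string connectionString, string search)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(
            "SELECT Name FROM Customers WHERE Name LIKE @pattern", conn))
        {
            // The parameter travels separately from the statement, so quote or
            // comment characters in the input are matched literally, not executed.
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value = "%" + search + "%";
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    Console.WriteLine(reader.GetString(0));
            }
        }
    }
}
```

The login used in the connection string should be granted only SELECT on the tables the page needs, which is the "least privilege" bullet above applied at the database level.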
Broken Authentication and Session
• SSL connection to the management portal
• Assign random port numbers for the RDP and
PowerShell endpoints used to manage VMs
• Access Control Service (ACS):
authenticate with an existing, mature account service
such as a Google, Yahoo, or Facebook account;
developers need to follow the recommended practices
Cross-Site Scripting (XSS)
• Follow the same security practices within the Azure
environment
• Validate and sanitize user input
• Protect the session authentication cookie
Insecure Direct Object References
• Isolation:
VM to VM within a deployment;
different deployments within a subscription cannot
communicate unless assigned to the same virtual
network
• Private IP ACLs and public IP ACLs
Security Misconfiguration
• VMs provisioned from templates with a strict security
baseline
• Inbound connections from the internet are blocked by default
• Ports have to be specifically opened
• Azure Active Directory with Access Control Service to
fine-tune permissions
Sensitive Data Exposure
• Encrypt the database content or the database itself
• Built-in firewall in Azure SQL Database
• Enable encrypted connections (SSL) to Azure
SQL Database
• Encrypt the connection from the web server to the client
• Encrypt session cookies on the client side
Missing Function Level Access Control
• Azure Active Directory access control:
provides group-based or role-based entitlements
• Microsoft Azure Dashboard:
access to logs and status for auditing
• Third-party apps to audit application workflow, e.g.
Cerebrata Azure Management Studio
Cross-Site Request Forgery
• Follow traditional practices:
set shorter session timeouts;
prevent users from submitting form data multiple
times;
implement a CAPTCHA before submission
Using Components with Known Vulnerabilities
• Azure handles OS updates and software patches
• Monitor vulnerabilities through public databases
such as NVD and CVE
• NVD listed a vulnerability in Azure SDK v1.3,
which has since been updated.
Unvalidated Redirects and Forwards
• Avoid using redirects and forwards
• Validate redirect and forward requests
• Microsoft Azure isolation restricts the destinations
• Developers should use a mapped value within the
application instead of a URL
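An added C# (ASP.NET MVC) example of the "mapped value" approach from the last bullet; it is not code from the original slides. The client supplies only a short key that the application resolves against a fixed table of its own routes, so the request can never name an arbitrary destination. The controller, route names and dictionary contents are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Mvc;

// Added example: redirect by application-defined key instead of by URL.
public class ReturnController : Controller
{
    // Hypothetical destinations; a real application lists its own routes here.
    private static readonly IReadOnlyDictionary<string, string> Destinations =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "home",    "/" },
            { "orders",  "/Orders/Index" },
            { "profile", "/Account/Profile" }
        };

    // Resolves a key such as "orders" to a path; unknown or missing keys
    // fall back to the site root rather than to anything the client chose.
    public static string Resolve(string key)
    {
        string path;
        if (string.IsNullOrEmpty(key) || !Destinations.TryGetValue(key, out path))
            return "/";
        return path;
    }

    // Requested as /Return/Go?to=orders
    public ActionResult Go(string to)
    {
        return Redirect(Resolve(to));
    }

    // Where a raw returnUrl cannot be avoided (e.g. after login), the
    // "validate the request" bullet means at least confining it to this
    // application's own host with Url.IsLocalUrl before redirecting.
    public ActionResult Back(string returnUrl)
    {
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }
}
```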
Distributed Denial-of-Service (DDoS)
• Azure has built-in defenses against DDoS
- rate and connection limiting
- dropping offending VMs within the environment
• Deploy an application firewall (e.g. Barracuda)
• Windows Azure Traffic Manager for load balancing
• High availability: deploy more instances in case
of attack
Diagram and others:
Conclusion and other research:
After reviewing the OWASP Top 10 vulnerabilities from
2013 and Distributed Denial-of-Service attacks, we see that
Microsoft Azure does have certain unique features that
mitigate some of the vulnerabilities, such as Windows Azure
Traffic Manager and Access Control Service. We do not need
to worry about securing the network or the host, but
developers have more responsibility now and need to
concentrate on securing the application itself. Code review
and code analysis become very important on a cloud
platform, since the environment is now only as secure as the
application it hosts.
Q&A