Application development and deployment in the traditional datacenter has been a challenge for many organizations primarily due to resource constraints. This has historically led to unfortunate compromises between functionality and security for business applications.
With public cloud providers, we have seen the limitations to technical capabilities fall away; the attainable to the Fortune 500 has become available to organizations of any size.
This yields some exciting new options for the development, deployment and operation of secure applications. Here you will find the presentation deck and recording of the webinar.
2. Intro: Your Presenter
Tadd Axon
Microsoft Services Practice Lead
• MS Practice Lead
• Background in IT Operations, system architecture
• Information security, security & compliance audit
3. Agenda
• Public cloud has changed the (development) world
• Tools to support secure application architecture
• Cloud Provider Capabilities to support security
• Technologies to accelerate secure application development
• The Learning Curve
• Demo
• Q&A – Post an IM anytime
4. Impact of Public Cloud
• Tools, capabilities, and technologies once only available to large enterprise are now accessible and affordable
• The burden of maintaining the supporting infrastructure for these is greatly reduced
• Responsibility for delivery of security is split
o Cloud provider has a contractual obligation to provide a secure foundation; it serves their best interest to do so, and to provide transparency
o Cloud provider shoulders the burden of attracting and retaining security talent
o Cloud consumer focuses on the security of the application rather than the application and the entire supporting infrastructure
5. Supporting Tools for Secure Applications
TOOL                          CAPABILITY
Azure Security Center         Alerts, analysis, recommendations
Azure AD Identity Protection  Alerts, analysis, guidance, policy and enforcement
Application Insights          Performance metrics, code-level issues
Operations Management Suite   Log analytics, assessment, recommended actions
11. Supporting Capabilities for Secure Applications
CAPABILITY                 BENEFITS
AZURE RESOURCE MANAGER     • Template-based deployment
                           • Manage application infrastructure as source code
                           • Idempotency
                           • Resource Policy
                           • Resource Locks
AZURE STORAGE ENCRYPTION   • Encryption for data at rest
                           • Client-side libraries for encryption in transit
12. Supporting Technologies for Secure Applications
• API Management
o Publish APIs rapidly, even from “legacy” services
o Secure access and protect from overuse
• Azure KeyVault
o HSM based storage for secrets (passwords, cryptographic keys)
o Auditable
• Azure SQL
o Azure AD integration for role based access control at the DB level
o Least-privilege design for access to DB services
• Virtual Machine Scale Sets
o Idempotent deployment at scale
o Disposable, ephemeral worker nodes
24. The Learning Curve
• The learning curve for this can appear steep
• There are a multitude of resources
o Sample code and templates to provision resources
o Architecture Guidance
o Development Guidance
o Strong community of MS Partners
Demo – deployment of VM with encrypted storage and all supporting infrastructure
Democratization of capability
Tremendous reduction in the in-house skills required to manage and provision – in most cases, the capabilities, tools and technologies are just there to use…
NB – OMS webinar September 8 and 9
Azure Resource Manager enables you to work with the resources in your solution as a group.
You can deploy, update or delete all of the resources for your solution in a single, coordinated operation. You use a template for deployment and that template can work for different environments such as testing, staging and production.
Resource Manager provides security, auditing, and tagging features to help you manage your resources after deployment.
Resource Manager provides several benefits:
You can deploy, manage, and monitor all of the resources for your solution as a group, rather than handling these resources individually.
You can repeatedly deploy your solution throughout the development lifecycle and have confidence your resources are deployed in a consistent state.
You can manage your infrastructure through declarative templates rather than scripts.
You can define the dependencies between resources so they are deployed in the correct order.
You can apply access control to all services in your resource group because Role-Based Access Control (RBAC) is natively integrated into the management platform.
You can apply tags to resources to logically organize all of the resources in your subscription.
You can clarify billing for your organization by viewing the rolled-up costs for the entire group or for a group of resources sharing the same tag.
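The dependency ordering the notes describe (declare dependencies between resources so they are deployed in the correct order), as an added example that is not part of the deck or of Azure's own deployment engine. The template is a constructed toy that mimics the shape of an ARM template's resources array; the resource names are placeholders, and the function shows the validation a declarative engine must do (reject unknown dependencies and cycles) before it creates anything.

```python
"""Compute a deployment order from an ARM-style template's dependsOn entries.
Added example, not code from the webinar or from Azure Resource Manager."""
from collections import deque

# Constructed sample: a VM that needs a NIC, which needs a VNet, plus a
# storage account for the VM's disks. Only ordering-relevant fields are kept.
SAMPLE_TEMPLATE = {
    "resources": [
        {"type": "Microsoft.Compute/virtualMachines", "name": "app-vm",
         "dependsOn": ["Microsoft.Network/networkInterfaces/app-nic",
                       "Microsoft.Storage/storageAccounts/appdisks"]},
        {"type": "Microsoft.Network/networkInterfaces", "name": "app-nic",
         "dependsOn": ["Microsoft.Network/virtualNetworks/app-vnet"]},
        {"type": "Microsoft.Network/virtualNetworks", "name": "app-vnet"},
        {"type": "Microsoft.Storage/storageAccounts", "name": "appdisks"},
    ]
}


def resource_id(res):
    """Placeholder id in the 'type/name' form ARM uses inside dependsOn."""
    return f"{res['type']}/{res['name']}"


def deployment_order(template):
    """Return resource ids in an order satisfying every dependsOn.

    Raises ValueError on an unknown dependency or a dependency cycle, which
    a template validation step should surface before any resource exists.
    The result is deterministic, so re-running on the same template yields
    the same plan (the idempotency the deck lists as a benefit).
    """
    resources = {resource_id(r): r for r in template["resources"]}
    indegree = {rid: 0 for rid in resources}
    dependents = {rid: [] for rid in resources}
    for rid, res in resources.items():
        for dep in res.get("dependsOn", []):
            if dep not in resources:
                raise ValueError(f"{rid} depends on unknown resource {dep}")
            indegree[rid] += 1
            dependents[dep].append(rid)

    # Kahn's algorithm; sorting the ready set keeps the output deterministic
    ready = deque(sorted(rid for rid, d in indegree.items() if d == 0))
    order = []
    while ready:
        rid = ready.popleft()
        order.append(rid)
        for child in sorted(dependents[rid]):
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    if len(order) != len(resources):
        raise ValueError("dependency cycle in template")
    return order


if __name__ == "__main__":
    for step, rid in enumerate(deployment_order(SAMPLE_TEMPLATE), 1):
        print(step, rid)
```

Run it as a script to print the plan; the VNet and storage account come out before the NIC, and the VM last. A template that references a resource it does not define, or that contains a cycle, is rejected with a ValueError instead of partially deploying.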
Resource Policy
Azure Resource Manager now allows you to control access through custom policies.
With policies, you can prevent users in your organization from breaking conventions that are needed to manage your organization's resources.
You create policy definitions that describe the actions or resources that are specifically denied.
You assign those policy definitions at the desired scope, such as the subscription, resource group, or an individual resource.
Policies and RBAC work together. To be able to use policy, the user must be authenticated through RBAC. Unlike RBAC, policy is a default allow and explicit deny system.
RBAC focuses on the actions a user can perform at different scopes. For example, a particular user is added to the contributor role for a resource group at the desired scope, so the user can make changes to that resource group.
Policy focuses on resource actions at various scopes. For example, through policies, you can control the types of resources that can be provisioned or restrict the locations in which the resources can be provisioned.
Resource Locks
As an administrator, you may need to lock a subscription, resource group or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. You can set the lock level to CanNotDelete or ReadOnly.
CanNotDelete means authorized users can still read and modify a resource, but they can't delete it.
ReadOnly means authorized users can read from a resource, but they can't delete it or perform any actions on it. The permission on the resource is restricted to the Reader role. Applying ReadOnly can lead to unexpected results because some operations that seem like read operations actually require additional actions. For example, placing a ReadOnly lock on a storage account will prevent all users from listing the keys. The list keys operation is handled through a POST request because the returned keys are available for write operations. For another example, placing a ReadOnly lock on an App Service resource will prevent Visual Studio Server Explorer from being able to display files for the resource because that interaction requires write access.
Unlike role-based access control, you use management locks to apply a restriction across all users and roles.
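The interplay of the three controls described under Resource Policy and Resource Locks, as an added example that is not part of the deck or of Azure's own authorization code: RBAC decides what a role may do, policy is a default-allow, explicit-deny filter over the request, and a management lock applies to every user and role. The policy conditions follow the shape of ARM policy definitions (if/then with field, equals, in, not, allOf, anyOf; deny effect only) but implement just that subset. The role definitions, policy assignments and requests are constructed; the model checks the layers in the order the notes present them and does not claim to reproduce ARM's internal evaluation order. The detail that anything other than an HTTP GET is write-class, which is why a ReadOnly lock blocks POST listKeys, is from the notes.

```python
"""Toy model of RBAC, policy and locks on a management-plane request.
Added example, not code from the webinar or from Azure Resource Manager."""

# Constructed, simplified roles: HTTP verbs a role may use on a resource
ROLES = {
    "Reader": {"GET"},
    "Contributor": {"GET", "PUT", "PATCH", "POST", "DELETE"},
}

# Constructed policy assignments in ARM policy definition shape
POLICIES = [
    {"name": "allowed-locations",
     "if": {"not": {"field": "location",
                    "in": ["westeurope", "northeurope"]}},
     "then": {"effect": "deny"}},
    {"name": "no-classic-vms",
     "if": {"field": "type",
            "equals": "Microsoft.ClassicCompute/virtualMachines"},
     "then": {"effect": "deny"}},
]


def matches(condition, resource):
    """Evaluate one policy condition against a resource request (a dict)."""
    if "not" in condition:
        return not matches(condition["not"], resource)
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    value = resource.get(condition["field"])
    if "equals" in condition:
        return value == condition["equals"]
    if "in" in condition:
        return value in condition["in"]
    raise ValueError(f"unsupported condition: {condition}")


def policy_denials(resource, policies=POLICIES):
    """Names of deny policies whose 'if' matches. Empty list means allowed:
    nothing has to match to permit a request (default allow, explicit deny)."""
    return [p["name"] for p in policies
            if p["then"]["effect"] == "deny" and matches(p["if"], resource)]


def lock_blocks(lock, method, action):
    """Reason a lock blocks the request, or None. ReadOnly permits only GET;
    CanNotDelete permits everything but DELETE. No caller argument: locks
    apply across all users and roles."""
    if lock is None:
        return None
    if method == "DELETE":
        return f"{lock} lock forbids delete"
    if lock == "ReadOnly" and method != "GET":
        # PUT, PATCH and POST are all write-class, hence listKeys fails here
        return f"ReadOnly lock forbids {method} {action}".rstrip()
    return None


def authorize(role, method, resource, action="", lock=None):
    """Evaluate a request through RBAC, then policy, then lock.
    Returns (allowed, reason)."""
    method = method.upper()
    if method not in ROLES.get(role, set()):
        return False, f"RBAC: role {role!r} may not {method}"
    # Policy constrains what gets created or changed, so it is applied to
    # create/update requests in this toy model
    if method in {"PUT", "PATCH"}:
        denied = policy_denials(resource)
        if denied:
            return False, "policy denied: " + ", ".join(denied)
    reason = lock_blocks(lock, method, action)
    if reason:
        return False, reason
    return True, "allowed"


# Constructed requests
VM_WEST = {"type": "Microsoft.Compute/virtualMachines", "location": "westeurope"}
VM_EAST = {"type": "Microsoft.Compute/virtualMachines", "location": "eastus"}
STORAGE = {"type": "Microsoft.Storage/storageAccounts", "location": "westeurope"}

if __name__ == "__main__":
    print(authorize("Reader", "PUT", VM_WEST))
    print(authorize("Contributor", "PUT", VM_EAST))
    print(authorize("Contributor", "POST", STORAGE, "listKeys", lock="ReadOnly"))
    print(authorize("Contributor", "POST", STORAGE, "listKeys", lock="CanNotDelete"))
```

The storage account case is the one to notice: with CanNotDelete a Contributor can still list keys, but with ReadOnly the same POST is refused even though the caller's role permits it and no policy objects, exactly the surprise the notes warn about.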
Storage Service Encryption
A new feature of Azure Storage that encrypts data as it is written to your Azure Storage; it supports block blobs, page blobs and append blobs. This feature can be enabled for new storage accounts using the Azure Resource Manager deployment model and is available for all redundancy levels (LRS, ZRS, GRS, RA-GRS). Storage Service Encryption is available for both Standard and Premium Storage, handling encryption, decryption, and key management in a totally transparent fashion. All data is encrypted using 256-bit AES encryption, one of the strongest block ciphers available.
Azure Disk Encryption
A new capability that lets you encrypt your Windows and Linux IaaS virtual machine disks. Azure Disk Encryption leverages the industry-standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption for the OS and the data disks. The solution is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets in your key vault subscription, while ensuring that all data in the virtual machine disks is encrypted at rest in your Azure storage. (In this case, Key Vault stands in for a hardware-based TPM.)
So… why do we care about these?
The ability to rapidly publish and secure APIs enables microservice architecture – applications composed of many small, simpler, single purpose components
This reduces overall complexity of code, and allows very strong controls to be put into place for communications between application components. This also reduces the scope and impact of maintenance and changes
Compare this to monolithic application design, which lacks this ability to segregate communication and process, and where maintenance or changes to a particular functional component mean maintenance on the entire application infrastructure.
With Azure Key Vault, you can encrypt keys and small secrets like passwords using keys stored in hardware security modules (HSMs). For added assurance, you can import or generate keys in HSMs. If you choose to do this, Microsoft will process your keys in FIPS 140-2 Level 2 validated HSMs (hardware and firmware). Key Vault is designed so that Microsoft does not see or extract your keys. Monitor and audit key use with Azure logging—pipe logs into Azure HDInsight or your SIEM for additional analysis and threat detection.
Effectively, application administrators never need to know the credentials used for back-end accounts or system-to-system communications – removing the risk of accidental leakage or intentional malfeasance.
Azure SQL is in the early stages of supporting Active Directory security principals for access to databases – this greatly simplifies access control and access management by reusing existing roles and individual identities rather than having to recreate/duplicate them at the DB level or making satisficing choices (i.e. single DB account granted wide permissions to the DB rather than role/user specific level of access)
Virtual Machine Scale Sets
Deploy (and scale based on demand) multiple virtual machines with an identical configuration
Update the underlying model and quietly push updates to running instances
Manage individual instances, including decommissioning malfunctioning or compromised instances (and then patch the model and other running instances) without impairing the performance of the application
Accountability for the costs
Identify the business owner
Accountability for provisioning and deprovisioning of resources
Process controls
Request -> Approval -> Deployment
Auditability
Identify additional considerations
Sensitivity of data
Regulatory obligations