Slide 2
Enabling Data Protection in Microsoft Azure
Devendra Tiwari, Senior Program Manager
Thomas Knudson, Senior Program Manager
Microsoft Corporation
BRK3490

Slide 3
In this Session
What are we covering?
- How Azure protects your data
- How you can protect your data
- How you can control and protect your keys using Azure Key Vault
- Azure data retention and deletion policies
- How to use Azure Access Control and Access Auditing features
What are we NOT covering?
- Data Protection Manager
- Compliance Controls and Certifications
- Privacy, Data classification and Data management
- Cryptography 101

Slide 4
Cybersecurity concerns persist
Global attacks are increasing and costs are rising
- Cybercrime extracts between 15% and 20% of the value created by the Internet. [1]
- Total financial losses attributed to security compromises increased 34% in 2014. [3]
- In the UK, 81% of large corporations and 60% of small businesses reported a cyberbreach in the past year. [2]
- Impact of cyber attacks could be as much as $3 trillion in lost productivity and growth. [4]

Slide 5
Microsoft Cloud Security
Protect:
- Security Development Lifecycle & Operational Security Assurance
- Network, Identity and Data Isolation
- Data Protection – Data Encryption and Key Management
- Least Privilege / Just-in-Time (JIT) Access
- Vulnerability / Update Management
Detect:
- Auditing and Certification
- Live Site Penetration Testing
- Fraud and Abuse Detection
- Centralized Logging and Monitoring
Respond:
- Breach Containment
- Coordinated Security Response
- Customer Notification

Slide 6
Data protection
Azure provides customers with strong data protections, both by default and as customer options.
- Data isolation: Logical isolation segregating each customer's data from that of others is enabled by default.
- In-transit data protection: Industry-standard protocols encrypt data in transit to/from outside components, as well as data in transit internally, by default.
- Data redundancy: Customers have multiple options for replicating data, including the number of copies and the number and location of replication data centers.
- At-rest data protection: Customers can implement a range of encryption options for virtual machines and storage.
- Encryption: Data encryption in storage or in transit can be deployed by the customer to align with best practices for ensuring confidentiality and integrity of data.
- Data destruction: Strict standards for overwriting storage resources before reuse and for the physical destruction of decommissioned hardware are in place by default.

Slide 7
Azure Data Encryption: In-Transit and At-Rest

Slide 8
Data In Transit – Encryption Options
We work to protect your data across all communications stages.
Microsoft:
- Azure Portal: Encrypts transactions through the Azure Portal using HTTPS. Strong ciphers are used / FIPS 140-2 support.
- Import / Export: Only accepts BitLocker-encrypted data disks.
- Datacenter to Datacenter: Encrypts customer data transfer between Azure datacenters.
Customers:
- Storage: Choose HTTPS for the Storage REST API.
- N-Tier Applications: Encrypt traffic between the Web client and server by implementing TLS on IIS.
1. Data in transit between a user and the service: Protects the user from interception of their communication and helps ensure transaction integrity.
2. Data in transit between data centers: Protects from bulk interception of data.
3. End-to-end encryption of communications between users: Protects from interception or loss of data in transit between users.

Slide 9
Azure Data Encryption - Data at Rest
Keys Management
- Azure Key Vault: Keys and Secrets controlled by customers in their key vault
- Authentication to Key Vault: Authentication to Key Vault uses Azure AD

Slide 10
Azure Disk Encryption
What:
- Windows and Linux IaaS VMs
- Enables migration of encrypted VHDs from on-premises to the cloud
- Enables encryption on running VMs and new VMs
- Key management integrated in the customer key vault using HSM
Value Proposition:
- VMs are secured at rest and theft of an image is meaningless
- VMs boot under the policies and keys controlled by the organization's CSO/CISO, and they can audit their usage in Key Vault
Threats Addressed:
- Data breach, loss of disks, loss of storage account keys

Slide 11
Azure Disk Encryption Scenarios
Diagram: Machine (Boot volume, Data volume) → Azure storage; Keys/Secrets are protected in the customer key vault.
Protection elements:
- Access control: The customer controls access to the keys/secrets in their key vault
- Monitoring and Logging: The customer collects logs in their storage account
- Data Security and Availability: Disks are stored encrypted in the customer storage account and are automatically replicated by Azure storage
Encryption Scenarios:
- New VMs from customer-encrypted VHDs
- New VMs from the Azure Gallery
- Running VMs in Azure

Slide 12
Azure Disk Encryption - Customer Encrypted VHD Workflow
1. Customer uploads an encrypted VHD to their Azure storage account.
2. Customer provisions encryption key material* in their key vault and grants the platform access to provision the VM.
3. Customer opts into enabling disk encryption.
4. Azure service management updates the service model with the encryption and key vault configuration.
5. Azure platform provisions the encrypted VM.
* Key Material – BitLocker Encryption Keys [Windows], Passphrase [Linux]
Diagram labels: Portal/API, Service Management (Config, "Encrypt Me"), AAD (AAD token), Azure Storage (Customer Disks, Read VHD), Customer Key Vault (Read Key), Host / Virtual Machine (Provision Encrypted VM).

Slide 13
Azure Disk Encryption – New VM or Running VM Workflow
1. Customer opts into enabling disk encryption and grants the Azure platform access to provision encryption key material* in their key vault.
2. Azure service management updates the service model with the encryption and key vault configuration.
3. Azure platform provisions the encrypted VM.
* Key Material – BitLocker Encryption Keys [Windows], Passphrase [Linux]
Diagram labels: Portal/API, Service Management (Config, "Encrypt Me"), AAD (AAD token), Azure Storage, Customer Key Vault (Upload Key), Host / Virtual Machine (Provision Encrypted VM).

Slide 14
Azure Disk Encryption – Key Management using Key Vault
- Secrets like BitLocker Encryption Keys [BEK] or the Linux passphrase are stored protected, under customer control, in their key vault container
- Secrets are encrypted by a customer-controlled Key Encryption Key [KEK – RSA 2048]
- The customer grants [explicit] Read or Write access to their key vault container to Azure to enable disk encryption
- The customer specifies the key vault URI to allow Azure access to their keys and secrets
- Azure does not have ANY default access to the customer key vault for the disk encryption feature
Example vault contents:
- Secrets: Contoso.BEK [encrypted by ContosoKEK] – BitLocker, Windows; ContosoPassPhrase [encrypted by ContosoKEK] – Linux
- Keys: ContosoKEK

Slide 15
Azure Disk Encryption: Running VM scenario demo

Slide 16
Azure Disk Encryption – Key Vault demo

Slide 17
Storage Client-Side Encryption - Preview
What is Client-Side Encryption?
- Allows for encrypting blob, table and queue data
- Users encrypt their data on the client side before uploading to Azure Storage, and decrypt it after downloading
- The customer maintains control of the keys; the storage service never sees the keys and is incapable of decrypting the data
- Integration with Azure Key Vault, with customizability to support other key management systems
Why Client-Side Encryption?
- Most control over keys
- The Storage Service never sees the keys you use
- Flexibility in key management systems and algorithms

Slide 18
Code Sample:

    // Namespaces assumed for this sample: System.IO, System.Security.Cryptography and
    // Microsoft.WindowsAzure.Storage.Blob; SymmetricKeyWrapper comes from the preview
    // client-side encryption library. 'blob' (a CloudBlockBlob), 'stream' and 'size'
    // are assumed to have been set up earlier.

    // Create the KeyWrapper to be used for wrapping.
    AesCryptoServiceProvider aes = new AesCryptoServiceProvider();
    SymmetricKeyWrapper aesKeyWrapper = new SymmetricKeyWrapper("symencryptionkey", aes);

    // Create the encryption policy to be used for upload.
    BlobEncryptionPolicy uploadPolicy = new BlobEncryptionPolicy(BlobEncryptionMode.FullBlob, aesKeyWrapper, null);

    // Set the encryption policy on the request options.
    BlobRequestOptions options = new BlobRequestOptions() { EncryptionPolicy = uploadPolicy };

    // Upload the encrypted contents to the blob.
    blob.UploadFromStream(stream, size, null, options, null);

    // Download and decrypt the encrypted contents from the blob.
    MemoryStream outputStream = new MemoryStream();
    blob.DownloadToStream(outputStream, null, options, null);

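The code sample above shows the client-library calls; the following Go program, added here and not part of the deck or of the Azure SDK, shows the envelope scheme behind them: a random content key encrypts the data, that content key is wrapped under a key-encryption key that only the key holder (Key Vault in the deck) can use, and the storage layer receives nothing but the envelope. AES-GCM is used for the wrap step as a stand-in for the library's key-wrap algorithm; the KeyWrapper type and all key values are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is what the client uploads with the blob: the ciphertext plus the content
// encryption key (CEK) wrapped under the key encryption key (KEK). Storage only ever
// sees these bytes, never the KEK or the bare CEK.
type Envelope struct {
	KeyID                 string // which KEK wrapped the CEK (a Key Vault key URI in practice)
	WrapNonce, WrappedCEK []byte
	Nonce, Ciphertext     []byte
}

// KeyWrapper stands in for the KEK holder (Key Vault in the deck): callers wrap and
// unwrap through it, but the KEK bytes are never exposed.
type KeyWrapper struct {
	ID  string
	kek []byte // 32 bytes for AES-256
}
func NewKeyWrapper(id string, kek []byte) *KeyWrapper { return &KeyWrapper{ID: id, kek: kek} }

// aead returns AES-GCM for a 16/24/32-byte key; a bad key length is a programming error.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // NewGCM cannot fail for an AES block
	return g
}

// random returns n bytes from the OS CSPRNG; a failing CSPRNG is fatal, not recoverable.
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Encrypt is the client-side step: a fresh CEK encrypts the blob, then the CEK is
// wrapped under the KEK so only the KEK holder can ever recover it.
func Encrypt(w *KeyWrapper, plaintext []byte) *Envelope {
	cek, nonce, wn := random(32), random(12), random(12) // AES-256 key, two 96-bit GCM nonces
	return &Envelope{KeyID: w.ID, Nonce: nonce, WrapNonce: wn,
		WrappedCEK: aead(w.kek).Seal(nil, wn, cek, nil),
		Ciphertext: aead(cek).Seal(nil, nonce, plaintext, nil)}
}

// Decrypt refuses envelopes wrapped by another KEK and fails closed on tampering,
// since GCM authenticates both the wrapped CEK and the ciphertext.
func Decrypt(w *KeyWrapper, env *Envelope) ([]byte, error) {
	if env.KeyID != w.ID {
		return nil, errors.New("envelope wrapped by a different key: " + env.KeyID)
	}
	cek, err := aead(w.kek).Open(nil, env.WrapNonce, env.WrappedCEK, nil)
	if err != nil {
		return nil, err
	}
	return aead(cek).Open(nil, env.Nonce, env.Ciphertext, nil)
}
```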
Slide 19
Storage – Cloud Integrated Storage
- Hybrid Applications – Windows Server Data Snapshots
- Data encrypted on-premises and backed up in Azure
- AES 256 encryption and integrity protected with SHA-256 hashes

Slide 20
SQL Server, SQL Database Encryption
Encryption Options:
- Transparent Data Encryption (TDE), Cell Level Encryption (CLE)
- SQL Server Encrypted Backups
- Always Encrypted
SQL Server Extensible Key Management (EKM):
- EKM provider shifts encryption master keys to an external key manager
- Separation of duties between data and key management
Azure Key Vault as an EKM:
- SQL Server Connector enables Azure Key Vault use as an EKM
- Customer-owned Encryption Master Keys in a software or hardware (FIPS Validated HSM) vault
- SQL Server on-prem / Azure VMs

Slide 21
SQL Server Connector to Key Vault
Components: Key Vault Service, Azure Active Directory, SQL Server Connector, SQL Server
Roles: SQL Server Admin, Security Operations, Auditor
Flow:
1. Register SQL Server instance
2a. Create Vault
2b. Create Master Key
2c. Give SQL Server access to Vault
3. Configure SQL Server Encryption
4. Authenticate
5. Protect Keys
6. Audit Key Usage (coming soon)

Slide 22
SQL Server TDE with Key Vault demo

Slide 23
Microsoft Azure Key Vault
Key Vault offers an easy, cost-effective way to safeguard keys and other secrets used by cloud apps and services, using HSMs.
- You manage your keys and secrets
- Applications get high performance access to your keys and secrets... on your terms
Diagram: Microsoft Azure (IaaS, SaaS, PaaS); Import keys → HSM → Key Vault

Slide 24
Enhance data protection and compliance
- Increased security: Encrypt keys and small secrets like passwords using keys stored in tightly controlled and monitored Hardware Security Modules (HSMs)
- HSM protected keys: Import or generate your keys in HSMs for added assurance - keys never leave the HSM boundary
- Compliance: Comply with regulatory standards for secure key management, including the US Government FIPS 140-2 Level 2 and Common Criteria EAL 4+
- Monitoring: Monitor and audit key use through Azure logging – pipe logs into HDInsight or your SIEM for additional analysis (coming soon)
Roles:
- Security Operations (manages keys): Creates a Key Vault. Adds keys and secrets to the Vault. Grants permission to specific application(s) to perform specific operations, e.g. decrypt, unwrap. Enables usage logs. Tells the application the URI of the key / secret.
- Developer/IT Pro (deploys application): The application program uses the key or secret (and may abuse it) but never sees the keys.
- Auditor (monitors access to keys): Reviews usage logs to confirm proper key use and compliance with data security standards.

Slide 25
Azure Data Encryption - Data at Rest - Recap
Keys Management
- Azure Key Vault: Keys and Secrets controlled by customers in their key vault
- Authentication to Key Vault: Authentication to Key Vault uses Azure AD

Slide 26
Data Retention and Data Destruction
Is my data gone? Retention/backup
- Abandoned Data – Data is retained for 90 days and available if the customer comes back, then subsequently deleted
- Customer Deletion – Delete data at any time
Is my data really gone? Destruction?
- Defective Disks – Destroyed on-site
- Decommission – Azure follows DoD data wiping standards

Slide 27
Azure Access Control & Auditing

Slide 28
Fundamentals are key!
All data is encrypted, though not done yet
- Mitigate risk of compromised accounts
  - Multi-Factor Authentication (Azure MFA / Windows Server ADFS)
- Limit excessive permissions – least privilege
  - Azure AD Role Based Access Control (RBAC)
  - Azure AD Privileged Identity Management (temporary/'JIT' access controls)
- Detect insider compromise or abuse of privileges
  - Azure auditing and logging
  - Azure AD anomaly detection and analysis

Slide 29
Compromised accounts
- Accounts with weak authentication methods (passwords) can be compromised (e.g. spear-phishing)
- Secure your user accounts with Azure MFA
  - Can be used with Azure Active Directory or Windows Server Active Directory Federation Services (ADFS)
  - Provides a second factor (e.g. phone or device)
- Secure your user accounts with Smart Cards with Windows Server ADFS & AAD
  - Use your existing PKI (Smart Card, Virtual Smart Card) to secure accounts by using Azure AD accounts federated to your on-premises infrastructure

Slide 30
Multi-Factor Authentication Flow
Diagram components: On-Premises App; Windows Server ADFS; Multi-Factor Authentication Server (on-premises); Azure Active Directory; Multi-Factor Authentication Service (cloud)
- Option 1: Use Azure MFA in Azure Active Directory with a Phone Authorization step
- Option 2: Use existing on-premises ADFS for Smart Card / Virtual Smart Card or Phone Authorization

Slide 31
Limiting Permissions
- Permissions to sensitive data should follow the 'least privilege' principle – only grant the access necessary for the role.
- Azure RBAC (20 built-in roles, custom coming soon)
  - General: Readers, Contributors, Owners
  - Resource Specific: e.g. VirtualMachine-Contributor, SQLDB Contributor ...
  - Assign Users, Groups, and Service Principals
- Key Vault Access Control
  - Very fine grained access controls to key vaults for user and service principals
  - Create, verify, sign, wrap/unwrap, etc. (able to enforce segregation of duties)

Slide 32
Azure Role Based Access Control
- Assign roles to users and groups at subscription, resource group, or resource level
- Assignments inherit down the hierarchy
- Use built-in roles with pre-configured permissions: 20 built-in roles
- Create custom roles (coming soon)
Diagram: Subscription → Reader, Contributor, Owner

Slide 33
RBAC Example
Resource Group == EmployeeBenefitsApp (Virtual Machines, SQL DB, Storage Accounts)
EmployeeBenefitsApp Role Assignments:
- Owners == HR IT Admins
- Contributors == HR IT DevOps Team
- Readers == HR Benefits Team

Slide 34
Controlling privileged accounts
- Superuser accounts have special risk and deserve special management.
- Enable "Just In Time" (JIT) privileged access
  - Reduces attack surface from multiple different types of attacks (compromised accounts, XSS, etc.)
  - Also prevents common operational mistakes ("I thought I was deleting the test tenant")
  - Enhances monitoring of admin activity – and understanding of how often privileged access is used
- Microsoft uses this paradigm to protect Azure
  - No standing access
  - Temporary, specifically scoped elevations to resolve incidents & provide support
- Customers can now benefit from this learning – Azure AD Privileged Identity Management

Slide 35
Azure AD PIM
- Discover current admin permissions in one view
- Set temporary authorization policies for Azure AD management roles
- Global, billing, password, service, and user administrators can use PIM
- Collect justification & work item reference for every elevation/activation
- Coming soon – support for Azure RBAC

Slide 36
View permissions & set policies
- Simple view of all admin role assignments
- Track overall % of permanent vs. temporary authorizations
- Set policies to transition permanent role assignments to temporary assignments

Slide 37
Request role activation / elevation
- Simple process for accounts to activate their role assignment
- Permissions automatically removed at end of policy duration
- Collect justification (and optional work item ID + source)

Slide 38
Auditing & logging
- Effective auditing is foundational for monitoring user activity (and thus detecting attacks)
- Azure management operations are audited
  - Operation
  - User / client / source IP address
  - Available in the UI or by querying the service management API
- Azure Active Directory management audit
  - All tenant admin activity logged – these are the 'global' admins, largest impact if compromised
- Azure AD PIM admin activations audit

Slide 39
Management Auditing

Slide 40
Management Auditing – Detail
- Operation, user, client IP, and success/failure are audited
- All logs are available via REST APIs as well, for import into SIEM systems:
  GET https://management.core.windows.net/<subscription-id>/operations

Slide 41
Monitoring admin elevations with PIM
- See clearly who is regularly using admin permissions, and the reasons
- Supports the overall oversight and role/permission management program

Slide 42
Azure AD login anomaly detection
- Detect potentially compromised accounts (impossible travel)
- Detect potential brute force attempts
- Get active notifications

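As an added example (not Microsoft's detection logic), this Go function implements the "impossible travel" signal named on the slide over constructed sign-in events: two successive successful sign-ins by one user whose implied speed exceeds what a flight could cover are flagged. The Login type, the geolocation inputs and the 1000 km/h and 100 km thresholds are assumptions of the example.

```go
package main

import (
	"math"
	"sort"
	"time"
)

// Login is one sign-in event: who, when, the geolocation of the source IP and
// whether authentication succeeded. Constructed for this example; real Azure AD
// sign-in records carry more fields.
type Login struct {
	User     string
	At       time.Time
	Lat, Lon float64
	Success  bool
}

// Tunables: two successful sign-ins implying travel faster than a commercial
// flight cannot both be the legitimate user; very short hops are ignored because
// IP geolocation is only accurate to roughly a city.
const (
	maxSpeedKmh = 1000.0
	minDistKm   = 100.0
)

// distanceKm is the great-circle distance between two coordinates (haversine).
func distanceKm(lat1, lon1, lat2, lon2 float64) float64 {
	rad := math.Pi / 180
	dLat, dLon := (lat2-lat1)*rad, (lon2-lon1)*rad
	a := math.Pow(math.Sin(dLat/2), 2) +
		math.Cos(lat1*rad)*math.Cos(lat2*rad)*math.Pow(math.Sin(dLon/2), 2)
	return 2 * 6371 * math.Asin(math.Sqrt(a))
}

// ImpossibleTravel returns, sorted, every user with two consecutive successful
// sign-ins whose implied speed exceeds maxSpeedKmh. Failed attempts are ignored.
func ImpossibleTravel(events []Login) []string {
	byUser := map[string][]Login{}
	for _, e := range events {
		if e.Success {
			byUser[e.User] = append(byUser[e.User], e)
		}
	}
	var flagged []string
	for user, ls := range byUser {
		sort.Slice(ls, func(i, j int) bool { return ls[i].At.Before(ls[j].At) })
		for i := 1; i < len(ls); i++ {
			km := distanceKm(ls[i-1].Lat, ls[i-1].Lon, ls[i].Lat, ls[i].Lon)
			hours := ls[i].At.Sub(ls[i-1].At).Hours()
			if km >= minDistKm && (hours <= 0 || km/hours > maxSpeedKmh) {
				flagged = append(flagged, user)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}
```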
Slide 43
Auditing permissions
- Question: How many of you can enumerate all permissions in your entire environment? This is a really challenging problem.
- With Azure Resource Manager & RBAC, this is now trivial
- Easily export and analyze all permissions in your whole environment

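To make the inheritance rule from the RBAC slides concrete, and to show the permission export this slide describes, here is an added Go example (not Azure's implementation) that resolves effective permissions from assignment records at subscription, resource-group and resource scope. The scope path format, the Assignment type and the three permission names are assumptions of the example.

```go
package main

import (
	"sort"
	"strings"
)

// Assignment binds a principal (user, group or service principal) to a role at a
// scope: the subscription, a resource group, or a single resource.
type Assignment struct{ Principal, Role, Scope string }

// Permissions granted by the three general built-in roles named in the deck.
var rolePerms = map[string][]string{
	"Reader":      {"read"},
	"Contributor": {"read", "write"},
	"Owner":       {"read", "write", "manageAccess"},
}

// inScope reports whether an assignment made at scope applies to resource:
// assignments inherit down the hierarchy, so a parent scope covers every child.
func inScope(scope, resource string) bool {
	return resource == scope || strings.HasPrefix(resource, scope+"/")
}

// EffectivePermissions resolves what principal can do on resource by unioning
// every assignment whose scope is the resource itself or one of its ancestors.
func EffectivePermissions(as []Assignment, principal, resource string) []string {
	set := map[string]bool{}
	for _, a := range as {
		if a.Principal == principal && inScope(a.Scope, resource) {
			for _, p := range rolePerms[a.Role] {
				set[p] = true
			}
		}
	}
	out := make([]string, 0, len(set))
	for p := range set {
		out = append(out, p)
	}
	sort.Strings(out)
	return out
}

// ExportPermissions answers the "enumerate all permissions" question: one entry
// per (principal, resource) pair with any access, keyed "principal @ resource".
func ExportPermissions(as []Assignment, resources []string) map[string][]string {
	report := map[string][]string{}
	for _, a := range as {
		for _, r := range resources {
			key := a.Principal + " @ " + r
			if _, seen := report[key]; !seen && inScope(a.Scope, r) {
				report[key] = EffectivePermissions(as, a.Principal, r)
			}
		}
	}
	return report
}
```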
Slide 44
In Closing...
Microsoft Azure helps you enable data protection:
- Trusted cloud platform
- Provide broad support for encryption solutions to encrypt your data
- Allow control of your encryption keys and storage
- Allow securing and managing admin accounts
- Allow auditing, logging, and advanced detection tools for monitoring accounts

Slide 45
Related Sessions at Ignite
- BRK2706 – Introduction to Microsoft Azure Key Vault
- BRK2482 – Data Center Security and Assurance
- BRK2570 – Overview of Microsoft SQL Server Security Futures
- BRK3457 – Harden the Fabric, Protecting Tenant Secrets in Hyper-V
- BRK3336 – Running Linux in Azure
- BRK2707 – Roles Based Access Control for Microsoft Azure
- BRK3873 – Protecting Windows and Microsoft Azure Active Directory with Privileged Access Management

Slide 46
Learning references
- Azure Trust Center (security and privacy): http://azure.microsoft.com/en-us/support/trust-center/
- Azure Active Directory: http://azure.microsoft.com/en-us/services/active-directory/
- Azure RBAC: http://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure
- Azure MFA: http://azure.microsoft.com/en-us/services/multi-factor-authentication/
- Azure PIM: http://blogs.technet.com/b/ad/archive/2015/05/04/azure-cloud-app-discovery-ga-and-our-new-privileged-identity-management-service.aspx
- StorSimple: http://www.microsoft.com/en-us/server-cloud/products/storsimple/
- SQL Server TDE: http://msdn.microsoft.com/en-us/library/bb934049.aspx
- Always On with TDE: http://blogs.msdn.com/b/alwaysonpro/archive/2014/01/28/how-to-enable-tde-encryption-on-a-database-in-an-availability-group.aspx
- Azure SQL DB: http://azure.microsoft.com/en-us/services/sql-database/
- BitLocker tools: http://technet.microsoft.com/en-us/library/jj647767.aspx
- Encrypting with .Net: http://msdn.microsoft.com/en-us/library/System.Security.Cryptography(v=vs.110).aspx
- Storage Client-Side Encryption: http://blogs.msdn.com/b/windowsazurestorage/archive/2015/04/28/client-side-encryption-for-microsoft-azure-storage-preview.aspx
