Security in Windows Azure
Mihai Tataran
General Manager, Avaelgo & Avaelgo Training
Microsoft MVP on Windows [email protected]
Agenda
• General considerations on Security
• Typical threats and attacks
• Applying to Windows Azure
• Security Development Lifecycle
• How to protect
General considerations
• What to secure: network, host, data, application
• Stuff which falls between the cracks
• Think about security holistically
  • Technology
  • People
Security frame
• We need to organize security knowledge in a set of actionable items
  • Auditing
  • Authentication and Authorization
  • Communication
  • Configuration Management
  • Cryptography
  • Exception Management
  • Sensitive Data
  • Session Management
  • Validation
Threats and attacks
• Auditing:
  • Disclosure of confidential information from log files
  • Denial of service
• Authentication:
  • Network eavesdropping
  • Brute force / dictionary attacks
  • Cookie replay
  • Credential theft
• Authorization:
  • Elevation of privilege
  • Token stealing
Threats and attacks
• Communication:
  • Failure to encrypt messages
  • Theft of encryption keys
  • Man in the middle
  • Session replay
  • Data tampering
• Configuration Management:
  • Unauthorized access to config stores
• Cryptography:
  • Encryption cracking
  • Loss of decryption keys
Threats and attacks
• Exception Management:
  • Information disclosure
  • Denial of service
  • Elevation of privilege
• Input validation:
  • Cross site scripting, Cross site request forgery
  • SQL Injection
  • XML bomb
• Sensitive data:
  • Memory dumping
  • Sniffing
Applying to Windows Azure – short intro
• What is the Cloud
• What is Windows Azure
• Its advantages and disadvantages
Applying to Windows Azure – what to protect
• Virtual Machines
• Virtual Network
• SQL Database
• Azure Storage
• Application
• Caching
• Etc.
Applying to Windows Azure - infrastructure
• Port scanning: the only open ports are those defined by us!
• Denial of service:
  • External: depends on our settings, but the Fabric Controller tries to identify the attacks
  • Internal: all DoS attacks initiated from internal VMs will result in removing those VMs from the network
• Spoofing: compromised machines cannot impersonate VMs from the Fabric Controller (broadcast and multicast are blocked, HTTPS between VMs and FC)
• Sniffing: the Hyper-V switch prevents sniffing from a VM to another VM on the same host; rack switches block it to other VMs
• VMs are untrusted by the Root OS / Hypervisor
Applying to Windows Azure - application
• Use custom domains instead of myapp.cloudapp.net and scope cookies to your custom domain; scripting!
• Access to Azure Storage using Shared Access Signatures; attention to REST query injection
• SQL Database: pay attention to SQL Injection; no TDE
• Auditing -> Azure Tables
• Authentication using Azure's ACS, Azure AD, Windows Identity Foundation -> rely on existing patterns and user stores!
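The Shared Access Signature bullet above, as an added example that is not part of the original slides: it builds a read-only, short-lived SAS for one blob using a constructed account name and key, assumes the 2012-02-12 service SAS string-to-sign layout (later API versions differ), and rejects caller-supplied blob names that could alter the signed resource or query string.

```python
import base64
import hashlib
import hmac
import urllib.parse
from datetime import datetime, timedelta, timezone

# Constructed sample account and key (Azure keys are base64 strings); not real.
ACCOUNT = "contosostore"
ACCOUNT_KEY = base64.b64encode(b"0123456789abcdef0123456789abcdef").decode()


def _iso(ts):
    # SAS timestamps are UTC, formatted as YYYY-MM-DDTHH:MM:SSZ
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def make_blob_sas(container, blob, permissions="r", lifetime_minutes=15,
                  now=None, version="2012-02-12"):
    """Build a least-privilege service SAS for a single blob.

    Assumes the 2012-02-12 string-to-sign layout (permissions, start, expiry,
    canonicalized resource, identifier, version). Later API versions add
    fields and prefix the resource with /blob, so match the version you target.
    """
    if not permissions or set(permissions) - set("rwd"):
        raise ValueError("blob SAS permissions must be a subset of r, w, d")
    if any(ch in blob for ch in "/?&#"):
        # Path or query characters in a caller-supplied name would let the
        # caller change which resource or query the signed URL refers to.
        raise ValueError("blob name contains unsafe characters")
    now = now or datetime.now(timezone.utc)
    start = _iso(now - timedelta(minutes=1))  # tolerate small clock skew
    expiry = _iso(now + timedelta(minutes=lifetime_minutes))
    resource = f"/{ACCOUNT}/{container}/{blob}"
    # signedidentifier is empty: no stored access policy, all limits are inline
    string_to_sign = "\n".join([permissions, start, expiry, resource, "", version])
    key = base64.b64decode(ACCOUNT_KEY)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    params = {"sv": version, "st": start, "se": expiry, "sr": "b",
              "sp": permissions, "sig": base64.b64encode(digest).decode()}
    return urllib.parse.urlencode(params)


def signed_url(container, blob, **kwargs):
    # The SAS is appended to the blob URL; hand out this URL, never the key.
    path = urllib.parse.quote(f"/{container}/{blob}")
    query = make_blob_sas(container, blob, **kwargs)
    return f"https://{ACCOUNT}.blob.core.windows.net{path}?{query}"
```

Because the signature covers the permissions, expiry and resource, a holder of the URL cannot widen any of them without the account key.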
DEMO
• Attacker gets sensitive information from a Windows Azure Storage account
  • ARP Poisoning
  • Sniffing
  • Just a bit of luck
Conclusion
• Azure's infrastructure is very secure
• But our artefacts: app, data, etc. – not necessarily
References
• Azure Security Notes: http://blogs.msdn.com/b/jmeier/archive/2010/08/03/now-available-azure-security-notes-pdf.aspx