ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid them
1 like476 views
As presented at the (ISC)2 EMEA Secure Summit. Karl Ots has assessed the security of over 100 solutions built on the Microsoft Azure cloud. He has found that there are 6 key security pitfalls that are common across all industry verticals and company sizes. In this session, he will share what these security pitfalls are, why do they matter and how to mitigate them. 1. Upon completion, participant will know the most common threat vectors in real-life Microsoft Azure applications across all industries and company sizes.2. Upon completion, participant will be able to effectively articulate the presented risks to both software developers and technical decision makers.3. Upon completion, participant will be able to remediate the presented risks and focus their security investments in the most effective controls
More Related Content
What's hot (20)
Similar to ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid them (20)
More from Karl Ots (14)
Recently uploaded (20)
ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid them
- 1. 15 -16 April 2019 | The Hague
- 2. Top Microsoft Azure security fails and how to avoid them Karl Ots, CISSP 15 -16 April 2019 | The Hague
- 3. @fincooper Karl Ots Managing Consultant karl.ots@zure.com • Cloud & cybersecurity expert • User group and conference organizer • Patented inventor • Working on Azure since 2011 • Helped to secure 100+ Azure applications, from startups to Fortune 500 enterprises • zure.ly/karl
- 4. @fincooper 13,7 100% 4,5 / 5 3 6. 32 / 34 experts years avg. Azure satisfaction Azure MVPs GPTW
- 5. What to expect from this session » Azure security landscape » Top Azure security fails I have wondered upon in my adventures • Why are they bad? • How to fix them? » Resources to help you secure your Azure environment, regardless of your current status
- 6. With great power comes great responsibility
- 7. Secure DevOps kit for Azure (AzSK) » Set of tools for assessing the security posture of your Azure environment » Built by Microsoft Core Services Engineering • Used to secure 1000+ Azure subscriptions at Microsoft » Easy to get started with non-intrusive platform scans, expands end-to-end tooling from developer machine to DevSecOps
- 8. Security fail #1 » Unprotected public endpoints • HTTP / RDP / SSH » Mitigation: • Every public IP is a risk and should be carefully reviewed • Use Network Security Groups to control access to / from virtual machines • Use Azure Security Center’s Just-in-time access to dynamically change NSG rules • Use Web Application Firewall to control access to public HTTP endpoints • Configure Service Endpoint Firewalls for PaaS services » AzSK Control ID: • Azure_Subscription_NetSec_Justify_PublicIPs
- 10. Security fail #2 » Every user is an Owner • …In the Subscription scope » Mitigation: • Default access scope should be Resource Group, not Subscription • Default RBAC access should be Contributor, not Owner • Service Principal RBAC assignments should follow the least privileged principle • Service Principals should NOT be granted access in the Subscription scope • Service Principals should NOT be granted Owner access in any scope » AzSK Control ID: • Azure_Subscription_AuthZ_Justify_Admins_Owners
- 11. Security fail #3 » Custom roles » Mitigation: • Do not use custom RBAC roles • Use careful scoping for built-in RBAC rules » AzSK Control ID: • Azure_Subscription_AuthZ_Custom_RBAC_Roles
- 13. Security fail #4 » Untrusted authorization provider being used • (Microsoft Account, Gmail, unmanaged or external Azure AD…) » Mitigation: • Always use trusted Azure AD authentication that is managed by your organization • Monitor Azure Subscription access using AAD PIM » AzSK control ID: • Azure_Subscription_AuthZ_Dont_Use_NonAD_Identities
- 15. Security fail #5 » Storage access keys used directly » Mitigation: • Storage Access Keys should be stored in Azure Key Vault and rotated programmatically • Use data pane RBAC roles (new) • Restrict access to Microsoft.Storage/storageAccounts/listkeys/action using RBAC » AzSK control ID: • Azure_Storage_DP_Rotate_Keys
- 16. Security fail #6 » Insufficient monitoring and alerting » Mitigation: • Configure Activity Log retention, default is only 90 days! • Enable Application Insight Smart Alerts • Enable Advanced Treat Protection for Azure SQL and Storage Accounts • Enable Azure SQL Audit logging • Monitor all HTTP endpoint traffic with Application Gateway / Web Application Firewall » AzSK control ID’s • Azure_AppService_Configure_Important_Alerts • Azure_Subscription_Config_Azure_Security_Center • Azure_SQLDatabase_Audit_Enable_Threat_Detection_Server
- 18. Resources » My slides: zure.ly/karl/slides » Secure DevOps Kit for Azure: • azsk.azurewebsites.net » Microsoft Ignite 2018 session THR2104 Assess your Microsoft Azure security like a pro: • zure.ly/karl/THR2104 » Whitepaper: Develop Secure Applications on Azure: • zure.ly/karl/secureapps