Module 3 - Security, Privacy, Compliance and Trust

Securing Network Connectivity

Defense in Depth

  • Series of mechanisms to slow the advance of an attack and provide alert that can be acted upon, either automatically or manually.
  • CIA:
    • Confidentiality = principle of least privilege = restricts access to only information needed
    • Integrity = prevention of unauthorized changes to information at rest or in transit
      • One-way hashing algorithm
    • Availability = Ensure services are available to authorized users.
      • Denial of service attacks
  • Layers of protection:
    • Physical security
    • Identity and access control = authentication and authorization
    • Perimeter = DDoS protection
    • Networking by segmentation and filtering
    • Compute secures access to VMs
    • Application
  • Shared security = Security is a concern shared by both cloud providers and customers

image-1589892949060.png

Azure Firewall

  • Firewall = a service that grants server access based on source IP of each requests
  • Azure Firewall = managed, cloud-based, network security service that protects VNET resources.
    • Fully stateful
    • Use static public IP address for outgoing traffic so outside firewalls can identify 
  • Azure Application Gateway = also provide a firewall called Web Application Firewall (WAF)

Azure DDoS Protection

  • DDoS attack attempt to overwhelm and exhaust application's resources making it slow or unresponsive
  • DDoS protection leverages the scale and elasticity of Microsoft's global network to distribute and mitigate attack
  • The service protects applications by scrubbing traffic at Azure network edge
  • Service tier:
    • Basic = automatically enabled as part of the platform, same defense as Microsoft's online services
    • Standard = provides additional mitigation tuned specifically to VNet resources using traffic monitoring and ML. Can mitigate these types of attacks:
      • Volumetric attacks = flood the network layer with seemingly legitimate traffic
      • Protocol attacks = by exploiting a weakness in the layer 3 and 4 protocol stack
      • Resource (application) layer attacks = target the traffic packets to disrupt the transmission

Network Security Group (NSG)

  • Network Security Groups allow to filter network traffic to and from Azure resources in VNet.
  • Comprise of inbound and outbound security rules with following properties:
    • Name
    • Priority - lower is higher priority
    • Source or Destination - IP address, range, service tag, or application security group
    • Protocol - TCP, UDP, Any
    • Direction - inbound or outbound
    • Port
    • Action - Allow or deny
  • Some default rules are automatically created to provide a baseline level of security which cannot remove but can override

Application Security Group

  • Application security groups allow you to group VMs and define security policies based on that group without maintaining individual IP addresses
  • This is to minimize the impact if a VM is compromised

Choosing Network Security Solution

  • Perimeter layer - network-based attacks
    • Azure DDoS Protection for large-scale attacks
    • Azure Firewall to identify and alert
  • Networking layer - limit network connectivity to only what is required
    • Segment resources with VNet
    • NSGs with deny by default, limit inbound
  • Combining services:
    • NSG + Azure Firewall
    • Application Gateway WAF + Azure Firewall for web and non-HTTP protocol

Core Azure Identity Services

Authentication and Authorization

  • Authentication (AuthN) - process of establishing the identity - "they are who they say they are"
  • Authorization (AuthZ) - what level of access the person has, what data allowed to access and what can do with it

Azure Active Directory (Azure AD)

  • Azure Active Directory is cloud identity and access management service for both external and internal resources.
  • Provided services:
    • Authentication - verifying identity + self-service password reset, multi-factor authentication (MFA), etc.
    • Single Sign-On (SSO) - user remember only one id and password to access multiple applications. Simplify the security model.
    • Application management - using Azure AD Application Proxy, SSO, My apps portal (Access Panel), SaaS apps.
    • Business to business (B2B) - manage guest users and external partners
    • Business to customer (B2C) - how user sign up, sign in, manage profiles
    • Device Management - for devices accessing your corporate data
  • Those who already using Microsoft 365, Microsoft Office 365, Azure, Microsoft Dynamics CRM Online are already using Azure AD.

Azure Multi-factor Authentication (MFA)

  • Azure MFA verifies identity  by requiring two or more elements for full authentication such as:
    • Something you know - password, answer to security question
    • Something you possess - mobile app, token
    • Something you are - biometric, fingerprint
  • MFA comes with:
    • Azure AD Premium Licenses - both service (cloud) or server (on-premise)
    • Multi-Factor Authentication for Office 365 - part of Office 365 subscription
    • Azure AD Global Admin - MFA is available for sensitive global admin account by default

Security Tools and Features

Azure Security Center

  • Azure Security Center is a monitoring service which can:
    • Provide security recommendations
    • Monitor security settings and automatically apply required security to the new services
    • Perform automatic security assessments
    • Use ML to detect and block malware on VM and services. Can also define a list of apps the can be executed.
    • Analyze and identify potential inbound attack, help investigate threats and post-mortem activity
    • Just-in-time (JIT) access control for ports
  • Azure Security Center Tier:
    • Free - limited to assessments and recommendations of Azure resources only
    • Standard - Full suite. You need to be Owner, Contributor, or Security Admin to upgrade to

Usage Scenarios

  • 1. Incident Response
    • Incident response plan before the attack occur
    • Security Center can be used during three stages:
      • Detect - high-priority security alert
      • Assess - obtain more information about suspicious activity
      • Diagnose - technical investigation + identify containment, mitigation, and workaround
  • 2. Enhance Security
    • Security Policy = sets of controls that are recommended for resources within subscription or resource group
    • When potential security vulnerabilities are identified, it creates recommendations based on the control set in the policy
  • More scenarios can be found here

Key Vault

  • Azure Key Vault is centralized service storing application secrets
  • Usage scenarios:
    • Secret management - password, token, keys, certificates
    • Key management - encryption keys
    • Certificate management - SSL/TLS certificates
    • Secrets backed by Hardware Security Modules (HSMs)
  • Benefits:
    • Centralized - reduce risk of leakage
    • Secured - industry standard algorithms, key length, HSM
    • Monitor - and control access
    • Simplified - Enroll and renew certificates from public CA
    • Integrate with other Azure services - storage account, container registries, event hubs, etc.

Azure Information Protection (AIP)

  • Azure Information Protection (AIP) helps organization classify and (optionally) protect by applying labels either automatically or manually or both
  • Admin can configure a label with rules that detect sensitive data. Tooltip recommends user for labeling.
  • Labeled  content can be tracked and controlled.
  • MSIP can be purchased as a standalone solution or through one of license suites e.g. Microsoft 365 Enterprise
  • More information about pricing is on this page 

Azure Advanced Threat Protection (ATP)

  • Azure ATP identifies , detects, and helps investigate:
    • advanced threats
    • compromised identities
    • malicious insider actions
  • Components:
    • Azure ATP Portal - its own portal to monitor and response to suspicious activity received from ATP sensors
    • Azure ATP sensor - installed on domain controllers and monitors its traffic
    • Azure ATP Cloud service - on cloud and connected to Microsoft's Intelligent security graph
  • Can be purchased as part of EMS license suite (pricing page) or as standalone license.
  • Cannot purchase from Azure portal.

Azure Governance Methodologies

Azure Policy

  • Azure Policy is a service to enforce different rules that effect over your resources to stay complaint with corporate SLA
  • It runs evaluations against resources and scans for those not complaint e.g. allowed SKU size of VM
  • Comes with built-in policy definitions that can be leveraged
  • Can integrate with Azure DevOps by applying CI/CD pipeline policies to pre-deployment and post-deployment stages
  • Can automatically remediate resources and configurations

Implementing Azure Policy

  • 1. Create policy definition - expresses what to evaluate and what action to take, for example:
    • Preventing VM to deploy if it exposes public IP address
    • Allowed storage SKUs
    • Allowed resource type
    • Allowed location
    • Allowed VM SKUs
    • More examples can be found here
  • 2. Assign definition to a scope - policy assignment is definition that assigned to take place within a specific scope
    • Inherited by all child resources
  • 3. Review the evaluation result - it marks resource as complaint or non-complaint
    • Evaluation happens once an hour

Policy Initiatives

  • An initiative definition is a set of policy definitions
  • Reduce the need to make several initiative definitions for each scope
  • Initiative assignment is initiative definition that assigned to specific scope, like policy assignment
  • Recommended to create initiative even you have only one policy as it will increase over time

Role-Based Access Control (RBAC)

  • RBAC provides fine-grained access management.
  • Grant users only the rights they need to perform their jobs
  • Access Access Control (IAM) blade to view access permissions
  • RBAC uses allow model to allow you to perform certain actions
  • Best practices:
    • Using RBAC to segregate duties instead of granting everybody unrestricted permissions
    • Grant users the lowest privilege level that they need

Resource Locks

  • Resource locks prevent accidental deletion or modification.
  • Available in settings section of any resources
  • Lock level:
    • CanNotDelete - can still read and modify
    • ReadOnly - acts same as Reader role

Azure Blueprints

  • Azure Blueprint define a repeatable set of Azure resources that implement and comply with organization standard, pattern, or requirements.
  • It is a declarative way to orchestrate the deployment of various resource template such as:
    • Role assignments
    • Policy assignments
    • ARM templates
    • Resource groups
  • Process:
    • Create
    • Assign
    • Track assignments
  • Blueprint definition = what should be deployed
  • Blueprint assignment = what was deployed
  • ARM template has no active relationship with the deployed resources
  • Blueprint enables resources to be maintained after deployment and improves auditing and tracking capabilities
  • Blueprint can be used in Azure DevOps which can be associated with specific build artifacts and release pipelines

Subscription Governance

  • Three aspects:
    • Billing - charge back to multiple internal departments
    • Access Control - with Azure AD and RBAC, you can separate subscription for Development and Production
    • Subscription Limits - Each subscription is bounded to some hard limitations e.g. Maximum 10 Express Route circuits per subscription. No flexibility to these limits. More information about limits is on this page.

Monitoring and Reporting

Tags

  • Apply tags to resources to logically organize them into a taxonomy.
  • Each tag comprises of a name and a value pair
  • You can use tags to group resources from different resource group
  • Limitations:
    • Not all resources support tags
    • Most of resources support up to 50 tags. Use JSON string for tag value for more.
    • Tag name is limited to 512 characters
    • Tag value is limited to 256 characters
    • Storage account supports only 128/256 characters
    • VM and VM Scale Sets supports up to 2048 characters for both name and value
    • Tags are not inherited by child resources
  • You can use Azure Policy to enforce tagging values and rules

Azure Monitor

  • Azure Monitor collects, analyze on telemetry of your resources to maximize availability and performance of your applications
  • Data collected:
    • Application monitoring - performance, functionality
    • Guest OS monitoring - OS data from anywhere within or outside Azure
    • Azure resource monitoring - operations of resource
    • Azure subscription monitoring - operations and management of subscription + health and operation of Azure itself
    • Azure tenant monitoring - tenant-level services i.e. Azure AD
  • Diagnostic Settings - Azure starts collecting data once you create resources
    • Activity Logs
    • Metrics
  • Enabling diagnostics you extend the collected data into the actual operation of the resources by adding an agent on compute resource:
    • Enable guest-level monitoring
    • Performance counters
    • Event logs
    • Crash dumps
    • Sink - send diagnostic data to other service
    • Agent - settings

Azure Service Health

  • Azure Service Health provides personalized guidance and support when issues with Azure Services affect you.
  • Can also help to prepare for planned maintenance and changes
  • Comprise of:
    • Azure Status - global view of health status of Azure services with up-to-minute information
    • Service Health - customized dashboard of your services in the regions where you use them
      • Health history kept up to 90 days
      • Health alert can be created to notify
    • Resource Health - diagnose and obtain support when your resources are affect by Azure issue.
      • Current and past state
      • Technical information and support to mitigate problem
      • Personalized dashboard of your resources
      • Showtimes in the past when your resources were unavailable because of Azure service problems

Monitoring Applications and Services

  • Azure Monitor includes features for deeper look into your applications, such as:
    • Application Insights
    • Container Insights
  • Four categories:
    • Analyze
      • Application Insights - leverages Log Analytics
      • Azure Monitor for Containers - performance visibility of controllers, nodes, containers through metrics API
      • Azure Monitor for VMs - Windows or Linux, Both Azure and non-Azure VMs
    • Response - sending texts or emails
      • Alert - rules based on metrics or logs
      • Autoscale - create rules that use metrics, you can specify minimum and maximum of instances
    • Visualize - leverages other Azure services for publishing data for different audiences, include:
      • Dashboard
      • Views
      • Power BI
    • Integrate with other systems for customized solutions

Privacy, Compliance and Data Protection Standards

Compliance Terms and Requirements

  • Questions to ask cloud provider:
    • How complaint is the cloud provider when handling sensitive data?
    • How complaint are the services offered by the cloud provider?
    • How can I deploy solutions that have accreditation or compliance requirements?
  • Microsoft Compliance Framework enables Microsoft to design and build using common set of controls, streamlining compliance across a range of regulations
  • Offerings:
    • CJIS = FBI's Criminal Justice Information Services for law enforcement personnel
    • CSA STAR Certification = based on ISO/IEC 27001 cloud security 
    • General Data Protection Regulation (GPDR) = European privacy law released May 25, 2018
      • Rules on companies or any organization that collect and analyze data tied to EU residents regardless of locations.
    • EU Model Clauses = transfer personal data outside of EU
      • This allows customers to move data freely through Microsoft's cloud regions
    • HIPAA = Health Insurance Portability and Accountability Act regulates patient Protected Health Information (PHI).
      • Azure offers customers a HIPAA Business Associate Agreement (BAA)
      • Microsoft offers a BAA as a contract addendum
    • ISO/IEC 27018 covering the processing of personal information by cloud service providers
    • Multi-Tier Cloud Security (MTCS) Singapore - Microsoft receives for all three IaaS, PaaS, SaaS
    • Service Organization Controls (SOC) 1, 2, and 3 - audited at least annually against SOC report framework by 3rd-party provider
    • National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) - voluntary framework
      • Best practices to manage cybersecurity-related risks
    • UK Government G-Cloud - certification for services used by government entities in the United Kingdom
  • Microsoft provides the most comprehensive set of compliance offerings. More detail can be found here.

Microsoft Privacy Statement

Trust Center

  • Trust Center is a website resource  containing information and detail about:
    • How Microsoft implements and supports security, privacy, compliance, and transparency in all products and services
    • Provides support and resources for legal and compliance community

Service Trust Portal

  • Service Trust Portal (STP) hosts the Compliance Manager service i.e. the public site for publishing audit reports and other compliance-related information
  • Companion feature to the Trust Center:
    • Access audit reports
    • Access compliance guides
    • Access trust documents
  • You must sign in ans accept Non-disclosure Agreement (NDA) to access materials

Compliance Manager

  • Compliance Manager is workflow-based risk assessment dashboard within Trust Portal
  • Enable you to track, assign, and verify your organization's regulatory compliance activities related to Microsoft cloud services
  • Provide on-going risk assessments with scores
  • Provide recommended actions you can take to improve regulatory compliance
  • The actions in the dashboard is recommendation only. Should not interpreted as a guarantee of compliance.

Azure Government Services

  • Azure Government is a separated instance of Azure services that addresses the security and compliance osf US federal agencies, state, and local governments, and their solution providers.
  • Physical separation from non-US government instances
  • Located only in the US
  • Six datacenter regions
  • There are some differences of services provided in these regions
  • Detail available here

Azure China 21Vianet

  • Azure China is operated by 21Vianet
  • Physically separated instance located in China
  • Independently operated and transacted by Shanghai Blue Cloud Technology Co., Ltd. ("21Vianet")
  • Required by Chinese regulations (China Telecommunication Regulation) that all cloud services (IaaS and PaaS) must have telecom permits. Only local companies with <50% foreign investment qualify for the permit.
  • You need to rehost or refactor to operate in China region