
Azure Security Overview

Azure provides security for its platform through central management, isolation of customer environments, hardened operating systems, and monitoring and alerting. Customers manage their own security within Azure by deploying virtual networks, network security groups, firewalls, and other controls. Azure also performs threat detection and denial of service prevention for the platform, while customers can add additional layers of protection.


AZURE SECURITY OVERVIEW

Architected for more secure multi-tenancy

Azure
• Centrally manages the platform and helps isolate customer environments using the Fabric Controller
• Runs a configuration-hardened version of Windows Server as the Host OS
• Uses Hyper-V, a battle-tested and enterprise-proven hypervisor
• Runs Windows Server and Linux on Guest VMs for platform services

Customer
• Manages their environment through service management interfaces and subscriptions
• Chooses from the gallery or brings their own OS for their Virtual Machines

Diagram: End Users and the Customer Admin reach Microsoft Azure through the Portal and SMAPI; Customer 1 and Customer 2 Guest VMs run on the Hypervisor and Host OS under the Fabric Controller, alongside Azure Storage and SQL Database.
2
Monitoring & Alerting

Azure
• Performs monitoring & alerting on security events for the platform
• Enables security data collection via Monitoring Agent or Windows Event Forwarding

Customer
• Configures monitoring
• Exports events to SQL Database, HDInsight or a SIEM for analysis
• Monitors alerts & reports
• Responds to alerts

Diagram: customer VMs (Guest VMs, Cloud Services) with the Monitoring Agent enabled write Events into customer storage; the Customer Admin works through the Portal and SMAPI; event information is extracted to SQL Database, HDInsight, or a SIEM or other reporting system for alerting & reporting.
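The slide leaves the "monitors alerts and responds" step abstract. The following is an added example, not code from the deck or from Microsoft: a small detection rule run over security events exported from VMs, flagging a burst of failed logons from one source and raising severity when a successful logon follows. The event field names and the sample records are constructed for this example; a real Windows Event Forwarding or Monitoring Agent export would need its own field mapping.

```python
"""Added example (not part of the original deck): an alert rule over exported
security events. Field names and sample records are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export in the shape a Monitoring Agent / Windows Event
# Forwarding pipeline might produce (4625 = failed logon, 4624 = successful logon).
SAMPLE_EVENTS = [
    {"time": "2024-01-01T10:00:00", "event_id": 4625, "host": "web01", "user": "svc_deploy", "src_ip": "203.0.113.7"},
    {"time": "2024-01-01T10:00:20", "event_id": 4625, "host": "web01", "user": "svc_deploy", "src_ip": "203.0.113.7"},
    {"time": "2024-01-01T10:00:40", "event_id": 4625, "host": "web02", "user": "svc_deploy", "src_ip": "203.0.113.7"},
    {"time": "2024-01-01T10:01:00", "event_id": 4625, "host": "web02", "user": "admin", "src_ip": "203.0.113.7"},
    {"time": "2024-01-01T10:01:20", "event_id": 4625, "host": "web01", "user": "admin", "src_ip": "203.0.113.7"},
    {"time": "2024-01-01T10:01:40", "event_id": 4625, "host": "web01", "user": "admin", "src_ip": "203.0.113.7"},
    {"time": "2024-01-01T10:03:00", "event_id": 4624, "host": "web01", "user": "admin", "src_ip": "203.0.113.7"},
    {"time": "2024-01-01T09:15:00", "event_id": 4625, "host": "app01", "user": "jdoe", "src_ip": "198.51.100.9"},
    {"time": "2024-01-01T11:40:00", "event_id": 4625, "host": "app01", "user": "jdoe", "src_ip": "198.51.100.9"},
]


def detect_failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed logons inside any `window`.
    A successful logon from the same source after the burst raises severity."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src_ip"]].append((datetime.fromisoformat(ev["time"]), ev))

    alerts = []
    for src_ip, timed in by_src.items():
        timed.sort(key=lambda t: t[0])
        failures = [t for t, ev in timed if ev["event_id"] == 4625]
        best, first_of_burst, start = 0, None, 0
        for end in range(len(failures)):          # sliding window over sorted failure times
            while failures[end] - failures[start] > window:
                start += 1
            if end - start + 1 > best:
                best, first_of_burst = end - start + 1, failures[start]
        if best < threshold:
            continue
        success_after = any(ev["event_id"] == 4624 and t >= first_of_burst for t, ev in timed)
        alerts.append({
            "rule": "failed-logon-burst",
            "src_ip": src_ip,
            "failed_count": best,
            "hosts": sorted({ev["host"] for _, ev in timed if ev["event_id"] == 4625}),
            "severity": "high" if success_after else "medium",
        })
    return alerts


def to_siem_lines(alerts):
    """Serialise alerts as one JSON object per line, the usual shape for SIEM ingestion."""
    return [json.dumps(a, sort_keys=True) for a in alerts]


if __name__ == "__main__":
    for line in to_siem_lines(detect_failed_logon_bursts(SAMPLE_EVENTS)):
        print(line)
```

The threshold and window are the knobs an operator tunes per environment; the "high" severity on a burst followed by a success is what turns a noisy brute-force alert into one worth paging on.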

3
Threat Detection

Azure
• Performs big data analysis of logs for intrusion detection & prevention for the platform
• Employs denial of service attack prevention measures for the platform
• Regularly performs penetration testing

Customer
• Can add extra layers of protection by deploying additional controls, including DoS mitigation, IDS and web application firewalls
• Conducts authorized penetration testing of their application
4
DDoS System Overview

SUPPORTED DDOS ATTACK PROFILES
• TCP SYN
• UDP/ICMP/TCP Flood

DETECTION PROCESS
• Traffic to a given /32 VIP, inbound or outbound, is tracked, recorded, and analyzed in real time to determine attack behavior

MITIGATION PROCESS
• Traffic is re-routed to scrubbers via dynamic routing updates
• Traffic is SYN authenticated and rate limited

Diagram: Internet traffic enters the MSFT Routing Layer, which exports Flow Data to the Detection Pipeline backed by a Profile DB; Routing Updates divert Attack Traffic to the Scrubbing Array, and Scrubbed Traffic continues through the SLB to the Application.
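To make the detection and mitigation steps concrete, here is an added example (not the deck's or Microsoft's code): per-VIP SYN rates computed from flow samples are compared with a baseline profile, and a token-bucket rate limiter stands in for the "SYN authenticated and rate limited" scrubbing step. The profile DB, VIPs and flow records are constructed; real flow telemetry and the scrubbers' SYN authentication are considerably richer than this model.

```python
"""Added example (not part of the original deck): per-VIP SYN-flood detection
against a baseline, plus a token-bucket SYN rate limiter. All data is constructed."""
from collections import defaultdict

# Constructed "profile DB": expected SYN packets/second per /32 VIP.
BASELINE_SYN_PPS = {"198.51.100.10": 40.0, "198.51.100.11": 40.0}

# Constructed flow samples: (second, vip, protocol, tcp_flags, packets)
SAMPLE_FLOWS = [
    (0, "198.51.100.10", "tcp", "S", 40), (0, "198.51.100.10", "tcp", "A", 400),
    (1, "198.51.100.10", "tcp", "S", 40), (2, "198.51.100.10", "tcp", "S", 40),
    (3, "198.51.100.10", "tcp", "S", 600), (3, "198.51.100.10", "tcp", "S", 600),
    (3, "198.51.100.10", "tcp", "S", 600), (4, "198.51.100.10", "tcp", "S", 1500),
    (0, "198.51.100.11", "tcp", "S", 35), (1, "198.51.100.11", "tcp", "S", 45),
    (2, "198.51.100.11", "udp", "", 300), (3, "198.51.100.11", "tcp", "S", 38),
]


def is_syn(flow):
    _, _, proto, flags, _ = flow
    return proto == "tcp" and flags == "S"      # SYN without ACK


def syn_rate_per_second(flows):
    """{vip: {second: syn_packets}} aggregated from the flow samples."""
    rates = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_syn(f):
            rates[f[1]][f[0]] += f[4]
    return rates


def detect_syn_flood(flows, baseline, multiplier=10.0, floor_pps=500):
    """Alert when a VIP's peak SYN/s exceeds both an absolute floor and
    `multiplier` x its baseline; the alert names the mitigation action."""
    alerts = []
    for vip, per_sec in syn_rate_per_second(flows).items():
        second, peak = max(per_sec.items(), key=lambda kv: kv[1])
        base = baseline.get(vip, floor_pps)
        if peak > max(floor_pps, multiplier * base):
            alerts.append({"vip": vip, "second": second, "syn_pps": peak,
                           "baseline_syn_pps": base, "action": "reroute-to-scrubber"})
    return alerts


class TokenBucket:
    """Integer-second token bucket: `rate` tokens/s, at most `capacity` stored."""
    def __init__(self, rate, capacity):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = capacity, 0

    def take(self, now, wanted):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        granted = min(wanted, self.tokens)
        self.tokens -= granted
        return granted


def scrub_syn(flows, vip, rate=500, capacity=500):
    """Rate-limit SYN packets for one VIP; returns (passed, dropped) SYN counts."""
    bucket = TokenBucket(rate, capacity)
    passed = dropped = 0
    for f in sorted((f for f in flows if f[1] == vip and is_syn(f)), key=lambda f: f[0]):
        granted = bucket.take(f[0], f[4])
        passed += granted
        dropped += f[4] - granted
    return passed, dropped


if __name__ == "__main__":
    for alert in detect_syn_flood(SAMPLE_FLOWS, BASELINE_SYN_PPS):
        print(alert, "->", scrub_syn(SAMPLE_FLOWS, alert["vip"]))
```

The absolute floor keeps a low-traffic VIP from alerting on a handful of extra connections, and the multiplier keeps a busy VIP from being scrubbed for ordinary peaks; both thresholds come from the per-VIP profile rather than a global constant.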

5
Firewalls

AZURE
• Restricts access from the Internet, permits traffic only to endpoints, and provides load balancing and NAT at the Cloud Access Layer
• Isolates traffic and provides intrusion defense through a distributed firewall

CUSTOMER
• Applies corporate firewall using site-to-site VPN
• Configures endpoints
• Defines access controls between tiers and provides additional protection via the OS firewall

Diagram: an Internet Client reaches Microsoft Azure through Cloud Access on port 443; the Customer 1 Virtual Network holds an Application tier, Logic tier and Database tier, and the customer's Corp Firewall connects over VPN.
6
Network Protection

Virtual Networks: Customers can connect one or more cloud services using private IP addresses.

Network Security Groups: Customers can control network traffic flowing in and out of customer services in Azure.

VPN: Customers can securely connect to a virtual private network from anywhere.

ExpressRoute: Customers can create private connections between Azure datacenters and infrastructure that's on your premises or in a colocation environment.
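The Firewalls slide's "access controls between tiers" and the Network Security Groups entry above both come down to how NSG rules are evaluated. The following is an added example, not the deck's or Microsoft's code: a small evaluator that applies NSG semantics (rules processed from the lowest priority number upward, first match wins, default rules at 65000 and above) to a three-tier layout. The VNet range, rule names, tier subnets and test flows are constructed; the default rule names, the 65000/65001/65500 priorities and the 168.63.129.16 load-balancer probe address are Azure's.

```python
"""Added example (not part of the original deck): Azure NSG rule evaluation over
a constructed three-tier virtual network."""
import ipaddress

VNET_PREFIXES = [ipaddress.ip_network("10.0.0.0/16")]   # constructed customer VNet
AZURE_LB_PROBE_IP = "168.63.129.16"                     # Azure load balancer health-probe source


def _addr_matches(spec, addr):
    ip = ipaddress.ip_address(addr)
    in_vnet = any(ip in net for net in VNET_PREFIXES)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":          # service tag
        return in_vnet
    if spec == "Internet":                # service tag
        return not in_vnet
    if spec == "AzureLoadBalancer":       # service tag
        return addr == AZURE_LB_PROBE_IP
    return ip in ipaddress.ip_network(spec)


def _port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")       # "443" or "1000-2000"
    return int(lo) <= port <= int(hi or lo)


def rule(name, priority, access, src, dst="*", dport="*", proto="*", direction="Inbound"):
    return {"name": name, "priority": priority, "access": access, "source": src,
            "destination": dst, "dest_port": dport, "protocol": proto, "direction": direction}


# Azure's default inbound rules: they cannot be deleted, only overridden by lower priority numbers.
DEFAULT_INBOUND = [
    rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "VirtualNetwork"),
    rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer"),
    rule("DenyAllInBound", 65500, "Deny", "*"),
]


def evaluate(rules, src, dst, dport, proto="Tcp", direction="Inbound"):
    """Return (access, rule_name) for the first matching rule in priority order."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        if r["direction"] != direction or r["protocol"] not in ("*", proto):
            continue
        if (_addr_matches(r["source"], src) and _addr_matches(r["destination"], dst)
                and _port_matches(r["dest_port"], dport)):
            return r["access"], r["name"]
    return "Deny", "implicit"


# Database-tier NSG (constructed): web 10.0.1.0/24, app 10.0.2.0/24, db 10.0.3.0/24.
DB_TIER_RULES = [
    rule("allow-app-to-sql", 100, "Allow", "10.0.2.0/24", "*", "1433", "Tcp"),
    rule("deny-web-tier", 110, "Deny", "10.0.1.0/24"),
]
DB_NSG = DB_TIER_RULES + DEFAULT_INBOUND

# Hardened variant: an explicit deny below 65000 closes the lateral path that the
# default AllowVnetInBound rule would otherwise leave open from any VNet address.
DB_NSG_HARDENED = (DB_TIER_RULES
                   + [rule("deny-vnet-lateral", 4000, "Deny", "VirtualNetwork", "VirtualNetwork")]
                   + DEFAULT_INBOUND)


if __name__ == "__main__":
    for nsg_name, nsg in (("DB_NSG", DB_NSG), ("DB_NSG_HARDENED", DB_NSG_HARDENED)):
        print(nsg_name, "app->db:22 =", evaluate(nsg, "10.0.2.15", "10.0.3.4", 22))
```

The case worth noticing is app tier to database on port 22: with only the two custom rules, the default AllowVnetInBound rule permits it, so "allow 1433 from app" is not the same as "allow only 1433 from app" until an explicit VirtualNetwork deny sits below priority 65000.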

7
Virtual Networks

Azure
• Allows customers to create isolated virtual private networks

Customer
• Creates Virtual Networks with Subnets and Private IP addresses
• Enables communications between their Virtual Networks (VNET to VNET)
• Can bring their own DNS
• Can domain join their Virtual Machines

Diagram: an Internet Client reaches Microsoft Azure through Cloud Access and an RDP Endpoint (password access); Customer 1 Deployment X and Customer 2 Deployment Y each sit in an Isolated Virtual Network with Subnets 1-3, a Corp 1 VPN and a DNS Server.
8
VPN Connections

Azure
• Enables connection from customer sites and remote workers to Azure Virtual Networks using Site-to-Site and Point-to-Site VPNs
• Offers forced tunneling capabilities to enable customers to mandate that all internet-bound traffic goes through the Site-to-Site VPN tunnel

Customer
• Configures the VPN client in Windows
• Manages certificates, policies, and user access

Diagram: Customer 1 Deployment X in an Isolated Virtual Network is reached by a Site-to-Site VPN from the Customer Site (Customer Computers Behind Firewall) and by a Point-to-Site VPN from Remote Workers.
9
ExpressRoute Connections

AZURE
• Offers private fiber connections via ExpressRoute
• Enables access to Compute, Storage, and other Azure services

CUSTOMER
• Can establish connections to Azure at an ExpressRoute location (Exchange Provider facility)
• Can directly connect to Azure from your existing WAN network (such as an MPLS VPN) provided by a network service provider
• Can now authorize other Azure accounts to use a common ExpressRoute circuit
• Manages certificates, policies, and user access

Diagram: Site 1 connects through an ExpressRoute Peer and Site 2 through the WAN to Customer 1 Deployment X in an Isolated Virtual Network.
10
Identity & Access Management

AZURE
• Uses Azure AD to govern access to the management portal with granular access controls for users and groups on subscriptions or resource groups
• Provides enterprise cloud identity and access management for end users
• Enables single sign-on across cloud applications
• Offers Multi-Factor Authentication for enhanced security

CUSTOMER
• Centrally manages users and access to Azure, O365, and hundreds of pre-integrated cloud applications
• Builds Azure AD into their web and mobile applications
• Can extend on-premises directories to Azure AD

Diagram: on-premises Active Directory is extended to Azure Active Directory, which End Users & Administrators use to reach Cloud apps.
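"Granular access controls for users and groups on subscriptions or resource groups" means role assignments inherit down the scope tree. The following is an added example, not the deck's or Microsoft's code, showing that inheritance: an assignment at a subscription or resource group applies to every resource beneath it and to nothing outside that subtree, and NotActions carve exceptions out of a role's Actions. The role definitions are trimmed subsets, and the principals, the zero-GUID subscription id and the resource names are constructed placeholders.

```python
"""Added example (not part of the original deck): Azure RBAC scope inheritance
and action wildcard matching over constructed role assignments."""
import re

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder subscription id

# Simplified role definitions (subsets of the real built-in action lists).
ROLES = {
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Virtual Machine Contributor": {
        "actions": ["Microsoft.Compute/virtualMachines/*", "Microsoft.Network/networkInterfaces/read"],
        "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]},
}

# Constructed role assignments: (principal, role, scope)
ASSIGNMENTS = [
    ("alice", "Reader", SUB),
    ("bob", "Virtual Machine Contributor", SUB + "/resourceGroups/prod"),
    ("carol", "Contributor", SUB + "/resourceGroups/dev"),
]


def _action_matches(pattern, action):
    """Azure action wildcards: '*' matches any run of characters, including '/'."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def _scope_covers(assignment_scope, target_scope):
    """An assignment applies to its own scope and everything beneath it."""
    s, t = assignment_scope.lower(), target_scope.lower()
    return t == s or t.startswith(s + "/")


def is_authorized(principal, action, scope, assignments=ASSIGNMENTS, roles=ROLES):
    for who, role_name, assign_scope in assignments:
        if who != principal or not _scope_covers(assign_scope, scope):
            continue
        role = roles[role_name]
        allowed = any(_action_matches(p, action) for p in role["actions"])
        excluded = any(_action_matches(p, action) for p in role["not_actions"])
        if allowed and not excluded:
            return True
    return False


if __name__ == "__main__":
    vm = SUB + "/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/web01"
    print("bob can start prod VM:", is_authorized("bob", "Microsoft.Compute/virtualMachines/start/action", vm))
```

Two points the checks below make explicit: an assignment on one resource group grants nothing in a sibling group or at the subscription itself, and Contributor's NotActions stop it from handing out further role assignments even though its Actions is "*".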

11
Azure Incident Response

• Leverages a 9-step incident response process
• Focuses on containment & recovery
• Analyzes logs and VHD images in the event of a platform-level incident and provides forensics information to customers when needed
• Makes contractual commitments regarding customer notification

Diagram (incident flow) with the stages: Event Detected, Security Event Confirmed, DevOps Engaged, Security Team Engaged, Incident Assessment, Start Customer Notification Process (Step 1), Determine Affected Customers, Determine Customer Impact, Azure Customer Notification.
12
Azure Security Center

• Gain visibility and control
• Integrated security, monitoring, policy management
• Built in threat detections and alerts
• Works with broad ecosystem of security solutions

Diagram (cycle): Set Policy & Monitor; Understand Current State; Deploy Integrated Solutions; Visibility & Control; Deploy & Detect; Find threats that might go unnoticed; Respond & recover faster; Continue learning. Categories shown beneath: Encryption, Secure Networking, Partner Solutions.


Customer Data

When a customer utilizes Azure, they own their data.

Control over data location: Customers choose data location and replication options.

Control over access to data: Strong authentication, carefully logged "just in time" support access, and regular audits.

Encryption key management: Customers have the flexibility to generate and manage their own encryption keys.

Control over data deletion: When customers delete data or leave Azure, Microsoft follows procedures to render the previous customer's data inaccessible.
24
Choice of Data Location & Replication

AZURE:
• Provides 3 copies of data in each datacenter
• Offers geo-replication in a datacenter 400+ miles away

CUSTOMER:
• Chooses where data resides
• Configures data replication options
Data Protection

Data segregation: Logical isolation segregates each customer's data from that of others.

At-rest data protection: Customers can implement a range of encryption options for virtual machines and storage.

In-transit data protection: Industry-standard protocols encrypt data in transit to/from outside components, as well as data in transit internally by default.

Encryption: Data encryption in storage or in transit can be deployed by the customer to align with best practices for ensuring confidentiality and integrity of data.

Data redundancy: Customers have multiple options for replicating data, including number of copies and number and location of replication datacenters.

Data destruction: When customers delete data or leave Azure, Microsoft follows procedures to render the previous customer's data inaccessible.
16
Data Segregation

Storage Isolation
• Access is through Storage account keys and Shared Access Signature (SAS) keys
• Storage blocks are hashed by the hypervisor to separate accounts

SQL Isolation
• SQL Database isolates separate databases using SQL accounts

Network Isolation
• VM switch at the host level blocks inter-tenant communication

Diagram: End Users and the Customer Admin reach Microsoft Azure through the Portal and SMAPI; Customer 1 and Customer 2 Guest VMs run on the Hypervisor and Host OS under the Fabric Controller, with Access Control in front of Azure Storage and SQL Database.
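The slide names Storage account keys and Shared Access Signatures without saying how a SAS limits exposure of the account key. The following is an added example, not the deck's or Microsoft's code: a simplified model of a SAS as an HMAC over the granted resource, permissions and expiry, verified on the storage side with the account key. The string-to-sign layout here is deliberately reduced and is not Azure's actual SAS format (which signs more fields and a version); the account keys, blob paths and times are constructed. The read/write/delete permission letters are the ones Azure SAS uses.

```python
"""Added example (not part of the original deck): a reduced model of Shared
Access Signature issue and verification. Keys, resources and times are constructed."""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

PERMISSION_FOR_OPERATION = {"read": "r", "write": "w", "delete": "d"}   # SAS permission letters
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _string_to_sign(resource, permissions, expiry_iso):
    # Simplified layout for illustration; the real SAS string-to-sign has more fields.
    return "\n".join([resource, permissions, expiry_iso])


def _signature(account_key, text):
    return base64.b64encode(hmac.new(account_key, text.encode(), hashlib.sha256).digest()).decode()


def build_sas(account_key, resource, permissions, expiry):
    """Issue a token that grants `permissions` on one resource until `expiry` (UTC)."""
    expiry_iso = expiry.strftime(TIME_FMT)
    return {"sr": resource, "sp": permissions, "se": expiry_iso,
            "sig": _signature(account_key, _string_to_sign(resource, permissions, expiry_iso))}


def verify_sas(account_key, token, resource, operation, now):
    """Return (allowed, reason). The signature is checked first and in constant time,
    so a forged or altered token never reaches the policy checks."""
    expected = _signature(account_key, _string_to_sign(token["sr"], token["sp"], token["se"]))
    if not hmac.compare_digest(expected, token["sig"]):
        return False, "bad signature"
    if now >= datetime.strptime(token["se"], TIME_FMT).replace(tzinfo=timezone.utc):
        return False, "expired"
    if token["sr"] != resource:
        return False, "wrong resource"
    if PERMISSION_FOR_OPERATION[operation] not in token["sp"]:
        return False, "permission not granted"
    return True, "ok"


# Constructed keys; a real storage account key is a random 512-bit value.
ACCOUNT_KEY = b"constructed-account-key-0"
ROTATED_KEY = b"constructed-account-key-1"
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
TOKEN = build_sas(ACCOUNT_KEY, "/container/report.csv", "r", NOW + timedelta(hours=1))


def demo():
    """Exercise the checks a storage front end performs on each request."""
    return {
        "read_ok": verify_sas(ACCOUNT_KEY, TOKEN, "/container/report.csv", "read", NOW),
        "write_denied": verify_sas(ACCOUNT_KEY, TOKEN, "/container/report.csv", "write", NOW),
        "other_blob": verify_sas(ACCOUNT_KEY, TOKEN, "/container/other.csv", "read", NOW),
        "expired": verify_sas(ACCOUNT_KEY, TOKEN, "/container/report.csv", "read", NOW + timedelta(hours=2)),
        "tampered": verify_sas(ACCOUNT_KEY, dict(TOKEN, sp="rw"), "/container/report.csv", "write", NOW),
        "after_key_rotation": verify_sas(ROTATED_KEY, TOKEN, "/container/report.csv", "read", NOW),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The last case is the operational point: a SAS stays valid until its expiry, so the only way to revoke one before then is to rotate the account key that signed it, which also invalidates every other SAS signed with that key. Short expiries and the narrowest permission string are therefore the defaults to reach for.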

17
Microsoft Azure Key Vault

Key Vault offers an easy, cost-effective way to safeguard keys and other secrets used by cloud apps and services using HSMs.

• You manage your keys and secrets
• Applications get high performance access to your keys and secrets... on your terms

Diagram: IaaS, PaaS and SaaS applications in Microsoft Azure use Key Vault, which is backed by an HSM and into which keys are imported.
Encryption in Transit

Azure
• Encrypts most communication between Azure datacenters
• Encrypts transactions through Azure Portal using HTTPS
• Supports FIPS 140-2

Customer
• Can choose HTTPS for REST API (recommended)
• Configures HTTPS endpoints for applications running in Azure
• Encrypts traffic between Web client and server by implementing TLS on IIS

Diagram: encrypted links between two Azure Datacenters, and between the Customer, the Portal and Azure.
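On the customer side, "choose HTTPS for REST" and "configure HTTPS endpoints" are checks that can be automated. The following is an added example, not the deck's or Microsoft's code: a client TLS context set up with certificate and hostname verification and a TLS 1.2 floor, plus a check over an endpoint inventory that flags plaintext REST endpoints and endpoints whose configured TLS floor is below 1.2. The endpoint inventory and its field names are constructed; nothing here connects to the network.

```python
"""Added example (not part of the original deck): a hardened client TLS context
and an offline audit of a constructed endpoint inventory."""
import ssl
from urllib.parse import urlparse


def client_tls_context():
    """create_default_context() already verifies the chain and hostname;
    add a TLS 1.2 floor so older protocol versions are never negotiated."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_hardened(ctx):
    """True when the context verifies peers and hostnames and refuses TLS < 1.2."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


# Constructed inventory of application endpoints and their configured TLS floor
# (None means the listener has no TLS at all).
SAMPLE_ENDPOINTS = [
    {"name": "orders-api",   "url": "https://orders.example.test/api", "min_tls": "1.2"},
    {"name": "legacy-rest",  "url": "http://legacy.example.test/rest",  "min_tls": None},
    {"name": "reports-site", "url": "https://reports.example.test/",    "min_tls": "1.0"},
]


def audit_endpoints(endpoints):
    """Return (name, issue) findings for endpoints that would carry traffic
    unencrypted or on a protocol version below 1.2."""
    findings = []
    for ep in endpoints:
        scheme = urlparse(ep["url"]).scheme
        if scheme != "https":
            findings.append((ep["name"], "plaintext endpoint (%s)" % scheme))
            continue
        floor = ep["min_tls"]
        if floor is None or tuple(int(x) for x in floor.split(".")) < (1, 2):
            findings.append((ep["name"], "TLS floor below 1.2 (%s)" % floor))
    return findings


if __name__ == "__main__":
    print("client context hardened:", context_is_hardened(client_tls_context()))
    for finding in audit_endpoints(SAMPLE_ENDPOINTS):
        print(*finding)
```

The inventory check is deliberately static so it can run in CI against a configuration export; the live counterpart is to open a connection with `client_tls_context()` and let the handshake fail on anything weaker than the floor.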

19
Encryption at Rest

Virtual Machines (SQL TDE, BitLocker, Partners, EFS)
• Data drives – full disk encryption using BitLocker
• Boot drives – BitLocker and partner solutions
• SQL Server – Transparent Data and Column Level Encryption
• Files & folders – EFS in Windows Server

Storage (BitLocker, StorSimple)
• BitLocker encryption of drives using Azure Import/Export service
• StorSimple with AES-256 encryption
• Server-side encryption of Blob Storage using AES-256
• Client-side encryption with .NET and Java support

Applications (.NET Crypto, RMS SDK)
• Client side encryption through .NET Crypto API
• RMS Service and SDK for file encryption by your applications
20
Data Encryption

Layer       | Encryption support                                                                      | Key Management                                                            | Comments
Application | .NET encryption API                                                                     | Managed by customer                                                       | .NET Cryptography documentation
Application | RMS SDK – encrypt data by using RMS SDK                                                 | Managed by customer via on-prem RMS key management service or RMS online | RMS SDK documentation
Platform    | SQL TDE/CLE on SQL Server on Azure IaaS servers                                         | Managed by customers                                                      | SQL TDE/CLE documentation
Platform    | SQL Azure TDE and Column Encryption                                                     | Managed by customers                                                      | Features in progress
Platform    | StorSimple – provides primary, backup, archival                                         | Managed by customers                                                      | Supports AES-256 to encrypt data in StorSimple; StorSimple link and documentation
System      | BitLocker support for data volumes                                                      | Managed by customers                                                      | BitLocker for fixed or removable volumes
System      | Partner solutions for system volume encryption                                          | Managed by customers                                                      | BitLocker command-line tool
Others      | BitLocker support; Import/Export of xstore data onto drives can be protected by BitLocker | Managed by customers                                                    | Import/export step by step blog
21
Data Destruction

Data Deletion
• Index immediately removed from primary location
• Geo-replicated copy of the data (index) removed asynchronously
• Customers can only read from disk space they have written to

Disk Handling
• NIST 800-88 compliant processes are used for destruction of defective disks
22
Azure Compliance

Certifications and attestations on the slide's 2010-2015 timeline: CSA Cloud Controls Matrix, HIPAA/HITECH, AU IRAP, Singapore MCTS, SOC 1, SOC 2, UK G-Cloud OFFICIAL Accreditation, CDSA, CJIS, ISO/IEC 27001:2005, FISMA ATO, FedRAMP P-ATO, ISO/IEC 27018, EU Data Protection Directive, PCI DSS Level 1.

Operations Security Assurance / Compliance Framework

Compliance certifications: Microsoft maintains a team of experts focused on ensuring that Azure meets its own compliance obligations, which helps customers meet their own compliance requirements.

Continual evaluation, benchmarking, adoption, test & audit: Compliance strategy helps customers address business objectives and industry standards & regulations, including ongoing evaluation and adoption of emerging standards and practices.

Independent verification: Ongoing verification by third-party audit firms.

Access to audit reports: Microsoft shares audit report findings and compliance packages with customers.

Best practices: Prescriptive guidance on securing data, apps, and infrastructure in Azure makes it easier for customers to achieve compliance.
24
Security Partners

In addition to the robust security capabilities built into Azure, the Azure Marketplace offers a rich array of additional security products built by our partners for Azure.

Categories: Networking security, Monitoring and alerts, Messaging Security, Application Security, Antimalware, Encryption, Authentication.

Partners listed under Virtual machines and Active Directory integrations: Alert Logic, CloudLink, Kaspersky, Waratek, Login People, aiScaler, Townsend Security, Derdack, Barracuda, Trend Micro, Nagios, Check Point, Riverbed, Symantec, McAfee, Cohesive Networks.
25
THANK YOU

26
