Presentation is loading. Please wait.

Presentation is loading. Please wait.

MICROSOFT CONFIDENTIAL Page 1 A Secure Cloud-Computing Platform Azure Partner Architects| 4/11/2011 David McGhee | Windows Azure Platform Technical Specialist.

Similar presentations


Presentation on theme: "MICROSOFT CONFIDENTIAL Page 1 A Secure Cloud-Computing Platform Azure Partner Architects| 4/11/2011 David McGhee | Windows Azure Platform Technical Specialist."— Presentation transcript:

1 MICROSOFT CONFIDENTIAL Page 1 A Secure Cloud-Computing Platform Azure Partner Architects| 4/11/2011 David McGhee | Windows Azure Platform Technical Specialist | Microsoft ANZ |

2 MICROSOFT CONFIDENTIAL Page 2 Agenda What is Azure? Azure Security Operations & Monitoring Additional Learning /questions

3 MICROSOFT CONFIDENTIAL Page 3 Generational Shift Centralized compute & storage, thin clients Technology EconomicBusiness Optimized for efficiency due to high cost High upfront costs for hardware and software PCs and servers for distributed compute, storage, etc. Optimized for agility due to low cost Perpetual license for OS and application software Large DCs, commodity HW, scale-out, devices Order of magnitude better efficiency and agility Pay as you go, and only for what you use

4 MICROSOFT CONFIDENTIAL Page 4 Cloud Impact REDUCED MANAGEMENT NEW ECONOMICS INCREASED PRODUCTIVITY Pay for what you use Lower and predictable costs Shift from capex and opex Accelerate speed to value No patching, maintenance Faster deployment Robust multi-layered security Reliability and fault- tolerance Latest software for users Internet collaboration Anywhere access Instant self-provisioning

5 MICROSOFT CONFIDENTIAL Page 5 IT as a Service Business Requirements End User Config Application Logic Data Schema Operating System Disaster Recovery Virus Control Database Management Load Balancing Identity/Authorisation Middleware Hardware Network Storage Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service (IaaS)

6 MICROSOFT CONFIDENTIAL Page 6 Windows Azure is an internet-scale cloud services platform hosted in Microsoft data centers around the world, proving a simple, reliable and powerful platform for the creation of web applications and services. The Windows Azure Platform

7 MICROSOFT CONFIDENTIAL Page 7 Customer Security Concerns from Cloud- The Inevitable Questions Privileged User Access Regulatory Compliance Is my Data Centre compliant with all international certifications? Data Location Does my provider obey local privacy requirements on behalf of their customers? How does my cloud service provider support me in the case of data failure? What measures are taken by my cloud provider, if illegal activity is found within the Data Centre? How can I get my data back, if the company who owns the Data Centre is absorbed or collapses?

8 MICROSOFT CONFIDENTIAL Page 8 Security and Compliance DATA CENTER FOUNDATION ROBUST SECURITY PROGRAMS WINDOWS AZURE "privacy by default"

9 MICROSOFT CONFIDENTIAL Page 9 North America Europe Asia West Europe South Asia South Central US North Central US East Asia Eastern Europe Data Center Management Security Management Threat & Vulnerability Management, Monitoring & Response Edge Routers, Firewalls, Intrusion Detection, Vulnerability scanning Network perimeter Dual-factor Auth, Intrusion Detection, Vulnerability scanning Internal Network Access Control & Monitoring, Anti-Malware, Patch & Config Mgmt Host Secure Engineering (SDL), Access Control & Monitoring, Anti-Malware Application Access Control & Monitoring, File/Data Integrity Data User Account Mgmt, Training & Awareness, Screening Facility Physical controls, video surveillance, Access Control

10 MICROSOFT CONFIDENTIAL Page 10 The Microsoft Security Development Lifecycle (SDL) Executive commitment  SDL a mandatory policy at Microsoft since 2004 Technology and Process EducationAccountability Ongoing Process Improvements numberseverity Helping to protect customers by reducing the number and severity of software vulnerabilities prior to Release

11 MICROSOFT CONFIDENTIAL Page 11 Platform as a Service Security Model Physical Network Host Application Data On Premises Customer Physical Network Host Application Data Platform as a Service Customer Microsoft

12 MICROSOFT CONFIDENTIAL Page 12 LayerDefences Data Strong storage keys for access control SSL support for data transfers between all parties Application Front-end.NET code running under partial trust Windows account with least privileges Host Stripped down version of Windows Server 2008 OS Host boundaries enforced by external hypervisor Network Host firewall limiting traffic to VMs VLANs and packet filters in routers Physical World-class physical security ISO 27001and SAS 70 Type II certification for data centre processes

13 MICROSOFT CONFIDENTIAL Page 13 1 Physical – Tailored to run applications

14 MICROSOFT CONFIDENTIAL Page 14 2 Network - Access Paths

15 MICROSOFT CONFIDENTIAL Page 15 3 Host – Execution Environment Customer code run on dedicated virtual machines (VMs) VMs isolated by a Hyper-V based hypervisor All access to network and disk is mediated by a “root” virtual machine Network/Disk Hypervisor 1, 2, 4 or 8 CPUs, up to 14GB of memory Stripped down, hardened version of Windows Server 2008 Three virtual hard disks Limited number of device drivers Network connectivity restricted using host firewall Hyper-V based hypervisor

16 MICROSOFT CONFIDENTIAL Page 16 4 Application - Identity and Access Management Active Directory Other Providers WS-* and SAML On Premises Use of Active Directory identities and groups through federation Enable seamless access experience with other corporate applications tied to AD Integration with 3 rd party systems through WS-* and SAML 2.0 open standards In the next release of AppFabric Access Control Services (ACS 2.0), single sign-on with popular Internet identity providers

17 MICROSOFT CONFIDENTIAL Page 17 5 Data - Storage Services Security Customer data stored on separate hardware from the Windows Azure Compute VMs, organized into storage accounts Access to data in a specific account is only granted to entities having the secret key for that account – Storage access keys are randomly generated when the storage account is created (or later at the request of the customer) – A storage account may have two active keys at any given time to support key rollover Data access can be protected using SSL encryption

18 MICROSOFT CONFIDENTIAL Page 18 5 Data - Windows Azure Storage Reliability Data is replicated within Windows Azure to three separate physical nodes for high availability Azure Physical Storage Application X Customer On-premises Storage

19 MICROSOFT CONFIDENTIAL Page 19 Security Design considerations Practices: – Secure design – Secure coding – Threat management Design patterns – Azure Connect – Service Bus – Access Control

20 MICROSOFT CONFIDENTIAL Page 20 Service Management Market

21 MICROSOFT CONFIDENTIAL Page 21 All running roles will be continuously monitored If role is not running, we will detect and initiate corrective action >99.9% Instance monitoring and restart Database is connected to the internet gateway All databases will be continuously monitored >99.9% Database availability >99.9% Service bus and access control endpoints will have external connectivity Message operation requests processed successfully Service bus and access control availability Your service is connected and reachable via web. Internet facing roles will have external connectivity >99.95% Compute connectivity >99.9% Storage service will be available/ reachable (connectivity) Your storage requests will be processed successfully Storage availability Service Level Agreements >99.9% Service will respond to client requests and deliver the requested content without error Content delivery network

22 MICROSOFT CONFIDENTIAL Page 22 Q&A?

23 MICROSOFT CONFIDENTIAL Page Overview World-Class Support World-Class Security Carrier-Class Data Centers Operational Best Practices World-Class Architecture Application Specific Hardware We proactively monitor outbound access to detect common cases (port scans, spam)

24 MICROSOFT CONFIDENTIAL Page 24 Visit Microsoft.com/Azure to view the following whitepapers concerning security and the Windows Azure PlatformMicrosoft.com/Azure Windows Azure Security Overview Security Best Practices For Developing Windows Azure Applications Security Guidelines for SQL Azure Microsoft Security Development Lifecycle Next steps to learn more about Windows Azure Platform Security Get involved in the Windows Azure Platform community Microsoft Essentials Windows Azure Platform Security Essentials: Module 1 - Security Architecture Windows Azure Platform Security Essentials: Module 2 – Identity Access Management Windows Azure Platform Security Essentials: Module 3 – Storage Access Windows Azure Platform Security Essentials: Module 4 – Secure Development

25 MICROSOFT CONFIDENTIAL Page 25 Thank You


Download ppt "MICROSOFT CONFIDENTIAL Page 1 A Secure Cloud-Computing Platform Azure Partner Architects| 4/11/2011 David McGhee | Windows Azure Platform Technical Specialist."

Similar presentations


Ads by Google