
BRK3490 Cybersecurity concerns persist Global attacks are increasing and costs are rising Cybercrime extracts between 15% and 20% of the value created.



Presentation transcript:


2 BRK3490


4 Cybersecurity concerns persist
Global attacks are increasing and costs are rising:
- Cybercrime extracts between 15% and 20% of the value created by the Internet. [1]
- Total financial losses attributed to security compromises increased 34% in 2014. [3]
- In the UK, 81% of large corporations and 60% of small businesses reported a cyber breach in the past year. [2]
- The impact of cyber attacks could be as much as $3 trillion in lost productivity and growth. [4]

5 Protect / Detect / Respond
Protect:
- Security Development Lifecycle & Operational Security Assurance
- Network, Identity and Data Isolation
- Data Protection: Data Encryption and Key Management
- Least Privilege / Just-in-Time (JIT) Access
- Auditing and Certification
- Vulnerability / Update Management
Detect:
- Live Site Penetration Testing
- Fraud and Abuse Detection
- Centralized Logging and Monitoring
Respond:
- Breach Containment
- Coordinated Security Response
- Customer Notification

6 Data protection
Azure provides customers with strong data protections, both by default and as customer options.
- Data isolation: logical isolation that segregates each customer's data from that of others is enabled by default.
- In-transit data protection: industry-standard protocols encrypt data in transit to/from outside components, as well as data in transit internally, by default.
- Data redundancy: customers have multiple options for replicating data, including the number of copies and the number and location of replication datacenters.
- At-rest data protection: customers can implement a range of encryption options for virtual machines and storage.
- Encryption: data encryption in storage or in transit can be deployed by the customer to align with best practices for ensuring confidentiality and integrity of data.
- Data destruction: strict standards for overwriting storage resources before reuse and for the physical destruction of decommissioned hardware are applied by default.


8 Data in transit: encryption options
Microsoft:
- Azure Portal: encrypts transactions through the Azure Portal using HTTPS; strong ciphers are used, with FIPS 140-2 support.
- Import/Export: only accepts BitLocker-encrypted data disks.
- Datacenter to datacenter: encrypts customer data transfer between Azure datacenters.
Customers:
- Storage: choose HTTPS for the Storage REST API.
- N-tier applications: encrypt traffic between web client and server by implementing TLS on IIS.

- Data in transit between a user and the service: protects the user from interception of their communication and helps ensure transaction integrity.
- Data in transit between datacenters: protects from bulk interception of data.
- End-to-end encryption of communications between users: protects from interception or loss of data in transit between users.

9 Azure data encryption: data at rest
- Azure Key Vault: authentication to Key Vault; key management
- Azure Disk Encryption: partner volume encryption for virtual machines (Windows and Linux)
- SQL Server and SQL Database: Transparent Data Encryption, Cell Level Encryption, Always Encrypted
- Application-level encryption: Cloud Integrated Storage; Azure Storage (Blobs, Tables, Queues); HDInsight; Azure Backup Service


11 Machine protection elements
- Access control: customers control access to the keys/secrets in their key vault.
- Monitoring and logging: customers collect logs in their storage account.
- Data security and availability: disks are stored encrypted in the customer's storage account and are automatically replicated by Azure Storage.
Encryption scenarios:
- New VMs from customer-encrypted VHDs
- New VMs from the Azure Gallery
- Running VMs in Azure

12 New VM from a customer-encrypted VHD
1. The customer uploads the encrypted VHD to their Azure Storage account.
2. The customer provisions encryption key material* in their key vault and grants the platform access so it can provision the VM.
3. The customer opts in to enabling disk encryption.
4. Azure service management updates the service model with the encryption and key vault configuration.
5. The Azure platform provisions the encrypted VM.
* Key material: BitLocker encryption keys [Windows], passphrase [Linux]
Diagram: Portal/API, Service Management (config), Host, AAD (AAD token), Azure Storage (customer disks: read VHD), Customer Key Vault (read key), Virtual Machine ("Encrypt Me"), Provision Encrypted VM.

13 Disk encryption with platform-provisioned key material
1. The customer opts in to enabling disk encryption and grants the Azure platform access to provision encryption key material* in their key vault.
2. Azure service management updates the service model with the encryption and key vault configuration.
3. The Azure platform provisions the encrypted VM.
* Key material: BitLocker encryption keys [Windows], passphrase [Linux]
Diagram: Portal/API, Service Management (config), Host, AAD (AAD token), Azure Storage, Customer Key Vault (upload key), Virtual Machine ("Encrypt Me"), Provision Encrypted VM.

14 Key material in the customer's key vault
- Secrets like BitLocker Encryption Keys [BEK] or the Linux passphrase are stored, protected, under customer control in their key vault container.
- Secrets are encrypted by a customer-controlled Key Encryption Key [KEK, RSA-2048].
- The customer grants [explicit] Read or Write access to their key vault container to Azure to enable disk encryption.
- The customer specifies the key vault URI to allow Azure access to their keys and secrets.
- Azure does not have ANY default access to the customer's key vault for the disk encryption feature.
Example vault contents: Secrets: Contoso.BEK [encrypted by ContosoKEK] (BitLocker, Windows); ContosoPassPhrase [encrypted by ContosoKEK] (Linux). Keys: ContosoKEK.
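The relationship between Contoso.BEK and ContosoKEK on this slide is envelope encryption: the volume key is stored only in wrapped form, and only the holder of the KEK private key can unwrap it. The following is an added example, not code from the deck or from Azure Disk Encryption itself. It uses RSA-2048 as the slide does, but the choices of RSA-OAEP with SHA-256 for wrapping and AES-256-GCM as a stand-in for BitLocker's own volume cipher are assumptions of the example; in Azure the KEK private key never leaves the customer's vault, whereas here both halves are generated locally so the code runs offline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed example: the KEK is an RSA-2048 key pair (the size the slide gives)
// and the BEK is a random 256-bit AES key. Both are generated locally here.
const kekBits = 2048

// GenerateKEK creates the customer-controlled key-encryption key.
func GenerateKEK() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, kekBits) }

// NewBEK returns a fresh 256-bit volume key (the vault secret "Contoso.BEK").
func NewBEK() ([]byte, error) {
	bek := make([]byte, 32)
	_, err := rand.Read(bek)
	return bek, err
}

// WrapBEK encrypts the BEK under the KEK public key with RSA-OAEP/SHA-256 (an
// assumption of this example); the wrapped blob is the only stored form of the BEK.
func WrapBEK(kek *rsa.PublicKey, bek []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, kek, bek, nil)
}

// UnwrapBEK recovers the BEK. Only the holder of the KEK private key can, which is
// why the platform needs explicit vault access when it provisions the VM.
func UnwrapBEK(kek *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, kek, wrapped, nil)
}

// newGCM builds the volume cipher; AES-256-GCM stands in for BitLocker here.
func newGCM(bek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(bek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealVolume encrypts volume data with the BEK; output is nonce || ciphertext.
func SealVolume(bek, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(bek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenVolume decrypts and authenticates what SealVolume produced.
func OpenVolume(bek, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(bek)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed volume too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// RoundTrip seals data under a BEK, wraps the BEK under the KEK, shows that an
// unrelated KEK cannot unwrap it, then unwraps with the right KEK and opens the data.
func RoundTrip(data []byte) (recovered []byte, wrongKEKRejected bool, err error) {
	kek, err := GenerateKEK()
	if err != nil { return nil, false, err }
	bek, err := NewBEK()
	if err != nil { return nil, false, err }
	sealed, err := SealVolume(bek, data)
	if err != nil { return nil, false, err }
	wrapped, err := WrapBEK(&kek.PublicKey, bek)
	if err != nil { return nil, false, err }
	other, err := GenerateKEK() // a KEK the customer never granted: must fail
	if err != nil { return nil, false, err }
	_, wrongErr := UnwrapBEK(other, wrapped)
	unwrapped, err := UnwrapBEK(kek, wrapped)
	if err != nil { return nil, false, err }
	recovered, err = OpenVolume(unwrapped, sealed)
	return recovered, wrongErr != nil, err
}

func main() {
	out, rejected, err := RoundTrip([]byte("constructed volume contents"))
	fmt.Printf("recovered=%q wrongKEKRejected=%v err=%v\n", out, rejected, err)
}
```

The point to take from RoundTrip is what the platform holds: sealed volume bytes plus a wrapped BEK, neither of which is useful without a decrypt/unwrap call that the customer's vault access policy permits. That is also why the slide stresses that Azure has no default access to the vault.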


19 Storage: Cloud Integrated Storage
- Hybrid applications (Windows Server); data snapshots
- Data encrypted on-premises and backed up in Azure: AES-256 encryption, integrity protected with SHA-256 hashes

20 SQL Server
Encryption options: Transparent Data Encryption (TDE), Cell Level Encryption (CLE), SQL Server encrypted backups, Always Encrypted.
SQL Server Extensible Key Management (EKM): an EKM provider shifts encryption master keys to an external key manager, giving separation of duties between data and key management.
Azure Key Vault as an EKM: the SQL Server Connector enables Azure Key Vault use as an EKM, with customer-owned encryption master keys in software or hardware (FIPS-validated HSM). Applies to SQL Server on-premises and in Azure VMs.

21 SQL Server Connector workflow
Actors: SQL Server Admin, Security Operations, Auditor. Components: Key Vault Service, Azure Active Directory, SQL Server Connector.
1. Register the SQL Server instance.
2a. Create the vault. 2b. Create the master key. 2c. Give SQL Server access to the vault.
3. Configure SQL Server encryption.
4. Authenticate.
5. Protect keys.
6. Audit key usage (coming soon).


23 Diagram: Microsoft Azure Key Vault serving IaaS, PaaS and SaaS workloads on Microsoft Azure; keys imported from an HSM into Key Vault.

24 Azure Key Vault: enhance data protection and compliance
- Encrypt keys and small secrets like passwords using keys stored in tightly controlled and monitored Hardware Security Modules (HSMs).
- Import or generate your keys in HSMs for added assurance; keys never leave the HSM boundary.
- Comply with regulatory standards for secure key management, including US Government FIPS 140-2 Level 2 and Common Criteria EAL 4+.
- Monitor and audit key use through Azure logging; pipe logs into HDInsight or your SIEM for additional analysis (coming soon).
Roles:
- Manages keys: creates a Key Vault; adds keys and secrets to the vault; grants permission to specific application(s) to perform specific operations, e.g. decrypt, unwrap; enables usage logs; tells the application the URI of the key/secret.
- Deploys application: the application program uses the key or secret (and may abuse it) but never sees the keys.
- Monitors access to keys: reviews usage logs to confirm proper key use and compliance with data security standards.
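The "monitors access to keys" role on this slide, and the "detect insider compromise or abuse of privileges" item later in the deck, come down to reviewing usage logs against what the key manager actually granted. The following is an added example, not code from the deck or from Azure; the log records and the policy are constructed, and the record field names (time, operation, caller, callerIp, result, object) are a simplification assumed for the example rather than the exact Key Vault diagnostic-log schema. It flags four things a reviewer would want to see: a caller with no grant at all, a denied call (a principal reaching past what it was given), a successful call that the grant should not have allowed (the grant is wider than intended), and a burst of unwrap/decrypt calls that looks like bulk use of the key.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Entry is one audit record; the field names are an assumption of this example,
// not the exact Azure Key Vault diagnostic-log schema.
type Entry struct {
	Time      time.Time `json:"time"`
	Operation string    `json:"operation"`
	Caller    string    `json:"caller"`
	CallerIP  string    `json:"callerIp"`
	Result    string    `json:"result"`
	Object    string    `json:"object"`
}

// Grant is the set of operations the key manager gave a principal.
type Grant struct{ Ops map[string]bool }
type Finding struct{ Rule, Caller, Detail string }

// More than burstMax unwrap/decrypt calls inside burstWindow is reported as bulk use.
const (
	burstMax    = 3
	burstWindow = time.Minute
)

// ParseLog decodes newline-delimited JSON records; they are assumed chronological.
func ParseLog(raw string) ([]Entry, error) {
	var out []Entry
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		var e Entry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, err
		}
		out = append(out, e)
	}
	return out, nil
}

// Review checks every record against the grants and returns one Finding per problem.
func Review(entries []Entry, policy map[string]Grant) []Finding {
	var out []Finding
	recent := map[string][]time.Time{} // sliding window of unwrap/decrypt times per caller
	add := func(rule string, e Entry, detail string) { out = append(out, Finding{rule, e.Caller, detail}) }
	for _, e := range entries {
		g, known := policy[e.Caller]
		if !known {
			add("unknown-caller", e, e.Operation+" on "+e.Object)
			continue
		}
		if e.Result != "Success" {
			add("denied", e, e.Operation+" on "+e.Object+": "+e.Result)
			continue
		}
		if !g.Ops[e.Operation] {
			add("outside-grant", e, e.Operation+" succeeded but is not in the caller's grant")
		}
		if e.Operation == "KeyUnwrap" || e.Operation == "KeyDecrypt" {
			w := append(recent[e.Caller], e.Time)
			for w[0].Before(e.Time.Add(-burstWindow)) {
				w = w[1:]
			}
			if len(w) > burstMax {
				add("burst", e, fmt.Sprintf("%d unwrap/decrypt calls within %s", len(w), burstWindow))
				w = nil // report each burst once
			}
			recent[e.Caller] = w
		}
	}
	return out
}

// SampleLog and ConstructedPolicy are made up for this example, not real Azure data.
const SampleLog = `
{"time":"2015-05-05T10:00:00Z","operation":"KeyUnwrap","caller":"sp-benefits-app","callerIp":"10.1.2.3","result":"Success","object":"keys/ContosoKEK"}
{"time":"2015-05-05T10:00:10Z","operation":"KeyUnwrap","caller":"sp-benefits-app","callerIp":"10.1.2.3","result":"Success","object":"keys/ContosoKEK"}
{"time":"2015-05-05T10:00:20Z","operation":"KeyUnwrap","caller":"sp-benefits-app","callerIp":"10.1.2.3","result":"Success","object":"keys/ContosoKEK"}
{"time":"2015-05-05T10:00:30Z","operation":"KeyUnwrap","caller":"sp-benefits-app","callerIp":"10.1.2.3","result":"Success","object":"keys/ContosoKEK"}
{"time":"2015-05-05T10:02:00Z","operation":"SecretGet","caller":"sp-benefits-app","callerIp":"10.1.2.3","result":"Forbidden","object":"secrets/Contoso.BEK"}
{"time":"2015-05-05T10:05:00Z","operation":"KeyDecrypt","caller":"user-key-admin","callerIp":"10.1.2.50","result":"Success","object":"keys/ContosoKEK"}
{"time":"2015-05-05T10:06:00Z","operation":"KeyGet","caller":"unknown-sp","callerIp":"10.1.2.77","result":"Success","object":"keys/ContosoKEK"}`

func ConstructedPolicy() map[string]Grant {
	return map[string]Grant{
		"sp-benefits-app": {Ops: map[string]bool{"KeyUnwrap": true, "KeyDecrypt": true}},
		"user-key-admin":  {Ops: map[string]bool{"KeyCreate": true, "KeyGet": true, "KeyList": true}},
	}
}

func main() {
	entries, _ := ParseLog(SampleLog) // constructed input; cannot fail to parse
	for _, f := range Review(entries, ConstructedPolicy()) {
		fmt.Println(f.Rule, f.Caller, f.Detail)
	}
}
```

The "denied" finding is the interesting one for the segregation of duties the slide describes: the application was given unwrap and decrypt, and the vault correctly refused its attempt to read the raw Contoso.BEK secret, but that refusal is exactly the event a reviewer should be alerted on, because it means the application (or whoever holds its credential) tried to get the key material itself.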

25 Azure data encryption: data at rest (recap)
- Azure Key Vault: authentication to Key Vault; key management
- Azure Disk Encryption: partner volume encryption for virtual machines (Windows and Linux)
- SQL Server and SQL Database: Transparent Data Encryption, Cell Level Encryption, Always Encrypted
- Application-level encryption: Cloud Integrated Storage; Azure Storage (Blobs, Tables, Queues); HDInsight; Azure Backup Service

26 Is my data gone?
Retention/backup:
- Abandoned data: retained for 90 days and available if the customer comes back, then subsequently deleted.
- Customer deletion: delete data at any time.
Is my data really gone? Destruction:
- Defective disks: destroyed on-site.
- Decommissioning: Azure follows DoD data-wiping standards.


28 All data is encrypted, though not done yet. Fundamentals are key!
- Mitigate the risk of compromised accounts: Multi-Factor Authentication (Azure MFA / Windows Server ADFS)
- Limit excessive permissions (least privilege): Azure AD Role Based Access Control (RBAC); Azure AD Privileged Identity Management (temporary/'JIT' access controls)
- Detect insider compromise or abuse of privileges: Azure auditing and logging; Azure AD anomaly detection and analysis

29 Compromised accounts
- Accounts with weak authentication methods (passwords) can be compromised (e.g. by spear-phishing).
- Secure your user accounts with Azure MFA: it can be used with Azure Active Directory or Windows Server Active Directory Federation Services (ADFS), and provides a second factor (e.g. a phone or device).
- Secure your user accounts with smart cards using Windows Server ADFS and AAD: use your existing PKI (smart card, virtual smart card) to secure accounts, with Azure AD accounts federated to your on-premises infrastructure.


31 Limiting permissions
- Permissions to sensitive data should follow the 'least privilege' principle: only grant the access necessary for the role.
- Azure RBAC (20 built-in roles; custom roles coming soon): general roles (Readers, Contributors, Owners); resource-specific roles (e.g. Virtual Machine Contributor, SQL DB Contributor, ...); assign users, groups, and service principals.
- Key Vault access control: very fine-grained access controls to key vaults for users and service principals (create, verify, sign, wrap/unwrap, etc.), able to enforce segregation of duties.

32 Azure Role Based Access Control
- Assign roles to users and groups at subscription, resource group, or resource level; assignments inherit down the hierarchy.
- Use built-in roles with pre-configured permissions (20 built-in roles); create custom roles (coming soon).
Diagram: Subscription, with Reader, Contributor and Owner roles.

33 RBAC example
Resource group EmployeeBenefitsApp: virtual machines, SQL DB, storage accounts.
EmployeeBenefitsApp role assignments:
- Owners: HR IT Admins
- Contributors: HR IT DevOps Team
- Readers: HR Benefits Team
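Two things on the last three slides are easy to state and easy to get wrong when reasoning about a real subscription: an assignment made at the resource group applies to every resource under it, and Contributor is "everything except managing access", which is expressed as NotActions subtracted from that one role rather than as a deny. The following is an added example, not code from the deck or Azure's own authorization service. It evaluates the slide's EmployeeBenefitsApp assignments with the group memberships, subscription id, resource names and the two extra identities (a subscription-wide reader and a per-VM Virtual Machine Contributor) all constructed for the example; the role definitions are a small subset approximating the built-in ones, and action strings follow Azure's provider/resourceType/operation form.

```go
package main

import (
	"fmt"
	"strings"
)

// Role is a simplified built-in role: Actions grant, NotActions subtract from that
// same role. These patterns are a subset chosen for the example, not the full definitions.
type Role struct{ Actions, NotActions []string }

var Roles = map[string]Role{
	"Reader":                      {Actions: []string{"*/read"}},
	"Contributor":                 {Actions: []string{"*"}, NotActions: []string{"Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"}},
	"Owner":                       {Actions: []string{"*"}},
	"Virtual Machine Contributor": {Actions: []string{"Microsoft.Compute/virtualMachines/*", "Microsoft.Network/*/read", "Microsoft.Storage/*/read"}},
}

// Assignment binds a user or group to a role at a scope; it applies to that scope
// and to everything beneath it.
type Assignment struct{ Principal, Role, Scope string }

type Authorizer struct {
	Groups      map[string][]string // user -> group memberships
	Assignments []Assignment
}

// matchAction supports one '*' wildcard, as in "*/read" or "Microsoft.Compute/*".
func matchAction(pattern, action string) bool {
	p, a := strings.ToLower(pattern), strings.ToLower(action)
	i := strings.Index(p, "*")
	if i < 0 {
		return p == a
	}
	pre, suf := p[:i], p[i+1:]
	return len(a) >= len(pre)+len(suf) && strings.HasPrefix(a, pre) && strings.HasSuffix(a, suf)
}

func anyMatch(patterns []string, action string) bool {
	for _, p := range patterns {
		if matchAction(p, action) {
			return true
		}
	}
	return false
}

// scopeCovers: an assignment at scope s applies to s itself and to any child scope.
func scopeCovers(s, target string) bool {
	s, target = strings.ToLower(s), strings.ToLower(target)
	return target == s || strings.HasPrefix(target, s+"/")
}

// Allowed grants the action if any applicable assignment's role lists it in Actions and
// not in that same role's NotActions. NotActions are not denies across roles.
func (az Authorizer) Allowed(user, action, scope string) bool {
	principals := append([]string{user}, az.Groups[user]...)
	for _, as := range az.Assignments {
		role, ok := Roles[as.Role]
		if !ok || !scopeCovers(as.Scope, scope) {
			continue
		}
		for _, p := range principals {
			if p == as.Principal && anyMatch(role.Actions, action) && !anyMatch(role.NotActions, action) {
				return true
			}
		}
	}
	return false
}

// Constructed scopes for the slide's example (subscription id and resource names are made up).
var (
	Sub     = "/subscriptions/00000000-0000-0000-0000-000000000001"
	RG      = Sub + "/resourceGroups/EmployeeBenefitsApp"
	VM      = RG + "/providers/Microsoft.Compute/virtualMachines/benefits-web-01"
	SQL     = RG + "/providers/Microsoft.Sql/servers/benefits-sql/databases/benefits"
	OtherVM = Sub + "/resourceGroups/PayrollApp/providers/Microsoft.Compute/virtualMachines/payroll-web-01"
)

// ConstructedAuthorizer holds the slide's three group assignments plus two extra
// identities (dave, erin) added to show inheritance and a resource-scoped role.
func ConstructedAuthorizer() Authorizer {
	return Authorizer{
		Groups: map[string][]string{"alice": {"HR IT Admins"}, "bob": {"HR IT DevOps Team"}, "carol": {"HR Benefits Team"}},
		Assignments: []Assignment{
			{"HR IT Admins", "Owner", RG},
			{"HR IT DevOps Team", "Contributor", RG},
			{"HR Benefits Team", "Reader", RG},
			{"dave", "Reader", Sub},                     // subscription-wide: inherits into every resource group
			{"erin", "Virtual Machine Contributor", VM}, // resource-specific role on one VM only
		},
	}
}

func main() {
	az := ConstructedAuthorizer()
	fmt.Println("carol read VM:", az.Allowed("carol", "Microsoft.Compute/virtualMachines/read", VM))
	fmt.Println("bob assign role:", az.Allowed("bob", "Microsoft.Authorization/roleAssignments/write", RG))
	fmt.Println("erin write SQL:", az.Allowed("erin", "Microsoft.Sql/servers/databases/write", SQL))
}
```

Worth noting when you audit an existing subscription with this model in mind: because assignments inherit downward, a Reader at subscription scope (dave here) can read the EmployeeBenefitsApp resources without ever appearing in that resource group's own assignments, so reviewing only the resource group view understates who has access.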


35 Privileged Identity Management (PIM)
- Discover current admin permissions in one view.
- Set temporary authorization policies for Azure AD management roles.
- Global, billing, password, service, and user administrators can use PIM.
- Collect justification and a work item reference for every elevation/activation.
- Coming soon: support for Azure RBAC.







