My notes from going through https://docs.microsoft.com/en-us/learn/modules/design-for-security-in-azure/
Zero trust model: Never assume trust, but continually validate it.
- E.g. don't assume that a request can be trusted just because it came from inside the network; authenticate and authorize it anyway.
- Zero trust underpins "Defense in Depth": each layer validates the request itself instead of relying on the layer in front of it.
Azure Security Center provides a solution to implement security and mitigate threats. The goals it helps you meet are the CIA principles:
- Confidentiality: Principle of least privilege. Restrict access only to individuals explicitly granted access.
- Integrity: Prevent unauthorized changes to data at rest or in transit.
- Availability: Ensure services are available to authorized users.
Some of the stuff in this module is also covered in https://gist.github.com/savishy/bb6c53679aa933857c8b1a7afe66591f#design-for-security.
Each of the Defense in Depth layers can implement one or more of the CIA principles.
- True or false: defense in depth is a strategy aimed to protect you against attacks attempting to gain access to your information?
- True
- False
- True or false: by moving to the cloud, my architecture is fully secure and I can hand off all security responsibilities to my cloud provider?
- True
- False
- More identities = more effort for end users to manage them = greater risk of misplacing or exposing them.
- More effort for admins if a user is locked out, an employee leaves the org, etc.
Azure AD
- Provides centralized SSO
- can also integrate with your existing on-premises Active Directory (with Azure AD Connect)
- all applications (even on-prem) can share same credentials
- Add rules and policies to control access to applications and data
- MFA
- Something you have: an RSA device or an app that generates OTP
- Something you know: passwords, security questions
- Something you are: biometrics
- Azure AD has MFA support:
- All global administrators get MFA enabled free of charge
- Other accounts can have MFA enabled by purchasing licenses
- Examples of access rules/policies (Azure AD Conditional Access):
- Block logins from IPs that are not in a certain range
- Require MFA from IPs outside the work IP range
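As an added worked example (mine, not part of the Microsoft module or these notes), the following Python models how such rules are evaluated: named locations are lists of CIDRs, each policy whose condition matches contributes its control, and a block control always wins over a grant control such as MFA, which is how Azure AD Conditional Access resolves conflicting policies. The IP ranges (documentation ranges), policy names and the evaluate() function are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed "named locations" (RFC 5737 documentation ranges, not real corporate IPs).
NAMED_LOCATIONS = {
    "corp-office": [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")],
    "blocked-region": [ip_network("192.0.2.0/24")],
}


@dataclass(frozen=True)
class Policy:
    name: str
    location: str      # named location the condition refers to
    when_inside: bool  # True: applies when the IP is inside; False: when outside
    control: str       # "block" or "mfa"


# Hypothetical policies mirroring the two examples in the notes above.
POLICIES = [
    Policy("block-untrusted-region", "blocked-region", True, "block"),
    Policy("mfa-outside-office", "corp-office", False, "mfa"),
]


def in_location(ip: str, location: str) -> bool:
    """True if ip falls inside any CIDR of the named location."""
    addr = ip_address(ip)
    return any(addr in net for net in NAMED_LOCATIONS[location])


def evaluate(ip: str, mfa_done: bool) -> str:
    """Return 'blocked', 'mfa_required' or 'allow' for a sign-in from ip.

    Every policy whose condition matches contributes its control; a block
    control overrides grant controls (MFA) no matter how many policies grant.
    """
    controls = {p.control for p in POLICIES
                if in_location(ip, p.location) == p.when_inside}
    if "block" in controls:
        return "blocked"
    if "mfa" in controls and not mfa_done:
        return "mfa_required"
    return "allow"


if __name__ == "__main__":
    for ip, mfa in [("203.0.113.10", False), ("8.8.8.8", False),
                    ("8.8.8.8", True), ("192.0.2.5", True)]:
        print(f"{ip:>14} mfa_done={mfa!s:<5} -> {evaluate(ip, mfa)}")
```

Note that 192.0.2.5 is also "outside the office", so the MFA policy matches too; the sign-in is still blocked even if MFA was completed, because block wins.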
Azure Application Proxy
- Legacy on-premises applications can be accessed remotely without any code changes.
- Users use MyApps portal to get single-sign-on both to SaaS apps and On-Prem apps.
- remote access does not require opening any inbound connections through the firewall.
- Application Proxy is a cloud application, so you save time and money on infrastructure and maintenance costs.
2 components of Azure Application Proxy
- An external URL
- An on-prem connector agent
Users -> navigate to the external URL -> authenticate with Azure AD -> the Application Proxy service hands the request to the connector agent, which forwards it to the on-premises application. The connector only opens outbound connections to Azure, which is why no inbound firewall ports are needed.
Azure AD B2C
- Allows users to use social identities (e.g. Google login)
- B2C AD directories are distinct from standard Azure AD directories.
Check your knowledge
- Which of the following is NOT a benefit of single sign-on?
- Increased complexity assigning permissions to users
- Fewer IDs and passwords for users to remember
- Lower administration effort when users change roles or leave an organization
- Ensures a consistent password policy across applications
- Role: collection of access permissions
- Roles can be granted at the individual service level or at a higher scope (e.g. an entire subscription)
- Roles assigned at a higher scope are inherited by child scopes
- Management Groups allow grouping subscriptions together and applying policy at an even higher level.
💡 Users, groups and roles are all stored in Azure AD.
Azure AD Privileged Identity Management (PIM)
- Additional paid offering
- Manage, control and monitor access to resources in Azure, Azure AD, and other Microsoft services (e.g. Office 365)
- Providing just-in-time privileged access to Azure AD and Azure resources
- Assigning time-bound access to resources by using start and end dates
- Requiring approval to activate privileged roles
- Enforcing Azure Multi-Factor Authentication (MFA) to activate any role
- Using justification to understand why users activate
- Getting notifications when privileged roles are activated
- Conducting access reviews to ensure that users still need roles
- Downloading an audit history for an internal or external audit
- To use PIM, you need one of the following paid or trial licenses:
- Azure AD Premium P2
- Enterprise Mobility + Security (EMS) E5
- Identity: something that can be authenticated (e.g. a user account, an application, or a server)
- Principal: an identity that assumes a role. E.g. using sudo changes the role of your identity.
- Service Principal: an identity used by a service or application rather than a person; it can be assigned roles like any other principal.
- Creation of service principals can be tedious
- Maintenance of SPs is difficult
- Managed identities can be instantly created for a supported Azure service
- Managed identity = an account in Azure AD.
- Azure will take care of authenticating the service and managing the AD account.
- You can manage access for the AD account to other resources.
💡 Not all Azure services support managed identities.
- Azure role-based access control can be applied to all but which of the following scopes?
- Subscription
- Resource group
- Files and folders within a Linux filesystem
- Resource
- True or false: a managed identity for Azure resources could be assigned to a virtual machine to give it rights to start and stop other virtual machines.
- True
- False
Types of encryption
- Symmetric same key used to encrypt and decrypt data.
- Asymmetric uses 2 keys (a public/private key pair).
- Data transformed with one key of the pair can only be reversed with the other key.
- Encrypt with the public key so that only the private-key holder can decrypt (confidentiality); sign with the private key so that anyone holding the public key can verify (authenticity, e.g. TLS certificates).
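An added example (mine, not from the module) that shows the key-pair property with textbook RSA on tiny primes: the same modular exponentiation is used for both keys, so whatever one key does the other undoes, while applying the public key twice does not recover the message. The primes, exponent and message are constructed (the classic p=61, q=53 pair); real RSA uses keys of 2048 bits or more and padding (OAEP for encryption, PSS for signatures), never raw exponentiation like this.

```python
from math import gcd


def keygen(p: int, q: int, e: int = 17):
    """Textbook RSA key generation from two primes (toy sizes, illustration only)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)        # public key, private key


def apply_key(key, value: int) -> int:
    """Raise value to the key's exponent mod n; identical operation for either key."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


def encrypt(public_key, message: int) -> int:
    return apply_key(public_key, message)


def decrypt(private_key, ciphertext: int) -> int:
    return apply_key(private_key, ciphertext)


def sign(private_key, message: int) -> int:
    return apply_key(private_key, message)


def verify(public_key, message: int, signature: int) -> bool:
    return apply_key(public_key, signature) == message


def demo() -> dict:
    pub, priv = keygen(61, 53)          # n = 3233, e = 17, d = 2753
    m = 65                              # constructed message
    c = encrypt(pub, m)                 # anyone holding pub can encrypt ...
    plain = decrypt(priv, c)            # ... only the holder of priv can decrypt
    pub_again = apply_key(pub, c)       # "decrypting" with the public key fails
    sig = sign(priv, m)                 # only the holder of priv can sign ...
    ok = verify(pub, m, sig)            # ... anyone holding pub can verify
    forged = verify(pub, m + 1, sig)    # signature does not cover a changed message
    return {"n": pub[0], "d": priv[1], "cipher": c, "plain": plain,
            "public_key_decrypts": pub_again == m,
            "signature_valid": ok, "forgery_valid": forged}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```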
Approaches of encryption
- At rest
- Data stored in a DB, file storage, storage account etc.
- Ensures that if an attacker obtains a hard drive (or a VHD, for example) the data cannot be decrypted without the keys.
- In transit
- Data being sent over a network, e.g. between a client and a web server
💡 Identifying and classifying data (e.g. Restricted, Moderate, Public) helps the decision-making process: the classification then determines what level of encryption to apply.
💡 Encryption for data on the physical disks:
- Storage Service Encryption
- For data at rest.
- All Azure Storage services i.e. Azure Managed Disks, Blob Storage, Files, Queues, Tables
- All performance tiers (Standard and Premium)
- Both deployment models (Resource Manager and Classic)
- AES 256-bit
- Enabled by default, no additional code or features needed.
- By default, Microsoft manages the encryption key - but you can provide your own key if needed.
💡 SSE protects against theft of the physical media, but won't help if someone gets access to the Azure subscription and therefore to the VHDs attached to your VM: they can download or mount the disk and the storage service decrypts it for them transparently. That gap is what Azure Disk Encryption covers.
Azure Disk Encryption (ADE)
- Encrypts the OS and data disks inside the VM, using the BitLocker feature of Windows and the DM-Crypt feature of Linux
- Encryption keys can be managed in Azure Key Vault
- Azure Security Center will alert you if you have unencrypted VMs.
💡 For databases: Transparent Data Encryption (TDE)
- Enabled by default for all newly deployed Azure SQL databases
- Uses a unique encryption key per logical SQL server
- By default, Azure-managed keys; you can bring your own keys and store them in Azure Key Vault.
"SQL Server Always Encrypted" feature is designed for personal information or financial data.
- Install a client driver
- Driver performs encryption and decryption
- The driver transparently encrypts the values of protected columns in T-SQL query parameters before they leave the client, and decrypts results on the way back
- The DB only ever works with encrypted data; the keys are never revealed to the database engine, so DBAs and anyone who compromises the server cannot read the plaintext.
Azure Key Vault: cloud-based storage for secrets, keys and certificates
- Each "vault" is backed by a Hardware Security Module (HSM)
- Vaults can handle requesting and renewing TLS certificates.
- Azure AD identities can be given access to key vault secrets
- i.e. applications can acquire the secrets they need without needing to hardcode them
- Azure Backup uses AES256
- Encryption key is generated from passphrase configured by administrator
- True or false: only Windows virtual machines can use Azure Disk Encryption
- True
- False
- When classifying data, which of the following is a factor?
- Level of risk posed to customers if exposed
- Method of data transport
- Whether the data is stored on virtual machines or in a database
- The amount of data stored
💡 This is for the outermost, i.e. internet-facing, layer (the network perimeter).
Use Azure Security Center to identify internet-facing resources that are at risk.
- E.g. resources without NSGs
- resources that are not behind firewall
Application Gateway: a layer 7 load balancer + WAF (Web Application Firewall)
- Comes with managed rule sets based on the OWASP Core Rule Set (CRS) 3.0 or 2.2.9
- Protects against XSS / SQL Injection
Network Virtual Appliance (NVA)
- Increased complexity of configuration, however additional customizability.
Azure DDoS Protection
- Azure Monitor metrics will notify you within a few minutes of attack detection.
💡 This is for the inner layer: traffic within a VNet.
- NSGs operate at layers 3 and 4 (source/destination IP, port, protocol). Rules are evaluated in priority order (lowest number first) and the first match wins; the built-in default rules allow VNet traffic and deny all other inbound traffic at the lowest priority.
- E.g. one NSG for each environment, or one NSG per tier.
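An added Python example (mine, not from the module) of how an NSG reaches its decision: rules are sorted by priority, the first one whose protocol, source and destination port all match decides, and Azure's default rules sit at the end. Rule names, the 10.0.0.0/8 stand-in for the VirtualNetwork service tag, and the omission of the AzureLoadBalancer default rule are assumptions made to keep the example offline.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # 100-4096 for custom rules; lower number is evaluated first
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR or "*"
    dest_port: str     # "443", "1000-2000" or "*"


# Constructed inbound rules for a web tier.
CUSTOM_RULES = [
    Rule("AllowHttpsFromInternet", 100, "Allow", "Tcp", "*", "443"),
    Rule("AllowSshFromBastion", 110, "Allow", "Tcp", "10.0.1.0/24", "22"),
    Rule("DenySshFromAnywhereElse", 200, "Deny", "Tcp", "*", "22"),
]

# Azure's default inbound rules, simplified: 10.0.0.0/8 stands in for the
# VirtualNetwork service tag (assumption) and the load balancer rule is omitted.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "10.0.0.0/8", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

NSG = CUSTOM_RULES + DEFAULT_RULES

# Same intent, but the deny rule was given a lower number than the bastion allow,
# so it shadows it: a common misconfiguration.
MISORDERED_NSG = [
    Rule("DenySshFromAnywhereElse", 105, "Deny", "Tcp", "*", "22"),
    Rule("AllowSshFromBastion", 110, "Allow", "Tcp", "10.0.1.0/24", "22"),
] + DEFAULT_RULES


def port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(x) for x in spec.split("-"))
        return low <= port <= high
    return int(spec) == port


def source_matches(spec: str, ip: str) -> bool:
    return spec == "*" or ip_address(ip) in ip_network(spec)


def evaluate_inbound(rules, protocol: str, src_ip: str, dst_port: int):
    """Return (access, rule name) of the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol != "*" and rule.protocol != protocol:
            continue
        if not source_matches(rule.source, src_ip):
            continue
        if not port_matches(rule.dest_port, dst_port):
            continue
        return rule.access, rule.name
    return "Deny", "<no rule>"   # not reached while DenyAllInBound is present


if __name__ == "__main__":
    flows = [("Tcp", "198.51.100.7", 443), ("Tcp", "198.51.100.7", 22),
             ("Tcp", "10.0.1.4", 22), ("Tcp", "10.0.5.4", 8080), ("Udp", "198.51.100.7", 443)]
    for flow in flows:
        print(flow, "->", evaluate_inbound(NSG, *flow))
    print("bastion SSH with misordered rules ->", evaluate_inbound(MISORDERED_NSG, "Tcp", "10.0.1.4", 22))
```

The misordered set is worth running: the intent is identical, but because 105 is evaluated before 110 the bastion is locked out, which is the kind of thing a per-tier NSG review should catch.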
- VNet Service Endpoints: restrict an Azure PaaS service (e.g. a storage account) so that it only accepts traffic from specified VNets/subnets, instead of from any public address.
- Connecting Azure VNet to on-prem network
- By default VNets are isolated; peering allows them to be connected.
- Peering is not transitive: VNetA -peer- VNetB -peer- VNetC does not imply VNetA -peer- VNetC.
- Azure network security groups can be used to secure communication between which of the following?
- Communication between Azure virtual machines and the internet
- Communication between Azure virtual machines within a VNet
- Communication between Azure virtual machines and systems in an on-premises network
- All of the above
- Which of the following is not a method for protecting internet facing services from network attacks?
- Azure DDoS
- Azure Application Gateway WAF
- Azure Disk Encryption
- A network virtual appliance