Azure

Agenda
• Azure Overview
• Security
• Billing
• Identity
• Storage
• Networking
• Compute
• EMS
• OMS
• Azure App Service
• Data Insights
http://aka.ms/azuredd
What is Azure?
Service map (figure): Infrastructure Services, Platform Services, Security & Management.
Services shown: Web Apps, Mobile Apps, API Management, API Apps, Logic Apps, Notification Hubs, Content Delivery Network (CDN), Media Services, HDInsight, Machine Learning, Stream Analytics, Data Factory, Event Hubs, Mobile Engagement, Azure Active Directory, Multi-Factor Authentication, Automation, Portal, Key Vault, BizTalk Services, Hybrid Connections, Service Bus, Storage Queues, Store / Marketplace, Hybrid Operations, Backup, StorSimple, Site Recovery, Import/Export, SQL Database, DocumentDB, Redis Cache, Search, Tables, SQL Data Warehouse, Azure AD Connect Health, Azure AD Privileged Identity Management, Operational Insights, Cloud Services, Batch, RemoteApp, Service Fabric, Visual Studio, Application Insights, Azure SDK, Team Project, VM Image Gallery & VM Depot.
Azure compute regions
Recent announcements
• Azure Site Recovery: Protect VMware and Physical Servers in Public Preview
• Azure Backup Generally Available
• Azure API Management Premium simplifies high availability and massive scale for APIs
• ExpressRoute for Office 365
• Azure Active Directory Dynamic Membership for Groups
• Automatic Password Change for Social Media Shared Accounts
• Compute-Intensive A10 and A11 Virtual Machine Instances
• Remote Desktop app for Windows Phone support for Gateway and Remote Resources
• Informatica Cloud Agent availability in Linux and Windows Virtual Machines
• Azure DocumentDB Hadoop Connector
• Azure HDInsight support for more VM sizes
• Enterprise-Grade Array-Based Replication and Disaster Recovery with ASR and System Center GA
Azure momentum
• >85% of the Fortune 500 using Azure
• >120,000 new Azure customer subscriptions/month
• 150 billion Azure SQL query requests processed/day
• 120 billion hits to websites run on Azure Web App Service
• 1 out of 4 VMs are Linux VMs
• 715 million Azure Active Directory users
• >18 billion authentications/week
Analyst reports
Cloud Computing
Estimating Cloud Costs: http://azure.microsoft.com/en-us/pricing/calculator/
How we differentiate: Hybrid Cloud, Enterprise grade, Hyper-scale.
Most Comprehensive Hybrid Cloud: Microsoft Azure and Microsoft Azure Stack.
Azure Security
The Microsoft Cloud - A Cloud You Can Trust
• No one is able to use your data in a way that you do not approve.
• The confidentiality, integrity, and availability of your data is protected.
• You have visibility into how your data is being handled and used.
• Your content is stored and managed in compliance with applicable laws, regulations and standards.
Securing the Platform
Security embedded in planning, design, development, & deployment: Prevent & Assume Breach Strategy; Incident Response; Access Policy & Controls; Threat Detection; Forensics; Datacenter Security; Secure Multi-tenancy; Network Protection; DDoS Defense; Data Segregation; Data Protection.
Control areas: Infrastructure security controls, Operational security controls, Strategy, Certifications, Compliance.

Security Development Lifecycle
Phases: Training, Requirements, Design, Implementation, Verification, Release, Response.
• Incident Response (MSRC)
• Establish release criteria & sign-off as part of FSR
• Guide product teams to meet SDL requirements
• Administer and track security training
• Education, Process, Accountability
• Ongoing Process Improvements
Infrastructure security controls Operational security controls Compliance
Datacenter Security
Layered physical security (figure): Perimeter, Building, Computer room.
• Seismic bracing
• Security operations center
• 24x7 security staff
• Days of backup power
• Cameras, alarms
• Two-factor access control: biometric readers & card readers
• Barriers, fencing
Secure Multi-tenancy
• Isolates customer environments using the Fabric Controller
• Runs a configuration-hardened version of Windows Server as the Host OS
• Uses Hyper-V, a battle-tested and enterprise-proven hypervisor
Figure: Microsoft Azure platform with Portal / Smart API (used by Customer Admin and End Users), Fabric Controller, Host OS and Hypervisor hosting Guest VMs for Customer 1 and Customer 2, Azure Storage, SQL Database.
Network Protection
• Provides logical isolation while enabling customer control
• Restricts access from the Internet, permits traffic only to endpoints, and provides load balancing and NAT at the Cloud Access Layer
• Private IP addresses are isolated from other customers
Figure: Microsoft Azure with Isolated Virtual Networks for Customer 1 (Subnet 1 with Deployment X and Deployment Y, Subnet 2, Subnet 3, DNS Server, VLAN-to-VLAN) and Customer 2; the Cloud Access Layer faces the Internet, with an RDP Endpoint (password access) for a Client and a VPN to Corp 1.
DDoS Defense
Figure: DDoS Defense System. Components: Internet, MSFT Routing Layer, Detection Pipeline, Profile DB, Scrubbing Array, SLB, Application. Flows: Attack Traffic, Scrubbed Traffic, Flow Data, Routing Updates.
Azure’s DDoS defense system is designed not only to withstand attacks from the outside, but also from within. Azure monitors and detects internally initiated DDoS attacks and removes offending VMs from the network.
Data Segregation
• Stored data accessible only through claims-based IDM & access control with private key
• Storage blocks are hashed by the hypervisor to separate accounts
• SQL Azure isolates separate account databases
• VM switch at the host level blocks inter-tenant communication
Figure: Microsoft Azure platform with Portal / Smart API (Customer Admin, End Users), Access Control, Fabric Controller, Host OS and Hypervisor hosting Guest VMs for Customer 1 and Customer 2, Azure Storage, SQL Database.
Data Protection
Data segregation: Logical isolation segregates each customer’s data from that of others.
In-transit data protection: Industry-standard protocols encrypt data in transit to/from outside components, as well as data in transit internally by default.
Data redundancy: Customers have multiple options for replicating data, including number of copies and number and location of replication datacenters.
At-rest data protection: Customers can implement a range of encryption options for virtual machines and storage.
Encryption: Data encryption in storage or in transit can be deployed by the customer to align with best practices for ensuring confidentiality and integrity of data.
Data destruction: When customers delete data or leave Azure, Microsoft follows procedures to render the previous customer’s data inaccessible.
Prevent & Assume Breach
Prevent breach
• Secure Development Lifecycle
• Physical security controls
• Operational security controls
Prevent Breach is a defensive strategy aimed at predicting and preventing a security breach.
Assume breach
• Bug Bounty Program
• War game exercises
• Live site penetration testing
The Assume Breach strategy, unique to Microsoft, is a key operational practice that hardens cloud services. It leverages Microsoft’s vast threat intelligence and includes state-of-the-art security monitoring and response.
Incident Response
In-depth 9-step incident response process (figure labels): Event Detected, Security Team Engaged, Security Event Confirmed, Event Start, DevOps Engaged, Incident Assessment, Determine Customer Impact, Azure Customer Notification, Customer Process Step 1, Determine Affected Customers, Customer Notification.
• Focus on containment & recovery
• Makes contractual commitments regarding customer notification + provides forensics
Access Policy & Controls
Just-in-Time & Role-Based Access (figure): a pre-screened admin on the Microsoft Corporate Network requests access; leadership grants temporary privilege to Microsoft Azure resources (blobs, tables, queues, drives).
• No standing access to the platform and no access to customer Virtual Machines
• Grants least privilege required to complete task; access requests are audited and logged
• Multi-factor authentication required for all administration
Threat Detection
• Provides big data analysis of logs for intrusion detection & prevention for the platform
• Employs denial of service attack prevention measures for the platform
• Regularly performs penetration testing
Figure: Customer Environment in Microsoft Azure (Application Tier, Logic Tier, Database Tier on a Virtual Network) behind the Cloud Access & Firewall Layer, with a DOS/IDS threat detection layer at each tier; End Users reach it from the Internet and from Corp 1 via VPN.
Forensics
• Provides coordination, analysis of logs and VHD images in the event of a platform-level incident
• Provides forensic data to customers when needed
Security Compliance Strategy
Security Compliance Framework (figure): Security analytics; Risk management best practices; Security benchmark analysis; Test and audit.
• Security goals set in context of business and industry requirements
• Security analytics & best practices deployed to detect and respond to threats
• Benchmarked to a high bar of certifications and accreditations to ensure compliance
• Continual monitoring, test and audit
• Ongoing update of certifications for new services
Certifications & Programs
Program: Description
ISO/IEC 27001: The ISO/IEC 27001:2005 certificate validates that Azure has implemented the internationally recognized information security controls defined in this standard.
SOC 1 (SSAE 16/ISAE 3402): Azure has also been audited against the Service Organization Control (SOC) reporting framework for SOC 1 Type 2 (formerly SAS 70), attesting to the design and operating effectiveness of its controls.
SOC 2: Azure has been audited for SOC 2 Type 2, which includes a further examination of Azure controls related to security, availability, and confidentiality.
FedRAMP/FISMA: Azure has received Provisional Authorization to Operate from the Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board (JAB), having undergone the assessments necessary to verify that it meets FedRAMP security standards.
PCI DSS Level 1: Azure has been validated for PCI-DSS Level 1 compliance by an independent Qualified Security Assessor (QSA).
UK G-Cloud IL2: In the United Kingdom, Azure has been awarded Impact Level 2 (IL2) accreditation, further enhancing Microsoft and its partner offerings on the current G-Cloud procurement Framework and CloudStore.
HIPAA BAA: To help customers comply with HIPAA and HITECH Act security and privacy provisions, Microsoft offers a HIPAA Business Associate Agreement (BAA) to healthcare entities with access to Protected Health Information (PHI).
Azure Compliance
• The largest compliance portfolio in the industry
General Availability: HIPAA / HITECH; FedRAMP JAB P-ATO; FIPS 140-2; FERPA; DISA Level 2; ITAR-ready; CJIS; 21 CFR Part 11; IRS 1075; Section 508 VPAT; ISO 27001; PCI DSS Level 1; SOC 1 Type 2; SOC 2 Type 2; ISO 27018; Cloud Controls Matrix; Content Delivery and Security Association; Shared Assessments; European Union Model Clauses; United Kingdom G-Cloud; Singapore MTCS Level 3; Australian Signals Directorate; Japan Financial Services; China Multi Layer Protection Scheme; China CCCPPF; New Zealand GCIO; China GB 18030; EU Safe Harbor; ENISA IAF.
Billing
Slice and dice by…
• EA portal level: Departments, Accounts, Subscriptions
• Subscription level: Resource groups
• Resource level: Tagging, Naming convention, Manual mapping…
Example 1 – Bank, 100 000+ employees
Benefits
• Simplified financial management: cost by app, cost by application owner, cost by resources
• Accelerated and reliable deployments
• Compliant separation of duties
• Consistent role / right model
EA Billing API
Azure Usage and Billing Portal (recommended): https://blogs.msdn.microsoft.com/mustafakasap/2016/07/14/welcome-azure-usage-and-billing-portal/