Azure

Azure - info.microsoft.com Discovery... · Azure Site Recovery: Protect VMWare and Physical Servers in Public Preview Azure Backup Generally Available Azure API Management Premium

Azure

Agenda

Azure Overview

Security

Billing

Identity

Storage

Networking

Compute

EMS

OMS

Azure App Service

Data Insights

http://aka.ms/azuredd

What is Azure?

Infrastructure Services
Platform Services
Security & Management

Web Apps
Mobile Apps
API Management
API Apps
Logic Apps
Notification Hubs
Content Delivery Network (CDN)
Media Services
HDInsight
Machine Learning
Stream Analytics
Data Factory
Event Hubs
Mobile Engagement
Azure Active Directory
Multi-Factor Authentication
Automation
Portal
Key Vault
BizTalk Services
Hybrid Connections
Service Bus
Storage Queues
Store / Marketplace
Hybrid Operations
Backup
StorSimple
Site Recovery
Import/Export
SQL Database
DocumentDB
Redis Cache
Search
Tables
SQL Data Warehouse
Azure AD Connect Health
Azure AD Privileged Identity Management
Operational Insights
Cloud Services
Batch
RemoteApp
Service Fabric
Visual Studio
Application Insights
Azure SDK
Team Project
VM Image Gallery & VM Depot

Azure compute regions

Azure Site Recovery: Protect VMware and Physical Servers in Public Preview

Azure Backup Generally Available

Azure API Management Premium simplifies high availability and massive scale for APIs

ExpressRoute for Office 365

Azure Active Directory Dynamic Membership For Groups

Automatic Password Change for Social Media Shared Accounts

Compute-Intensive A10 and A11 Virtual Machine Instances

Remote Desktop app for Windows Phone support for Gateway and Remote Resources

Informatica Cloud Agent availability in Linux and Windows Virtual Machines

Azure DocumentDB Hadoop Connector

Azure HDInsight support for more VM sizes

Enterprise-Grade Array-Based Replication and Disaster Recovery with ASR and System Center GA

Azure momentum

>85% Fortune 500 using Azure

>120,000 New Azure customer subscriptions/month

150 Billion Azure SQL query requests processed/day

120 Billion Hits to websites run on Azure Web App Service

1 out of 4 VMs Are Linux VMs

715 Million Azure Active Directory Users

>18 Billion Authentications/week

Analyst reports

Cloud Computing

Estimating Cloud Costs

http://azure.microsoft.com/en-us/pricing/calculator/

How we differentiate.

Hybrid Cloud

Enterprise grade

Hyper-scale

Most Comprehensive Hybrid Cloud

Microsoft Azure

Microsoft Azure Stack

Azure Security

The Microsoft Cloud - A Cloud You Can Trust

No one is able to use your data in a way that you do not approve.

The confidentiality, integrity, and availability of your data is protected.

You have visibility into how your data is being handled and used.

Your content is stored and managed in compliance with applicable laws, regulations and standards.

Securing the Platform

Security Embedded in Planning, Design, Development, & Deployment

Prevent & Assume Breach Strategy

Incident Response

Access Policy & Controls

Threat Detection

Forensics

Datacenter Security

Secure Multi-tenancy

Network Protection

DDoS Defense

Data Segregation

Data Protection

Infrastructure security controls

Operational security controls

Strategy

Certifications

Compliance

Security Development Lifecycle

Training, Requirements, Design, Implementation, Verification, Release, Response

Education, Process, Accountability

Administer and track security training

Guide product teams to meet SDL requirements

Establish release criteria & sign-off as part of FSR

Incident Response (MSRC)

Ongoing Process Improvements

Infrastructure security controls Operational security controls Compliance

Datacenter Security

Perimeter

Computer room

Building

Seismic bracing

Security operations center

24X7 security staff

Days of backup power

Cameras

Alarms

Two-factor access control: Biometric readers & card readers

Barriers

Fencing

Secure Multi-tenancy

Isolates customer environments using the Fabric Controller

Runs a configuration-hardened version of Windows Server as the Host OS

Uses Hyper-V – a battle tested and enterprise proven hypervisor

[Diagram labels: Microsoft Azure, Azure Storage, SQL Database, Fabric Controller, Customer Admin, Guest VM (Customer 1, Customer 2), Portal, Smart API, End Users, Host OS, Hypervisor]

Network Protection

Provides logical isolation while enabling customer control

Restricts access from the Internet, permits traffic only to endpoints, and provides load balancing and NAT at the Cloud Access Layer

Private IP addresses are isolated from other customers

[Diagram labels: Microsoft Azure, INTERNET, Client, Cloud Access Layer, RDP Endpoint (password access), Isolated Virtual Networks, Customer 1, Customer 2, Deployment X, Deployment Y, Subnet 1, Subnet 2, Subnet 3, VLAN-to-VLAN, DNS Server, VPN, Corp 1]

DDoS Defense System

Azure’s DDoS defense system is designed not only to withstand attacks from the outside, but also from within.

Azure monitors and detects internally initiated DDoS attacks and removes offending VMs from the network

[Diagram labels: Internet, MSFT Routing Layer, Detection Pipeline, Profile DB, Scrubbing Array, SLB, Application, Attack Traffic, Scrubbed Traffic, Flow Data, Routing Updates]

Data Segregation

Stored data accessible only through claims-based IDM & access control with private key

Storage blocks are hashed by the hypervisor to separate accounts

SQL Azure isolates separate account databases

VM switch at the host level blocks inter-tenant communication

[Diagram labels: Microsoft Azure, Azure Storage, SQL Database, Fabric Controller, Customer Admin, Guest VM (Customer 1, Customer 2), Portal, Smart API, End Users, Access Control, Host OS, Hypervisor]

Data Protection

Data segregation
Logical isolation segregates each customer’s data from that of others.

In-transit data protection
Industry-standard protocols encrypt data in transit to/from outside components, as well as data in transit internally by default.

Data redundancy
Customers have multiple options for replicating data, including number of copies and number and location of replication datacenters.

At-rest data protection
Customers can implement a range of encryption options for virtual machines and storage.

Encryption
Data encryption in storage or in transit can be deployed by the customer to align with best practices for ensuring confidentiality and integrity of data.

Data destruction
When customers delete data or leave Azure, Microsoft follows procedures to render the previous customer’s data inaccessible.

Prevent & Assume Breach

• Secure Development Lifecycle
• Physical security controls
• Operational security controls

Prevent breach

• Bug Bounty Program
• War game exercises
• Live site penetration testing

Prevent Breach is a defensive strategy aimed at predicting and preventing a security breach

The Assume Breach strategy, unique to Microsoft, is a key operational practice that hardens cloud services

Leverages Microsoft’s vast threat intelligence

Includes state of the art security monitoring and response

Assume breach

Incident Response

Event Detected

Security Team Engaged

Security Event Confirmed

Event Start

DevOps Engaged

Incident Assessment

Determine Customer Impact

Azure Customer Notification

Customer Process Step 1

Determine Affected Customers

Customer Notification

In-depth 9-step incident response process

Focus on containment & recovery

Makes contractual commitments regarding customer notification + provides forensics

Access Policy & Controls

Pre-screened Admin requests access

Leadership grants temporary privilege

No standing access to the platform and no access to customer Virtual Machines

Grants least privilege required to complete task; access requests are audited and logged

Multi-factor authentication required for all administration

[Diagram labels: Microsoft Corporate Network, Just-in-Time & Role-Based Access, Microsoft Azure, BLOBS, TABLES, QUEUES, DRIVES]

Threat Detection

Provides big data analysis of logs for intrusion detection & prevention for the platform

Employs denial of service attack prevention measures for the platform

Regularly performs penetration testing

[Diagram labels: Microsoft Azure, INTERNET, End Users, VPN, Corp 1, Cloud Access & Firewall Layer, THREAT DETECTION: DOS/IDS Layer, Virtual Network, Customer Environment, Application Tier, Logic Tier, Database Tier]

Forensics

Provides coordination, analysis of logs and VHD images in the event of platform-level incident

Provides forensic data to customers when needed

Security analytics

Risk management best practices

Security benchmark analysis

Test and audit

Security Compliance Framework

• Security goals set in context of business and industry requirements

• Security analytics & best practices deployed to detect and respond to threats

• Benchmarked to a high bar of certifications and accreditations to ensure compliance

• Continual monitoring, test and audit

• Ongoing update of certifications for new services

Security Compliance Strategy

Certifications & Programs

Program: Description

ISO/IEC 27001: The ISO/IEC 27001:2005 certificate validates that Azure has implemented the internationally recognized information security controls defined in this standard.

SOC 1 (SSAE 16/ISAE 3402): Azure has also been audited against the Service Organization Control (SOC) reporting framework for SOC 1 Type 2 (formerly SAS 70), attesting to the design and operating effectiveness of its controls.

SOC 2: Azure has been audited for SOC 2 Type 2, which includes a further examination of Azure controls related to security, availability, and confidentiality.

FedRAMP/FISMA: Azure has received Provisional Authorization to Operate from the Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board (JAB), having undergone the assessments necessary to verify that it meets FedRAMP security standards.

PCI DSS Level 1: Azure has been validated for PCI-DSS Level 1 compliance by an independent Qualified Security Assessor (QSA).

UK G-Cloud IL2: In the United Kingdom, Azure has been awarded Impact Level 2 (IL2) accreditation, further enhancing Microsoft and its partner offerings on the current G-Cloud procurement Framework and CloudStore.

HIPAA BAA: To help customers comply with HIPAA and HITECH Act security and privacy provisions, Microsoft offers a HIPAA Business Associate Agreement (BAA) to healthcare entities with access to Protected Health Information (PHI).

Azure Compliance

• The largest compliance portfolio in the industry

HIPAA / HITECH
FedRAMP JAB P-ATO
FIPS 140-2
FERPA
DISA Level 2
ITAR-ready
CJIS
21 CFR Part 11
IRS 1075
Section 508 VPAT
ISO 27001
PCI DSS Level 1
SOC 1 Type 2
SOC 2 Type 2
ISO 27018
Cloud Controls Matrix
Content Delivery and Security Association
Shared Assessments
European Union Model Clauses
United Kingdom G-Cloud
Singapore MTCS Level 3
Australian Signals Directorate
Japan Financial Services
China Multi Layer Protection Scheme
China CCCPPF
New Zealand GCIO
China GB 18030
EU Safe Harbor
ENISA IAF

General Availability

Billing

Slice and dice by…

• EA portal level
  • Departments
  • Accounts
  • Subscriptions
• Subscription level
  • Resource groups
• Resource level
  • Tagging
  • Naming convention
• Manual mapping…

Example 1 – Bank 100 000+ employees

Benefits

• Simplified financial management
  • Cost by app
  • Cost by application owner
  • Cost by resources
  • Accelerated and reliable deployments
• Compliant separation of duties
• Consistent role / right model

EA Billing API

Azure Usage and Billing Portal

https://blogs.msdn.microsoft.com/mustafakasap/2016/07/14/welcome-azure-usage-and-billing-portal/