Organized crime, nation states, activists, insiders
Premera Blue Cross, Anthem, Sony, Target, NSA, DoD, RSA, McDonnell Douglas, Saudi Aramco, J.P. Morgan Chase, Home Depot, 100 U.S. banks
Slide 6
Virtualization, cloud computing, service providers
Slide 7
Responsibility for security: enterprise vs. Microsoft or other cloud service provider
Service models: SaaS, PaaS, IaaS, private
Layers: data governance & rights management; client endpoints; account & access management; identity & directory infrastructure; applications; network controls; operating system; hosting infrastructure; network infrastructure; physical datacenter
Slide 8
Administrator privileges will be compromised: social engineering, bribery, private initiative.
50 years ago we gave the administrator the keys to the kingdom.
All these attacks exploit privileged accounts: stolen admin credentials, insiders, malicious service provider staff.
Slide 9
Principles: trust boundaries, assume breach
Slide 10
Government, enterprises, providers, bad guys
Principles: trust boundaries, assume breach
Slide 13
Fabric, workloads, control plane: fabric manager, workload manager
Slide 14
Trust plane isolated from fabric and control plane: key service
Slide 15
Virtual Secure Mode (VSM), key service
Slide 16
VSM: VM protected at rest and in transit
3. Deliver vTPM key encrypted to VSM
Components: TPM, key service, workload manager, HSM
Slide 18
VSM, key service
Slide 19
Trust in the environment: VSM, key service
Slide 20
VSM, key service, trust in the environment
Regulatory and compliance domains (per service: Azure, Office 365, Dynamics CRM, Intune):
ISO 27001:2013
ISO/IEC 27018:2014
U.S. Government Cloud: Federal Risk and Authorization Management Program (FedRAMP) Moderate
Family Educational Rights and Privacy Act (FERPA) (N/A for some services)
Health Insurance Portability and Accountability Act (HIPAA)
Payment Card Industry (PCI) Data Security Standards (DSS) Level 1 (N/A for some services)
SOC 1 Type 2 (SSAE 16/ISAE 3402) attestations
SOC 2 Type 2 (AT section 101)
Criminal Justice Information Services (CJIS)
UK G-Cloud Official Accreditation
EU Model Clauses / EU Model Contract Clauses (EUMC)
EU Safe Harbor
http://azure.microsoft.com/en-us/support/trust-center/services/
Slide 21
VSM, key service, trust in the environment
1. Attestation request: TPM public key, VSM public key, UEFI secure boot log, HVCI policy
2. Deliver attestation certificate
Attestation service
Slide 23
Variants of the Trust Plane pattern in many systems: Azure Key Vault with SQL TDE; Azure Key Vault with Azure Resource Manager; Windows Server Guardian for encrypted VMs; Azure Key Vault for encrypted VMs
The pattern can be generalized to: certificates, data disks, containers, databases, networks, nested VMs
Slide 25
VSM: protect workload from direct attack
Slide 26
Identity and access control across clouds: AD, Azure AD, ADFS
Control plane: RBAC, Azure portal, multi-factor authentication
Just in time, just enough admin: limit administrator privileges in time and space; elevation request self-service; containment and auditability
Slide 28
Reduce attack surface: Nanoserver; anti-malware & patching; workload tuning, cluster awareness, orchestration, scheduling; status and configuration baseline monitoring
Harden for common attacks: pass-the-hash mitigations (LSA in VSM); next generation credentials
Network: secure enterprise connectivity; network security groups; third-party network security appliances
Slide 29
With all this protection, are we safe now?
Slide 31
Data sources: fabric, workloads, network, storage, services; private, hosted and public clouds
Cloud-scale analytics, machine learning, third-party extensibility
Behavior, anti-malware, anti-crime; industry, government
Slide 34
1. Analyze: Advanced Threat Analytics analyzes all Active Directory-related traffic and collects relevant events from SIEM
2. Learn: Advanced Threat Analytics automatically learns all entities' behaviors
3. Detect: ATA builds the organizational security graph, detects abnormal behavior, protocol attacks, and weaknesses, and then constructs an attack timeline
Protect Windows and Linux, current and down-level
Cloud services: directory, key vault, detection, forensics
Minimize workflow impact on tenant and cloud owner
Consistency across clouds
Slide 38
Enterprises: apply protection, identity management, detection in private cloud; require assurance from service providers; protect assets in complex scenarios, e.g. cross-cloud disaster recovery; use detection services for all workloads; get servers with TPM and UEFI
Service providers: offer protection, attestation, identity management, detection services; leverage Azure services
Everybody: assume breach!
Slide 39
Microsoft Confidential (NDA)
Related sessions:
Harden the Fabric: Protecting Tenant Secrets in Hyper-V, Dean Wells, Wednesday, May 6th, 3:15 PM to 4:30 PM
Enabling Data Protection in Microsoft Azure, Devendra Tiwari, Thomas Knudson, Tuesday, May 5th, 5:00 PM to 6:15 PM
Protecting Windows and Microsoft Azure Active Directory with Privileged Access Management, Mark Wahl, Thursday, May 7th, 5:00 PM to 6:15 PM
How to Protect Your Corporate Resources from Advanced Attacks: Microsoft Advanced Threat Analysis Deep Dive, Demi Albuz, Benny Lakunishok, Tuesday, May 5th, 10:45 AM to 12:00 PM
Security Threat Analysis Using Microsoft Azure Operational Insights, Joseph Chan, Thursday, May 7th, 1:30 PM to 2:45 PM
How Microsoft Active Directory Helps Prevent, Detect and Remediate Attacks to your Enterprise, Alex Weinert, David Howell, Friday, May 6th, 10:45 to 12:00 PM
Slide 40
Microsoft Cloud Security for Enterprise Architects: systematic approach to securing your identities, data, and applications in the cloud (Visio version, PDF version)
Slide 41
Microsoft's Enterprise Cloud Roadmap: resources for IT decision makers, http://aka.ms/CloudArchitecture
Map of Microsoft SaaS, PaaS, IaaS, and private cloud offerings; identity architecture; security architecture; deployment and integration options for Exchange, Lync, and SharePoint; Azure architecture blueprints; cloud design patterns; design stencils