UpdateConf 2018: Top 18 Azure security fails and how to avoid them
1 like143 views
The document discusses common security failures in Azure and provides strategies for avoiding them. It covers issues such as overly permissive user roles, inadequate monitoring, and unprotected endpoints while offering mitigation techniques like implementing role-based access control and utilizing security tools. The author emphasizes the need for proper management and monitoring to secure Azure environments effectively.
More Related Content
![[OWASP Poland Day] Embedding security into SDLC + GDPR](https://cdn.slidesharecdn.com/ss_thumbnails/owaspday2017-michalkurek-171003211147-thumbnail.jpg?width=560&fit=bounds)
Similar to UpdateConf 2018: Top 18 Azure security fails and how to avoid them (20)
UpdateConf 2018: Top 18 Azure security fails and how to avoid them
- 1. @fincooper Top Azure security fails and how to avoid them Karl Ots, Zure Ltd
- 2. @fincooper Karl Ots Managing Consultant [email protected] • Cloud & cybersecurity expert • User group and conference organizer, podcast hosts • Patented inventor • Working on Azure since 2011 • Helped to secure 100+ Azure applications, from startups to Fortune 500 enterprises • linkedin.com/in/karlots
- 3. @fincooper What to expect in this session • Azure security landscape • Top Azure security fails I have wondered upon in my adventures • Why are they bad? • How to fix them? • Resources to help you secure your Azure environment, regardless of your current status
- 4. @fincooper With great power comes great responsibility
- 5. @fincooper Security controls for Azure applications Subscriptions and Resource Groups AAD and RBAC ARM Templates, Policies and Locks Logging, Alerting & Auditing Data Encryption Backups & Disaster Recovery Privacy & Compliance Network security
- 6. @fincooper Cloud security: reality check
- 7. @fincooper Role-Based Access Control Subscription Resource Groups Resources Owner Can perform all management operations for a resource and its child resources including access management and granting access to others. Contributor Can perform all management operations for a resource including create and delete resources. A contributor cannot grant access to other. Reader Has read-only access to a resource and its child resources. A reader cannot read secrets.
- 8. @fincooper Privileged Identity Management • Identifies users with administrative privileges • Enables just-in-time administrative access • Generates reports about elevated role access history • Requires Azure AD Premium P2 • For all users in the whole AAD Tenant
- 9. @fincooper STRIDE • Azure removes some of the attack surface, as infrastructure and operations are handled by Microsoft. • We can use frameworks such as STRIDE to identify threats: • Good set of tools at https://www.microsoft.com/en-us/SDL/adopt/tools.aspx Threat Property Definition Spoofing Authentication Impersonating something or someone else. Tampering Integrity Modifying data or code. Repudiation Non-repudiation Claiming to have not performed an action. Information Disclosure Confidentiality Exposing information to someone not authorized to see it. Denial of Service Availability Deny or degrade service to users. Elevation of Privilege Authorization Gain capabilities without proper authorization.
- 10. @fincooper Security fail #1 • Every user is an Owner • …In the Subscription scope • STRIDE threat categorization: • Tampering • Information Disclosure • Mitigation: • Default access scope should be Resource Group, not Subscription • Default RBAC access should be Contributor, not Owner
- 11. @fincooper Security fail #2 • Service Principals have too wide privileges • STRIDE threat categorization: • Repudiation • Mitigation: • Service Principal RBAC assignments should follow the least privileged principle • Service Principals should NOT be granted access in the Subscription scope • Service Principals should NOT be granted Owner access in any scope
- 12. @fincooper Security fail #3 • Untrusted authorization provider being used • (Microsoft Account, Gmail, unmanaged Azure AD…) • STRIDE threat categorization: • Spoofing • Elevation of Privilege • Mitigation: • Always use trusted Azure AD authentication that is managed by your organization • Monitor Azure Subscription access using AAD PIM
- 13. @fincooper Security fail #4 • Unprotected public endpoints • HTTP / RDP / SSH • STRIDE threat categorization: • Information Disclosure • Denial of Service • Mitigation: • Every public IP is a risk and should be carefully reviewed • Use Network Security Groups to control access to / from virtual machines • Use Azure Security Center’s Just-in-time access to dynamically change NSG rules • Use Web Application Firewall to control access to public HTTP endpoints
- 14. @fincooper Security fail #5 • Storage access keys used directly • STRIDE threat categorization: • Information Disclosure • Tampering • Repudiation • Mitigation: • Storage Access Keys should be stored in Azure Key Vault and rotated programmatically • Restrict access to Microsoft.Storage/storageAccounts/listkeys/action using RBAC
- 15. @fincooper Security fail #6 • No monitoring or alerting • STRIDE threat categorization: • Repudiation • Denial of Service • Mitigation: • Configure Activity Log retention, default is only 90 days! • Enable Application Insight Smart Alerts • Enable Advanced Treat Protection • Enable Azure SQL Audit logging • Monitor all HTTP endpoint traffic with with Application Gateway / WAF
- 16. @fincooper Security fail #7 • Missing Virtual Machine updates • STRIDE threat categorization: • Information Disclosure • Elevation of Privilege • Mitigation: • Update management • Azure Security Center
- 17. @fincooper DEMO “How to avoid them”
- 18. @fincooper Secure DevOps kit for Azure (AzSK) • Set of tools for assessing the security posture of your Azure environment • Built by Microsoft Core Services Engineering • Used to secure 1000+ Azure subscriptions at Microsoft • Easy to get started with non-intrusive vulnerability scans, expands end-to- end tooling from developer machine to CI/CD to continuous assurance
- 19. @fincooper Materials • My slides: slideshare.net/karlots • Secure DevOps Kit for Azure: • azsk.azurewebsites.net • Microsoft Ignite 2018 session THR2104 Assess your Microsoft Azure security like a pro • STRIDE Threat Modeling Lessons from Star Wars: • youtube.com/watch?v=Y3VQpg04vXo • Azure Security and Compliance Blueprint (not Azure Blueprint): • docs.microsoft.com/en-us/azure/security/blueprints/gdpr-paaswa-overview • Azure Virtual Datacenter: • docs.microsoft.com/en-us/azure/architecture/vdc/
- 20. @fincooper