Enabling Data Protection in Microsoft Azure

BRK3490
What are we covering?
• How Azure protects your data
• How you can protect your data
• How you can control and protect your keys using Azure Key Vault
• How to use
Cybersecurity concerns persist
Global attacks are increasing and costs are rising
• Cybercrime extracts between 15% and 20% of the value created by the Internet. [1]
• In the UK, 81% of large corporations and 60% of small businesses reported a cyberbreach in the past year. [2]
• Total financial losses attributed to security compromises increased 34% in 2014. [3]
• Impact of cyber attacks could be as much as $3 trillion in lost productivity and growth. [4]
Security Development Lifecycle & Operational Security Assurance
Protect
Network, Identity and Data Isolation
Least Privilege / Just-in-Time (JIT) Access
Data Protection – Data Encryption and Key Management
Vulnerability / Update Management
Detect
Auditing and Certification
Live Site Penetration Testing
Centralized Logging and Monitoring
Fraud and Abuse Detection
Respond
Breach Containment
Coordinated Security Response
Customer Notification
Data protection
Azure provides customers with strong data protections, both by default and as customer options.

• Data isolation: Logical isolation that segregates each customer's data from that of others is enabled by default.
• At-rest data protection: Customers can implement a range of encryption options for virtual machines and storage.
• In-transit data protection: Industry-standard protocols encrypt data in transit to/from outside components, as well as data in transit internally, by default.
• Encryption: Data encryption in storage or in transit can be deployed by the customer to align with best practices for ensuring confidentiality and integrity of data.
• Data redundancy: Customers have multiple options for replicating data, including the number of copies and the number and location of replication data centers.
• Data destruction: Strict standards for overwriting storage resources before reuse and for the physical destruction of decommissioned hardware apply by default.
Data In Transit – Encryption Options

Three scenarios, and what encryption protects against in each:
• Data in transit between a user and the service: protects the user from interception of their communication and helps ensure transaction integrity
• Data in transit between data centers: protects from bulk interception of data
• End-to-end encryption of communications between users: protects from interception or loss of data in transit between users

Microsoft:
• Azure Portal
  • Encrypts transactions through the Azure Portal using HTTPS
  • Strong ciphers are used / FIPS 140-2 support
• Import / Export
  • Only accepts BitLocker-encrypted data disks
• Datacenter to Datacenter
  • Encrypts customer data transfer between Azure datacenters

Customers:
• Storage
  • Choose HTTPS for the Storage REST API
• N-Tier Applications
  • Encrypt traffic between web client and server by implementing TLS on IIS
Azure Data Encryption - Data at Rest
Virtual Machines – Windows and Linux
• Azure Disk Encryption - <BitLocker [Windows], DM-Crypt [Linux]>
• Partner Volume Encryption – <CloudLink® SecureVM>
SQL Server and SQL Database
• Transparent Data Encryption - <SQL Server OR SQL Database>
• Cell Level Encryption - <SQL Server OR SQL Database>
• Always Encrypted
Azure Storage – Blobs, Tables, Queues
• Application Level Encryption - <Storage Client-Side encryption>
• Cloud Integrated Storage - <StorSimple>
HDInsight
• HDInsight – <Leverages Azure Storage, SQL Azure DB encryption>
Azure Backup Service
• Azure Backup Service – <Leverages Azure Disk Encryption>
Keys Management
• Azure Key Vault – <Keys and Secrets controlled by customers in their key vault>
• Authentication to Key Vault – <Authentication to Key Vault is using Azure AD>

Azure Disk Encryption
• Enables migration of encrypted VHDs from on-premises to cloud
• Enables encryption on running VMs and new VMs
• Key management integrated in customer key vault using HSM
Encryption Scenarios
Protection elements
• Access control: customers control access to the keys/secrets in their key vault
• Monitoring and logging: customers collect logs in their storage account
• Data security and availability: disks are stored encrypted in the customer's storage account and are automatically replicated by Azure storage

Scenario 1 – customer uploads an already-encrypted VHD
1. Customer uploads the encrypted VHD to their Azure storage account
2. Customer provisions the encryption key material* in their key vault and grants the platform access to provision the VM
3. Customer opts into enabling disk encryption
4. Azure service management updates the service model with the encryption and key vault configuration
5. Azure platform provisions the encrypted VM

Scenario 2 – VM encrypted in Azure (new or running VM)
1. Customer opts into enabling disk encryption and grants the Azure platform access to provision the encryption key material* in their key vault
2. Azure service management updates the service model with the encryption and key vault configuration
3. Azure platform provisions the encrypted VM

Flow shown on both slides: Portal/API ("Encrypt Me") -> AAD token -> Service Management config -> Host provisions the encrypted VM from the customer's disks in Azure Storage, with the key material held in the customer key vault.

* Key material – BitLocker encryption keys [Windows], passphrase [Linux]

Contents of the customer key vault after encryption:
• Secrets: Contoso.BEK [encrypted by ContosoKEK] – BitLocker, Windows; ContosoPassPhrase [encrypted by ContosoKEK] – Linux
• Keys: ContosoKEK
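Scenario 2 above, driven from PowerShell, as an added example (not code from the deck or from Microsoft): it enables the vault for disk encryption, creates an HSM-backed KEK, and asks the Azure Disk Encryption extension to encrypt a running VM. It assumes the AzureRM PowerShell module (1.x cmdlet names), a Premium-SKU vault that already exists, and an Azure AD application the extension authenticates as; the resource group, VM, vault and key names are placeholders.

```powershell
# Added example, not from the deck. Assumes AzureRM 1.x cmdlets and an existing Premium vault.
# Resource names and the AAD application are placeholders for illustration.
$rg        = 'ContosoVMs-RG'
$vmName    = 'ContosoVM01'
$vault     = 'ContosoKeyVault'
$kekName   = 'ContosoKEK'
$aadAppId  = '<client id of the AAD application the ADE extension authenticates as>'
$aadSecret = '<secret of that application>'

# Allow the platform to write the BEK/passphrase into the vault as a secret, and allow the
# AAD application only what ADE needs: wrap with the KEK, set the secret. Nothing else gets
# 'get' on that secret; disk keys are read back by the platform, not by operators.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vault -EnabledForDiskEncryption
Set-AzureRmKeyVaultAccessPolicy -VaultName $vault -ServicePrincipalName $aadAppId `
    -PermissionsToKeys wrapKey -PermissionsToSecrets set

# HSM-protected key-encryption key. The BEK/passphrase is stored wrapped under this key,
# which is the 'Contoso.BEK [encrypted by ContosoKEK]' arrangement on the slide.
$kek = Add-AzureKeyVaultKey -VaultName $vault -Name $kekName -Destination HSM
$kv  = Get-AzureRmKeyVault -VaultName $vault

# Opt in: the extension encrypts the OS and data volumes of the running VM (BitLocker on
# Windows, dm-crypt on Linux) and pushes the wrapped key material into the vault. Expect a reboot.
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -AadClientID $aadAppId -AadClientSecret $aadSecret `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -KeyEncryptionKeyUrl $kek.Key.Kid -KeyEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All -Force

# Check: both volume types should report Encrypted, and the vault should now hold a secret
# written by the extension (the wrapped BEK or passphrase) alongside the KEK.
Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
Get-AzureKeyVaultSecret -VaultName $vault | Format-Table Name, Created, Tags
Get-AzureKeyVaultKey    -VaultName $vault | Format-Table Name, Created
```

The access policy is the part worth reviewing before running this: the extension's application needs wrapKey and set, and only those. Granting it get on secrets, or granting operators get on secrets in the same vault, would let a compromised identity pull the wrapped disk key and unwrap it if it also held unwrapKey on the KEK.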
Azure Storage – client-side encryption
• Users encrypt their data on the client side before uploading to Azure Storage, and decrypt it after downloading; the storage service never sees the keys and is incapable of decrypting the data

// Azure Storage client-side encryption, preview client library API as shown on the slide.
// 'blob' (a CloudBlockBlob), 'stream' and 'size' are assumed to be defined already.
using System.IO;
using System.Security.Cryptography;
using Microsoft.WindowsAzure.Storage.Blob;

// Create the KeyWrapper to be used for wrapping the per-blob content key.
// AesCryptoServiceProvider generates a random key: persist aes.Key (e.g. in Key Vault),
// otherwise the blob cannot be decrypted after this process exits.
AesCryptoServiceProvider aes = new AesCryptoServiceProvider();
SymmetricKeyWrapper aesKeyWrapper = new SymmetricKeyWrapper("symencryptionkey", aes);

// Create the encryption policy to be used for upload.
BlobEncryptionPolicy uploadPolicy = new BlobEncryptionPolicy(BlobEncryptionMode.FullBlob, aesKeyWrapper, null);

// Set the encryption policy on the request options.
BlobRequestOptions options = new BlobRequestOptions() { EncryptionPolicy = uploadPolicy };

// Upload the encrypted contents to the blob: data is encrypted before it leaves the client.
blob.UploadFromStream(stream, size, null, options, null);

// Download and decrypt the encrypted contents from the blob with the same policy and key.
MemoryStream outputStream = new MemoryStream();
blob.DownloadToStream(outputStream, null, options, null);
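What the snippet above does underneath, as an added example that is not code from the deck or from the Azure storage client library: envelope encryption, where each blob gets its own content-encryption key (CEK), the CEK is wrapped with the customer's key-encryption key (KEK), and only the ciphertext plus the wrapped CEK are what the service would store. It runs offline with .NET crypto in PowerShell; the KEK name 'ContosoKEK', the sample payload and the metadata field names (chosen to mirror the structure of the scheme, not the library's exact names) are all made up here.

```powershell
# Added example, not from the deck or the Azure SDK. Runs offline; nothing is uploaded.
function Protect-BlobContent {
    param([byte[]]$Plaintext,
          [System.Security.Cryptography.RSACryptoServiceProvider]$Kek,
          [string]$KekId)

    # A fresh content-encryption key (CEK) and IV for this blob only.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.GenerateKey(); $aes.GenerateIV()

    $enc = $aes.CreateEncryptor()
    $ciphertext = $enc.TransformFinalBlock($Plaintext, 0, $Plaintext.Length)

    # Wrap the CEK with the key-encryption key (RSA-OAEP, $true selects OAEP). The KEK stays
    # on the client (or in Key Vault); only the wrapped CEK travels with the blob.
    $wrappedCek = $Kek.Encrypt($aes.Key, $true)
    $iv = $aes.IV
    $enc.Dispose(); $aes.Dispose()

    # Everything the storage service would ever see: ciphertext plus metadata that
    # names the KEK but contains no key material the service can use.
    return @{
        Ciphertext     = $ciphertext
        EncryptionData = @{
            EncryptionAgent     = @{ Protocol = '1.0'; EncryptionAlgorithm = 'AES_CBC_256' }
            ContentEncryptionIV = [Convert]::ToBase64String($iv)
            WrappedContentKey   = @{ KeyId = $KekId; Algorithm = 'RSA-OAEP'
                                     EncryptedKey = [Convert]::ToBase64String($wrappedCek) }
        }
    }
}

function Unprotect-BlobContent {
    param($Stored, [System.Security.Cryptography.RSACryptoServiceProvider]$Kek, [string]$KekId)
    $wck = $Stored.EncryptionData.WrappedContentKey
    if ($wck.KeyId -ne $KekId) { throw "Blob was wrapped with '$($wck.KeyId)', not '$KekId'" }

    # Unwrap the CEK with the KEK, then decrypt. A wrong KEK fails here, not silently later.
    $cek = $Kek.Decrypt([Convert]::FromBase64String($wck.EncryptedKey), $true)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = $cek
    $aes.IV  = [Convert]::FromBase64String($Stored.EncryptionData.ContentEncryptionIV)
    $dec = $aes.CreateDecryptor()
    $plain = $dec.TransformFinalBlock($Stored.Ciphertext, 0, $Stored.Ciphertext.Length)
    $dec.Dispose(); $aes.Dispose()
    return $plain
}

# --- Demo with a constructed payload (made up for this example) ---
$kek    = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)
$plain  = [Text.Encoding]::UTF8.GetBytes("employee_id,salary`n1001,72000`n1002,65500")
$stored = Protect-BlobContent -Plaintext $plain -Kek $kek -KekId 'ContosoKEK'

"Metadata stored alongside the blob (no usable key in it):"
$stored.EncryptionData | ConvertTo-Json -Depth 4

"Round trip with the right KEK:"
[Text.Encoding]::UTF8.GetString((Unprotect-BlobContent -Stored $stored -Kek $kek -KekId 'ContosoKEK'))

"Holder of ciphertext + metadata but a different KEK:"
$otherKek = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)
try   { Unprotect-BlobContent -Stored $stored -Kek $otherKek -KekId 'ContosoKEK' | Out-Null }
catch { "unwrap failed as expected: $($_.Exception.Message)" }
```

Two things the example makes visible that the snippet does not: the KEK never appears in anything sent to the service (only its identifier does), and key rotation is a matter of re-wrapping CEKs, not re-encrypting blobs. AES-CBC gives confidentiality only; if tampering with stored ciphertext is in scope, an authenticated mode or a separate MAC over ciphertext and metadata is needed.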
Storage – StorSimple
• Hybrid Applications – Windows Server Data Snapshots
• Data encrypted on-premises and backed up in Azure
• AES-256 encryption and integrity protected with SHA-256 hashes

SQL Server and SQL Database
• Encryption Options:
  • Transparent Data Encryption (TDE), Cell Level Encryption (CLE)
  • SQL Server Encrypted Backups
  • Always Encrypted
SQL Server Extensible Key Management (EKM) provider shifts encryption master keys to an external key manager
• Separation of duties between data and key management
• Azure Key Vault as an EKM
  • SQL Server Connector enables Azure Key Vault use as an EKM
  • Customer-owned encryption master keys in a software or hardware (FIPS-validated HSM) vault
  • SQL Server on-prem / Azure VMs

Setup flow (actors on the slide: Security Operations, SQL Server Admin, Auditor; services: Azure Active Directory, Key Vault Service):
1. Register the SQL Server instance in Azure Active Directory (Security Operations)
2a. Create the vault; 2b. Create the master key; 2c. Give SQL Server access to the vault (Security Operations)
3. Configure SQL Server encryption (SQL Server Admin)
4. The SQL Server Connector authenticates to Azure Active Directory
5. The Key Vault Service protects the keys
6. Audit key usage (Auditor; coming soon)
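Steps 2a to 2c and 3 of the flow above, as an added example that is not code from the deck or from the SQL Server Connector documentation. The vault side uses AzureRM 1.x cmdlets; the SQL side is the T-SQL sequence the SQL Server Connector for Microsoft Azure Key Vault accepts, sent with Invoke-Sqlcmd (SQLPS/SqlServer module) to a SQL Server 2012 or later instance on which the Connector is installed. The resource names, the AAD application from step 1, the login, the database and the server name are placeholders.

```powershell
# Added example, not from the deck. Placeholders throughout; the AAD application is the one
# registered for this SQL Server instance in step 1 of the flow.
$rg        = 'ContosoKeys-RG'
$vault     = 'ContosoKeyVault'
$location  = 'West US'
$aadAppId  = '<client id of the AAD application registered for SQL Server>'
$aadSecret = '<client secret of that application>'

# 2a. Create the vault (Premium SKU so keys can be HSM-protected).
New-AzureRmResourceGroup -Name $rg -Location $location | Out-Null
New-AzureRmKeyVault -VaultName $vault -ResourceGroupName $rg -Location $location -Sku Premium | Out-Null

# 2b. Create the master key in the HSM. Its private half never leaves the HSM boundary.
Add-AzureKeyVaultKey -VaultName $vault -Name 'ContosoMasterKey' -Destination HSM | Out-Null

# 2c. Give the SQL Server's AAD identity only the key operations EKM needs.
#     No create/delete/backup: the DBA can use the master key but cannot replace or export it.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vault -ServicePrincipalName $aadAppId `
    -PermissionsToKeys get,list,wrapKey,unwrapKey

# 3. Configure SQL Server (run as sysadmin on the instance). The Connector expects the credential
#    SECRET to be the application id without hyphens followed by the client secret.
$ekmSecret = ($aadAppId -replace '-', '') + $aadSecret
$tsql = @"
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;  RECONFIGURE;

CREATE CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov
  FROM FILE = 'C:\Program Files\Microsoft SQL Server Connector for Microsoft Azure Key Vault\Microsoft.AzureKeyVaultService.EKM.dll';

-- Credential the sysadmin uses to reach the vault (IDENTITY is the vault name).
CREATE CREDENTIAL sysadmin_ekm_cred
  WITH IDENTITY = '$vault', SECRET = '$ekmSecret'
  FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov;
ALTER LOGIN [CONTOSO\sqladmin] ADD CREDENTIAL sysadmin_ekm_cred;

-- Reference the HSM key; OPEN_EXISTING means SQL Server holds a handle, never the private key.
CREATE ASYMMETRIC KEY ContosoMasterKey
  FROM PROVIDER AzureKeyVault_EKM_Prov
  WITH PROVIDER_KEY_NAME = 'ContosoMasterKey', CREATION_DISPOSITION = OPEN_EXISTING;

-- The engine opens the DEK under a login mapped to the asymmetric key, with its own credential.
CREATE LOGIN TDE_Login FROM ASYMMETRIC KEY ContosoMasterKey;
CREATE CREDENTIAL Azure_EKM_TDE_cred
  WITH IDENTITY = '$vault', SECRET = '$ekmSecret'
  FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov;
ALTER LOGIN TDE_Login ADD CREDENTIAL Azure_EKM_TDE_cred;

USE ContosoDB;
CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256
  ENCRYPTION BY SERVER ASYMMETRIC KEY ContosoMasterKey;
ALTER DATABASE ContosoDB SET ENCRYPTION ON;

-- Check: encryption_state 3 = encrypted, encryptor_type shows the asymmetric (EKM) key.
SELECT DB_NAME(database_id) AS db, encryption_state, encryptor_type
  FROM sys.dm_database_encryption_keys;
"@
Invoke-Sqlcmd -ServerInstance 'SQLVM01' -Query $tsql
```

The separation of duties the slide promises holds only if the people who can run the T-SQL above are not also the people who hold create/delete/backup on the vault: the SQL Server Admin gets a credential that can wrap and unwrap, Security Operations keeps control of the key's lifecycle. The client secret is embedded in the command text here for clarity; in practice read it from a protected store rather than a script.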
Microsoft Azure Key Vault
Key Vault offers an easy, cost-effective way to safeguard keys and other secrets used by cloud apps and services using HSMs.
(Diagram: IaaS, PaaS and SaaS applications on Microsoft Azure use Key Vault; customers can import keys into the HSM.)

Enhance data protection and compliance
• Encrypt keys and small secrets like passwords using keys stored in tightly controlled and monitored Hardware Security Modules (HSMs)
• Import or generate your keys in HSMs for added assurance: keys never leave the HSM boundary
• Comply with regulatory standards for secure key management, including US Government FIPS 140-2 Level 2 and Common Criteria EAL 4+
Monitoring
• Monitor and audit key use through Azure logging; pipe logs into HDInsight or your SIEM for additional analysis (coming soon)

Who does what
• Manages keys: Creates a Key Vault. Adds keys and secrets to the vault. Grants permission to specific application(s) to perform specific operations, e.g. decrypt, unwrap. Tells the application the URI of the key / secret. Enables usage logs.
• Deploys application: The application program uses the key or secret (and may abuse it) but never sees the keys.
• Monitors access to keys: Reviews usage logs to confirm proper key use and compliance with data security standards.
• Abandoned Data – Data retained for 90 days and available if customer comes
back, then subsequently deleted
• Customer Deletion – Delete data at anytime
• Defective Disks – Destroyed on-site
• Decommission – Azure follows DoD data wiping standards
Fundamentals are key!
• Mitigate risk of compromised accounts
  • Multi-Factor Authentication (Azure MFA / Windows Server ADFS)
• Limit excessive permissions – least privilege
  • Azure AD Role Based Access Control (RBAC)
  • Azure AD Privileged Identity Management (temporary/'JIT' access controls)
• Detect insider compromise or abuse of privileges
  • Azure auditing and logging
  • Azure AD anomaly detection and analysis
Accounts with weak authentication methods (passwords) can be compromised (e.g. spear-phishing)
• Secure your user accounts with Azure MFA
  • Can be used with Azure Active Directory or Windows Server Active Directory Federation Services (ADFS)
  • Provides a second factor (e.g. phone or device) in addition to the password
• Secure your user accounts with smart cards with Windows Server ADFS & AAD
  • Use your existing PKI (Smart Card, Virtual Smart Card) to secure accounts by using Azure AD accounts federated to your on-premises infrastructure
Permissions to sensitive data should follow the 'least privilege' principle: only grant the access necessary for the role.
• Azure RBAC (20 built-in roles, custom coming soon)
  • General: Readers, Contributors, Owners
  • Resource specific: e.g. VirtualMachine-Contributor, SQLDB Contributor …
  • Assign users, groups, and service principals
• Key Vault access control
  • Very fine-grained access controls to key vaults for users and service principals
  • Create, verify, sign, wrap/unwrap, etc. (able to enforce segregation of duties)
Azure Role Based Access Control
• Assign roles to users and groups at subscription, resource group, or resource level
• Assignments inherit down the hierarchy (Subscription -> Resource Group -> Resource)
• Use built-in roles with pre-configured permissions: 20 built-in roles (Reader, Owner, Contributor, …)
• Create custom roles (coming soon)

Example:
Resource Group == EmployeeBenefitsApp
  - Virtual Machines, SQL DB, Storage Accounts
EmployeeBenefitsApp Role Assignments
  - Owners == HR IT Admins
  - Contributors == HR IT DevOps Team
  - Readers == HR Benefits Team
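The EmployeeBenefitsApp role model above, together with the Key Vault "manages keys / deploys application" split from the Key Vault slide, as an added example that is not code from the deck or from Microsoft. It uses AzureRM 1.x cmdlets; the vault name, the application's service principal name and the exact group names are placeholders.

```powershell
# Added example, not from the deck. AzureRM 1.x cmdlets; names are placeholders.
$rg    = 'EmployeeBenefitsApp'
$vault = 'BenefitsKeyVault'

# Resource-group-scoped role assignments. They inherit to the VMs, SQL DB and storage
# accounts inside the group, so nothing is assigned per resource.
$assignments = @{
    'Owner'       = 'HR IT Admins'
    'Contributor' = 'HR IT DevOps Team'
    'Reader'      = 'HR Benefits Team'
}
foreach ($role in $assignments.Keys) {
    $group = Get-AzureRmADGroup -SearchString $assignments[$role] | Select-Object -First 1
    if (-not $group) { throw "Group '$($assignments[$role])' not found" }
    New-AzureRmRoleAssignment -ObjectId $group.Id -RoleDefinitionName $role -ResourceGroupName $rg | Out-Null
}

# Key Vault access is separate from RBAC on the vault resource: RBAC decides who can manage
# the vault object, the access policy decides who can do what with the keys inside it.

# Key custodians (the 'manages keys' role on the slide): full key lifecycle, no data-plane
# operations such as decrypt or unwrapKey.
$custodians = Get-AzureRmADGroup -SearchString 'HR IT Admins' | Select-Object -First 1
Set-AzureRmKeyVaultAccessPolicy -VaultName $vault -ObjectId $custodians.Id `
    -PermissionsToKeys create,import,delete,list,get,backup,restore `
    -PermissionsToSecrets set,delete,list

# The application's service principal (the 'deploys application' role): it can use the key
# and read its secret, but cannot list, create, export or delete anything.
$app = Get-AzureRmADServicePrincipal -SearchString 'BenefitsWebApp' | Select-Object -First 1
Set-AzureRmKeyVaultAccessPolicy -VaultName $vault -ObjectId $app.Id `
    -PermissionsToKeys decrypt,unwrapKey `
    -PermissionsToSecrets get

# Check: review the effective assignments and policies before sign-off.
Get-AzureRmRoleAssignment -ResourceGroupName $rg |
    Format-Table DisplayName, RoleDefinitionName, Scope
(Get-AzureRmKeyVault -VaultName $vault).AccessPolicies |
    Format-Table DisplayName, PermissionsToKeys, PermissionsToSecrets
```

One caveat the slide's diagram does not show: an Owner of the resource group that contains the vault can rewrite its access policy, so if the vault sits inside EmployeeBenefitsApp the HR IT Admins can grant themselves decrypt at any time. Keep the vault in a resource group owned by the key custodians alone if the segregation is meant to hold against an insider.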
Superuser accounts have special risk and deserve special management.
• Enable "Just In Time" (JIT) privileged access
  • Microsoft uses this paradigm to protect Azure
    • No standing access
    • Temporary, specifically scoped elevations to resolve incidents & provide support
• Customers can now benefit from this learning – Azure AD Privileged Identity Management
  • Discover current admin permissions in one view
  • Set temporary authorization policies for Azure AD management roles
    • Global, billing, password, service, and user administrators can use PIM
  • Collect justification & work item reference for every elevation/activation
  • Coming soon – support for Azure RBAC





http://azure.microsoft.com/en-us/support/trust-center/
http://azure.microsoft.com/en-us/services/active-directory/
http://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure
http://azure.microsoft.com/en-us/services/multi-factor-authentication/
http://blogs.technet.com/b/ad/archive/2015/05/04/azure-cloud-app-discovery-ga-and-our-new-privileged-identity-management-service.aspx
http://www.microsoft.com/en-us/server-cloud/products/storsimple/
http://msdn.microsoft.com/en-us/library/bb934049.aspx
http://blogs.msdn.com/b/alwaysonpro/archive/2014/01/28/how-to-enable-tde-encryption-on-a-database-in-an-availability-group.aspx
http://azure.microsoft.com/en-us/services/sql-database/
http://technet.microsoft.com/en-us/library/jj647767.aspx
http://msdn.microsoft.com/en-us/library/System.Security.Cryptography(v=vs.110).aspx
http://blogs.msdn.com/b/windowsazurestorage/archive/2015/04/28/client-side-encryption-for-microsoft-azure-storage-preview.aspx