BRK3490

What are we covering?

• How Azure protects your data
• How you can protect your data
• How you can control and protect your keys using Azure Key Vault
• How to use

Cybersecurity concerns persist

Global attacks are increasing and costs are rising.

• Cybercrime extracts between 15% and 20% of the value created by the Internet. [1]
• In the UK, 81% of large corporations and 60% of small businesses reported a cyberbreach in the past year. [2]
• Total financial losses attributed to security compromises increased 34% in 2014. [3]
• Impact of cyber attacks could be as much as $3 trillion in lost productivity and growth. [4]

Security Development Lifecycle & Operational Security Assurance

Protect
• Network, Identity and Data Isolation
• Least Privilege / Just-in-Time (JIT) Access
• Data Protection – Data Encryption and Key Management
• Vulnerability / Update Management

Detect
• Auditing and Certification
• Live Site Penetration Testing
• Centralized Logging and Monitoring
• Fraud and Abuse Detection

Respond
• Breach Containment
• Coordinated Security Response
• Customer Notification

Data protection

Azure provides customers with strong data protections – both by default and as customer options.

• Data isolation: Logical isolation segregates each customer's data from that of others and is enabled by default.
• At-rest data protection: Customers can implement a range of encryption options for virtual machines and storage.
• In-transit data protection: Industry-standard protocols encrypt data in transit to/from outside components, as well as data in transit internally, by default.
• Encryption: Data encryption in storage or in transit can be deployed by the customer to align with best practices for ensuring confidentiality and integrity of data.
• Data redundancy: Customers have multiple options for replicating data, including number of copies and number and location of replication data centers.
• Data destruction: Strict standards for overwriting storage resources before reuse and the physical destruction of decommissioned hardware apply by default.

Data In Transit – Encryption Options

Microsoft:
• Azure Portal
  • Encrypts transactions through the Azure Portal using HTTPS
  • Strong ciphers are used / FIPS 140-2 support
• Import / Export
  • Only accepts BitLocker encrypted data disks
• Datacenter to Datacenter
  • Encrypts customer data transfer between Azure datacenters

• Data in transit between a user and the service: Protects the user from interception of their communication and helps ensure transaction integrity
• Data in transit between data centers: Protects from bulk interception of data
• End-to-end encryption of communications between users: Protects from interception or loss of data in transit between users

Customers:
• Storage
  • Choose HTTPS for the REST API for Storage
• N-Tier Applications
  • Encrypt traffic between Web client and server by implementing TLS on IIS

Azure Data Encryption – Data at Rest

Virtual Machines – Windows and Linux
• Azure Disk Encryption – <BitLocker [Windows], DM-Crypt [Linux]>
• Partner Volume Encryption – <CloudLink® SecureVM>

SQL Server and SQL Database
• Transparent Data Encryption – <SQL Server OR SQL Database>
• Cell Level Encryption – <SQL Server OR SQL Database>
• Always Encrypted

Azure Storage – Blobs, Tables, Queues
• Application Level Encryption – <Storage Client-Side encryption>
• Cloud Integrated Storage – <StorSimple>

HDInsight
• HDInsight – <Leverages Azure Storage, SQL Azure DB encryption>

Azure Backup Service
• Azure Backup Service – <Leverages Azure Disk Encryption>

Keys Management
• Azure Key Vault – <Keys and Secrets controlled by customers in their key vault>
• Authentication to Key Vault – <Authentication to Key Vault is using Azure AD>

Azure Disk Encryption

• Enables migration of encrypted VHDs from on-premises to cloud
• Enables encryption on running VMs and new VMs
• Key management integrated in the customer key vault using HSM

Encryption Scenarios

Protection elements:
• Access control: Customers control access to the keys/secrets in their key vault
• Monitoring and Logging: Customers collect logs in their storage account
• Data Security and Availability: Disks are stored encrypted in the customer storage account and are automatically replicated by Azure Storage

Scenario 1 – customer uploads an encrypted VHD (diagram components: Customer Disks, Azure Storage, Virtual Machine, Host, Customer Key Vault, AAD, Service Management, Portal/API, "Encrypt Me")
1. Customer uploads the encrypted VHD to their Azure storage account
2. Customer provisions encryption key material* in their key vault and grants the platform access to provision the VM
3. Customer opts into enabling disk encryption
4. Azure service management updates the service model with the encryption and key vault configuration
5. Azure platform provisions the encrypted VM

Scenario 2 – platform-provisioned key material (same diagram components)
1. Customer opts into enabling disk encryption and grants the Azure platform access to provision encryption key material* in their key vault
2. Azure service management updates the service model with the encryption and key vault configuration
3. Azure platform provisions the encrypted VM

* Key Material – BitLocker Encryption Keys [Windows], Passphrase [Linux]

Key vault contents in the example:
Secrets
• Contoso.BEK [encrypted by ContosoKEK] – BitLocker, Windows
• ContosoPassPhrase [encrypted by ContosoKEK] – Linux
Keys
• ContosoKEK

Azure Storage – Client-Side Encryption

• Users encrypt their data on the client side before uploading to Azure Storage, and decrypt it after downloading; the storage service never sees the keys and is incapable of decrypting the data.

```csharp
using System.IO;
using System.Security.Cryptography;
using Microsoft.WindowsAzure.Storage.Blob;

// blob (a CloudBlockBlob), stream (the source data) and size (its length) are
// assumed to be initialised earlier; SymmetricKeyWrapper comes from the 2015
// client-side encryption preview of the storage client library.

// Create the KeyWrapper to be used for wrapping. The AES key is the
// key-encryption key: the library generates a fresh content key per blob and
// wraps it with this key, so only the wrapped content key is stored with the blob.
AesCryptoServiceProvider aes = new AesCryptoServiceProvider();
SymmetricKeyWrapper aesKeyWrapper = new SymmetricKeyWrapper("symencryptionkey", aes);

// Create the encryption policy to be used for upload.
BlobEncryptionPolicy uploadPolicy = new BlobEncryptionPolicy(BlobEncryptionMode.FullBlob, aesKeyWrapper, null);

// Set the encryption policy on the request options.
BlobRequestOptions options = new BlobRequestOptions() { EncryptionPolicy = uploadPolicy };

// Upload the encrypted contents to the blob.
blob.UploadFromStream(stream, size, null, options, null);

// Download and decrypt the encrypted contents from the blob; the same policy
// (holding the key-encryption key) is needed to unwrap the content key.
MemoryStream outputStream = new MemoryStream();
blob.DownloadToStream(outputStream, null, options, null);
```

Storage

• Hybrid Applications – Windows Server Data Snapshots
• Data encrypted on-premises and backed up in Azure
• AES 256 encryption and integrity protected with SHA-256 hashes

SQL Server and SQL Database – Encryption Options

• Transparent Data Encryption (TDE), Cell Level Encryption (CLE)
• SQL Server Encrypted Backups
• Always Encrypted
• SQL Server Extensible Key Management (EKM) provider shifts encryption master keys to an external key manager
  • Separation of duties between data and key management

Azure Key Vault as an EKM
• SQL Server Connector enables Azure Key Vault use as an EKM
• Customer-owned Encryption Master Keys in a software or hardware (FIPS validated HSM) vault

SQL Server (on-prem / Azure VMs) with Azure Key Vault – flow
1. Register the SQL Server instance (Azure Active Directory)
2. Security Operations: 2a. Create vault; 2b. Create master key; 2c. Give SQL Server access to the vault
3. SQL Server Admin: Configure SQL Server encryption
4. SQL Server Connector authenticates to Azure Active Directory
5. Key Vault Service protects the keys
6. Auditor: Audit key usage (coming soon)

Microsoft Azure Key Vault

Key Vault offers an easy, cost-effective way to safeguard keys and other secrets used by cloud apps and services using HSMs.
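The client-side encryption sample above works by envelope encryption: the library draws a fresh content key for each blob, encrypts the body with it, and wraps the content key with the customer's key-encryption key (the `SymmetricKeyWrapper`), so what reaches Azure Storage is ciphertext plus a wrapped key. The following Go program is an added example, not code from the deck or the Azure SDK, that shows the same pattern with only the standard library. `EncryptedBlob`, `KeyWrapper`, `EncryptBlob`, `DecryptBlob` and the resolver callback are names of my own; the SDK wraps with AES key wrap, whereas this example wraps the content key with AES-256-GCM, and the key-encryption key is a constructed random value standing in for a Key Vault key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptedBlob is what the storage service receives: the ciphertext and the
// per-blob content key in wrapped form only. Nothing in it lets the service,
// or anyone who can read the storage account, recover the plaintext.
type EncryptedBlob struct {
	KeyID      string // names the key-encryption key (KEK) that wrapped the content key
	WrappedCEK []byte // content encryption key (CEK), encrypted under the KEK
	Ciphertext []byte // body under the CEK: 12-byte GCM nonce, then ciphertext and tag
}

// KeyWrapper holds a KEK and its id, the role SymmetricKeyWrapper plays in the
// deck's C# sample. The SDK uses AES key wrap; here the wrap is AES-256-GCM.
type KeyWrapper struct {
	ID  string
	KEK []byte // 32 bytes for AES-256
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts and authenticates plaintext, returning nonce||ciphertext.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM reverses sealGCM; any change to nonce, ciphertext or tag is rejected.
func openGCM(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// EncryptBlob draws a fresh CEK for this blob, encrypts the body under it and
// wraps the CEK under the KEK. The KEK itself never leaves the client.
func EncryptBlob(w KeyWrapper, plaintext []byte) (*EncryptedBlob, error) {
	cek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, cek); err != nil {
		return nil, err
	}
	ct, err := sealGCM(cek, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := sealGCM(w.KEK, cek)
	if err != nil {
		return nil, err
	}
	return &EncryptedBlob{KeyID: w.ID, WrappedCEK: wrapped, Ciphertext: ct}, nil
}

// DecryptBlob resolves the KEK by the id stored with the blob (what the SDK's
// key resolver does), unwraps the CEK and decrypts the body.
func DecryptBlob(resolve func(id string) (KeyWrapper, bool), b *EncryptedBlob) ([]byte, error) {
	w, ok := resolve(b.KeyID)
	if !ok {
		return nil, fmt.Errorf("no key-encryption key with id %q", b.KeyID)
	}
	cek, err := openGCM(w.KEK, b.WrappedCEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap content key: %w", err)
	}
	return openGCM(cek, b.Ciphertext)
}

func main() {
	kek := make([]byte, 32) // constructed KEK; in production this would be a Key Vault key
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	w := KeyWrapper{ID: "symencryptionkey", KEK: kek}
	msg := []byte("constructed sample: employee benefits export")
	b, err := EncryptBlob(w, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: key id %s, plaintext visible in ciphertext: %v\n", b.KeyID, bytes.Contains(b.Ciphertext, msg))
	out, err := DecryptBlob(func(id string) (KeyWrapper, bool) { return w, id == w.ID }, b)
	fmt.Printf("decrypted: %s (err=%v)\n", out, err)
}
```

Two properties worth checking on any client-side encryption design are visible here: a second upload of the same data produces a different wrapped key and ciphertext, and a tampered blob fails to decrypt rather than yielding corrupted plaintext.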
(Diagram: Key Vault serving IaaS, PaaS and SaaS applications; Import keys; HSM; Monitoring)

Enhance data protection and compliance
• Encrypt keys and small secrets like passwords using keys stored in tightly controlled and monitored Hardware Security Modules (HSMs)
• Import or generate your keys in HSMs for added assurance: keys never leave the HSM boundary
• Comply with regulatory standards for secure key management, including the US Government FIPS 140-2 Level 2 and Common Criteria EAL 4+

Roles around a key vault

Manages keys
• Creates a Key Vault
• Adds keys and secrets to the vault
• Grants permission to specific application(s) to perform specific operations, e.g. decrypt, unwrap
• Tells the application the URI of the key / secret

Deploys application
• The application program uses the key or secret (and may abuse it) but never sees the keys

Monitors access to keys
• Enables usage logs
• Reviews usage logs to confirm proper key use and compliance with data security standards
• Monitor and audit key use through Azure logging – pipe logs into HDInsight or your SIEM for additional analysis (coming soon)

Azure Data Encryption – Data at Rest – Recap

(Same content as the Azure Data Encryption – Data at Rest slide above.)

Data destruction

• Abandoned Data – Data retained for 90 days and available if the customer comes back, then subsequently deleted
• Customer Deletion – Delete data at any time
• Defective Disks – Destroyed on-site
• Decommission – Azure follows DoD data wiping standards

Fundamentals are key!

• Mitigate risk of compromised accounts
  • Multi-Factor Authentication (Azure MFA / Windows Server ADFS)
• Limit excessive permissions – least privilege
  • Azure AD Role Based Access Control (RBAC)
  • Azure AD Privileged Identity Management (temporary/'JIT' access controls)
• Detect insider compromise or abuse of privileges
  • Azure auditing and logging
  • Azure AD anomaly detection and analysis

Accounts with weak authentication methods (passwords) can be compromised (e.g. spear-phishing)

• Secure your user accounts with Azure MFA
  • Can be used with Azure Active Directory or Windows Server Active Directory Federation Services (ADFS)
  • Provides a second factor (e.g. phone or device)
• Secure your user accounts with Smart Cards with Windows Server ADFS & AAD
  • Use your existing PKI (Smart Card, Virtual Smart Card) to secure accounts by using Azure AD accounts federated to your on-premises infrastructure

Permissions to sensitive data should follow the 'least privilege' principle – only grant the access necessary for the role.

• Azure RBAC (20 built-in roles, custom coming soon)
  • General: Readers, Contributors, Owners
  • Resource specific: e.g. VirtualMachine-Contributor, SQLDB Contributor …
  • Assign users, groups, and service principals
• Key Vault Access Control
  • Very fine grained access controls to key vaults for user and service principals
  • Create, verify, sign, wrap/unwrap, etc. (able to enforce segregation of duties)

Azure Role Based Access Control

• Assign roles to users and groups at subscription, resource group, or resource level
• Assignments inherit down the hierarchy
• Use built-in roles with pre-configured permissions (20 built-in roles): Reader, Contributor, Owner
• Create custom roles (coming soon)

Example: Subscription → Resource Group "EmployeeBenefitsApp" (Virtual Machines, SQL DB, Storage Accounts)
EmployeeBenefitsApp role assignments:
• Owners == HR IT Admins
• Contributors == HR IT DevOps Team
• Readers == HR Benefits Team

Superuser accounts have special risk and deserve special management.

• Enable "Just In Time" (JIT) privileged access
  • Microsoft uses this paradigm to protect Azure
  • No standing access
  • Temporary, specifically scoped elevations to resolve incidents & provide support
• Customers can now benefit from this learning – Azure AD Privileged Identity Management
  • Discover current admin permissions in one view
  • Set temporary authorization policies for Azure AD management roles
  • Global, billing, password, service, and user administrators can use PIM
  • Collect justification & work item reference for every elevation/activation
  • Coming soon – support for Azure RBAC

Resources

http://azure.microsoft.com/en-us/support/trust-center/
http://azure.microsoft.com/en-us/services/active-directory/
http://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure
http://azure.microsoft.com/en-us/services/multi-factor-authentication/
http://blogs.technet.com/b/ad/archive/2015/05/04/azure-cloud-app-discovery-ga-and-ournew-privileged-identity-management-service.aspx
http://www.microsoft.com/en-us/server-cloud/products/storsimple/
http://msdn.microsoft.com/en-us/library/bb934049.aspx
http://blogs.msdn.com/b/alwaysonpro/archive/2014/01/28/how-to-enable-tdeencryption-on-a-database-in-an-availability-group.aspx
http://azure.microsoft.com/en-us/services/sql-database/
http://technet.microsoft.com/en-us/library/jj647767.aspx
http://msdn.microsoft.com/en-us/library/System.Security.Cryptography(v=vs.110).aspx
http://blogs.msdn.com/b/windowsazurestorage/archive/2015/04/28/clientside-encryption-for-microsoft-azure-storage-preview.aspx
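The Azure Role Based Access Control slide states two rules that decide what a principal can do: assignments inherit down the subscription / resource group / resource hierarchy, and a built-in role is a set of permitted action patterns (Reader is "*/read", Contributor is "*" minus role-assignment writes and deletes, Owner is "*"). The following Go program is an added example, not code from the deck or from Azure, that evaluates those two rules over the slide's EmployeeBenefitsApp assignments. `Allowed`, `matchAction`, `scopeCovers`, the resource names, the user `alice@contoso.com` and the subscription id are all constructed; the Contributor NotActions list is abbreviated to the two patterns the example needs.

```go
package main

import (
	"fmt"
	"strings"
)

// RoleDefinition has the shape of an Azure RBAC role: permitted Actions minus
// NotActions. NotActions only narrow this role; they never override another assignment.
type RoleDefinition struct {
	Actions, NotActions []string
}

// BuiltInRoles are the three general roles from the slide (Contributor's NotActions abbreviated).
var BuiltInRoles = map[string]RoleDefinition{
	"Reader":      {Actions: []string{"*/read"}},
	"Contributor": {Actions: []string{"*"}, NotActions: []string{"Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"}},
	"Owner":       {Actions: []string{"*"}},
}

// Assignment binds a user, group or service principal to a role at a scope.
type Assignment struct{ Principal, Role, Scope string }

// Constructed scopes for the slide's example; the subscription id is a placeholder.
const (
	Sub     = "/subscriptions/00000000-0000-0000-0000-000000000000"
	RG      = Sub + "/resourceGroups/EmployeeBenefitsApp"
	VM      = RG + "/providers/Microsoft.Compute/virtualMachines/benefits-web-01"
	OtherVM = Sub + "/resourceGroups/Payroll/providers/Microsoft.Compute/virtualMachines/payroll-db-01"
)

// SlideAssignments are the role assignments the slide shows on the resource group.
var SlideAssignments = []Assignment{
	{"HR IT Admins", "Owner", RG},
	{"HR IT DevOps Team", "Contributor", RG},
	{"HR Benefits Team", "Reader", RG},
}

// matchAction applies the '*' wildcard of role definitions: case-insensitive,
// with '*' matching any run of characters, '/' included.
func matchAction(pattern, action string) bool {
	pattern, action = strings.ToLower(pattern), strings.ToLower(action)
	parts := strings.Split(pattern, "*")
	if len(parts) == 1 {
		return pattern == action
	}
	first, last := parts[0], parts[len(parts)-1]
	if len(action) < len(first)+len(last) || !strings.HasPrefix(action, first) || !strings.HasSuffix(action, last) {
		return false
	}
	rest := action[len(first) : len(action)-len(last)]
	for _, p := range parts[1 : len(parts)-1] {
		i := strings.Index(rest, p)
		if i < 0 {
			return false
		}
		rest = rest[i+len(p):]
	}
	return true
}

// scopeCovers is the inheritance rule: an assignment applies at its own scope
// and at every scope beneath it.
func scopeCovers(scope, target string) bool {
	scope, target = strings.ToLower(scope), strings.ToLower(target)
	return target == scope || strings.HasPrefix(target, scope+"/")
}

func roleAllows(role RoleDefinition, action string) bool {
	for _, na := range role.NotActions {
		if matchAction(na, action) {
			return false
		}
	}
	for _, a := range role.Actions {
		if matchAction(a, action) {
			return true
		}
	}
	return false
}

// Allowed reports whether any of the caller's identities (the user plus its
// group memberships) holds an assignment that covers target and permits action.
func Allowed(assignments []Assignment, identities []string, action, target string) bool {
	for _, a := range assignments {
		role, known := BuiltInRoles[a.Role]
		if !known || !scopeCovers(a.Scope, target) {
			continue
		}
		for _, id := range identities {
			if strings.EqualFold(id, a.Principal) && roleAllows(role, action) {
				return true
			}
		}
	}
	return false
}

func main() {
	devops := []string{"alice@contoso.com", "HR IT DevOps Team"} // constructed user plus group membership
	fmt.Println("start VM:", Allowed(SlideAssignments, devops, "Microsoft.Compute/virtualMachines/start/action", VM))
	fmt.Println("grant a role:", Allowed(SlideAssignments, devops, "Microsoft.Authorization/roleAssignments/write", VM))
	fmt.Println("read VM in another group:", Allowed(SlideAssignments, devops, "Microsoft.Compute/virtualMachines/read", OtherVM))
}
```

The evaluation makes the slide's point concrete: the DevOps team can operate the group's VMs but cannot grant roles (the Contributor NotActions), the Benefits team can only read, nothing in the group reaches resources in another resource group, and a Reader assignment placed at the subscription reaches every VM beneath it.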