How Secure is Your Azure Cloud Environment?
Top 5 Pitfalls to Avoid When Implementing Azure

Blaine Biekert
Lead, Cloud Security Services
Revolutionary Security
© 2020 Revolutionary Security, LLC All Rights Reserved.
Agenda

1 Cloud Brief
  • Current global landscape
  • How the cloud is different

2 Top 5 Pitfalls to avoid
  • What are they
  • How to mitigate

3 Roadmap to Secure Azure
  • How to recognize your weaknesses
  • Steps forward for success

“Let’s talk about outpacing cyber threats.”
Blaine Biekert
Azure Security
Cloud Brief
Current Landscape
Immediate impact of the global pandemic
  • Business disruption
  • Massive cloud consumption increase
  • Cyber impact – same attacks, increased success

“Cloud computing is again in the spotlight as one of the key factors in surviving the pandemic.”
Blaine Biekert
Cloud is different.
  • Different perimeter
  • Often code deployments
  • Lift-and-shift is not the answer

“Cloud is just like everything else; nothing like anything else.”
Blaine Biekert
Azure Security
Top 5 Pitfalls

“Misconfiguration is the single biggest challenge you will face in the cloud. Period.”
Blaine Biekert
PITFALL #1: RESPONSIBILITY
Who’s on first?

“If you are not securing your access and data, you may as well leave everyone’s purses and wallets on the sidewalk.”
Blaine Biekert

Source: https://www.wsj.com/articles/human-error-often-the-culprit-in-cloud-data-breaches-11566898203
PITFALL #1: RESPONSIBILITY
You are responsible.
  • Create a RACI
  • Include SLAs
  • Be specific

Fix the Misconfiguration
  • Shared responsibility model

Shared responsibility model (Microsoft vs. Customer):
  • Responsibility always retained by customer
  • Responsibility varies by service type
  • Responsibility transfers to cloud provider
PITFALL #2: GOVERNANCE
Fast and loose.
Immature governance has consequences
  • Unprotected sprawl
  • Limited visibility
  • Missing security controls
  • Unknown gaps

“Without proper governance, cloud systems are a virtual playground with limited visibility.”
Blaine Biekert
PITFALL #2: GOVERNANCE
Don’t be cheap.
Add cloud to your governance model

Fix the Misconfiguration
  • Invest in the integrated security bundle
  • Add technical enforcement for compliance
  • Use Azure policies
  • Leverage ARM templates
  • Enforce and manage with Azure Blueprints
  • Log and monitor everything
  • Automate and self-heal
PITFALL #3: CHANGE MANAGEMENT
Time waits for no man.

“The cloud will remind you how fast change management should be.”
Blaine Biekert
PITFALL #3: CHANGE MANAGEMENT
Keep up.
Move to a secure SDLC and leverage infrastructure as code

Fix the Misconfiguration
  • Leverage ARM templates – Infrastructure as Code
  • Keep change management in source control
  • Leverage a Secure SDLC process
  • Deploy pipelines with integrated approvals
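Added example, not code from the presentation or from Microsoft, tying Pitfall #2 (technical enforcement with Azure policies) to Pitfall #3 (ARM templates in source control, deployed through pipelines with approvals): a pre-deployment gate that evaluates rules written in the real Azure Policy policyRule shape, using real field aliases, against the template before anything reaches the subscription. The ARM template, its resource names, the `_rule` helper and the reduced evaluator are assumptions made for illustration; Azure Policy itself evaluates far more of the language than this subset.

```python
"""Pre-deployment policy gate for an ARM template kept in source control.
Added example, not the presentation's or Microsoft's code: rules use the real
Azure Policy 'policyRule' shape and real aliases; the template is constructed
and the evaluator covers only a subset of the policy language."""

# Constructed ARM template: a storage account that still allows anonymous
# blob access and has no network restriction, and a web app accepting HTTP.
TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "resources": [
        {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2021-04-01",
         "name": "examplestorage01",
         "properties": {"supportsHttpsTrafficOnly": True,
                        "allowBlobPublicAccess": True,
                        "networkAcls": {"defaultAction": "Allow"}}},
        {"type": "Microsoft.Web/sites", "apiVersion": "2021-02-01",
         "name": "example-api", "properties": {"httpsOnly": False}},
    ],
}

def _rule(rtype, alias, op, value, effect):
    """One custom policyRule: resource type match AND one property test."""
    return {"if": {"allOf": [{"field": "type", "equals": rtype},
                             {"field": f"{rtype}/{alias}", op: value}]},
            "then": {"effect": effect}}

STG, WEB = "Microsoft.Storage/storageAccounts", "Microsoft.Web/sites"
POLICIES = [
    {"name": "deny-storage-public-blob-access",
     "policyRule": _rule(STG, "allowBlobPublicAccess", "notEquals", False, "deny")},
    {"name": "deny-storage-http-traffic",
     "policyRule": _rule(STG, "supportsHttpsTrafficOnly", "notEquals", True, "deny")},
    {"name": "audit-storage-network-open",   # audit only: reported, not blocking
     "policyRule": _rule(STG, "networkAcls.defaultAction", "notEquals", "Deny", "audit")},
    {"name": "deny-webapp-http",
     "policyRule": _rule(WEB, "httpsOnly", "notEquals", True, "deny")},
]

def _eq(a, b):
    """Azure Policy compares strings case-insensitively."""
    if isinstance(a, str) and isinstance(b, str):
        return a.lower() == b.lower()
    return a == b

def _lookup(resource, field):
    """'type'/'name' are top-level; an alias like 'Microsoft.Web/sites/httpsOnly'
    is the dotted path under 'properties' after its type prefix; missing -> None."""
    if field in ("type", "name"):
        return resource.get(field)
    prefix = resource.get("type", "") + "/"
    if not field.lower().startswith(prefix.lower()):
        return None  # alias belongs to a different resource type
    node = resource.get("properties", {})
    for part in field[len(prefix):].split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node

def _matches(resource, cond):
    if "allOf" in cond:
        return all(_matches(resource, c) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_matches(resource, c) for c in cond["anyOf"])
    if "not" in cond:
        return not _matches(resource, cond["not"])
    value = _lookup(resource, cond["field"])
    if "equals" in cond:
        return _eq(value, cond["equals"])
    if "notEquals" in cond:  # an absent property is "not equal": omissions are caught too
        return not _eq(value, cond["notEquals"])
    if "in" in cond:
        return any(_eq(value, v) for v in cond["in"])
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(template, policies):
    """Return (resource name, policy name, effect) for every rule that fires."""
    findings = []
    for res in template["resources"]:
        for pol in policies:
            rule = pol["policyRule"]
            if _matches(res, rule["if"]):
                findings.append((res["name"], pol["name"], rule["then"]["effect"].lower()))
    return findings

def gate(template, policies):
    """Pipeline gate: approve the deployment only when no 'deny' rule fires."""
    return not any(eff == "deny" for _, _, eff in evaluate(template, policies))

if __name__ == "__main__":
    for name, policy, effect in evaluate(TEMPLATE, POLICIES):
        print(f"{effect.upper():5} {name}: {policy}")
    print("deploy allowed:", gate(TEMPLATE, POLICIES))
```

Run against the constructed template, the gate refuses the deployment for the public blob access and the HTTP-only web app and reports the open network ACL as an audit finding; with those three properties corrected the same template passes.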
PITFALL #4: WEB APPS & APIS
No {REST} for the weary.
Even secure APIs could be one misconfiguration away from becoming public-facing.
Closed Window… Meet Opened Door

“Of all the targets for cloud threat actors, misconfigurations from APIs will top the list.”
Blaine Biekert
PITFALL #4: WEB APPS & APIS
Shift gears.
Practice safe coding techniques, especially for web applications and APIs

Fix the Misconfiguration
  • Use a secure SDLC with code review
  • Leverage firewalls, load balancers, and web application firewalls
  • Use API management
  • Strictly control who can add application permissions to web applications

SHIFT LEFT: Requirement Analysis → Design → Development → Test → Production & Maintenance
PITFALL #5: IAM & DATA PROTECTION
Your VPN is showing.
  • VPNs are outdated
  • MFA is underutilized
  • Data is not being encrypted properly

“Identity is your new perimeter. Protect it.”
Blaine Biekert
PITFALL #5: IAM & DATA PROTECTION
Get MFA.
Protect the new perimeter

Fix the Misconfiguration
  • Enable MFA immediately
  • Turn on and use Privileged Identity Management
  • Leverage Azure Information Protection
  • Auto encrypt sensitive (or all) files
IN SUMMARY
Avoid the pitfalls.
  1 Ambiguous responsibility
  2 Immature governance
  3 Slow change management
  4 Insecure web applications and APIs
  5 Resistance to IAM & data protection
Path Forward
Roadmap to Secure Azure
1 Identify weaknesses
  • Evaluate talent
  • Perform technology gap assessment
  • Perform a POC

2 Chart a path forward
  • 30 days: Rapid Configuration
  • 90 days: Advanced Protections
  • Beyond (+): Build & Mature

“Everything must be made as simple as possible, but not one bit simpler.”
Albert Einstein
PATH FORWARD: 30 DAYS
Powerful Quick Wins
Accomplish quickly with low impact to users
Areas: Security management, Threat protection, Identity and access management, Information protection

Rapid Configuration:
  • Basic admin protections
  • Logging and analytics
  • Basic identity protections
  • Tenant configuration
  • Prepare stakeholders
PATH FORWARD: 90 DAYS
Enhanced Capabilities
Longer planning and implementation, but these greatly increase your security posture.
Areas: Security management, Threat protection, Identity and access management, Information protection

Advanced Protections:
  • Admin accounts
  • Data and user accounts
  • Visibility into compliance, threat, and user needs
  • Adapt and implement default policies and protections
PATH FORWARD: BEYOND
Next Level
Important security measures that build on previous work.
Areas: Security management, Threat protection, Identity and access management, Information protection

Build & Mature:
  • Adjust and refine key policies and controls
  • Extend protections to on-premises dependencies
  • Integrate with business and security processes (legal, insider threat, etc.)
PRO TIP SUMMARY
Chart your path.

30 days: Rapid Configuration
  • Start with a budget
  • Determine number of clouds
  • Utilize all the free stuff you can

90 days: Advanced Protections
  • Exhaust integrated options first
  • Verify the impact of enabling additional services

Beyond (+): Build & Mature
  • Align with overall governance strategy
  • Ensure continual assessment by a skilled individual
Outpace cyber threats with us.

Contact
Blaine Biekert
Lead, Cloud Security Services
Revolutionary Security
[email protected]
REVSEC.COM