Your vision. Your cloud.
azure-security-overview-slideshare-180419183626.pdf
• Trustworthy Computing Initiative
• Security Development Lifecycle
• Global Data Center Services
• Malware Protection Center
• Microsoft Security Response Center
• Windows Update
• 1st Microsoft Data Center
• Active Directory
• SOC 1
• CSA Cloud Controls Matrix
• PCI DSS Level 1
• FedRAMP/FISMA
• UK G-Cloud Level 2
• ISO/IEC 27001:2005
• HIPAA/HITECH
• Digital Crimes Unit
• SOC 2
• E.U. Data Protection Directive
https://www.microsoft.com/en-us/TrustCenter
https://cloudsecurityalliance.org/star-registrant/microsoft/
https://cloudsecurityalliance.org/
• Best practices and guidance
• Third-party verification
• Cloud Security Alliance
• Security intelligence report
• Compliance packages
• Trust Center
• Access to audit reports
• Security Response Center progress report
Restricted Use
• Azure does not share data with its advertiser-supported services
• Azure does not mine Customer Data for advertising
• Read the fine print of other cloud service providers' privacy statements
Contractual Commitments
EU Data Privacy Approval
• Microsoft makes strong contractual commitments to safeguard customer data covered by HIPAA BAA, Data Processing Agreement, & E.U. Model Clauses
• Enterprise cloud-service specific privacy protections benefit every industry & region
• Microsoft meets a high bar for protecting privacy of EU customer data
• Microsoft offers customers EU Model Clauses for transfer of personal data across international borders
• Microsoft’s approach was approved by the Article 29 committee of EU data protection authorities – the first company to obtain this
Broad contractual scope
https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/readiness?&wt.srch=1&wt.mc_id=AID641639_SEM_CBaJdkAr&msclkid=ed77bbb912621bf358a6e13cbccd9458
Simplified Compliance
• ISO 27001
• SOC 1 Type 2
• SOC 2 Type 2
• FedRAMP/FISMA
• PCI DSS Level 1
• UK G-Cloud
Information security standards, effective controls, government & industry certifications
Security Compliance Strategy
Security Compliance Framework: security analytics, risk management best practices, security benchmark analysis, test and audit
• Security goals set in context of business and industry requirements
• Security analytics & best practices deployed to detect and respond to threats
• Benchmarked to a high bar of certifications and accreditations to ensure compliance
• Continual monitoring, test and audit
• Ongoing update of certifications for new services
Certifications and Programs
Program: Description
ISO/IEC 27001: The ISO/IEC 27001:2005 certificate validates that Azure has implemented the internationally recognized information security controls defined in this standard.
SOC 1 (SSAE 16/ISAE 3402): Azure has also been audited against the Service Organization Control (SOC) reporting framework for SOC 1 Type 2 (formerly SAS 70), attesting to the design and operating effectiveness of its controls.
SOC 2: Azure has been audited for SOC 2 Type 2, which includes a further examination of Azure controls related to security, availability, and confidentiality.
FedRAMP/FISMA: Azure has received Provisional Authorization to Operate from the Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board (JAB), having undergone the assessments necessary to verify that it meets FedRAMP security standards.
PCI DSS Level 1: Azure has been validated for PCI-DSS Level 1 compliance by an independent Qualified Security Assessor (QSA).
UK G-Cloud IL2: In the United Kingdom, Azure has been awarded Impact Level 2 (IL2) accreditation, further enhancing Microsoft and its partner offerings on the current G-Cloud procurement framework and CloudStore.
HIPAA BAA: To help customers comply with HIPAA and HITECH Act security and privacy provisions, Microsoft offers a HIPAA Business Associate Agreement (BAA) to healthcare entities with access to Protected Health Information (PHI).
Online Services Terms
Traditional, IaaS, PaaS, SaaS: who manages each layer
Layers: Storage, Servers, Physical Network, Virtualization, Operating System, Middleware, Runtime, Data, Applications
• Traditional: you manage every layer
• IaaS (Windows Azure Virtual Machines, Windows Server Hyper-V): managed by Microsoft up to and including Virtualization; you manage Operating System, Middleware, Runtime, Data and Applications
• PaaS (Windows Server, Windows Azure PaaS Services): managed by Microsoft up to and including Runtime; you manage Data and Applications
• SaaS (Office 365, Dynamics CRM): every layer managed by Microsoft
https://www.microsoft.com/en-us/trustcenter/security#How-Microsoft-protects-your-data
Network Protection
• Private, isolated network
• Extend existing topology
• Private, physical connection
Data Protection
• Data Redundancy Options
• Encryption - In-Transit and At-Rest
• Key Vault
Identity & Access
• Manage user identities
• Multi-factor authentication
• Role-based access control
https://azure.microsoft.com/en-us/updates/
https://azure.microsoft.com/en-us/status/
Design and Operations
• Software Development Lifecycle (SDL): security embedded in planning, design, development, & deployment
• Operational security controls: rigorous controls to prevent, detect, contain, & respond to threats
• Assume breach: hardening cloud services through simulated real-world attacks
• Incident response: global, 24x7 incident response to mitigate effects of attacks
https://www.microsoft.com/en-us/trustcenter/security//designopsecurity
Service security starts with physical data center
Perimeter, building, computer room:
• Cameras
• 24x7 security staff
• Barriers
• Fencing
• Alarms
• Two-factor access control: biometric readers & card readers
• Security operations center
• Days of backup power
• Seismic bracing
https://www.microsoft.com/en-us/cloud-platform/global-datacenters
Architected for Secure Multi-tenancy
AZURE:
• Centrally manages the platform and isolates customer environments using the Fabric Controller
• Runs a configuration-hardened version of Windows Server as the Host OS
• Uses Hyper-V on Windows Server 2012 R2, a battle-tested and enterprise-proven hypervisor
• Runs Windows Server on Guest VMs for platform services
CUSTOMER:
• Manages their environment through service management interfaces and subscriptions
• Chooses from the gallery or brings their own OS for their Virtual Machines
Diagram labels: End Users, Customer Admin, Portal, Smart API, Fabric Controller, Host OS, Hypervisor, Guest VMs (Customer 1, Customer 2), Azure Storage, SQL Database, Microsoft Azure
ExpressRoute Connections
AZURE:
• Offers private WAN connections via ExpressRoute
• Enables access to Compute, Storage, and other Azure services
CUSTOMERS:
• Can establish connections to Azure at an ExpressRoute location (Exchange Provider facility)
• Can connect directly to Azure from their existing WAN (such as an MPLS VPN) provided by a network service provider
• Manage certificates, policies, and user access
Diagram labels: Customer 1, Isolated Virtual Network, Deployment X, Microsoft Azure, Site 1, Site 2, ExpressRoute Peer, WAN
https://azure.microsoft.com/en-us/services/expressroute/
VPN Connections
AZURE:
• Enables connection from customer sites and remote workers to Azure Virtual Networks using Site-to-Site and Point-to-Site VPNs
CUSTOMERS:
• Configure the P2S VPN client in Windows
• Manage certificates, policies, and user access
Diagram labels: Customer 1, Isolated Virtual Network, Deployment X, Microsoft Azure, VPN, Remote Workers, Customer Site, Computers Behind Firewall
https://azure.microsoft.com/en-us/services/vpn-gateway/
Firewall Protection
AZURE:
• Controls access from the Internet, permits traffic only to endpoints, and provides load balancing and NAT at the Cloud Access Layer
• Isolates traffic and provides intrusion defense through a distributed firewall
• Defines access controls between tiers and provides additional protection via the OS firewall
CUSTOMER:
• Applies corporate firewall using site-to-site VPN
Diagram labels: Client, port 443, INTERNET, Corp Firewall, VPN, Microsoft Azure, Cloud Access Layer, Customer 1 Virtual Network with Application Tier, Logic Tier and Database Tier
https://www.microsoft.com/en-us/trustcenter/security/networksecurity
• Enables network segmentation & DMZ scenarios
• Access Control Lists & network traffic rules grouped as a security group
• Security groups associated with Virtual Machines, Network Interfaces, or virtual machine subnets (not the GW subnet)
• Rules define a 5-tuple (source address, source port, destination address, destination port, protocol)
• Rules are separated into Inbound and Outbound rules
• Rules applied in order of priority
• Network traffic rules updated independent of Virtual Machines
• Controlled access to and from the Internet
Diagram labels: Virtual Network with Frontend 10.1/16, Mid-tier 10.2/16 and Backend 10.3/16; VPN GW; Internet; On Premises 10.0/16 over S2S VPNs
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-nsg
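To make the rule semantics above concrete (5-tuple matching, separate inbound and outbound rule sets, first match in priority order, lowest number first), here is an added example in Python that is not part of the deck and not Azure's implementation. It uses the slide's address plan (frontend 10.1/16, mid-tier 10.2/16, backend 10.3/16, on-premises 10.0/16 over the S2S gateway) together with the built-in inbound default rules Azure attaches to every NSG; the three customer rules, the SQL port for the mid-tier, and the treatment of the on-premises range as part of the VirtualNetwork tag are assumptions made for the example.

```python
"""Added example (not from the deck): a small model of how an Azure Network
Security Group evaluates rules, using the address plan drawn on the slide."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Address plan from the slide: frontend 10.1/16, mid-tier 10.2/16, backend 10.3/16,
# on-premises 10.0/16 reached over the S2S VPN gateway.
VNET = [ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16"), ip_network("10.3.0.0/16")]
ON_PREM = [ip_network("10.0.0.0/16")]
# Service tags. Assumption: the VirtualNetwork tag also covers the S2S-connected
# on-premises range; AzureLoadBalancer is the platform's health-probe address.
TAGS = {
    "VirtualNetwork": VNET + ON_PREM,
    "AzureLoadBalancer": [ip_network("168.63.129.16/32")],
}

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first; first match wins
    direction: str     # "Inbound" or "Outbound"
    action: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    src: str           # CIDR, service tag, or "*"
    src_port: str      # "443", "1000-2000" or "*"
    dst: str
    dst_port: str

@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def _addr_match(spec, ip):
    addr = ip_address(ip)
    if spec == "*":
        return True
    if spec == "Internet":  # anything outside the ranges we know as private
        return not any(addr in net for net in VNET + ON_PREM)
    if spec in TAGS:
        return any(addr in net for net in TAGS[spec])
    return addr in ip_network(spec, strict=False)

def _port_match(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def evaluate(rules, flow):
    """Walk the rules in priority order and return (action, rule name) of the
    first one matching every element of the 5-tuple. Nothing matching is denied."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != flow.direction:
            continue
        if rule.protocol != "*" and rule.protocol != flow.protocol:
            continue
        if not (_addr_match(rule.src, flow.src_ip) and _addr_match(rule.dst, flow.dst_ip)):
            continue
        if not (_port_match(rule.src_port, flow.src_port) and _port_match(rule.dst_port, flow.dst_port)):
            continue
        return rule.action, rule.name
    return "Deny", "implicit"

# Azure's built-in inbound defaults (priorities 65000-65500) plus three constructed
# customer rules for the three-tier network; the SQL port and rule names are
# assumptions for the example.
RULES = [
    Rule("AllowHttpsFromInternet", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "10.1.0.0/16", "443"),
    Rule("AllowMidTierToBackendSql", 110, "Inbound", "Allow", "Tcp", "10.2.0.0/16", "*", "10.3.0.0/16", "1433"),
    Rule("DenyFrontendToBackend", 200, "Inbound", "Deny", "*", "10.1.0.0/16", "*", "10.3.0.0/16", "*"),
    Rule("AllowVNetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
]

if __name__ == "__main__":
    # Constructed flows: a public HTTPS client, an SSH attempt from the Internet,
    # and east-west traffic between the tiers and from on-premises.
    for flow in [
        Flow("Inbound", "Tcp", "203.0.113.5", 51000, "10.1.0.4", 443),
        Flow("Inbound", "Tcp", "203.0.113.5", 51001, "10.1.0.4", 22),
        Flow("Inbound", "Tcp", "10.1.0.4", 40000, "10.3.0.4", 1433),
        Flow("Inbound", "Tcp", "10.2.0.4", 40001, "10.3.0.4", 1433),
        Flow("Inbound", "Tcp", "10.0.0.9", 40002, "10.3.0.4", 1433),
    ]:
        print(flow.src_ip, "->", f"{flow.dst_ip}:{flow.dst_port}", evaluate(RULES, flow))
```

The point worth noticing is the ordering: the customer's DenyFrontendToBackend rule at priority 200 is consulted before the default AllowVNetInBound at 65000, so it is the customer rule, not the permissive default, that decides frontend-to-backend traffic; conversely, anything from the Internet that no customer rule admits falls through to DenyAllInBound. When auditing an NSG, read the rules in priority order exactly as this loop does, because a low-numbered Allow silently shadows every higher-numbered Deny.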
Encryption in Transit
AZURE:
• Encrypts most communication between Azure datacenters
• Encrypts transactions through the Azure Portal using HTTPS
• Supports FIPS 140-2 ciphers
CUSTOMER:
• Can choose HTTPS for the REST API (recommended) for Storage
• Configures HTTPS endpoints for applications running in Azure
• Encrypts traffic between Web client and server by implementing TLS on IIS
Diagram labels: Azure Portal, Azure Data Center, Azure Data Center
https://www.microsoft.com/en-us/trustcenter/security/encryption
Patch Management
AZURE:
• Applies regularly scheduled updates to the platform
• Releases critical patches immediately
• Rigorously reviews & tests all changes
CUSTOMER:
• Applies similar patch management strategies for their Virtual Machines
Process stages: Monthly MSRC Patch Review, Patching Rollout, Scanning, Audit Validation
• Monitor 100,000+ vulnerability reports
• Sourced from customers & worldwide network of security researchers
• Prioritize critical updates
• Monthly OS releases with patches
• Reconciliation report
• Resolution summary
• Scanning & reporting of all Azure VMs
• Track & remediate any findings
Antivirus/Antimalware
AZURE:
• Performs monitoring & alerting of antimalware events for the platform
• Enables real-time protection, on-demand scanning, and monitoring via Microsoft Antimalware for Cloud Services and Virtual Machines
CUSTOMER:
• Configures Microsoft Antimalware or an AV/AM solution from a partner
• Extracts events to SIEM
• Monitors alerts & reports
• Responds to incidents
Diagram labels: Customer Admin, Portal, Smart API, Guest VM (Cloud Services, Customer VMs), Azure Storage, Enable & configure antimalware, Events, Extract Antimalware Health Events to SIEM or other Reporting System, SIEM Admin View, Alerting & reporting, Microsoft Azure
Event ID  Computer  Event Description               Severity  DateTime
1150      Machine1  Client in Healthy State         4         04/29/2014
2002      Machine2  Signature Updated Successfully  4         04/29/2014
5007      Machine3  Configuration Applied           4         04/29/2014
1116      Machine2  Malware Detected                1         04/29/2014
1117      Machine2  Malware Removed                 1         04/29/2014
Identity and Access Management with Azure AD
AZURE:
• Provides enterprise cloud identity and access management
• Enables single sign-on across cloud applications
• Offers Multi-Factor Authentication for enhanced security
CUSTOMER:
• Centrally manages users and access to Azure, O365, and hundreds of pre-integrated cloud applications
• Builds Azure AD into their web and mobile applications
• Can extend on-premises directories to Azure AD through synchronization
Diagram labels: End Users, Active Directory, Azure Active Directory, Cloud Apps
https://www.microsoft.com/en-us/trustcenter/security/identity
https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-configure
Azure RBAC Enforcement Model
https://docs.microsoft.com/en-us/azure/azure-policy/azure-policy-introduction
Microsoft Employee Access Management
Just in Time & Role-Based Access: a pre-screened admin requests access; leadership grants temporary privilege
• No standing access to the platform and no access to customer Virtual Machines
• Grants least privilege required to complete task
• Multi-factor authentication required for all administration
• Access requests are audited and logged
Diagram labels: Microsoft Corporate Network, Microsoft Azure
BLOBS, TABLES, QUEUES, DRIVES
Blobs: object storage; access via REST; streaming & random object access scenarios
Files: file storage; access via SMB, REST; lift-and-shift scenarios
Disks: IaaS VM VHD/disks; access via REST; persistent disks for VMs; premium option
Tables: NoSQL storage; access via REST; key-value store
Queues: reliable messaging; access via REST; scheduling async tasks
Hardware, Datacenter, Region
https://docs.microsoft.com/en-us/azure/architecture/resiliency/high-availability-azure-applications
Encryption at Rest
Virtual Machines:
• Boot and Data drives: Azure Disk Encryption
• SQL Server: Transparent Data Encryption
• Files & folders: EFS in Windows Server
Storage:
• Blob Storage encryption
• BitLocker encryption of drives for import/export of data
• StorSimple with AES-256 encryption
Applications:
• Client-side encryption through .NET Crypto API
• RMS SDK for file encryption by your applications
https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption
Azure Key Vault
Diagram labels: Resource Providers, Data Encryption Keys (DEK), Key Encryption Keys (KEK), Customer Owned, Service Owned, Azure Active Directory
https://azure.microsoft.com/en-us/services/key-vault/
Data Deletion
Data Destruction / Disk Handling:
• Wiping is NIST 800-88 compliant
• Defective disks are destroyed at the datacenter
• Immediately removed from primary location
• Geo-replicated copy of the data removed asynchronously
• Customers can only read from disk space they have written to
https://blogs.msdn.microsoft.com/walterm/2014/09/04/microsoft-azure-data-security-data-cleansing-and-leakage/
Monitoring and Logging
AZURE:
• Performs monitoring & alerting of security events for the platform
• Enables security data collection via Monitoring Agent or Windows Event Forwarding
CUSTOMER:
• Configures monitoring
• Exports events to SQL Database, HDInsight or a SIEM for analysis
• Monitors alerts & reports
• Responds to incidents
Diagram labels: Customer Admin, Portal, Smart API, Guest VM (Cloud Services, Customer VMs), Azure Storage, Enable Monitoring Agent, Events, Extract event information to SIEM or other Reporting System, SIEM Admin View, Alerting & reporting, HDInsight, Microsoft Azure
Event ID  Computer  Event Description               Severity  DateTime
1150      Machine1  Example security event          4         04/29/2014
2002      Machine2  Signature Updated Successfully  4         04/29/2014
5007      Machine3  Configuration Applied           4         04/29/2014
1116      Machine2  Example security event          1         04/29/2014
1117      Machine2  Access attempted                1         04/29/2014
https://www.microsoft.com/en-us/trustcenter/security/auditingandlogging
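The antimalware slide and the monitoring slide both show the same shape of data leaving the VM: rows of Event ID, Computer, Event Description, Severity and DateTime that the customer extracts to a SIEM and then has to turn into alerts. As an added example that is not part of the deck and not Microsoft Antimalware's or any SIEM's own code, the following Python normalises rows in that layout into JSON records, picks out the rows at alerting severity, and flags machines that reported a "Malware Detected" event (ID 1116 on the slide) with no matching "Malware Removed" (ID 1117). The sample rows are constructed in the slide's layout, and the mapping of the numeric severity column to names is an assumption (the slide shows only 1 and 4).

```python
"""Added example (not from the deck): normalise the antimalware / security event
rows shown on the slides into SIEM-ready records and flag what needs attention."""
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the slide's column layout, tab separated:
# Event ID, Computer, Event Description, Severity, DateTime.
SAMPLE_EVENTS = """\
1150\tMachine1\tClient in Healthy State\t4\t04/29/2014
2002\tMachine2\tSignature Updated Successfully\t4\t04/29/2014
5007\tMachine3\tConfiguration Applied\t4\t04/29/2014
1116\tMachine2\tMalware Detected\t1\t04/29/2014
1117\tMachine2\tMalware Removed\t1\t04/29/2014
1116\tMachine3\tMalware Detected\t1\t04/29/2014
"""

# Assumed mapping of the numeric severity column; the slide only shows 1 and 4.
SEVERITY_NAMES = {1: "critical", 2: "error", 3: "warning", 4: "informational"}
DETECTED, REMOVED = 1116, 1117   # event IDs as they appear on the slide

def parse_events(text):
    """Parse tab-separated rows into dicts; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 5:
            continue
        event_id, computer, description, severity, date = parts
        events.append({
            "event_id": int(event_id),
            "computer": computer,
            "description": description,
            "severity": int(severity),
            "date": datetime.strptime(date, "%m/%d/%Y").date().isoformat(),
        })
    return events

def to_siem_records(events, source="MicrosoftAntimalware"):
    """One JSON line per event, with a human-readable severity for the SIEM."""
    return [
        json.dumps({**e, "severity_name": SEVERITY_NAMES.get(e["severity"], "unknown"),
                    "source": source}, sort_keys=True)
        for e in events
    ]

def alerts(events, max_severity=1):
    """Events at or above the alerting threshold (1 is the most severe)."""
    return [e for e in events if e["severity"] <= max_severity]

def unresolved_detections(events):
    """Computers with more 'Malware Detected' than 'Malware Removed' events."""
    balance = defaultdict(int)
    for e in events:
        if e["event_id"] == DETECTED:
            balance[e["computer"]] += 1
        elif e["event_id"] == REMOVED:
            balance[e["computer"]] -= 1
    return {computer: n for computer, n in balance.items() if n > 0}

def summary(events):
    """Event count per computer, useful as a quick health roll-up."""
    return Counter(e["computer"] for e in events)

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for record in to_siem_records(evs):
        print(record)
    print("alerts:", [(e["computer"], e["description"]) for e in alerts(evs)])
    print("unresolved detections:", unresolved_detections(evs))
    print("per machine:", dict(summary(evs)))
```

The unresolved-detection check is the part a SIEM rule should carry: a detection followed by a removal on the same machine is a closed event, while a detection with no removal is the one to page on. Severity alone does not distinguish the two, since both rows carry severity 1 on the slide.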
Threat Detection
AZURE:
• Provides big data analysis of logs for intrusion detection & prevention for the platform
• Employs denial of service attack prevention measures for the platform
• Regularly performs penetration testing
CUSTOMER:
• Can add extra layers of protection by deploying additional controls, including web application firewalls
• Conducts penetration testing of their applications
Diagram labels: End Users, INTERNET, VPN, Corp 1, Cloud Access & Firewall Layer, THREAT DETECTION: DOS/IDS Layer, Customer Environment Virtual Network with Application Tier, Logic Tier and Database Tier, Microsoft Azure
https://www.microsoft.com/en-us/trustcenter/security/threatmanagement
Built into Azure, no setup required
• Automatically discover and monitor security of Azure resources
Gain insights for hybrid resources
• Easily onboard resources running in other clouds and on-premises
https://azure.microsoft.com/en-us/services/security-center/
https://www.microsoft.com/en-us/trustcenter/security#How-Microsoft-protects-your-data

More Related Content

PDF
Microsoft Security Overview
PDF
Microsoft 365 eEnterprise E5 Overview
PPTX
Microsoft Azure Technical Overview
PDF
Azure Security Overview
PDF
Microsoft Azure Security Overview
PDF
Azure 101
PPTX
Azure Stack Fundamentals
PPTX
AZ-900T01 Microsoft Azure Fundamentals-01.pptx
Microsoft Security Overview
Microsoft 365 eEnterprise E5 Overview
Microsoft Azure Technical Overview
Azure Security Overview
Microsoft Azure Security Overview
Azure 101
Azure Stack Fundamentals
AZ-900T01 Microsoft Azure Fundamentals-01.pptx

What's hot (20)

PPTX
Microsoft Cloud Adoption Framework for Azure: Governance Conversation
PPTX
Azure Security Center- Zero to Hero
PDF
Cloud Computing: Overview and Examples
PDF
AZ-900 Azure Fundamentals.pdf
PPTX
Azure sentinel
PPTX
Azure security and Compliance
PDF
Secure Messages with IBM WebSphere MQ Advanced Message Security
PDF
Azure fundamentals
PPTX
Azure Active Directory - An Introduction
PPTX
Cloud Security
PPTX
Azure fundamentals
PDF
Microsoft 365 Enterprise Security with E5 Overview
PPTX
Azure Migrate
PPTX
Azure Security Overview
PDF
Microsoft Azure - Introduction to microsoft's public cloud
PPT
Role based access control - RBAC
PPTX
Azure Identity and access management
PPTX
Fundamentals of Microsoft 365 Security , Identity and Compliance
PPTX
Microsoft 365 and Microsoft Cloud App Security
PPTX
Microsoft Defender for Endpoint
Microsoft Cloud Adoption Framework for Azure: Governance Conversation
Azure Security Center- Zero to Hero
Cloud Computing: Overview and Examples
AZ-900 Azure Fundamentals.pdf
Azure sentinel
Azure security and Compliance
Secure Messages with IBM WebSphere MQ Advanced Message Security
Azure fundamentals
Azure Active Directory - An Introduction
Cloud Security
Azure fundamentals
Microsoft 365 Enterprise Security with E5 Overview
Azure Migrate
Azure Security Overview
Microsoft Azure - Introduction to microsoft's public cloud
Role based access control - RBAC
Azure Identity and access management
Fundamentals of Microsoft 365 Security , Identity and Compliance
Microsoft 365 and Microsoft Cloud App Security
Microsoft Defender for Endpoint
Ad

Similar to azure-security-overview-slideshare-180419183626.pdf (20)

PDF
Cortana Analytics Workshop: Cortana Analytics -- Security, Privacy & Compliance
PDF
366864108 azure-security
PPTX
Enter The Matrix Securing Azure’s Assets
PDF
CSS17: Houston - Azure Shared Security Model Overview
PPTX
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud
PPTX
Running Regulated Workloads on Azure PaaS services (DogFoodCon 2018)
PDF
Tour to Azure Security Center
PPTX
Azure security
PPTX
CCI2018 - Azure Security Center - Stato dell’arte e roadmap
PPTX
Azure Security Compass v1.1 - Presentation.pptx
PDF
Microsoft Azure Security Infographic
PDF
Microsoft Azure Cloud Services
PDF
Building a Secure and Compliant Azure Virtual Data Center
PDF
Azure 13 effective security controls for iso 27001 compliance
PDF
Microsoft Windows Azure - Security Best Practices for Developing Windows Azur...
PPTX
Design a Secure Azure IaaS - Lesson Learnt from Government Cloud
PPTX
Implementing Zero Trust strategy with Azure
PDF
AZ-900 Summary with all information that
PPTX
Fortaleça seu Nível de Segurança com Microsoft Azure
PDF
Azure security infographic 2014 sec
Cortana Analytics Workshop: Cortana Analytics -- Security, Privacy & Compliance
366864108 azure-security
Enter The Matrix Securing Azure’s Assets
CSS17: Houston - Azure Shared Security Model Overview
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud
Running Regulated Workloads on Azure PaaS services (DogFoodCon 2018)
Tour to Azure Security Center
Azure security
CCI2018 - Azure Security Center - Stato dell’arte e roadmap
Azure Security Compass v1.1 - Presentation.pptx
Microsoft Azure Security Infographic
Microsoft Azure Cloud Services
Building a Secure and Compliant Azure Virtual Data Center
Azure 13 effective security controls for iso 27001 compliance
Microsoft Windows Azure - Security Best Practices for Developing Windows Azur...
Design a Secure Azure IaaS - Lesson Learnt from Government Cloud
Implementing Zero Trust strategy with Azure
AZ-900 Summary with all information that
Fortaleça seu Nível de Segurança com Microsoft Azure
Azure security infographic 2014 sec
Ad

Recently uploaded (20)

PDF
Introduction to MCP and A2A Protocols: Enabling Agent Communication
PDF
Rapid Prototyping: A lecture on prototyping techniques for interface design
PDF
SaaS reusability assessment using machine learning techniques
PDF
Electrocardiogram sequences data analytics and classification using unsupervi...
PPTX
Presentation - Principles of Instructional Design.pptx
PDF
Human Computer Interaction Miterm Lesson
PDF
Altius execution marketplace concept.pdf
PDF
NewMind AI Weekly Chronicles – August ’25 Week IV
PDF
The-Future-of-Automotive-Quality-is-Here-AI-Driven-Engineering.pdf
PDF
Decision Optimization - From Theory to Practice
PDF
5-Ways-AI-is-Revolutionizing-Telecom-Quality-Engineering.pdf
PDF
Transform-Your-Streaming-Platform-with-AI-Driven-Quality-Engineering.pdf
PDF
The-2025-Engineering-Revolution-AI-Quality-and-DevOps-Convergence.pdf
PDF
Aug23rd - Mulesoft Community Workshop - Hyd, India.pdf
PDF
Transform-Quality-Engineering-with-AI-A-60-Day-Blueprint-for-Digital-Success.pdf
PDF
Dell Pro Micro: Speed customer interactions, patient processing, and learning...
PDF
A hybrid framework for wild animal classification using fine-tuned DenseNet12...
PDF
Auditboard EB SOX Playbook 2023 edition.
PPTX
SGT Report The Beast Plan and Cyberphysical Systems of Control
PDF
IT-ITes Industry bjjbnkmkhkhknbmhkhmjhjkhj
Introduction to MCP and A2A Protocols: Enabling Agent Communication
Rapid Prototyping: A lecture on prototyping techniques for interface design
SaaS reusability assessment using machine learning techniques
Electrocardiogram sequences data analytics and classification using unsupervi...
Presentation - Principles of Instructional Design.pptx
Human Computer Interaction Miterm Lesson
Altius execution marketplace concept.pdf
NewMind AI Weekly Chronicles – August ’25 Week IV
The-Future-of-Automotive-Quality-is-Here-AI-Driven-Engineering.pdf
Decision Optimization - From Theory to Practice
5-Ways-AI-is-Revolutionizing-Telecom-Quality-Engineering.pdf
Transform-Your-Streaming-Platform-with-AI-Driven-Quality-Engineering.pdf
The-2025-Engineering-Revolution-AI-Quality-and-DevOps-Convergence.pdf
Aug23rd - Mulesoft Community Workshop - Hyd, India.pdf
Transform-Quality-Engineering-with-AI-A-60-Day-Blueprint-for-Digital-Success.pdf
Dell Pro Micro: Speed customer interactions, patient processing, and learning...
A hybrid framework for wild animal classification using fine-tuned DenseNet12...
Auditboard EB SOX Playbook 2023 edition.
SGT Report The Beast Plan and Cyberphysical Systems of Control
IT-ITes Industry bjjbnkmkhkhknbmhkhmjhjkhj

azure-security-overview-slideshare-180419183626.pdf

  • 4. Trustworthy Computing Initiative Security Development Lifecycle Global Data Center Services Malware Protection Center Microsoft Security Response Center Windows Update 1st Microsoft Data Center Active Directory SOC 1 CSA Cloud Controls Matrix PCI DSS Level 1 FedRAMP/ FISMA UK G-Cloud Level 2 ISO/IEC 27001:2005 HIPAA/ HITECH Digital Crimes Unit SOC 2 E.U. Data Protection Directive https://www.microsoft.com/en-us/TrustCenter
  • 6. 6 Best practices and guidance Third-party verification Cloud Security Alliance Security intelligence report Compliance packages Trust Center Access to audit reports Security Response Center progress report
  • 7. 7 Restricted Use Azure does not share data with its advertiser- supported services Azure does not mine Customer Data for advertising Read the fine print of other cloud service provider’s privacy statements
  • 8. Contractual Commitments EU Data Privacy Approval • Microsoft makes strong contractual commitments to safeguard customer data covered by HIPAA BAA, Data Processing Agreement, & E.U. Model Clauses • Enterprise cloud-service specific privacy protections benefit every industry & region • Microsoft meets high bar for protecting privacy of EU customer data • Microsoft offers customers EU Model Clauses for transfer of personal data across international borders • Microsoft’s approach was approved by the Article 29 committee of EU data protection authorities – the first company to obtain this Broad contractual scope
  • 10. ISO 27001 SOC 1 Type 2 SOC 2 Type 2 FedRAMP/FISMA PCI DSS Level 1 UK G-Cloud Information security standards Effective controls Government & industry certifications Simplified Compliance
  • 11. 11 Security Compliance Strategy Security analytics Risk management best practices Security benchmark analysis Test and audit Security Compliance Framework • Security goals set in context of business and industry requirements • Security analytics & best practices deployed to detect and respond to threats • Benchmarked to a high bar of certifications and accreditations to ensure compliance • Continual monitoring, test and audit • Ongoing update of certifications for new services
  • 12. 12 Program Description ISO/IEC 27001 The ISO/IEC 27001:2005 certificate validates that Azure has implemented the internationally recognized information security controls defined in this standard. SOC 1 SSAE 16/ISAE 3402 Azure has also been audited against the Service Organization Control (SOC) reporting framework for SOC 1 Type 2 (formerly SAS 70), attesting to the design and operating effectiveness of its controls. SOC 2 Azure has been audited for SOC 2 Type 2, which includes a further examination of Azure controls related to security, availability, and confidentiality FedRAMP/FISMA Azure has received Provisional Authorization to Operate from the Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board (JAB), having undergone the assessments necessary to verify that it meets FedRAMP security standards. PCI DSS Level 1 Azure has been validated for PCI-DSS Level 1 compliance by an independent Qualified Security Assessor (QSA). UK G-Cloud IL2 In the United Kingdom, Azure has been awarded Impact Level 2 (IL2) accreditation, further enhancing Microsoft and its partner offerings on the current G-Cloud procurement Framework and CloudStore. HIPAA BAA To help customers comply with HIPAA and HITECH Act security and privacy provisions, Microsoft offers a HIPAA Business Associate Agreement (BAA) to healthcare entities with access to Protected Health Information (PHI). Certifications and Programs
  • 15. Traditional Storage Servers Physical Network Operating System Middleware Virtualization Data Applications Runtime You Manage IaaS Storage Servers Physical Network Operating System Middleware Virtualization Data Applications Runtime Managed by Microsoft You Manage PaaS Managed by Microsoft You Manage Storage Servers Physical Network Operating System Middleware Virtualization Applications Runtime Data SaaS Managed by Microsoft Storage Servers Physical Network Operating System Middleware Virtualization Applications Runtime Data Windows Azure Virtual Machines Windows Server Hyper-V Windows Server Windows Azure PaaS Services Office 365 Dynamics CRM Software Network
  • 16. https://www.microsoft.com/en- us/trustcenter/security#How-Microsoft-protects-your-data Network Protection Private, isolated network Extend existing topology Private, physical connection Data Protection Data Redundancy Options Encryption - In-Transit and At-Rest Key Vault Identity & Access Manage user identities Multi-factor authentication Role-based access control
  • 18. Security embedded in planning, design, development, & deployment Rigorous controls to prevent, detect, contain, & respond to threats Hardening cloud services through simulated real-world attacks Global, 24x7 incident response to mitigate effects of attacks Design and Operations Operational security controls Assume breach Incident response Software Development Lifecycle (SDL) https://www.microsoft.com/en-us/trustcenter/security//designopsecurity
  • 20. Service security starts with physical data center Cameras 24X7 security staff Barriers Fencing Alarms Two-factor access control: Biometric readers & card readers Security operations center Days of backup power Seismic bracing Building Perimeter Computer room https://www.microsoft.com/en-us/cloud-platform/global-datacenters
  • 21. Architected for Secure Multi-tenancy AZURE: • Centrally manages the platform and isolates customer environments using the Fabric Controller • Runs a configuration-hardened version of Windows Server as the Host OS • Uses Hyper-V Windows Server 2012 R2 - a battle tested and enterprise proven hypervisor • Runs Windows Server on Guest VMs for platform services CUSTOMER: • Manages their environment through service management interfaces and subscriptions • Chooses from the gallery or brings their own OS for their Virtual Machines Azure Storage SQL Database Fabric Controller Customer Admin Guest VM Guest VM Customer 2 Guest VM Customer 1 Portal Smart API End Users Host OS Hypervisor Microsoft Azure
  • 22. ExpressRoute Connections Customer 1 Isolated Virtual Network Deployment X Microsoft Azure Site 1 ExpressRoute Peer Site 2 WAN AZURE: • Offers private WAN connections via ExpressRoute • Enables access to Compute, Storage, and other Azure services CUSTOMERS: • Can establish connections to Azure at an ExpressRoute location (Exchange Provider facility) • Can directly connect to Azure from your existing WAN network (such as a MPLS VPN) provided by a network service provider • Manages certificates, policies, and user access https://azure.microsoft.com/en-us/services/expressroute/
  • 23. VPN Connections Customer 1 Isolated Virtual Network Deployment X Microsoft Azure VPN Remote Workers Customer Site Computers Behind Firewall AZURE: • Enables connection from customer sites and remote workers to Azure Virtual Networks using Site-to-Site and Point-to-Site VPNs CUSTOMERS: • Configures the P2S VPN client in Windows • Manages certificates, policies, and user access https://azure.microsoft.com/en-us/services/vpn-gateway/
  • 24. Firewall Protection Customer 1 Application Tier Logic Tier Database Tier Virtual Network Cloud Access Layer AZURE: • Controls access from the Internet, permits traffic only to endpoints, and provides load balancing and NAT at the Cloud Access Layer • Isolates traffic and provides intrusion defense through a distributed firewall • Defines access controls between tiers and provides additional protection via the OS firewall CUSTOMER • Applies corporate firewall using site-to- site VPN Client 443 443 VPN Corp Firewall INTERNET Microsoft Azure https://www.microsoft.com/en-us/trustcenter/security/networksecurity
  • 25. • Enables network segmentation & DMZ scenarios • Access Control Lists & Network traffic rules as security group • Security groups associated with Virtual machines, Network Interfaces, or virtual machine subnets (not GW subnet) • Rules define a 5-tuple • Rules are separated into Inbound and Outbound rules • Rules applied in order of priority • Network traffic rules updated independent of Virtual machines • Controlled access to and from Internet Virtual Network Backend 10.3/16 Mid-tier 10.2/16 Frontend 10.1/16 VPN GW Internet On Premises 10.0/16 S2S VPNs https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-nsg
• 26. Encryption in Transit
  AZURE:
  • Encrypts most communication between Azure datacenters
  • Encrypts transactions through the Azure Portal using HTTPS
  • Supports FIPS 140-2 ciphers
  CUSTOMER:
  • Can choose HTTPS for the REST API (recommended) for Storage
  • Configures HTTPS endpoints for applications running in Azure
  • Encrypts traffic between web client and server by implementing TLS on IIS
  [Diagram: Azure Portal; Azure Data Center; Azure Data Center]
  https://www.microsoft.com/en-us/trustcenter/security/encryption
• 27. Patch Management
  AZURE:
  • Applies regularly scheduled updates to the platform
  • Releases critical patches immediately
  • Rigorously reviews & tests all changes
  CUSTOMER:
  • Applies similar patch management strategies for their Virtual Machines
  Process stages: Monthly MSRC Patch Review, Patching, Rollout, Scanning, Audit Validation
  • Monitor 100,000+ vulnerability reports
  • Sourced from customers & worldwide network of security researchers
  • Prioritize critical updates
  • Monthly OS releases with patches
  • Reconciliation report
  • Resolution summary
  • Scanning & reporting of all Azure VMs
  • Track & remediate any findings
• 28. Antivirus/Antimalware
  AZURE:
  • Performs monitoring & alerting of antimalware events for the platform
  • Enables real-time protection, on-demand scanning, and monitoring via Microsoft Antimalware for Cloud Services and Virtual Machines
  CUSTOMER:
  • Configures Microsoft Antimalware or an AV/AM solution from a partner
  • Extracts events to SIEM
  • Monitors alerts & reports
  • Responds to incidents
  [Diagram: Customer Admin enables & configures antimalware on Cloud Services and Customer VMs through the Portal / Smart API; events land in Azure Storage and are extracted to a SIEM or other reporting system for the SIEM Admin view, alerting & reporting]
  Antimalware health events extracted to SIEM:
  Event ID  Computer  Event Description               Severity  DateTime
  1150      Machine1  Client in Healthy State         4         04/29/2014
  2002      Machine2  Signature Updated Successfully  4         04/29/2014
  5007      Machine3  Configuration Applied           4         04/29/2014
  1116      Machine2  Malware Detected                1         04/29/2014
  1117      Machine2  Malware Removed                 1         04/29/2014
• 30. Identity and Access Management with Azure AD
  AZURE:
  • Provides enterprise cloud identity and access management
  • Enables single sign-on across cloud applications
  • Offers Multi-Factor Authentication for enhanced security
  CUSTOMER:
  • Centrally manages users and access to Azure, O365, and hundreds of pre-integrated cloud applications
  • Builds Azure AD into their web and mobile applications
  • Can extend on-premises directories to Azure AD through synchronization
  [Diagram: End Users; Active Directory; Azure Active Directory; Cloud Apps]
  https://www.microsoft.com/en-us/trustcenter/security/identity
• 32. Azure RBAC Enforcement Model
  https://docs.microsoft.com/en-us/azure/azure-policy/azure-policy-introduction
• 33. Microsoft Employee Access Management
  Just in Time & Role-Based Access: a pre-screened admin requests access, and leadership grants a temporary privilege
  • No standing access to the platform and no access to customer Virtual Machines
  • Grants least privilege required to complete the task
  • Multi-factor authentication required for all administration
  • Access requests are audited and logged
  [Diagram: Microsoft Corporate Network to Microsoft Azure storage (Blobs, Tables, Queues, Drives)]
• 35. Azure Storage services
  Service  Type                 Access                Scenarios
  Blobs    Object storage       Access via REST       Streaming & random object access scenarios
  Files    File storage         Access via SMB, REST  Lift-and-shift scenarios
  Disks    IaaS VM VHD/disks    Access via REST       Persistent disks for VMs; Premium option
  Tables   NoSQL storage        Access via REST       Key-value store
  Queues   Reliable messaging   Access via REST       Scheduling async tasks
• 37. Encryption at Rest
  Virtual Machines:
  • Boot and data drives: Azure Disk Encryption
  • SQL Server: Transparent Data Encryption
  • Files & folders: EFS in Windows Server
  Storage:
  • Blob Storage encryption
  • BitLocker encryption of drives for import/export of data
  • StorSimple with AES-256 encryption
  Applications:
  • Client-side encryption through the .NET Crypto API
  • RMS SDK for file encryption by your applications
  https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption
• 38. Azure Key Vault
  [Diagram: Resource Providers use Data Encryption Keys (DEK); Key Encryption Keys (KEK) are either Customer Owned or Service Owned; access is brokered through Azure Active Directory]
  https://azure.microsoft.com/en-us/services/key-vault/
• 39. Data Deletion
  Data Destruction:
  • Wiping is NIST 800-88 compliant
  • Defective disks are destroyed at the datacenter
  • Immediately removed from primary location
  • Geo-replicated copy of the data removed asynchronously
  • Customers can only read from disk space they have written to
  Disk Handling
  https://blogs.msdn.microsoft.com/walterm/2014/09/04/microsoft-azure-data-security-data-cleansing-and-leakage/
• 41. Monitoring and Logging
  AZURE:
  • Performs monitoring & alerting of security events for the platform
  • Enables security data collection via Monitoring Agent or Windows Event Forwarding
  CUSTOMER:
  • Configures monitoring
  • Exports events to SQL Database, HDInsight or a SIEM for analysis
  • Monitors alerts & reports
  • Responds to incidents
  [Diagram: Customer Admin enables the Monitoring Agent on Cloud Services and Customer VMs through the Portal / Smart API; events land in Azure Storage and are extracted to HDInsight, a SIEM or another reporting system for the SIEM Admin view, alerting & reporting]
  Event information extracted to SIEM:
  Event ID  Computer  Event Description               Severity  DateTime
  1150      Machine1  Example security event          4         04/29/2014
  2002      Machine2  Signature Updated Successfully  4         04/29/2014
  5007      Machine3  Configuration Applied           4         04/29/2014
  1116      Machine2  Example security event          1         04/29/2014
  1117      Machine2  Access attempted                1         04/29/2014
  https://www.microsoft.com/en-us/trustcenter/security/auditingandlogging
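Slides 28 and 41 both describe extracting events in the same Event ID / Computer / Description / Severity / DateTime shape to a SIEM for alerting. As an added example (not code from the deck or from Microsoft Antimalware), the triage below parses such an export and flags severity-1 events plus machines whose 1116 "Malware Detected" was never followed by a 1117 "Malware Removed"; the export rows, the ISO timestamps and the Machine4 row are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed export in the same columns as the slide's event table (tab-separated).
# Event IDs 1116 (Malware Detected) and 1117 (Malware Removed) are the slide's;
# the Machine4 row is added so that one detection has no matching removal.
SAMPLE_EVENTS = """\
EventID\tComputer\tEventDescription\tSeverity\tDateTime
1150\tMachine1\tClient in Healthy State\t4\t2014-04-29T08:00:00
2002\tMachine2\tSignature Updated Successfully\t4\t2014-04-29T08:05:00
5007\tMachine3\tConfiguration Applied\t4\t2014-04-29T08:07:00
1116\tMachine2\tMalware Detected\t1\t2014-04-29T09:12:00
1117\tMachine2\tMalware Removed\t1\t2014-04-29T09:12:30
1116\tMachine4\tMalware Detected\t1\t2014-04-29T09:40:00
"""

MALWARE_DETECTED, MALWARE_REMOVED = 1116, 1117
SEVERITY_ALERT = 1  # the slide marks the malware events with severity 1

def parse_events(text):
    """Parse the tab-separated export into dicts with typed EventID/Severity."""
    rows = list(csv.DictReader(io.StringIO(text), delimiter="\t"))
    for r in rows:
        r["EventID"], r["Severity"] = int(r["EventID"]), int(r["Severity"])
    return sorted(rows, key=lambda r: r["DateTime"])  # ISO timestamps sort lexically

def triage(events):
    """Return severity-1 events and machines whose detection was never remediated."""
    high = [e for e in events if e["Severity"] <= SEVERITY_ALERT]
    open_detections = defaultdict(int)
    for e in events:  # events are in time order, so a removal closes earlier detections
        if e["EventID"] == MALWARE_DETECTED:
            open_detections[e["Computer"]] += 1
        elif e["EventID"] == MALWARE_REMOVED and open_detections[e["Computer"]] > 0:
            open_detections[e["Computer"]] -= 1
    unremediated = sorted(c for c, n in open_detections.items() if n > 0)
    return {"high_severity": high, "unremediated": unremediated}
```

Machine2's detection is closed by its removal event, so only Machine4 remains in the unremediated list and warrants a response ticket.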
• 42. Threat Detection
  AZURE:
  • Provides big data analysis of logs for intrusion detection & prevention for the platform
  • Employs denial of service attack prevention measures for the platform
  • Regularly performs penetration testing
  CUSTOMER:
  • Can add extra layers of protection by deploying additional controls, including web application firewalls
  • Conducts penetration testing of their applications
  [Diagram: End Users on the Internet and the corporate network over VPN reach the Customer Environment (Application, Logic and Database tiers in a Virtual Network) through the Cloud Access & Firewall Layer; a DOS/IDS threat detection layer sits in front of each tier]
  https://www.microsoft.com/en-us/trustcenter/security/threatmanagement
• 43.
  Built into Azure, no setup required
  • Automatically discover and monitor security of Azure resources
  Gain insights for hybrid resources
  • Easily onboard resources running in other clouds and on-premises
  https://azure.microsoft.com/en-us/services/security-center/