Architecting for a Secure Cloud

Michele Leroux Bustamante, www.idesign.net, 4/26/2017
Chief Architect, IDesign (www.idesign.net)
Chief Security Architect, BiTKOO (www.bitkoo.com)
Microsoft Regional Director (www.theregion.com), MVP Connected Systems
Publications and Resources: DevProConnections, MSDN, CoDe Magazine, Microsoft whitepapers; Learning WCF (O’Reilly 2007/2009); CodePlex (publications, webcasts, code, utilities)
Speaker: Tech Ed, PDC, Dev Connections, NDC, etc.
www.michelelerouxbustamante.com, www.learningwcf.com
©2009-2010 Michele Leroux Bustamante, IDesign. All rights reserved.
Agenda
• Benefits and concerns moving to the cloud
• IT and shared hosting security aspects
• Application architecture security aspects
• Architectural scenarios for Windows Azure Platform features
• Techniques for securing features by scenario
What Drives Us to the Cloud?
• Reduced capital investment
• Scale out on demand, pay as you go
• Unbounded scale for bursts or peak loads
• Better overall IT management strategy
• Quality of service, zero downtime updates
• Focus resources on implementation and business logic
Typical Concerns
• Loss of control
• Reliability of services
• Service level commitments and guarantees
• Ability to change vendors if dissatisfied
• Security
Windows Azure Platform Building Blocks
Platform Infrastructure, Equipment, Data Center
Windows Azure Storage
Windows Azure
SQL Azure
Windows Azure AppFabric
IT Security Considerations
Security Aspect | Provider | Business
Physical access to provider facility x
Administrator access to equipment at provider facility x
Patch management x
Virus scanner and other protective measures x
Denial of Service prevention x
Packet filtering x
Administrator access to cloud accounts x
Backup and recovery x x
Shared Hosting Considerations
Security Aspect | Provider | Business
Isolation of database instances x
Partition level packet filters x
Protection against malicious tenants x
Prevention of VM jailbreak x
Network access restrictions to VM x
Memory access restrictions between VM x
Remote access to VM x
Administrator access to host environment x
Application Architecture Considerations
Security Aspect | Provider | Business
Transfer security x x
Data and content encryption x
Key management x x
Identity management x x
Access control x x
DMZ requirements x x
Architecture tiers and boundaries x
Risk assessment x
Legislative requirements for compliance and audit x
Windows Azure Platform Features
[Diagram labels: Windows Azure (Web Role, Worker Role, Cache); Azure Storage (Queues, Tables, Blobs) over REST; SQL Azure; AppFabric (Cache, Access Control); On Premise Domain, AD FS 2, Service]
Service Bus
• Primarily designed to address connectivity issues
• Services may be located behind private IPs, firewalls, load balancers, proxy servers
• Also enhances reliability and scalability
• Provides added security
[Diagram labels: On Premise, Service]
Service Bus as DMZ
[Diagram: clients (Browser with MVC / jQuery, AJAX, Silverlight; WPF; Windows Phone 7) call MVC / REST endpoints through REST routers in the DMZ, which forward to Services in the Corporate Domain; MVC Site and Web Forms Site shown]
Service Bus as DMZ (2)
[Diagram: the same clients (Browser with MVC / jQuery, AJAX, Silverlight; WPF; Windows Phone 7), MVC Site and Web Forms Site, with AppFabric taking the place of the DMZ routers in front of the Services in the Corporate Domain]
Service Bus to Data On Premise / Migration
[Diagram labels: Client, Web Application (Windows Azure), AppFabric, Service (Corporate Domain)]
Service Bus Security Aspects
Security Aspect | Provider | Business
DMZ, DoS prevention Built-in
Transfer security TCP or HTTPS, add message security
Symmetric key authentication Provided by plumbing
Key management Rollover provided Requires process
Key protection Provide encryption
Service Bus Security
[Diagram labels: Client (Windows Azure), Evil Client, AppFabric, Access Control, Service (Corporate Domain); signed request; encrypt message / decrypt message; Encrypt+ / Encrypt; TCP / HTTPS; HTTPS]
Service Bus Recommendations:
• Require relay credential
• Encrypt keys at client
• Try to use TCP relay for performance and cost savings
• Add message security for highly sensitive data
• Use negotiation for encryption certificate over HTTP
SQL Azure
• Relational data store in the cloud (SQL Server 2008 R2)
• TDS support (client connections)
• REST-based Management API
• Protected by: Firewall Rules; SQL Server authentication (not Windows); Certificate authentication
Relational Data On Premise / In The Cloud
[Diagram labels: Client, Web / Worker Role (Windows Azure), AppFabric, Service (Corporate Domain), SQL Azure]
SQL Azure Security Aspects
Security Aspect | Provider | Business
Data isolation Physical server Database instance
Data loss prevention Internal backup Backup/recover process required
Data retention policy 90 days
Geographic restrictions Choose region for storage only; transfer restrictions may exclude cloud
Administrative access control Portal admin
Firewall access rules / Windows Azure access Portal or scripted
REST-API access Certificate authN
Transfer security HTTPS required
Data protection Encryption, hashing
User access Trusted subsystem model is best
SQL Azure Security
[Diagram: SQL Azure (Master, Table A, Table B; user login, user, user) reached by Service (Corporate Domain), Web / Worker Role (Windows Azure), Web Portal, SQL Server Management Studio, REST Client (REST API), SSRS, SSIS, AS; Firewall Rules per path: Allow Microsoft Services + User Credentials; IP Address + User Credentials; IP Address + DB Admin (Portal Admin, Administrative); IP Address + Certificate; IP Address + Service User]
SQL Azure Recommendations:
• Use portal admin to create DB admin accounts and manage firewall rules
• Use DB admin accounts to configure schema and users
• Use trusted subsystem users to reduce attack surface
• Automate with the REST API where possible
SQL Azure Data Protection
[Diagram: Application encrypts data before writing to SQL Azure and decrypts data on read; Application computes a hash for storage, then computes a hash of user input and compares the hashes]
SQL Azure Recommendations (2):
• Limit access to hashing and encryption material
• Use asymmetric encryption, cert store to protect keys, limited access
• Protect hashing material by encrypting config
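The hashing path of the diagram (compute hash for storage, compute hash of user input, compare), written out as an added Python example that is not from the deck; the pepper constant stands in for the "hashing material" the recommendations keep in encrypted config on the application tier, and the encryption path is not covered here:

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed "hashing material": lives in (encrypted) application config with
# limited access, and is never written to the database alongside the hashes.
HASH_PEPPER = b"constructed-pepper-do-not-store-in-db"
ITERATIONS = 100_000


def compute_hash(value: str, pepper: bytes = HASH_PEPPER,
                 salt: Optional[bytes] = None) -> dict:
    """Hash a secret (password, security answer) for storage in a table row.

    A random per-row salt and PBKDF2 slow down guessing; the final HMAC with
    the application-held pepper means a dumped table cannot be verified
    offline unless the application's config is compromised as well.
    """
    salt = salt if salt is not None else os.urandom(16)
    stretched = hashlib.pbkdf2_hmac("sha256", value.encode("utf-8"), salt, ITERATIONS)
    tag = hmac.new(pepper, stretched, hashlib.sha256).digest()
    return {
        "salt": base64.b64encode(salt).decode("ascii"),
        "hash": base64.b64encode(tag).decode("ascii"),
    }


def compare_hash(user_input: str, stored: dict, pepper: bytes = HASH_PEPPER) -> bool:
    """Recompute the hash of the user's input with the stored salt and compare
    in constant time, so response timing does not leak how much matched."""
    salt = base64.b64decode(stored["salt"])
    candidate = compute_hash(user_input, pepper, salt)["hash"]
    return hmac.compare_digest(candidate, stored["hash"])


if __name__ == "__main__":
    # Constructed row: only salt and hash would be stored in SQL Azure.
    row = compute_hash("correct horse battery staple")
    print(compare_hash("correct horse battery staple", row))  # True
    print(compare_hash("wrong guess", row))  # False
    # Same row checked with a different pepper (table dump without config): no match.
    print(compare_hash("correct horse battery staple", row, pepper=b"other"))  # False
```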
Windows Azure & Windows Azure Storage
• Compute, Storage and Management services
• Host web applications and services
• Applications can leverage non-relational tables, queues or blob storage
• Replace relational database or use tables to complement it
• Host large media content
• Optionally distribute via Content Delivery Network (CDN)
• Mount drives for migration approach
• Go all-in or scale out specific features
Windows Azure & Windows Azure Storage
[Diagram labels: Windows Azure (Web Role, Worker Role); Windows Azure Storage (Queues, Tables, Blobs) over REST]
Application
[Diagram: Application in Windows Azure reaches Windows Azure Storage (Queues, Tables, Blobs) over REST, either through StorageClient or directly by REST URI]
Windows Azure Storage Security Aspects
Security Aspect | Provider | Business
Data isolation Physical server Partitioning
Data loss prevention Internal backup Backup/recover process required
Data retention policy 90 days
Geographic restrictions Choose region for storage only; transfer restrictions may exclude cloud
Administrative access control Portal admin
Data protection Encryption, hashing, MD5 signatures
Transfer security HTTPS
Symmetric key authentication Use tools or manual
Key management Rollover provided Requires process
Key protection Provide encryption
Access restrictions Internal containers
Windows Azure Storage Security
[Diagram labels: Windows Azure Storage (Queues, Tables, Blobs) over REST; Service (Corporate Domain), Web / Worker Role (Windows Azure), Remote Client / Client App, Administration (Management Tools, Web Portal); every connection HTTPS; Symmetric Key]
Windows Azure Storage Tiers
[Diagram labels: Windows Azure Storage (Queues, Tables, Blobs) over REST; Service (Windows Azure), Client App (Remote Client), Web Portal (Administration); Symmetric Key; encrypt key; roll keys; HTTPS]
Azure Storage Recommendations:
• Never ship keys to non-owned clients
• Avoid shipping keys to remote clients
• Encrypt keys in config
Blob Storage Integrity
[Diagram: Service in Windows Azure uploads to a Blob Container in Windows Azure Storage with an MD5 hash attached; the storage service validates the signature]
Blob Storage Recommendations:
• For very large media uploads and/or mission critical data use MD5 validation to ensure integrity
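The MD5 validation above, as an added Python example (not the deck's code and not the StorageClient library): the digest travels as a Content-MD5 style header (base64 of the raw digest), the constructed stand-in container rejects an upload whose body disagrees with the header, and the client re-checks on download; the streaming variant covers large media that should not be hashed in one buffer.

```python
import base64
import hashlib
from typing import Dict, Iterable, Tuple


def content_md5(data: bytes) -> str:
    """Base64 of the raw 16-byte MD5 digest, the form carried in a Content-MD5 header."""
    return base64.b64encode(hashlib.md5(data).digest()).decode("ascii")


def stream_md5(chunks: Iterable[bytes]) -> str:
    """Same value computed incrementally, so very large media is hashed chunk by chunk."""
    h = hashlib.md5()
    for chunk in chunks:
        h.update(chunk)
    return base64.b64encode(h.digest()).decode("ascii")


class BlobContainer:
    """Constructed stand-in for a blob container: keeps bytes plus the
    Content-MD5 the uploader supplied, and validates it on the way in."""

    def __init__(self) -> None:
        self._blobs: Dict[str, Tuple[bytes, str]] = {}

    def put_blob(self, name: str, data: bytes, headers: Dict[str, str]) -> None:
        # Service side: refuse the write if body and header disagree, so a
        # corrupted upload never becomes the stored version.
        declared = headers.get("Content-MD5")
        if declared is None or declared != content_md5(data):
            raise ValueError("Md5Mismatch: upload rejected")
        self._blobs[name] = (data, declared)

    def get_blob(self, name: str) -> Tuple[bytes, Dict[str, str]]:
        data, md5 = self._blobs[name]
        return data, {"Content-MD5": md5}

    def corrupt(self, name: str) -> None:
        # Test hook only: flip one stored byte without touching the digest.
        data, md5 = self._blobs[name]
        self._blobs[name] = (bytes([data[0] ^ 0x01]) + data[1:], md5)


def upload(container: BlobContainer, name: str, data: bytes) -> str:
    """Client side: hash the payload and send the digest along with it."""
    digest = content_md5(data)
    container.put_blob(name, data, {"Content-MD5": digest})
    return digest


def download(container: BlobContainer, name: str) -> bytes:
    """Client side: recompute the digest of what arrived and refuse a payload
    that no longer matches what was uploaded."""
    data, headers = container.get_blob(name)
    if content_md5(data) != headers["Content-MD5"]:
        raise ValueError("Md5Mismatch: downloaded blob is corrupted")
    return data
```

This check catches corruption in transfer or at rest; because the digest is sent alongside the data by the same party, it is not a defence against someone who can rewrite both.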
Blob Storage Shared Access Signatures
[Diagram: four Service and container configurations: Public Blob Access (create/update/delete; read); Public Container Access (create/update/delete/read; list); Private Container (create/update/delete/read; list); Private Container with Shared Access Signature (SAS), where a Browser Client gets read access for a limited time with a shared access key under a shared access policy; >1 hour requires an authentication header in the request (no browser)]
Blob Storage Recommendations (2):
• Never allow public access to container
• Allow public read to blob links if appropriate for the application; try to use SAS for this purpose to limit exposure
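The SAS pattern on this slide, as an added Python example that is not the deck's or the platform's code: the account key stays on the service tier, the browser link carries only permissions, expiry and an HMAC signature over them, and the service-side check enforces all three. The string-to-sign, the `constructed.example` host and the one-hour browser limit are constructed for the example, not the platform's exact format.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed storage account key: it stays on the service tier; the browser
# only ever receives a signature derived from it.
ACCOUNT_KEY = b"constructed-account-key-never-shipped-to-clients"
BROWSER_MAX_LIFETIME = 3600  # the slide's limit: longer links need an auth header, no browser


def _sign(key: bytes, container: str, blob: str, permissions: str, expiry: int) -> str:
    # Simplified string-to-sign (constructed): every field the service will
    # enforce later is covered by the signature, so none can be edited in the URL.
    string_to_sign = "\n".join([permissions, str(expiry), f"/{container}/{blob}"])
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def create_sas_url(container: str, blob: str, permissions: str, lifetime: int,
                   key: bytes = ACCOUNT_KEY, now: Optional[int] = None) -> str:
    """Service side: mint a read-only, time-limited link into a private container."""
    now = int(time.time()) if now is None else now
    if permissions != "r":
        raise ValueError("browser links are read-only under this policy")
    if lifetime > BROWSER_MAX_LIFETIME:
        raise ValueError("browser links may not live longer than one hour")
    expiry = now + lifetime
    query = {"sp": permissions, "se": expiry,
             "sig": _sign(key, container, blob, permissions, expiry)}
    return f"https://constructed.example/{container}/{blob}?{urlencode(query)}"


def authorize(url: str, requested: str, key: bytes = ACCOUNT_KEY,
              now: Optional[int] = None) -> bool:
    """Service side: allow the request only if the signature verifies, the link
    has not expired, and the requested operation is within the granted permissions."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    try:
        _, container, blob = parsed.path.split("/", 2)
        permissions, expiry, sig = q["sp"], int(q["se"]), q["sig"]
    except (KeyError, ValueError):
        return False
    if now >= expiry:
        return False
    if requested not in permissions:
        return False
    expected = _sign(key, container, blob, permissions, expiry)
    return hmac.compare_digest(expected, sig)
```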
Windows Azure Architecture
[Diagram labels: .NET FW 3.5 SP1 / .NET FW 4; CAS Policy, NT Security Policy; Web Role (ASP.NET / MVC, AJAX / jQuery, Silverlight, WCF, .NET Code); Worker Role (.NET Code, WCF); Tables, Queues, Blobs]
Application Architecture Tiers
[Diagram: Windows Azure with Web Roles (Web Application, WCF Service) on External Endpoints, Worker Roles (WCF Services) on Internal Endpoints, Azure Storage (Queues, Tables, Blobs) over REST, and SQL Azure]
Added Security with Service Bus
[Diagram: Windows Azure Web Roles (Web Application, WCF Service) and Worker Roles (WCF Services) on Internal Endpoints; Clients and a Service in the Corporate Domain connect through the Service Bus]
Scaling Out Compute Cycles
[Diagram: a Web Role WCF Service writes to a Compute Queue in Azure Storage (REST) and a Worker Role WCF Service pulls from the queue; Client and Service in the Corporate Domain connect through the Service Bus]
Scaling Out Compute Cycles (2)
[Diagram: a Web Role WCF Service writes to a Compute Queue (REST) and several Worker Role WCF Services pull from the queue; Client and Service shown]
Scaling Out Media Access
[Diagram: Client and Service in the Corporate Domain; Blob Containers in Azure Storage (REST) fronted by CDN Caches]
Web Application Security Aspects
Security Aspect | Provider | Business
DNS attack prevention Built-in
Transfer security HTTPS
Privilege elevation prevention ACLs Partial trust
Cross Site Scripting (XSS) prevention ASP.NET features and custom
Cross domain call prevention Silverlight configuration
SQL injection prevention ASP.NET features and parameterized queries
Authentication models Forms, Identity Federation
WCF Service Security Aspects
Security Aspect | Provider | Business
DNS attack prevention Built-in
Transfer security HTTPS or TCP, add message security
Privilege elevation prevention ACLs Partial trust
SQL injection prevention Parameterized queries
Endpoint privacy Internal endpoints, Service Bus
Authentication models UserName, Certificate, Identity Federation
Identity Federation Benefits
• Decouple authentication mechanism from applications and services
• Go claims-based
• Reduce IT pain and risk related to provisioning and de-provisioning users
• Extend trust to users across domain, corporate and Internet boundaries
• Support Single Sign-On (SSO)
Passive Federation
[Diagram labels: Browser, Azure Hosted Web Site, STS, Login Page; numbered steps 1 to 5]
Active Federation
[Diagram labels: Windows Client, STS, Azure Hosted Service; numbered steps 1 to 3]
STS On Premise
[Diagram labels: STS behind the DMZ, Windows Client, Azure Hosted Service]
Windows Users Behind DMZ
[Diagram labels: ADFS V2 in the DMZ; ADFS V2 with Domain Server and AD Users behind it; Windows Client; Azure Hosted Service]
Access Control and Mainstream Identity Providers
[Diagram labels: Browser, Relying Party Web, Access Control, Yahoo!, Windows Live; numbered steps 1 to 5]
Access Control and Enterprise Identity Providers
[Diagram labels: Browser, Relying Party Web, Access Control, Yahoo!, Windows Live, Enterprise Identity Provider; numbered steps 1 to 5]
Relying Party STS + Access Control
[Diagram labels: Relying Party Web, Relying Party STS (Policy), Access Control, Google, Yahoo!, Facebook, Windows Live, Enterprise Identity Providers (AD FS V2); flow of tokens, not direct communication]
WHEW!
Summary
• Application architecture must be well defined before you can define your cloud strategy
• Assess risks related to data, content and other assets
• Determine which can be moved to the cloud
• Determine the need for a migration plan as needed from on-premise to the cloud
• Define the application architecture for the cloud and the security plan for each Windows Azure Platform feature
• Document the IT, shared hosting and application security concerns and mitigations in your internal SLA
ARC Track Resources
http://www.microsoft.com/visualstudio
http://www.microsoft.com/visualstudio/en-us/lightswitch
http://www.microsoft.com/expression/
http://blogs.msdn.com/b/somasegar/
http://blogs.msdn.com/b/bharry/
http://www.microsoft.com/sqlserver/en/us/default.aspx
http://www.facebook.com/visualstudio
Resources
www.microsoft.com/teched: Sessions On-Demand & Community
www.microsoft.com/learning: Microsoft Certification & Training Resources
http://microsoft.com/technet: Resources for IT Professionals
http://microsoft.com/msdn: Resources for Developers
http://northamerica.msteched.com: Learning; Connect. Share. Discuss.
Complete an evaluation on CommNet and enter to win!
Scan the Tag to evaluate this session now on myTech•Ed Mobile