Securing APIs for ultimate security and privacy with Azure | Codit Webinar

  1. Securing APIs for ultimate security and privacy. Learn how you can secure your APIs end-to-end within Azure.
  2. Your host for today: Toon Vanhoutte (@ToonVanhoutte), Solution Architect, Microsoft Azure MVP, Azure Advisor & Microsoft Certified Trainer
  3. (image slide)
  4. Agenda: Securing your APIs in Azure | Protect your network | Safeguard your APIs | Secure your backends | Shield your data
  5. Azure Trust Center
  6. Shared responsibility model
  7. Scenario: Patient API (diagram; Hospital DB)
  8. Protect your network
  9. How can we restrict network access? | Isolated & private network | Create your own, dedicated private network within the Azure cloud | Control outbound and inbound access from and to that private network | Deploy your Azure resources inside that firewall-protected private network | Multi-tenant cloud network | Use the multi-tenant and shared infrastructure of the Azure cloud | Control inbound access to individual components | Deploy your Azure resources on the public multi-tenant cloud infrastructure (diagram: "Get Patients" calls to the API from several callers)
  10. Virtual Networks | Azure services no longer accessible from the public internet | Control external access via Network Security Groups | Establish a VPN with the on-premises network | Enable more advanced DDoS protection | Configure your own network appliance (WAF, firewall, ...)
  11. Application Gateway - WAF | Only supported within a Virtual Network | Protects against web vulnerabilities: SQL injection, cross-site scripting, bots, crawlers, HTTP protocol violations... | Based on the OWASP 3.0 core rule set | Integrated with Azure Security Center and Azure Monitor
  12. Virtual Network Service Endpoints | Alternative for services that are not supported to run inside a VNET | Azure services no longer accessible from the public internet | Access only allowed from within the Virtual Network (or subnet) | Available on most data and messaging services; the complete list can be found here
  13. What if you don't have an isolated VNET? | Each individual component is responsible for restricting network access | This is mostly limited to IP restrictions | Many Azure IP restriction implementations rely on the application stack (e.g. IIS) instead of enforcing this on the network edge. Always combine IP restrictions with another security measure!
  14. How can we restrict network access? | Isolated & private network: | Multi-layered security | Standard DDoS protection | More network control | Ability to choose the network appliance | High-bandwidth VPN to on-premises | More expensive (dedicated compute) | Less scalable | Not supported by all Azure services | Multi-tenant cloud network: | Single point of security failure | Basic DDoS protection | Less network control | Rely on Microsoft's standard offering | Limited relayed hybrid connectivity | Cheaper (shared infrastructure) | High elasticity | Supported by almost all Azure services
  15. Scenario: Patient API (diagram labels: Hospital DB, VNET, IP, VNET Service Endpoint)
  16. Safeguard your APIs
  17. Secure your APIs (diagram: Patient API in C#, Doctor API in nodeJS, Lab API in Java, Website, Partners) Each service must implement its own variant of the same security. Each service must share and manage the same credentials. What if we later need to on-board a variety of partners? There is a need for central security & governance to design for change.
  18. API Management (9/05/2019): Business expansion | Central governance | Visibility & insights | Data accessibility | Centralize security | Fast adoption
  19. Azure API Management Security (diagram labels: Apps, Publisher Portal, Proxy, Developer Portal, Backend Service) Frontdoor security. User interaction: • OAuth2 • Combined with OIDC. Machine-to-machine: • API key • Basic authentication • Mutual authentication • OAuth2
  20. Claim-based authorization via OAuth2 (diagram labels: Authorization Service, Azure API Management with JWT validation, myApp.com, Backend API, Configuration endpoint, Resource Owner; tokens flowing: Access token, ID token)
  21. (diagram slide)
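The JWT validation step from slide 20, as an added example (not from the deck or Codit): API Management would do this with its validate-jwt policy against the authorization service's configuration endpoint; here the same checks (signature, issuer, audience, expiry, scope) are written out in stdlib Python. It assumes a constructed HS256 shared secret standing in for the authorization server's signing key, and hypothetical issuer and audience values.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret. In practice the verification key is fetched from the
# authorization server's configuration (JWKS) endpoint and is usually an RSA key.
DEMO_SECRET = b"demo-shared-secret-not-for-production"
EXPECTED_ISSUER = "https://auth.example.test/"   # hypothetical authorization service
EXPECTED_AUDIENCE = "patient-api"                # hypothetical API identifier


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_demo_token(claims: dict, secret: bytes = DEMO_SECRET, alg: str = "HS256") -> str:
    """Mint a demo token so the validator can be exercised offline."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_jwt(token: str, required_scope: str, now=None, secret: bytes = DEMO_SECRET) -> dict:
    """Verify the signature first, then issuer, audience, expiry and scope. Raise on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token's own header choose it (blocks alg=none downgrades).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if required_scope not in claims.get("scp", "").split():
        raise ValueError("missing scope")
    return claims
```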
  22. API Management Security (diagram labels: Apps, Publisher Portal, Proxy, Developer Portal, Backend Service) Frontdoor security. User interaction: • OAuth2 • Combined with OIDC. Machine-to-machine: • API key • Basic authentication • Mutual authentication • OAuth2. Backdoor security. Any backend API: IP restriction and • API key • Basic authentication • Mutual authentication. Azure resources: • Managed Service Identity
  23. Azure API Management Tiers
  24. Scenario: Patient API (diagram labels: Hospital DB, IP+JWT, OAuth2, VNET, IP, MSI)
  25. Secure your backends
  26. Managed Service Identity | Managed Service Identity is a feature of Azure Active Directory. It provides Azure services with an identity in Azure AD. You can use that identity to authenticate to any service that supports Azure AD authentication. | No more keys or passwords needed to access another Azure resource!!!
  27. Managed Service Identity | Supported services (clients) that can get such a managed identity: | VMs, Logic Apps, App Service, Azure Functions, Data Factory V2, Azure API Management, ACI | A complete and updated list can be found here. | Supported services (servers) that support Azure AD authentication: | ARM, Key Vault, Azure Data Lake, Azure SQL, Event Hubs, Service Bus, Storage | A complete and updated list can be found here.
  28. How to authenticate with other services? 1. Use Managed Service Identity directly 2. Get the access key from Key Vault, via Managed Service Identity 3. Azure DevOps deploys secrets from Key Vault into the client's config store
  29. Scenario: Patient API (diagram labels: Hospital DB, IP+JWT, OAuth2, VNET, IP, MSI)
  30. Shield your data
  31. Data in motion | Only use encrypted communication channels
  32. Data at rest | Server-side encryption model | E.g. SQL Database: Transparent Data Encryption (TDE) | Azure storage administrators cannot read your data, but SQL admins still can | Most Azure services encrypt your data | Some have a BYOK option | Client-side encryption model | E.g. SQL Database: Always Encrypted | Even SQL administrators cannot see your sensitive data | DIY for other Azure services | Local key wrapping against Key Vault
  33. GDPR | Most common design strategies to deal with GDPR: | Foresee sufficient procedures: Minimize, Hide, Separate, Inform, Get a copy, Remove
  34. Azure is a lot more than this!
  35. Azure Security Features: How we integrate! | Azure Security Center | Azure Sentinel | Azure Frontdoor | Secure DevOps Kit for Azure | Advanced Threat Protection | SQL Advanced Data Security | Immutable Blob Storage (WORM) | …
  36. At Codit, we care about your security!
  37. Arcus | Secrets made easy with Arcus | OSS library that makes it easier to build secure applications on Azure | Driven by Codit, made available to the community | Available on GitHub | All documentation on security.acrus-azure.net
  38. Are you already hosting your APIs in Azure? (decision slide: Yes / No; Azure Readiness Assessment, Azure Maturity Assessment)
  39. Thank you! Any questions?