2. www.aditi.com
About Me
Nuno Filipe Godinho
Director of Cloud Services, Europe @ Aditi Technologies
Windows Azure MVP
nunog@aditi.com
http://msmvps.com/blogs/nunogodinho
Twitter: @NunoGodinho
Basic Cloud Security Concerns
• Where is my data located?
• Is the Cloud Provider secure?
• Who can see my Data?
• How do you make sure my company’s data follows “the rules”?
• Can I have my Data back?
• Can I have compliant applications in the Cloud?
Security is Multi-Dimensional
• Solutions to be secured should consider all security aspects, layer by layer:
– Human: how do people treat sensitive data?
– Data: DB hardening, cryptography, permissions
– Application: design and implement security best practices
– Host: OS hardening, regular patching
– Networking: firewall, VLANs, secure channels, ...
– Physical: who can access my servers?
Windows Azure Security Layers: Defense in Depth Approach
Layer – Defenses
• Data
– Strong storage keys for access control
– SSL support for data transfers between all parties
• Application
– Front-end .NET framework code running under partial trust
– Windows account with least privileges
• Host
– Stripped down version of Windows Server 2008 OS
– Host boundaries enforced by external hypervisor
• Network
– Host firewall limiting traffic to VMs
– VLANs and packet filters in routers
• Physical
– World-class physical security
– ISO 27001 and SAS 70 Type II certifications for datacenter processes
Physical Security
• Physical Data Center SSAE 16/ISAE 3402 Attestation and
ISO 27001 Certified
• Motion Sensors
• 24x7 protected Access
• Biometric controlled access systems
• Video Camera surveillance
• Security breach alarms
Built in Firewalls
• All Traffic travels through several firewalls
– Fabric Controlled
• Host VM
• Local Firewalls
– Service Owner Controlled
• Guest VM Firewall
• SQL Database Firewall
Windows Azure Security Layers
• Managed Code Access Security: partial trust
• Windows Account: running with least privileges
• Windows FW (VM): rules based on service model
• Virtual Machine: fixed CPU, memory, disk resources
• Root Partition Packet Filter: defense in depth against VM “jailbreaking”
• Network ACLs: dedicated VLANs for tenant nodes
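The VM firewall rules above are derived from the service model, and the speaker notes later on this page state that the only ports open on a Windows Azure VM are those explicitly defined in the Service Definition file. That makes the csdef the authoritative statement of a role's network attack surface, and a scan result can be checked against it. The following is an added example written for this page, not code from the deck or from the Azure SDK: it parses a constructed ServiceDefinition.csdef, derives which ports should answer from the Internet and which only from other instances of the same service, and diffs that against a constructed scan. Role names, endpoints and the scan results are made up for the demonstration.

```python
"""Audit a Windows Azure role's exposed ports against its service model.

Added example for this page: the csdef and the scan results below are constructed.
"""
import xml.etree.ElementTree as ET

# Namespace used by ServiceDefinition.csdef files.
NS = {"sd": "http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition"}

# Constructed service definition: a web role with two public endpoints and one
# internal endpoint, plus a worker role that is reachable only from inside the service.
DEMO_CSDEF = """<ServiceDefinition name="DemoService"
    xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
  <WebRole name="WebFrontEnd" vmsize="Small">
    <Endpoints>
      <InputEndpoint name="HttpIn" protocol="http" port="80" />
      <InputEndpoint name="HttpsIn" protocol="https" port="443" certificate="TlsCert" />
      <InternalEndpoint name="Cache" protocol="tcp" port="7070" />
    </Endpoints>
  </WebRole>
  <WorkerRole name="Backend" vmsize="Small">
    <Endpoints>
      <InternalEndpoint name="Work" protocol="tcp" port="9090" />
    </Endpoints>
  </WorkerRole>
</ServiceDefinition>
"""


def declared_endpoints(csdef_xml):
    """Map each role to the ports its model declares.

    InputEndpoints are published on the service's public VIP through the load
    balancer; InternalEndpoints are reachable only from other instances of the
    same service. Anything else should be blocked by the VM and host firewalls.
    """
    root = ET.fromstring(csdef_xml)
    result = {}
    for role in root.findall("sd:WebRole", NS) + root.findall("sd:WorkerRole", NS):
        public = {int(e.get("port")) for e in role.findall("sd:Endpoints/sd:InputEndpoint", NS)}
        internal = {int(e.get("port")) for e in role.findall("sd:Endpoints/sd:InternalEndpoint", NS)}
        result[role.get("name")] = {"public": public, "internal": internal}
    return result


def audit_scan(csdef_xml, role, observed_open, vantage="internet"):
    """Compare the open ports seen by a scan of `role` with what the model allows.

    vantage="internet": only InputEndpoints should answer.
    vantage="tenant":   a scan from another instance of the same service also
                        sees InternalEndpoints.
    Returns the ports that answered but were never declared (investigate) and the
    declared ports that did not answer (misconfiguration or a stopped listener).
    """
    decl = declared_endpoints(csdef_xml)[role]
    expected = set(decl["public"])
    if vantage == "tenant":
        expected |= decl["internal"]
    observed = set(observed_open)
    return {"unexpected": sorted(observed - expected), "missing": sorted(expected - observed)}


if __name__ == "__main__":
    # Constructed scan result: a port answering on a role whose model never declared it.
    print(audit_scan(DEMO_CSDEF, "WebFrontEnd", [80, 443, 3389]))
```

Run the audit from both vantage points: an Internet-side scan should see only the InputEndpoints, and a scan from a sibling instance should additionally see the InternalEndpoints. Any port in "unexpected" was opened outside the service model (for example by a plug-in or a manual change) and deserves a look before it is accepted.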
Defenses Inherited by Windows Azure Platform Applications
• Spoofing
– VM switch hardening
– Certificate Services
– Shared Access Signatures
• Tampering / Disclosure
– HTTPS
– Side channel protections
– VLANs
– Top of Rack Switches
– Custom packet filtering
• Repudiation
– Monitoring
– Diagnostics Service
• Information Disclosure
– HTTPS
– Shared Access Signatures
• Denial of Service
– Configurable scale-out
• Elevation of Privilege
– Partial Trust Runtime
– Hypervisor custom sandboxing
– Virtual Service Accounts
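Shared Access Signatures are listed above against spoofing and information disclosure, and the defense-in-depth slide earlier names strong storage keys as the data-layer access control. What makes a SAS a least-privilege credential is that the storage key never leaves its owner: the key signs a string that fixes the resource, the permissions and the validity window, and the service recomputes that MAC before honouring the request, so the recipient cannot widen what it was given. The following is an added example written for this page, not code from the deck or from the Azure SDK. It mints and verifies a service SAS for one blob using the 2012-02-12 string-to-sign layout (an assumption about that API version); the account name, key, container and blob names are constructed, and the verifier stands in for the check the storage service performs server-side.

```python
"""Mint and verify a Windows Azure Storage service SAS for a single blob.

Added example for this page. Assumes the 2012-02-12 string-to-sign layout; the
account, key and resource names are constructed.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

SAS_VERSION = "2012-02-12"          # assumed API version and string-to-sign layout
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed demo credentials; a real account key comes from the portal and is secret.
DEMO_ACCOUNT = "demoaccount"
DEMO_KEY_B64 = base64.b64encode(bytes(range(32))).decode()


def _string_to_sign(permissions, start, expiry, canonical_resource, identifier=""):
    # Every field is bound by the MAC: changing the permissions, the window or the
    # target resource in the URL invalidates the signature.
    return "\n".join([permissions, start, expiry, canonical_resource, identifier, SAS_VERSION])


def _sign(key_b64, string_to_sign):
    key = base64.b64decode(key_b64)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def make_blob_sas(account, key_b64, container, blob, permissions, start, expiry):
    """Return the SAS query string granting `permissions` (e.g. "r") on one blob.

    Only the holder of the account key can produce the sig field, so the key
    itself never has to be handed to the party that receives the SAS.
    """
    resource = f"/{account}/{container}/{blob}"
    st, se = start.strftime(TIME_FMT), expiry.strftime(TIME_FMT)
    sig = _sign(key_b64, _string_to_sign(permissions, st, se, resource))
    return urlencode({"sv": SAS_VERSION, "st": st, "se": se, "sr": "b", "sp": permissions, "sig": sig})


def verify_blob_sas(account, key_b64, container, blob, query, now, wanted_permission):
    """Stand-in for the server-side check: recompute the MAC, then enforce window and permission."""
    q = {k: v[0] for k, v in parse_qs(query, strict_parsing=True).items()}
    for field in ("sv", "sr", "sp", "se", "sig"):
        if field not in q:
            return False, "missing " + field
    if q["sv"] != SAS_VERSION or q["sr"] != "b":
        return False, "unsupported version or resource type"
    resource = f"/{account}/{container}/{blob}"
    expected = _sign(key_b64, _string_to_sign(q["sp"], q.get("st", ""), q["se"], resource))
    # Constant-time comparison: a plain == stops at the first differing byte and
    # would leak, through timing, how much of a forged signature was right.
    if not hmac.compare_digest(expected, q["sig"]):
        return False, "bad signature"
    if "st" in q:
        start = datetime.strptime(q["st"], TIME_FMT).replace(tzinfo=timezone.utc)
        if now < start:
            return False, "outside validity window"
    expiry = datetime.strptime(q["se"], TIME_FMT).replace(tzinfo=timezone.utc)
    if now >= expiry:
        return False, "outside validity window"
    if wanted_permission not in q["sp"]:
        return False, "permission not granted"
    return True, "ok"


def demo_run():
    """Mint a one-hour read-only SAS and exercise the verifier on it (constructed data)."""
    now = datetime(2012, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    later = now + timedelta(minutes=5)
    sas = make_blob_sas(DEMO_ACCOUNT, DEMO_KEY_B64, "reports", "q1.pdf", "r", now, now + timedelta(hours=1))
    cred = (DEMO_ACCOUNT, DEMO_KEY_B64)
    return {
        "read_ok": verify_blob_sas(*cred, "reports", "q1.pdf", sas, later, "r"),
        "write_denied": verify_blob_sas(*cred, "reports", "q1.pdf", sas, later, "w"),
        # Holder edits sp=r to sp=rw in the URL: the MAC no longer matches.
        "escalation": verify_blob_sas(*cred, "reports", "q1.pdf", sas.replace("sp=r", "sp=rw"), later, "w"),
        # Same SAS presented for a different blob: the canonical resource is part of the MAC.
        "other_blob": verify_blob_sas(*cred, "reports", "q2.pdf", sas, later, "r"),
        "expired": verify_blob_sas(*cred, "reports", "q1.pdf", sas, now + timedelta(hours=2), "r"),
    }


if __name__ == "__main__":
    for name, outcome in demo_run().items():
        print(f"{name:13s} -> {outcome}")
```

Two points to take from the verifier: the signature check comes before any other decision, so a tampered token is rejected without learning anything about the policy, and the comparison is constant-time, which is the cheap end of the side-channel protections the table lists. Short expiry windows and the narrowest permission set that does the job are what keep a leaked SAS from becoming a leaked storage key.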
Quick Concepts
• Always consider the two areas of compliance:
– Data in Transit
• Commonly delineated into two primary categories:
– data moving across public or “untrusted” networks such as the Internet
– data moving within the confines of private networks such as corporate Local Area Networks (LANs)
– Data at Rest
• Commonly located on desktops and laptops, in databases and on file servers. In addition, subsets of data can often be found in log files, application files, configuration files, and many other places.
Lessons Learned
Process for defining which Data Privacy Compliance is required
1. Assess your organizational structure to understand where your business is being
conducted.
2. Know what rules apply to your organization, particularly when you have international
locations.
3. Know what you need to encrypt. Any sensitive data types that need to be protected
for regulatory compliance or to comply with internal policies and standards can be
strong candidates for encryption. If you have a data classification policy, encrypt the
most sensitive or critical category or two.
4. Locate Data at Rest that is housed in systems across the enterprise
1. Databases
2. File Shares and large-scale storage
3. Email Systems
4. Backup Media
Lessons Learned (cont.)
Process for defining which Data Privacy Compliance is required
5. Locate Data in Transit across network channels both within and outside the organization
1. Assessing the data trajectory
2. Gaining visibility into the network traffic itself
6. Decide how to handle Sensitive Data
1. Eradication
2. Obfuscation / Anonymize
3. Encryption
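Steps 4 and 6 of the process above are where tooling helps: sensitive data at rest is routinely found in log files and configuration files, not just databases, and once found each class needs one of the three handlings. The following is an added example written for this page, not part of the original deck: it scans constructed application log lines for card numbers (Luhn-checked, so order ids and timestamps do not trigger it) and e-mail addresses, then applies a per-class policy of eradication or keyed pseudonymisation. The third option, encryption, is not shown because the standard library has no authenticated cipher; a real tool would call one at the same point in the policy. The log lines, key and policy are constructed for the demonstration.

```python
"""Locate sensitive data at rest in log lines and apply the chosen handling.

Added example for this page; the log lines and key are constructed.
"""
import hashlib
import hmac
import re

# Constructed application log lines: not real customers, cards or addresses.
SAMPLE_LOG = [
    "2012-06-01 12:00:01 INFO  checkout user=alice@example.com card=4111 1111 1111 1111 amount=19.99",
    "2012-06-01 12:00:02 INFO  order id=1234567890123456 status=paid",
    "2012-06-01 12:00:03 WARN  password reset requested for bob@example.org",
]

DEMO_KEY = b"constructed-demo-key-not-for-production"

# 13 to 16 digits, optionally separated by spaces or hyphens; Luhn-checked before
# anything is acted on so that timestamps and order numbers do not trigger it.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Step 6 of the process: one decision per data class.
POLICY = {"pan": "eradicate", "email": "anonymize"}


def luhn_ok(digits):
    """Luhn checksum: true for well-formed card numbers, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def pseudonymize(value, key):
    """Keyed, one-way token: stable for the same input (records can still be joined)
    but not reversible or guessable without the key, unlike a plain hash."""
    return "tok_" + hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()[:16]


def scrub_line(line, policy, key):
    """Apply the policy to one line; returns (cleaned line, classes found)."""
    findings = []

    def handle(kind, value):
        findings.append(kind)
        if policy[kind] == "eradicate":
            return "[REMOVED]"
        if policy[kind] == "anonymize":
            return pseudonymize(value, key)
        raise ValueError(f"unsupported handling for {kind}: {policy[kind]}")

    def pan_sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return handle("pan", digits) if luhn_ok(digits) else m.group(0)

    line = PAN_RE.sub(pan_sub, line)
    line = EMAIL_RE.sub(lambda m: handle("email", m.group(0)), line)
    return line, findings


def scrub_log(lines, policy=POLICY, key=DEMO_KEY):
    """Scrub a whole file's worth of lines; the findings list doubles as an inventory."""
    return [scrub_line(line, policy, key) for line in lines]


if __name__ == "__main__":
    for cleaned, found in scrub_log(SAMPLE_LOG):
        print(found, cleaned)
```

The findings returned per line are the inventory step 4 asks for; run the same scanner over configuration files and application files and the classes it reports tell you what is actually sitting at rest. Pseudonymisation is keyed on purpose: an unkeyed hash of an e-mail address can be reversed by hashing a list of candidate addresses, which defeats the point of anonymising it.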
Penetration Testing
• Microsoft conducts regular penetration testing to improve Windows Azure security controls and processes
• Customers can execute penetration testing in Windows Azure, but are required to obtain prior authorization from Microsoft by filling out the Penetration Testing Approval Form (http://bit.ly/WAPenTesting) and contacting Support.
Summary
• Windows Azure is very secure
– Top-level measures at all levels (physical, network, host, application, data)
• Windows Azure is compliant
– Several of the most important compliance standards
• ISO 27001
• SSAE 16/ISAE 3402 (SOC 1 Type 2)
• HIPAA BAA
• Before starting to leverage Windows Azure, understand
– Data in Transit
– Data at Rest
Resources
• Windows Azure Standard Response to Request for Information: Security and Privacy
(Cloud Security Alliance) – http://bit.ly/WASecurityPrivacy
• Windows Azure Penetration Testing Approval Form – http://bit.ly/WAPenTesting
• Windows Azure Security – http://bit.ly/WASecurity
Key point – Microsoft implements a defense-in-depth approach to protect the infrastructure under its control against security threats. To provide a secure platform for its customers and protect against the most prevalent security threats, Microsoft implements the following security controls in the stack under its control (note: this is NOT an exhaustive list).

At the data layer, access to data stored in Azure is controlled using strong storage access keys that are provisioned to the customer. All access to data can be (and should be) done over SSL to protect the confidentiality and the integrity of the data while in transit over the network.

At the application layer, Azure developers have the choice to run their front-end code under Azure Partial Trust, a “sandbox” that blocks access to native (non-.NET) components and helps ensure the integrity of the platform. All customer code is also run under a low-privilege user account, and customers are not given administrative privileges over the operating system.

At the host level, Azure virtual machines run a special version of Windows Server 2008 stripped of all unnecessary components to reduce the attack surface and patch management requirements. Virtual machine boundaries are enforced by the underlying hypervisor and do not depend on the security of the VM’s Windows operating system.

At the network level, all traffic to and from the virtual machines is filtered according to the policy defined by the customer, enforced by the firewall on the virtual machine as well as a firewall running on the host (root) system. Microsoft also deploys VLANs and packet filters to segregate network access between customers, management systems and the Internet, and uses special devices to protect its infrastructure against distributed denial of service (DDoS) attacks.

At the physical layer, Microsoft runs Azure in its own datacenters, which implement world-class security controls; their security controls and information security management systems have been certified under the international ISO/IEC 27001:2005 standard and the AICPA’s SAS 70 Type II standard.
Services are isolated from other services:
• Can only access resources declared in the service model
– Local node resources – temp storage
– Network end-points
• Isolation using multiple mechanisms
Much of the traditional infrastructure security moves to the platform and application layers:
• Network Access Control Lists and firewalls become host packet filters and virtual firewalls
• Multiple privileged accounts become pre-defined agent accounts controlled by the system
• Platform and network level encryption will still play a role, but the application developer becomes more responsible for defining how encryption is used end-to-end
• Automatic application of Windows security patches
• Rolling operating system image upgrades
Port Scanning / Service Enumeration
The only ports open and addressable (internally or externally) on a Windows Azure VM are those explicitly defined in the Service Definition file. Windows Firewall is enabled on each VM in addition to enhanced VM switch packet filtering, which blocks unauthorized traffic.

Denial of Service
Windows Azure’s load balancing will partially mitigate Denial of Service attacks from the Internet and internal networks. This mitigation is done in conjunction with the developer defining an appropriate Service Definition VM instance count scale-out. On the Internet, Windows Azure VMs are only accessible through public Virtual IP Addresses (VIPs). VIP traffic is routed through Windows Azure’s load-balancing infrastructure. Windows Azure monitors and detects internally initiated Denial of Service attacks and removes offending VMs/accounts from the network. As a further protection, the root host OS that controls guest VMs in the cloud is not directly addressable internally by other tenants on the Windows Azure network, and the root host OS is not externally addressable. Windows Azure is also reviewing additional Distributed Denial of Service (DDoS) solutions available from Microsoft Global Foundation Services to help further protect against Denial of Service attacks.

Spoofing
VLANs are used to partition the internal network and segment it in a way that prevents compromised nodes from impersonating trusted systems such as the Fabric Controller. At the Hypervisor VM Switch, additional filters are in place to block broadcast and multicast traffic, with the exception of what is needed to maintain DHCP leases. Furthermore, the channel used by the Root OS to communicate with the Fabric Controller is encrypted and mutually authenticated over an HTTPS connection, and it provides a secure transfer path for configuration and certificate information that cannot be intercepted.

Eavesdropping / Packet Sniffing
The Hypervisor’s Virtual Switch prevents sniffer-based attacks against other VMs on the same physical host. Top-of-rack switches will be used to restrict which IP and MAC addresses can be used by the VMs and therefore mitigate spoofing attacks on internal networks. To sniff the wire inside the Windows Azure cloud environment, an attacker would first need to compromise a VM tenant in a way that elevated the attacker to an administrator on the VM, then use a vulnerability in the hypervisor to break into the physical machine root OS and obtain system account privileges. At that point the attacker would only be able to see traffic inbound to the compromised host destined for the dynamic IP addresses of the VM guests controlled by the hypervisor.

Multi-tenant hosting and side-channel attacks
Information disclosure attacks (such as sniffing) are less severe than other forms of attack inside the Windows Azure datacenter because virtual machines are inherently untrusted by the Root OS Hypervisor. Microsoft has done a great deal of analysis to determine susceptibility to side-channel attacks. Timing attacks are the most difficult to mitigate. With timing attacks, an application carefully measures how long it takes some operations to complete and infers what is happening on another processor. By detecting cache misses, an attacker can figure out which cache lines are being accessed in code. With certain crypto implementations involving lookups from large tables, knowing the pattern of memory accesses, even at the granularity of cache lines, can reveal the key being used for encryption. While seemingly far-fetched, such attacks have been demonstrated under controlled conditions.

There are a number of reasons why side-channel attacks are unlikely to succeed in Windows Azure:
• An attack works best in the context of hyper-threading, where the two threads share all of their caches. Many current CPUs implement fully independent cores, each with a substantial private cache. The CPU chips that Windows Azure runs on today have four cores per chip and share caches only in the third tier.
• Windows Azure runs on nodes containing pairs of quad-core CPUs, so there are three other CPUs sharing the cache, and seven CPUs sharing the memory bus. This level of sharing leads to a great deal of noise in any signal from one CPU to another, because the actions of multiple CPUs tend to obfuscate the signal.
• Windows Azure generally dedicates CPUs to particular VMs. Any system that takes advantage of the fact that few servers keep their CPUs busy all the time, and implements more logical CPUs than physical CPUs, might open the possibility of context switches exposing cache access patterns. Windows Azure operates differently. VMs can migrate from one CPU to another, but are unlikely to do so frequently enough to offer an attacker any information.
Timing: 2 minutes
Key Points: Microsoft’s Global Foundation Services provides the key compliance capabilities you need.
Talk Track: Often our customers just want a very simple checklist of what compliance capabilities Microsoft’s online cloud infrastructure has. To that end:
• ISO 27001 certified (first certified in 2008)
• SAS 70 Type 2 attestations in place (Microsoft is moving to the new SSAE 16/ISAE 3402 SOC 1, 2 and 3 as the industry retires the SAS 70)
• HIPAA and HITECH obligations met
• Various state and global privacy obligations met by the overall program
• PCI Data Security Standard certified
• U.S. FISMA Authority to Operate held since 2010
Windows Azure Core Services:
• Cloud Services (includes Web, Worker, and VM roles)
• Storage (includes Blobs, Queues, and Tables)
• Networking (includes Traffic Manager, Connect, and Virtual Network)
• Virtual Machines
Included in the above are our service management features and the management portal, as well as the information management systems used to monitor, operate, and update these services.

EU-US Safe Harbor Framework
• Microsoft (including, for this purpose, all of our U.S. subsidiaries) is Safe Harbor certified with the U.S. Department of Commerce.
• This allows for legal transfer of data to Microsoft for processing from within the European Union and countries with aligned data protection laws. Microsoft acts as the data processor and, to the extent of the Service’s capabilities, decisions regarding data usage are made by the data controller.

ISO 27001
• Received ISO/IEC 27001:2005 certificate from BSI on 11/29/2011 for Windows Azure Core Services
• Broad international information security standard. Acts as security baseline.
• Ability to clearly demonstrate that we have achieved a baseline certification.
• Gets our compliance team building a rigorous security compliance framework that can then be expanded upon; documentation and process heavy, with some technical gaps to close.
• The ISO/IEC 27001:2005 certificate validates that Microsoft has implemented the internationally recognized information security controls defined in this standard.

SSAE 16
• Successor to SAS 70 attestations.
• An accounting standard that is relied upon as the authoritative guidance for reporting on service organizations.
• It illustrates Microsoft’s willingness to open up internal security programs to outside scrutiny.
• The end result is an auditor’s report on the effectiveness and suitability of selected controls to achieve desired control objectives during the period under review.
• The detailed SSAE 16 report can then be shared with customers under NDA.
• We expect to have the audit report (SOC 1 Type 2) available for Windows Azure core services by 7-June-2012.

EU Data Protection Directive
• Law that sets a baseline for handling personal data in the EU
• US standards meet EU requirements through US Safe Harbor
• Microsoft self-attests compliance under the US Safe Harbor framework, which lets us transfer EU PII outside the EU, and even allows the “onward transfer” from the US to another country
• However, EU regulators and customers increasingly consider the Safe Harbor to be inadequate and are asking for EU Model Contractual Clauses. We currently offer to sign EU MC for WA core services.

Location of Data
• Clarifies that we don’t transfer EU data outside of EU data centers except in extraordinary circumstances
• Customers may specify the geographic region(s) of the Microsoft datacenters in which Customer Data will be stored. For data redundancy or other purposes, Microsoft may move Customer Data within a major geographic region (for example, between West Europe and North Europe), but Microsoft will not move Customer Data outside the major geographic region(s) the customer specifies (for example, from Europe to US or from US to Asia) except where the customer configures the account to enable this (for example, through use of the Content Delivery Network feature).
• Microsoft may, however, access Customer Data from outside such region(s) where necessary for Microsoft to provide customer support, to troubleshoot the service, or to comply with legal requirements. Such transfers will be done pursuant to the EU-US Safe Harbor Framework.
• Microsoft does not control or limit the regions from which customers or their end users may access Customer Data.

Health Insurance Portability and Accountability Act (HIPAA)
• Specifies privacy, security, and disaster recovery guidelines for electronic storage of health records.
• No platform can be HIPAA compliant; what is needed, though, is a Business Associate Agreement (BAA) that enables third parties to build HIPAA compliant applications on Windows Azure. We need to sign a BAA with the Covered Entity if Protected Health Information (PHI) they are responsible for is to be stored, processed or otherwise accessed by Azure.
• Substantial overlap with ISO controls, i.e., the HIPAA program will benefit substantially from ISO work
• Completed mapping of ISO 27001 controls to HIPAA controls, list of subcontractors done, expected to offer BAA in Q2 CY2012

FISMA
• The Federal Information Security Management Act of 2002 (FISMA) is a U.S. federal law that defines a comprehensive framework to protect government information, operations, and assets against natural and man-made threats
• Required by law for U.S. federal agencies, and looked on favorably by other government agencies
• The law gives the National Institute of Standards and Technology (NIST) authority to establish standards that are not product and technology specific
• Very strong security standard
• We are committed to obtaining FISMA Moderate Authorization to Operate (ATO)
• Sponsoring agency: General Services Administration (GSA)
• Build on top of ISO/SSAE work, and remediate controls where needed to the much stricter FISMA standards
• Engineering gap analysis completed
• Projected completion Q4 CY2012