Security can be applied at various levels. We’ll see the adventure of two friends building a web solution, but one of them is trying to sabotage from the inside. We’ll see if the loyal friend will succeed in protecting all the work, and how the solution should evolve to be more secure!

1. #azuresatpn
How do you protect a hybrid Paas-iaas
solution, built entirely in the cloud?
lorenzo.barbieri@microsoft.com
@_geniodelmale

2. EVERYTHING STARTS WITH A “GOOD”
ARCHITECTURE
Web UI
Users
Photos URLs
RAW Photos
Thumbnails
Watermarking
Photo resize
RG for
- Dev-Test
- Production

3. 1ST STRIKE
The case of
disappearing
resourcesAttack
one!
Destro
y ‘em
all!
Web UI
Users
Photos URLs
RAW Photos
Thumbnails
Watermarking
Photo resize
RG for
- Dev-Test
- Production

4. MITIGATION
Infrastructure as Code:
• Script & Backup
everything
• ARM & Azure Policy
PaaS safeguards:
o Azure Web App
Undelete
o SQL Point in time
Web UI
Users
Photos URLs
RAW Photos
Thumbnails
Watermarking
Photo resize
RG for
- Dev-Test
- Production

5. REMEDIATION
Subscription role
protection
o RBAC
Azure AD could be
protected with MFA
Web UI
Users
Photos URLs
RAW Photos
Thumbnails
Watermarking
Photo resize
RG for
- Dev-Test
- Production

6. 2ND STRIKE
The case of
unexpected
load
Web UI
Users
Photos URLs
RAW Photos
Thumbnails
Watermarking
Photo resize
Attack
two…o…o…
oooo!
$$$
$RG for
- Dev-Test
- Production

7. MITIGATION
o Alert rules and
monitoring
o web.config based IP
restriction
o Functions in App
Service Plan
o App Service
Diagnostics
Web UI
Users
Photos URLs
RAW Photos
Thumbnails
Watermarking
Photo resize
+web.config
RG for
- Dev-Test
- Production

8. REMEDIATION
o Web App
Firewall/Azure
Firewall/Application
Gateway/3rd party
o API Management
o Azure DDOS
Protections for
VNET
Web UI
Users
Photos URLs
RAW Photos
Thumbnails
Watermarking
Photo resize
+web.config
RG for
- Dev-Test
- Production

9. APP SERVICE DIAGNOSTICS
• An interactive and intelligent experience for
self-troubleshooting your app issues
• What does that actually mean?
• 🔒Diagnose and troubleshoot your app issues
and learn about best practices
• 🎨Use Genie to guide you through each
problem category tile
• 📈 Intelligent search capabilities
• 🌏Straight out-of-the box, no extra
configuration necessary

10. 3RD STRIKE
The case of
data and
storage loss
Web UI
Users
Photos URLs
RAW Photos
Thumbnails
Watermarking
Attack
three!
I know
your
secrets!
Photo resize
+web.config
RG for
- Dev-Test
- Production

11. MITIGATION
o Key rotation
o Least user
privilege (DB)
o Alert
Web UI
Users
Photos URLs
RAW Photos
Thumbnails
Watermarking
Photo resize
+web.config
RG for
- Dev-Test
- Production

12. REMEDIATION
o SQL DB Firewall
o VNET Storage
Web UI
Users
Photos URLs
+SQL DB Firewall
RAW Photos
Thumbnails
Watermarking
Photo resize
+web.config
o Handle Disconnect
RG for
- Dev-Test
- Production

13. 4TH STRIKE
The case of
being Gitted
Web UI
Users
Photos URLs
+SQL DB Firewall
RAW Photos
Thumbnails
Watermarking
Fourth
Attack!
Keys
from the
octocat!
Photo resize
+web.config
RG for
- Dev-Test
- Production

14. REMEDIATION
o Move all the keys to
a secure path
o Use Team Build to set
them before
deployment
o Azure Key Vault
o Managed Service
Identity
Web UI
Users
Photos URLs
+SQL DB Firewall
RAW Photos
Thumbnails
Watermarking
Photo resize
+web.config
?
RG for
- Dev-Test
- Production

15. >_
SSH
5TH STRIKE
The case of
remote
connections
Web UI
Users
Photos URLs
+SQL DB Firewall
RAW Photos
Thumbnails
Watermarking
Remote
Attack!
Photo resize
+web.config
>_
SSH
RG for
- Dev-Test
- Production

16. MITIGATION
o Patching and
security policies
o Azure Security
Center
Not only for VMs, could check
networks, App Services, Blob Storage,
SQL, etc…
Web UI
Users
Photos URLs
+SQL DB Firewall
RAW Photos
Thumbnails
Watermarking
Photo resize
+web.config
>_
SSH
RG for
- Dev-Test
- Production

17. REMEDIATION
o Network Security
Groups
Web UI
Users
Photos URLs
+SQL DB Firewall
RAW Photos
Thumbnails
Watermarking
Photo resize
+web.config
>_
SSH
RG for
- Dev-Test
- Production

18. A BETTER ARCHITECTURE
Web UI
Users
Photos URLs
+SQL DB Firewall
RAW Photos
Thumbnails
Watermarking
Photo resize
+web.config
RG for
- Dev-Test
- Production

19. RECAP – THE 7 GOLDEN RULES
• Script everything
• Backup everything
• Least user privilege
• Trust no one
• Monitor everything
• Assume cloud failure
• Protect your secrets

20. TAKE A LOOK AT AZURE SECURITY
CENTER

21. Export to Excel
and Power BI
SECURITY CENTER ARCHITECTURE
IP Geotagging, …
Netflow, SQL DB
and Storage Logs, …
Windows Events, Syslog,
CEF, Configurations
Threat Detections, Prescriptive
Recommendations
Security Dashboards
Deliver Rapid Insights into
Security State Across All
Workloads
Actionable Security
Recommendations
Investigation Tools
and Log Search
Curated, Prioritized
Security Alerts
Security Dashboards Deliver
Rapid Insights into Security
State Across All Workloads
REST APIs NotificationsAutomation

22. AZURE SECURITY CENTER FEATURES
 Server EDR with WDATP
 Linux threat detection
 Organization wide security policies &
management groups
 Programmatic automation:
 Powershell cmdlets
 REST APIs
 JIT VM Access
 Dynamic rule priorities
 Adaptive application controls (Windows)
 Alerts
 Support for “groups for review”
 File integrity monitoring
 Process investigator- detection of fileless attacks
 Azure App services threat detection
 Azure Gov
 Alerts map
GA
 Limited public preview:
 Adaptive network hardening
 PCI/CIS/ISO/SOC compliance reports
 Public preview:
 Network map
 Secure score IAAS/PAAS
 Docker containers on Linux servers
 UEBA for Azure resources and identities with
MCAS
 Threat detection for Azure blob storage
 Threat detection for Azure PostGresSQL
 Threat detection for Azure MySQL
Preview

23. RESOURCES
• “Parts Unlimited” sample site with telemetry and fault injection:
– https://microsoft.github.io/PartsUnlimited/
• The “bible of Chaos Engineering”: http://principlesofchaos.org/
• Only for the “Brave”, Netflix Chaos Monkey integrated with Spinnaker:
https://github.com/Netflix/chaosmonkey
• Cloud Bedlam: https://github.com/GitTorre/CloudBedlamLinux/tree/dotnet-core

24. Security
BRK2395 Wed 9AM
Azure Security
fundamentals: Protecting
infrastructure, apps, and
data in the cloud
BRK2038 Wed 2:15PM
Simplify protection of
cloud resources with
Azure Security Center
BRK2368 Tues 9AM
Practical guide for using
Azure Security Center to
protect hybrid cloud
environment
(workshop: WRK2010
Tues 10:45AM)
BRK3059 Thurs 3:15PM
Manage keys, secrets, and
certificates for secure
apps and data with Azure
Key Vault
Monitoring
BRK2270 Tues 4PM
Full stack monitoring
across application,
infrastructure and
network with Azure
Monitor
(workshop: WRK2012 Wed
9AM)
BRK3354 Thurs 10:15AM
Monitor your
infrastructure and
analyze operational logs
at scale with Azure
Monitory
BRK3349 Tues 11:30AM
Everything about Azure
Monitor telemetry and
building integration with
ITSM and SIEM tools
Resiliency
BRK3060 Mon 4PM
Backup your data with
Azure Backup
(workshop: WRK2011 Wed
12:30PM)
BRK3078 Wed 11:30AM
Ensure application
availability with cloud-
based disaster recovery,
Azure Site Recovery
BRK3064 Thurs 2:15PM
Implement Cloud Backup
and Disaster Recovery at
Scale in Azure
Automate
BRK3063 Fri 12:30PM
Azure Update,
Inventory, and
Automation for Linux
and Windows VM
management
BRK3069 Wed 4PM
What's new in
PowerShell
Governance
BRK3062 Tues 2:15PM
Architecting Security and
Governance Across your
Azure Subscriptions
BRK3085 Thurs 4PM
Deep dive into
Implementing
governance at scale
through Azure Policy
BRK2476 Thurs 9AM
Make the most of Azure
by optimizing your cloud
spend through Azure
Cost Management and
Reserved Instances
NEW
Security & management
hands on labs (to be updated
CY18 Q4)
Learn more about
Azure Governance
Learn more about
Azure Security
Learn more about
Azure Monitor
Learn more about
Azure resiliency
Learn more
about Azure
Automation
Hands on
experience
AZURE SECURITY & MANAGEMENT@IGNITE

25. #azuresatpn
Thank you very much!
Feedbacks are important!
Tweet: @_geniodelmale #azuresatpn
or send me an email 
lorenzo.barbieri@microsoft.com
@_geniodelmale