How do you protect a hybrid PaaS-IaaS solution, built entirely in the cloud?
Slides by Lorenzo Barbieri (lorenzo.barbieri@microsoft.com)
EVERYTHING STARTS WITH A “GOOD” ARCHITECTURE
[Diagram: sample photo application with the components Web UI, Users, Photos URLs, RAW Photos, Thumbnails, Watermarking and Photo resize; one resource group (RG) for Dev-Test and one for Production]
1ST STRIKE: THE CASE OF DISAPPEARING RESOURCES
Attack one! Destroy ‘em all!
[Diagram: the same architecture (Web UI, Users, Photos URLs, RAW Photos, Thumbnails, Watermarking, Photo resize; Dev-Test and Production RGs) under the first attack]
MITIGATION
Infrastructure as Code:
• Script & Backup everything
• ARM & Azure Policy
PaaS safeguards:
o Azure Web App Undelete
o SQL Point in time restore
o Blob Storage restore
Azure DevOps or GitHub
[Diagram: the same architecture]
REMEDIATION
o Subscription role protection: RBAC
o Azure AD accounts could be protected with MFA
o Delete Locks
[Diagram: the same architecture]
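"Script everything" and "Delete Locks" meet in the pipeline: if the template that creates the Production resource group does not also create a CanNotDelete lock, the deployment should not go out. The Python below is an added example, not code from the deck, that gates an ARM template on that rule. The template is constructed inline for illustration (resource names such as `examplerawphotos` and `example-web-ui` are placeholders); the lock resource type `Microsoft.Authorization/locks`, its `level` values and the `scope` property are the real ARM schema.

```python
import json

# Constructed sample ARM template at resource-group scope: a storage account,
# a web app, and a CanNotDelete lock that covers only the storage account.
SAMPLE_TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2021-04-01",
      "name": "examplerawphotos",
      "location": "westeurope",
      "sku": { "name": "Standard_LRS" },
      "kind": "StorageV2"
    },
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2021-02-01",
      "name": "example-web-ui",
      "location": "westeurope"
    },
    {
      "type": "Microsoft.Authorization/locks",
      "apiVersion": "2016-09-01",
      "name": "do-not-delete-rawphotos",
      "scope": "Microsoft.Storage/storageAccounts/examplerawphotos",
      "dependsOn": ["examplerawphotos"],
      "properties": { "level": "CanNotDelete",
                      "notes": "Production data: remove the lock explicitly before deleting." }
    }
  ]
}
""")

LOCK_TYPE = "Microsoft.Authorization/locks"
DELETE_BLOCKING_LEVELS = {"CanNotDelete", "ReadOnly"}   # both levels block deletion
RG_SCOPE = "<resourceGroup>"                            # sentinel for a lock without "scope"

# Resource types that must never be deletable in Production (this example's choice).
PROTECTED_TYPES = {"Microsoft.Storage/storageAccounts", "Microsoft.Web/sites", "Microsoft.Sql/servers"}


def locked_scopes(template):
    """Scopes ("type/name") covered by a delete-blocking lock. A lock with no "scope"
    is a resource-group-level lock and is recorded as RG_SCOPE. Template expressions
    such as [resourceId(...)] are not evaluated; this lint only understands literals."""
    scopes = set()
    for res in template.get("resources", []):
        if res.get("type") != LOCK_TYPE:
            continue
        if res.get("properties", {}).get("level") in DELETE_BLOCKING_LEVELS:
            scopes.add(res.get("scope", RG_SCOPE))
    return scopes


def unlocked_resources(template, protected_types=PROTECTED_TYPES):
    """Protected resources in the template that no lock covers."""
    scopes = locked_scopes(template)
    if RG_SCOPE in scopes:
        return []   # a lock on the whole resource group covers every resource in it
    return [f"{r['type']}/{r['name']}" for r in template.get("resources", [])
            if r.get("type") in protected_types and f"{r['type']}/{r['name']}" not in scopes]


def check_template(template, environment):
    """Pipeline gate: Production templates must lock every protected resource.
    Dev-Test is exempt so it can be torn down and recreated freely. Returns (ok, findings)."""
    if environment != "Production":
        return True, []
    missing = unlocked_resources(template)
    return (not missing), missing


def add_resource_group_lock(template, name="rg-cannot-delete"):
    """Return a copy of the template with a resource-group-level CanNotDelete lock appended,
    the simplest way to make a Production template pass the gate."""
    fixed = json.loads(json.dumps(template))
    fixed.setdefault("resources", []).append({
        "type": LOCK_TYPE, "apiVersion": "2016-09-01", "name": name,
        "properties": {"level": "CanNotDelete", "notes": "Added by the deployment gate."}})
    return fixed


if __name__ == "__main__":
    ok, findings = check_template(SAMPLE_TEMPLATE, "Production")
    print("deploy allowed" if ok else "blocked, unlocked resources: " + ", ".join(findings))
    print(check_template(add_resource_group_lock(SAMPLE_TEMPLATE), "Production"))
```

Run against the sample, the gate blocks the deployment because `example-web-ui` has no lock; a resource-group-level lock (or a second scoped lock) makes it pass. In a real pipeline the same check would run on the rendered template before `az deployment group create`, and the lock removal itself should be a separate, audited step rather than part of the everyday deployment.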
2ND STRIKE: THE CASE OF UNEXPECTED LOAD
Attack two…o…o…oooo! $$$
[Diagram: the same architecture under the load, with the bill ($$$) growing]
MITIGATION
o Alert rules and monitoring
o IP restrictions (e.g., web.config) OR Private Endpoint
o Functions in App Service Plan
o GB*s daily quota
o App Service Diagnostics
[Diagram: the same architecture with IP restrictions added (+web.config)]
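Two of the bullets above, "Alert rules and monitoring" and "IP restrictions (web.config)", fit together: the alert rule finds the client that is generating the unexpected load, and the restriction is what you deploy in response. The following Python is an added example, not code from the deck: a sliding-window alert rule run over constructed sample access-log lines, plus a generator for the IIS `<ipSecurity>` fragment that App Service on Windows reads from web.config. The log line format is simplified for the example (App Service's own HTTP logs are W3C extended format); the client addresses are documentation ranges.

```python
import ipaddress
from datetime import datetime, timedelta
from xml.etree import ElementTree as ET


def build_sample_log():
    """Constructed sample access log: one client hammering the resize endpoint
    (3 requests per second for 50 seconds) and two clients browsing normally.
    Line format: '<ISO timestamp>Z <client IP> <method> <path> <status>'."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=i // 3)).isoformat()}Z 203.0.113.7 POST /resize 200"
             for i in range(150)]
    for i in range(5):
        stamp = (base + timedelta(seconds=i * 10)).isoformat()
        lines.append(f"{stamp}Z 198.51.100.2 GET /photos/{i} 200")
        lines.append(f"{stamp}Z 192.0.2.9 GET /thumbnails/{i} 200")
    return sorted(lines)


def parse_line(line):
    ts, ip, method, path, status = line.split()
    return datetime.fromisoformat(ts.rstrip("Z")), ip, method, path, int(status)


def find_flooding_clients(lines, window=timedelta(seconds=60), threshold=100):
    """Alert rule: flag every client IP that issued more than `threshold` requests
    inside any `window`. Returns {ip: peak requests seen in one window}."""
    stamps_by_ip = {}
    for ts, ip, *_ in map(parse_line, lines):
        stamps_by_ip.setdefault(ip, []).append(ts)
    alerts = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):            # two-pointer sliding window
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts[ip] = peak
    return alerts


def ip_security_fragment(deny=(), allow=(), allow_unlisted=True):
    """Render the <ipSecurity> element for web.config (system.webServer/security).
    allow_unlisted=True: only the `deny` entries are blocked (a blocklist).
    allow_unlisted=False: everything is blocked except the `allow` entries (an allowlist).
    Entries may be single addresses or CIDR networks; IPv4 networks get a subnetMask."""
    root = ET.Element("configuration")
    security = ET.SubElement(ET.SubElement(root, "system.webServer"), "security")
    ip_sec = ET.SubElement(security, "ipSecurity", allowUnlisted=str(allow_unlisted).lower())
    for entries, allowed in ((deny, "false"), (allow, "true")):
        for entry in sorted(entries):
            net = ipaddress.ip_network(entry, strict=False)
            attrs = {"ipAddress": str(net.network_address), "allowed": allowed}
            if net.version == 4 and net.prefixlen < 32:
                attrs["subnetMask"] = str(net.netmask)
            ET.SubElement(ip_sec, "add", **attrs)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    offenders = find_flooding_clients(build_sample_log())
    print("alert:", offenders)
    print(ip_security_fragment(deny=offenders))
```

The blocklist form is the quick reaction; the allowlist form (`allow_unlisted=False` with the addresses of your Application Gateway or front door) is what the later REMEDIATION slide points at, since it stops the next unexpected client as well as this one. Either way the fragment is only as good as its deployment: commit it with the app, or apply the equivalent App Service access restriction from the pipeline, so the rule survives the next release.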
REMEDIATION
o Web Application Firewall / Azure Firewall / Application Gateway / 3rd party
o API Management
o Azure DDoS Protection for VNET
[Diagram: the same architecture (+web.config)]
3RD STRIKE: THE CASE OF DATA AND STORAGE LOSS
Attack three! I know your secrets!
[Diagram: the same architecture (+web.config), attacked with the application's own secrets]
MITIGATION
o Key rotation
o Least user privilege (DB)
o Alert
[Diagram: the same architecture (+web.config)]
REMEDIATION
o SQL DB Firewall
o VNET Storage
o Private Endpoint
o Managed Service Identity
o Handle Disconnect
[Diagram: the same architecture with the SQL DB Firewall added (+SQL DB Firewall) and web.config IP restrictions (+web.config)]
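"Key rotation" from the MITIGATION slide and "Handle Disconnect" from this one are the same problem seen from the application side: a rotated credential looks exactly like a dropped connection unless the code refreshes its secret and reconnects instead of crashing. The Python below is an added example, not code from the deck, of that connect-with-retry logic. The vault and database are stand-ins constructed for the example so it runs offline (a real app would read the secret from Azure Key Vault and open a SQL connection); `photos_app` and the `pw-v*` values are placeholders.

```python
import random
import time


class TransientError(Exception):
    """A failure worth retrying: network blip, failover, throttling."""


class AuthError(Exception):
    """The presented credential was rejected."""


class FakeVault:
    """Stand-in for a secret store (constructed). Keeps versions; the latest one is current."""
    def __init__(self, secret):
        self.versions = [secret]

    def get_secret(self):
        return self.versions[-1]

    def rotate(self, new_secret):
        self.versions.append(new_secret)


class FakeDatabase:
    """Stand-in for a SQL server (constructed): accepts one password and drops the
    first `flaky_attempts` connection attempts to simulate a failover."""
    def __init__(self, accepted_password, flaky_attempts=0):
        self.accepted = accepted_password
        self.flaky_attempts = flaky_attempts
        self.attempts = 0

    def connect(self, user, password):
        self.attempts += 1
        if self.attempts <= self.flaky_attempts:
            raise TransientError("connection reset during failover")
        if password != self.accepted:
            raise AuthError(f"login failed for user {user!r}")
        return f"session({user})"


class SecretCache:
    """Caches the vault secret so each connection does not cost a vault round trip;
    the connect logic invalidates it when a login is rejected."""
    def __init__(self, vault):
        self.vault = vault
        self.value = None

    def get(self):
        if self.value is None:
            self.value = self.vault.get_secret()
        return self.value

    def invalidate(self):
        self.value = None


def rotate_credential(vault, db, new_secret):
    """Rotation as an operator would do it: set the new password on the database,
    then publish it as a new secret version. Running apps are not restarted."""
    db.accepted = new_secret
    vault.rotate(new_secret)


def connect_with_retry(db, cache, user, max_attempts=5, base_delay=0.05, sleep=time.sleep):
    """Open a connection, surviving both transient faults and a credential rotation.
    Transient errors: exponential backoff with jitter, up to max_attempts.
    Auth errors: drop the cached secret and retry once with a fresh one; a second
    rejection means the secret really is wrong and is raised to the caller."""
    delay = base_delay
    refreshed = False
    for attempt in range(1, max_attempts + 1):
        try:
            return db.connect(user, cache.get())
        except TransientError:
            if attempt == max_attempts:
                raise
            sleep(delay + random.uniform(0, delay))   # jitter avoids reconnect stampedes
            delay *= 2
        except AuthError:
            if refreshed:
                raise
            cache.invalidate()
            refreshed = True
    raise TransientError("connection attempts exhausted")


if __name__ == "__main__":
    vault = FakeVault("pw-v1")
    db = FakeDatabase("pw-v1", flaky_attempts=2)
    cache = SecretCache(vault)
    print(connect_with_retry(db, cache, "photos_app"), "after", db.attempts, "attempts")
    rotate_credential(vault, db, "pw-v2")
    print(connect_with_retry(db, cache, "photos_app"), "after", db.attempts, "attempts")
```

The `photos_app` user in a real deployment is the "Least user privilege (DB)" bullet: a login that can read and write the photo tables and nothing else, so a leaked or stolen password buys the attacker no more than that. With Managed Service Identity the password disappears entirely and the `AuthError` branch becomes a token refresh, but the retry structure stays the same.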
4TH STRIKE: THE CASE OF BEING GITTED
Fourth Attack! Keys from the octocat!
[Diagram: the same architecture (+SQL DB Firewall, +web.config), attacked with keys taken from GitHub]
REMEDIATION
o Move all the keys to a secure path
o Use Azure Pipelines or GitHub Actions to set them before deployment
o Azure KeyVault
o Managed Service Identity
[Diagram: the same architecture (+SQL DB Firewall, +web.config)]
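Moving the keys out of the repository is only half of the remediation; the other half is making sure they do not come back in the next commit. The Python below is an added example, not code from the deck: a small pre-commit scanner for the credential shapes an Azure app most often leaks (storage `AccountKey=`, Service Bus `SharedAccessKey=`, SQL `Password=`), which deliberately skips values that are injected at deploy time, i.e. Key Vault references (`@Microsoft.KeyVault(...)`), Azure Pipelines variables (`$(NAME)`) and GitHub Actions secrets (`${{ secrets.NAME }}`). The regular expressions are this example's own, and the `appsettings.json` sample is constructed with obviously fake values.

```python
import re
import sys
from pathlib import Path

# Credential shapes to flag. Narrow on purpose: a noisy pre-commit hook gets disabled.
PATTERNS = {
    "storage-account-key": re.compile(r"AccountKey=([A-Za-z0-9+/]{40,}={0,2})"),
    "service-bus-key":     re.compile(r"SharedAccessKey=([A-Za-z0-9+/]{20,}={0,2})"),
    "sql-password":        re.compile(r"(?i)(?:Password|Pwd)=([^;\"'\s]{8,})"),
}

# Values resolved at deploy time: Key Vault reference, Azure Pipelines variable,
# GitHub Actions secret. Lines containing these carry no literal secret.
SAFE_PLACEHOLDER = re.compile(r"@Microsoft\.KeyVault\(|\$\([A-Z0-9_]+\)|\$\{\{\s*secrets\.")

# Constructed sample config: two literal secrets, two deploy-time placeholders.
SAMPLE_APPSETTINGS = """\
{
  "ConnectionStrings": {
    "Photos": "Server=tcp:example-sql.database.windows.net,1433;Database=photos;User ID=photos_app;Password=Summer2024!x;Encrypt=True",
    "Users": "Server=tcp:example-sql.database.windows.net,1433;Database=users;User ID=users_app;Password=$(USERS_DB_PASSWORD);Encrypt=True"
  },
  "RawPhotosStorage": "DefaultEndpointsProtocol=https;AccountName=examplerawphotos;AccountKey=EXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEY==;EndpointSuffix=core.windows.net",
  "ThumbnailsStorage": "@Microsoft.KeyVault(SecretUri=https://example-kv.vault.azure.net/secrets/thumbnails-storage/)"
}
"""


def redact(secret):
    """Show just enough of a finding to recognise it without re-leaking it in CI logs."""
    return secret[:4] + "…" + secret[-2:] if len(secret) > 8 else "***"


def scan_text(text, filename="<text>"):
    """Return (filename, line number, kind, redacted value) for every literal secret found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if SAFE_PLACEHOLDER.search(line):
            continue
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append((filename, lineno, kind, redact(match.group(1))))
    return findings


def scan_files(paths):
    """Scan text files, skipping anything under .git and anything that is not UTF-8 text."""
    findings = []
    for path in map(Path, paths):
        if not path.is_file() or ".git" in path.parts:
            continue
        try:
            findings.extend(scan_text(path.read_text(encoding="utf-8"), str(path)))
        except UnicodeDecodeError:
            continue   # binary file
    return findings


if __name__ == "__main__":
    # With paths on the command line (e.g. from a pre-commit hook) scan those files;
    # without arguments, demonstrate on the constructed sample.
    found = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE_APPSETTINGS, "appsettings.json")
    for filename, lineno, kind, value in found:
        print(f"{filename}:{lineno}: {kind}: {value}")
    sys.exit(1 if found else 0)
```

On the sample the scanner reports the SQL password on line 3 and the storage key on line 6 and exits non-zero; the `$(USERS_DB_PASSWORD)` and Key Vault reference lines pass. The same placeholders are what the "set them before deployment" bullet means in practice: the pipeline owns the real value and writes it into the App Service settings (or the app resolves it from Key Vault at runtime), so the repository never holds one.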
5TH STRIKE: THE CASE OF REMOTE CONNECTIONS
Remote Attack!
[Diagram: the same architecture (+SQL DB Firewall, +web.config) with an SSH endpoint (>_ SSH) exposed and under attack]
MITIGATION
o Patching and security policies
o Azure Security Center: not only for VMs, it can also check networks, App Services, Blob Storage, SQL, etc.
[Diagram: the same architecture (+SQL DB Firewall, +web.config, >_ SSH)]
REMEDIATION
o Network Security Groups
o VNET
o Private Endpoint
[Diagram: the same architecture (+SQL DB Firewall, +web.config, >_ SSH)]
A BETTER ARCHITECTURE
[Diagram: the final architecture (Web UI, Users, Photos URLs, RAW Photos, Thumbnails, Watermarking, Photo resize) with SQL DB Firewall and web.config IP restrictions in place; Dev-Test and Production RGs]
RECAP – THE 7 GOLDEN RULES
• Script everything
• Backup everything
• Least user privilege
• Trust no one
• Monitor everything
• Assume cloud failure
• Protect your secrets
WHAT IS MICROSOFT DOING TO SECURE AZURE?
PHYSICAL DATACENTER SECURITY
[Diagram: layered physical security controls, grouped into Access approval, Perimeter, Building and Server environment]
Controls shown: Two-factor authentication with biometrics; Employee & contractor vetting; Background check; System check; Metal detectors; Video coverage (including rack front & back); Inability to identify location of specific customer data; Secure destruction bins; Ongoing roaming patrols; Front entrance gate; 1 defined access point; Perimeter fencing; No building signage; 24x7x365 security operations; Verified single person entry
PROTECT DATA AND COMMUNICATIONS (virtual machines, applications, storage & databases)
Enable built-in encryption across resources:
• Azure Storage Service Encryption
• Azure Disk Encryption
• SQL TDE/Always Encrypted
Encrypt data while in use:
• Azure confidential computing
Use delegated access to storage objects:
• Shared Access Signature enables more granular access control
Use a key management system:
• Keep keys in a hardware HSM; don’t store keys in apps/GitHub
• Use one KeyVault per security boundary/per app/per region
• Monitor/audit key usage: pipe the information into a SIEM for analysis/threat detection
• Use KeyVault to enroll and automatically renew certificates
TAKE A LOOK AT AZURE SECURITY CENTER
APP SERVICE DIAGNOSTICS
• An interactive and intelligent experience for self-troubleshooting your app issues
• What does that actually mean?
• 🔒 Diagnose and troubleshoot your app issues and learn about best practices
• 🎨 Use Genie to guide you through each problem category tile
• 📈 Intelligent search capabilities
• 🌏 Straight out of the box, no extra configuration necessary
Thank you!
Feedback is important… Send me an email ☺ lorenzo.barbieri@microsoft.com
Connect with me on LinkedIn: LinkedIn.com/in/geniodelmale
publicspeaking.dev
