1. How do you protect a hybrid PaaS-IaaS solution, built entirely in the cloud
2. EVERYTHING STARTS WITH A “GOOD” ARCHITECTURE
[Architecture diagram: a resource group (RG) each for Dev-Test and Production, containing Web UI, Users, Photos URLs, RAW Photos, Thumbnails, Watermarking and Photo resize]
3. 1ST STRIKE
The case of disappearing resources
[Architecture diagram as before; attack callout: “Attack one! Destroy ’em all!”]
4. MITIGATION
Infrastructure as Code:
• Script & Backup everything
• ARM & Azure Policy
PaaS safeguards:
o Azure Web App Undelete
o SQL Point in time restore
o Blob Storage restore
Azure DevOps or GitHub
[Architecture diagram as before]
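The safeguards on this slide as a script, added here as an example and not part of the deck. Every Azure CLI call goes through a small `run` wrapper that only prints the command unless `DRY_RUN=0`, so the script can be reviewed and tested without a subscription; the resource names (photos-prod-rg, photosprod, photos-sql, photosdb, photos-web) are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the deck): guard rails against "disappearing resources".
# Azure CLI calls go through run(), which prints the command unless DRY_RUN=0, so the
# script can be reviewed and tested without a subscription. Resource names
# (photos-prod-rg, photosprod, photos-sql, photosdb, photos-web) are constructed.
set -eu

run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# CanNotDelete lock on the production resource group: deleting anything in it now
# requires removing the lock first, a separate and auditable step.
lock_resource_group() {
  rg="$1"
  run az lock create --name "protect-$rg" --resource-group "$rg" --lock-type CanNotDelete
}

# Blob soft delete plus versioning: a deleted or overwritten photo stays restorable
# for the retention window instead of vanishing immediately.
enable_blob_restore() {
  rg="$1"; account="$2"; days="${3:-14}"
  case "$days" in ''|*[!0-9]*) echo "retention days must be a whole number" >&2; return 1;; esac
  run az storage account blob-service-properties update \
    --resource-group "$rg" --account-name "$account" \
    --enable-delete-retention true --delete-retention-days "$days" \
    --enable-versioning true
}

# Point-in-time restore of an Azure SQL database into a NEW database name, never
# over the live one, from an ISO-8601 UTC timestamp.
restore_sql_pitr() {
  rg="$1"; server="$2"; db="$3"; ts="$4"
  case "$ts" in *T*Z) ;; *) echo "timestamp must be UTC like 2024-01-31T10:15:00Z" >&2; return 1;; esac
  run az sql db restore --resource-group "$rg" --server "$server" --name "$db" \
    --dest-name "$db-restored" --time "$ts"
}

# Undelete an App Service app; the id comes from `az webapp deleted list`.
undelete_web_app() {
  rg="$1"; app="$2"; deleted_id="$3"
  run az webapp deleted restore --deleted-id "$deleted_id" --resource-group "$rg" --name "$app"
}

# Dry-run walk-through with the constructed names; set DRY_RUN=0 to execute.
lock_resource_group photos-prod-rg
enable_blob_restore photos-prod-rg photosprod 30
restore_sql_pitr photos-prod-rg photos-sql photosdb 2024-01-31T10:15:00Z
undelete_web_app photos-prod-rg photos-web "<id-from-az-webapp-deleted-list>"
```

The lock and the retention settings belong in the ARM template or Azure Policy assignment so that a redeploy re-applies them; the restore functions are the runbook you keep next to the template for the day the lock was removed anyway.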
6. 2ND STRIKE
The case of unexpected load
[Architecture diagram as before; attack callout: “Attack two…o…o…oooo!” and a rising cost callout ($ … $$$)]
7. MITIGATION
o Alert rules and monitoring
o IP restrictions (i.e., web.config) OR Private Endpoint
o Functions in App Service Plan
o GB*s daily quota
o App Service Diagnostics
[Architecture diagram as before, now with a web.config attached to the Web UI]
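The load-capping controls from this slide, written out as an added example (not the deck's own code): an IIS `<ipSecurity>` section for a Windows App Service web.config, the platform-level access restriction as the alternative, a request-count metric alert, and the daily GB-second quota for a Consumption-plan Function App. Azure CLI calls go through a `run` wrapper that prints unless `DRY_RUN=0`; app, plan and resource-id values are constructed placeholders, and the `--set dailyMemoryTimeQuota` call is an assumption that the site property exposed in the portal is settable through the generic update flag.

```shell
#!/usr/bin/env bash
# Added example (not from the deck): capping the blast radius of unexpected load.
# Azure CLI calls go through run(), which prints unless DRY_RUN=0. The app, plan,
# action-group id and CIDR values below are constructed placeholders.
set -eu

run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# IIS <ipSecurity> wants a dotted subnet mask, not a prefix length: /24 -> 255.255.255.0
prefix_to_mask() {
  p="$1"; mask=""
  for i in 1 2 3 4; do
    if [ "$p" -ge 8 ]; then bits=8; elif [ "$p" -gt 0 ]; then bits="$p"; else bits=0; fi
    mask="$mask$(( 256 - (1 << (8 - bits)) ))"
    if [ "$i" -lt 4 ]; then mask="$mask."; fi
    p=$(( p - 8 ))
  done
  printf '%s' "$mask"
}

# Write a web.config that allows only the listed CIDRs (allowUnlisted="false") for a
# Windows App Service; everything else gets HTTP 403 before any app code runs.
write_web_config() {
  out="$1"; shift
  for cidr in "$@"; do
    plen="${cidr#*/}"
    case "$plen" in ''|*[!0-9]*) echo "bad CIDR (need a.b.c.d/n): $cidr" >&2; return 1;; esac
    if [ "$plen" -gt 32 ]; then echo "bad prefix length: $cidr" >&2; return 1; fi
  done
  {
    echo '<?xml version="1.0" encoding="utf-8"?>'
    echo '<configuration>'
    echo '  <system.webServer>'
    echo '    <security>'
    echo '      <ipSecurity allowUnlisted="false">'
    for cidr in "$@"; do
      echo "        <add ipAddress=\"${cidr%/*}\" subnetMask=\"$(prefix_to_mask "${cidr#*/}")\" allowed=\"true\" />"
    done
    echo '      </ipSecurity>'
    echo '    </security>'
    echo '  </system.webServer>'
    echo '</configuration>'
  } > "$out"
}

# Platform-level alternative to web.config (also covers Linux apps and slots).
restrict_app_to_cidr() {
  rg="$1"; app="$2"; cidr="$3"; prio="${4:-100}"
  run az webapp config access-restriction add --resource-group "$rg" --name "$app" \
    --rule-name "allow-$prio" --action Allow --ip-address "$cidr" --priority "$prio"
}

# Metric alert: total requests above a threshold in a 5-minute window notifies the
# action group, so a traffic spike is noticed before the bill is.
alert_on_requests() {
  rg="$1"; app_id="$2"; threshold="$3"; action_group_id="$4"
  run az monitor metrics alert create --name requests-spike --resource-group "$rg" \
    --scopes "$app_id" --condition "total Requests > $threshold" \
    --window-size 5m --evaluation-frequency 1m --action "$action_group_id"
}

# Daily GB-second quota for a Consumption-plan Function App: once reached, the
# platform stops executions for the rest of the day. Assumption: the portal's
# "Daily Usage Quota (GB-Sec)" is the site property dailyMemoryTimeQuota.
cap_function_daily_quota() {
  rg="$1"; app="$2"; gb_seconds="$3"
  case "$gb_seconds" in ''|*[!0-9]*) echo "quota must be GB-seconds as a whole number" >&2; return 1;; esac
  run az functionapp update --resource-group "$rg" --name "$app" --set "dailyMemoryTimeQuota=$gb_seconds"
}

# Dry-run walk-through with constructed names; set DRY_RUN=0 to execute.
cfg=$(mktemp)
write_web_config "$cfg" 203.0.113.0/24 198.51.100.7/32
cat "$cfg"
restrict_app_to_cidr photos-prod-rg photos-web 203.0.113.0/24
site="/subscriptions/<sub>/resourceGroups/photos-prod-rg/providers/Microsoft.Web/sites/photos-web"
ag="/subscriptions/<sub>/resourceGroups/photos-prod-rg/providers/microsoft.insights/actionGroups/ops"
alert_on_requests photos-prod-rg "$site" 5000 "$ag"
cap_function_daily_quota photos-prod-rg photos-resize 50000
```

The web.config route only protects a Windows app and only after the request has reached the instance; the access-restriction rule or a Private Endpoint stops the traffic at the platform edge, which is what matters when the goal is to stop paying for it.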
9. 3RD STRIKE
The case of data and storage loss
[Architecture diagram as before (Web UI with web.config); attack callout: “Attack three! I know your secrets!”]
10. MITIGATION
o Key rotation
o Least user privilege (DB)
o Alert
[Architecture diagram as before]
11. REMEDIATION
o SQL DB Firewall
o VNET Storage
o Private Endpoint
o Managed Service Identity
o Handle Disconnect
[Architecture diagram as before, now with a SQL DB Firewall in front of the Users / Photos URLs database and web.config on the Web UI]
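The mitigation and remediation items of slides 10 and 11 as one added example (not the deck's code): a least-privilege contained database user for the app's managed identity, the SQL server firewall tightened, the storage account restricted to the app subnet, key rotation of the key the app is not using, and a retry wrapper for the "handle disconnect" point. Azure CLI and sqlcmd calls go through a `run` wrapper that prints unless `DRY_RUN=0`. Names (photos-prod-rg, photos-sql, photosdb, photosprod, photos-vnet, app-subnet, the photos-web identity) are constructed; `AllowAllWindowsAzureIps` is the name Azure gives the "Allow Azure services" firewall rule.

```shell
#!/usr/bin/env bash
# Added example (not from the deck): closing the "I know your secrets" paths around
# SQL and Storage. Azure CLI/sqlcmd calls go through run(), which prints unless
# DRY_RUN=0. Names (photos-prod-rg, photos-sql, photosdb, photosprod, photos-vnet,
# app-subnet, the photos-web identity) are constructed placeholders.
set -eu

run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Least privilege in the database: the web app's managed identity becomes a
# contained user (no password to leak) with read plus insert on one table only.
least_privilege_sql() {
  identity="$1"; table="$2"
  printf '%s\n' \
    "CREATE USER [$identity] FROM EXTERNAL PROVIDER;" \
    "ALTER ROLE db_datareader ADD MEMBER [$identity];" \
    "GRANT INSERT ON $table TO [$identity];" \
    "GO"
}

# Apply T-SQL from stdin with an Azure AD login (-G); in dry-run mode just show it.
apply_sql() {
  server="$1"; db="$2"
  if [ "${DRY_RUN:-1}" = "1" ]; then echo "sqlcmd -S $server -d $db -G <<'SQL'"; cat; echo "SQL"
  else sqlcmd -S "$server" -d "$db" -G; fi
}

# Server firewall: drop the "allow all Azure services" rule (AllowAllWindowsAzureIps,
# 0.0.0.0) and allow only the admin range; the app reaches the server through a
# Private Endpoint, so it needs no public IP rule at all.
restrict_sql_server() {
  rg="$1"; server="$2"; start_ip="$3"; end_ip="$4"
  run az sql server firewall-rule delete --resource-group "$rg" --server "$server" --name AllowAllWindowsAzureIps
  run az sql server firewall-rule create --resource-group "$rg" --server "$server" --name admin-range \
    --start-ip-address "$start_ip" --end-ip-address "$end_ip"
}

# Storage: service endpoint on the app subnet, allow that subnet, deny everything else.
lock_storage_to_vnet() {
  rg="$1"; account="$2"; vnet="$3"; subnet="$4"
  run az network vnet subnet update --resource-group "$rg" --vnet-name "$vnet" --name "$subnet" \
    --service-endpoints Microsoft.Storage
  run az storage account network-rule add --resource-group "$rg" --account-name "$account" \
    --vnet-name "$vnet" --subnet "$subnet"
  run az storage account update --resource-group "$rg" --name "$account" --default-action Deny
}

# Key rotation without downtime: renew the key the app is NOT using, move the app to
# it, and renew the other one on the next cycle.
rotate_storage_key() {
  rg="$1"; account="$2"; idle_key="$3"
  case "$idle_key" in primary|secondary) ;; *) echo "idle key must be primary or secondary" >&2; return 1;; esac
  run az storage account keys renew --resource-group "$rg" --account-name "$account" --key "$idle_key"
}

# "Handle disconnect": retry a command with exponential backoff, because firewall and
# endpoint changes, key rotation and PaaS failovers all drop connections transiently.
with_retry() {
  attempts="$1"; delay="$2"; n=1; shift 2
  until "$@"; do
    if [ "$n" -ge "$attempts" ]; then echo "giving up after $n attempts" >&2; return 1; fi
    sleep "$delay"; delay=$(( delay * 2 )); n=$(( n + 1 ))
  done
}

# Dry-run walk-through with constructed names; set DRY_RUN=0 to execute.
least_privilege_sql photos-web dbo.Photos | apply_sql photos-sql.database.windows.net photosdb
restrict_sql_server photos-prod-rg photos-sql 203.0.113.10 203.0.113.20
lock_storage_to_vnet photos-prod-rg photosprod photos-vnet app-subnet
rotate_storage_key photos-prod-rg photosprod secondary
with_retry 3 1 true
```

The retry wrapper is the operational half of "handle disconnect": the application side needs the same behaviour in its data-access code, otherwise the first firewall change after go-live turns into an outage.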
12. 4TH STRIKE
The case of being Gitted
[Architecture diagram as before; attack callout: “Fourth Attack! Keys from the octocat!”]
13. REMEDIATION
o Move all the keys to a secure path
o Use Azure Pipelines or GitHub Actions to set them before deployment
o Azure KeyVault
o Managed Service Identity
[Architecture diagram as before, with a “?” callout]
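The four remediation items in script form, added here as an example that is not part of the deck: a pre-commit scan that stops storage keys and connection-string passwords from reaching the repository, the secret moved into Key Vault, the app's managed identity granted read access, and the app setting replaced by a Key Vault reference that a pipeline can set without ever holding the value. Azure CLI calls go through a `run` wrapper that prints unless `DRY_RUN=0`; vault and app names and the principal id are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the deck): getting keys out of the repository and into
# Key Vault, reachable by the app's managed identity. Azure CLI calls go through
# run(), which prints unless DRY_RUN=0. Vault/app names and the principal id are
# constructed placeholders.
set -eu

run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Pre-commit check: fail if tracked files carry an Azure Storage account key
# (88-char base64 ending in "==") or a password inside a connection string.
# Returns 1 when something is found so `git commit` aborts.
scan_for_secrets() {
  dir="$1"
  hits=$(grep -rEn --exclude-dir=.git \
      -e 'AccountKey=[A-Za-z0-9+/]{86}==' \
      -e '(Password|Pwd)=[^;"[:space:]]{8,}' "$dir" || true)
  if [ -n "$hits" ]; then
    printf 'possible secret(s) in source:\n%s\n' "$hits" >&2
    return 1
  fi
  return 0
}

# Put the secret in Key Vault, reading the value from a file so it never lands in
# shell history or in the printed dry-run command.
store_secret() {
  vault="$1"; name="$2"; file="$3"
  run az keyvault secret set --vault-name "$vault" --name "$name" --file "$file"
}

# Give the web app a system-assigned identity, then grant it get/list on secrets.
# In dry-run mode the principal id is passed in; for real runs it is what
# `az webapp identity assign --query principalId -o tsv` returns.
grant_app_access() {
  rg="$1"; app="$2"; vault="$3"; principal_id="$4"
  run az webapp identity assign --resource-group "$rg" --name "$app"
  run az keyvault set-policy --name "$vault" --object-id "$principal_id" --secret-permissions get list
}

# App-setting value that App Service resolves from the vault at runtime: config and
# pipeline variables hold a reference, not the secret.
keyvault_reference() {
  vault="$1"; secret="$2"
  printf '@Microsoft.KeyVault(SecretUri=https://%s.vault.azure.net/secrets/%s/)' "$vault" "$secret"
}

set_app_setting_from_vault() {
  rg="$1"; app="$2"; setting="$3"; vault="$4"; secret="$5"
  run az webapp config appsettings set --resource-group "$rg" --name "$app" \
    --settings "$setting=$(keyvault_reference "$vault" "$secret")"
}

# Dry-run walk-through with constructed names; set DRY_RUN=0 to execute.
repo=$(mktemp -d)
printf 'StorageConn=%s\n' "$(keyvault_reference photos-kv storage-conn)" > "$repo/appsettings.json"
scan_for_secrets "$repo" && echo "clean: only a vault reference in $repo"
secret_file=$(mktemp); printf 'constructed-sample-value' > "$secret_file"
store_secret photos-kv storage-conn "$secret_file"
grant_app_access photos-prod-rg photos-web photos-kv "<principal-id-from-identity-assign>"
set_app_setting_from_vault photos-prod-rg photos-web StorageConn photos-kv storage-conn
```

Wire `scan_for_secrets .` into the repository's pre-commit hook and into the Azure Pipelines or GitHub Actions job that runs before deployment: the hook catches the developer's mistake, the pipeline step catches the one that bypassed the hook.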
14. 5TH STRIKE
The case of remote connections
[Architecture diagram as before, with an SSH terminal (>_) icon; attack callout: “Remote Attack!”]
15. MITIGATION
o Patching and security policies
o Azure Security Center
Not only for VMs: it can also check networks, App Services, Blob Storage, SQL, etc.
[Architecture diagram as before, with the SSH terminal icon]
16. REMEDIATION
o Network Security Groups
o VNET
o Private Endpoint
[Architecture diagram as before, with the SSH terminal icon]
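The Network Security Group part of this remediation as an added example (not the deck's code): a CIDR validator so a typo cannot widen the admin allow rule, an explicit allow/deny pair for port 22, and the NSG attached to the VM subnet. Azure CLI calls go through a `run` wrapper that prints unless `DRY_RUN=0`; resource names and the admin range are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the deck): taking SSH off the internet with a Network
# Security Group. Azure CLI calls go through run(), which prints unless DRY_RUN=0.
# Resource names and the admin CIDR are constructed placeholders.
set -eu

run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept only a.b.c.d/n with octets 0-255 and prefix 1-32; /0 is refused on purpose
# because an "admin range" of 0.0.0.0/0 is the whole internet.
validate_cidr() {
  ip="${1%/*}"; prefix="${1#*/}"
  [ "$ip" != "$1" ] || return 1
  case "$prefix" in ''|*[!0-9]*) return 1;; esac
  [ "$prefix" -gt 0 ] || return 1
  [ "$prefix" -le 32 ] || return 1
  old_ifs="$IFS"; IFS=.; set -- $ip; IFS="$old_ifs"
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# NSG rules are evaluated lowest priority number first and the first match wins, so
# the Allow (100) for the admin range sits above the Deny (110) for the Internet tag;
# the Deny is stated explicitly rather than relying on the default DenyAllInBound.
ssh_rules() {
  rg="$1"; nsg="$2"; admin_cidr="$3"
  validate_cidr "$admin_cidr" || { echo "invalid admin CIDR: $admin_cidr" >&2; return 1; }
  run az network nsg rule create --resource-group "$rg" --nsg-name "$nsg" --name allow-ssh-admin \
    --priority 100 --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes "$admin_cidr" --destination-port-ranges 22
  run az network nsg rule create --resource-group "$rg" --nsg-name "$nsg" --name deny-ssh-internet \
    --priority 110 --direction Inbound --access Deny --protocol Tcp \
    --source-address-prefixes Internet --destination-port-ranges 22
}

# Attach the NSG to the subnet so every NIC in it inherits the rules.
attach_nsg() {
  rg="$1"; vnet="$2"; subnet="$3"; nsg="$4"
  run az network vnet subnet update --resource-group "$rg" --vnet-name "$vnet" --name "$subnet" \
    --network-security-group "$nsg"
}

# Dry-run walk-through with constructed names; set DRY_RUN=0 to execute.
ssh_rules photos-prod-rg vm-nsg 203.0.113.0/24
attach_nsg photos-prod-rg photos-vnet vm-subnet vm-nsg
```

Keeping the NSG on the subnet rather than on individual NICs means a VM added later by a redeploy is covered from its first boot, which is the property the "script everything" rule is after.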
17. A BETTER ARCHITECTURE
[Architecture diagram: Dev-Test and Production RGs with Web UI (+web.config), Users and Photos URLs behind a SQL DB Firewall, RAW Photos, Thumbnails, Watermarking and Photo resize]
18. RECAP – THE 7 GOLDEN RULES
• Script everything
• Backup everything
• Least user privilege
• Trust no one
• Monitor everything
• Assume cloud failure
• Protect your secrets
20. PHYSICAL DATACENTER SECURITY
Layers: Access approval, Perimeter, Building, Server environment
Controls shown:
• Employee & contractor vetting; background check; system check
• Perimeter fencing; front entrance gate; 1 defined access point; no building signage
• 24x7x365 security operations; ongoing roaming patrols; video coverage (including rack front & back)
• Verified single-person entry; two-factor authentication with biometrics; metal detectors
• Inability to identify the location of specific customer data; secure destruction bins
21. PROTECT DATA AND COMMUNICATIONS (virtual machines, applications, storage & databases)
Enable built-in encryption across resources:
• Azure Storage Service Encryption
• Azure Disk Encryption
• SQL TDE / Always Encrypted
Encrypt data while in use:
• Azure confidential computing
Use delegated access to storage objects:
• Shared Access Signature enables more granular access control
Use a key management system:
• Keep keys in a hardware HSM; don’t store keys in apps or on GitHub
• Use one KeyVault per security boundary / per app / per region
• Monitor and audit key usage; pipe the information into a SIEM for analysis and threat detection
• Use KeyVault to enroll and automatically renew certificates
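Two of the points above in working form, added as an example that is not part of the deck: a read-only, HTTPS-only, short-lived Shared Access Signature signed with a user delegation key (so the account key is never handled by the script), and a Key Vault certificate policy with an AutoRenew lifetime action. Azure CLI calls go through a `run` wrapper that prints unless `DRY_RUN=0`; the account, container and vault names are constructed, and the expiry calculation assumes GNU `date` (Linux).

```shell
#!/usr/bin/env bash
# Added example (not from the deck): delegated, short-lived access to storage and an
# auto-renewing certificate in Key Vault. Azure CLI calls go through run(), which
# prints unless DRY_RUN=0. Account, container and vault names are constructed; the
# expiry calculation assumes GNU date (Linux).
set -eu

run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Read-only, HTTPS-only SAS for one container, signed with a user delegation key
# (--as-user, needs --auth-mode login) so the account key never leaves the control
# plane. The lifetime is capped so a leaked URL stops working quickly.
issue_read_sas() {
  account="$1"; container="$2"; minutes="${3:-15}"
  case "$minutes" in ''|*[!0-9]*) echo "lifetime must be a number of minutes" >&2; return 1;; esac
  if [ "$minutes" -gt 60 ]; then echo "refusing a SAS longer than 60 minutes" >&2; return 1; fi
  expiry=$(date -u -d "+$minutes minutes" +%Y-%m-%dT%H:%MZ)
  run az storage container generate-sas --account-name "$account" --name "$container" \
    --permissions r --expiry "$expiry" --https-only --auth-mode login --as-user
}

# Certificate policy with a lifetime action: Key Vault re-issues the certificate 30
# days before expiry. Issuer "Self" keeps the example offline; production would
# name an integrated CA here.
write_autorenew_policy() {
  out="$1"; subject="$2"
  cat > "$out" <<EOF
{
  "issuerParameters": { "name": "Self" },
  "keyProperties": { "exportable": true, "keySize": 2048, "keyType": "RSA", "reuseKey": false },
  "lifetimeActions": [ { "action": { "actionType": "AutoRenew" }, "trigger": { "daysBeforeExpiry": 30 } } ],
  "secretProperties": { "contentType": "application/x-pkcs12" },
  "x509CertificateProperties": { "subject": "$subject", "validityInMonths": 12 }
}
EOF
}

create_autorenew_cert() {
  vault="$1"; name="$2"; subject="$3"
  policy=$(mktemp)
  write_autorenew_policy "$policy" "$subject"
  run az keyvault certificate create --vault-name "$vault" --name "$name" --policy "@$policy"
}

# Dry-run walk-through with constructed names; set DRY_RUN=0 to execute.
issue_read_sas photosprod thumbnails 15
create_autorenew_cert photos-kv web-tls "CN=photos.example"
```

The 60-minute cap is a policy choice for this example; the point is that the script, not the caller, decides the upper bound, and that a SAS for a public thumbnail never carries write or delete permissions.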
23. APP SERVICE DIAGNOSTICS
• An interactive and intelligent experience for self-troubleshooting your app issues
• What does that actually mean?
• 🔒 Diagnose and troubleshoot your app issues and learn about best practices
• 🎨 Use Genie to guide you through each problem category tile
• 📈 Intelligent search capabilities
• 🌏 Straight out of the box, no extra configuration necessary