A Finland Azure User Group session held in Helsinki, Finland on 19th of June 2018.
Azure Security Center Updates
Azure Role Based-Access recap + how to use Azure Privileged Identity Management with Azure Resources
Azure Monitoring in real life
Top 8 security fails
2. KARL OTS @ KOMPOZURE
• Co-organizer of Finland Azure User Group, IglooConf and PolarConf
• Podcast host at Cloud Gossip
• Working on Azure since 2011
• Patented inventor
• Working on full-scale Azure projects with different customers, from startups to Fortune 500 enterprises
Managing Consultant
karl.ots@kompozure.com
+358 50 480 1102
3. IN THIS SESSION
• Azure Security Center updates
• Azure Access control (RBAC + PIM for RBAC role)
• Azure Security monitoring
o Expectation vs Reality
• Top security fails and how to avoid them
6. ROLE BASED ACCESS CONTROL SCOPES
Subscription
Resource Groups
Resources
7. RBAC ROLES
Owner
• Can perform all management operations for a resource and its child resources, including access management and granting access to others.
Contributor
• Can perform all management operations for a resource, including creating and deleting resources. A contributor cannot grant access to others.
Reader
• Has read-only access to a resource and its child resources. A reader cannot read secrets.
8. PRIVILEGED IDENTITY MANAGEMENT
• Requires Azure AD Premium P2
o For all users in the whole AAD Tenant
• Identifies users with administrative privileges
• Enables on-demand, just-in-time administrative access
• Generates reports about administrator access history
16. TOP AZURE SECURITY FAILS
1. Everyone is Owner
o …in the Subscription scope
2. Service Principals have too wide privileges
3. No monitoring
4. No alerting
o Security Center
o SQL Auditing
o WAF
5. Storage access key is used directly, not through Key Vault
6. Unprotected public endpoints (HTTP/RDP)
7. Too short audit log retention (if any)
8. IaaS: missing VM updates…
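Fails 1 and 2 can be checked from a role-assignment export. The script below is an added example, not from the slides: it assumes the JSON shape produced by `az role assignment list --all -o json` (fields principalName, principalType, roleDefinitionName, scope) and flags Owner at subscription scope and service principals holding Owner or Contributor at subscription scope; the sample records are constructed.

```python
# Added example (not from the original deck). Field names follow the output of
# `az role assignment list --all -o json`; the SAMPLE records below are constructed.
import json
import re

# Matches exactly the subscription root (/subscriptions/<id>), nothing beneath it.
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[0-9a-fA-F-]+/?$")

# Roles that carry full management rights (slide 7).
BROAD_ROLES = {"Owner", "Contributor"}


def is_subscription_scope(scope: str) -> bool:
    """True for the subscription root; False for resource-group or resource scopes."""
    return bool(SUBSCRIPTION_SCOPE.match(scope))


def find_risky_assignments(assignments):
    """Return (fail_id, principalName, roleDefinitionName, scope) tuples.

    fail 1: any principal holding Owner at subscription scope.
    fail 2: a service principal holding Owner or Contributor at subscription scope
            (automation identities rarely need more than a resource-group scope).
    """
    findings = []
    for a in assignments:
        scope = a.get("scope", "")
        role = a.get("roleDefinitionName", "")
        ptype = a.get("principalType", "")
        name = a.get("principalName", "<unknown>")
        if not is_subscription_scope(scope):
            continue  # narrower scopes are what the slides recommend
        if role == "Owner":
            findings.append((1, name, role, scope))
        if ptype == "ServicePrincipal" and role in BROAD_ROLES:
            findings.append((2, name, role, scope))
    return findings


# Constructed sample: what the az CLI export might contain.
SAMPLE = json.loads("""[
 {"principalName": "alice@contoso.example", "principalType": "User",
  "roleDefinitionName": "Owner", "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
 {"principalName": "deploy-pipeline", "principalType": "ServicePrincipal",
  "roleDefinitionName": "Contributor", "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
 {"principalName": "bob@contoso.example", "principalType": "User",
  "roleDefinitionName": "Reader", "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
 {"principalName": "app-team", "principalType": "Group",
  "roleDefinitionName": "Contributor", "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/app-rg"}
]""")

if __name__ == "__main__":
    for fail_id, name, role, scope in find_risky_assignments(SAMPLE):
        print(f"fail {fail_id}: {name} has {role} at {scope}")
```

Run it against a real export with `az role assignment list --all -o json > assignments.json` and `json.load` the file in place of SAMPLE.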
17. RESOURCES
• Azure Trust Center
o https://www.microsoft.com/en-us/TrustCenter/
• Microsoft Azure Security - Getting Started (free Pluralsight course):
o https://www.pluralsight.com/courses/microsoft-azure-security-getting-started?twoid=43eb6e26-b9fd-4aa0-b88f-2604b82e810f
• Azure Virtual Datacenter (eBook)
o https://azure.microsoft.com/en-us/resources/azure-virtual-datacenter/en-us/
• PCI-DSS Compliant PaaS Blueprint
o aka.ms/pciblueprints