This document summarizes Karl Ots's presentation on securing Azure infrastructure. It discusses:
1. Karl Ots's background working with Azure customers on security projects since 2011.
2. The multi-layered security of Azure datacenters, including physical security, network security, and server environment security.
3. Ways to secure an Azure environment, including identity and access management, encryption, securing hosts and networking, and third-party solutions.
4. Features of Azure Security Center for unified security management, monitoring, and recommendations.
2. KARL OTS @ KOMPOZURE
• Co-organizer of Finland Azure User Group and IglooConf
• Working on Azure since 2011
• Patented inventor
• Worked with tens of different customers on full-scale Azure projects, from startups to Fortune 500 enterprises
Managing Consultant, Kompozure Ltd
Karl.ots@kompozure.com
4. REST ASSURED WITH LAYERED DATACENTER SECURITY
• Azure global infrastructure
o 2 million kilometers of intra-datacenter fiber
o 72+ Tb per second backbone
o 100+ datacenters
o 42 Azure regions
o Millions of servers
• Access approval
o Background check
o System check
• Perimeter
o One defined access point
o Video coverage
o Perimeter fencing
• Building
o Two-factor authentication with biometrics
o 24x7x365 security operations
o Verified single-person entry
• Server environment
o Employee & contractor vetting
o Inability to identify location of specific customer data
o Secure destruction bins
5. SECURE YOUR AZURE ENVIRONMENT
• Identity & access
o RBAC
o Strong authentication
o Monitoring and alerting
• Encryption
o Encryption key management
o Encryption at rest and in transit
• Secure hosts & networking
o Host AV & monitoring
o Virtual networks
o Traffic rules
o Secure connectivity
• 3rd party solutions
o Antimalware
o Network appliances
o Encryption
o Monitoring
o Application security
o Authentication
• Unified security management
o Security policy
o Monitoring
o Recommendations
o Threat detection
6. ENCRYPTION
• At rest
o Storage: SSE (Storage Service Encryption)
o VM disks: ADE (Azure Disk Encryption)
o Azure SQL: TDE (Transparent Data Encryption)
• In transit
o All traffic between Azure datacenters is encrypted
o HTTPS can be enforced for connections to Storage
7. AZURE SECURITY CENTER
• Gain visibility and control
• Integrated security, monitoring and policy management
• Built-in threat detection and alerts
• Leverages global threat intelligence from Microsoft products and services, Digital Crime and Incident Response Centers, and third-party feeds
10. VNET SUPPORT FOR PAAS
• App Service Web Apps (VNET Integration, ASE and Isolated)
• API Management (Premium)
• Storage Firewall (NEW)
• Azure SQL Managed Instance (NEW)
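As an added defender-side example (not code from the deck), the storage controls named on slide 6 (SSE at rest, HTTPS enforced in transit) and slide 10 (storage firewall) can be audited against exported storage account resource JSON; the two account documents below are constructed sample data, and the property names follow the Microsoft.Storage/storageAccounts ARM schema:

```python
# Added example, not from the deck: audit exported storage account JSON for SSE at
# rest, HTTPS-only transfer and a default-deny storage firewall (ARM schema names).
import json
from typing import Any, Dict, List

# Constructed sample export: one hardened account, one with permissive settings.
SAMPLE_ACCOUNTS = json.loads("""
[{"name": "stgood", "type": "Microsoft.Storage/storageAccounts",
  "properties": {"supportsHttpsTrafficOnly": true,
                 "encryption": {"services": {"blob": {"enabled": true}, "file": {"enabled": true}}},
                 "networkAcls": {"defaultAction": "Deny",
                                 "virtualNetworkRules": [{"id": "<placeholder-subnet-id>"}]}}},
 {"name": "stweak", "type": "Microsoft.Storage/storageAccounts",
  "properties": {"supportsHttpsTrafficOnly": false,
                 "encryption": {"services": {"blob": {"enabled": true}, "file": {"enabled": false}}},
                 "networkAcls": {"defaultAction": "Allow", "virtualNetworkRules": []}}}]
""")

def _get(obj: Any, path: str, default: Any = None) -> Any:
    """Walk a dotted path through nested dicts; any missing key yields default."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj

def check_storage_account(account: Dict[str, Any]) -> List[str]:
    """Return findings for one account; an empty list means compliant."""
    props = account.get("properties", {})
    findings: List[str] = []
    # Slide 6: HTTPS can be enforced for Storage; a missing property also fails.
    if _get(props, "supportsHttpsTrafficOnly") is not True:
        findings.append("secure transfer (HTTPS-only) not enforced")
    # Slide 6: SSE must be on for both the blob and file services.
    for svc in ("blob", "file"):
        if _get(props, f"encryption.services.{svc}.enabled") is not True:
            findings.append(f"SSE not enabled for {svc} service")
    # Slide 10: the storage firewall should deny by default and allow only listed VNets.
    if _get(props, "networkAcls.defaultAction") != "Deny":
        findings.append("storage firewall default action is not Deny")
    return findings

def audit(accounts: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Map each storage account name to its findings, skipping other resource types."""
    return {a["name"]: check_storage_account(a)
            for a in accounts if a.get("type") == "Microsoft.Storage/storageAccounts"}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCOUNTS).items():
        print(name, "OK" if not findings else "; ".join(findings))
```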
11. RESOURCES
• Azure Trust Center
o https://www.microsoft.com/en-us/TrustCenter/
• Microsoft Azure Security - Getting Started (free Pluralsight course)
o https://www.pluralsight.com/courses/microsoft-azure-security-getting-started?twoid=43eb6e26-b9fd-4aa0-b88f-2604b82e810f
• PCI-DSS Compliant PaaS Blueprint
o aka.ms/pciblueprints
12. DDOS PROTECTION
• Protection against
o Volumetric attacks (e.g. UDP floods)
o Protocol attacks (e.g. SYN floods)
o Application layer attacks (SQL injections, XSS)
• Simulations available from Azure Networking team