- Hi, welcome to the Top 10 Azure Security Best Practices. My name is Mark Simos, Lead Cyber Security Architect. And today we will be talking about the most important things to do as you go through your Azure adoption, and as you look to secure an existing Azure set of resources.

So the first thing to keep in mind, as we take a look at this, is really to take a look at the problem. What is it that we are trying to solve when we talk about securing Azure? So let us take a look at this through the criminal's point of view, or the attacker's point of view. And the easiest way to look at this and get a good sense of it is by looking at what those criminals, those attackers, and sometimes nation state intelligence folks, can actually buy off of the dark web, the bad neighborhoods on the internet.

First of all, you can actually hire an attacker to do all the work for you, and that costs anywhere from $250, which is the cheapest that we see, all the way up. You can buy a ransomware kit, which is really designed for sort of those new criminals, those just getting started. And it costs about $60 to $65 upfront, but they also have affiliate models where the ransomware kit author can take a portion of the proceeds of the ransomware attacks that the actual operator, the person, the customer of theirs, conducts. Compromised computers and mobile devices are actually fairly cheap, less than a dollar in most cases, quite a bit less when you look at the PC market, and the mobile devices tend to be a little bit more expensive, a little bit closer to a dollar, all the way up to $3 apiece, again on average. And these numbers, just as a point of reference, have stayed fairly steady over the past three, four years that we have been tracking them closely.

Spearphishing for hire to take over the account, payment upon "Hey, I sent you an email from that account, that is the account and I am in control of it," is anywhere from $100 to $1,000 US dollars. And then we also have stolen passwords. These usually come from one or more breaches that have already happened, and they are about a dollar per 1,000, a little bit cheaper in bulk. And those are essentially someone's username and password that have been used somewhere else, but because users tend to, and people tend to, use the same password over and over again, on average in any given enterprise organization it is about a 1% hit rate for that username and password to match within that environment. So actually pretty good odds for the attackers, fairly cheap. So we see a lot of password spray style attacks. And then denial of service to keep a website down on a monthly basis costs a little bit less than $800 per month, so fairly inexpensive.

And this is really the threat landscape, or one view of the threat landscape, that organizations face as they are trying to keep their Azure resources secure and available and not tampered with. So as we look to what our
customers needed in Azure and where we need to invest to help keep our customers secure, this information led to a couple of different investment areas.

The first there is native threat detection, including a native cloud-based SIEM, Azure Sentinel. But it was not just about having a place to do log analytics; we wanted to have what the industry is coming to call XDR, detection and response, X being any detection and response, which is very much based on EDR. Endpoint Detection and Response started this whole trend, but that was native threat detections that really have high quality alerts and response and investigation and remediation experiences. And so we have invested quite a bit to help secure all the different kinds of assets organizations tend to find under attack: Azure, Azure AD, the identity there, Windows, Linux, iOS, Android, SaaS apps. So lots of investment there, even operational technology. Microsoft recently acquired a company named CyberX that does great monitoring of operational technology, so SCADA or ICS, for those computers that control physical machines and physical operations.

Passwordless and multifactor authentication is really where we focus on those identity and password based attacks. Passwords, nobody enjoys them. Admins don't enjoy them, users don't enjoy them, but actually the attackers do, technically, but we don't want them to. So passwordless is a big, big initiative at Microsoft because we want to get out of the business of passwords. We want to just look at the machine, have it do a facial read of a biometric or a fingerprint, or just the fact that you have your phone and your phone can do similar things. We want to get out of the business of passwords, investing heavily in there as well as all the different forms of multifactor authentication to support that and to secure where we are today.

So the third area that we focused on is native firewalls and network security, because we found that customers, as they move to the cloud, obviously need to bring network security capabilities with them, and they bring those requirements with them, but they often find that they want it to be simpler and easier, like the rest of IT. And so we have invested deeply into native security capabilities within the Azure platform, including network security groups and a number of others we will discuss a little bit more later, but also we have a built-in native firewall so that you can protect the edge of your network, that internet ingress/egress point, with essentially firewall as a service. And it is fairly simple and easy to configure. A lot less complexity helps you get up and running with that security quicker. So this is one set of the things that we have invested in.

The other thing that we have been focused on is really learning and then teaching our customers. We have learned a lot from our customers; there are a lot of very sophisticated customers that we have learned from. We also work with NIST and the Open Group and many other experts in industry, working together because we want to build guidance for our customers, because we know the cloud is new, we will be talking about that quite a bit. And so it takes a lot of education, but we also found that customers really want clear prescriptive guidance that says exactly what to do. And so we have invested quite a bit into a number of different forms of that guidance. So the Top 10 Best Practices, which we will be talking about today. We also have the Azure Security Benchmarks, which essentially are best practices and controls for security in Azure: what is the right way to apply industry best practices to Azure specifically, which has been mapped to CIS and NIST and PCI and all these other common security frameworks that organizations align to. And then we know that the journey to the cloud itself can be pretty significant. And so Microsoft invested in the Cloud Adoption Framework, or CAF as we like to call it, to help people with that journey of going to the cloud: how do you do governance and cost and security and all these big picture elements. And so that is an area where we are continuing to invest, so organizations can have this smooth journey to the cloud. And then on a per workload basis, when it comes down to brass tacks and you actually have to architect and design a specific workload or application, we have also invested in the Azure Well-Architected Framework, WAF, not to be confused with Web Application Firewall, but that Well-Architected Framework of what does a well-architected application look like. So that it is efficient, it is secure, and all of the other attributes you are looking for in an application. And so a lot of guidance there, but today is about the Top 10.

So before we get into the Top 10, we have a small announcement to make around the Azure Security
Benchmarks, actually. So some of you may or may not be familiar with the Azure Security Compass, which is a set of guidance that was out there. What we have done is we have worked together as a team, quite a few hours actually over the past few months, with the Azure Security Benchmarks team and the Azure Security Compass contributors. And we decided to actually bring all those together into the Azure Security Benchmarks going forward. So the Azure Security Compass is being retired slowly. It is actually being migrated to Microsoft Best Practices, so that there is one set of Microsoft Best Practices across all of the different areas that people need guidance on. And specifically the Azure Security Benchmarks are taking a lot of those lessons learned from the Compass. And so there is now one place to go for Azure Security Best Practices, and that version two is out. And that includes not only the benchmarks themselves, mapped to all these other industry best practices, and of course Microsoft's take on them with modern cloud, but also how do you apply those to individual Azure services? So Azure SQL, Azure Functions, Azure Storage, the API Gateway, all of these different kinds of capabilities. How do you apply the benchmarks to those? And so that version two of Azure Security Benchmarks is out, and we are in the process of updating all of those service baselines that are associated with it.

So on to the Top 10. So these Top 10 we view as essential cloud security, in a way. And we wanted to make them as actionable as possible. We wanted to take a holistic view, to look at the whole problem space. And we wanted to look at it from both the short-term and long-term. What are the quick wins I need to get today to make sure I don't get myself into trouble with an incident or an attack or something I should have known better? But we also want to make sure that they have a long view, and that you are investing into things that are not going to, that we are not overlooking those long-term things that are going to go ahead and come back and bite us.

And so we broke this up into really four areas. People, because people at the end of the day are the center of any system. It is really about people, enabling and empowering people. And particularly in security, often forgotten because it has been such a technical discipline, but ultimately you have got defenders and you have got attackers. And even though it seems like it is a technical attack, and it is, and there is automation, it is. There is a human there that is designing that automation, that is designing that malware, that is operating it, in many cases in a targeted attack as an actual attack operator. And so we want to make sure that we are focusing on the people, because there is also the equivalent on the defense side, where people need to focus on making sure that people have the information they need, the context they need, to be successful. And of course, there are a lot of things that you end up having to do over and over again. And you want to capture those in processes so that we know who owns what, we know where that goes, we know what to do next, so that people have those things. And then the technology, which really automates as much of that process as it can to make things as easy as possible for people. So we are using those human minds, those great computers in our heads, to do the most effective and useful things instead of boring, repetitive drudge work.

And then the last piece is something that we found is very interesting, because we are new with the cloud and we are starting to do things that we are going to be living with for the next five, 10, 20 years, much like we were 20 years ago when we started putting up Active Directory and Windows 2000 and setting those kinds of LDAP directories up that did not exist in the 90s. We are in that same kind of phase now with the cloud. And we want to make sure that when we pour this concrete, when we make those key long-term decisions, we don't want to have to go back and break it later, or just say, you know what, we are going to live with that, it was a bad decision, but we have no choice, it is too hard to change. So we want to get ahead of that and make sure we are setting these right foundational architecture decisions correctly.

So let us go ahead and jump in. So one of the first things we realized is that it helps to take a step back and actually apply some perspective, because this is, as I mentioned earlier, a generational shift in
technology and in computing. So we want to recognize that and understand how we are doing our jobs today. We are going to be doing the same job; what we do is not changing, but how we do it is going to change. So the perfect analogy for this is moving from a house, where you have to mow your lawn and feed it and fertilize it and take care of all those things and maintain all of that, to moving to a luxury apartment building with a great view of the ocean or the city or whatever you prefer, and that you are in a shared building. And that you are actually, you are still going to have plumbing problems, you always will, that is just natural. You are still going to have electrical things, but you need to know, do I call my plumber when there is a problem here, or do I need to call my landlord and make them fix it? So you need to understand that sort of shared responsibility model of what do I have to do and what do I not have to do? There are a lot of things that actually get done for you in the cloud that you no longer have to do. A displaced forensics is one of those things where the data sources are actually moving. And so there are a number of places where that happens. But recognizing that how you do your job is different than what you are doing for your job. What is it that you are providing to your boss and to the organization in terms of value, and then taking a look, what is that what, and how do I apply it to this new world of the cloud? And so it was very important to take a look at it through that lens and recognize what you are doing is important. It just has to be done differently as you move to the cloud, especially as you are doing a hybrid of cloud and on premises.

So starting with people. First thing to remember is that it is, as I mentioned earlier, really a system of people, because people are the ones making the decisions, they are the ones implementing the technology. If you want to go into it, people are also the ones that actually made the microchips and typed in every line of programming. And even if you do have a program that writes other programs, that one was originally written by a human. So we have got to remember that it is a people-centric discipline, even though we work with technology every day. The way to think about what people need, quite frankly, is education and context as they move to the cloud, is what we found. So think about it like you have a special operations team, in the military context here, and these may be some of the brightest men and women, they are really good at their job, but if you drop them into a situation where they don't have any intelligence, they don't understand what is going on, who the bad guys are, who the good guys are, who they are trying to protect, they are probably going to do a better job than any random other person because of their training from the past, but they are not going to be doing it at their best. And so the things that you need to provide your really talented team that you have is they need education on the overall journey, the context, how things are changing, things like what are the important cultural elements as you move to the cloud, because we have built so many cultural assumptions around how on-premises technology works. We have got to look at those threats; the threats themselves are changing. What are the things and the kinds of attacks that work and don't work? Shared responsibility: how does that shared responsibility work that I was discussing earlier? What is it that is the cloud provider's job to do? What is it that is my job to do? And what can I expect from them? What phone numbers will I have to call? What do I have to do to work successfully with them? And we invested quite a bit at Microsoft to provide training around all of that as part of our online documentation. So we will be sending you links to each of these best practices and where to get that. So that is one of the big areas that we focused on, because we know it is something our customers need.

Now, the second piece is, okay, great, I have got the big picture, I have got the context. I know what is changing at a high level, but I need to do my job. I need to know where the logs are. I need to know where the storage is. I need to know how to do this. I need to know what tools I am going to be looking at. How do I set permissions? Where are the firewalls? So we know that organizations, excuse me, people and professionals, need that specific training on it as well. And so we have got quite a few resources on that that we have collected together at Microsoft to make it as easy as possible for folks to learn exactly how the cloud works and exactly how to do very specific tasks. So best practice two is really around educating on that cloud technology, how it works, and we have got all that published. So you can find that very quickly as you are ramping yourself up or having your team ramp up.

Moving on to process. So the first thing that we have
noticed in the process space is that if nobody owns the decision, nobody is accountable for making a decision, the decision is not going to get made. And then the project to go to the cloud is not going to go forward, the business is not going to realize value, the IT teams are not going to be seen as successful, and the security teams are not going to be able to secure it, because nobody knows who is making, in this case, the security decisions that are going to be in the cloud. So that is one of the first things we found: it is so critical to figure out who is making what kinds of security decisions. So we publish very clear guidance on the, I think it is five or six, categories of exactly which decisions need to be made, which types of decisions, and which teams that we find within the customer typically are the ones that actually make these decisions. Because we found that helps clear obstacles and make the project not only go faster, but be a lot more secure, because you don't end up having the project getting frustrated that security is not moving forward and then just bypassing them. So it is very important to get those security decision-making assignments made as quickly as possible.

Next one is really around incident response. You don't want to have to plan for a crisis during a crisis. So we found security incidents happen. We have a principle of assume breach and compromise, because it happens. Attackers are constantly doing their thing. It is fairly cheap; there is really good return on investment for the attackers. So they will be constantly attacking. As you move to the cloud, the attackers will continue attacking you there. So it is important that you have that preparation, some of which is the education we mentioned earlier, but some of which is updating the processes. So if we get this kind of attack, how do I do host based investigation? What is the process for this, who is responsible for it? Who is going to do these pieces, what kind of training do they need and what tools do they need, etc. And so we found that updating your incident response processes really helps as you move to the cloud. It is very important to focus on that as early as you can.

Last one, posture management. So in the process space, there is something new in the cloud that has not been possible before. The security industry has talked for a long time about continuous monitoring. We want to have a continuous view of where our security posture is and what kind of attacks are happening, so we can make real time decisions. Well, when it comes to cloud, guess what? You got your wish. And so the challenge that we see organizations face is they are not quite sure who is responsible for fixing this with this real time data that is coming in, who is responsible for monitoring it. So Microsoft, based on our interactions with different customers and others, we have put together a set of recommendations on using Secure Score: who is the one that is monitoring the Secure Score and the other security posture pieces, who is making sure that they are holding everyone else accountable to remediate it, and then who is actually fixing it, who are the ones that are responsible? Hey, we found that SQL needs this configuration change. We found that there is a patch that needs to be applied to these VMs, who is going to actually do that, who is going to apply it? And the simple theme is as close to the resource owners as we can get. So those decisions should be made by the same people that are accountable for the risk of that not being available. So the people that own those resources, the application owners, or say the storage and database owners, really depends on your model, how much you are doing DevOps and how much you are doing kind of specialization, but ultimately whoever owns the resources should be responsible for also securing them, and actually, honestly, held accountable for it. And then you have another group, usually a governance style group, that should be doing the monitoring to make sure that we are moving forward in our security posture and not moving backwards. This is particularly important in the cloud because of how fast things change. Not only are new features coming out all the time, but resources are being created and modified and removed all the time by these teams that are doing it because they need to keep up and they need to keep their organization agile. And so with all this change, it is super important to have very good clarity on who is monitoring and then who is remediating all these. And we built in a lot of automation in Azure Security Center and Secure Score and other capabilities to make this as easy as possible.

And now we get to technology. So technology, the first one,
and this is extremely important, is passwordless or MFA. In most cases, you have to use some form of multifactor authentication as a stepping stone to passwordless, because passwordless is something that is possible, but it is not perfectly applicable and universally easy for every single scenario. I personally have not used my own password in a very long time, usually two to three months, sometimes six or eight months between actual uses of the password. And frequently it is when I get a new computer, because I use the Windows Hello biometrics: easy to log in, it looks at my face, allows me in, and is much stronger than my password ever was or ever will be. So passwordless is very possible in a number of scenarios, but it is not 100% applicable in all cases, but at a minimum multifactor authentication, especially for admins, but really for all users. Start with the admin roles, then every user. Very, very important here. The great thing is that it is actually easier than remembering and typing a password. So very, very strongly recommend that, super important.

So the next one, number seven, native network security and firewall. We have learned that organizations are looking for more simplicity. Sometimes simplicity comes in the form of using, hey, I have an existing familiar capability, a Check Point, a Palo Alto, or some other next gen firewall. Great, so we have got that, it is in the marketplace and we can do that. We are also seeing organizations demand a different kind of simplicity, that they actually want to have firewall as a service. I want something simple. I want something easy. I just want something built in where I just click, click and I am done. I don't want to have to set up load balancers and virtual appliances. So we offer that choice. And in Azure, we focused on building more and more capabilities into Azure Firewall, which is our native firewall as a service, and allows you to do things. So I will be showing that in the demo in just a few minutes, that native network security and firewall. In addition, it is more than just firewall; there are network security groups, web application firewalls. There are quite a few different capabilities in there, but we found that organizations increasingly want more and more built into the platform, so that it is all manageable in one way. And it is as simple as possible, because we have learned that complexity, quite frankly, is often the enemy of security, because if no one can understand it, then it really ends up getting in people's way, or it is not as secure as we think it is because nobody, quite frankly, understands it.

Similarly, we are seeing some of the same things in the native threat detection, and now the native threat detection is also important for an additional reason other than just that it is built into the platform. We found that it is very difficult, as all these new types of capabilities, IoT devices, and some of the older ones, the OT devices as well, Kubernetes and containers, and all these different kinds of new objects, are really challenging for vendors to keep up with because the cloud moves so fast. And so increasingly we see organizations demanding, I just want threat detection built into Azure. I want it easy, I want to be able to click a box and I want the storage accounts to just send those alerts right on up. I want the SQL to send the alerts right on up, I just want them all in one console, and I want to instrument all of the different stuff, all the different assets that I have, into that one place. And so Microsoft is investing very aggressively into native threat detection, so not only do we have Azure Sentinel, which is a SIEM to pull all these sources together, we also have Azure Defender, and all of the different resources that are either in Azure or connecting to Azure have that first party threat detection capability in there, so you can get a high quality alert that you don't have to waste time trying to write a similar one. You have detection, and you also have the response capabilities to help with investigation, so that you can make it easier as the analysts are dealing with a live investigation, to make it as easy as possible for them to get the data they need and query it and dig deeper.

So let us go ahead and move on and actually, say, take a look at how some of these native controls work. This demo, I am going to give a quick overview, and then I am going to actually do the demo. We are going to show some of the native threat detection capabilities, as I just mentioned, and what those alerts look like and where they come from. And then we are also going to take a look through native security and governance capabilities. So Azure Security Center, Secure Score, and those capabilities for that big picture view from a risk perspective, not just the threat perspective, sort of what could happen as opposed to what is happening. Then we are going to take a quick look at the firewall and how that is configured, as well as Firewall Manager, the web application firewalls, show you a sense of what that looks like, SQL protection and a few other security features, just to get a sense of where this native security is, and where you can find it and a little bit about how to configure it.

All right, so we have got our demo up now, and we are going to take a very quick tour through a lot of these security features and capabilities that are
built into the Azure platform, these native capabilities,
just to give you kind of a sense of where
they are and where to look, we are going to be going
through quite a few. So, not going to go through
all of them in a lot of depth, but just want to give a
quick sense of what is there so that you are familiar with where to look for those in the platform. So we are starting here
in Azure Security Center, it is a fairly easy place to find. Actually, if you are on
the home screen of Azure, there is that little green
shield icon there to find that. And so as of Ignite, we now
have two different names for what used to be known
as Azure Security Center, the first is still Azure Security Center for sort of the Secure Score, hygiene compliance and those capabilities but all of the things that
formerly were known as Azure Security Center Standard are now known as Azure Defender, and that is part of what we
are calling our XDR strategy started with EDR, Endpoint
Detection Response, it is now X for any detection response. And so tools that are
specialized to a platform to provide those threat
detection, threat response, and unrelated features,
and so Azure Defender is right there up front
and Security Center still, which is where it originated. And so we are going to take a look first at the Azure Secure Score elements of it. For those of you that are not familiar, this capability is really designed to help you plan and
figure out what to do. The Top 10 are a great way to get started, but you are going to
want detailed guidance and detailed actionability of
specifically what to address. And so that is where Secure Score comes in and gives you a nice rating and ranking of how you are doing versus
your peers, et cetera. So we can go ahead and click
into Secure Score here, see what the score is in
this particular environment, and then if you have
multiple subscriptions, you'll be able to see all those there. you'll also be able to
see which subscriptions you don't have visibility
into so that you can go and work with those subscription
owners to get those. And this covers a whole lot of things you can see which ones
give you the most points, and the remediating vulnerabilities. No surprise here, you'll see that multifactor authentication
is one of the higher ones, I am sorry, that is actually its own one. That is individually
one of the highest ones in this case this one is good, that is the largest amount
of points typically there. And then in this case, this particular demo tenant here has a number of different things, and you'll notice that some of these have a quick fix button to them. So the ones that we could automate remember we are trying to
simplify and automate folks jobs, there is a quick fix button. This is typically done by the
people that are responsible for the resources to remediate them, as opposed to the governance function, that is kind of looking
at the all up report, but we did want to make it
as easy as possible for folks so that they could fix these
issues as fast as possible and lower your attack,
surface and vulnerability. So now let us go back
to the main screen here, and you'll notice that there is also a lot of compliance capabilities so we know a lot of organizations have to meet regulatory requirements, and so we have built in the ability and mapped in all of these
similar types of controls to all these different compliance regimes or compliance requirements, and it details out there is some things you can detect technically,
there is some things you can't. And so all the
ones that we can detect, we do mark there, whether it is being met, the nice green check box there
and whether they are not. And then the ones that are grayed out are the ones that are actually
are not able to be measured either at this time or
at all with the platform. And so quite a bit of coverage
here as your CIS PCI DSS, we have our own Azure Security Benchmark, which just got updated, HIPAA
high trust and the like. So we do take customer feedback on which ones to address
first and focus on. And then let us go back
to the Security Center Hub for a moment and take a look through the Secure Score itself. I am sorry, not the Secure Score itself, I got confused, we can take a look at the different recommendations that are being made here. And if we look for
Linux, you'll notice that there is a whole lot
of recommendations here specific to Linux, you
look for Kubernetes, because say that is your responsibility, is that you have to handle
the container security and the orchestration security you can search for those and
find those same thing is true of SQL and IOT and a bunch
of other technologies. So it is a pretty quick way for someone that is only responsible for those to focus on what they can do to improve the organization Secure Score. So let us switch over
to Azure Defender now to give you a quick sense of that, and so we can take a look here and get a nice summary
of how well we are doing from a coverage perspective,
do we have a good coverage? Then notice here in this inventory piece, we can also notice where we have healthy and unhealthy agents,
so we have visibility. Again, building on this
software defined data center because everything is software defined, it is all instrumented, and we have good visibility into it to say, hey, we are not going
to be surprised that we lost or more often found some old
Windows 2003 or Solaris box or something like that in
a physical data center, because everything in here is an object, it is managed, it is defined. So it is fairly easy and
straightforward to pick that up, so if you look in the
Azure Defender piece, you'll notice again, that coverage across, Kubernetes app services,
Key Vault, SQL, IoT, you name it, and also with our new acquisition, very soon you'll see legacy
operational technology. So SCADA/ICS types of devices, from the 1990s, 1980s,
and sometimes before. So we have got coverage for
that coming in here as well. So the Azure Defender for
IoT will actually include not just the modern
IoT, but the old stuff. And so you can see where
you are going on there. What are the top threats on
the attacks that are happening? The alerts that are
affecting the most resources. So lots and lots of insights here, don't have time to go into all of those, but all of the things
you are familiar with, if you are using Azure Security
Center Standard are here and the effective app
control, just-in-time access to the VMs for the
management ports and whatnot. So lots to explore there, lots to learn. So the next thing we are going to do is we are going to switch
out of Azure Security Center Azure Defender and into Azure Firewall to have a quick sense of that. So we can take a look at
the Azure Firewall here. We do have a test firewall, so we are going to take a look at that. And the nice thing about this is because it is firewall as a service, you don't have a lot of load balancing and similar kind of configuration setups and routing to do, you simply
just connect that firewall to a particular virtual network, and then, what is the public IP, if any that this is associated with and then you are off to the races and then it is essentially
acting as a firewall. There is obviously the activity log, there is the access
control to who can manage this particular firewall there is tags, so you can keep track of them, if you have different firewalls for different business
purposes or different layers or tiers within your environment. I am working on some DNS elements there. And then you notice that there
is a threat intelligence tab and so within the threat
intelligence piece, we have eight trillion signals
a day coming into Microsoft and so we have a lot of rich context on what is going out on the internet in terms of which identities
are bad, which IP is bad, or which DNS is bad. Now firewall only can really
apply a bad DNS address or a bad IP address that
are known to be malicious. And so you can actually just simply turn the alerts or the alert and deny on, and that is really all you have to do to take that huge amount
of threat intelligence has been essentially
processed down for you there. Go into Firewall Manager. And so there is an interesting, most folks are familiar
with VNets or virtual networks that are a collection
of subnets effectively, where it can be broken down into subnets. We can look at it either way. A Firewall Manager really takes advantage and is kind of a
reflection of the maturing of how we have gone from those VNets up, because the VNets are
just basic virtual networks. And then we realized as people
peer to peer connect to that with VNet peering, it got complicated, it got difficult to kind
of track and understand and set an enterprise policy on. And so we created this
Azure Virtual WAN concept, and then that allowed
us to do a hierarchy. And then when we wanted
to add firewalls in there, Microsoft also does support third-party partner firewalls as well. Then we created this concept
called Virtual Hubs, which allow us to assemble
essentially make it very easy to manage the connections
and the routing between those as well as the routing
through the firewalls, either the Azure builtin firewall in a number of actually
partner firewalls as well. So that is really what the
Secured Virtual Hubs do. And of course, as
Firewall Manager implies, we can also do the firewall policies and manage those centrally and set up those Azure firewall
policies and configure them. Firewalls are great for
sort of unsolicited traffic. But we also want to make
sure that we are addressing the WAF scenario, which is traffic that is targeted at your
application and intended to be malicious to try and
exploit that application. And so we have a web application
firewalls built in as well. And so we will go ahead
and create a policy here to give you a quick sense
of what that looks like. And we will just say in this
case Application Gateway, it does link to the Front Door
or the application gateway or the CDN, Content Delivery Network. So you have those options there where you are going to put the WAF and then let us pick a resource
group demo is just fine, because we are not going
to actually create this. And then we will just call this test WAF. And the policy settings themselves, you can put some exceptions
in there, et cetera. And then prevention or detection,
of course managed rules. (mumbles) support those custom rules, if you do have learnings
on your specific app that you want to have or you
want to tailor over time, as opposed to these; there are
quite a few built-in rules for all the different, in
this case, best practices and the specific rules that support those. So quite a bit of capability there in the application firewall. And then in all of the
different Azure services, there are varying different
types of security capabilities. We are going to take a look at SQL today, but there is quite a
bit in storage as well. So if you take a look
at the SQL databases, we will just go ahead and
jump into one of these here. And you'll see here that you have, as you look at this database, quite a bit of security
context and information, the SQL team has done a
great job of pulling through, how are you doing on your
transparent data encryption, your Azure Defender for SQL, your auditing, and really kind of pulling
some of those things, this is the SQL interface. This is not the SQL security interface. This is SQL interface. So they have done a great job of exposing security very
naturally through there. And so this one is a great example of kind of how we do stuff. And there is a couple other features that I want to cover very quickly. Some of these services, all
of them offer and support what is known as Private Link, which allows you, I am sorry, not all services,
but all of them will do this. We are going through every single service and making sure they all
support what is called Private Link. And so when you do that, you can set up a private endpoint on each of these different services, instead of having your instance of SQL, your instance of functions, your instance of Kubernetes
or whatever it is exposed through the public
networks and the public internet really the Azure networks, we actually are putting
the option that all of them will be able to project
onto a private network. And so instead of being exposed
through a public IP address, it will only be exposed through
your internal, private IPs, and then you would
publish through the normal sort of WAF application gateway pieces. And so that is coming for
nearly all the services we are making really
solid progress on getting the three, 400, I can't
remember the number Azure services set up for
that, but a few of them also, including SQL additionally,
have the ability to set specific network filtering rules often called a server firewall
or a firewall settings for that specific service. So you'll see that in there as well. And so you can then go ahead and block and allow addresses in there. So that is another one of the
capabilities that is there. And the other thing, and this
is the reason I picked SQL to show the demo on as opposed
to storage or the others. There is something else going on; some of you may have heard of Microsoft Information Protection, which is our vision for really having a single set of policies that you can do classifying, labeling, protection
of all types of data, structured, unstructured, you name it. And so we have gotten very,
very strong capabilities in the unstructured the document space, and we are starting to see those features and we are investing here
in continuing to invest in the structured space, so in SQL we do have data classification as well. And so let us take a look here in the data discovery and classification. We are not at the point where we can, based on the classification
labeling actually protect the different cells and
rows, et cetera differently, but we are on that journey and we are moving in that direction. And so you'll see here using very similar, identical policies, actually, as Azure Information
Protection for documents, you can set those same sets of policies and labels up in SQL. And so we can label
those and then make sure that we then set up the appropriate, transparent data encryption
or other types of protections within SQL, there is a lot to SQL. I don't have time to cover them all, but wanted to give you a sense of that, because this is a sign of things to come. We are investing very heavily
because we want customers to have this single set of
things, and then it just, you can apply it to any types of data. So with that, we have covered quite a few
of the different technologies. And so now we will get back and close out on the best practices. Now that we have gone through the demo, we are going to talk a
little bit about long term. So we are going to talk about, the way I like to think about this, and this is the reason why we have kind of the bricks and mortar kind
of concrete icon there, is if you pour the foundations wrong, when you are building
a house or a building it is really, really hard to change later. And there is a couple of
decisions as you build your architecture and
Azure and any other cloud that if you get them wrong, you pretty much have to break the concrete and spend a lot of time and effort kind of changing those foundational underpinnings. So we really want to get
those foundations right the first time because it is no
fun to try and fix them later. Those are ugly projects. So number nine here, single
directory and identity. We know that enterprise organizations have a lot of different
directories in many cases or different identity management systems. It is a very common configuration, especially among medium
and larger size enterprises for The Cloud and going forward, we strongly recommend you want
to get to a single directory in a single identity for
each user, for each person. There is one minor exception
to that, which is admins. Administrators with high privilege access should not be using their
day to day use account for doing administrative tasks. Those two should be separated because there is a security
risk of merging those two. But for every other user
in the organization, including the admins' day to day account, you want to have a single directory, so there is an account in one place. And Azure Active Directory
and Active Directory, essentially act as one
directory at this point in time, that is evolved quite
a bit over the years. And so you want to have
that single directory and you want to have a single identity because when you look at this
from everybody's perspective, the end user trying to
remember different passwords, different accounts, different
usernames, very painful. You look at the admins
that have to administer different directories and
slightly similar things. And all the connections you
have to have between them, it gets very complicated quickly. And then you look at the SOC analyst and the people that
are supporting the SIEM and the other analytical pieces to correlate all of the
security stuff happening. When you have multiple identities, you have to integrate even
more systems into this and then figure out how
to correlate between, well that happened on this LDAP directory, but this was on the enterprise one. And this is our customer database. And are these the same actual John Smith? It gets really complicated, really fast. So we have learned at least
from the now going forward, make sure you are standardizing
on a single directory. So pick one enterprise
active directory tenant, and that is the enterprise going forward for most organizations, this
is the Active Directory tenant. When you went to Azure, excuse me, when you went to Office 365, because it is the same Active Directory that underpins Office 365 as all of the other Azure services. And again, like I said, we have really extended
Active Directory on prem to an Azure Active Directory and made it as if it is one single system where you make a modification on one side and it will sync either way, depending on your configuration. So we want you to have that single directory, single identity. It makes everybody's
life easier and security, and IT all your end users. It is a victory in all corners. So get this foundational decision, don't be trying to layer
on virtual directories and extra things just use one if you can. Number 10 identity
access, instead of keys, we have learned you can't
be 100% perfect on this. You can't always use an Azure
AD account instead of a key,
signature or an access key because The Cloud initially
the first early versions of it, both Amazon, ourselves, GCP and whatnot, The Cloud started doing
authentication heavily using keys instead of identities. And for those of you that
have not done key management is painful for those of you
that are doing key management, I am sorry, it is painful. Key management is not fun. Now you can't be 100%
off of key management, there is always a case where
you may need to do that. There are always particular applications, legacy architectures, certain
ways things have been done where you actually have to do keys, but where there is a choice and Microsoft is pushing very heavily on our internal engineering teams to make sure that every
single Azure service will be able to use Azure
AD for authentication.
directory, single identity, and nine in all those cases,
in all of the Azure services, we will support Azure Active Directory. That is a path we are on and
we were working very hard to make that 100% across every service. We recognize that there
are still gaps now, we recognize there are
certain applications that require using and managing a key. We get that, but in every place that you have a choice of
using a managed identity, use it instead of a key. I like to think of key management as being similar to handling
raw nuclear material. It is possible, but it is
not fun and it is not safe. It is really easy to make a mistake. You want to have something
that is packaged up nicely. And that has its lifecycle management, which is what identity does. Identities are very much
key based under the hood, but you manage them in a nice directory. They have got a lifecycle, They have got a password reset process. They have got all these different things to make managing it easier. So avoid keys everywhere you can, because you don't want to
be educating developers on how to handle a key well, you would rather just
say, use this identity and let their identity
admins deal with it. Much, much better process, so everywhere you can avoid
using keys, use identities. And the last, this is
kind of the special bonus. There are actually 11 best practices. Sorry, couldn't contain
ourselves, couldn't help it. So 11 yes, 11 of 10, little
special bonus, no extra charge. So single strategy. So I am going to start
with a story on this one. If you go and you go to any
sort of enterprise organization, you ask the networking team, tell me about your enterprise
segmentation strategy, they are going to tell
you about IP addresses and ranges and CIDRs
and all sorts of things. And is it a slash 24, slash whatever and go through all that kind of stuff. And it is going to be
very much based on sites and physical networks and whatnot. Then you go to the identity team and they are going to talk to you about, OU structures and many cases and groups and how those things are set up. And then you go to the application team and you ask them the same question, then you say, we don't
really use those much. We kind of do, but not really. And by the way, the application teams are the ones that actually
talk to the business, to the business stakeholders. And so you end up with what I like to call
misaligned cheeseburger, where you have all these different teams that are trying to do
roughly the same thing, but they are not talking to each other and they are not sharing,
they are not aligning, they are not actually coordinating well. And so you ended up with a
situation where the defenders are really at a disadvantage and the attackers have all
sorts of extra opportunities because of this lack of
coordination between the teams. And of course, there is also all sorts of organizational friction. And so even though, and I use this example of an enterprise segmentation strategy, but there are so many more decisions. Whereas if your teams
are not working together, they are not coordinating and you don't have the networking folks and the identity folks
and the application team and the productivity team, all working together to figure this out, that you are going to
have these challenges and you are going to
have a lot of friction, you are going to have a lot of gaps. And we have learned as we
work with our customers and we do architecture design sessions and have these conversations. If we don't have everyone
in the same room, as we are making these
strategic decisions, we are going to keep repeating
that meeting over and over again. Oh, we did not have the
networking team in the room and we did not have these guys and we did not have the
identity team in the room. Well, then you are going to
have the same set of meetings all over again until
you have everyone there, because everybody has to
understand this new world. They all have to make decisions together because the silos that we built
over the past 20 plus years in Enterprise IT on premises, are not necessarily the way
things should be divided up as you move to The Cloud, there
is some subtle differences. And so everybody has
to realign and reorient around this new world and figuring out, okay, what does your team do? What does my team do? What does this team do? What does that team do? Understand who makes the
decisions and move forward. So it is very important to
build a single strategy together as an entire organization, and really it is time to
start connecting those silos and working forward. So some of you may have seen
some of my sessions before, and you may be thinking to
yourself, wait a second. This is the Mark Simos talk. And all the slides have
been very simple and clean. There have been no really
big, complicated diagrams. Is that really Mark Simos? Well, for those of you that
are looking forward to that, we do have a special treat for you. There is a big complicated slide that brings a lot of concepts together. So this is really
targeted at sort of those security professionals,
IT professionals among you that are trying to pull all this together. So these best practices are great, but tell me how all this really works. Give me the specific
features and technology names and how do these things
connect with the arrows. And so what we did was we
put together this diagram that really describes how this native security for Azure works. Keep in mind, we love our partners. We love the existing
capabilities our customers have. We want them to be successful with it. This is representing the
Microsoft capabilities because quite frankly, we ran out of room to include everybody. And there is a lot of
partner integrations here that is not necessarily depicted, but we wanted to show all
of these native capabilities and how they come together. So that middle black bar
there is really showing sort of the end to end lifecycle of Azure and all things related to
Azure and the security of it. We have learned that teams need two things to be successful in security. And the first is visibility,
the second is control, and you have visibility
into both the risk factors and governance things, and
the overall, how are we doing? And are we vulnerable? As well as the threat detection, which is high quality alerts,
as well as the raw data and logs and signal, to be
able to do something with that, the control side has that
same governance need. You need to be able to sort
of set up policy and guide developer teams and IT teams and whatnot, but we also need preventive
controls to block the attack. So if we can block an
attack, it is a lot cheaper, it is a lot more effective. You can't always block an attack often you have to detect it because the things that an
attacker can do are so broad, you can't block everything. You could not possibly block everything. So you have this flow. And the first thing everybody
asks us in the security team is where are the logs? I want logs, give me logs. Of course, we provide the logs, all the Azure services through
Azure monitor and whatnot, we provide all those different logs. And we have learned that
there is something that organizations and security
people are not used to asking for. And this kind of goes
into what I was discussing at the beginning, which is alerts. We want organizations need, but are not used to asking
for high quality alerts. I want a high quality alert
on my IOT and my legacy OT, my legacy operational technology. I want high quality
alerts on my containers, on my SQL, on my storage
accounts, for my VMs. I don't want to have to write a SIEM rule. Everybody's used to writing
a SIEM rule, a SIEM query and doing their static analysis. Everybody's used to that, they are not used to
getting high quality alerts that are ready to go,
I can investigate this. I need to investigate it now, they are used to just getting raw data. And so we focus very much on providing not only that raw data, but
also those high quality alerts. One of the things we have
learned is that protecting Azure is not just about protecting the stuff that is literally on Azure. If you lose control over the account, that is an administrator
of Azure or the workstation where that account logs in that is an administrator of Azure. You also lose control
over your Azure tenant and the resources in it because the attacker can
impersonate those accounts either by taking over it from the machine or just taking over the account directly, password theft and whatnot. So we have learned it is important to have that full end to end view. Now this is not Azure presentation, so we are not going to go
over it in too much depth. But when you look at the whole picture, Microsoft has also put a lot of investment into that front end. So taking those same high quality alerts on the end points and the
identities, et cetera, feeding those into the preventive controls and into the endpoint management. So you can make better decisions and you can make real
time access decisions through conditional access and all these other kinds of pieces, essentially providing that zero
trust access control there, and that kind of T-shaped
box, the upside down T so that is very much part
of Azure Security as well, but we are going to spend more time focusing on the right today. So when most people think
about how do I protect stuff, they think in the paradigm
of what we were able to do in the on premise world, and we call that data plane security, and this is very much
focused on per-application and per-workload controls and protections. So this includes things like firewalls, even though we are quote unquote, "protecting the network
with the firewall," we are actually protecting the workloads that are on our network, or
that are in our environment. It is things like encryption
and using key vault to manage those keys for the
ones that you do have to have. It is about following DevSecOps
and securing your code. It is about just application
security in general. It is about securing the API access, securing the network, so that you are securing assets against a network based
attacks, DDoS protections. What about firewall to
protect the applications? So all of these are really
about protecting the application either in aggregate as a
whole at that network edge or on the specific
applications themselves. So this is kind of the
classic security piece. Microsoft has invested
quite a bit to make sure all of those things are there
in a cloud native format so that you can use them to secure it. The thing that is new and
interesting and different about The Cloud is we are no longer sitting inside of a dumb building. We are not in a building
where you badge in, and that is how you get access to putting a server into a 19-inch
rack or blades or VMs or whatever else you have in
your physical data center. We actually have a software
defined data center because it is software
defined, it can be intelligent. And so Microsoft, we took
advantage of this fact, so everything that is created in Azure, updated or destroyed,
all the resources in it, go through the Azure Resource Manager or ARM as we like to call it. And so, because it is software defined, we can intercept all of those requests. All of those changes, all those creations, all those deletions. And we can apply policy
where you can set up and say, if this thing happens,
you always add a firewall. If this does not have a firewall, you block it from being created
or whatever the case may be. There are a lot of different
scenarios in this, but you have policy control that is built into the data center itself. That is what we call
Management Plane Security in that darker green box. And so plenty to read up
on and research there, but we invested a lot into that to take advantage of that and really have an intelligent
software defined data center, not just a simple dumb platform. We wanted to have
something that was actually taking advantage of the
data streams that we have, the intercept we have to apply policy and really help make the
platform a lot more secure. The very top there on the right,
Azure Cloud Adoption Framework, which I mentioned earlier, is really
about going to The Cloud securely or investing more and more and putting more and more
security guidance in there. There is quite a bit
already on security roles, responsibilities, and
whatnot and strategies and then we are continuing
to develop that as well. And then in the middle there, the Azure Security
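Two of the points above lend themselves to a concrete management-plane policy: best practice number 10 (use identities instead of keys) and the "if this does not have a firewall, you block it from being created" scenario that Azure Resource Manager policy enables. The following Bicep file is an added example written for this page; it is not code from the talk or a Microsoft sample. It defines two custom Azure Policy definitions and assigns them at subscription scope. The definition names and display names are hypothetical; the resource type, aliases (`allowSharedKeyAccess`, `networkAcls.defaultAction`) and API versions are real Azure Policy constructs.

```bicep
// Added example, not from the talk or from Microsoft: two custom Azure Policy
// definitions enforced at the Azure Resource Manager layer, so a non-compliant
// storage account is rejected before it exists. Names are hypothetical.
targetScope = 'subscription'

// Best practice #10: identities instead of keys. A storage account that omits
// allowSharedKeyAccess defaults to allowing access-key and SAS authentication,
// so "property missing" is treated the same as "true" and both are denied.
resource denySharedKeyAccess 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'deny-storage-shared-key-access' // hypothetical name
  properties: {
    displayName: 'Storage accounts must disable shared key access (use Azure AD identities)'
    policyType: 'Custom'
    mode: 'Indexed'
    policyRule: {
      if: {
        allOf: [
          {
            field: 'type'
            equals: 'Microsoft.Storage/storageAccounts'
          }
          {
            anyOf: [
              {
                field: 'Microsoft.Storage/storageAccounts/allowSharedKeyAccess'
                exists: 'false'
              }
              {
                field: 'Microsoft.Storage/storageAccounts/allowSharedKeyAccess'
                equals: 'true'
              }
            ]
          }
        ]
      }
      then: {
        effect: 'Deny'
      }
    }
  }
}

// Management-plane control: a storage account whose network ACL default action
// is Allow (or unset, which also means Allow) has no service firewall in
// effect, so the create or update request is denied.
resource denyStorageWithoutFirewall 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'deny-storage-without-network-firewall' // hypothetical name
  properties: {
    displayName: 'Storage accounts must restrict network access (default action Deny)'
    policyType: 'Custom'
    mode: 'Indexed'
    policyRule: {
      if: {
        allOf: [
          {
            field: 'type'
            equals: 'Microsoft.Storage/storageAccounts'
          }
          {
            anyOf: [
              {
                field: 'Microsoft.Storage/storageAccounts/networkAcls.defaultAction'
                exists: 'false'
              }
              {
                field: 'Microsoft.Storage/storageAccounts/networkAcls.defaultAction'
                equals: 'Allow'
              }
            ]
          }
        ]
      }
      then: {
        effect: 'Deny'
      }
    }
  }
}

// Assign both definitions to the subscription so every storage account
// create or update that passes through ARM is evaluated against them.
resource assignSharedKey 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'deny-storage-shared-key-access'
  properties: {
    policyDefinitionId: denySharedKeyAccess.id
  }
}

resource assignFirewall 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'deny-storage-without-network-firewall'
  properties: {
    policyDefinitionId: denyStorageWithoutFirewall.id
  }
}
```

Deploy it at subscription scope with `az deployment sub create --location <region> --template-file <file>.bicep`. On a subscription that already has storage accounts, change both `effect` values to `'Audit'` for a first pass so Security Center shows the existing non-compliant accounts, and switch to `'Deny'` once those are remediated; Deny only blocks new create and update requests, it does not alter resources that already exist.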
Benchmarks in that gray box is like I mentioned before, those prescriptive best
practices and the controls and lots of investment there
so that throughout all of this, you have those best practices that you can use to
apply, when to apply these and how to fit in your existing
third party capabilities, and what do you do to configure it so that you are not
vulnerable to those attacks. So as we wrap up here and in
case it was not clear before, we want you to follow
these best practices. We want you to go to that Azure Security, Top 10 linked on the top right. We have also provided convenient
links to each specific one, so you can dig into that and we have provided a lot more
detail on exactly what we mean and the resources available,
the videos, the documentation, feature capabilities, you name it. So all of that is linked in each of these to make it as easy as possible for you to follow these best practices. So please continue to read up
on the Azure Security Top 10. Starting with the people
side, cloud security journey, people need to know the context
of the journey they are on. Technical training,
they need to understand the specific components they
are going to be responsible for. People in IT are really good at learning technology as they go. The cloud is a lot to learn quickly. So keep that in mind, as much as you can provide them training, documentation, guidance, the better. We have provided a number
of resources there, but as much as possible,
provide people as much training, because it gets very difficult to learn hundreds of things at once or tens of things at once. One or two things at once, not so hard, but when you get a lot,
it is overwhelming. Assign accountability, make sure that, you know who is making security decisions, make sure you are updating
your incident response process. Posture management, you have the data, you have the dashboards,
you have the information. It is all part of the free
part of Azure Security Center, use it, take advantage of it. Passwordless and MFA,
I think the statistic, if I recall correctly is
99.9% of identity attacks, identity attacks on all attacks would have been blocked with MFA. The attackers don't even have to try. They don't even have to
invest to get around MFA. So get your admins on MFA,
make them work for it, make them earn it. Native Network Security and Firewall, take a look at the stuff
that is built into the system and see if it has got what you need or see if you are going to bring your existing firewall
capabilities with you, very important there. Native Threat Detection, take a look at the stuff
we have in the platform. There is an amazing set of
threat detection capabilities. Some of which we took a look at today to help make your life easier. So you don't have to pull
a bunch of logs in the SIEM and then try and figure something out. So great capability is there. Foundational decisions, single
directory, single identity make life simple. Separate accounts for admins,
but for all of the things, single directory, single identity. Identity Access Controls,
use them instead of keys, avoid key management if you can, if you have to use Azure Key
Vault or something similar, but avoid keys, if you can. And lastly, get everybody
on the same page. Single strategy, get the
teams working together. Use the enterprise segmentation strategy as a way to get everyone on the same page. Use the move to Azure and the need to make
these decisions up front. That is the way to get all
the teams in the same room. You'll be amazed at how
many connections happen, how many good conversations happen and how many good things start off as people start working together instead of working in
their individual silos. And with that, I thank you
very much for watching. Stay safe out there, thank you.