Post on 06-Jan-2018
Architecting for a Secure Cloud
Michele Leroux Bustamante, Chief Architect, IDesign (mlb@idesign.net)
Session DPR312

Michele Leroux Bustamante
• Chief Architect, IDesign (www.idesign.net)
• Chief Security Architect, BiTKOO (www.bitkoo.com)
• Microsoft Regional Director (www.theregion.com), MVP Connected Systems
• Publications and resources: DevProConnections, MSDN, CoDe Magazine, Microsoft whitepapers; Learning WCF (O'Reilly 2007/2009); CodePlex (publications, webcasts, code, utilities)
• Speaker: Tech Ed, PDC, Dev Connections, NDC, etc.
• www.michelelerouxbustamante.com, www.learningwcf.com
Agenda
• Benefits and concerns moving to the cloud
• IT and shared hosting security aspects
• Application architecture security aspects
• Architectural scenarios for Windows Azure Platform features
• Techniques for securing features by scenario
What Drives us to the Cloud?
• Reduced capital investment
• Scale out on demand, pay as you go
• Unbounded scale for bursts or peak loads
• Better overall IT management strategy
• Quality of service, zero downtime updates
• Focus resources on implementation and business logic
Typical Concerns
• Loss of control
• Reliability of services
• Service level commitments and guarantees
• Ability to change vendors if dissatisfied
• Security
Windows Azure Platform Building Blocks
• Platform infrastructure, equipment, data center
• Windows Azure Storage
• Windows Azure
• SQL Azure
• Windows Azure AppFabric
IT Security Considerations
Security Aspect                                         Provider   Business
Physical access to provider facility                    x
Administrator access to equipment at provider facility  x
Patch management                                        x
Virus scanner and other protective measures             x
Denial of Service prevention                            x
Packet filtering                                        x
Administrator access to cloud accounts                             x
Backup and recovery                                     x          x
Shared Hosting Considerations
Security Aspect                                Provider   Business
Isolation of database instances                x
Partition level packet filters                 x
Protection against malicious tenants           x
Prevention of VM jailbreak                     x
Network access restrictions to VM              x
Memory access restrictions between VMs         x
Remote access to VM                            x
Administrator access to host environment       x
Application Architecture Considerations
Security Aspect                                        Provider   Business
Transfer security                                      x          x
Data and content encryption                                       x
Key management                                         x          x
Identity management                                    x          x
Access control                                         x          x
DMZ requirements                                       x          x
Architecture tiers and boundaries                                 x
Risk assessment                                                   x
Legislative requirements for compliance and audit                 x
Windows Azure Platform Features
[Diagram: on-premise domain (service, AD FS 2); Windows Azure (web role, worker role, cache); Windows Azure Storage (queues, tables, blobs, accessed over REST); SQL Azure; AppFabric (Service Bus, Access Control, cache)]
• Primarily designed to address connectivity issues: services may be located behind private IPs, firewalls, load balancers, proxy servers
• Also enhances reliability and scalability
• Provides added security
Service Bus as DMZ
[Diagram: on-premise services in the corporate domain are published to Internet consumers (MVC site, Web Forms site, browsers using MVC/jQuery AJAX and Silverlight, WPF and Windows Phone 7 clients) through REST routers in a DMZ]
Service Bus as DMZ (2)
[Diagram: the same consumers and corporate-domain services, with the AppFabric Service Bus in the DMZ in place of the REST routers, so the relay acts as the DMZ]
Service Bus to Data On Premise / Migration
[Diagram: a web application hosted in Windows Azure reaches a service in the corporate domain through the AppFabric Service Bus; a client calls the web application]
Service Bus Security Aspects
Security Aspect                Provider                Business
DMZ, DoS prevention            Built-in
Transfer security              TCP or HTTPS            Add message security
Symmetric key authentication   Provided by plumbing
Key management                 Rollover provided       Requires process
Key protection                                         Provide encryption
Service Bus Security
[Diagram: a client and a corporate-domain service connect through AppFabric (Service Bus and Access Control); the client sends a signed request over TCP or HTTPS, the message is encrypted at the client and decrypted at the service, keys are encrypted at both ends, and an "evil client" without a relay credential is rejected]
Service Bus Recommendations:
• Require relay credential
• Encrypt keys at client
• Try to use TCP relay for performance and cost savings
• Add message security for highly sensitive data
• Use negotiation for encryption certificate over HTTP
SQL Azure
• Relational data store in the cloud (SQL Server 2008 R2)
• TDS support (client connections)
• REST-based Management API
• Protected by: firewall rules; SQL Server authentication (not Windows); certificate authentication
Relational Data On Premise / In The Cloud
[Diagram: a client, an on-premise service in the corporate domain and a web/worker role in Windows Azure, connected through AppFabric, with relational data held in SQL Azure]
SQL Azure Security Aspects
Security Aspect                                Provider                          Business
Data isolation                                 Physical server                   Database instance
Data loss prevention                           Internal backup                   Backup/recover process required
Data retention policy                          90 days
Geographic restrictions                        Choose region for storage only    Transfer restrictions may exclude cloud
Administrative access control                  Portal admin
Firewall access rules / Windows Azure access   Portal or scripted
REST-API access                                Certificate authN
Transfer security                              HTTPS required
Data protection                                                                  Encryption, hashing
User access                                                                      Trusted subsystem model is best
SQL Azure Security
[Diagram: SQL Azure (master database with user logins, Table A, Table B) behind firewall rules. Access paths: Windows Azure web/worker roles with "Allow Microsoft Services" plus user credentials; corporate-domain service with IP address plus service user; SQL Server Management Studio, SSRS, SSIS and AS with IP address plus user or DB admin credentials; the web portal as portal admin; REST clients of the REST API with IP address plus certificate]
SQL Azure Recommendations:
• Use portal admin to create DB admin accounts and manage firewall rules
• Use DB admin accounts to configure schema and users
• Use trusted subsystem users to reduce attack surface
• Automate with the REST API where possible
SQL Azure Data Protection
[Diagram: the application encrypts data before writing it to SQL Azure and decrypts it after reading; for values that only need to be verified, the application computes a hash, stores the hash, then hashes user input and compares hashes]
SQL Azure Recommendations (2):
• Limit access to hashing and encryption material
• Use asymmetric encryption, cert store to protect keys, limited access
• Protect hashing material by encrypting config
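The hash-and-compare pattern from the data protection slide, as an added example that is not part of the original deck. The talk's stack is .NET; this version is Python so the mechanism can be read and run on its own. The pepper value, iteration count and record layout are constructed for the demo: the point is that the table holds only salt and digest, while the hashing material (the pepper) stays in protected application configuration, so a copy of the table alone is not enough to recompute hashes.

```python
import hashlib
import hmac
import secrets

# Hashing material kept OUT of SQL Azure. In a real deployment this comes
# from encrypted application configuration; the value here is a constructed
# placeholder for the demo, not a real secret.
HASH_PEPPER = bytes.fromhex(
    "5f9c1e4a3b7d2f80a1c3e5d7b9f1a2c4d6e8f0a1b2c3d4e5f6a7b8c9d0e1f2a3"
)
PBKDF2_ROUNDS = 100_000


def compute_hash(user_input: str, salt: bytes, pepper: bytes = HASH_PEPPER) -> bytes:
    """Digest of user input using a per-record salt (stored with the row) and
    the application-held pepper (never stored in the database).
    The pepper keys an HMAC over the input before key stretching, so the
    stored digest cannot be reproduced without it."""
    keyed_input = hmac.new(pepper, user_input.encode("utf-8"), "sha256").digest()
    return hashlib.pbkdf2_hmac("sha256", keyed_input, salt, PBKDF2_ROUNDS)


def create_record(user_input: str) -> dict:
    """What the application writes to the database: salt and hash, never the value."""
    salt = secrets.token_bytes(16)
    return {"salt": salt.hex(), "hash": compute_hash(user_input, salt).hex()}


def compare_hash(user_input: str, record: dict) -> bool:
    """Recompute from the supplied input and compare in constant time."""
    candidate = compute_hash(user_input, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def recomputable_without_pepper(user_input: str, record: dict) -> bool:
    """Why the hashing material must be protected: with only the table
    contents (salt + hash) and the correct input, the digest still does not
    match unless the real pepper is also known."""
    wrong_pepper = b"constructed: whoever copied the table lacks the pepper"
    candidate = compute_hash(user_input, bytes.fromhex(record["salt"]), pepper=wrong_pepper)
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    rec = create_record("correct horse battery staple")
    print("stored row:", rec)
    print("correct input matches:", compare_hash("correct horse battery staple", rec))
    print("wrong input matches:", compare_hash("wrong value", rec))
    print("reproducible without pepper:", recomputable_without_pepper("correct horse battery staple", rec))
```

The per-record salt means equal inputs produce different rows, and the constant-time comparison avoids leaking how many leading bytes matched. Reversible protection (encrypt/decrypt) is the other half of the slide and needs a cipher and key store, which the hashing path deliberately does not.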
Windows Azure & Windows Azure Storage
• Compute, storage and management services
• Host web applications and services
• Applications can leverage non-relational tables, queues or blob storage
• Replace the relational database, or use tables to complement it
• Host large media content
• Optionally distribute via Content Delivery Network (CDN)
• Mount drives for a migration approach
• Go all-in or scale out specific features
Windows Azure & Windows Azure Storage
[Diagram: Windows Azure web and worker roles and an application accessing Windows Azure Storage (queues, tables, blobs) over REST]
Windows Azure Storage
[Diagram: an application uses the StorageClient library, which wraps the REST URI of Windows Azure Storage (queues, tables, blobs)]
Windows Azure Storage Security Aspects
Security Aspect                   Provider                          Business
Data isolation                    Physical server                   Partitioning
Data loss prevention              Internal backup                   Backup/recover process required
Data retention policy             90 days
Geographic restrictions           Choose region for storage only    Transfer restrictions may exclude cloud
Administrative access control     Portal admin
Data protection                                                     Encryption, hashing, MD5 signatures
Transfer security                 HTTPS
Symmetric key authentication                                        Use tools or manual
Key management                    Rollover provided                 Requires process
Key protection                                                      Provide encryption
Access restrictions                                                 Internal containers
Windows Azure Storage Security
[Diagram: an on-premise service in the corporate domain, a Windows Azure web/worker role, a remote client app, administration/management tools and the web portal all reach Windows Azure Storage (queues, tables, blobs, REST) over HTTPS, authenticating with the symmetric storage key]
Windows Azure Storage Tiers
[Diagram: service, client app and web portal access storage with the symmetric key; the key is encrypted in configuration and rolled over; remote clients and administration reach storage over HTTPS]
Azure Storage Recommendations:
• Never ship keys to non-owned clients
• Avoid shipping keys to remote clients
• Encrypt keys config
Blob Storage Integrity
[Diagram: a service in Windows Azure uploads to a blob container with an MD5 hash attached to the request, and Windows Azure Storage validates the signature]
Blob Storage Recommendations:
• For very large media uploads and/or mission critical data use MD5 validation to ensure integrity
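The MD5 integrity check on uploads, as an added example that is not part of the original deck. The request and response are plain dictionaries standing in for HTTP messages (constructed for the demo, not a storage library), and the digest is base64-encoded the way a Content-MD5 header carries it. The client computes the digest while streaming the chunks; the receiving side recomputes it over the bytes that actually arrived, so corruption or truncation in transit is detected before the blob is committed.

```python
import base64
import hashlib
import hmac
from typing import Iterable


def content_md5(chunks: Iterable[bytes]) -> str:
    """Base64-encoded MD5 digest of the whole content, computed while streaming
    so a very large upload never has to be held in memory at once."""
    digest = hashlib.md5()
    for chunk in chunks:
        digest.update(chunk)
    return base64.b64encode(digest.digest()).decode("ascii")


def build_upload(chunks: list) -> dict:
    """Client side: the blob body plus a Content-MD5 header.
    Constructed request shape for the demo, not a real HTTP client."""
    return {"headers": {"Content-MD5": content_md5(chunks)}, "body": b"".join(chunks)}


def validate_signature(request: dict) -> bool:
    """Receiving side: recompute the digest over the bytes actually received
    and compare with the header. A missing header fails closed."""
    claimed = request["headers"].get("Content-MD5")
    if claimed is None:
        return False
    actual = content_md5([request["body"]])
    return hmac.compare_digest(claimed, actual)


def corrupt(request: dict, position: int) -> dict:
    """Demo helper: flip one bit of the body to simulate damage in transit."""
    body = bytearray(request["body"])
    body[position] ^= 0x01
    return {"headers": dict(request["headers"]), "body": bytes(body)}


if __name__ == "__main__":
    # Constructed sample media: two "frames" of repeated bytes.
    upload = build_upload([b"frame-1" * 1000, b"frame-2" * 1000])
    print("Content-MD5:", upload["headers"]["Content-MD5"])
    print("intact upload accepted:", validate_signature(upload))
    print("corrupted upload accepted:", validate_signature(corrupt(upload, 5)))
```

This is an integrity check against accidental corruption, not proof of who sent the data: anyone who can alter the body can recompute MD5 as well. Authenticity still comes from the storage request itself being authenticated with the account key over HTTPS, which is why the slides pair the two.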
Blob Storage Shared Access Signatures
[Diagram of four access modes for a service's blobs: public blob access (the service creates, updates and deletes; anyone can read a blob link); public container access (the service creates, updates, deletes and reads; anyone can list and read); private container (only the service creates, updates, deletes, reads and lists); private container with a shared access policy, where a browser client gets read access for a limited time using a Shared Access Signature (SAS). A signature valid for more than 1 hour requires an authentication header in the request, which a browser cannot supply]
Blob Storage Recommendations (2):
• Never allow public access to a container
• Allow public read to blob links if appropriate for the application; try to use SAS for this purpose to limit exposure
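A model of the time-limited read access the SAS slide describes, as an added example that is not part of the original deck. It is not the Windows Azure signing format or the StorageClient API; the canonical string, parameter names, policy table and account key are all constructed for the demo. What it shows is the shape of the mechanism: the service keeps the account key and hands the browser only an HMAC over the blob name, permissions and expiry; every request is re-verified against those fields; ad-hoc signatures are capped at one hour (the slide's rule); and longer-lived signatures must reference a container-level policy, which the service can delete to revoke them.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode

# Constructed account key for the demo. It stays with the service; browser
# clients only ever receive signatures derived from it, never the key.
ACCOUNT_KEY = b"constructed-storage-account-key-not-a-real-secret"

# Ad-hoc signatures (no stored policy) are capped at one hour; anything
# longer must reference a container-level access policy.
MAX_ADHOC_SECONDS = 3600

# Container-level shared access policies held by the service (constructed).
# Removing a policy revokes every signature that references it.
POLICIES = {
    "media": {"preview-readers": {"permissions": "r"}},
}


def _string_to_sign(container, blob, permissions, expiry, policy_id):
    # Canonical form covering every field the service later enforces.
    return "\n".join([container, blob, permissions, str(expiry), policy_id or ""])


def _sign(message: str) -> str:
    mac = hmac.new(ACCOUNT_KEY, message.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii")


def create_sas(container, blob, permissions, lifetime_seconds, policy_id=None, now=None):
    """Service side: mint a query string granting `permissions` (letters such as
    'r' read, 'w' write, 'd' delete) on one blob until now + lifetime."""
    now = int(time.time()) if now is None else now
    if policy_id is None:
        if lifetime_seconds > MAX_ADHOC_SECONDS:
            raise ValueError("ad-hoc SAS limited to one hour; reference a container policy")
    else:
        policy = POLICIES.get(container, {}).get(policy_id)
        if policy is None:
            raise KeyError("unknown policy")
        if not set(permissions) <= set(policy["permissions"]):
            raise ValueError("policy does not grant the requested permissions")
    expiry = now + lifetime_seconds
    params = {"sp": permissions, "se": expiry}
    if policy_id is not None:
        params["si"] = policy_id
    params["sig"] = _sign(_string_to_sign(container, blob, permissions, expiry, policy_id))
    return urlencode(params)


def validate_sas(container, blob, operation, query, now=None):
    """Service side: check a request that carries a SAS. Returns (allowed, reason)."""
    now = int(time.time()) if now is None else now
    q = {k: v[0] for k, v in parse_qs(query).items()}
    try:
        permissions, expiry, sig = q["sp"], int(q["se"]), q["sig"]
    except (KeyError, ValueError):
        return False, "malformed"
    policy_id = q.get("si")
    expected = _sign(_string_to_sign(container, blob, permissions, expiry, policy_id))
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"  # blob name, permissions or expiry were altered
    if now >= expiry:
        return False, "expired"
    if policy_id is not None:
        policy = POLICIES.get(container, {}).get(policy_id)
        if policy is None:
            return False, "policy revoked"
        if not set(permissions) <= set(policy["permissions"]):
            return False, "policy no longer grants these permissions"
    if operation not in permissions:
        return False, "operation not permitted"
    return True, "ok"


if __name__ == "__main__":
    now = int(time.time())
    link = create_sas("media", "clip.mp4", "r", 1800, now=now)
    print("query string handed to the browser:", link)
    print("read after 1 minute:", validate_sas("media", "clip.mp4", "r", link, now=now + 60))
    print("read after 1 hour:", validate_sas("media", "clip.mp4", "r", link, now=now + 3600))
```

Because the signature covers the expiry and permissions, a client cannot extend its own window or upgrade read to write; and because a policy-backed signature is checked against the live policy table on every request, the service can cut off a long-lived link without rotating the account key.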
Windows Azure Architecture
[Diagram: web role (ASP.NET / MVC, AJAX / jQuery, Silverlight, WCF, .NET code) and worker role (.NET code, WCF) running on .NET Framework 3.5 SP1 / .NET Framework 4 under CAS policy and NT security policy, using tables, queues and blobs]
Application Architecture Tiers
[Diagram: in Windows Azure, web roles host the web application and WCF services on external endpoints, worker roles host WCF services on internal endpoints, and both use Azure Storage (queues, tables, blobs over REST) and SQL Azure]
Added Security with Service Bus
[Diagram: the same web and worker roles in Windows Azure, but the WCF services are exposed only on internal endpoints; clients and an on-premise service in the corporate domain reach them through the Service Bus]
Scaling Out Compute Cycles
[Diagram: a web role WCF service in Windows Azure writes work items to a compute queue in Azure Storage (REST); a worker role WCF service pulls from the queue; clients and an on-premise service in the corporate domain reach the web role through the Service Bus]
Scaling Out Compute Cycles (2)
[Diagram: the same pattern with several worker role WCF services pulling from the compute queue in parallel]
Scaling Out Media Access
[Diagram: clients and an on-premise service in the corporate domain read media from blob containers in Azure Storage over REST, with the content served through CDN caches]
Web Application Security Aspects
Security Aspect                    Provider    Business
DNS attack prevention              Built-in
Transfer security                              HTTPS
Privilege elevation prevention     ACLs        Partial trust
Cross Site Scripting (XSS) prevention          ASP.NET features and custom
Cross domain call prevention                   Silverlight configuration
SQL injection prevention                       ASP.NET features and parameterized queries
Authentication models                          Forms, Identity Federation
WCF Service Security Aspects
Security Aspect                    Provider    Business
DNS attack prevention              Built-in
Transfer security                              HTTPS or TCP, add message security
Privilege elevation prevention     ACLs        Partial trust
SQL injection prevention                       Parameterized queries
Endpoint privacy                               Internal endpoints, Service Bus
Authentication models                          UserName, Certificate, Identity Federation
Identity Federation Benefits
• Decouple the authentication mechanism from applications and services
• Go claims-based
• Reduce IT pain and risk related to provisioning and de-provisioning users
• Extend trust to users across domain, corporate and Internet boundaries
• Support Single Sign-On (SSO)
Passive Federation
[Diagram: browser, Azure-hosted web site and STS with its login page; five numbered steps show the browser being redirected from the web site to the STS and returning with a token]
Active Federation
[Diagram: a Windows client requests a token from the STS (steps 1, 2) and presents it to the Azure-hosted service (step 3)]
STS On Premise
[Diagram: the STS sits on premise behind the DMZ; the Windows client obtains a token from it and calls the Azure-hosted service]
Windows Users Behind DMZ
[Diagram: AD FS v2, the domain server and AD users sit behind the DMZ; the Windows client authenticates through AD FS v2 and calls the Azure-hosted service]
Access Control and MainstreamIdentity Providers
[Diagram: browser, relying party web application, Access Control, and the mainstream identity providers Yahoo! and Windows Live; five numbered steps route the browser through Access Control to the chosen identity provider and back to the relying party]
Access Control and EnterpriseIdentity Providers
[Diagram: as above, with an enterprise identity provider added alongside Yahoo! and Windows Live behind Access Control]
Relying Party STS + Access Control
[Diagram: a relying party STS with its policy fronts the relying party web application; Access Control brokers Google, Yahoo!, Facebook, Windows Live and enterprise identity providers (AD FS v2). The arrows show the flow of tokens, not direct communication]
WHEW!
Summary
• Application architecture must be well defined before you can define your cloud strategy
• Assess risks related to data, content and other assets
• Determine which can be moved to the cloud
• Determine the need for a migration plan, as needed, from on-premise to the cloud
• Define the application architecture for the cloud and the security plan for each Windows Azure Platform feature
• Document the IT, shared hosting and application security concerns and mitigations in your internal SLA
ARC Track Resources
• http://www.microsoft.com/visualstudio
• http://www.microsoft.com/visualstudio/en-us/lightswitch
• http://www.microsoft.com/expression/
• http://blogs.msdn.com/b/somasegar/
• http://blogs.msdn.com/b/bharry/
• http://www.microsoft.com/sqlserver/en/us/default.aspx
• http://www.facebook.com/visualstudio
Resources
• www.microsoft.com/teched: Sessions On-Demand & Community
• www.microsoft.com/learning: Microsoft Certification & Training Resources
• http://microsoft.com/technet: Resources for IT Professionals
• http://microsoft.com/msdn: Resources for Developers
• http://northamerica.msteched.com