Hidden Azure Some useful features to keep your
- Slides: 52
Hidden Azure Some useful features to keep your secrets safe Global Azure Bootcamp - Boston Azure - Boston 25 -April-2015 Bill Wilder, Finomial CTO @codingoutloud@gmail. com blog. codingoutloud. com linkedin. com/in/billwilder • Except where noted contents © 2014 Development Partners Software Corporation • http: //www. devpartners. com •
Hidden Azure Some useful features to keep your secrets safe Find this slide Global Azure Bootcamp - Boston Azure - Boston deck here 25 -April-2015 Bill Wilder, Finomial CTO @codingoutloud@gmail. com blog. codingoutloud. com linkedin. com/in/billwilder • Except where noted contents © 2014 Development Partners Software Corporation • http: //www. devpartners. com •
Questions during or after? @codingoutloud
www. cloudarchitecturepatterns. com Who is Bill Wilder? www. bostonazure. org www. devpartners. com
Goal: Alert you to the existence of a few Azure service features (awareness – not in-depth)
Automation Run. Books
Problem • Run a Nightly Job • Automatically • Securely – Deals with sensitive credentials • With auditing • All of it is in Power. Shell
demo
• General: http: //azure. microsoft. com/enus/services/automation/ • Automation Cmdlets to automate runbooks (not same as the runbook content): http: //msdn. microsoft. com/enus/library/dn 690262. aspx
Vulnerabilities (cool? ) (interesting? )
Ever hear of… • A 1 -Injection • A 2 -Broken Authentication and Session Management • A 3 -Cross-Site Scripting (XSS) • A 4 -Insecure Direct Object References • A 5 -Security Misconfiguration • A 6 -Sensitive Data Exposure • A 7 -Missing Function Level Access Control • A 8 -Cross-Site Request Forgery (CSRF) • A 9 -Using Components with Known Vulnerabilities • A 10 -Unvalidated Redirects and Forwards
unicorn cloud security for apps SESSION HIJACKING X SS SQL N O I T C E J IN CSRF Copyright © 2013 Elizabeth B. O’Connor • used with permission • www. elizabethboconnor. com
Little Bobby Tables (still a problem) http: //xkcd. com/327/
fun security challenges
Logging in securely with AAD (yawn? )
Boring?
Cloud News from June 2014 – DDo. S – Security Breach – Ransom / Extortion – Fighting Back – Malicious Destruction of Assets – Business Failure ELAPSED TIME 12 HOURS • http: //www. codespaces. com/ • A cautionary tale…
n r e t t a P Anti 1 FA single-factor auth (2 FA/MFA is widely available – e. g. , AAD)
demo
Azure Key Vault
Got Secrets? • Connection strings – Databases, Services • SSL Certificates • Authentication Certificates • Encryption Keys – Symmetric, Asymmetric • Storage Account Keys
How to Secure Secrets? • Web. config (or equivalent) • Configuration tab for Web Site – Connection Strings, SSL certs • Service. Configuration. cscfg • Azure Service Certificates
Azure Key Vault • Two simple concepts: – Key Value service – Secrets 1. Create a Key Vault 2. Store Secrets in it securely 3. Get them out securely
demo
More Azure Key Vault Concepts • Key Vault • Secret • Key – Wrap – Unwrap • HSM • Security Principal
http: //channel 9. msdn. com/Shows/Cloud+Cover/Episod e-169 -Azure-Key-Vault-with-Sumedh-Barde
Key. Vault Resources Samples (including C#): • https: //www. microsoft. com/enus/download/confirmation. aspx? id=45343 Power. Shell cmdlets: • https: //gallery. technet. microsoft. com/scriptce nter/Azure-Key-Vault-Powershell-1349 b 091
Valet Key Pattern
STORAGE ACCOUNT Blob Containers Tables Queues Blobs Rows Messages
Keys to the Kingdom Account Scope Fine for internal, trusted systems Not safe for untrusted clients Similar to DB connection string For DB, we gate access with code (ever afraid of Tenant Leakage) • With Azure Storage, we can do better • • •
e l a V K t y e
The Valet Key Pattern • Does your car have a special Valet Key? • Public, Read-Only Blobs can be shared – Whole Container or Individual Blob – Even through a web browser – No “custom code” needed to consume • Any other scenario requires custom code – Valet Key scenarios
Example Valet Key Permissions • • List contents Read all blobs in container Read specific blob Write to container Update specific blob Delete specific blob Start time End time
Valet Key Scenarios • Limited upload ability – Example with add-in • Read-only & time limited – Example from genealogy site • Bandwidth savings – Example from agent process uploads • Regulatory assurances – Example from thermo sensors
Valet Key In Action • Key benefit: AVOID GATEKEEPER DURING DATA TRANSFER – Scale, Cost, Reliability
Valet Key Mechanics (Storage) • Very FAST – No network traffic during CREATION (local only) • Uses one of the account Storage Keys – Fixed assets, fixed permissions – Not easily turned off • Optionally can use Named Access Policy – For Azure Storage – Can change later (or turn off)
3. Temporary Lock
https: //gist. github. com/ codingoutloud/ 9403 c 39 c 1985 ec 15 b 733 code
Azure Storage and Service Bus are enablers of Valet Key Pattern Shared Access Signature (SAS) Stored Access Policy (SAP)
Shared Access Signature is a Query String https: //vkpdemo. blob. core. windows. net/myc ontainer? sr=c&sv=2012 -02 -12&st=2015 -0424 T 19%3 A 37%3 A 16 Z&se=2016 -0424 T 20%3 A 37%3 A 16 Z&sp=rwdl&sig=ng. L% 2 Fiqu. Rock. On. Zdi. NIcz 3 S%2 Bz. MVP 13 DXZAhi maura. Q%2 BI%3 D
Shared Access Signature is a Query String https: //vkpdemo. blob. core. windows. net/myc ontainer? sr=c&sv=2012 -02 -12&st=2015 -0424 T 19%3 A 37%3 A 16 Z&se=2016 -0424 T 20%3 A 37%3 A 16 Z&sp=rwdl&sig=ng. L% 2 Fiqu. Rock. On. Zdi. NIcz 3 S%2 Bz. MVP 13 DXZAhi maura. Q%2 BI%3 D
In Azure Storage, Stored Access Policy is named set of Permissions … si=my-stored-accesspolicy … 1. Can be changed after issue 2. Limited to 5 at a time in storage
Actually Useful Valet Key Pattern Scenarios
Big File Upload from Desktop or Server
VKP Negoti Proces
Managed Public Blob Download
Least Privilege Queue-Centric Workflow Pattern
Web. Hooks
Keep it safe, kids! And stay in school.
And…. Find this slide deck here See you at Boston Azure bostonazure. org Bill Wilder @codingoutloud@gmail. com blog. codingoutloud. com linkedin. com/in/billwilder • Except where noted, slide deck is © 2014 Development Partners Software Corporation • http: //www. devpartners. com •
des questions?
- Stakeholders mapping
- Stakeholder mapping
- Keep it secret keep it safe
- Louise erdrich azure
- When a material is useful and harmful
- Azure data factory design patterns
- They say sometimes you win some
- Sometimes you win some sometimes you lose some
- Ice cream countable or uncountable
- Contact forces
- Some say the world will end in fire some say in ice
- Some say the world will end in fire some say in ice
- Some trust in chariots and some in horses song
- Keep the city cleanمعنی
- Gotta keep your head up
- What is the keep change flip method
- How is the nameplate worn on your uniform
- How to maintain deliverance by olukoya
- Dynamite security we keep your family safe
- How to keep your 21st century scholarship
- Please keep your mic muted
- Pure heart bible verse
- How to keep your blood healthy writing
- Keep your heart with all diligence
- Keep your eye on the donut not the hole
- If you keep buying despite a price increase, your demand is
- Create your azure free account
- It simulate or animate some features of intended system.
- Usability specification in hci
- Physical geography usa
- Give us your hungry your tired your poor
- No need objection
- Among the hidden theme
- Hidden rules examples
- Entrance hidden by bricks and rubble
- Hidden rules of poverty
- Hidden messages in water
- Hidden costs of assisted living
- Hidden cost fallacy
- Hidden markov chain
- Hidden ovulation
- She dwelt among the untrodden ways text
- Joe and harry window
- Ruby payne hidden rules chart
- Hidden markov model rock paper scissors
- The hidden tiger puzzle
- Hidden markov model tutorial
- Convention of lines
- Indications and contraindications of rpd
- Palahniuk
- Hidden markov chain
- Hidden surface removal algorithm in computer graphics
- Serpentis lookout