DPR312: Architecting for a Secure Cloud


Transcript DPR312: Architecting for a Secure Cloud

Chief Architect, IDesign (www.idesign.net)
Chief Security Architect, BiTKOO (www.bitkoo.com)
Microsoft Regional Director (www.theregion.com)
MVP Connected Systems
Publications and Resources:
DevProConnections, MSDN, CoDe Magazine,
Microsoft whitepapers
Learning WCF (O’Reilly 2007/2009)
CodePlex (publications, webcasts, code, utilities)
Speaker:
Tech Ed, PDC, Dev Connections, NDC, etc.
www.michelelerouxbustamante.com, www.learningwcf.com
Security aspects and responsibility (Provider / Business):
Provider: Physical access to provider facility; Administrator access to equipment at provider facility; Patch management; Virus scanner and other protective measures; Denial of Service prevention; Packet filtering
Business: Administrator access to cloud accounts
Provider and Business: Backup and recovery
Security aspects and responsibility (Provider / Business):
Provider: Isolation of database instances; Partition level packet filters; Protection against malicious tenants; Prevention of VM jailbreak; Network access restrictions to VM; Memory access restrictions between VM
Business: Remote access to VM; Administrator access to host environment
Security aspects and responsibility (Provider / Business):
Provider and Business: Transfer security; Key management; Identity management; Access control; DMZ requirements
Business: Data and content encryption; Architecture tiers and boundaries; Risk assessment; Legislative requirements for compliance and audit
[Diagram: Windows Azure application topology. Labels: Windows Azure Web Role and Worker Role Services, Access Control, AD FS 2, AppFabric, Azure Storage, SQL Azure, REST endpoints, On Premise Domain and On Premise Service; clients: Browser (MVC / JQuery, AJAX, Silverlight), WPF, Windows Phone 7.]
[Diagram: on-premise topology with a DMZ and Corporate Domain. Labels: Browser, WPF, Silverlight, Windows Phone 7 clients; Web Forms Site, MVC Site, MVC / REST and REST endpoints; Router into the Corporate Domain Services.]
[Diagram: Client, Web Application and Service connecting through AppFabric in Windows Azure to a Service in the Corporate Domain.]
AppFabric Service Bus security aspects:
• DMZ, DoS prevention: Built-in (Provider)
• Transfer security: TCP or HTTPS (Provider); add message security (Business)
• Symmetric key authentication: Provided by plumbing (Provider)
• Key management: Rollover provided (Provider); Requires process (Business)
• Key protection: Provide encryption (Business)
[Diagram: Service Bus relay. Labels: Evil Client; Client sends a signed request + HTTPS; Access Control; AppFabric relay over TCP / HTTPS; the Client encrypts the message.]
Service Bus Recommendations:
• Require relay credential
• Encrypt keys at client
• Try to use TCP relay for performance and cost savings
• Add message security for highly sensitive data
• Use negotiation for encryption certificate over HTTP
[Diagram, continued: the Service in the Corporate Domain decrypts the message.]
[Diagram: SQL Azure topology. Labels: Client; Web / Worker Role in Windows Azure; AppFabric; Service in the Corporate Domain; SQL Azure.]
SQL Azure security aspects:
• Data isolation: Physical server, Database instance (Provider)
• Data loss prevention: Internal backup (Provider); Backup/recover process required (Business)
• Data retention policy: 90 days (Provider)
• Geographic restrictions: Choose region for storage only (Provider); Transfer restrictions may exclude cloud (Business)
• Administrative access control: Portal admin
• Firewall access rules / Windows Azure access: Portal or scripted
• REST-API access: Certificate authN
• Transfer security: HTTPS required
• Data protection: Encryption, hashing (Business)
• User access: Trusted subsystem model is best (Business)
SQL Azure Recommendations:
• Use portal admin to create DB admin accounts and manage firewall rules
• Use DB admin accounts to configure schema and users
• Use trusted subsystem users to reduce attack surface
• Automate with the REST API where possible
[Diagram: SQL Azure access paths and firewall rules. Labels: Windows Azure Web / Worker Role Service: IP Address + User Credentials; Web Portal: Allow Microsoft Services + User Credentials; SQL Server Management Studio: IP Address + DB Admin; Portal Admin; SSRS, SSIS, AS: IP Address + Service User; REST Client: IP Address + Certificate; REST API; Firewall Rules; user login; Administrative.]
SQL Azure Recommendations (2):
• Limit access to hashing and encryption material
• Use asymmetric encryption, cert store to protect keys, limited access
• Protect hashing material by encrypting config
[Diagram: hashing and encryption flow. Labels: user input; Windows Azure Application A: compute hash, encrypt data, decrypt data; SQL Azure: compute hash, compare hash.]
[Diagram: Windows Azure Storage topology. Labels: Web Role and Worker Role Applications and a Client reach Windows Azure Storage over REST (Uri).]
Windows Azure Storage security aspects:
• Data isolation: Physical server, Partitioning (Provider)
• Data loss prevention: Internal backup (Provider); Backup/recover process required (Business)
• Data retention policy: 90 days (Provider)
• Geographic restrictions: Choose region for storage only (Provider); Transfer restrictions may exclude cloud (Business)
• Administrative access control: Portal admin
• Data protection: Encryption, hashing, MD5 signatures (Business)
• Transfer security: HTTPS
• Symmetric key authentication
• Key management: Use tools or manual; Rollover provided (Provider)
• Key protection: Access restrictions; Requires process; Provide encryption; Internal containers
[Diagram: Windows Azure Storage access. Labels: Corporate Domain Remote Client and Client App; Windows Azure Web / Worker Role Service; Administration Management Tools and Web Portal; all reach Windows Azure Storage over HTTPS / REST using the Symmetric Key.]
Azure Storage Recommendations:
• Never ship keys to non-owned clients
• Avoid shipping keys to remote clients
• Encrypt keys in config
[Diagram: key handling for Windows Azure Storage. Labels: Client App; Windows Azure Administration: encrypt key; Service; Web Portal: roll keys; HTTPS; REST; Symmetric Key; Windows Azure Storage; Windows Azure Service.]
Blob Storage Recommendations:
• For very large media uploads and/or mission critical data use MD5 validation to ensure integrity
[Diagram: blob upload with MD5 Hash + content; Windows Azure Storage validates the signature.]
Blob Storage Recommendations (2):
• Never allow public access to container
• Allow public read to blob links if appropriate for the application, try to use SAS for this purpose to limit exposure
[Diagram: Shared Access Signature (SAS). Labels: a Service sets a shared access policy on the container (list, create, update, delete, read); a Browser gets read; a Client gets access for a limited time with a shared access key. Note: SAS for more than 1 hour requires an authentication header in the request (no browser).]
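As an added illustration of the SAS idea in the diagram above (time-limited, permission-scoped access signed with the storage account key) and of the blob recommendation to prefer SAS over public read, here is a toy Python model written for this transcript; it is not Azure's SDK nor its exact string-to-sign. The account key, host name, one-hour cap for ad-hoc signatures and sample times are constructed assumptions.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

ISO = "%Y-%m-%dT%H:%M:%SZ"
# Constructed demo key (base64, the form Azure shows account keys in); not a real key.
ACCOUNT_KEY = base64.b64encode(b"constructed-demo-account-key-not-a-real-one").decode()
# Assumption modelled on the slide's ">1 hour" note: an ad-hoc SAS (no container
# policy identifier) may not be valid for longer than one hour.
MAX_ADHOC = timedelta(hours=1)
DEMO_START = datetime(2011, 5, 16, 12, 0, tzinfo=timezone.utc)  # constructed sample time

def minutes_after(base: datetime, minutes: int) -> datetime:
    return base + timedelta(minutes=minutes)

def _sign(string_to_sign: str) -> str:
    """HMAC-SHA256 over the signed fields, keyed with the account key."""
    mac = hmac.new(base64.b64decode(ACCOUNT_KEY), string_to_sign.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def make_sas(resource: str, perms: str, start: datetime, expiry: datetime,
             policy_id: str = "") -> str:
    """Return a blob URL whose query carries permissions, validity window and signature."""
    if not policy_id and expiry - start > MAX_ADHOC:
        raise ValueError("ad-hoc SAS over 1 hour: use a container access policy instead")
    st, se = start.strftime(ISO), expiry.strftime(ISO)
    sig = _sign("\n".join([perms, st, se, resource, policy_id]))
    query = urlencode({"sp": perms, "st": st, "se": se, "si": policy_id, "sig": sig})
    return "https://storage.example/" + resource + "?" + query

def check_sas(url: str, operation: str, now: datetime) -> bool:
    """Storage-side check: signature must match the presented fields, `now` must fall
    inside the signed window, and the operation ('r', 'w', 'd', ...) must be signed."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    fields = [q.get("sp", ""), q.get("st", ""), q.get("se", ""),
              parts.path.lstrip("/"), q.get("si", "")]
    if not hmac.compare_digest(_sign("\n".join(fields)).encode(), q.get("sig", "").encode()):
        return False  # tampered permissions, dates, resource or policy id
    start = datetime.strptime(fields[1], ISO).replace(tzinfo=timezone.utc)
    expiry = datetime.strptime(fields[2], ISO).replace(tzinfo=timezone.utc)
    if not (start <= now < expiry):
        return False  # link expired or not yet valid
    return operation in fields[0]
```

The point of the check is that a leaked link exposes only one resource, one permission set and one time window, whereas a shipped account key exposes the whole account.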
[Diagram: Web Role and Worker Role stack. Labels: Web Role: AJAX / JQuery, Silverlight, ASP.NET / MVC, WCF .NET Code; Worker Role: WCF .NET Code; both on .NET FW 3.5 SP1 / .NET FW 4 with CAS Policy and NT Security Policy; storage: Blobs, Tables, Queues.]
[Diagram: Windows Azure roles and endpoints. Labels: Web Role (Web Application, WCF Service) with External Endpoints; Worker Role (WCF Service) with Internal Endpoints; Client; Service Bus; Azure Storage; SQL Azure; Corporate Domain WCF Service.]
[Diagram: queue pattern. Labels: Web Role Service writes to queue in Azure Storage over REST; Worker Role WCF Service pulls from queue; Client; Corporate Domain WCF Service.]
Web Role security aspects:
• DNS attack prevention: Built-in (Provider)
• Transfer security: HTTPS
• Privilege elevation prevention: ACLs; Partial trust
• Cross Site Scripting (XSS) prevention: ASP.NET features and custom
• Cross domain call prevention: Silverlight configuration
• SQL injection prevention: ASP.NET features and parameterized queries
• Authentication models: Forms, Identity Federation
Service security aspects:
• DNS attack prevention: Built-in (Provider)
• Transfer security: HTTPS or TCP, add message security
• Privilege elevation prevention: ACLs; Partial trust
• SQL injection prevention: Parameterized queries
• Endpoint privacy: Internal endpoints, Service Bus
• Authentication models: UserName, Certificate, Identity Federation
[Diagram: browser login with an STS. Labels: Browser, Login Page, Azure Hosted Web Site, STS; steps 1 to 5.]
[Diagram: Windows Client authenticating to an STS (steps 1 to 3) and calling an Azure Hosted Service; the STS sits in a DMZ; ADFS V2 on a Domain Server with AD Users.]
[Diagram: Access Control with Google, FaceBook, Yahoo! and Windows Live identity providers and a Relying Party Web application; steps 1 to 5.]
[Diagram: Enterprise Identity Provider (AD FS V2), Access Control Policy, Relying Party STS and Relying Party Web; flow of tokens, not direct communication.]
http://www.microsoft.com/visualstudio
http://www.microsoft.com/visualstudio/en-us/lightswitch
http://www.microsoft.com/expression/
http://blogs.msdn.com/b/somasegar/
http://blogs.msdn.com/b/bharry/
http://www.microsoft.com/sqlserver/en/us/default.aspx
http://www.facebook.com/visualstudio
http://northamerica.msteched.com
www.microsoft.com/teched
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn