Windows Azure Security

Academic year: 2021

(1)

Windows Azure Security

(2)

Agenda

Introduction

Azure™ Compute Security

Azure Storage Security

SQL Azure™ Security

Questions

(3)

Azure Combines Three Components

Compute – Think Stateless CPU in the Cloud

(Rented by the CPU-hour)

Storage – Like a file system, but structured differently to support scalability and parallelism

(Rented by the gigabyte-month)

SQL Azure – Another form of storage, accessed with SQL queries rather than file-like operations

Can be used separately, but more commonly a Compute tenant is layered atop Storage, SQL Azure, or both

(4)

Security Threats

(Diagram of the parties considered: Azure, the Customer Tenant, the Customer Admin, and the User)

(5)

From Subscription Portal

Create a Compute Tenant

Create a Storage Account

Create a SQL Azure Database

Once created, they are managed via separate mechanisms

Customer authenticates to the Subscription Portal using LiveID

(6)

Agenda

Introduction

Azure Compute Security

Azure Storage Security

SQL Azure Security

Questions

(7)

Underlying Hardware

Rack-mounted servers

Each rack has a collection of identical nodes

Each node (currently) has 2 CPU chips with 4 cores each and 16 GB of memory

Disks for local storage

(8)

Hypervisor and VM Sandbox

All Guest access to network and disk is mediated by Root VM (via the Hypervisor)

(Diagram: the Hypervisor sits beneath the Root VM and a row of Guest VMs; Network/Disk access from every Guest VM passes through the Root VM)

(9)

What Does the World Look Like to a Guest VM?

1, 2, 4, or 8 CPUs; up to 14 GB of memory

Three disk drives:

C:\ (for temps; initially populated with config file)

D:\ (for application code; initially as supplied by customer admin)

E:\ (for OS code; initially as supplied by Azure)

Network connectivity to Internet via NAT and to other VMs of same tenant

Guest agent accepts incoming HTTP/RPC connections from Root OS

(10)

Handling Attacks by a Tenant

Not dependent on the security of Windows®

Instead, dependent on the security of the Hypervisor and the exposed network and disk drivers

C:\, D:\, and E:\ are not really disks. They are VHD files in the root OS’s file system.

Attack surface is minimized by accepting few commands and supporting only a few hardware devices

(11)

Root OS Services

Disk I/O remapping and bandwidth quota enforcement

Network packet filter and bandwidth quota enforcement

No forging of IP address or false responses to ARPs

Connectivity only to Internet, peer VMs within tenant, and a small set of specific services (e.g., DNS)

(12)

Azure Network Services

For scalability, customer tenants can be divided into roles

(e.g., front end, back end)

Roles can have multiple instances

Azure will divide incoming connections among front-end role instances

When a new role instance is created, its disks (C:\, D:\, and E:\) are initialized. When a role instance is discarded, the contents of its disks are discarded. Compute holds only ephemeral data – permanent data must be kept in Azure Storage, SQL Azure, or an external customer-provided store.

High availability is achieved through fast failover. Individual VMs can be discarded and reinitialized at any time.

(13)

Recovery from Any Sort of Failure

If a customer VM fails, the Root VM can reboot it or – if necessary – reinitialize all of its on-disk state

If a Root VM fails or an entire node fails, the Fabric Controller can power cycle the node, reboot it from the network, and reinitialize all of its actual disks

All customer VMs can be migrated to other nodes while the node is being tested before it is returned to service or queued for manual repair

(14)

Handling Attacks by a Customer Administrator

Customer Administrator gets to specify:

How many roles in a tenant, how many instances of each role, and what size VM each runs on

The application software that runs in each VM and its configuration

Certificates, passwords, and secret keys each VM can use to authenticate to other entities

Requests go through the Developer Portal (browser based) or Developer API (RPC over HTTP over SSL)

Authentication to Developer API uses a certificate and private key registered through the Developer Portal

(15)

Protecting the Fabric Controllers

(Diagram of the components involved: Developer Portal, Developer API, Fabric Controller, Fabric Agent in the Root VM, Guest Agent in each Guest VM, and the Hypervisor)

(16)

Handling Attacks by an End User

Azure divides incoming connections among front-end role instances

Customer has all the facilities of Windows to protect the VM against end-user attacks

Azure must deal with DDoS (bandwidth) attacks that could overwhelm all of Azure

Customer must deal with DDoS attacks that could overwhelm the customer front ends

(17)

Internet Gateways

Gateways are shared with other Microsoft properties (e.g., Hotmail®, MSN®, Live, …)

Very high speed links at multiple locations worldwide

Not impossible to overload, but one of the highest capacity targets deployed today

(18)

One More Problem to Worry About…

Azure could be used as a platform for attacking other Internet sites

A customer tenant could be recruited into a bot army to spread spam or participate in DDoS attacks

A customer could intentionally participate in such things

We have to be responsive to complaints from other Internet sites that they are under attack from one of our tenants

(19)

Agenda

Introduction

Azure Compute Security

Azure Storage Security

SQL Azure Security

(20)

Azure Storage

Runs on separate hardware with no network connectivity to Compute except (logically) through the Internet

Requests run over HTTP and optionally over SSL with server authentication

Storage is organized into storage accounts

A single customer may have many storage accounts

A single secret key controls all access to a storage account

Fine-grained access controls are not implemented

A customer wanting fine-grained access controls can implement a front-end compute tenant that has full access to the storage account but mediates access to data items

(21)

Azure Storage Scalability

To reduce the need for the locking that a conventional file system requires, Azure Storage implements three primitives: blobs, tables, and queues.

For backwards compatibility, it also implements an XDrive with disk semantics for applications that have not been converted.

The customer is responsible for coordinating the assignment of XDrives to VMs. An XDrive can only be open from one VM at a time.

(22)

Azure Storage Security

Data from many customers is mixed in a single pool

Access to data in a specific account is only granted to entities having the secret key for that account

Storage keys are randomly generated when the storage account is created (or later at the request of the customer)

A storage account may have two active keys at any given time to support key rollover

(23)

Access Control Extensions

To deal with some common cases:

Blobs can be marked as “world readable”, which allows them to be read without authentication by anyone knowing their name

Queries can be HMAC signed with some of their parameters unspecified. Passing such a query and its signature to a
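As an added illustration (constructed for this page, not Azure's own Shared Key or SAS format), the following Python models the two mechanisms described on the storage security and access control slides: a storage account holding two active keys so that a signature verifies under either one during key rollover, and an HMAC-signed query whose fixed parameters are covered by the signature while a parameter left unspecified (here the blob name) is supplied later by the holder. The canonical string layout, the parameter names and the account name are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List

# Constructed scheme for illustration only; not Azure's real Shared Key or SAS format.
class StorageAccount:
    def __init__(self, name: str) -> None:
        self.name = name
        # Two random keys are active at once; either one authorizes access to the account.
        self.keys: List[bytes] = [secrets.token_bytes(32), secrets.token_bytes(32)]

    def regenerate_key(self, index: int) -> None:
        # Rolling a key revokes every signature that was made under it.
        self.keys[index] = secrets.token_bytes(32)

    @staticmethod
    def canonical(account: str, fixed: Dict[str, str]) -> bytes:
        # Only the parameters the signer fixed are covered by the HMAC; the rest stay free.
        return "\n".join([account] + [f"{k}={fixed[k]}" for k in sorted(fixed)]).encode()

    def sign(self, fixed: Dict[str, str], key_index: int = 0) -> str:
        return hmac.new(self.keys[key_index], self.canonical(self.name, fixed), hashlib.sha256).hexdigest()

    def verify(self, fixed: Dict[str, str], signature: str) -> bool:
        msg = self.canonical(self.name, fixed)
        # Accept either active key so clients can be moved between keys during rollover.
        return any(hmac.compare_digest(hmac.new(k, msg, hashlib.sha256).hexdigest(), signature) for k in self.keys)

def authorize(acct: StorageAccount, request: Dict[str, str],
              signed_params: List[str], signature: str) -> bool:
    # Server side: rebuild the fixed subset from the incoming request and check the HMAC.
    if any(p not in request for p in signed_params):
        return False  # a signed parameter is missing, so the signature cannot match
    return acct.verify({p: request[p] for p in signed_params}, signature)

def demo() -> Dict[str, bool]:
    acct = StorageAccount("constructed-account")
    fixed = {"container": "reports", "permission": "r", "expiry": "2021-12-31"}
    sig = acct.sign(fixed, key_index=0)
    ok = {**fixed, "blob": "q3.pdf"}                            # holder fills in the free "blob" parameter
    tampered = {**fixed, "permission": "rw", "blob": "q3.pdf"}  # a signed parameter was altered
    out = {"free_param_ok": authorize(acct, ok, sorted(fixed), sig),
           "tampered_rejected": not authorize(acct, tampered, sorted(fixed), sig)}
    acct.regenerate_key(1)  # rolling the key that was not used leaves the signature valid
    out["valid_after_other_key_rolled"] = authorize(acct, ok, sorted(fixed), sig)
    acct.regenerate_key(0)  # rolling the signing key revokes the signature
    out["revoked_after_signing_key_rolled"] = not authorize(acct, ok, sorted(fixed), sig)
    return out
```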

(24)

Agenda

Introduction

Azure Compute Security

Azure Storage Security

SQL Azure Security

Questions

(25)

Azure SQL

As with Storage, runs on separate hardware with no connectivity to Compute except (logically) over the Internet

Subscription Portal can create databases

Data from many customers is pooled in a single SQL instance, but they are treated as separate and access controlled

(26)

Questions & Answers

Submit text questions using the “Ask” button.

Send us your feedback and content ideas in the survey.

Replay of this webcast will be available in 24 hours.

Get the latest developer content (webcasts, podcasts, videos, virtual labs) at: www.Microsoft.com/Events/Series/

For more security webcasts:
