Examining Security with Azure

Rather than having one long video for Azure Advent, I've tried to make a set of smaller videos that you can watch in any order. In this series of videos I talk about security on Azure. For other great Azure content, check out the contributions to the Azure Advent event.

Security Introduction

What do you think of when someone says security?

A minimal definition I would give for security would be resilience from harm.

Often it feels like we talk about security as an end state. For example, this application or website is secure. Very much like other areas of operability, security is a mind-set and a set of processes and technologies that are continually evolving to respond to malicious and accidental activities that could harm our infrastructure, application, data, and overall impact the value and trust of our customers.

In 2015, Gartner Inc., revealed its top strategic predictions for 2016 and beyond. One of these predictions was that "Through 2020, 95 percent of cloud security failures will be due to some problematic use by customers rather than cloud providers. In 2019, Gartner Inc. updated this prediction up through 2025 increasing the problematic usage to 99%! You could say that it's a competitive advantage to improve security skills.

Looking at the different types of infrastructure you can invest in from on-prem datacenters, infrastructure as a service, platform as a service, to software as a service, there are some elements of security that are taken on by the cloud provider and some that are the responsibility of the customer. This is part of the premium price that comes from a provider handling a part of resilience for you. No matter what architecture is chosen though, data and it's accessibility, identity and access management, and end-point management is the responsibility of the customer.

It's important to talk about how to talk about security. Models are useful ways to inspire conversations and build context between people. One of the first models that I learned about was the CIA triad: confidentiality, integrity, and availability. Confidentiality is the set of rules that limit access to information to the people who should have access to it. Integrity is that assurance that information is true and correct to its original purpose and that only those who should be able to can modify that information. Availability is about the reliable access to information and resources to the individuals who need it and when they need it.

A newer model is the DIE model. It helps orient architecture decisions by framing based on desirable outcomes. When we can choose a distributed architecture, we can better manage the harm that is caused by distributed attacks. When we can choose an immutable infrastructure, we can detect changes and repair those changes. When we can choose ephemeral infrastructure, then often by the time an attacker is able to figure out a vulnerability in our infrastructure it's already gone and the value of trying to compromise the infrastructure approaches zero.

Additional Resources

• Introduction to Azure Security
• Azure Data Center Security
• Check whether an account has been compromised in a data breach on https://haveibeenpwned.com.
• Verizon Data Breach Report
• Example of attack.

Designing and Architecting with a Security Focus

Additional Resources

• OWASP Application Security Verification Standard Project
• Microsoft Threat Modeling Tool
• OWASP Threat Model Project
• Microsoft Security Risk Detection - Fuzz Testing

Developing with a Security Perspective

Additional Resources

• Example of issue that could have been prevented with linting
• Compliance as Code
• Microsoft Security Risk Detection - Fuzz Testing
• Learn all about testing with the Test Automation University
• Azure Key Vault

Monitoring with a Security Perspective

Additional Resources

• Minimum Viable Response Plan by Jason Hand
• Azure Security Foundations Benchmark (DRAFT) The Azure Security Center has a free tier that is automatically enabled on all Azure subscriptions and provides security policy, continuous security assessment, and actionable security recommendations to help you protect your Azure resources.
• Central documentation for Azure Security Center
• Azure Learn Module for Azure Security Center
• Azure Learn Modules for Security Operations

Twitter

There are a lot of industry discussions that happen on Twitter. If you're interested in learning about current trends and practices, here are a few interesting accounts:

• Jam
• Ian Coldwater
• Tinker Fairy
• Teri Radichel
• Tanya Janca
• Cariad
• Jenessa Petersen
• Sarai Rosenberg
• Victoria Drake
• Yolonda Smith
• Luis Saiz Gimeno
• Christina Morillo
• Quiessence Phillips
• Alison Gianotto
• Pamela Dingle
• Victoria Drake
• Kelly Shortridge
• Ana Oprea
• CTF Circle
• OWASP
• WoSEC

Do you have resources that you'd recommend? Please share below and I'll update this page to include them.