DPR312

Architecting for a Secure Cloud

Michele Leroux Bustamante

Chief Architect, IDesign

mlb@idesign.net

Michele Leroux Bustamante

Chief Architect, IDesign (www.idesign.net)

Chief Security Architect, BiTKOO (www.bitkoo.com)

Microsoft Regional Director (www.theregion.com)

MVP Connected Systems

Publications and Resources: DevProConnections, MSDN, CoDe Magazine, Microsoft whitepapers

Learning WCF (O’Reilly 2007/2009)

CodePlex (publications, webcasts, code, utilities)

Speaker: Tech Ed, PDC, Dev Connections, NDC, etc.

www.michelelerouxbustamante.com, www.learningwcf.com


Agenda
  • Benefits and concerns moving to the cloud
  • IT and shared hosting security aspects
  • Application architecture security aspects
  • Architectural scenarios for Windows Azure Platform features
  • Techniques for securing features by scenario
What Drives us to the Cloud?
  • Reduced capital investment
  • Scale out on demand, pay as you go
  • Unbounded scale for bursts or peak loads
  • Better overall IT management strategy
  • Quality of service, zero downtime updates
  • Focus resources on implementation and business logic
Typical Concerns
  • Loss of control
  • Reliability of services
  • Service level commitments and guarantees
  • Ability to change vendors if dissatisfied
  • Security
Windows Azure Platform Building Blocks
  • Windows Azure AppFabric
  • Windows Azure
  • Windows Azure Storage
  • SQL Azure
  • Platform Infrastructure, Equipment, Data Center


Windows Azure Platform Features

Diagram: Windows Azure (Web Role, Worker Role) with AppFabric (Access Control, Cache Service) alongside; the On Premise Domain connects through AD FS 2; Windows Azure Storage (Blobs, Tables, Queues, reached over REST) and SQL Azure hold the data.


Service Bus
  • Primarily designed to address connectivity issues
    • Services may be located behind Private IPs, firewalls, load balancers, proxy servers
  • Also enhances reliability and scalability
  • Provides added security

Diagram: the Service Bus relays to a Service hosted On Premise.


Service Bus as DMZ

Diagram: clients (Browser, Windows Phone 7, WPF, Silverlight, MVC/jQuery AJAX) talk to an MVC Site, a Web Forms Site and an MVC/REST Router; REST Routers in the DMZ forward to the Services in the Corporate Domain.


Service Bus as DMZ (2)

Diagram: the same clients and sites, but AppFabric (Service Bus) takes the place of the DMZ routers in front of the Corporate Domain Services.


Service Bus to Data On Premise / Migration

Diagram: Client → Web Application (Windows Azure) → AppFabric → Service (Corporate Domain).


Service Bus Security

Diagram: the Client encrypts the message and sends a signed request over HTTPS (with an Access Control token) to AppFabric, which relays it over TCP or HTTPS to the Service in the Corporate Domain, where the message is decrypted; an Evil Client is also shown trying to reach the relay.

Service Bus Recommendations:

  • Require relay credential
  • Encrypt keys at client
  • Try to use TCP relay for performance and cost savings
  • Add message security for highly sensitive data
  • Use negotiation for encryption certificate over HTTP


SQL Azure
  • Relational data store in the cloud (SQL Server 2008 R2)
  • TDS support (client connections)
  • REST-based Management API
  • Protected by:
    • Firewall Rules
    • SQL Server authentication (not Windows)
    • Certificate authentication
Relational Data On Premise / In The Cloud

Diagram: Client → Web/Worker Role (Windows Azure) → AppFabric → Service (Corporate Domain), with SQL Azure shown as the cloud-side relational store.


SQL Azure Security

Diagram: SQL Azure Firewall Rules gate every caller. Web/Worker Role and Service in Windows Azure: "Allow Microsoft Services" + User Credentials. SQL Server Management Studio, SSRS, SSIS and AS in the Corporate Domain: IP Address + User Credentials. Administrative REST Client: IP Address + Certificate (REST API). Service: IP Address + Service User. Web Portal: Portal Admin, then IP Address + DB Admin. Inside SQL Azure: master (logins) and the user database (Table A, Table B, users).

SQL Azure Recommendations:

  • Use portal admin to create DB admin accounts and manage firewall rules
  • Use DB admin accounts to configure schema and users
  • Use trusted subsystem users to reduce attack surface
  • Automate with the REST API where possible


SQL Azure Data Protection

Diagram: the Application in Windows Azure computes a hash of the user input and compares it with the stored Hash; data is encrypted before it is written and decrypted after it is read, so SQL Azure holds only Hash and Encrypt(ed) columns.

SQL Azure Recommendations (2):

  • Limit access to hashing and encryption material
  • Use asymmetric encryption, cert store to protect keys, limited access
  • Protect hashing material by encrypting config

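The "compute hash / compare hash" path of the slide above, as an added example that is not part of the presentation: the per-record salt and the keyed hash are the only things written to the database, the hashing material lives solely in the application's (encrypted) configuration, and comparison is constant-time. HASHING_MATERIAL, the user records and the simulated table are constructed; the example covers only the hash path of the diagram, not the encrypt/decrypt path.

```python
import hashlib
import hmac
import os

# "Hashing material" kept in application configuration (which the slide says
# should itself be encrypted), never in the database. Constructed constant for
# this example; load it from protected config in real code.
HASHING_MATERIAL = bytes.fromhex(
    "9f2c6a1d4e8b70c3f5a2d9e14b7c06a8d3e5f1b2c4a6d8e0f2a4b6c8d0e2f4a6"
)
PBKDF2_ROUNDS = 100_000
SALT_BYTES = 16


def compute_hash(user_input: str, salt: bytes, material: bytes = HASHING_MATERIAL) -> bytes:
    """'compute hash' step: stretch the input with a per-record salt, then key the
    result with the application-held hashing material so that a copy of the
    database alone cannot be used to verify or brute-force the stored value."""
    stretched = hashlib.pbkdf2_hmac("sha256", user_input.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.new(material, stretched, hashlib.sha256).digest()


def store(db: dict, user: str, user_input: str) -> None:
    """Write only the salt and the keyed hash to the (simulated) SQL Azure table."""
    salt = os.urandom(SALT_BYTES)
    db[user] = {"salt": salt, "hash": compute_hash(user_input, salt)}


def verify(db: dict, user: str, user_input: str, material: bytes = HASHING_MATERIAL) -> bool:
    """'compare hash' step: recompute and compare in constant time."""
    record = db.get(user)
    if record is None:
        # Do the same amount of work for unknown users so response time does
        # not reveal whether the account exists.
        compute_hash(user_input, b"\x00" * SALT_BYTES, material)
        return False
    return hmac.compare_digest(compute_hash(user_input, record["salt"], material), record["hash"])


def offline_attack_without_material(db: dict, user: str, guesses) -> bool:
    """What an attacker holding only the database rows can do: hash guesses with
    the salt but without the hashing material. Returns True if any guess matches."""
    record = db[user]
    for guess in guesses:
        stretched = hashlib.pbkdf2_hmac("sha256", guess.encode("utf-8"), record["salt"], PBKDF2_ROUNDS)
        if hmac.compare_digest(stretched, record["hash"]):
            return True
    return False
```

The keyed step is what "limit access to hashing material" buys: with the material out of the database, a leaked table of salts and hashes gives the attacker nothing to compare candidate inputs against.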

Windows Azure & Windows Azure Storage
  • Compute, Storage and Management services
  • Host web applications and services
  • Applications can leverage non-relational tables, queues or blob storage
    • Replace a relational database, or use tables to complement one
    • Host large media content
    • Optionally distribute via Content Delivery Network (CDN)
    • Mount drives as a migration approach
  • Go all-in or scale out specific features
Windows Azure & Windows Azure Storage

Diagram: the Web Role and Worker Role in Windows Azure call Windows Azure Storage (Queues, Tables, Blobs) over REST.

Windows Azure Storage

Diagram: Applications in Windows Azure and an external Storage Client address Queues, Tables and Blobs in Windows Azure Storage by REST URI.


Windows Azure Storage Security

Diagram: every path into Windows Azure Storage (Queues, Tables, Blobs) is REST over HTTPS, whether from the Corporate Domain (Remote Client, Client App, Management Tools) or from Windows Azure (Administration Service, Web/Worker Role, Web Portal), and all of them authenticate with the storage account's Symmetric Key.


Windows Azure Storage Tiers

Diagram: the Remote Client and Client App never hold the Symmetric Key; they call a Service in Windows Azure over HTTPS, and only that Service (holding an encrypted key) and the Administration Web Portal (which can roll keys) talk REST to Queues, Tables and Blobs.

Azure Storage Recommendations:

  • Never ship keys to non-owned clients
  • Avoid shipping keys to remote clients
  • Encrypt keys in config


Blob Storage Integrity

Diagram: the Service in Windows Azure uploads each blob together with its MD5 Hash; Windows Azure Storage validates the hash on receipt and stores the blob in the Blob Container with its MD5.

Blob Storage Recommendations:

  • For very large media uploads and/or mission critical data use MD5 validation to ensure integrity

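The Symmetric Key of the storage security slides and the MD5 validation above, as one added example that is not part of the presentation: every REST call to storage is authenticated by an HMAC-SHA256 over a canonical string-to-sign computed with the account key (which is why that key must stay in the service tier), and a Content-MD5 header lets the receiving side detect a corrupted upload. The string-to-sign layout is an assumption modeled on the documented SharedKey scheme for service version 2009-09-19; the account name, key, URL and body are constructed. Caveat: Content-MD5 is a transit-integrity check against corruption, not a substitute for the request signature or for message-level security.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlsplit

# Constructed values: a fake storage account and a made-up 64-byte key.
ACCOUNT = "myaccount"
ACCOUNT_KEY_B64 = base64.b64encode(bytes(range(64))).decode()


def content_md5(body: bytes) -> str:
    """Content-MD5 header value: base64 of the raw 16-byte MD5 digest, not hex."""
    return base64.b64encode(hashlib.md5(body).digest()).decode()


def md5_matches(body: bytes, header_value: str) -> bool:
    """Receiving side: does the body that arrived match the declared Content-MD5?"""
    return hmac.compare_digest(content_md5(body), header_value)


def _canonicalized_headers(headers: dict) -> str:
    # Lower-cased x-ms-* headers, sorted by name, each written as "name:value\n".
    items = sorted((k.lower(), v.strip()) for k, v in headers.items()
                   if k.lower().startswith("x-ms-"))
    return "".join(f"{k}:{v}\n" for k, v in items)


def _canonicalized_resource(account: str, url: str) -> str:
    # "/account/path", then each query parameter lower-cased and sorted as "\nname:value".
    parts = urlsplit(url)
    out = f"/{account}{parts.path}"
    params: dict = {}
    for k, v in parse_qsl(parts.query, keep_blank_values=True):
        params.setdefault(k.lower(), []).append(v)
    for k in sorted(params):
        out += f"\n{k}:{','.join(sorted(params[k]))}"
    return out


def string_to_sign(verb: str, url: str, headers: dict, body: bytes, account: str = ACCOUNT) -> str:
    """Assumption: the field order of the documented SharedKey scheme for service
    version 2009-09-19, in which Content-Length is written as "0" for an empty body."""
    h = {k.lower(): v for k, v in headers.items()}
    fields = [
        verb.upper(),
        h.get("content-encoding", ""),
        h.get("content-language", ""),
        str(len(body)),
        h.get("content-md5", ""),
        h.get("content-type", ""),
        "" if "x-ms-date" in h else h.get("date", ""),  # Date is left blank when x-ms-date is sent
        h.get("if-modified-since", ""),
        h.get("if-match", ""),
        h.get("if-none-match", ""),
        h.get("if-unmodified-since", ""),
        h.get("range", ""),
    ]
    return ("\n".join(fields) + "\n" + _canonicalized_headers(headers)
            + _canonicalized_resource(account, url))


def sign_request(verb, url, headers, body, account=ACCOUNT, key_b64=ACCOUNT_KEY_B64) -> str:
    """Authorization header: HMAC-SHA256 over the string-to-sign with the decoded
    account key. Anyone holding this key can sign any request against the account."""
    key = base64.b64decode(key_b64)
    msg = string_to_sign(verb, url, headers, body, account).encode("utf-8")
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"SharedKey {account}:{base64.b64encode(mac).decode()}"


def put_blob_headers(body: bytes, url: str, date: str = "Mon, 16 May 2011 12:00:00 GMT") -> dict:
    """Headers the service tier sends for a Put Blob with an integrity check; the
    Content-MD5 value is itself covered by the signature, the body bytes are not."""
    headers = {
        "x-ms-date": date,
        "x-ms-version": "2009-09-19",
        "x-ms-blob-type": "BlockBlob",
        "Content-Type": "application/octet-stream",
        "Content-MD5": content_md5(body),
    }
    headers["Authorization"] = sign_request("PUT", url, headers, body)
    return headers


def authorized(verb, url, headers, body, key_b64=ACCOUNT_KEY_B64) -> bool:
    """Storage side: recompute the signature from the request and compare in constant time."""
    unsigned = {k: v for k, v in headers.items() if k != "Authorization"}
    expected = sign_request(verb, url, unsigned, body, key_b64=key_b64)
    return hmac.compare_digest(headers.get("Authorization", ""), expected)
```

Two things to notice when running it: a same-length corruption of the body leaves the signature valid (the signature covers the declared Content-MD5, not the bytes), and only the MD5 check catches it; and no caller without the base64 key can produce an Authorization header that `authorized` accepts, which is the whole reason the slides refuse to ship that key to clients.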

Blob Storage Shared Access Signatures

Diagram: access modes for a container. Public Container Access: read and list for anyone, including a Browser. Public Blob Access: read by blob link only, no list. Private Container: read, list, create, update and delete require the authentication header in the request (no browser). Shared Access Signature (SAS): the Service grants a Browser or Client read access for a limited time using the shared access key; a shared access policy is used for a SAS valid longer than 1 hour and to grant list, create, update and delete.

Blob Storage Recommendations (2):

  • Never allow public access to container
  • Allow public read to blob links if appropriate for the application, try to use SAS for this purpose to limit exposure

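The SAS flow of the slide above, as an added example that is neither the presentation's nor the Azure SDK's code: the Service mints a signed query string with the account key, the browser appends it to the blob URL, and the storage side recomputes the signature and then checks the validity window and the requested permission. The string-to-sign layout (sp, st, se, canonicalized resource, si) is an assumption modeled on the 2009-09-19 blob SAS format; ACCOUNT, the key, the blob path and the one-hour ad hoc limit encoded in `ADHOC_MAX` are constructed from the slide's rules.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

# Constructed values: fake account and made-up key (the key never leaves the service).
ACCOUNT = "myaccount"
ACCOUNT_KEY = bytes(range(64))
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
ADHOC_MAX = timedelta(hours=1)  # beyond this a shared access policy (si) is required


def _string_to_sign(permissions, start, expiry, resource_path, identifier) -> str:
    # Assumption: 2009-09-19 blob SAS layout
    # signedpermissions\nsignedstart\nsignedexpiry\ncanonicalizedresource\nsignedidentifier
    return "\n".join([permissions, start, expiry, f"/{ACCOUNT}/{resource_path}", identifier])


def _signature(permissions, start, expiry, resource_path, identifier, key) -> str:
    msg = _string_to_sign(permissions, start, expiry, resource_path, identifier).encode("utf-8")
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()


def issue_sas(resource_path, permissions, start, expiry, resource_type="b",
              identifier="", key=ACCOUNT_KEY) -> str:
    """Service side: mint the query string a browser appends to the blob URL.
    Enforces the slide's rule that anything beyond one hour needs a policy."""
    if expiry <= start:
        raise ValueError("expiry must be after start")
    if not identifier and expiry - start > ADHOC_MAX:
        raise ValueError("ad hoc SAS limited to 1 hour; use a shared access policy (si)")
    st, se = start.strftime(TIME_FMT), expiry.strftime(TIME_FMT)
    params = {"st": st, "se": se, "sr": resource_type, "sp": permissions}
    if identifier:
        params["si"] = identifier
    params["sig"] = _signature(permissions, st, se, resource_path, identifier, key)
    return urlencode(params)


def authorize(query: str, resource_path: str, wanted: str, now: datetime, key=ACCOUNT_KEY):
    """Storage side: verify the signature first, then the window and the permission.
    Returns (allowed, reason)."""
    q = {k: v[0] for k, v in parse_qs(query).items()}
    missing = [p for p in ("st", "se", "sr", "sp", "sig") if p not in q]
    if missing:
        return False, "missing " + ",".join(missing)
    expected = _signature(q["sp"], q["st"], q["se"], resource_path, q.get("si", ""), key)
    if not hmac.compare_digest(expected, q["sig"]):
        return False, "bad signature"
    start = datetime.strptime(q["st"], TIME_FMT).replace(tzinfo=timezone.utc)
    expiry = datetime.strptime(q["se"], TIME_FMT).replace(tzinfo=timezone.utc)
    if not (start <= now < expiry):
        return False, "outside validity window"
    if wanted not in q["sp"]:
        return False, f"permission {wanted!r} not granted"
    return True, "ok"


def demo() -> dict:
    """Issue a 30-minute read SAS and exercise the checks; returns the outcomes."""
    t0 = datetime(2011, 5, 16, 12, 0, tzinfo=timezone.utc)
    path = "media/intro.mp3"
    sas = issue_sas(path, "r", t0, t0 + timedelta(minutes=30))
    tampered = sas.replace("sp=r&", "sp=rw&")  # client tries to upgrade its own permissions
    results = {
        "read_in_window": authorize(sas, path, "r", t0 + timedelta(minutes=5))[0],
        "read_after_expiry": authorize(sas, path, "r", t0 + timedelta(minutes=31))[0],
        "read_before_start": authorize(sas, path, "r", t0 - timedelta(minutes=1))[0],
        "write_not_granted": authorize(sas, path, "w", t0 + timedelta(minutes=5))[0],
        "other_blob": authorize(sas, "media/other.mp3", "r", t0 + timedelta(minutes=5))[0],
        "escalated_permissions": authorize(tampered, path, "w", t0 + timedelta(minutes=5))[0],
        "wrong_key": authorize(sas, path, "r", t0 + timedelta(minutes=5), key=b"\x00" * 64)[0],
    }
    try:
        issue_sas(path, "r", t0, t0 + timedelta(hours=2))
        results["two_hour_adhoc_rejected"] = False
    except ValueError:
        results["two_hour_adhoc_rejected"] = True
    policy_sas = issue_sas(path, "r", t0, t0 + timedelta(hours=2), identifier="media-readers")
    results["two_hour_with_policy"] = authorize(policy_sas, path, "r", t0 + timedelta(minutes=90))[0]
    return results
```

The order inside `authorize` matters: the signature is checked before anything is read from the query, so a client cannot influence the window or permission checks with unsigned values, and the permission string granted by the service (`sp`) is the only thing the blob link can ever confer.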

Windows Azure Architecture

Diagram: the Web Role hosts AJAX/jQuery, Silverlight, ASP.NET/MVC, WCF and .NET code; the Worker Role hosts WCF and .NET code; both run on .NET FW 3.5 SP1 / .NET FW 4 under CAS Policy and NT Security Policy and use Blobs, Tables and Queues.

Application Architecture Tiers

Diagram: in Windows Azure, Web Roles expose External Endpoints (a Web Application and a WCF Service) and call Worker Role WCF Services over Internal Endpoints; the back end is SQL Azure and Azure Storage (Blobs, Tables, Queues) over REST.


Added Security with Service Bus

Diagram: Clients reach the Web Roles (Web Application, WCF Service) through the Service Bus; the Web Roles call Worker Role WCF Services over Internal Endpoints, and the Service Bus also relays to a Service in the Corporate Domain.


Scaling Out Compute Cycles

Diagram: the Client calls a Web Role WCF Service through the Service Bus; the Web Role writes work to a Compute Queue in Azure Storage (REST) and a Worker Role WCF Service pulls from the queue; a Service in the Corporate Domain is also attached to the Service Bus.


Scaling Out Compute Cycles (2)

Diagram: the Web Role WCF Service writes to the Compute Queue and several Worker Role WCF Services pull from it in parallel.


Scaling Out Media Access

Diagram: the Client in the Corporate Domain calls a REST Service that serves media from Blob Containers in Azure Storage, each fronted by a CDN Cache.


Identity Federation Benefits
  • Decouple authentication mechanism from applications and services
  • Go claims-based
  • Reduce IT pain and risk related to provisioning and de-provisioning users
  • Extend trust to users across domain, corporate and Internet boundaries
  • Support Single Sign-On (SSO)
Passive Federation

Diagram: five numbered steps between the Browser, the Azure Hosted Web Site, the STS and its Login Page: the browser requests the site, is redirected to the STS, authenticates at the Login Page, and posts the issued token back to the site.


Active Federation

Diagram: three numbered steps: the Windows Client requests a token from the STS, receives it, and presents it to the Azure Hosted Service.


STS On Premise

Diagram: the Windows Client obtains a token from an STS in the on-premise DMZ and calls the Azure Hosted Service.


Windows Users Behind DMZ

Diagram: the Windows Client authenticates against ADFS V2 in the DMZ, which fronts ADFS V2 on the Domain Server (AD Users); the token is then presented to the Azure Hosted Service.


Access Control and Mainstream Identity Providers

Diagram: five numbered steps: the Browser visits the Relying Party Web, is sent to Access Control, which brokers sign-in with Google, Facebook, Yahoo! or Windows Live and returns a token that the Browser posts to the Relying Party.


Access Control and Enterprise Identity Providers

Diagram: the same five steps, with an Enterprise Identity Provider added to Google, Facebook, Yahoo! and Windows Live behind Access Control.


Relying Party STS + Access Control

Diagram: Google, Yahoo!, Facebook and Windows Live sit behind Access Control; Enterprise Identity Providers (including AD FS V2) and Access Control feed a Relying Party STS, which applies Policy and issues tokens to the Relying Party Web. Flow of tokens, not direct communication.


Summary
  • Application architecture must be well defined before you can define your cloud strategy
  • Assess risks related to data, content and other assets
  • Determine which can be moved to the cloud
  • Determine whether a migration plan from on-premise to the cloud is needed
  • Define the application architecture for the cloud and the security plan for each Windows Azure Platform feature
  • Document the IT, shared hosting and application security concerns and mitigations in your internal SLA
ARC Track Resources
  • http://www.microsoft.com/visualstudio
  • http://www.microsoft.com/visualstudio/en-us/lightswitch
  • http://www.microsoft.com/expression/
  • http://blogs.msdn.com/b/somasegar/
  • http://blogs.msdn.com/b/bharry/
  • http://www.microsoft.com/sqlserver/en/us/default.aspx
  • http://www.facebook.com/visualstudio
Resources
  • Connect. Share. Discuss. http://northamerica.msteched.com
  • Learning: Sessions On-Demand & Community (www.microsoft.com/teched); Microsoft Certification & Training Resources (www.microsoft.com/learning)
  • Resources for IT Professionals: http://microsoft.com/technet
  • Resources for Developers: http://microsoft.com/msdn