Windows Azure Security Essentials – Part 2/N – Cloud Threats and how Windows Azure handles them

   One of the most important parts of security is to know your threats, and in the Cloud it is important to know which threats differ from those of an on-premise environment. They are:

  • Traditional threats, like:
    • Cross-site scripting (XSS), SQL Injection
    • DoS attacks, network spoofing, DDoS
  • Old threats that are mitigated by the platform and are the responsibility of the Cloud vendor:
    • Patching is automated and instances are moved to secure systems
    • Cloud resiliency improves failover across a service
  • Some of the existing threats are expanded, like:
    • Data privacy, such as location and segregation
    • Abuse of privileged access by admins
  • New threats also appear, like:
    • Privilege escalation from the virtual machines to the hosting server
    • Breaking the boundaries between VMs
    • “Hyperjacking”

   Windows Azure implements the following security measures:

    • Data
      • Strong storage keys for access control
      • SSL support for data transfers between all parties involved
    • Application
      • Partial Trust mode to run public-facing applications
      • Windows account with least privileges, so that getting into the application does not give access to anything important
    • Host
      • Special version of the Windows Server 2008 R2 operating system
      • Host boundaries enforced by an external hypervisor
    • Network
      • Host firewall limiting traffic to the VMs
      • VLANs and packet filters in routers
    • Physical
      • World-class physical security
      • ISO 27001 and SAS 70 Type II certifications for datacenter processes

       Defenses inherited by Windows Azure Platform Applications

    • Spoofing
      • VLANs
      • Top-of-rack switches
      • Custom packet filtering
    • Tampering / Disclosure
      • VM switch hardening
      • Certificate Services
      • Shared-access signatures
      • HTTPS
      • Side channel protections
    • Repudiation
      • Monitoring
      • Diagnostics Service
    • Denial of Service
      • Configurable scale-out
    • Elevation of Privilege
      • Partial Trust Runtime
      • Hypervisor custom sandboxing
      • Virtual Service Accounts

      Windows Azure Data Center Security

    • World-Class Physical Security
      • 24×7 secured access
      • Electronically controlled access systems
      • Video camera surveillance
      • Motion detectors
      • Security breach alarms
    • Industry Certifications
      • ISO 27001-2005
      • SAS 70 Type II


    This information was gathered based on the following video.

    Windows Azure Security Essentials – Part 1/N – Security Overview

       Security is one of the most important parts of Cloud Computing, since we are in a completely new environment compared to the ones we are used to. When using Cloud Computing, “the platform is managed for us” rather than “us managing our platform”.

        Another thing that is completely different between the On-Premise and the Platform as a Service model is that, instead of having full control of the platform (Physical/Network/Host/Application and Data), we really only control the Data and the Application; the rest is the responsibility of our vendor, which in the case of the Windows Azure Service Platform is Microsoft. But with the platform managed by Microsoft, we need assurance that our data is secure and protected, even from Microsoft admins.

       So some of the Cloud Security concerns are:

    • Where is my data located? Is the data stored in a place that is permitted by my country’s laws and regulations?
    • Is the Microsoft Cloud “secure”?
    • Who can see my data?
    • How do you make sure my company’s data follows “the rules” (country rules and laws)?

      All of this means that Cloud Security needs a mind shift, since:

    • Much of the traditional infrastructure security moves to the platform and application layers, and we are unable to change them. So we need to do something different:
      • Network Access Control Lists and firewalls become host packet filters and virtual filters
      • Reduction of the attack surface, least privilege, user authentication and input sanitization become key concerns when designing and developing an application
      • Platform- and network-level encryption will still play a very important role, but the most important point is that the developer becomes more responsible for the application’s security and encryption design

       In order to manage security on Windows Azure we can use:

    • Service Management Security
      • Customers create a Windows Azure subscription using Live ID credentials
        • Live ID is one of the longest-running Internet authentication services available
      • Hosted services and storage accounts are managed through Live ID or through the Service Management API (SMAPI) with user-generated public/private key pairs
        • The SMAPI protocol runs over SSL and is authenticated based on the user-generated public/private keys
      • All communications between the several Windows Azure internal components are encrypted using SSL, and the communication between the Fabric Controller and the managed nodes is unidirectional

      By default the Web Roles run in partial trust mode, and the recommendation is that all public-facing roles use Partial Trust and avoid holding secret information. Instead, that information should be passed to a higher-trust role, for example a Worker Role running in Full Trust mode and exposing only Internal Endpoints.

       Within each Windows Azure subscription a developer can create multiple storage accounts, and each account has 2 keys in order to provide key rollover capability, in the same way that we change our passwords frequently in order to maintain security.

     SQL Azure Security

    • Same security model as the SQL Server authentication model
      • SQL Server Logins
        • Authenticate access to SQL Azure
      • Database Users
        • Grant access at the database level
      • Database Roles
        • Group users and grant access at the database level
    • Only SQL Server authentication is supported
      • Users must provide credentials every time they connect
      • Password resets will not force a connection to be re-authenticated
      • Every 60 minutes since the last authentication, a re-authentication is performed (done automatically, and if there has been a password update, the new password is used instead)
    • During the provisioning process, a login is created for you that is the server-level principal, similar to the SA (System Administrator) login in SQL Server.
      • Used to create additional user accounts
    • Only available through TCP port 1433, which requires customers to configure their internal firewalls to allow outgoing requests to this port.
    • The source IP address needs to be authorized in the SQL Azure Firewall
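The login → database user → database role chain and the firewall authorization above, carried through as an added T-SQL example (not from the original post or the video): the server-level principal provisions a least-privilege application account. AppLogin, AppUser, AppDb, app_reader, the password and the IP address are made-up placeholders; sp_set_firewall_rule is SQL Azure's server-level firewall procedure in master.

```sql
-- Added example (placeholders: AppLogin, AppUser, AppDb, app_reader, 203.0.113.10).
-- SQL Azure has no USE statement, so each step runs in the database named in its
-- comment: open one connection to master and a second one to AppDb.

-- Step 1 (connected to master as the server-level principal):
-- authorize the client's source IP in the SQL Azure firewall (default deny).
EXEC sp_set_firewall_rule @name = N'AppServerEgress',
     @start_ip_address = '203.0.113.10', @end_ip_address = '203.0.113.10';

-- Step 2 (still in master): create a SQL Server login, the only supported
-- authentication mode. A login proves identity to the server but grants no
-- access to any database by itself.
CREATE LOGIN AppLogin WITH PASSWORD = 'ReplaceWithAStrongPassword!1';

-- Step 3 (connected to AppDb as the server-level principal): map the login to
-- a database user, group rights in a role, and grant the role only what the
-- application actually needs (read-only here).
CREATE USER AppUser FOR LOGIN AppLogin;
CREATE ROLE app_reader;
GRANT SELECT ON SCHEMA::dbo TO app_reader;
EXEC sp_addrolemember N'app_reader', N'AppUser';

-- Step 4 (connected to AppDb as AppLogin): verify the rights are no broader
-- than intended. The SELECT succeeds via app_reader; the INSERT, if run,
-- fails with a permission error because no write grant exists.
SELECT name FROM sys.tables;
-- INSERT INTO dbo.Orders DEFAULT VALUES;   -- denied for AppUser
```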