Category Archives: Security

A focus on Azure Security Options

A number of security options are available for Microsoft Azure, and any customer should consider them as part of planning their Azure subscriptions.

I have put together a small whitepaper which introduces some of the key concepts and solutions which should be considered for any cloud deployment.

You can download my published whitepaper below.

MICROSOFT AZURE SECURITY A FOCUS ON CLOUD SECURITY SOLUTIONS


Shared Responsibilities: Cloud Computing

Whilst implementing security controls in Microsoft Azure, it is also important to understand the responsibilities shared between the cloud service provider and the customer, and what the customer can configure and control in terms of networking and security for the services they require. Responsibilities change when you work with SaaS, PaaS and IaaS. It’s also important to understand how Microsoft handles security response and the process which is followed.

Alice Rison, Senior Director, Microsoft Azure, has just published details of two whitepapers which were recently released to provide insight into the shared responsibilities and security response at Microsoft.

The published papers can be found linked to this announcement here: Microsoft Incident Response and shared responsibility for cloud computing

Azure NSG Rules: Beware

Recently, I had reviewed an issue with a load balancer which was not working correctly in Azure IaaS. This load balancer was specifically created in Azure Resource Manager (ARM) and it was load balancing a SQL Server AlwaysOn Availability Group (AOAG) listener. Client connections would fail to connect to the SQL Server standard TCP port 1433 through the load balancer, but the host would be accessible with a direct reference.

After a fair amount of troubleshooting, it turned out that Network Security Group (NSG) rules were preventing the load balancer from working correctly. The default rules in NSGs are set at a very high priority number (so they are evaluated last), and they do allow load balancers to access the local virtual networks. This is currently defined in the default rule highlighted below: the source tag AzureLoadBalancer is used to allow a destination of any, with any service/port, on the NSG.

[Image: Azure NSG default inbound rules]

The rule which blocked the load balancer from functioning correctly has been shown below.

[Image: Azure NSG inbound rule blocking the Internet source tag]

Creating a rule that blocked a source tag of Internet, with a destination of any, a service of any and source/target port ranges of any, rendered the load balancer inoperable. The rule is actually not required, since the default DenyAllInBound rule already blocks any internet traffic. In any case, you would need to either load balance requests or NAT traffic from the internet to the local subnet or host in order to have the appropriate communication pass through.

When you define your NSGs and apply these to subnets or host network interfaces, be aware that you have the capability to block Azure services from working correctly.

Manage the security architecture correctly and ensure that you design your NSGs based on your requirements; also be aware of the default NSG rules which are implicitly applied.
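To make the failure mode above concrete, here is a small model of NSG inbound rule evaluation, written for this post as an added example (it is not Azure's code and not from the original post). Rules are evaluated in ascending priority number and the first match wins; the three default inbound rules (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500) are Azure's real defaults. The one assumption, consistent with what the post observed, is that the load balancer's source address is matched by the Internet tag as well as the AzureLoadBalancer tag, so a custom deny on Internet that outranks rule 65001 also catches the load balancer. The `rules_outranking_load_balancer_allow` check is a defensive lint a practitioner could run over an exported rule set before applying it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int   # lower number is evaluated first
    source: str     # service tag or "*"
    dest: str       # service tag or "*"
    port: str       # "*" or a port number as a string
    action: str     # "Allow" or "Deny"


# Constructed membership model: which service tags a given kind of traffic source satisfies.
# Assumption (consistent with the post's observation): load balancer traffic is matched by
# both the AzureLoadBalancer tag and the Internet tag.
TAG_MEMBERSHIP = {
    "AzureLoadBalancer": {"AzureLoadBalancer", "Internet", "*"},
    "VirtualNetwork": {"VirtualNetwork", "*"},
    "Internet": {"Internet", "*"},
}

# Azure's default inbound rules, in the priority order the platform evaluates them.
DEFAULT_INBOUND = [
    NsgRule("AllowVnetInBound", 65000, "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", "Allow"),
    NsgRule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]

# The custom rule described in the post: deny source tag Internet, any destination, any port.
CUSTOM_DENY_INTERNET = NsgRule("DenyInternetInBound", 100, "Internet", "*", "*", "Deny")


def evaluate(rules, source_kind, dest_tag, port):
    """Return (action, rule_name) for the first rule that matches, by ascending priority."""
    tags = TAG_MEMBERSHIP[source_kind]
    for rule in sorted(rules, key=lambda r: r.priority):
        source_ok = rule.source in tags
        dest_ok = rule.dest in ("*", dest_tag)
        port_ok = rule.port in ("*", str(port))
        if source_ok and dest_ok and port_ok:
            return rule.action, rule.name
    return "Deny", "<no rule matched>"


def rules_outranking_load_balancer_allow(rules):
    """Lint: Deny rules evaluated before AllowAzureLoadBalancerInBound whose source tag
    also covers load balancer traffic. Any hit will break load-balanced services."""
    lb_allow = next(r for r in rules if r.source == "AzureLoadBalancer" and r.action == "Allow")
    lb_tags = TAG_MEMBERSHIP["AzureLoadBalancer"]
    return [r.name for r in sorted(rules, key=lambda r: r.priority)
            if r.action == "Deny" and r.priority < lb_allow.priority and r.source in lb_tags]


if __name__ == "__main__":
    broken = DEFAULT_INBOUND + [CUSTOM_DENY_INTERNET]
    # Load balancer reaching the SQL listener on TCP 1433 with the custom rule in place: denied.
    print(evaluate(broken, "AzureLoadBalancer", "VirtualNetwork", 1433))
    # Same traffic with only the default rules: allowed by AllowAzureLoadBalancerInBound.
    print(evaluate(DEFAULT_INBOUND, "AzureLoadBalancer", "VirtualNetwork", 1433))
    # Internet traffic with only the default rules is already denied, so the custom rule adds nothing.
    print(evaluate(DEFAULT_INBOUND, "Internet", "VirtualNetwork", 1433))
    print(rules_outranking_load_balancer_allow(broken))
```

The lint deliberately ignores destination and port, because a Deny on the Internet tag with a narrower destination would still block the load balancer for that destination; review every hit rather than only those with `*`.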

Microsoft Attack Surface Analyzer & Security Compliance Manager

Microsoft have released an Attack Surface Analyzer as part of their Security Development Lifecycle tools. The free product is available for download here.

As well as using the attack surface analyzer tool, I would highly recommend using the Microsoft Security Compliance Manager for assisting in applying best practice group policies for a Windows Domain Environment.

Understanding the attack surface on a server and applying best practice security policies within an enterprise environment are vital as part of a security strategy.

Two Factor Authentication: Enterprise Security Architecture

For many years now it’s been standard practice to have a username and a password to access an enterprise service, either internally in the organization or to access resources over the internet via a VPN or web service. Today, the chances are most systems are still being accessed using this simple authentication model. It’s like the 70s, when you had one key to unlock your car and start your vehicle. Before the car manufacturers installed immobilizers and anti-theft electronics with encrypted 2/3-way remote keys, anyone could get into your vehicle without the deadlocks (and without breaking glass), hotwire your car and be away down the road in less than 25 seconds. I like to think of this example as a one-factor authenticated user on an enterprise network. I have a username and a password (my key to unlock the car) and get going.

Two Factor Authentication (TFA, 2FA) has been around for many years. It is the basics of something you know (a password or a PIN) and something you have (a token). Now we are moving onto the realm of an immobilizer with a key fob. That sounds great, but as always there is a cost associated with the value of having one time passwords provided by tokens, providing the ultimate security architecture for authentication. One time passwords (OTP) are the best method as a security measure. That said, I’m not discussing Multi-Factor Authentication (MFA) in this post, which offers additional security.

Over the years the cost of TFA has come down considerably and it should be considered an inherent part of the security architecture in any organization. For example, if you’re still not convinced, let’s look at the very basics of how someone might try to hack into your system:

1) Well known passwords: A dictionary attack tends to try the most common dictionary words. A dictionary database is used as part of the hacking program to attempt to crack the password. As the power of computers increases, any number of passwords in a dictionary can be exhaustively tried within a matter of minutes. Companies usually include security controls to lock out accounts after a number of failed attempts within a set period of time to protect against this type of attack. Controls and policies are also put into place to force complex passwords (passwords with upper case and lower case characters, numbers and other non-alphabetic characters) and require them to be changed after a set number of days.

2) Key logger/Malware: Let’s put the above control in place; any malware (malicious software) can still record and send back screenshots and the keystrokes you have typed on your keyboard, without your knowledge, on a regular basis to a server over the internet. This is a basic example of how the basic enterprise security policies can fail.

3) Try common usernames and passwords: How often do you create test accounts, which may not have policies applied for account expiration and for password changes?

In the past I have found the following username/password combinations during basic security checks:

  • test/test
  • test/test1
  • test/test123
  • testuser/testuser
  • testuser1/test
  • testuser2/testuser2

Whilst this might seem like a simple approach to trying to hack test accounts, how many of you may have used the above combinations in the past? Even though this post discusses usernames and passwords, the same applies to well known usernames and passwords for network devices.

4) Shoulder surfing/internal threat: Someone walks by your desk and watches you login to your account and sees the keystrokes.

5) Can you remember where you wrote down your passwords, because you have so many to remember to access all the corporate systems?

As well as two factor authentication, it would be ideal to integrate all the corporate systems with a common security directory, e.g. Microsoft Active Directory Domain Services (ADDS). The TFA model can then be integrated with ADDS to ensure access to applications is secured using the same model, thus providing an extra factor of security within the enterprise.
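The following is an added example written for this post (not code from the original post or from any of the vendors named below) showing what a token-based one time password actually is and how a server should check it together with the password. The OTP is the HMAC-based algorithm from RFC 4226 (HOTP) and its time-based variant from RFC 6238 (TOTP), using the RFC's own reference secret so the output can be checked against the published test vectors. The `OtpVerifier` class is a constructed illustration, not a product API: it applies the lockout control from point 1, rejects a replayed code so that a keystroke captured as in point 2 is worthless once used, and requires both factors to pass.

```python
import hashlib
import hmac
import struct

# Constructed: RFC 4226 reference secret, chosen so hotp() matches the RFC's test vectors.
SHARED_SECRET = b"12345678901234567890"
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation
    to a 31-bit integer, reduced to the requested number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): the counter is the number of elapsed time steps (30 s by default)."""
    return hotp(secret, unix_time // step, digits)


class OtpVerifier:
    """Constructed server-side check of 'something you know' plus 'something you have'."""

    def __init__(self, password: str, secret: bytes, max_failures: int = 5,
                 step: int = 30, window: int = 1):
        self.salt = b"constructed-salt"  # constructed; a real service draws this from os.urandom
        self.password_hash = self._hash(password)
        self.secret = secret
        self.max_failures = max_failures
        self.step = step
        self.window = window          # tolerated clock drift, in time steps either side
        self.failures = 0
        self.last_accepted_step = -1  # highest time step whose code was already consumed

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, password: str, code: str, now: int) -> str:
        """Return 'ok', 'denied' or 'locked'. Both factors are always evaluated so the
        response does not reveal which one was wrong."""
        if self.failures >= self.max_failures:
            return "locked"
        pw_ok = hmac.compare_digest(self._hash(password), self.password_hash)
        current = now // self.step
        accepted = None
        for t in range(current - self.window, current + self.window + 1):
            # A step at or below the last accepted one is a replay, even if the code matches.
            if t > self.last_accepted_step and hmac.compare_digest(hotp(self.secret, t), code):
                accepted = t
                break
        if pw_ok and accepted is not None:
            self.failures = 0
            self.last_accepted_step = accepted
            return "ok"
        self.failures += 1
        return "denied"


if __name__ == "__main__":
    print(hotp(SHARED_SECRET, 0))  # RFC 4226 test vector for counter 0
    verifier = OtpVerifier("correct horse battery", SHARED_SECRET)
    code = totp(SHARED_SECRET, 59)
    print(verifier.login("correct horse battery", code, 59))  # first use of the code
    print(verifier.login("correct horse battery", code, 59))  # same code replayed
```

The replay check is what makes the keylogger scenario (point 2) survivable: a captured password plus a captured code is only useful until the token holder has used that code, and then only within the drift window. The lockout counter is kept per account, exactly as the policy in point 1 describes, and applies to the combined attempt rather than to each factor separately.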

Which vendor should you choose?

I have listed the most commonly known vendors below:

  • RSA
  • Safe Word
  • Phone Factor
  • DeepNet Security
  • Quest Defender
  • EnTrust Identity Guard

Don’t forget to ensure the security architecture applies internally as well as externally. Any externally accessible IP address which provides access to the corporate systems should follow the same standards. Now a question comes to mind for a future post: how does this affect Cloud Computing? That is another post for a later date, in which I will be discussing the security standards an enterprise should consider when moving to the cloud.

Cloud Computing, The Basics

When it comes to ‘Cloud Computing’ there are a few acronyms which are referenced in most articles, which I will explain in my first official blog about cloud computing basics. The main acronyms are described below.

SaaS (Software as a Service): A service provided by a vendor which is typically provided as a packaged solution to multiple customers. The service is usually provided, but not limited to, through a web browser. The vendor provides the service over the internet, and it is managed and maintained by the vendor. The customer does not need to worry about upgrades, patching and the security architecture of the service. Examples of SaaS include Facebook, Microsoft Online and Google Apps. SaaS has been around for a number of years.

IaaS (Infrastructure as a Service): Infrastructure as a Service is a service model where a company would outsource the servers, network and storage to a service provider. All the hardware is owned and managed by the service provider and the resources are provided over the internet. The service provider can also provide the operating system, messaging and databases. The company obtaining the services would usually pay on a transaction or per-use basis. Examples of IaaS include Amazon Web Services (AWS), Microsoft Hyper-V Private Cloud, Apple’s iWork.com and IBM’s Blue Cloud services. Utilizing IaaS effectively allows the architecture of a dynamic datacenter which can be flexible to an organization’s requirements.

PaaS (Platform as a Service): Platform as a Service is an architecture framework that allows a complete development platform to build and assemble solutions, similar to SaaS, but with development tools for customization. The underlying operating system and hardware are still provided by the service provider. PaaS offers the ability to run full rich applications over the internet, offered as utility computing. The model is still usually provided on a pay-per-use or subscription basis. Rich internet applications can be developed by businesses utilizing a robust platform with faster application delivery times. PaaS includes modules which can be integrated to build the applications necessary for the business. Examples of PaaS include Microsoft Azure, Salesforce.com, Rollbase, Google App Engine and BungeeConnect.

CloudStream: An integration template which provides the required nuts and bolts to secure, provide governance for and manage the communication between two services at the Application Programming Interface (API). The integration can be enterprise to cloud or cloud to cloud. The CloudStream captures configuration information for cloud brokers and packages the configuration information to connect the endpoints together. CloudStream will become the standard for integration across the cloud and enterprise. For on-premise systems, appliances/software solutions can help with cloud integration, such as the Vordel Cloud Service Broker, Forum Sentry SOA Security Gateway, Layer 7 CloudSpan products, Ping Federate Connectors and Microsoft Active Directory Federation Services 2.0.