1 of 35

HOW TO DEPLOY & SECURE

YOUR APPLICATIONS IN AZURE

Developing Security & Compliance in Azure

23.03.22

2 of 35

SEVEN PEAKS TEAM

Team Presentation

3 of 35

BIOGRAPHY

Giorgio Desideri

Tech Lead of Cloud Solutions

  • Working in the IT industry since 2006
  • Experienced in Developer / Consultant / Team Leader positions

4 of 35

AGENDA

Points presented today

  • Starting from Azure Account
  • Stepping through Identity
  • Database and Application Security
  • Frameworks & Models
  • Conclusions

5 of 35

AZURE ACCOUNT

Starting from the base

6 of 35

AZURE ACCOUNT

Considerations before opening an account

  • Audience
    • Project / Product ( engineers, testers, managers, etc. )
    • Application ( users, customers, etc. )
    • Maintenance ( support team, operators, etc. )

  • Access method
    • Credentials or Certificates
    • MFA
    • Devices ( desktops, laptops, mobile, etc. )

7 of 35

AZURE ACCOUNT

Considerations before opening an account

https://docs.microsoft.com/en-us/azure/active-directory/

[Diagram: Azure Active Directory feature areas: People, Devices Management, Domain Service, Identity Governance, Identity Protection, Roles, Application, Hybrid]

8 of 35

AZURE ACCOUNT

Considerations before opening an account

  • Licenses ( Price )
    • Free
    • Office 365
    • Premium P1 / P2
  • Identity Governance
    • Access policy
    • Password Sync / Reset
    • Synchronization with on-premises
    • Synchronization with 3rd parties
  • Scope
    • Active Directory Policies
    • Azure Resources ( RBAC )
  • Device Governance
    • Device Management
    • Mobile Device Management (MDM)
    • Access Reviews
  • Monitoring
    • Alert & Reports

9 of 35

IDENTITIES

Stepping through access management in Azure

10 of 35

IDENTITIES

Access Management

[Diagram: Access Management. POLICY spans User, Services, Application and Devices; Roles and Groups (Assigned, Dynamic, Built-In, Custom); a “Metadata”: { } block attached to the policy]

11 of 35

IDENTITIES

Access Management

  • User Type
    • Guest
    • Member
    • Microsoft 365 (Enterprise)
    • Work / Consumer Account (Azure B2C)

12 of 35

IDENTITIES

Access Management

  • Identity Type
    • Managed Identity
      • System-defined
      • User-defined
    • Service Principal ( Application Registration )
    • Enterprise Application

13 of 35

IDENTITIES

Access Management

  • Identity Type
    • Programmatically defined by the SDK
    • Inherited from the service ( supported by the SDK )

14 of 35

IDENTITIES

Access Management

  • Registration Type / Method
    • AD Join
    • Mobile Device Management ( MDM )
    • Windows Autopilot
    • Hybrid environment ( group policy )
    • AD Connect / Federation

15 of 35

IDENTITIES

Access Management

[Diagram: Access Management. User, Services, Application and Devices are governed by RBAC for Azure Resources and by AD Roles for Active Directory]

17 of 35

DATABASE & APPLICATION

How can we apply “secure development”?

18 of 35

DEVELOPER, DEVELOPER, DEVELOPER

19 of 35

DATABASE SECURITY

[Diagram: Development topics: Authentication, Encryption, Network Restriction, RBAC, Protect Keys]

20 of 35

DATABASE SECURITY

Azure AD Authentication vs SQL Authentication

  • Decouple Database permissions
  • Benefits of Azure AD identity access and permissions management
  • Password and Secret storage
  • Certificate / Token authentication

21 of 35

DATABASE SECURITY

Data Encryption

  • Transparent Data Encryption ( TDE )
  • Encryption-at-rest

22 of 35

DATABASE SECURITY

Network access restriction

  • IP restrictions
  • Azure SQL Firewall
  • Azure Synapse Analytics
  • Encryption-in-transit
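The three database controls on the slides above (Azure AD authentication instead of SQL logins, TDE at rest, TLS and firewall restrictions) expressed as one Bicep template. This is an added example, not code from the slides; the server, database and group names, the admin group object id and the 203.0.113.x client range are placeholders to replace at deploy time.

```bicep
// Added example: Azure SQL logical server hardened per the slides. All names are placeholders.
param location string = resourceGroup().location
param sqlServerName string = 'sql-placeholder-01'
param databaseName string = 'appdb'
param aadAdminGroupName string = 'sql-admins'   // display name of the Azure AD admin group (assumed)
param aadAdminGroupObjectId string              // object id of that group, supplied at deploy time
param clientRangeStart string = '203.0.113.10'  // TEST-NET-3 placeholder for the allowed client range
param clientRangeEnd string = '203.0.113.20'

resource sqlServer 'Microsoft.Sql/servers@2021-11-01' = {
  name: sqlServerName
  location: location
  identity: { type: 'SystemAssigned' }
  properties: {
    minimalTlsVersion: '1.2'             // encryption-in-transit: reject TLS 1.0 / 1.1 clients
    publicNetworkAccess: 'Enabled'       // reachable only through the explicit firewall rule below
    administrators: {
      administratorType: 'ActiveDirectory'
      azureADOnlyAuthentication: true    // no SQL logins exist, so there is no password to store or rotate
      login: aadAdminGroupName
      sid: aadAdminGroupObjectId
      tenantId: tenant().tenantId
      principalType: 'Group'             // grant the group, then manage admins via group membership
    }
  }
}

// One explicit client range; deliberately no 0.0.0.0 rule ("Allow Azure services and resources")
resource clientRule 'Microsoft.Sql/servers/firewallRules@2021-11-01' = {
  parent: sqlServer
  name: 'office-clients'
  properties: {
    startIpAddress: clientRangeStart
    endIpAddress: clientRangeEnd
  }
}

resource db 'Microsoft.Sql/servers/databases@2021-11-01' = {
  parent: sqlServer
  name: databaseName
  location: location
  sku: { name: 'S0', tier: 'Standard' }
}

// TDE (encryption-at-rest) is on by default for new databases; declaring it keeps the
// state explicit in source control and lets Azure Policy flag a database where it was disabled.
resource tde 'Microsoft.Sql/servers/databases/transparentDataEncryption@2021-11-01' = {
  parent: db
  name: 'current'
  properties: { state: 'Enabled' }
}
```

Application code then connects with an Azure AD token (for example via a managed identity) rather than a username and password in the connection string.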

23 of 35

APPLICATION SECURITY

Integrated

  • Azure Active Directory
    • Azure B2C
  • OAuth 2.0
  • OpenID Connect
  • Social ( Facebook, Google, Twitter )

24 of 35

APPLICATION SECURITY

Scope definitions & restrictions

  • Users, groups, applications
  • Against Azure resources
  • Integration and/or connectivity regulation

25 of 35

APPLICATION SECURITY

My secrets are mine and only mine!

  • Azure KeyVault
  • Hardware Security Modules

26 of 35

APPLICATION SECURITY

Network access regulation

  • App Service Environment
  • IP restrictions
  • Azure Web Application Firewall ( WAF )
  • VNet integration ( NSG, ASG )
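The Key Vault slide (“My secrets are mine and only mine!”) and the network access regulation list above, combined into one Bicep template for an App Service: managed identity reading secrets from Key Vault through a Key Vault reference, HTTPS and TLS 1.2 only, an IP allow-list with an explicit deny-all, and regional VNet integration so outbound traffic is subject to the subnet's NSG. This is an added example, not code from the slides; the app and vault names, the plan and subnet resource ids and the 203.0.113.0/24 range are placeholders.

```bicep
// Added example: App Service hardened per the slides. All names and ids are placeholders.
param location string = resourceGroup().location
param appName string = 'app-placeholder-01'
param planId string                 // resource id of an existing App Service plan (assumed)
param subnetId string               // subnet delegated to Microsoft.Web/serverFarms (assumed)
param keyVaultName string = 'kv-placeholder-01'
param allowedCidr string = '203.0.113.0/24'   // TEST-NET-3 placeholder: the WAF / gateway source range

resource web 'Microsoft.Web/sites@2022-03-01' = {
  name: appName
  location: location
  identity: { type: 'SystemAssigned' }   // identity used to read secrets; no credential in config
  properties: {
    serverFarmId: planId
    httpsOnly: true
    virtualNetworkSubnetId: subnetId     // VNet integration: outbound goes through the subnet (NSG applies)
    siteConfig: {
      minTlsVersion: '1.2'
      ftpsState: 'Disabled'
      vnetRouteAllEnabled: true          // route all outbound traffic into the VNet, not just RFC1918
      ipSecurityRestrictions: [          // IP restrictions: allow the WAF range, deny everything else
        { name: 'from-waf', ipAddress: allowedCidr, action: 'Allow', priority: 100 }
        { name: 'deny-all', ipAddress: 'Any', action: 'Deny', priority: 2147483647 }
      ]
      appSettings: [
        {
          // Key Vault reference: resolved at runtime with the managed identity, so the
          // connection string itself never lives in app settings or in source control.
          name: 'DB_CONNECTION_STRING'
          value: '@Microsoft.KeyVault(VaultName=${keyVaultName};SecretName=DbConnectionString)'
        }
      ]
    }
  }
}

resource kv 'Microsoft.KeyVault/vaults@2022-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: tenant().tenantId
    sku: { family: 'A', name: 'standard' }
    enablePurgeProtection: true          // a deleted vault or secret cannot be purged immediately
    accessPolicies: [
      {
        tenantId: tenant().tenantId
        objectId: web.identity.principalId   // only this app's identity, and only 'get' on secrets
        permissions: { secrets: [ 'get' ] }
      }
    ]
  }
}
```

The secret DbConnectionString is created separately by whoever operates the vault; the application never needs to know its value at deploy time.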

27 of 35

FRAMEWORKS & MODELS

Approaches to follow

28 of 35

FRAMEWORKS & MODELS

Azure Cloud Adoption Framework

29 of 35

FRAMEWORKS & MODELS

Azure Zero Trust Model

30 of 35

CONCLUSIONS

Considerations

31 of 35

CONCLUSIONS

Take Away points

  • Consider your requirements and check against the Azure account
  • Access Management of your identities:
    • Audiences ( engineers and not )
    • Permissions
    • Methods
    • Operations ( SecOps )

32 of 35

CONCLUSIONS

Take Away points

  • What is important for “secure development”?
    • Knowledge & Practice
      • “Close the door behind you”
      • “Welcome, how are you?”
    • Monitor & Alerts
    • Review & Enforcement

34 of 35

Questions?

Thanks for joining

35 of 35

UPCOMING MEETUP

Check out our event page

Stay tuned for what’s coming next!