Windows Azure Security


Transcript of Windows Azure Security

  • 8/4/2019 Windows Azure Security

    1/27

    Windows Azure Security

    A Peek Under the Hood

    Charlie Kaufman | 06/03/2010

• Slide 2/27

    Agenda

    Introduction

    Azure Compute Security

    Azure Storage Security

SQL Azure Security

Questions

• Slide 3/27

    Azure Combines Three Components

Compute: think stateless CPU in the cloud (rented by the CPU-hour)

Storage: like a file system, but structured differently to support scalability and parallelism (rented by the gigabyte-month)

SQL Azure: another form of storage, accessed with SQL queries rather than file-like operations

They can be used separately, but more commonly a Compute tenant is layered atop Storage, SQL Azure, or both

    There will likely be more components in the future

• Slide 4/27

    Security Threats

[Diagram: the parties whose attacks the rest of the talk considers: Azure itself, a Customer Tenant, the Customer Admin, the end User, and an External Web Site]

• Slide 5/27

    From Subscription Portal

Create a Compute Tenant

Create a Storage Account

Create a SQL Azure Database

    Once created, they are managed via separate mechanisms

    Customer authenticates to Subscription Portal using LiveID

• Slide 6/27

    Agenda

    Introduction

    Azure Compute Security

    Azure Storage Security

SQL Azure Security

Questions

• Slide 7/27

    Underlying Hardware

    Rack-mounted servers

    Each rack has a collection of identical nodes

    Each node (currently) has 2 CPU chips with 4 cores each

16 GB of memory

Disks for local storage

Network interface to a top-of-rack switch

• Slide 8/27

Hypervisor and VM Sandbox

All Guest access to network and disk is mediated by the Root VM (via the Hypervisor)

[Diagram: one Root VM and several Guest VMs running on the Hypervisor; only the Root VM has a path to the Network/Disk]

• Slide 9/27

What Does the World Look Like to a Guest VM?

1, 2, 4, or 8 CPUs; up to 14 GB of memory

Three disk drives:

C:\ (for temps; initially populated with config file)

D:\ (for application code; initially as supplied by customer admin)

E:\ (for OS code; initially as supplied by Azure)

Network connectivity to Internet via NAT and to other VMs of the same tenant

Guest agent accepts incoming HTTP/RPC connections from Root OS

• Slide 10/27

    Handling Attacks by a Tenant

    Not dependent on the security of Windows

Instead, dependent on the security of the Hypervisor and the exposed network and disk drivers

C:\, D:\, and E:\ are not really disks. They are VHD files in the root OS's file system.

Attack surface is minimized by accepting few commands and supporting only a few hardware devices

• Slide 11/27

    Root OS Services

    Disk I/O remapping and bandwidth quota enforcement

    Network Packet Filter and bandwidth quota enforcement

    No forging of IP address or false responses to ARPs

Connectivity only to Internet, peer VMs within tenant, and a small set of specific services (e.g., DNS)

    Multicast blocked except for use of DHCP to get IP address
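The filter rules on this slide, written out as one policy function so the ordering constraints become visible. This is an added example, not Microsoft's root-OS code: the Packet and VmPolicy types, the 10.0.0.53 DNS address, the private ranges standing in for the fabric's address space, and the rule order are all assumptions. The one detail worth noticing is that a DHCP DISCOVER leaves the guest with source address 0.0.0.0, so the anti-spoof rule cannot simply run first; the DHCP carve-out has to precede it.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumed stand-in for the fabric's internal address space. A destination in
# here that is neither a tenant peer nor an allow-listed service is treated as
# another tenant or infrastructure and blocked.
FABRIC_NETS = tuple(ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

# Assumed allow-list of infrastructure services: (destination, protocol, port).
# The slide names DNS as the example; the address itself is invented.
ALLOWED_SERVICES = frozenset({("10.0.0.53", "udp", 53), ("10.0.0.53", "tcp", 53)})

BROADCAST = "255.255.255.255"
DHCP_SERVER_PORT = 67


@dataclass(frozen=True)
class VmPolicy:
    vm_ip: str                                  # address the fabric assigned to this VM
    tenant_peers: frozenset[str] = frozenset()  # other VMs of the same tenant


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "arp"
    dport: int = 0
    arp_claims: str = ""  # for an ARP reply: the IP the sender claims to own


def filter_egress(policy: VmPolicy, pkt: Packet) -> tuple[bool, str]:
    """Decide one packet leaving the guest; returns (allowed, reason)."""
    # ARP: a guest may answer only for the address the fabric gave it.
    if pkt.proto == "arp":
        return (True, "arp-own-address") if pkt.arp_claims == policy.vm_ip else (False, "arp-spoof")

    # DHCP is the one broadcast the guest needs. A DISCOVER is sent from
    # 0.0.0.0 before the guest has an address, so it must be accepted here,
    # before the anti-spoof rule below, which would otherwise reject it.
    if pkt.proto == "udp" and pkt.dport == DHCP_SERVER_PORT and pkt.dst == BROADCAST:
        return (True, "dhcp") if pkt.src in (policy.vm_ip, "0.0.0.0") else (False, "spoofed-source")

    # No forged source addresses: the root filter knows the guest's real IP.
    if pkt.src != policy.vm_ip:
        return False, "spoofed-source"

    dst = ipaddress.ip_address(pkt.dst)
    if dst.is_multicast or pkt.dst == BROADCAST:
        return False, "multicast-blocked"
    if pkt.dst in policy.tenant_peers:
        return True, "tenant-peer"
    if (pkt.dst, pkt.proto, pkt.dport) in ALLOWED_SERVICES:
        return True, "allowed-service"
    if (any(dst in net for net in FABRIC_NETS) or dst.is_private
            or dst.is_loopback or dst.is_link_local or dst.is_reserved):
        return False, "fabric-or-other-tenant"
    return True, "internet"


if __name__ == "__main__":
    # Constructed sample: one VM with a single tenant peer.
    pol = VmPolicy("10.1.2.3", frozenset({"10.1.2.4"}))
    for p in (Packet("10.1.2.3", "93.184.216.34", "tcp", 443),
              Packet("10.1.2.9", "93.184.216.34", "tcp", 443),
              Packet("10.1.2.3", "10.1.2.5", "tcp", 8080),
              Packet("0.0.0.0", BROADCAST, "udp", DHCP_SERVER_PORT),
              Packet("10.1.2.3", "10.1.2.4", "arp", arp_claims="10.1.2.4")):
        print(p, filter_egress(pol, p))
```

Note that the ARP rule and the source-address rule are the same property stated at two layers: a guest that could answer ARP for a peer's address could redirect the peer's traffic to itself even if it could not forge IP headers, so both checks have to live in the root OS rather than in the guest.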

• Slide 12/27

    Azure Network Services

    For scalability, customer tenants can be divided into roles

    (e.g., front end, back end)

    Roles can have multiple instances

Azure will divide incoming connections among front-end role instances

When a new role instance is created, its disks (C:\, D:\, and E:\) are initialized. When a role instance is discarded, the contents of its disks are discarded.

Compute holds only ephemeral data; permanent data must be kept in Azure Storage, SQL Azure, or an external customer-provided store.

High availability is achieved through fast failover. Individual VMs can be discarded and reinitialized at any time.

• Slide 13/27

    Recovery from Any Sort of Failure

If a customer VM fails, the Root VM can reboot it or, if necessary, reinitialize all of its on-disk state

If a Root VM fails or an entire node fails, the Fabric Controller can power cycle the node, reboot it from the network, and reinitialize all of its actual disks

All customer VMs can be migrated to other nodes while the node is being tested before it is returned to service or queued for manual repair

• Slide 14/27

Handling Attacks by a Customer Administrator

Customer Administrator gets to specify:

How many roles in a tenant, how many instances of each role, and what size VM each runs on

The application software that runs in each VM and its configuration

Certificates, passwords, and secret keys each VM can use to authenticate to other entities

Requests go through the Developer Portal (browser based) or Developer API (RPC over HTTP over SSL)

Authentication to Developer API uses a certificate and private key registered through the Developer Portal

• Slide 15/27

Protecting the Fabric Controllers

[Diagram of the components on the control path: Developer Portal, Developer API, Fabric Controller, Fabric Agent (in the Root VM), Guest Agent (in the Guest VM), with the Hypervisor between Root VM and Guest VM]

• Slide 16/27

    Handling Attacks by an End User

Azure divides incoming connections among front-end role instances

Customer has all the facilities of Windows to protect the VM against end-user attacks

Azure must deal with DDoS (bandwidth) attacks that could overwhelm all of Azure

Customer must deal with DDoS attacks that could overwhelm the customer front ends

    Increasing the number of front ends is always an option

• Slide 17/27

    Internet Gateways

Gateways are shared with other Microsoft properties (e.g., Hotmail, MSN, Live, ...)

Very high speed links at multiple locations worldwide

Not impossible to overload, but one of the highest capacity targets deployed today

• Slide 18/27

    One More Problem to Worry About

Azure could be used as a platform for attacking other Internet sites

A customer tenant could be recruited into a bot army to spread spam or participate in DDoS attacks

A customer could intentionally participate in such things

We have to be responsive to complaints from other Internet sites that they are under attack from one of our tenants

• Slide 19/27

    Agenda

Introduction

Azure Compute Security

Azure Storage Security

SQL Azure Security

Questions

• Slide 20/27

    Azure Storage

Runs on separate hardware with no network connectivity to Compute except (logically) through the Internet

Requests run over HTTP and optionally over SSL with server authentication

Storage is organized into storage accounts

A single customer may have many storage accounts

A single secret key controls all access to a storage account

Fine-grained access controls are not implemented

A customer wanting fine-grained access controls can implement a front-end compute tenant that has full access to the storage account but mediates access to data items

• Slide 21/27

    Azure Storage Scalability

To reduce the need for the locking a conventional file system would require, Azure Storage implements the primitives blobs, tables, and queues.

For backwards compatibility, it also implements an XDrive with disk semantics for applications that have not been converted.

The customer is responsible for coordinating the assignment of XDrives to VMs. An XDrive can only be open from one VM at a time.

• Slide 22/27

    Azure Storage Security

    Data from many customers is mixed in a single pool

Access to data in a specific account is only granted to entities having the secret key for that account

Storage keys are randomly generated when the storage account is created (or later at the request of the customer)

A storage account may have two active keys at any given time to support key rollover

Storage keys are used to HMAC-sign each access request
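The two mechanisms on this slide, HMAC-signed requests and a pair of active keys, worked through in code. This is an added example, not Azure's client or server code: the canonicalisation only follows the general shape of the storage Shared Key scheme (verb, fixed standard headers, sorted x-ms-* headers, account-qualified resource, sorted query parameters), the Request and StorageAccount types are invented, and the demo keys and clock values are constructed. What it shows that the slide does not: the date header is inside the MAC so a captured request is only replayable inside the server's skew window, the server tries both active keys so a client can be moved from one key to the other without an outage, and a regenerated key immediately invalidates everything signed under the old value of that slot.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed demo keys: 64 fixed bytes, base64-encoded the way account keys are shipped.
DEMO_KEY_1 = base64.b64encode(bytes(range(64))).decode("ascii")
DEMO_KEY_2 = base64.b64encode(bytes(range(64, 128))).decode("ascii")
# Constructed clock values; the sample request below is dated 12:00 GMT.
DEMO_NOW = datetime(2010, 3, 6, 12, 1, tzinfo=timezone.utc)
DEMO_LATER = DEMO_NOW + timedelta(hours=1)

CLOCK_SKEW = timedelta(minutes=15)
STANDARD_HEADERS = ("content-encoding", "content-language", "content-length",
                    "content-md5", "content-type", "date", "if-modified-since",
                    "if-match", "if-none-match", "if-unmodified-since", "range")


@dataclass
class Request:
    verb: str
    account: str
    path: str                    # resource path, e.g. "/photos/cat.jpg"
    headers: dict[str, str]      # must carry x-ms-date in RFC 1123 form
    query: dict[str, str] = field(default_factory=dict)


def string_to_sign(req: Request) -> str:
    """Canonical request: verb, standard headers in fixed order, every x-ms-*
    header sorted, then the account-qualified resource and sorted query."""
    h = {k.lower(): v.strip() for k, v in req.headers.items()}
    lines = [req.verb.upper()] + [h.get(n, "") for n in STANDARD_HEADERS]
    canon_headers = "".join(f"{k}:{h[k]}\n" for k in sorted(h) if k.startswith("x-ms-"))
    canon_resource = f"/{req.account}{req.path}" + "".join(
        f"\n{k.lower()}:{req.query[k]}" for k in sorted(req.query, key=str.lower))
    return "\n".join(lines) + "\n" + canon_headers + canon_resource


def sign(req: Request, key_b64: str) -> str:
    key = base64.b64decode(key_b64)   # the key is raw bytes; base64 only on the wire
    mac = hmac.new(key, string_to_sign(req).encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def authorization_header(req: Request, key_b64: str) -> str:
    """Client side: what goes in the Authorization header."""
    return f"SharedKey {req.account}:{sign(req, key_b64)}"


class StorageAccount:
    """Server side of the check: one account, up to two active keys."""

    def __init__(self, name: str, primary: str, secondary: str | None = None) -> None:
        self.name = name
        self.keys = [primary] + ([secondary] if secondary else [])

    def regenerate(self, slot: int, new_key: str | None = None) -> str:
        """Rotate one slot; clients still on the other key keep working."""
        new_key = new_key or base64.b64encode(secrets.token_bytes(64)).decode("ascii")
        if slot < len(self.keys):
            self.keys[slot] = new_key
        else:
            self.keys.append(new_key)
        return new_key

    def verify(self, req: Request, auth: str, now: datetime) -> tuple[bool, str]:
        scheme, _, rest = auth.partition(" ")
        acct, _, sig = rest.partition(":")
        if scheme != "SharedKey" or acct != self.name or req.account != self.name:
            return False, "malformed-or-wrong-account"
        date_hdr = {k.lower(): v for k, v in req.headers.items()}.get("x-ms-date")
        if not date_hdr:
            return False, "missing-date"
        try:
            sent = parsedate_to_datetime(date_hdr)
        except (TypeError, ValueError):
            return False, "bad-date"
        if sent.tzinfo is None:
            sent = sent.replace(tzinfo=timezone.utc)
        if abs(now - sent) > CLOCK_SKEW:
            return False, "stale-date"   # x-ms-date is inside the MAC, so replay is time-bounded
        for key in self.keys:            # either active key is acceptable during rollover
            expected = sign(req, key).encode("ascii")
            if hmac.compare_digest(sig.encode("ascii", "replace"), expected):
                return True, "ok"
        return False, "bad-signature"
```

Rollover in practice is: add or regenerate the secondary, move every client to it, then regenerate the primary. Because `verify` consults both slots, no client is ever rejected while the move is in flight; because every access is HMAC-signed rather than sent with the key, a passive observer of plaintext HTTP sees signatures but never the key, although the request bodies and names are still exposed unless SSL is used.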

• Slide 23/27

    Access Control Extensions

    To deal with some common cases:

Blobs can be marked as world readable, which allows them to be read without authentication by anyone knowing their name

Queries can be HMAC-signed with some of their parameters unspecified. Passing such a query and its signature to a process allows it to access a subset of the data in an XStore.
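Both extensions on this slide, in code: a world-readable container that needs no credential for reads, and a query signed by the key holder with the blob name left open, handed to another process as a capability for one container. This is an added example and not Azure's shared-access format: the Grant and BlobRequest types, the field layout, and the container names are invented; the demo key is constructed. The point it makes beyond the slide is where the authority ends: the signature proves the signer wrote these fields, so the holder can fill in any blob name but cannot edit the container, permissions or expiry without the signature failing, and the server still has to check that the concrete request fits the signed fields, because the MAC alone says nothing about the request.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo account key: base64 of 64 fixed bytes, not a real key.
DEMO_KEY = base64.b64encode(bytes(range(64))).decode("ascii")

# Constructed: containers the owner has marked world-readable. Reads need no
# signature; knowing the name is enough. Writes are still access controlled.
WORLD_READABLE = frozenset({"public-images"})


@dataclass(frozen=True)
class Grant:
    """The signed part of a delegated query. The blob name is deliberately
    left unspecified, so one grant covers every blob in the container."""
    account: str
    container: str
    permissions: str   # subset of "rwd": read, write, delete
    expires: int       # unix time; the signer bounds how long the delegation lasts


def _grant_bytes(g: Grant) -> bytes:
    # Fixed field order and a separator that cannot appear in the values, so
    # two different grants never canonicalise to the same byte string.
    return "\n".join([g.account, g.container, g.permissions, str(g.expires)]).encode("utf-8")


def issue_grant(g: Grant, key_b64: str) -> str:
    """Account-key holder produces the signature that travels with the grant."""
    mac = hmac.new(base64.b64decode(key_b64), _grant_bytes(g), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii")


@dataclass(frozen=True)
class BlobRequest:
    container: str
    blob: str          # the parameter the grant left open
    op: str            # "r", "w" or "d"


def authorize(req: BlobRequest, grant: Grant | None, sig: str | None,
              account_keys: list[str], now: int) -> tuple[bool, str]:
    """Server-side decision for one request presented with a grant and signature."""
    if req.op == "r" and req.container in WORLD_READABLE:
        return True, "world-readable"
    if grant is None or sig is None:
        return False, "no-credential"
    # Recompute under every active key (two during rollover), constant-time compare.
    if not any(hmac.compare_digest(sig.encode("ascii", "replace"),
                                   issue_grant(grant, k).encode("ascii"))
               for k in account_keys):
        return False, "bad-signature"   # grant edited after signing, or wrong account
    if now >= grant.expires:
        return False, "expired"
    # The signature only proves the signer wrote these fields; the concrete
    # request must still fit them. This is where the subset is enforced.
    if req.container != grant.container:
        return False, "outside-grant"
    if req.op not in grant.permissions:
        return False, "permission-denied"
    return True, "delegated"


if __name__ == "__main__":
    g = Grant("acct", "photos", "r", 1_300_000_000)
    s = issue_grant(g, DEMO_KEY)           # done by the key holder, once
    for r in (BlobRequest("photos", "cat.jpg", "r"),    # any blob name works
              BlobRequest("photos", "cat.jpg", "d"),    # but only the granted ops
              BlobRequest("secrets", "k.txt", "r")):    # and only that container
        print(r, authorize(r, g, s, [DEMO_KEY], now=1_299_000_000))
```

This is the same idea as the mediating front-end tenant from the earlier slide, with the mediation moved into a signed token: the key never leaves the owner, and what the holder receives is narrower than the key in three dimensions (container, operations, time) rather than in none.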

• Slide 24/27

    Agenda

Introduction

Azure Compute Security

Azure Storage Security

SQL Azure Security

Questions

• Slide 25/27

    Azure SQL

As with Storage, runs on separate hardware with no connectivity to Compute except (logically) over the Internet

Subscription portal can create databases

Data from many customers is pooled in a single SQL instance, but they are treated as separate and access controlled independently

• Slide 26/27

    Questions & Answers

    Submit text questions using the Ask button.

    Send us your feedback and content ideas in the survey.

    Replay of this webcast will be available in 24 hours.

Get the latest developer content (webcasts, podcasts, videos, virtual labs) at: www.Microsoft.com/Events/Series/

    For more security webcasts:

    www.microsoft.com/events/series/securitytalk

• Slide 27/27

    2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

    The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market

    conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

    MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.