Sponsored & Brought to you by
Enter The Matrix: Securing Azure’s AssetsMike Martin
http://www.twitter.com/techmike2kx
https://be.linkedin.com/in/techmike2kx
Enter the Matrix.Securing Azure’s Assets
Mike MARTIN, ArchitectCrosspoint Solutions
Mike MartinWho Am I
View more tips on my bloghttp://techmike2kx.wordpress.com
Crosspoint Solutions (part of Cronos)
Where I Work
Architect, Windows Azure MVP, MEET, Insider
What I Do
Where To Find Me
A little more about me
Azure
Journey to the CloudDIFFERENTIATIONAGILITYCOST
SaaS Solutions
Higher-level services
Cloud Infrastructure
Hyper-scalefootprint
AZURE REGIONS
28Azure regions around the world
More than AWS and Google Cloud combined
Latest launch was in October 2015-India – Central, India – South, India – WestGENERALLY AVAILABLE6 new regions announced: Canada Central, Canada East, Germany Central, Germany North East, United Kingdom (2 – regions TBD)
Platform Services
Infrastructure ServicesOS/Server Compute Storage
Datacenter Infrastructure (24 Regions, 22 Online)
Web and Mobile
Web Apps
MobileApps
APIManagement
API Apps
Logic Apps
Notification Hubs
Media & CDNContent DeliveryNetwork (CDN)
Media Services
IntegrationBizTalkServices
HybridConnections
Service Bus
StorageQueues
HybridOperations
Backup
StorSimple
Azure SiteRecovery
Import/Export
Networking
Data
SQL Database
DocumentDB
RedisCache Azure
SearchStorageTables
DataWarehouse Azure AD
Health Monitoring
Virtual Network
ExpressRouteBLOB
StorageAzureFiles
PremiumStorage
Virtual Machines
AD PrivilegedIdentity Management
Traffic Manager
AppGateway
OperationalAnalytics
Services ComputeCloud Services
Batch RemoteApp
ServiceFabric
Developer Services
Visual Studio
AppInsights
Azure SDK
VS Online
ContainerService
DNS VPN Gateway
Load Balancer
Domain Services
Analytics & IoT
HDInsight MachineLearning
StreamAnalytics
Data Factory
EventHubs
MobileEngagement
Data Lake
IoT Hub
Data Catalog
Security & Manageme
nt
Azure ActiveDirectory
Multi-FactorAuthentication
Automation
Portal
Key Vault
Store/Marketplace
VM Image Gallery& VM Depot
Azure ADB2C
Scheduler
The Matrix
Physical Defenses
Azure Edge Defenses
Your defenses
Your App / code
Trust
Microsoft Azure
Shared responsibilityREDUCES SECURITY COSTS + MAINTAINS FLEXIBILITY, ACCESS, & CONTROL
Customer Microsoft
On-Premises IaaS PaaS SaaS
NetworkingHardware
Physical Security
Operating System
Middleware
Virtualization
DataApplications
Users
Model Realworld Attacks
•Model Emerging Threats, Use Blended Threats•Exfiltrate & Leverage Compromised Data•Escape And Evade / Persistence
Identify Gaps In Security Story
•Measure Time To Compromise (Mttc) / Pwnage (Mttp)•Highlight Security Monitoring & Recovery Gaps•Improve Incident Response
Demonstrable Impact
•Prove Need For Assume Breach•Enumerate Business Risks•Justify Resources, Priorities & Investment Needs
Exercises Ability To Detect & Respond•Detect Attack & Penetration (MTTD)•Respond & Recover To Attack & Penetration (MTT)•Practiced Incident Response
Enhances Situational Awareness
•Produces Actionable Intelligence•Full Visibility Into Actual Conditions Within Environment•Data Analysis & Forensics For Attack & Breach Indicators
Measure Readiness &
Impact•Accurately Assesses Real-world Attacks•Identifies Gaps & Investment Needs•Focus On Slowing Down Attackers & Speeding Recovery•Hardening That Prevents Future Attacks
Trusted Cloud PrinciplesCommitment to principles worthy of your organization’s trust
We will provide you with control over your data to help keep it private.
Privacy & Control
We will implement strong security measures to safeguard your data.
Security
We will explain what we do with your data in clear, plain language.
Transparency
We will help you meet your specific compliance needs.
Compliance
Main Philosophy: Prevent and Assume Breach
Prevent breach—A methodical Secure Development Lifecycle and Operational Security minimizes probability of exposureAssume breach—Identifies and addresses potential gaps:• Ongoing live site testing of security response
plans improves mean time to detection and recovery
• Bug bounty program encourages security researchers in the industry to discover and report vulnerabilities
• Reduce exposure to internal attack (once inside, attackers do not have broad access)
Latest Threat Intelligence to prevent breaches and to test security response plansState of the art Security Monitoring and Response
Prevent and assume breach Security monitoring and response
Prevent breach• Secure Development Lifecycle• Operational Security
Assume breach• Bug Bounty Program• War game exercises• Live site penetration testing
Threat intelligence
Physical data center securityCameras24X7 security staffBarriersFencingAlarmsTwo-factor access control: Biometric readers & card readersSecurity operations center
Days of backup powerSeismic bracing
BuildingPerimeter
Computer room
Secure Multi-Tenancy Architecture
• Centrally manages the platform and helps isolate customer environments using the Fabric Controller
• Runs a configuration-hardened version of Windows Server as the Host OS
• Uses Hyper-V, a battle tested and enterprise proven hypervisor
• Runs Windows Server and Linux on Guest
VMs for platform services
• Manages their environment through service management interfaces and subscriptions
• Chooses from the gallery or brings their own OS for their Virtual Machines
Azure
CustomerSQL
Database
FabricController
Azure Storage
Guest VM Guest VM
Customer 2
Guest VM
Customer 1
CustomerAdmin
PortalSMAPI
Host OS
Hypervisor
Microsoft Azure
EndUsers
25
Data Segregation
Storage isolation:• Access is through Storage account keys and
Shared Access Signature (SAS) keys• Storage blocks are hashed by the hypervisor
to separate accountsSQL isolation:• SQL Database isolates separate databases
using SQL accountsNetwork isolation:• VM switch at the host level blocks inter-
tenant communication
• Design same principles for multi-tenancy
Azure
Customer
26
FabricController
CustomerAdmin
Guest VM Guest VM
Customer 2
Guest VM
Customer 1PortalSMAPI
EndUsers
Host OSHypervisor
Microsoft Azure
Azure Storage
SQL Database
AccessControl
Secure operations
Azure platform services infrastructure protection1. Azure Protection
Layer A: The Network Access Layer Layer B: Azure’s DDoS/DOS/IDS LayerLayer C: Host firewalls protect all the hosts, and the VLANs Layer D: Conformance with security and privacy requirements includes two-factor authentication for operators.
2. Customer protection: Layers 1-2: The distributed firewall isolates customer’s Layer 3: The virtual network can be managed similar to an on-premises private network.
i. Inside the VM: Firewalls, IDS, and DoS solutions.
ii. Virtual network appliances
Patching and Update ManagementAzure• Applies regularly
scheduled updates to the platform
• Releases critical patches immediately
• Rigorously reviews and tests all changes
• Uses a combination of third-party scanning tools for Azure environment
Customer• Applies similar patch management
strategies for their Virtual Machines
• Monitor 100,000+ vulnerability reports
• Sourced from customers and worldwide network of security researchers
• Prioritize critical updates
• Monthly OS releases with patches
• Reconciliation report
• Resolution summary
• Scanning & reporting of all Azure infrastructure VMs
• Track and remediate any findings
SCANNING AUDIT VALIDATION
PATCHING ROLLOUT
MONTHLY MSRC PATCH
REVIEW
DDoS System Protection Overview
MSFT Routing Layer
Detection Pipeline
Profile DB
Scrubbing Array
SLB
Application
Attack Traffic
Scrubbed Traffic
Flow Data
Routing Updates
Internet
• Traffic is re-routed to scrubbers via dynamic routing updates
• Traffic is SYN auth. and rate limited
MITIGATION PROCESS
• Traffic to a given /32 VIP Inbound or Outbound is tracked, recorded, and analyzed in real time to determine attack behavior
DETECTION PROCESS
• TCP SYN• UDP/ICMP/TCP Flood
SUPPORTED DDOS ATTACK PROFILES
30
Antivirus/Antimalware Protection
• Performs monitoring & alerting of anti-malware events for the platform
• Enables real time protection, on-demand scanning, and monitoring via Microsoft Anti-malware for Cloud Services and Virtual Machines
AZURE
• Configures Microsoft Anti-malware or an AV/AM solution from a partner
• Extracts events to SIEM• Monitors alerts & reports• Responds to alerts
CUSTOMER
Customer VMsMICROSOFT AZURE
!
Enable & configureanti-malware
Extract event information to SIEM or other reporting system
CustomerAdmin
PortalSMAPI
Events
Guest VM
AzureStorage
Alerting &reporting
Guest VM
Cloud Services
Threat Protection
• Performs big data analysis of logs for intrusion detection & prevention for the platform
• Employs denial of service attack prevention measures for the platform
• Regularly performs penetration testing
• Can add extra layers of protection by deploying additional controls, including DOS, IDS, web application firewalls
• Conducts authorized penetration testing of their application
Azure
CustomerCustomer Environment
Cloud Access & Firewall
Virtual network
Application tier
Logic tier
Database tier
VPNCorp 1
Internet End Users
443
443
Microsoft Azure
THREAT DETECTION: DOS/IDS Capabilities
32
Network Isolation
• Does not enable general internet access by default, except remote administration endpoints configured when Virtual Machines are created in the Portal
AZURE
• Configure endpoints for required access• Creates connections to other cloud and on-
premises resources
CUSTOMER
Customer 2
INTERNET
Isolated Virtual Networks
Customer 1
Isolated Virtual Network
Deployment X Deployment X Deployment Y
PortalSmart API
CustomerAdmin
VNET to VNET
Cloud Access Layer
Web Endpoint (public access)
RDP Endpoint(password access)
Client Client
VPNCorp 1
Microsoft AzurePortalSMAPI
Monitoring and Alerts
• Performs monitoring and alerting on security events for the platform
• Enables security data collection via Monitoring Agent or Windows Event Forwarding
AZURE
• Configures monitoring • Exports events to SQL Database,
HDInsight or a SIEM for analysis• Monitors alerts & reports• Responds to alerts
CUSTOMER
Customer VMsMICROSOFT AZURE
!
EnableMonitoringAgent
Extract event information to SIEM
or other reporting system
CustomerAdmin
PortalSMAPI
Events
Guest VM
Guest VM
Cloud Services
HDInsightAzureStorage
Alerting &reporting
Azure Active Directory 2FA Mandatory
Active DirectoryMicrosoft Azure Active
Directory
• Secure access management requires strong, centralized, identity management.
• Active Directory (AD) helps you with that on-premises.
• Azure Active Directory (AAD) helps you in Azure…and in Office 365, and in 1200+ apps.
• AD and AAD are tightly integrated, to enable single sign-on, a single directory, and centralized management.
• AD and AAD help address your compliance requirements.
Azure Active Directory (AAD) integration
• Two Factor Authentication can be implemented with Phone Factor or with AD on-premises.
Use Two Factor Authentication or DevOPsto access your production services
35
Threat Protection
• Uses password hashes for synchronization• Offers security reporting that tracks inconsistent
traffic patterns, including:• Sign ins from unknown sources• Multiple failed sign ins• Sign ins from multiple geographies in short
timeframes• Sign ins from suspicious IP addresses and
suspicious devices
• Reviews reports and mitigates potential threats
• Can enable Multi-Factor Authentication
Azure
Customer
X X X X XX X X X X
X X X X X
User Non-user
Transparency
Transparency & independent verificationAIDS CUSTOMERS IN MEETING SECURITY & COMPLIANCE OBLIGATIONS
Best practices and guidance
Third-party verification
Cloud Security Alliance
Security Intelligence
report
Compliance packages
Trust Center
Access to audit reports
Security Response
Center progress report
Customers know where and how their data is stored and used
Data storage and useCustomers control where customer data is stored
Microsoft doesn’t use customer data for advertising, marketing or share your data
Customers may delete their data or leave the service at any time
Global datacenter footprint
100+ Datacenters in over 40 countries
Data Location and Replication
• Microsoft will not store customer data outside the customer-specified geography
• Microsoft may only transfer customer data within a geo for redundancy of a geo
AZURE
• Chooses where data resides
• Configures data replication options
CUSTOMER
Privacy and Control
Microsoft Employee Access Management
Grants least privilegerequired to complete task
Multi-factor authentication required for all administration
Access requests areaudited, logged, and reviewed
No standing access to the customer data
Pre-screened admin
requests access
Leadership grantstemporary privilege
Just-in- Time &
Role-Based Access
Microsoft AzureBLOBS TABLES QUEUES DRIVES Microsoft
Corporate Network
Encryption in TransitAzure• Encrypts most communication between
Azure datacenters• Encrypts transactions through Azure
Portal using HTTPS• Supports FIPS 140-2 certified libraries and
algorithms
Customer• Can choose HTTPS for REST
API (recommended) • Configures HTTPS endpoints for
application running in Azure• Encrypts traffic between Web client and
server by implementing TLS on IIS
AzureDatacenter
AzureDatacenter
Azure Portal
Encryption at Rest
• Boot and Data drives—full disk encryption using BitLocker
• Public preview now available globally!• SQL Server—Transparent Data and Column Level
Encryption• Files & folders—EFS in Windows Server
VIRTUAL MACHINES
• Bitlocker encryption of drives using Azure Import/Export service
• StorSimple with AES-256 encryption
STORAGE
APPLICATIONS
• Client Side encryption through .NET Crypto API• RMS Service and SDK for file encryption by your
applications
RMS SDK.NET Crypto
SQL TDE Bitlocker Partners EFS
Bitlocker StorSimple
Virtual Machines
Applications
Storage
Compliance
Azure Compliance Framework
Microsoft maintains a team of experts focused on ensuring that Azure meets its own compliance obligations, which helps customers meet their own compliance requirements.
Compliance certifications
Compliance strategy helps customers address business objectives and industry standards and regulations, including ongoing evaluation and adoption of emerging standards and practices.
Continual evaluation, benchmarking, adoption, test, & audit
Ongoing verification by third-party audit firms.
Independent verification
Microsoft shares audit report findings and compliance packages with customers.
Access to audit reports
Extensive and growing experience
Operations Security
Assurance
HIPAA/HITECH
CJISSOC 1
201220112010
SOC 2
FedRAMPP-ATO
FISMAATO
UK G-Cloud OFFICIAL
2013 2014 2015ISO/IEC
27001:2005
CSA Cloud Controls Matrix
PCI DSS Level 1
AU IRAP Accreditatio
nSingapore
MCTS
ISO/IEC 27018EU Data
Protection Directive
CDSA
Data Deletion
Data destruction
•Wiping is NIST 800-88 compliant•Defective disks are destroyed
•Index immediately removed from primary location• Geo-replicated copy of the data (index) removed
asynchronously•Customers can only read from disk space they have written to
Disk Handling
Data use policies
Azure does not share data with its advertiser-supported servicesAzure does not mine Customer Data for advertising
Read the fine print of other cloud service provider’s privacy statements
VISUAL STUDIO ONLINE
2) Code Repository
3) Build 4) Test 5) Deploy to Azure
1) Code commit
6) Monitor and Improve
App
System Center / Application InsightsVisual
StudioEclipse / XCodeDE
VELO
PERS
DevOps - Microsoft’s solution
Mechanisms 4 u
• Portal access• Uses Live ID (Microsoft Account)• Go to http://manage.windowsazure.com
• Role: Service Administrator or Co-Administrator• Uses special REST API without providing certificate
•Management certificate• Certificate can be self-signed• Does not check certificate expiration• Used by PowerShell• Used by REST API
• Storage access• Uses secret key• Or anonymous share access
• RDP VM access• Uses username/password
Authentication and Access (4x)
• Portal access• Uses Live ID (Microsoft Account) –> Better have AAD / Org ID + MFA• Implement RBAC JEA principle
•Management certificate• ARE EVIL !!!!!• Only Use them in a management solution when that is the ONLY option!
• Storage access• I’v got the key … I’ve got ALL your Secrets• If needed? IMPLEMENT KEY VAULT!
•RDP VM access• Harden from the outside , and access through GW / S2S / ER• Better implement SSH / PoSh Remoting over SSL
Authentication and Access … BUT…!
•Network Security Groups• Firewalls before the Gateways• ACL’s• inside the guest OS
firewall • Network ACLs on public IP
addresses • Network ACLs at the
corporate firewall • IPsec inside the guest OS
•Network Isolation
Network Security
Role Based Access in Azure – aka RBAC • Role• Collection of actions• Role Assignment• Access is granted to AAD
users and services role assignment on the resources. • Azure AD Security Principals• Roles can be assigned to the
following types of Azure AD security principals:• Users• Groups• Service principals
RBAC in Azure•Portal Management •Powershell
foreach ($roledef in Get-AzureRMRoleDefinition) {
Write-Host 'Role: '$roledef.Name
Write-Host 'Actions'
(Get-AzureRMRoleDefinition -Name $roledef.Name).Actions
Write-Host 'NoActions'
(Get-AzureRoleRMDefinition -Name $roledef.Name).NoActions
Write-Host ([Environment]::NewLine)
}
Microsoft Azure
IaaS SaaSPaaS
Microsoft Azure Key Vault
Import keys
HSM
Key Vault
Safeguard cryptographic keys and other secrets used by cloud apps and services
• Increase security and control over keys and passwords
• Create and import encryption keys in minutes• Applications have no direct access to keys• Use FIPS 140-2 Level 2 certified HSMs• Reduce latency with cloud scale and global
redundancy
SQL Server Scenario
Applying to Azure - Infrastructure• Port scanning: the only open ports are those defined by us!•Denial of service:• External: depends on our settings, but the Fabric Controller tries to identify the attacks• Internal: all DOS attacks initiated from internal VMs will result in removing those VMs from the network
•Spoofing: compromised machines cannot impersonate VMs from the Fabric Controller (broadcast and multicast are blocked, https between VMs and FC)•Sniffing: the Hyper-V switch prevents sniffing from a VM to another VM on the same host; racks switches block it to other VMs•VMs are untrusted by the Root OS Hypervisor
•Endpoints•Antimalwae extensions•Storage access•Bitlocker Support on Disks
VM Security
Configuring Virtual Machine Security• Firewall rules• Leveraging public/private/domain profiles
•Access control lists (ACL)• Controls port access through at subnet level• IP address blacklisting• VM endpoint rules (up to 50 per endpoint)• Rule ordering
•Encryption• DPAPI not supported for cloud service• Secure key data with encryption keys• CloudLink
Endpoint ACL’sUsing Network ACLs, you can do the following:• Selectively permit or deny incoming traffic based on
remote subnet IPv4 address range to a virtual machine input endpoint. • Blacklist IP addresses• Create multiple rules per virtual machine endpoint• Specify up to 50 ACL rules per virtual machine
endpoint• Use rule ordering to ensure the correct set of rules
are applied on a given virtual machine endpoint (lowest to highest)• Specify an ACL for a specific remote subnet IPv4
address.
Network Security Groups (NSG)• Enables network segmentation &
DMZ scenarios • Access Control List
• Filter conditions with allow/deny• Individual addresses, address
prefixes, wildcards• Associate with VMs or subnets• ACLs can be updated independent
of VMs
Virtual Network
Backend10.3/16
Mid-tier10.2/16
Frontend10.1/16
VPN GW
Internet
On Premises 10.0/16
S2SVPNs
Internet
√ √
√ √
DMZ in a Virtual Network
Load Balancer
Internet
Web Proxy
App Servers
Database
VIRTUAL NETWORK
DMZ
InternalLoad
Balancer
DNS Servers
NSG
NSG
NSG
NSG
Security considerations when using NSG•Endpoint ACLs and Network Security Groups
don’t work together•Multi-NIC : for now the Network Security Group rules apply only to the traffic in primary NIC•For RDP endpoints for VM’s and Network Security Group : NSG does not allow access to any port from Internet, you have to create a specific rule to allow RDP traffic.
Azure Application Gateway Azure-managed,
first party virtual appliances
HTTP routing based on app-level policies
Cookies affinity URL hash
SSL termination and caching
Azure Disk Encryption – New VM or Running VM Workflow
ARM/PS cmdlets
HOST
1. Customer opt into enabling disk encryption2. Customer provide identity and other
encryption configuration to Azure Portal/API to provision encryption key material* in their key vault
3. Azure service management updates service model with encryption and key vault configuration and Azure platform push the encryption extension on the VM
4. Encryption extension initiate encryption on the VM
5. VM is encrypted
* Key Material – BitLocker Encryption Keys [Windows], Passphrase [Linux]
Azure Active Directory
AAD token
Azure Storage
Customer Key Vault
Virtual Machine
Service Managemen
t
Upload KeyEncryption Extension
Encryption
Extension
Encrypted Disks
Encryption Configuration
Applying to Azure - applications•Use custom domains instead of myapp.cloudapp.net and scope cookies to your custom domain; scripting!•Access to Azure Storage using Shared Access Signatures; attention to REST query injection• SQL Database: pay attention to SQL Injection; no TDE•Auditing -> Azure Tables•Authentication using Azure’s ACS, Azure AD, Windows Identity Foundation -> rely on existing patterns and user stores!
Azure Identy Management
Your identity goes with you
PCs and devices
3rd party clouds/hosting
Azure AD
You
Self-service Single sign on
•••••••••••Username
Identity as the control planeSimple connection
Cloud
SaaSAzure
Office 365Publiccloud
Other Directories
Windows ServerActive Directory
On-premises
Microsoft Azure Active Directory
Microsoft Azure Active Directory Cloud App Discovery
10xSource: Help Net Security 2014
as many Cloud apps are in use than IT estimates
• SaaS app category• Number of users• Utilization volume
Comprehensivereporting
Discover all SaaS apps in use within your organization
Empower UsersCentrally managed identities and access.
Monitor and protect access to cloud applications.
Your Directory on the cloud
Empower UsersCentrally managed identities and access.
Monitor and protect access to cloud applications.
Your Directory on the cloud
Connect and Sync on-premises directories with Azure.
Your Directory on the cloud
Azure Active Directory Connect*
Microsoft AzureActive Directory
Other Directories
PowerShell
LDAP v3
SQL (ODBC)
Web Services ( SOAP, JAVA, REST)
*
SaaS appsCentralized access
administration for preintegrated SaaS apps and other Cloud-based apps.Secure business processes with advanced access management capabilities.
Comprehensive identity and access management console.
Centrally managed identities and access
Your cloud apps ready when you are.
IT professional
Security reporting that tracks inconsistent access patterns, analytics and alerts.
Built-in security features.
Monitor and protect access to enterprise apps
B2B: cross-organization collaboration B2B: cross-organization collaboration “I need to let my partners access my company’s apps using their own
credentials.”
Share without complex configuration or duplicate users.
A user at a large partner may log into my company’s apps with their Active Directory usernames and passwords.
A user at a smaller partner may log into my company’s apps with their Office 365 usernames and passwords.
Admin configures sharing for cloud apps.
“I can’t email my 25 MB file and need to share it with a partner using Box.com.”
Seamlessly provide Azure Active Directory to customers & partners
For example, a user at a partner can set up everyone in their company.
Users can bring their own email-based or social identities.
Azure Active Directory B2C offering is tailored for enterprises who serve large populations (100’s of thousands to millions) of individual customers, and whose business success depends upon consumer adoption of web applications for improving customer satisfaction and reducing operational costs.
Azure Active Directory B2C(Business-to-Consumer )
Azure Active Directory B2C will include :Self-Service User registrationLogin with Social IdP or create your own credentialsOptional MFABulk user import toolsSSO to multiple web sitesUser interface customization
Cloud Domain Join makes it possible to connect work-owned Windows devices to your company’s Azure Active Directory tenancy in the cloud. Users can sign-in to Windows with their cloud-hosted work credentials and enjoy modern Windows experiences.
Cloud Domain Joined Devices
Enterprise compliant ServicesRoaming Settings, Windows backup/Restore, Store access…Data stored in enterprise compliant backend services on Azure.No need to add a personal Microsoft account.
SSO from the desktop to org resources SSO from desktop to Office 365 and 1,000’s of enterprise apps, websites and resources.Access enterprise-curated Store and install apps using a work account.
ManagementAutomatic MDM enrollment during first-run experience.
Support for hybrid environmentsTraditional Domain Joined PCs also benefit from Cloud Domain Join functionality when the on-prem Active Directory is connected with an Azure Active Directory in the cloud.
Cloud Domain Join
Azure AD : Identity driven security
SSO + MFA
Conditional access
Cloud App Discovery
Advanced security reporting
Privileged Identity Management
Azure Operational Insightsaka Operations Management Suite aka Azure Log Analyticsaka System Center Advisor
Log Management – Collect, correlate and visualize all your machine data
OMS Log Analytics
Machine datafrom
on-premises and Cloud
InsightsOperational Insights
AZURE BLOB
SEARCH SERVICE
PORTALDATA
PROCESSING ENGINE
Troubleshooting
Correlate & Search data from multiple sources
Collect custom data types Build dashboards powered
by search queries
OperationInsights
Forecast future capacity needs and pinpoint performance bottlenecks
Check your update and malware protection status
Security Intelligence
Identify security breaches Meet compliance
requirements for auditing Analyze security data
REAL TIMEDASHBOARDS & REPORTING SCALABLESEARCH READY MADE
INTELLIGENCE
Key Benefits:
Event Logs | IIS Logs | Security LogsPerformance Counters | Syslog | & many more
Machine Data
Windows & Linux Server
Servers forwarding data through SCOM
Windows & Linux Server
Servers directly forwarding data
CloudVMs
OMS Security related matters• AD Assessment• Malware Assessment• System Update
Assesment• Change Tracking• Wire Data• Security and Audit
New in Preview : Security and Audit
OMS Agent For LinuxWhat sorts of data can I collect?•Syslog: Collect your choice of syslog events from rsyslog and syslog-ng•Performance Metrics: We can collect 70+ performance metrics at a 30 second granularity using our new. Get metrics from the following objects: System, Processor, Memory & Swap space, Process, Logical Disk (File System) and Physical Disk. Full list of Performance Counters. •Docker container logs, metrics & inventory: We show information about where your containers and container hosts are, which containers are running or failed, and Docker dameon and container logs sent to stdout and stderr. We also show performance metrics such as CPU, memory, network and storage for the container and hosts to help you troubleshoot and find noisy neighbor containers. We support Docker version 1.8+.•Alerts from Nagios + Zabbix: The agent can collect alerts from your most popular monitoring tools. This allows you to view all your alerts from all your tools in a single pain of glass! Combine this with our existing support for collection of alerts from Operations Manager. We currently support Nagios 3+ and Zabbix 2.x.•Apache & MySQL performance metrics: Collect performance metrics about your MySQL/MariaDB server performance and databases and Apache HTTP Servers and Virtual Hosts.
How Data Flows to OMS
Microsoft Operations Management Suite
agents mgmt server
Your Environment
Azure Storage
Portal
Certificate Based Authentication & SSL
Data Compression
4
Separate Azurefile partition for each customer’s workspaceUses Azure Secure Authentication Service to Storage communication
6 Certificate Based Authentication & SSL
Authenticate through Org Account or Microsoft Account
7
Service run by authorized personnel in operations teamAll activities are logged & can be audited
5
OpsMgr DBs
‘multiple’ mgmt groups1
2 Data being forward to OMS bypass on-premises databases; adds no load to them
proxy server
agents Agents directly connecting to OMS3
https://preview.systemcenteradvisor.com/Content/AdvisorCore/Resources/Security.pdf
Azure Security Center
Continuous security monitoringIntegrated security managementBuilt in threat detections and alertsWorks with broad ecosystem of security solutions
IntroducingAzure Security Center
Gain Visibility and Control
Unified view of all security related information, relevant threats and recommendations
Central management of security policies, network configuration, virtual machine baselines, etc.
Integrated security event logging and monitoring, including events from partner solutions
Unlock AgilityDefine policies for your Azure subscriptions according to your company security needs
Security recommendations guide resource owners through the process of implementing required controls
Rapidly deploy security services and appliances from Microsoft and partners, like firewalls and endpoint protection
Keep up with Cyber ThreatsConstantly collects, analyzes, and fuses security events from your Azure resources, the network, and integrated partner solutions
Leverages global threat intelligence from Microsoft products and services, Digital Crime and Incident Response Centers, and third party feeds
Creates prioritized security alerts with insight into the attack and recommendations on how to remediate
The power of analytics-driven threat detection
Compromised machines
Failed exploitation attempts
Brute force attacks
Data exfiltration
Web application vulnerabilities
Advanced malware
Staying connectedAzure Trust Center http://azure.microsoft.com/en-us/support/trust-center/
Azure Security Bloghttp://blogs.msdn.com/b/azuresecurity/
Azure Network Security Whitepaperhttps://azure.microsoft.com/en-us/blog/microsoft-azure-network-security-whitepaper-version-3-is-now-available/
Top Related