Agenda
- Cloud Security Concerns
- Windows Azure Platform Security Model: Compute Services, Storage, Identity and Access, Networking, Management
Diagram: delivery models ranging from On Premises ("optimized for") to Platform as a Service ("versatile across")
Security Talk
Defenses

Application
- Strong storage keys for access control
- SSL support for data transfers between all parties
- Front-end .NET code running under partial trust

Host
- Windows account with least privileges
- Windows Server 2008 R2 OS image
- Host boundaries enforced by external hypervisor
- Host firewall limiting traffic to VMs

Network
- VLANs and packet filters in routers

Physical
- World-class physical security
- ISO 27001 and SAS 70 Type II certifications for datacenter processes
Secure by Design
Industry leading software security assurance process
- Prescriptive yet practical approach
- Proactive, not just looking for bugs
- Eliminate security problems early
- Proven results
The Windows Azure Platform is an internet-scale cloud services platform hosted in Microsoft data centers around the world, providing a simple, reliable and powerful platform for the creation of web applications and services.
Diagram: platform architecture with the Fabric Controller, role types, load-balancers and switches
Compute isolation
- Customer code runs on dedicated virtual machines (VMs)
- VMs isolated by a Hyper-V based hypervisor
- All access to network and disk is mediated by a host virtual machine
- No persistent storage in the Compute nodes
- Limited number of device drivers
- Network connectivity restricted using host firewall

Diagram: Host VM, VM isolation, Network/Disk mediation
Diagram: example deployment with two front-end instances (FrontEnd-1, FrontEnd-2) and two middle-tier instances (Middle Tier-1, Middle Tier-2)
SQL Azure
Relational Database as a Service in Azure
- Built upon the SQL Server engine
- One logical server per Azure subscription
- Abstracts the logical from the physical administration

Replication
- Multiple front-end servers receiving client connections
- Data stored in three replicas
- Reads are completed at the primary
- Writes are replicated to a quorum of secondaries
Diagram: one database stored as Replica 1, Replica 2 and Replica 3 (a primary with multiple secondaries)
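The three-replica, quorum-write scheme above, as an added toy model that is not SQL Azure's code (the quorum size of two, per-replica availability flags and the rollback of a write that misses quorum are my simplifying assumptions):

```python
"""Toy model of the SQL Azure replication scheme described above: three
replicas, reads served at the primary, writes acknowledged only once a
quorum has accepted them. Constructed illustration, not SQL Azure's code."""
from dataclasses import dataclass, field

QUORUM = 2  # majority of three replicas; the primary counts as one

@dataclass
class Replica:
    available: bool = True
    log: list = field(default_factory=list)  # accepted (key, value) entries
    def accept(self, entry):  # durably take a write; False when the replica is down
        if not self.available:
            return False
        self.log.append(entry)
        return True

@dataclass
class ReplicatedDB:
    primary: Replica
    secondaries: list

    def write(self, key, value):
        """Commit iff the primary and enough secondaries acknowledge; a write
        that misses quorum is rolled back on every replica that took it."""
        entry = (key, value)
        if not self.primary.accept(entry):
            return False  # no primary, no write
        acked = [self.primary] + [s for s in self.secondaries if s.accept(entry)]
        if len(acked) >= QUORUM:
            return True
        for r in acked:
            r.log.pop()  # undo the tentative entry
        return False

    def read(self, key):  # reads complete at the primary (holds every commit)
        for k, v in reversed(self.primary.log):
            if k == key:
                return v
        return None

def demo():
    """Lose replicas one at a time: writes survive one loss, then fail."""
    db = ReplicatedDB(Replica(), [Replica(), Replica()])
    ok_all_up = db.write("acct", 100)    # three replicas acknowledge
    db.secondaries[0].available = False
    ok_one_down = db.write("acct", 120)  # primary + one secondary: quorum
    db.secondaries[1].available = False
    ok_two_down = db.write("acct", 999)  # primary alone: below quorum
    return ok_all_up, ok_one_down, ok_two_down, db.read("acct")
```

The last read returns 120, the most recent write that reached quorum; the write that failed quorum never becomes visible.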
Diagram: federation with Active Directory and other identity providers
- Use of Active Directory identities and groups through federation
- Single sign-on with corporate applications tied to AD
- Integration with 3rd party systems through WS-* and SAML 2.0
- Enables a seamless access experience with popular Internet identity providers through open standards (WS-* and SAML)
Key features
- Broad identity provider support, including AD Federation Services v2 and popular Web identity providers (Live ID, Facebook, Google, Yahoo)
- WS-Trust and WS-Federation protocol support
- Full integration with Windows Identity Foundation (WIF)
- Configurable through new management web portal
Industry Certifications
- ISO/IEC 27001:2005
- SAS 70 Type II
Map: data center regions in North America (North Central US, South Central US), Europe (North Europe, West Europe) and Asia (East Asia, South Asia)
Microsoft complies with all applicable laws regarding cross-border data transfer including EU and US Safe Harbor requirements
Call to Action
1. Sign up and deploy your first app on Windows Azure Platform - http://bit.ly/tBavpE
2. Activate your Windows Azure benefit for MSDN Subscribers - http://bit.ly/qT0HW9
4. Attend a 1-day Windows Azure Discovery Workshop on Nov 12. Email vincentleong@info-trek.com
Summary
- Cloud Security Concerns
- Windows Azure Platform Security Model: Compute Services, Storage, Identity and Access, Networking, Management
References
- Windows Azure Security Guidance - http://bit.ly/uU2w5I
- ACS Samples and Documentation - http://bit.ly/rTX93K
- Microsoft Global Foundation Services (GFS) - http://bit.ly/sfvoci
- GFS Infrastructure videos - http://bit.ly/rqhAEA
- Security Resources for Windows Azure - http://bit.ly/rIulDp
- Real World Windows Azure Security - http://bit.ly/uo6Mwo
- Windows Azure Training courses - http://bit.ly/uC8oYo