520 likes | 696 Vues
DPR312. Architecting for a Secure Cloud. Michele Leroux Bustamante Chief Architect, IDesign mlb@idesign.net. Michele Leroux Bustamante. Chief Architect, IDesign ( www.idesign.net ) Chief Security Architect, BiTKOO ( www.bitkoo.com ).
E N D
DPR312 Architecting for a Secure Cloud Michele Leroux Bustamante Chief Architect, IDesign mlb@idesign.net
Michele Leroux Bustamante Chief Architect, IDesign(www.idesign.net) Chief Security Architect, BiTKOO(www.bitkoo.com) Microsoft Regional Director,(www.theregion.com) MVP Connected Systems Publications and Resources:DevProConnections, MSDN, CoDe Magazine, Microsoft whitepapers Learning WCF (O’Reilly 2007/2009) CodePlex (publications, webcasts, code, utilities) Speaker:Tech Ed, PDC, Dev Connections, NDC, etc. www.michelelerouxbustamante.com, www.learningwcf.com
Agenda • Benefits and concerns moving to the cloud • IT and shared hosting security aspects • Application architecture security aspects • Architectural scenarios for Windows Azure Platform features • Techniques for securing features by scenario
What Drives us to the Cloud? • Reduced capital investment • Scale out on demand, pay as you go • Unbounded scale for bursts or peak loads • Better overall IT management strategy • Quality of service, zero downtime updates • Focus resources on implementation and business logic
Typical Concerns • Loss of control • Reliability of services • Service level commitments and guarantees • Ability to change vendors if dissatisfied • Security
Windows Azure Platform Building Blocks Windows Azure AppFabric Windows Azure Windows Azure Storage SQL Azure Platform Infrastructure, Equipment, Data Center
Windows Azure Platform Features Access Control Windows Azure AD FS 2 Cache Web Role Worker Role Cache Service REST On Premise Domain AppFabric Blobs Tables Queues SQL Azure Azure Storage
Service Bus • Primarily designed to address connectivity issues • Services may be located behind Private IPs, firewalls, load balancers, proxy servers • Also enhances reliability and scalability • Provides added security On Premise Service
Service Bus as DMZ Browser Windows Phone 7 Browser WPF Browser MVC / JQuery AJAX Silverlight MVC Site Web Forms Site REST / Router Router MVC / REST REST REST DMZ Service Service Service Service Service Corporate Domain
Service Bus as DMZ (2) Browser Windows Phone 7 Browser WPF Browser MVC / JQuery AJAX Silverlight MVC Site Web Forms Site MVC / REST REST AppFabric DMZ Service Service Service Service Service Corporate Domain
Service Bus to Data On Premise / Migration Client Web Application AppFabric Windows Azure Service Corporate Domain
Service Bus Security Evil Client Client encrypt message signed request + Encrypt Access Control HTTPS AppFabric TCP / HTTPS Service Bus Recommendations: • Require relay credential • Encrypt keys at client • Try to use TCP relay for performance and cost savings • Add message security for highly sensitive data • Use negotiation for encryption certificate over HTTP decrypt message Encrypt Service Corporate Domain
SQL Azure • Relational data store in the cloud (SQL Server 2008 R2) • TDS support (client connections) • REST-based Management API • Protected by: • Firewall Rules • SQL Server authentication (not Windows) • Certificate authentication
Relational Data On Premise / In The Cloud Client Web / Worker Role AppFabric Windows Azure Service Corporate Domain SQL Azure
SQL Azure Recommendations: • Use portal admin to create DB admin accounts and manage firewall rules • Use DB admin accounts to configure schema and users • Use trusted subsystem users to reduce attack surface • Automate with the REST API where possible SQL Azure Security Corporate Domain Windows Azure Administrative REST Client SQL Server Management Studio SSRS Web Portal Web / Worker Role Service SSIS AS Allow Microsoft Services + User Credentials IP Address + Certificate IP Address + Service User IP Address + User Credentials Portal Admin IP Address + DB Admin Firewall Rules Table A Master Table B REST API user login user user SQL Azure
SQL Azure Data Protection SQL Azure Recommendations (2): • Limit access to hashing and encryption material • Use asymmetric encryption, cert store to protect keys, limited access • Protect hashing material by encrypting config user input Windows Azure compute hash A A Application Application compute hash Hash encrypt data decrypt data compare hash Hash Hash Encrypt Encrypt Hash Encrypt SQL Azure
Windows Azure & Windows Azure Storage • Compute, Storage and Management services • Host web applications and services • Applications can leverage non-relational tables, queues or blob storage • Replace relational database or use tables to compliment • Host large media content • Optionally distribute via Content Delivery Network (CDN) • Mount drives for migration approach • Go all-in or scale out specific features
Windows Azure & Windows Azure Storage Windows Azure Web Role Worker Role REST Queues Tables Blobs Windows Azure Storage
Windows Azure Storage Windows Azure Application Application REST Uri Storage Client REST Queues Tables Blobs Windows Azure Storage
Windows Azure Storage Security Corporate Domain Windows Azure Remote Client Administration Service Web / Worker Role Web Portal Client App Management Tools HTTPS HTTPS HTTPS HTTPS HTTPS REST Queues Tables Blobs Symmetric Key Windows Azure Storage
Windows Azure Storage Tiers Remote Client Client App Azure Storage Recommendations: • Never ship keys to non-owned clients • Avoid shipping keys to remote clients • Encrypt keys config Windows Azure Administration Web Portal Service encrypt key roll keys HTTPS HTTPS REST Queues Tables Blobs Symmetric Key Windows Azure Storage
Blob Storage Integrity Windows Azure Service Blob Storage Recommendations: • For very large media uploads and/or mission critical data use MD5 validation to ensure integrity validate signature MD5 Hash + Windows Azure Storage Blob Container MD5 Hash +
Blob Storage Shared Access Signatures Blob Storage Recommendations (2): • Never allow public access to container • Allow public read to blob links if appropriate for the application, try to use SAS for this purpose to limit exposure Browser Client Service Service Service Service read access for limited time with shared access key shared access policy list create update delete Shared Access Signature (SAS) >1 hour requires authentication header in request (no browser) create update delete create update delete read list read list read Public Container Access Private Container Public Blob Access Private Container
Windows Azure Architecture Web Role Worker Role AJAX / JQuery Silverlight .NET Code WCF ASP.NET / MVC WCF .NET Code .NET FW 3.5 SP1 / .NET FW 4 CAS Policy NT Security Policy Blobs Tables Queues
Application Architecture Tiers External Endpoint External Endpoint Window Azure Web Role Web Role WCF Service Web Application Internal Endpoint Internal Endpoint Worker Role Worker Role WCF Service WCF Service REST Blobs Tables Queues SQL Azure Azure Storage
Added Security with Service Bus Client Client Service Bus Web Role Web Role WCF Service Web Application Service Internal Endpoint Internal Endpoint Worker Role Worker Role WCF Service WCF Service Corporate Domain Window Azure
Scaling Out Compute Cycles Client Service Bus Web Role Worker Role WCF Service WCF Service Service pull from queue write to queue Window Azure REST Compute Queue Corporate Domain Azure Storage
Scaling Out Compute Cycles (2) Client Web Role Worker Role WCF Service WCF Service Service Worker Role WCF Service Worker Role WCF Service pull from queue write to queue Worker Role WCF Service REST Compute Queue
Scaling Out Media Access Client REST Service Blob Container CDN Cache Blob Container CDN Cache Blob Container CDN Cache Azure Storage Azure Storage Corporate Domain
Identity Federation Benefits • Decouple authentication mechanism from applications and services • Go claims-based • Reduce IT pain and risk related to provisioning and de-provisioning users • Extend trust to users across domain, corporate and Internet boundaries • Support Single Sign-On (SSO)
Passive Federation Browser 3 Login Page 5 1 4 2 Azure Hosted Web Site STS
Active Federation Windows Client 3 1 2 STS Azure Hosted Service
STS On Premise Windows Client Azure Hosted Service DMZ STS
Windows Users Behind DMZ Windows Client Azure Hosted Service DMZ Domain Server AD Users ADFS V2 ADFS V2
Access Control and MainstreamIdentity Providers Browser 3 Google FaceBook 4 1 5 2 Yahoo! Windows Live Access Control Relying Party Web
Access Control and EnterpriseIdentity Providers Browser 3 Google FaceBook 4 1 5 2 Yahoo! Windows Live Access Control Enterprise Identity Provider Relying Party Web
Relying Party STS + Access Control Google Yahoo! FaceBook Windows Live Access Control Relying Party Web Relying Party STS Policy Enterprise Identity Provider Enterprise Identity Provider AD FS V2 Enterprise Identity Provider Flow of tokens, not direct communication
Summary • Application architecture must be well defined before you can define your cloud strategy • Assess risks related to data, content and other assets • Determine which can be moved to the cloud • Determine the need for a migration plan as needed from on-premise to the cloud • Define the application architecture for the cloud and the security plan for each Windows Azure Platform feature • Document the IT, shared hosting and application security concerns and mitigations in your internal SLA
ARC Track Resources • http://www.microsoft.com/visualstudio • http://www.microsoft.com/visualstudio/en-us/lightswitch • http://www.microsoft.com/expression/ • http://blogs.msdn.com/b/somasegar/ • http://blogs.msdn.com/b/bharry/ • http://www.microsoft.com/sqlserver/en/us/default.aspx • http://www.facebook.com/visualstudio
Resources • Connect. Share. Discuss. http://northamerica.msteched.com Learning • Sessions On-Demand & Community • Microsoft Certification & Training Resources www.microsoft.com/teched www.microsoft.com/learning • Resources for IT Professionals • Resources for Developers http://microsoft.com/technet http://microsoft.com/msdn