Flight Schedules*


Presentation Transcript


  1. Flight Schedules* To revisit breakouts, theaters, and labs, check out: aka.ms/AADIgniteSessions *Subject to change…

  2. Lock down access to Azure using Identity Arturo Lucatero @ArlucaID Program Manager Azure Active Directory BRK3383

  3. Manage and secure with identity (slide figure labels: Cloud, Partners & Customers, Employees, Identity, Devices, On-premises)

  4. Let’s chat about how… the identity features of Azure and Azure Active Directory can help you reduce the risk and impact of accidents and attacks

  5. How to Lock Down Access to Azure using Identity
     • Reduce vulnerability to credential attacks with multi-factor authentication and Conditional Access.
     • Minimize your blast radius with Azure Role-based access control and Privileged Identity Management.
     • Stop managing local accounts for Virtual Machines with Azure AD sign in for Azure VMs.
     • Remove credentials from your code with managed identities for Azure resources.
     (Slide figures: Alice, Bob, Charlene, Robot)

  6. #1: Reducing vulnerability to credential attacks

  7. #1: Reduce vulnerability to credential attacks
     Breaches due to compromised credentials are very much still a thing:
     • In the second half of 2017, phishing was the #1 threat vector (>50%) for O365*
     • Weak and guessable passwords
     (Slide graphic: BREAKING NEWS: <YOUR COMPANY NAME> BREACHED!)
     *Source: https://www.microsoft.com/en-us/security/intelligence-report

  8. What can you do about it? Require multi-factor authentication for anyone managing Azure!
     Azure AD phone-based MFA:
     • Microsoft Authenticator app
     • Phone call
     • SMS message
     Conditional Access, triggered under specific conditions:
     • For a specific app, e.g. Azure
     • When not on the network
     • When the sign-in is considered high risk
     More info: aka.ms/MFAquickstart and aka.ms/CAquickstart

  9. Demo!

  10. Take it a step further! Go passwordless: aka.ms/gopasswordless Block weak passwords: aka.ms/noweakpasswords

  11. #2: Minimize your blast radius

  12. Azure Role-Based Access Control (RBAC)
     • Fine-grained access control to the Azure “control plane”
     • Grant access by assigning a Security Principal a Role at a Scope
       • Security Principal: user, group or service principal
       • Role: built-in or custom
       • Scope: subscription, resource group or resource
     • Assignments are inherited down the resource hierarchy
     (Slide figure: Subscription / Resource Group / Resource hierarchy with Reader, Owner and Contributor assignments)

  13. What’s a role? A collection of actions, e.g.:
     • Microsoft.Compute/virtualMachines/*
     • Microsoft.Compute/virtualMachines/start/action
     • Microsoft.Network/virtualNetworks/read
     70+ built-in roles for Azure RBAC, e.g. Virtual Machine Contributor, Backup Contributor, Security Reader, etc.

  14. What’s your blast radius? (Slide figure: the “blast radius” grows with more actions and more scope)

  15. Manage to Least Privilege (slide figure: observers; people doing real work; use a “break glass” account; single-purpose robots or targeted debug) “Use minimum role assignments to get normal work done.”

  16. Azure AD Privileged Identity Management. You don’t always need a hammer, but sometimes it comes in handy!
     • Enable “Just In Time” access to Azure
     • Expire access automatically
     • Assign temporary access for quick tasks, on-call schedules
     • Get alerts when new users or groups are assigned resource access, and when they activate eligible assignments

  17. Demo!

  18. Azure RBAC & Azure AD Privileged Identity Management. Just scan the QR code! More info and next steps @ aka.ms/azureIAM and aka.ms/PIMquickstart

  19. #3: Stop managing local accounts for Virtual Machines

  20. Local admin accounts on VMs? Challenges with managing local accounts to sign in to Azure VMs:
     • Huge temptation to share name/password among the team
     • Must remember to remove accounts/keys
     • Rotate passwords when people leave the organization
     • Subject to credential management problems
     A better way: Azure AD sign in for Azure VMs

  21. Azure AD sign in for Azure VMs. Preview available for Linux VMs today!
     Improved security:
     • Use Azure AD credentials to log in
     • Mitigate credential theft or weak credentials
     • Leverage Azure AD password complexity and lifetime policies
     • Leverage multi-factor authentication
     Seamless collaboration:
     • Assign user/admin privileges using Azure RBAC
     • No longer need to scrub VMs to remove unnecessary accounts/keys
     • No longer need to manually remove users from VMs when they leave the org

  22. Demo!

  23. Azure AD sign in for Azure VMs: *preview available today* for Linux VMs, *coming soon* for Windows Server 2019 and Windows 10 client VMs. More info and next steps @ aka.ms/aadVMsignin

  24. #4: Remove credentials from your code

  25. Robots authenticating to cloud services? Challenges with managing workloads that authenticate to cloud services:
     • Putting credentials in your code
     • Sanitizing code so credentials don’t get exposed in source control
     • Responsible for credential rotation
     A better way: Managed identities for Azure resources

  26. Managed Identities for Azure resources (Managed Service Identity?) Automatically managed service principals in Azure Active Directory, exclusively dedicated to Azure service instances. They enable Azure workloads to authenticate to cloud services without needing credentials in code. We take care of the credentials; just tell us what you need to authenticate to. It’s FREE!

  27. Analogy (slide figure, garage-door analogy paired with the Azure concept):
     • Keys ↔ SAS keys, username and password, etc.
     • Built-in garage door opener ↔ System assigned managed identity
     • Hand-held garage door opener ↔ User assigned managed identity
     • Identity to resource assignment ↔ Azure RBAC role assignment
     • Cloud service ↔ Azure Storage, Key Vault, Resource Manager, etc.
     • Azure resource ↔ Virtual Machine, Function, App Service, etc.

  28. Behind the scenes: system assigned managed identity + Virtual Machine
     1. Azure Resource Manager gets a request to enable a system assigned managed identity
     2. Request is sent to Azure AD to create the managed identity & its backing service principal
     3. Managed identity is configured onto the corresponding resource
     4. User grants permissions to the managed identity
     5. VM code requests tokens via IMDS
     6. Managed identity subsystem gets an access token from Azure AD
     7. VM code authenticates to the cloud service!
     Note: no credentials in code were seen during this flow!
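Steps 5 and 6 of this flow are where the VM code itself is involved, so here is an added example (not code from the session or from Microsoft) showing what that code does: it asks the Azure Instance Metadata Service (IMDS) for a token for a system assigned managed identity and caches it in memory, with no credential anywhere in the source. The endpoint, API version and `Metadata: true` header are the documented IMDS ones; the HTTP transport is injected so the example runs offline against a constructed IMDS reply, and `urllib_fetch` is what you would pass on a real Azure VM.

```python
"""Added example: token acquisition from IMDS for a system assigned managed
identity. No secret appears in code; the transport is pluggable so the demo
runs offline against a constructed reply."""
import json
import time
from typing import Callable, Dict, Optional
from urllib.parse import urlencode
from urllib.request import Request, urlopen

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"  # documented IMDS identity API version


def build_token_request(resource: str, client_id: Optional[str] = None):
    """Return (url, headers) for an IMDS token request.
    IMDS is link-local and refuses requests that lack the 'Metadata: true'
    header; the header requirement exists as a mitigation against
    SSRF-style forwarding of token requests."""
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:  # only needed to select a user assigned identity
        params["client_id"] = client_id
    return f"{IMDS_TOKEN_URL}?{urlencode(params)}", {"Metadata": "true"}


def parse_token_response(body: str) -> Dict[str, object]:
    """Keep only what callers need; 'expires_on' is epoch seconds as a string."""
    data = json.loads(body)
    return {"access_token": data["access_token"],
            "expires_on": int(data["expires_on"]),
            "resource": data["resource"]}


def urllib_fetch(url: str, headers: Dict[str, str]) -> str:
    """Real transport for use on an Azure VM (not exercised offline)."""
    with urlopen(Request(url, headers=headers), timeout=5) as resp:
        return resp.read().decode()


class TokenCache:
    """Per-resource cache; refreshes a token inside 5 minutes of expiry.
    Tokens live only in memory, so nothing lands on disk or in source control."""
    REFRESH_MARGIN = 300

    def __init__(self, fetch: Callable[[str, Dict[str, str]], str], now=time.time):
        self._fetch, self._now, self._tokens = fetch, now, {}

    def get(self, resource: str) -> str:
        tok = self._tokens.get(resource)
        if tok and tok["expires_on"] - self._now() > self.REFRESH_MARGIN:
            return tok["access_token"]
        url, headers = build_token_request(resource)
        tok = parse_token_response(self._fetch(url, headers))
        self._tokens[resource] = tok
        return tok["access_token"]


class FakeImds:
    """Constructed stand-in for IMDS so the example runs offline."""
    def __init__(self, issued_at: int):
        self.calls, self._issued_at = 0, issued_at

    def __call__(self, url: str, headers: Dict[str, str]) -> str:
        if headers.get("Metadata") != "true":
            raise PermissionError("IMDS requires the Metadata: true header")
        self.calls += 1
        return json.dumps({"access_token": f"eyJ.constructed.{self.calls}",
                           "expires_on": str(self._issued_at + 3600),
                           "resource": "https://management.azure.com/",
                           "token_type": "Bearer"})


def demo():
    """Two calls share one token; a third call near expiry triggers one refresh."""
    clock = [1_700_000_000]
    imds = FakeImds(clock[0])
    cache = TokenCache(imds, now=lambda: clock[0])
    t1 = cache.get("https://management.azure.com/")
    t2 = cache.get("https://management.azure.com/")  # served from cache
    clock[0] += 3400                                   # 200 s left < 300 s margin
    t3 = cache.get("https://management.azure.com/")
    return t1, t2, t3, imds.calls


if __name__ == "__main__":
    print(demo())  # on a real VM: TokenCache(urllib_fetch).get(resource)
```

The point to take from the block is what is absent: no key, password or connection string is read from configuration, and the only thing the code knows is which resource it wants a token for. Rotation is Azure's problem, and revoking access is a role-assignment change rather than a code change.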

  29. Demo!

  30. Data Actions (Preview): extended RBAC for data operations
     • Bob is assigned Owner at subscription scope
       • Can perform all management operations
       • Cannot perform data operations
     • PhotoReadID (managed identity) is assigned Storage Blob Data Contributor (Preview) at storage account scope
       • Can perform management and data operations, as defined in the resource-specific role
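To make the RBAC rules from slides 12 to 16 and this Data Actions slide concrete, here is an added example (not code from the session or from Microsoft) that models Azure RBAC authorization: roles as collections of actions with `*` wildcards, assignments at a scope that are inherited down the hierarchy, the management-plane/data-plane split (Actions versus DataActions), a blast-radius count in the sense of slide 14, and PIM-style time-bound assignments from slide 16. The role definitions are simplified versions of the built-in ones; the principals, scopes and operation inventory are constructed, and NotActions and deny assignments are left out.

```python
"""Added example: a small model of Azure RBAC evaluation (simplified roles,
constructed principals and scopes; NotActions and deny assignments omitted)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional, Tuple


@dataclass(frozen=True)
class Role:
    name: str
    actions: Tuple[str, ...] = ()       # control-plane (management) operations
    data_actions: Tuple[str, ...] = ()  # data-plane operations


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: Role
    scope: str                          # subscription, resource group or resource
    expires_on: Optional[float] = None  # PIM time-bound activation; None = permanent


# Simplified built-in roles (the real definitions list more operations)
OWNER = Role("Owner", actions=("*",))
READER = Role("Reader", actions=("*/read",))
VM_CONTRIBUTOR = Role("Virtual Machine Contributor",
                      actions=("Microsoft.Compute/virtualMachines/*",
                               "Microsoft.Network/virtualNetworks/read"))
BLOB_DATA_CONTRIBUTOR = Role(
    "Storage Blob Data Contributor",
    actions=("Microsoft.Storage/storageAccounts/blobServices/containers/*",),
    data_actions=("Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*",))


def in_scope(assignment_scope: str, target_scope: str) -> bool:
    """An assignment applies at its own scope and everything beneath it."""
    a, t = assignment_scope.lower(), target_scope.lower()
    return t == a or t.startswith(a + "/")


def allowed(assignments, principal, operation, scope, now, data=False) -> bool:
    """True if a live assignment for the principal covers the operation at scope.
    Action matching is case-insensitive and '*' spans path segments."""
    op = operation.lower()
    for asg in assignments:
        if asg.principal != principal or not in_scope(asg.scope, scope):
            continue
        if asg.expires_on is not None and now >= asg.expires_on:
            continue  # PIM activation has expired
        patterns = asg.role.data_actions if data else asg.role.actions
        if any(fnmatchcase(op, p.lower()) for p in patterns):
            return True
    return False


def blast_radius(assignments, principal, inventory, now) -> int:
    """Slide 14: how many (operation, scope) pairs a principal can actually reach."""
    return sum(allowed(assignments, principal, op, sc, now, d) for op, sc, d in inventory)


# Constructed environment
SUB = "/subscriptions/sub-demo"
RG = SUB + "/resourceGroups/rg-photos"
SA = RG + "/providers/Microsoft.Storage/storageAccounts/stphotos"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
T0 = 1_700_000_000.0

ASSIGNMENTS = [
    Assignment("bob", OWNER, SUB),                                     # slide 30
    Assignment("PhotoReadID", BLOB_DATA_CONTRIBUTOR, SA),              # slide 30
    Assignment("alice", READER, SUB),                                  # observer
    Assignment("charlene", VM_CONTRIBUTOR, RG, expires_on=T0 + 3600),  # PIM, 1 h
]

INVENTORY = [  # (operation, scope, is_data_action)
    ("Microsoft.Compute/virtualMachines/read", VM, False),
    ("Microsoft.Compute/virtualMachines/start/action", VM, False),
    ("Microsoft.Compute/virtualMachines/delete", VM, False),
    ("Microsoft.Storage/storageAccounts/read", SA, False),
    ("Microsoft.Storage/storageAccounts/listKeys/action", SA, False),
    ("Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read", SA, True),
]

if __name__ == "__main__":
    for who in ("bob", "alice", "charlene", "PhotoReadID"):
        print(f"{who:12s} blast radius at T0: {blast_radius(ASSIGNMENTS, who, INVENTORY, T0)}")
    print("charlene after PIM expiry:", blast_radius(ASSIGNMENTS, "charlene", INVENTORY, T0 + 3600))
```

Running it reproduces the slide: Bob, as Owner at the subscription, can manage the storage account but cannot read a blob, because Owner's `*` lives in Actions, not DataActions, while PhotoReadID can read blobs only inside the storage account it was assigned at. Charlene's eligible assignment counts toward her blast radius only until it expires, which is the "expire access automatically" behaviour PIM provides.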

  31. Drum roll! System assigned managed identity + Virtual Machines & Virtual Machine Scale Sets = Now GA. More info and next steps @ aka.ms/azureManagedIdentity

  32. What’s coming on the roadmap?
     Managed identities for Azure resources:
     • User assigned managed identities coming soon to App Services & Functions!
     • More integrations with other Azure services coming soon!
     Azure Role-Based Access Control:
     • >2000 role definitions/role assignments per subscription
     • Portal UX for creating and managing custom roles
     Azure AD sign in for Azure VMs:
     • Support for Windows Server 2019 VMs in Azure

  33. Summary and next steps

  34. View all Identity Announcements @ aka.ms/IdentityBlog Related sessions on demand and

  35. Let’s continue the conversation!
     • Have feedback for the team?
     • Want to give us input on our roadmap?
     • Have a scenario we’re missing?
     Sign up for a 30 min call with our team: aka.ms/AzureIAMcall. Thank you! @ArLucaID

  36. Please evaluate this session. Your feedback is important to us! Please evaluate this session through MyEvaluations on the mobile app or website. Download the app: https://aka.ms/ignite.mobileApp Go to the website: https://myignite.techcommunity.microsoft.com/evaluations
