Data protection in the cloud: a guide for developers
The Azure platform was designed to provide security and compliance with all the requirements of developers. Learn how to use built-in services to securely store application data so that only authorized services and clients can access this data.
Security is one of the most important aspects of any architecture. Protecting business and customer data is critical. Data leakage can destroy the company's reputation and cause significant financial damage. In this module, we will discuss the main issues of security architecture in the development environment in the cloud.
')
Exploring the development of cloud solutions, the priority of which is security, we will see how one fictional Azure user uses these principles in practice.
Lamna Healthcare is a national healthcare provider. His IT department recently began moving most IT systems to Azure. The organization uses its own applications, open source applications and standard applications with different architectures and technology platforms. We learn what needs to be done to move systems and data to the cloud without compromising security.
In this module, you will learn how to perform the following tasks:
There is no panacea for all threats and one solution for all problems. Suppose that at Lamna Healthcare, the safety issue was out of sight. It became clear that this area should focus on. Lamna employees do not know where to start, and whether it is possible to simply buy a solution to ensure the safety of the environment. They are sure that they need a holistic approach, but they do not know exactly what it is. Here we will discuss in detail the key concepts of in-depth protection, define the basic security technologies and approaches to support the strategy of depth protection, and also talk about how to apply these concepts in the development of the architecture of Azure services.
Depth defense is a strategy that uses a number of mechanisms to slow down attacks aimed at obtaining unauthorized access to information. Each level provides protection, so if an attacker overcomes one level, the next level will prevent further penetration. Microsoft applies a multi-layered approach to security in both physical data centers and Azure services. The purpose of in-depth protection is to ensure the security of information and prevent theft of data by persons who do not have permission to access it. The general principles that are used to determine the state of security are confidentiality, integrity, and availability, collectively known as CIA (confidentiality, integrity, availability).
Depth protection can be represented in the form of several concentric rings, in the center of which are the data. Each ring adds an extra level of security around the data. This approach eliminates dependence on one level of protection, slows down the attack and provides alerts with telemetry data so that you can take action - manually or automatically. Let's look at each of the levels.
Almost always attackers hunt for data:
Persons responsible for data storage and access control are required to ensure adequate protection. Often, regulatory requirements prescribe specific controls and procedures to ensure confidentiality, integrity and availability of data.
If you integrate security into the application development life cycle, you can reduce the number of vulnerabilities in your code. Recommend to all groups of developers to ensure the safety of applications by default. Security requirements must be immutable.
Malicious programs, lack of patches and inadequate system protection make your environment vulnerable to attack. This level is aimed at ensuring the security of your computing resources, and you have the proper controls to minimize security problems.
The purpose of this level is to limit network connections in resources and use only the most necessary connections. Separate resources and use network-level management tools to restrict data exchange only between necessary components. By limiting data sharing, you reduce the risk of moving around computers on your network.
Along the perimeter of the network, protection against network attacks on resources is necessary. Detection of such attacks, elimination of their impact and notification of them are important elements of ensuring network security.
The level of policies and access is aimed at ensuring the security of identities, controlling access to only those who need it, as well as registering changes.
Physical security includes measures to restrict physical access to resources. It ensures that intruders do not overcome other levels, and protects data from loss and theft.
Each layer can implement one or several tasks according to the “Confidentiality, Integrity and Access” model.
Computing environments are moving from customer-managed data centers to cloud data centers, and with them shifting responsibility. Security is now the joint responsibility of cloud service providers and customers.
The threat pattern is changing in real time and on a large scale, so the security architecture is never perfect. Microsoft and our customers need the ability to respond to these threats intelligently, quickly, and at the right level.
Azure Security Center provides customers with unified security management and advanced threat protection to recognize and respond to security events in on-premises and in Azure. In turn, Azure customers must constantly review and develop their security architecture.
Lamna Healthcare is actively engaged in the implementation of in-depth protection in all IT departments. Since the organization is responsible for large volumes of sensitive medical data, it understands that a comprehensive approach will be the best option.
To protect corporate data, a virtual workgroup has been created in the company, consisting of representatives from each IT department and security department. The task of the group is to familiarize engineers and architects with vulnerabilities and how to fix them, as well as provide information support for working with projects in the organization.
Naturally, this work will never be done to the end. Therefore, to maintain the required level of protection, the company is scheduled to regularly review policies, procedures, technical aspects and architecture in a constant search for ways to improve security.
We examined what depth protection is, what levels it has and what is the task of each level. This security strategy in an architecture ensures an integrated approach to protecting the entire environment, rather than an individual level or technology.
To complete this free course, follow the link . There you will find these parts:
Introduction
Security is one of the most important aspects of any architecture. Protecting business and customer data is critical. Data leakage can destroy the company's reputation and cause significant financial damage. In this module, we will discuss the main issues of security architecture in the development environment in the cloud.
')
Exploring the development of cloud solutions, the priority of which is security, we will see how one fictional Azure user uses these principles in practice.
Lamna Healthcare is a national healthcare provider. His IT department recently began moving most IT systems to Azure. The organization uses its own applications, open source applications and standard applications with different architectures and technology platforms. We learn what needs to be done to move systems and data to the cloud without compromising security.
Note
Although the concepts discussed in this module are not exhaustive, they include some important concepts related to creating solutions in the cloud. Microsoft publishes a wide range of templates, tutorials and application development examples on the Azure platform. It is highly recommended that you view the content in the Azure Architecture Center before you begin planning and designing the architecture.
Learning objectives
In this module, you will learn how to perform the following tasks:
- Learn how to use in-depth protection to secure your architecture.
- Learn how to protect identities.
- Find out what technologies are available to protect your Azure infrastructure.
- Learn how and where to use encryption to protect data.
- Learn how to protect architectures at the network level.
- Learn how to use application security recommendations to integrate application security measures.
Depth protection
There is no panacea for all threats and one solution for all problems. Suppose that at Lamna Healthcare, the safety issue was out of sight. It became clear that this area should focus on. Lamna employees do not know where to start, and whether it is possible to simply buy a solution to ensure the safety of the environment. They are sure that they need a holistic approach, but they do not know exactly what it is. Here we will discuss in detail the key concepts of in-depth protection, define the basic security technologies and approaches to support the strategy of depth protection, and also talk about how to apply these concepts in the development of the architecture of Azure services.
Multi-level security approach
Depth defense is a strategy that uses a number of mechanisms to slow down attacks aimed at obtaining unauthorized access to information. Each level provides protection, so if an attacker overcomes one level, the next level will prevent further penetration. Microsoft applies a multi-layered approach to security in both physical data centers and Azure services. The purpose of in-depth protection is to ensure the security of information and prevent theft of data by persons who do not have permission to access it. The general principles that are used to determine the state of security are confidentiality, integrity, and availability, collectively known as CIA (confidentiality, integrity, availability).
- Confidentiality is the principle of minimum privileges. Access to information is available only to persons who are explicitly granted permission. This information includes the protection of user passwords, remote access certificates and the contents of e-mail messages.
- Integrity - preventing unauthorized changes to inactive or transmitted data. The general approach used in data transmission is that a unique data imprint is created for the sender using a one-way hash algorithm. The hash is sent to the receiver along with the data. The data hash is recalculated and compared by the recipient with the original, so that the data is not lost and not changed during the transfer.
- Availability — Ensuring availability of services for authorized users. Denial of service attacks are the most common cause of loss of accessibility for users. In addition, in case of natural disasters, systems are designed to avoid a single point of failure and deploy multiple instances of the application in geographically distant locations.
Security levels
Depth protection can be represented in the form of several concentric rings, in the center of which are the data. Each ring adds an extra level of security around the data. This approach eliminates dependence on one level of protection, slows down the attack and provides alerts with telemetry data so that you can take action - manually or automatically. Let's look at each of the levels.
Data
Almost always attackers hunt for data:
- which are stored in the database;
- which are stored on disk in virtual machines;
- which are stored in a SaaS application, such as Office 365;
- which are stored in the cloud storage.
Persons responsible for data storage and access control are required to ensure adequate protection. Often, regulatory requirements prescribe specific controls and procedures to ensure confidentiality, integrity and availability of data.
Applications
- Ensure that applications are protected and have no vulnerabilities.
- Keep confidential application secrets on protected media
- Make security a requirement for all application development.
If you integrate security into the application development life cycle, you can reduce the number of vulnerabilities in your code. Recommend to all groups of developers to ensure the safety of applications by default. Security requirements must be immutable.
Computing Services
- Secure access to virtual machines
- Implement endpoint security and install all fixes in a timely manner.
Malicious programs, lack of patches and inadequate system protection make your environment vulnerable to attack. This level is aimed at ensuring the security of your computing resources, and you have the proper controls to minimize security problems.
Network
- Limit interaction between resources through segmentation and access controls
- Set the default ban
- Limit incoming Internet traffic and outbound, where possible
- Implement a secure connection to local networks
The purpose of this level is to limit network connections in resources and use only the most necessary connections. Separate resources and use network-level management tools to restrict data exchange only between necessary components. By limiting data sharing, you reduce the risk of moving around computers on your network.
Perimeter
- Use protection against distributed denial of service attacks (DDoS) to filter large-scale attacks before they lead to denial of service for end users
- Use perimeter firewalls to detect attacks on the network and receive notifications about them.
Along the perimeter of the network, protection against network attacks on resources is necessary. Detection of such attacks, elimination of their impact and notification of them are important elements of ensuring network security.
Policies and access
- Manage access to infrastructure, manage change
- Use single sign-on and multi-factor authentication
- Check events and changes
The level of policies and access is aimed at ensuring the security of identities, controlling access to only those who need it, as well as registering changes.
Physical security
- Ensuring the physical security of buildings and controlling access to computing equipment in the data center is the first line of defense.
Physical security includes measures to restrict physical access to resources. It ensures that intruders do not overcome other levels, and protects data from loss and theft.
Each layer can implement one or several tasks according to the “Confidentiality, Integrity and Access” model.
Joint responsibility
Computing environments are moving from customer-managed data centers to cloud data centers, and with them shifting responsibility. Security is now the joint responsibility of cloud service providers and customers.
Continuous improvement
The threat pattern is changing in real time and on a large scale, so the security architecture is never perfect. Microsoft and our customers need the ability to respond to these threats intelligently, quickly, and at the right level.
Azure Security Center provides customers with unified security management and advanced threat protection to recognize and respond to security events in on-premises and in Azure. In turn, Azure customers must constantly review and develop their security architecture.
Deep Protection at Lamna Healthcare
Lamna Healthcare is actively engaged in the implementation of in-depth protection in all IT departments. Since the organization is responsible for large volumes of sensitive medical data, it understands that a comprehensive approach will be the best option.
To protect corporate data, a virtual workgroup has been created in the company, consisting of representatives from each IT department and security department. The task of the group is to familiarize engineers and architects with vulnerabilities and how to fix them, as well as provide information support for working with projects in the organization.
Naturally, this work will never be done to the end. Therefore, to maintain the required level of protection, the company is scheduled to regularly review policies, procedures, technical aspects and architecture in a constant search for ways to improve security.
Results
We examined what depth protection is, what levels it has and what is the task of each level. This security strategy in an architecture ensures an integrated approach to protecting the entire environment, rather than an individual level or technology.
Further parts
To complete this free course, follow the link . There you will find these parts:
- Introduction
- Depth protection
- Identity management
- Infrastructure protection
- Encryption
- Network security
- Results
- Five basic security elements to consider before implementing
- Manage secrets in server applications using Azure Key Vault
- Protect Azure resources with conditional access
Source: https://habr.com/ru/post/428447/
All Articles