- Speaker: Sinead O’Donovan (Irish, by the accent)
Zero Trust Architecture document
- Networking – the focus here
Verify explicitly every access control
- Being on the network is not enough
Use least privilege access
- IP address is not enough
- No one is perfectly secure. Identify the breach. Contain the breach. Do your best to stop breaches in the first place.
You cannot claim success:
- It requires constant improvement.
Network Maturity Model
- Traditional (most customers)
- Few network security perimeters and flat open network
- Minimal threat protection and static filtering
- Internal traffic is not encrypted
- Many ingress/egress cloud micro-perimeters with some micro-segmentation
- Cloud native filtering and protection for known threats
- User to app internal traffic is encrypted
- Fully distributed ingress/egress cloud micro-perimeters and deeper micro-segmentation
- ML-based threat protection and filtering with context-based signals
- All traffic is encrypted
Three Cores of Azure Network Security
- Segment – prevent lateral movement and data exfiltration
- Protect – secure network with threat intelligence
- Connect – embrace distributed connectivity … or face revolt from the users/devs
Deploy securely across DevOps process
- Azure Firewall
- Azure WAF
- Azure Private Link
- Azure DDoS Protection
- Load Balancer
- Host-based: an agent on the VM implements it
- Hypervisor: for example, VMware NSX
- Network controls
Azure Network Segmentation Controls
- Subscription: RBAC, logical isolation for all resources
- Virtual network: An isolated and highly secure environment to run your VMs and apps. “This is the hero of segmentation”
- NSG: Enforce and control network traffic security rules that allow or deny network traffic for a VNet or a VM.
- WAF: Define application specific policies to protect web workloads.
- Azure Firewall: Create and enforce connectivity policies using application, network and threat intelligence filtering across subscription(s) and VNet(s).
- Use public or private IPs: the public app interface is public, the backend is private.
- Choose a cloud transit approach: VNet peering or Virtual WAN.
- Carefully control routing
- Segment across subscription, VNet, and subnet boundaries
- Managed at an org level
- Enable application aware segmentation
- Easily create micro-perimeters
- Managed at an application level
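The segmentation controls above are only as good as the rules behind them. As an added example (not code from the session or from Microsoft), here is an NSG built with the Az PowerShell module that allows only the flows an app tier actually needs and then denies the rest of the VNet in both directions, overriding the default AllowVnetInBound/AllowVnetOutBound rules so that simply being on the network is not enough. The resource group, VNet and subnet names and all address ranges are placeholders.

```powershell
# Added example, not from the session: deny-by-default NSG for an app-tier subnet.
# Assumes the Az module is installed, you are logged in, and the VNet/subnet exist.
$rg          = 'rg-zt-demo'      # placeholder resource group
$location    = 'northeurope'     # placeholder region
$vnetName    = 'vnet-hub'        # placeholder VNet
$appGwSubnet = '10.0.1.0/24'     # placeholder: Application Gateway / WAF subnet
$appSubnet   = '10.0.2.0/24'     # placeholder: app-tier subnet (gets this NSG)
$dbSubnet    = '10.0.3.0/24'     # placeholder: database subnet

$rules = @(
  # Inbound: only the WAF subnet may reach the app tier, and only on 443
  New-AzNetworkSecurityRuleConfig -Name 'Allow-WAF-to-App-443' -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $appGwSubnet -SourcePortRange '*' `
    -DestinationAddressPrefix $appSubnet -DestinationPortRange 443

  # Inbound: Azure Load Balancer health probes still need to get in
  New-AzNetworkSecurityRuleConfig -Name 'Allow-AzureLB-Probes' -Priority 110 `
    -Direction Inbound -Access Allow -Protocol '*' `
    -SourceAddressPrefix AzureLoadBalancer -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*'

  # Inbound: everything else from inside the VNet is denied. Priority 4000 beats the
  # built-in AllowVnetInBound rule at 65000, so lateral movement to this tier stops here.
  New-AzNetworkSecurityRuleConfig -Name 'Deny-VNet-Inbound' -Priority 4000 `
    -Direction Inbound -Access Deny -Protocol '*' `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*'

  # Outbound: the app tier may talk to the database subnet on 1433 only ...
  New-AzNetworkSecurityRuleConfig -Name 'Allow-App-to-DB-1433' -Priority 100 `
    -Direction Outbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $appSubnet -SourcePortRange '*' `
    -DestinationAddressPrefix $dbSubnet -DestinationPortRange 1433

  # ... and to nothing else inside the VNet (a compromised app VM cannot scan the rest)
  New-AzNetworkSecurityRuleConfig -Name 'Deny-VNet-Outbound' -Priority 4000 `
    -Direction Outbound -Access Deny -Protocol '*' `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix VirtualNetwork -DestinationPortRange '*'
)

$nsg = New-AzNetworkSecurityGroup -Name 'nsg-app' -ResourceGroupName $rg `
         -Location $location -SecurityRules $rules

# Attach the NSG to the app-tier subnet
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-app' `
  -AddressPrefix $appSubnet -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null
```

NSG rules are evaluated in priority order (lowest number first) and the first match wins, which is why the explicit Deny rules sit at 4000: below the 65000-series defaults but above any allow you add later. This NSG says nothing about Internet egress; the default AllowInternetOutBound rule still applies, so pair it with a user-defined route that sends 0.0.0.0/0 through Azure Firewall if the app tier should not reach the Internet directly.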
Azure Firewall Manager (Preview)
- Central deployment and configuration
- Deploy and configure multiple Azure Firewall instances
- Optimized for DevOps with hierarchical policies
- Automated Routing
- Easily direct traffic to your secured hub for filtering and logging without UDRs
- And more
Azure Web Application Firewall
- Microsoft threat intelligence
- Protect apps against automated attacks
- Manage good/bad bots with Azure BotManager RuleSet
- Site and URI path specific WAF policies
- Customise WAF policies at regional WAF for finer grained protection at each host/listener or URI path level
- Geo-filtering on regional WAF
- Enhanced custom rule matching criterion
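To show what several of the bullets above look like in practice, here is an added example (not from the session or from Microsoft) of an Application Gateway WAF v2 policy created with the Az PowerShell module: Prevention mode, the OWASP core rule set plus the Microsoft Bot Manager rule set, and a geo-filtering custom rule. The resource group, region, policy name and the country list are placeholders.

```powershell
# Added example, not from the session: regional WAF policy with managed rules,
# bot management and geo-filtering. Assumes the Az module and an existing resource group.
$rg       = 'rg-zt-demo'     # placeholder resource group
$location = 'northeurope'    # placeholder region

# Prevention mode blocks matching requests instead of only logging them
$settings = New-AzApplicationGatewayFirewallPolicySetting -Mode Prevention -State Enabled `
              -MaxRequestBodySizeInKb 128 -FileUploadLimitInMb 100

# Managed rule sets: OWASP CRS 3.1 plus the Microsoft bot manager rule set
$owasp = New-AzApplicationGatewayFirewallPolicyManagedRuleSet `
           -RuleSetType 'OWASP' -RuleSetVersion '3.1'
$bots  = New-AzApplicationGatewayFirewallPolicyManagedRuleSet `
           -RuleSetType 'Microsoft_BotManagerRuleSet' -RuleSetVersion '0.1'
$managed = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $owasp, $bots

# Custom geo-filtering rule: block any client whose source IP is NOT in the
# placeholder allow-list of countries (negated GeoMatch on RemoteAddr)
$remoteAddr = New-AzApplicationGatewayFirewallMatchVariable -VariableName RemoteAddr
$outsideAllowedGeo = New-AzApplicationGatewayFirewallCondition -MatchVariable $remoteAddr `
                       -Operator GeoMatch -MatchValue 'IE', 'GB' -NegationCondition $true
$geoRule = New-AzApplicationGatewayFirewallCustomRule -Name 'GeoAllowList' -Priority 10 `
             -RuleType MatchRule -MatchCondition $outsideAllowedGeo -Action Block

# Custom rules run before managed rules; the policy is then attached to a
# listener or URI path on the Application Gateway for per-host/per-path scoping
$policy = New-AzApplicationGatewayFirewallPolicy -Name 'wafpol-app' -ResourceGroupName $rg `
            -Location $location -PolicySetting $settings `
            -ManagedRule $managed -CustomRule $geoRule
```

Roll a new policy out in Detection mode first and review the WAF logs for false positives before switching the setting to Prevention; the bot manager rule set in particular can catch legitimate monitoring and integration clients.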
Microsoft sees 20 to 30 DDoS attacks per day.
WAF as a Service
Both run in Azure.
It’s time to transform your network.
- User to app moves to Internet centric connectivity
- Application to backend resources use private connectivity
- Redesign your network and network security models to optimize user experience for cloud
- Continue to extend app delivery models and network security to the edge
Azure Firewall Manager
- Easily create multiple secured virtual hubs (DMZ Hubs) in Azure
- Use Azure Firewall or 3rd party security
- Create global and local policies
- Easy to set up connectivity
- Split routing – optimized O365 and Azure public PaaS
CheckPoint CloudGuard Connect will debut soon as a partner extension.
Azure Private Link
Highly secure and private connectivity solution for Azure Platform.
- Private access from VNet resources, peered networks and on-premises networks
- In-built data exfiltration protection
- Predictable private IP addresses for PaaS resources
- Unified experience across PaaS customer owned and marketplace services
Microsoft is taking this very seriously. All new PaaS services “from Spring onwards” must support Private Link.
See previous posts on this – it requires more work IMO because it lacks VNet peering support and requires login via the Azure Portal – doesn’t support MSTSC or SSH clients.
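As an added example of the Private Link bullets above (not code from the session or from Microsoft), this Az PowerShell script gives an Azure SQL logical server a private endpoint in a VNet, registers the private DNS zone so clients resolve the server's name to the private IP, and then turns off the server's public endpoint so the private path is the only one. Resource group, server, VNet and subnet names are placeholders; the SQL server and VNet are assumed to exist already.

```powershell
# Added example, not from the session: private endpoint + private DNS for Azure SQL,
# then disable public network access. Assumes Az.Network and Az.Sql are installed.
$rg         = 'rg-zt-demo'     # placeholder resource group
$location   = 'northeurope'    # placeholder region
$vnetName   = 'vnet-hub'       # placeholder VNet
$peSubnet   = 'snet-pe'        # placeholder subnet for private endpoints
$sqlName    = 'sql-zt-demo'    # placeholder Azure SQL logical server name

# 1. The private endpoint subnet must have private endpoint network policies disabled
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnet = $vnet.Subnets | Where-Object { $_.Name -eq $peSubnet }
$subnet.PrivateEndpointNetworkPolicies = 'Disabled'
$vnet = $vnet | Set-AzVirtualNetwork
$subnet = $vnet.Subnets | Where-Object { $_.Name -eq $peSubnet }

# 2. Create the private endpoint, mapped to ONE specific SQL server (group id 'sqlServer').
#    This is the exfiltration protection: the endpoint cannot be pointed at someone else's server.
$sql  = Get-AzSqlServer -ResourceGroupName $rg -ServerName $sqlName
$conn = New-AzPrivateLinkServiceConnection -Name 'plsc-sql' `
          -PrivateLinkServiceId $sql.ResourceId -GroupId 'sqlServer'
$pe   = New-AzPrivateEndpoint -Name 'pe-sql' -ResourceGroupName $rg -Location $location `
          -Subnet $subnet -PrivateLinkServiceConnection $conn

# 3. Private DNS: <server>.database.windows.net must resolve to the endpoint's private IP
#    from inside the VNet, otherwise clients keep using the public address.
$zone = New-AzPrivateDnsZone -Name 'privatelink.database.windows.net' -ResourceGroupName $rg
New-AzPrivateDnsVirtualNetworkLink -ZoneName $zone.Name -ResourceGroupName $rg `
  -Name 'link-vnet-hub' -VirtualNetworkId $vnet.Id | Out-Null
$zoneConfig = New-AzPrivateDnsZoneConfig -Name 'sql-zone-config' -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $pe.Name `
  -Name 'default' -PrivateDnsZoneConfig $zoneConfig | Out-Null

# 4. Close the front door: no public network access to the SQL server at all
Set-AzSqlServer -ResourceGroupName $rg -ServerName $sqlName -PublicNetworkAccess 'Disabled' | Out-Null
```

The private DNS zone group keeps the A record in sync with the endpoint; on-premises resolvers reaching this server over ExpressRoute or VPN need a conditional forwarder for `privatelink.database.windows.net` pointing at a DNS server in the VNet, since Azure Private DNS is not reachable from outside Azure.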
- Embrace zero trust network model
- Segment your network and create micro-perimeters with Azure Firewall, NSG, etc.
- Use a defense in depth security strategy with cloud native services
- Enable WAF and DDoS
- Explore Azure as your secure Internet edge with Azure Firewall Manager