Microsoft security practices | Azure Security Basics

January 5, 2020


(cheerful music) One critical aspect of the shared responsibility model is what’s your responsibility, what’s our responsibility, and Microsoft, how does Microsoft secure Microsoft? It’s part of using any type of service or system offered by a third party. You need to know what that party’s doing. What’s Microsoft doing to protect Microsoft? And what are some of our top level practices?

Yeah, I mean Microsoft, we still have some on-premise infrastructure as well. Everybody does and we have a lot of things in the cloud. So, we have to look at both of those aspects of security controls, as any other business needs to. So, you know, in our traditional defenses, we do things like hardening. So, we’re patching things. We’re doing application whitelisting. And all the things that everyone has told you to do for a long time in security on-premise.

TOM: Right, and we get asked all the time too.

SARAH: Yeah.

TOM: What are some of the things we do? What does Microsoft do to secure Microsoft? And like you’re saying, traditional defenses, traditional defense in-depth models, it’s not going away. But also best practices like using, like a red team, purple team, blue team type model. Always attacking our systems, always defending our systems to harden them, a lot of lessons learned around that, that we apply then and feed back into our security best practices, hardening our systems. As well as things like using scanning, vulnerability assessments, continual scanning of our systems. Things that many customers do, things that we do the same on our side to secure our systems, our properties.

Yeah, and we also do bug bounties, as you can see on the slide there. Recently, we actually upped the amount of money you can potentially get for a bug bounty, so have a look at that. Yeah, we want people to– Yeah, yeah, please.

It’s kinda cool! Please.

It is cool! I know!
Get at it you know? If you can find a proper vulnerability in ours, yeah, you can be quids in. (laughing)

That’s very, very regional. (laughing) And then the other things we do, as you well know, Tom, I mean from our people side of things, we do a lot of background checks.

TOM: This comes up all the time doesn’t it?
I know!

TOM: It’s like hey what do you do about Microsoft people, internal threat, people accessing my data as a customer. And I’d ask the same questions. It’s like you go into a bank, what’s preventing that teller from getting to my money? So, things that we believe right? And we talk about a lot as best practice. Yeah. They’re kind of industry best practices now. You know least privileged models of course, just in time access. Yes. Using things like a privileged access workstation, like a hardened workstation to access any type of critical assets.

Yeah. Kinda standard best practices. Things that we’ve established and we’ve been doing for quite a while.
Yeah. As part of operating these big cloud systems. Yeah and MFA of course, multi-factor. For everything. For everything. Everyone in Microsoft has to use it, everybody.

One area too and we think about and I’m a double E, my background’s electronic engineer, you think about security of systems, and security of a system that’s all on a circuit board’s pretty easy. When you start talking about software and everything’s software now. These big switches, based around software. Yeah. The NIC cards on a server, they’re primarily on software. That’s an algorithm in FPGA. So, your weakness around the software is typically where you’ll find vulnerabilities. It’s a person writing an algorithm, and no algorithm software’s perfect. So establishing a practice to secure that software is critical to the overall security posture of your systems. Things like SDL, you know, we have to practice it in our security development life cycle. So people say software security development life cycle. Absolutely critical to the overall security of systems. It’s something we take like gospel inside of Microsoft.

Yes! It is a practice. And we’ve been doing it for a long time as well, right? Long time.

Long time. A lot of papers, a lot of processes and we have to adhere though, as Microsoft always.
Yeah, yeah, we do. And it’s also something that we make. There’s a great demand from customers saying, “Hey, what do you do as practice to secure your systems and software?” Especially software. So, we make things like the secured DevOps tool kit. Packaging up what we do as IT and as our development team, development and security teams do, into tools that customers can use themselves to apply the same methods and the same processes.

SARAH: Yeah, and then we’ve also got last, but not least on here. We’re talking about our continuous monitoring and logging. We have our CDOC, our Cyber Defense Operation Center, who run 24/7. They’re here in Redmond and you can go and visit them if you’re lucky. (laughs) Well, you can look through the window at them. You can’t visit them, per se. If customers, so many customers struggling with what to do from like a monitoring, logging, SIEM perspective with detections, correlations, things that we do as well. We think we’re pretty good at them and we do expose them. We like to work with our customers around some of the tools and a lot of the things that we do as part of these practices internally, we’re making available to customers. Things like with Sentinel and KQL, like query language, in the log storage method, log analytics. They evolved out of our own internal practicees. Yeah. Practices. Practices, yes. Practicees. (laughs) Yeah, exactly. Well, these have come from what we already use internally, right, so we know they work and they’re good and they’re solid for cloud operations. Yeah.

I think that leads very nicely onto our security graph. Yeah, talk about information and using information to secure systems. Yes, it’s got a very long flash name, the Microsoft Intelligent Security Graph, but this is how we collect all of our different threat intelligence. I mean, Microsoft gets, we get 6.5 billion telemetry signals a day from various different sources. I mean, we have, as you can see here, we have a billion Windows devices, 450 billion, I can’t even visualize, monthly authentications of AD and 18 billion web pages scanned. And then, 400 billion emails analyzed. It’s crazy amounts.

TOM: It’s mind boggling, isn’t it?

Yeah, yeah, and of course, no one person or team or even probably a country could look at this and actually process it manually. So, that’s why we use the security graph in order to, actually, you process that using machine learning, AI, to actually get useful insights from all of these telemetry signals. Cause just somebody looking at these by themselves will do nothing. There’s too many. Yeah, making something useful out of it. It’s amazing in terms of a data science. Yeah, big number crunching. Number crunching and very powerful. That insight into what’s happening across all of our properties and estate around the world and we get a lot of good data about that. Yeah. You know, who are bad actors? What’s going on where and tracking them, and then using that to secure us. Yeah! We’ve been doing that for a long time. I know!

And, if we have a look here at our Intelligent Security Graph and inside of it. So, this details a bit more about how we actually use that information. So, we’re using AI. We’re using machine learning and analytics, all that big data science number crunching to actually normalize it, get some meaningful insights, and then we publish that to our different products. So, you can see here, we’ve got Security Center, AD, ATP, Windows Defender ATP, Office 365 ATP, lots of ATPs. (laughing) Lots of ATPs and MCAS as well.

TOM: So powerful though, it’s cool.

SARAH: It is!

TOM: Seeing this because we’ve been using this for a long time, the whole model, to secure us.

SARAH: Yeah.

TOM: And seeing now, Surface has essentially an input into the localized detection capabilities across those different Surfaces is pretty cool.

SARAH: It is and it’s always being updated as well. I mean I look at, I spend a lot of time looking at Security Center, in particular, and you can see, we’ve always got new threats, new best practices being added all the time. And that’s coming from the security graph.

TOM: Very cool.

SARAH: Yeah, it is, it’s very cool.

TOM: Oh, I wanted to talk to this for a minute.

SARAH: Oh, go for it, go for it, be my guest.

When it comes up, if you’re a customer and you’re looking at using Azure or any of properties for that matter, it’s like hey, how can I trust what Sarah’s saying? I’m gonna trust what Tom’s saying. I’m very trustworthy. (laughing) But, that’s not enough for an auditor. But it’s really, exactly. So, it’s really important to understand and I’m proud of what we do here, understand how many systems are built. What are we doing from a control perspective? Internally, how are they, how are the systems built to handle my data? What is everything that we’re doing here that we’re describing? You know? Yeah. How’s that being documented? How’s it being audited? Can I get a third-party view on what those controls are? And luckily, we’re very transparent about this. It’s really important, so we’ll make sure that data’s available to you both, directly from us, but also you can get the views from third-parties and third-party auditors, including our work with the government around FedRAMP. It’s a tool I use often with customers. As I start looking at Azure, looking at Microsoft, Hey, can I trust Microsoft and let alone, can I use Microsoft and then convince my auditors, my regulators, like you were talking about.

SARAH: Yes. Where’s the proof? Show me that Microsoft’s doing what they say they’re doing. Exactly and of course, we’ve got their SOC 2 and FedRAMP, but there’s a lot of other different standards as well. This isn’t even, this particular slide, isn’t even comprehensive, but here’s an idea. But, here’s a shout out to some other places in the world as well if you’re not in the US. So, we have things like in Australia and we’ve got IRAP which is an Australian government. We’ve got a lot of stuff in like Singapore. I’m shouting out to Asia, and the Asia region. Pretty much if it’s a well-known government or regional standard, we’ve been certified against it. Azure has got very, very extensive regulatory assessments done. It’s in our interests to keep them done and up to date, of course, so. It’s a big deal.

Yeah, it is a big deal. Making sure we have the artifacts available to customers with the proof points, then they can use to show to their regulators, their auditors that both our side of that shared responsibility– Yes. Equation is valid, meets those requirements and then the customers, ultimately, it’s still their responsibility. I mean, they still have to configure the systems, apply their controls and processes and prove that their side is compliant as well.

Yeah, that’s an important point as well because we know that with regulations, most regulations, they cover sort of from infrastructure up to the software and the application into the process layer. So, we’re not saying here that this is the only thing you’re gonna have to do. It just takes away that cloud provider bit that we take responsibility for. You’re still gonna have to do some assessment against your application and your internal processes. But, taking a little bit of the work out, just a little bit maybe.
It does, it takes out. Absolutely.

Yes, and also, you can’t do this when you’re using a cloud provider, of course, you can’t actually do this side of the assessment yourself because you don’t have the access to a data center. And you know, that’s Microsoft’s process. So, you know, helping a little bit where we can. (laughs) And last but not least, we have our Cybersecurity Reference Architecture.

TOM: So, one of the hard things, this is even for us at Microsoft. We have so many different, very, I would say, capable services and offerings.

SARAH: We do, we have a lot of offerings.

TOM: It’s hard to kind of piece them all together and what their function is and a lot of customers ask, “Hey, what should I do? How can I wire this all together in a way that makes sense let alone just understand really apply across my environment?” Our team and Marson on our team has put this together and we use it kind of as a framework in our reference architecture. So, all these pieces and parts fit together.

SARAH: Yeah, and we do have a lot of products, as Tom said, lots and lots of products. And, this just helps show how you fit them together and how you fit it together in a bigger perspective just from a security and hybrid enterprise security thing. Thing, I’m gonna use thing. (laughs) Because these are all capabilities as well. So, you can also leave and replace them with these because you’ve probably already got some of these products in your environment, but it helps you sort of piece everything together when you’re running things in the cloud. And, I would print it off and put it on your wall, maybe, or some bedtime reading. Excellent wall art. It is, it’s excellent. So, it’s just, we would be here a long time if we talked about it in detail, but it’s just to tell you this is here. It’s some bedtime reading for you. And a great tool–

It is. From systems architecture point of view for sure. It is, it’s a great reference and so, if you’re needing to understand how all our different products fit together, cause it is, there are a lot of them. This is where you should go. (happy upbeat music)
