Agenda
Introduction
Azure Compute Security
Azure Storage Security
Security Threats
(diagram: User, Customer Admin, Azure, Customer Tenant)
Underlying Hardware
Rack-mounted servers. Each rack has a collection of identical nodes. Each node (currently) has 2 CPU chips with 4 cores each, 16 GB of memory, disks for local storage, and a network interface to a Top-of-Rack switch.
(diagram: several Guest VMs running on the Hypervisor, with Network/Disk beneath)
All Guest access to network and disk is mediated by Root VM (via the Hypervisor)
Root OS Services
Disk I/O remapping and bandwidth quota enforcement
Network packet filter and bandwidth quota enforcement
No forging of IP address or false responses to ARPs
Connectivity only to Internet, peer VMs within tenant, and a small set of specific services (e.g., DNS)
Multicast blocked except for use of DHCP to get IP address
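The following is an added example, not part of the webcast slides or of Microsoft's fabric code: a toy model of the Root VM egress packet filter the slide lists. The guest table, tenant ids, the 10.0.0.0/8 fabric range and the DNS service address are all constructed for illustration; ARP handling is outside this IP-level model.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "udp" or "tcp"
    dport: int


# Constructed fabric layout: guest name -> (assigned IP, tenant id)
GUESTS = {
    "vm-a": ("10.0.1.10", "tenant-1"),
    "vm-b": ("10.0.1.11", "tenant-1"),
    "vm-c": ("10.0.2.20", "tenant-2"),
}
IP_TO_TENANT = {ip: tenant for ip, tenant in GUESTS.values()}

# Constructed allow-list of platform services every guest may reach (here: DNS)
PLATFORM_SERVICES = {("10.0.0.53", "udp", 53), ("10.0.0.53", "tcp", 53)}
FABRIC = ipaddress.ip_network("10.0.0.0/8")  # constructed; anything outside is "the Internet"


def filter_egress(guest, pkt):
    """Decide whether `pkt`, sent by `guest`, may leave its Root VM.

    Returns (allowed, reason) so every decision is auditable in logs.
    """
    assigned_ip, tenant = GUESTS[guest]
    dst = ipaddress.ip_address(pkt.dst)
    is_bcast = dst.is_multicast or pkt.dst == "255.255.255.255"

    # 1. DHCP is the one broadcast flow allowed, and a guest without a lease
    #    legitimately sends it from 0.0.0.0, so check it before anti-spoofing.
    if pkt.proto == "udp" and pkt.dport == 67 and is_bcast:
        if pkt.src in ("0.0.0.0", assigned_ip):
            return True, "dhcp"
        return False, "dhcp with forged source"

    # 2. Anti-spoofing: the guest may only use the address the fabric gave it.
    if pkt.src != assigned_ip:
        return False, "spoofed source address"

    # 3. All other multicast/broadcast is dropped.
    if is_bcast:
        return False, "multicast/broadcast blocked"

    # 4. A small set of platform services is reachable from any tenant.
    if (pkt.dst, pkt.proto, pkt.dport) in PLATFORM_SERVICES:
        return True, "platform service"

    # 5. Inside the fabric, only peer VMs of the same tenant are reachable.
    if dst in FABRIC:
        if IP_TO_TENANT.get(pkt.dst) == tenant:
            return True, "peer vm in tenant"
        return False, "cross-tenant or non-peer fabric address"

    # 6. Everything else is the Internet.
    return True, "internet"


if __name__ == "__main__":
    for g, p in [
        ("vm-a", Packet("10.0.1.10", "10.0.1.11", "tcp", 80)),
        ("vm-a", Packet("10.0.1.10", "10.0.2.20", "tcp", 80)),
        ("vm-a", Packet("10.0.1.11", "10.0.1.10", "tcp", 80)),
        ("vm-a", Packet("0.0.0.0", "255.255.255.255", "udp", 67)),
    ]:
        print(g, p, filter_egress(g, p))
```

The ordering of the checks is the point: the DHCP exception has to sit ahead of the anti-spoofing rule because an unleased guest has no address yet, and the platform-service allow-list has to sit ahead of the tenant check because those services are not tenant peers.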
(diagram: Guest Agent inside the Guest VM, with the Root VM and the Hypervisor beneath)
Internet Gateways
Gateways are shared with other Microsoft properties (e.g., Hotmail, MSN, Live, ...).
Very high speed links at multiple locations worldwide.
Not impossible to overload, but one of the highest capacity targets deployed today.
We have to be responsive to complaints from other Internet sites that they are under attack from one of our tenants
Azure Storage
Runs on separate hardware with no network connectivity to compute except (logically) through the Internet.
Requests run over HTTP and optionally over SSL with server authentication.
Storage is organized into storage accounts; a single customer may have many storage accounts.
A single secret key controls all access to a storage account. Fine-grained access controls are not implemented.
A customer wanting fine-grained access controls can implement a front-end compute tenant that has full access to the storage account but mediates access to data items.
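The following is an added example, not code from the slides or from the Azure SDK, of the front-end mediation pattern the slide recommends: the single account key lives only in the front-end tenant, which enforces per-user, per-item permissions before issuing a signed request to storage. The `StorageAccount` class is a constructed stand-in, and its HMAC-over-method-and-path signature is a simplification of shared-key request signing, not Azure's actual wire format; users, item paths and permissions are constructed as well.

```python
import hashlib
import hmac
import secrets


def sign(key, account, method, path):
    """Simplified shared-key signature (constructed, not Azure's real scheme)."""
    msg = f"{method}\n{account}/{path}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class StorageAccount:
    """Stand-in for a storage account: one secret key authorizes every request."""

    def __init__(self, name, key):
        self.name = name
        self._key = key
        self._blobs = {}

    def request(self, method, path, signature, body=None):
        expected = sign(self._key, self.name, method, path)
        if not hmac.compare_digest(signature, expected):
            raise PermissionError("403: bad signature")
        if method == "PUT":
            self._blobs[path] = body
            return None
        if method == "GET":
            if path not in self._blobs:
                raise KeyError("404: not found")
            return self._blobs[path]
        raise ValueError("unsupported method")


class FrontEnd:
    """Constructed compute tenant: holds the account key and mediates every access."""

    def __init__(self, storage, key):
        self._storage = storage
        self._key = key          # never leaves this process
        self._acl = {}           # item path -> {user: set of permissions}
        self._sessions = {}      # session token -> user

    def login(self, user):
        # Authentication of end users is the front-end's job, not storage's.
        token = secrets.token_hex(16)
        self._sessions[token] = user
        return token

    def grant(self, path, user, perms):
        self._acl.setdefault(path, {})[user] = set(perms)

    def _authorize(self, token, path, perm):
        user = self._sessions.get(token)
        if user is None:
            raise PermissionError("401: unknown session")
        if perm not in self._acl.get(path, {}).get(user, set()):
            raise PermissionError(f"403: {user} lacks {perm} on {path}")

    def read(self, token, path):
        self._authorize(token, path, "read")
        sig = sign(self._key, self._storage.name, "GET", path)
        return self._storage.request("GET", path, sig)

    def write(self, token, path, body):
        self._authorize(token, path, "write")
        sig = sign(self._key, self._storage.name, "PUT", path)
        self._storage.request("PUT", path, sig, body)


def demo():
    """Walk through the pattern with constructed users and items."""
    key = secrets.token_bytes(32)  # constructed account key
    storage = StorageAccount("acct1", key)
    fe = FrontEnd(storage, key)
    alice, bob = fe.login("alice"), fe.login("bob")
    fe.grant("reports/q1.txt", "alice", {"read", "write"})
    fe.grant("reports/q1.txt", "bob", {"read"})
    fe.write(alice, "reports/q1.txt", b"revenue up")
    results = {"bob_reads": fe.read(bob, "reports/q1.txt")}
    try:
        fe.write(bob, "reports/q1.txt", b"tampered")
        results["bob_write"] = "allowed"
    except PermissionError as e:
        results["bob_write"] = str(e)
    # Bypassing the front-end means having no key, so no valid signature.
    try:
        storage.request("GET", "reports/q1.txt", "0" * 64)
        results["direct"] = "allowed"
    except PermissionError as e:
        results["direct"] = str(e)
    return results


if __name__ == "__main__":
    print(demo())
```

The security property to check when reviewing such a design is that the account key is reachable only from the front-end process, so that every other path to a data item has to pass through `_authorize`; the `direct` entry in `demo()` shows what a caller without the key gets back.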
Azure SQL
As with storage, runs on separate hardware with no connectivity to compute except (logically) over the Internet.
The subscription portal can create databases.
Data from many customers is pooled in a single SQL instance, but the databases are treated as separate and access controlled independently.
2008 Microsoft Corporation. All rights reserved.