So which security threats are mitigated by the Windows Azure environment, and which security threats must be mitigated by the developer?

The paper, Security Best Practices for Developing Windows Azure Applications, describes what you should consider the key threats to an application running on Windows Azure. It shows specifically where Azure itself provides the mitigation, where you need to call platform APIs, and which threats you need to handle yourself in your own code. (It does not address regulatory compliance issues.)

What You Should Handle

I’ll take a selection of the threats, say what you should do about each, and provide a reference for where you can learn more about how to implement the mitigation in your code. This list comes from Windows Azure Security Overview, but implementing the mitigations is up to you.

This is not an exhaustive list. And as you can tell from the previous parts in this series, you tailor your security practices based on your own application needs.

Threat of Tampering

Tampering with, or disclosure of, credentials or other sensitive application data. Use Windows Identity Foundation for authentication and mutual (client-certificate) authentication over HTTPS for your SSL connections.

  • See How to: Manage Service Certificates for information on adding certificates to the store, associating certificates with services, and updating certificates. In these scenarios, the IT manager and the service developer are presumed to be two different people, but they may also be the same person.
  • See Windows Identity Foundation, which helps simplify user access for developers by externalizing user access from applications via claims and reducing development effort with pre-built security logic and integrated .NET tools.

Threat of Repudiation

Audit log collection, storage and analysis. Use the monitoring and diagnostic APIs as needed, and transfer logs to private blob/table storage over HTTPS. See:

  • Take Control of Logging and Tracing in Windows Azure in MSDN Magazine.
  • Azure Monitor for code to monitor your Azure-hosted applications in real-time. It includes a library for capturing runtime process information to cloud table storage; and also a desktop application for viewing the captured information in real-time.
  • Using Windows Azure Diagnostics (about a third of the way down the page). Windows Azure provides integrated features for monitoring, logging, and tracing within the deployed environment, generally referred to as diagnostics. These features are best suited to monitoring the performance of applications over time, though they can also be used for debugging.

Threat of Information Disclosure

Disclosure of arbitrary secrets in blob/table/queue storage. Pre-encrypt secret data prior to uploading. Do not store decryption keys in Windows Azure Storage.
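Here is an added example of that pattern (my own illustration, not code from the paper or from the Windows Azure SDK), written in Python rather than the C# a web role would use so that it runs anywhere. The master key is read from outside storage (a hypothetical AZURE_DEMO_MASTER_KEY environment variable stands in for the role's service configuration or certificate store), the data is encrypted and integrity-protected before it is "uploaded", and only the envelope reaches the blob_store dictionary that plays the part of blob storage. The cipher is a dependency-free stand-in (an HMAC-SHA256 keystream with encrypt-then-MAC); in a real role use a vetted AEAD such as AES-GCM from System.Security.Cryptography.

```python
import base64
import hashlib
import hmac
import os

# Constructed stand-in for Windows Azure blob storage.  Only what is written
# here leaves the role; the keyring below is deliberately not part of it.
blob_store = {}


def load_keyring():
    """Master keys come from outside storage: a hypothetical environment
    variable (hex) stands in for the role's service configuration or a
    certificate in its certificate store.  Falls back to a fresh random key
    so the example runs offline.  The key id allows later rotation."""
    raw = os.environ.get("AZURE_DEMO_MASTER_KEY")
    key = bytes.fromhex(raw) if raw else os.urandom(32)
    return {"key-2011-06": key}


def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """Dependency-free stand-in cipher: HMAC-SHA256 in counter mode.
    Real code should use an AEAD such as AES-GCM instead."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += _prf(key, nonce + counter.to_bytes(4, "big"))
        counter += 1
    return bytes(out[:length])


def _b64(b):
    return base64.b64encode(b).decode("ascii")


def seal(keyring, key_id, plaintext):
    """Encrypt-then-MAC under the master key `key_id`.  The returned envelope
    (key id, nonce, ciphertext, tag) contains no key material."""
    master = keyring[key_id]
    enc_key, mac_key = _prf(master, b"enc"), _prf(master, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, key_id.encode() + nonce + ct, hashlib.sha256).digest()
    return {"kid": key_id, "nonce": _b64(nonce), "ct": _b64(ct), "tag": _b64(tag)}


def verify(keyring, envelope):
    """True only if the envelope is intact and was made under a key we hold."""
    master = keyring.get(envelope.get("kid"))
    if master is None:
        return False
    nonce, ct, tag = (base64.b64decode(envelope[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(_prf(master, b"mac"), envelope["kid"].encode() + nonce + ct,
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)   # constant-time comparison


def unseal(keyring, envelope):
    """Check integrity first, then decrypt; never decrypt unauthenticated data."""
    if not verify(keyring, envelope):
        raise ValueError("envelope failed integrity check or unknown key id")
    nonce, ct = base64.b64decode(envelope["nonce"]), base64.b64decode(envelope["ct"])
    enc_key = _prf(keyring[envelope["kid"]], b"enc")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def upload_secret(name, plaintext, keyring, key_id):
    blob_store[name] = seal(keyring, key_id, plaintext)   # ciphertext only goes to storage


def download_secret(name, keyring):
    return unseal(keyring, blob_store[name])


def tamper(envelope):
    """Copy of an envelope with one ciphertext bit flipped (for the demo)."""
    ct = bytearray(base64.b64decode(envelope["ct"]))
    ct[0] ^= 0x01
    return dict(envelope, ct=_b64(bytes(ct)))


def store_leaks_key_material(keyring, store=blob_store):
    """Reviewer's sanity check: no raw master key bytes anywhere in storage."""
    raw_keys = list(keyring.values())
    for env in store.values():
        decoded = b"".join(base64.b64decode(env[k]) for k in ("nonce", "ct", "tag"))
        if any(k in decoded for k in raw_keys):
            return True
    return False


if __name__ == "__main__":
    keyring = load_keyring()
    upload_secret("config/db-password", b"S3cret!pw", keyring, "key-2011-06")
    print("stored envelope:", blob_store["config/db-password"])
    print("round trip:", download_secret("config/db-password", keyring))
    print("tampered copy verifies:", verify(keyring, tamper(blob_store["config/db-password"])))
```

The two properties worth keeping from this sketch are that the key id travels with the ciphertext (so keys can be rotated without re-reading everything) and that the tag is checked before any decryption happens.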

Disclosure of Shared Access Signatures. A Shared Access Signature is a bearer credential: anyone who obtains it can use it until it expires. Use HTTPS to transfer Shared Access Signatures to their intended recipients, and set appropriate (least-privilege) permissions and expiry times on containers. See Managing Access to Blobs and Containers for how to use Shared Access Signatures.

Denial of Service Threat

Request flooding at the customer code/app level. Implement application-level request throttling if necessary. See Autoscaling and Windows Azure.
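As an added illustration of application-level throttling (my own example, not code from the paper or from Windows Azure), here is a token-bucket limiter keyed by client identity. It is in Python rather than the C# a web role would use; the client ids and traffic are constructed, and the max_clients bound is there because a flood of spoofed client ids must not be allowed to exhaust the role's memory.

```python
import time
from collections import defaultdict


class TokenBucket:
    """One client's allowance: bursts of up to `capacity` requests, refilled
    continuously at `rate` requests per second."""

    def __init__(self, capacity, rate, now):
        self.capacity = float(capacity)
        self.rate = float(rate)
        self.tokens = float(capacity)
        self.last = now

    def refill(self, now):
        self.tokens = min(self.capacity, self.tokens + max(0.0, now - self.last) * self.rate)
        self.last = now

    def try_consume(self, now):
        self.refill(now)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

    def is_idle(self, now):
        # A bucket that has refilled completely carries no state worth keeping.
        return self.tokens + max(0.0, now - self.last) * self.rate >= self.capacity


class RequestThrottle:
    """Application-level throttle keyed by client identity (source IP, or the
    authenticated user for requests that carry credentials).  `clock` is
    injectable so the behaviour can be tested deterministically."""

    def __init__(self, capacity=10, rate=1.0, max_clients=10000, clock=time.monotonic):
        self.capacity, self.rate = capacity, rate
        self.max_clients, self.clock = max_clients, clock
        self.buckets = {}

    def allow(self, client_id):
        now = self.clock()
        bucket = self.buckets.get(client_id)
        if bucket is None:
            if len(self.buckets) >= self.max_clients:
                # Bound memory: drop idle buckets; if none are idle, fail closed
                # rather than let unknown clients grow the table without limit.
                for cid in [c for c, b in self.buckets.items() if b.is_idle(now)]:
                    del self.buckets[cid]
                if len(self.buckets) >= self.max_clients:
                    return False
            bucket = self.buckets[client_id] = TokenBucket(self.capacity, self.rate, now)
        return bucket.try_consume(now)


class FakeClock:
    """Manual clock for the simulation below."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


# Constructed traffic: (timestamp, client id).  One source hammers the role with
# 20 requests at once, a normal user sends three requests a second apart, and
# the flooding source comes back ten seconds later.
SAMPLE_REQUESTS = ([(0.0, "203.0.113.7")] * 20
                   + [(0.0, "user-42"), (1.0, "user-42"), (2.0, "user-42")]
                   + [(10.0, "203.0.113.7")])


def simulate(requests, capacity=5, rate=1.0):
    """Replay (timestamp, client) pairs through a throttle;
    returns {client: (allowed, rejected)}."""
    clock = FakeClock()
    throttle = RequestThrottle(capacity=capacity, rate=rate, clock=clock)
    stats = defaultdict(lambda: [0, 0])
    for ts, client in requests:
        clock.now = ts
        stats[client][0 if throttle.allow(client) else 1] += 1
    return {c: tuple(v) for c, v in stats.items()}


if __name__ == "__main__":
    for client, (ok, dropped) in simulate(SAMPLE_REQUESTS).items():
        print("%-14s allowed=%d rejected=%d" % (client, ok, dropped))
```

With a burst capacity of 5 and a refill rate of one request per second, the flooding source gets its first five requests through and the rest rejected, the normal user is never throttled, and the flooder's bucket has refilled by the time it returns. Tune capacity and rate per endpoint; an expensive search call deserves a much smaller bucket than a static page.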

Elevation of Privilege

Misconfiguration of service/application settings. Scope all cookies and the document.domain property to the service's own subdomain (e.g. contoso.cloudapp.net) and NOT to *.cloudapp.net: every other hosted service shares that parent domain, so a cookie or origin scoped to it is shared with other tenants.
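Here is an added check for that rule (my own example, not code from the paper or from ASP.NET), in Python so it runs stand-alone; you could run the same check over the Set-Cookie headers your web role actually emits. The service host, header values and problem codes are constructed for the illustration. The same classification applies to a value a script assigns to document.domain.

```python
from http.cookies import SimpleCookie

# Constructed: the hosted service's own address.  Every other Windows Azure
# tenant also lives somewhere under cloudapp.net.
SERVICE_HOST = "contoso.cloudapp.net"


def classify_scope(domain, service_host=SERVICE_HOST):
    """Relate a cookie Domain attribute (or a document.domain value) to the
    service host: 'host-only' (no Domain attribute), 'exact', 'parent'
    (a suffix shared with other tenants) or 'foreign'."""
    if not domain:
        return "host-only"
    d = domain.lower().lstrip(".")
    h = service_host.lower()
    if d == h:
        return "exact"
    if h.endswith("." + d):
        return "parent"
    return "foreign"


def check_set_cookie(headers, service_host=SERVICE_HOST):
    """Audit Set-Cookie header values; returns (cookie name, problem) pairs.
    'parent-domain' is the misconfiguration the paper warns about: the cookie
    is sent to every site under that parent, i.e. to other tenants' roles."""
    findings = []
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            scope = classify_scope(morsel["domain"], service_host)
            if scope == "parent":
                findings.append((name, "parent-domain"))
            elif scope == "foreign":
                findings.append((name, "foreign-domain"))   # browsers reject it anyway
            if not morsel["secure"]:
                findings.append((name, "not-secure"))       # would also travel over plain HTTP
    return findings


def check_document_domain(value, service_host=SERVICE_HOST):
    """Same rule for a script that sets document.domain: relaxing it to the
    parent lets any other page under that parent that does the same share
    the origin.  Returns a problem code or None."""
    scope = classify_scope(value, service_host)
    return {"parent": "parent-domain", "foreign": "foreign-domain"}.get(scope)


# Constructed headers: the first two are what a mis-scoped role might emit,
# the third is the correctly host-only session cookie.
SAMPLE_HEADERS = [
    "session=7f3a; Domain=.cloudapp.net; Path=/; Secure; HttpOnly",
    "prefs=dark; Domain=cloudapp.net; Path=/",
    "session=7f3a; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h, "->", check_set_cookie([h]) or "ok")
    print("document.domain = 'cloudapp.net' ->", check_document_domain("cloudapp.net"))
```

Omitting the Domain attribute altogether (a host-only cookie) is the safest choice; an explicit Domain equal to your own host is acceptable but gains nothing.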

Cross-site Request Forgery Attacks against the web role. Use ASP.NET defenses. See Take Advantage of ASP.NET Built-in Features to Fend Off Web Attacks.

Cross-site Scripting Attacks against the web role. Use the Anti-XSS Library.

API fuzzing attacks on interfaces exposed by the web role. Fuzz every interface and endpoint that your own code exposes to the web (or to any other service).

Apply security-testing tools including fuzzing tools. "Fuzzing" supplies structured but invalid inputs to software application programming interfaces (APIs) and network interfaces so as to maximize the likelihood of detecting errors that may lead to software vulnerabilities.

File Fuzzing attacks against custom, application-provided file parsers. Fuzz test all proprietary network protocol or file format parsers.
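To make the two fuzzing items above concrete, here is an added example (mine, not one of the SDL tools and not code from the paper) of a small mutation fuzzer run against a constructed, deliberately buggy binary-format parser of the kind a role might write for its own protocol or file format. It is in Python so it runs stand-alone. The format, the seed input and the bug are all constructed for the illustration; the point is the harness: the parser declares MalformedInput as its only acceptable rejection, and the fuzzer treats any other exception as a finding. The fixed=True variant adds the missing bounds check so you can see the finding disappear.

```python
import random
import struct

MAGIC = b"CFG1"


class MalformedInput(ValueError):
    """The only exception a well-behaved parser may raise on bad input."""


def parse_records(data, fixed=False):
    """Parse a constructed binary format: 4-byte magic, 1-byte record count,
    then records of [2-byte LE length][payload][1-byte checksum].
    With fixed=False the length field is trusted; that is the bug the fuzzer finds."""
    if data[:4] != MAGIC:
        raise MalformedInput("bad magic")
    if len(data) < 5:
        raise MalformedInput("truncated header")
    count, pos, records = data[4], 5, []
    for _ in range(count):
        if pos + 2 > len(data):
            raise MalformedInput("truncated length field")
        (length,) = struct.unpack_from("<H", data, pos)
        pos += 2
        if fixed and pos + length + 1 > len(data):
            raise MalformedInput("length exceeds input")
        payload = data[pos:pos + length]
        checksum = data[pos + length]       # unchecked length: IndexError when fixed=False
        if sum(payload) & 0xFF != checksum:
            raise MalformedInput("checksum mismatch")
        records.append(payload)
        pos += length + 1
    return records


def build(records):
    """Produce a valid file; used as the fuzzer's seed corpus."""
    out = bytearray(MAGIC) + bytes([len(records)])
    for r in records:
        out += struct.pack("<H", len(r)) + r + bytes([sum(r) & 0xFF])
    return bytes(out)


def mutate(data, rng):
    """One random byte-level or structural mutation of a seed input."""
    data = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and data:                       # flip one bit
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif op == 1 and data:                     # overwrite with an "interesting" value
        i = rng.randrange(len(data))
        data[i] = rng.choice([0x00, 0x7F, 0x80, 0xFF, rng.randrange(256)])
    elif op == 2 and len(data) > 1:            # truncate
        del data[rng.randrange(1, len(data)):]
    else:                                      # insert a few random bytes
        i = rng.randrange(len(data) + 1)
        data[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 4)))
    return bytes(data)


def fuzz(parser, seeds, iterations=2000, seed=1):
    """Mutation fuzzer: MalformedInput is an expected rejection; any other
    exception is a finding.  Returns {(exception type, message): sample}."""
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        sample = mutate(rng.choice(seeds), rng)
        try:
            parser(sample)
        except MalformedInput:
            continue
        except Exception as exc:
            crashes.setdefault((type(exc).__name__, str(exc)), sample)
    return crashes


def crash_type(parser, sample):
    """Name of the unexpected exception a single sample triggers, or None."""
    try:
        parser(sample)
    except MalformedInput:
        return None
    except Exception as exc:
        return type(exc).__name__
    return None


SEED = build([b"user=alice", b"role=admin"])   # constructed seed input
REPRO = MAGIC + b"\x01\xff\xff"                # one record claiming 65535 bytes

if __name__ == "__main__":
    for (kind, msg), sample in fuzz(parse_records, [SEED]).items():
        print("finding:", kind, msg, sample.hex())
    print("after fix:", fuzz(lambda d: parse_records(d, fixed=True), [SEED]))
```

In a managed language an unchecked length shows up as an exception; in a native parser the same bug is an out-of-bounds read or write, which is why the paper singles out proprietary parsers. Keep the crashing samples the fuzzer returns as regression inputs after you fix the parser.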

Patching of security vulnerabilities at the Web Role/customer code level. Have a security response and updating plan in place.

You can get tools to assist in your fuzz testing from the Microsoft Security Development Lifecycle (SDL) site. SDL includes tools and processes that you can use freely. For example, you can use:

SQL Azure

I added this section about SQL Azure because the platform offers some additional ways to mitigate the threats that you should know.

SQL Azure Security Administration. Security administration in SQL Azure Database is similar to security administration for an on-premises instance of SQL Server. Managing security at the database level is almost identical, with differences only in the parameters available. Because a SQL Azure database can span one or more physical computers, SQL Azure Database uses a different strategy for server-level administration.

SQL Azure Firewall. You can lock down your database to provide access to only those users or computers who are authorized. To help protect your data, the SQL Azure firewall prevents all access to your SQL Azure server until you specify which computers have permission. The firewall grants access based on the originating IP address of each request.

Resources

The Trustworthy Computing Security Development Lifecycle

Windows Azure Security Overview

The Microsoft Security Development Lifecycle (SDL)

Next Up

Windows Azure Security Best Practices – Part 5: Claims-Based Identity, Single Sign On. User identification represents the keys to accessing data and business processes in your application. In this section, I describe how you can separate user identity and the roles of your user out of your application and make it easier to create single sign on applications.

Here are links to the articles in this series:

 

Bruce D. Kyle
ISV Architect Evangelist | Microsoft Corporation
