
AWS vs Azure Security

BSides London · 2019 · 28:23 · 1.5K views · Published 2019-06
Category: Technical
Style: Talk
About this talk
All too often, an organisation’s choice of cloud provider is made at a senior management level, without considering security features of the different services. To help make an informed decision, we’ll attempt to answer this question at Security BSides:

• Who provides the best security features – AWS or Azure?

Drawing on experience of cloud migration projects in each environment, core AWS services and their Azure equivalents will be demonstrated, describing the security features in each case:

• AWS Identity and Access Management vs Azure Active Directory
• AWS S3 vs Azure Storage
• AWS Key Management Service vs Azure Key Vault
• AWS Security Groups vs Azure Network Security Groups
• AWS Security Hub vs Azure Security Center
Transcript [en]

How many people here work for Microsoft or Amazon? So a few, and probably a few more who are keeping their hands down and being shy, but you're very welcome, nice to have you here. Then we are going to do a vote, and the support guys from BSides have very kindly offered to help with that and will then announce the result, and then a wrap-up, and we'll all move on with our lives and the rest of the conference. So let's get going.

I started off by listing out the cloud security services, and this isn't even all of them; there are a lot of security services with both Amazon and Microsoft just here. So for example Amazon has Identity and Access Management, IAM, and that's used to control and manage users, groups, policies and roles. Microsoft Azure has Azure Active Directory. Don't worry, I'm not going to read through the whole list because you'll get bored, but just to mention a couple of others: AWS has Key Management Service, KMS, for hardware protection of cryptographic keys; Azure has Key Vault. So a lot of these different services are AWS services and their equivalent Azure ones, but there are some which aren't. So for example GuardDuty is Amazon's threat detection and automated remediation response tool; there's not really an Azure equivalent for that. Similarly Inspector, for vulnerability assessment in AWS, again there's no real equivalent for that in Azure, though you can use something from the marketplace. But equally Azure has some services that Amazon doesn't have, like Sentinel, the preview of the security information and event management system. Azure Active Directory Privileged Identity Management is a great tool for temporarily elevating roles, and for workflow and auditing of privileged roles. Then there are some services which exist in both but with different feature sets or different pricing. So for example with Amazon's Certificate Manager you can issue, free of charge, trusted certificates, trusted by a browser; the equivalent Azure App Service certificates cost fifty-two pounds a year, or two hundred and twenty-four pounds a year for a wildcard certificate. So that gives you an idea, but as you can see it's not particularly helpful in deciding which is better; it's just a list at the end of the day.

So I thought a different approach was needed, and what I have then prepared for this is (oops, didn't want to do that just yet) some real-life security implementations. I thought to myself, well, what have I done recently at work, and this is not including going into the kitchen and having a chat over the coffee, but actual security implementation work. So three things that I did recently, and this is at a financial services organisation who are very concerned about security in the cloud, and three of the tasks which I did were: firstly, to prevent public storage; secondly, to encrypt virtual machines; and thirdly, to alert when a service principal is used from an unauthorised IP address. The scenario there is a service principal running on an orchestration server on premise, going out through the proxy, so that should only ever originate from particular addresses, and we wanted to be alerted when that happened. So those are three things that I did recently, and for each of those three things I'm going to show you how I've set that up in AWS and how I've set it up in Azure, so then you'll get a sort of idea, in practical terms, of what it's actually like to work in both cloud providers from a security perspective.

So let's start with preventing public access to storage. You'll all be aware, I'm sure, that over the last few years there have been a lot of very serious data breaches resulting from misconfigured storage accounts in the cloud: Dow Jones, Federal Express, even the Pentagon has had misconfigured storage accounts, and the Uber breach, which was a bit more complex, but ultimately the data was in the end taken from an S3 bucket. So there's good reason for

wanting to prevent these sorts of things happening by accident or intentionally. So let's start by looking at how I'd implement this, or how I've implemented this, in Amazon. First of all, just to show you the issue: I've logged into an Amazon account and created an S3 bucket. This S3 bucket is this one, I've called it security spotlight, and I've got a file in here called passwords, not very imaginative. If I just click on this you'll see that there's an object URL at the bottom, so if I right-click on this and open in a new tab, let's see what happens. So here are my passwords, so any of you can get the passwords, Mickey Mouse and Donald Duck, if you're quick enough, by going to the address there; it's the public address for that S3 bucket. So it's very, very easy to upload items to S3 buckets and make them public, but how could we prevent that? Well, let's have a look. I go back to the console and go back to S3. Last November at re:Invent, so November 2018, Amazon announced a new service called Block Public Access, and this is one of a raft of improvements that they've made over the last couple of years to make it much clearer that objects are being made public, and in this case to control them at the account level. So I click on here and you'll see that there's this great new feature whereby I can block all public access in an AWS account. Let's see what happens if I do that. I'm going to edit this, I'm going to block all public access in this account, save this, and confirm that I really want to save this. By the way, don't just go home and do this on your production account, because something might stop working, but it's fine on this account. Right, so I've done this, so now let's go back to my passwords file and see what happens if I refresh it. Great, it's blocked, as I'd expect. So not only have I made all objects in all the S3 buckets in this account private, what I've also done is prevented anybody creating new public S3 buckets or uploading new objects to S3 and making them public. So that's how I would do this in Amazon. Let's just go back to the PowerPoint; these are just screenshots of what I've shown you.

And what about Azure? So let's move on to Azure Storage. With Azure Storage I wanted to do a similar sort of thing, so the first thing that I looked at was, well, could we use Azure Policy? Azure Policy is a really great tool which Microsoft Azure have implemented, and it's quite similar to service control policies in AWS. With Azure Policy you can set rules to say things like you can only deploy resources in Europe, for example, so you could have a lot of controls like this. But wouldn't it be great if there was an Azure Policy that just stopped you from creating a container in a storage account that was public? So I did what we all do when we want to find something, searched on Google, and the page which came up was this page, the feedback page for improving Azure Storage. There was a request or suggestion about a year ago to do exactly what I was thinking would be a good idea, and the message from Microsoft is: the feedback is well received, the storage team is working on the feature for this scenario, it's estimated to ship in calendar year 2019. So it's not there yet; hopefully it will be soon, and then we can control unintentional creation of public objects using Azure Policy. But in the meantime I needed to come up with a solution. So what I did, well, I'll just show you the issue and then what I did. These are my storage accounts in Microsoft Azure, let me make that a little bit bigger. I created a storage account called confidential storage data, and if I look at blobs you'll see here I've got a container called personal data. What I could do here is change the access level. At the moment it is actually set to private, but I'm going to change this to blob and press OK, so now, if you look at the access type, it's listed as blob, which does actually mean public, though that's not immediately obvious. Then I can go into my file here, which is called confidential, and I've got a URL here, so I'm going to copy that to the clipboard and paste that in, and let's see what happens. So here's my file that I've made public in an Azure storage account, there it is.

So what I wanted to do was to come up with a solution to prevent that happening, or if it does happen, to change it to be private as quickly as possible. So here's what I did. I created an automation account, this is my automation account in Azure, and created a runbook called remediate storage blobs, and this is a PowerShell script that runs every 15 minutes. What it does is it uses Azure PowerShell to search across the account, the subscription, and look for all Azure storage accounts, and then for every Azure storage account look at all the containers, and for all the containers look to see if any of them are public, and if they are, then change the access level to be private. So have I talked long enough so that this has happened? What I've done, so we avoid waiting 15 minutes, is I just kicked it off manually. So let's see if that's actually taken effect. Sure, it has: it's found the container which I just showed you, called personal data, and then it should have changed the access level to be private instead of public. So let's see if that works; I'll go back to my object, and yes, it did work. So you can see now that we've got an AWS and an Azure approach for making sure that objects in storage accounts are private. Just going back to here, here are some screenshots of what I just showed you. So the difference, I suppose, is that with AWS Block Public Access you can prevent creation of public objects in S3 buckets; with Azure, at the moment, they could get created, but you can clean them up very quickly using an automation script. So that's number one.

Let's move on to number two. Number two is encrypting virtual machines. This is a very common requirement for any organisation concerned about security, or with regulatory requirements, to make sure that all machines are encrypted. So with Amazon Web Services, obviously a virtual machine can have a root drive and attached drives, so the approach is to create a key in Key Management Service, KMS, and then to create an encrypted Amazon Machine Image, or AMI, encrypted with that key, and then to build the virtual machine in Amazon using that AMI, and then for attached drives to encrypt them as they're built using the key. So let's just have a quick look at that. If I go to my instances in AWS, you'll see that I have an instance running in West Europe; this is my virtual machine. If I have a look at the attached volume I can get the reference number, the ID, of the attached EBS, Elastic Block Store, volume, and then I can look at that volume here, and you'll see that yes, it is encrypted, and it's encrypted using that key. So that's the Amazon approach.

What about Microsoft Azure? Well, with Azure, again you can encrypt the root and attached drives of virtual machines. The first thing you have to do is to create a key vault, then create a key in the key vault, and then build the virtual machine unencrypted, and then run a PowerShell script which encrypts using BitLocker if it's a Windows virtual machine, or dm-crypt if it's Linux, and that uses the key that's in Key Vault, which actually encrypts the secret that's used as the BitLocker encryption key. This process takes around about 10 minutes per virtual machine, and of course this can be sequenced into a build pipeline, so as soon as you build the virtual machine you then run the PowerShell script, so you can completely automate this. I'm just going to show you that in Azure. Back in the Azure portal I'm going to go into virtual machines, and here's my virtual machine, and if I select this and go to disks, you'll see yes, encryption is enabled, and that was achieved using the approach which I just showed you. So comparing AWS and Azure for virtual machine encryption, both have a solution, both work very well; the main difference is that with AWS the machine can be encrypted right from the moment that it's built, because the AMI is encrypted, whereas with Azure it's not encrypted to start with, and then you encrypt it, you turn on the encryption, using PowerShell. So that's number two.

Let's move on to number three of my tasks at work. The third one is alerting on an unauthorised API or service principal call. We start off with AWS. The requirement was to come up with an alert if a particular AWS key is used from an IP address which it's not supposed to be used from, so again a fairly common requirement for organisations concerned about security. There's more than one way that this could be done, but the way we did it was to implement a Lambda function. The Lambda function that I implemented is shown here. I turned on CloudTrail; CloudTrail provides a log of all activity on the account, which I then configured to send to an S3 bucket. The objects arriving in S3 are then used to trigger the Lambda function, which then does some analysis to see if it matches the particular condition for the key and IP address, and then actually sends an alert to Simple Notification Service, or SNS, which I've then subscribed to from my email address. This code, in this case, is JavaScript, Node.js; it could equally well be Python. So if I look at my email you'll see here (oops, that's the wrong one, obviously), yes, so here's an example alert received using this mechanism from AWS. So that's the Amazon solution. What about Azure?

Okay, well, in Azure, similar requirement: if a particular Azure service principal is used from an unauthorised IP address I want to get an alert. The solution that I came up with there was firstly to use Azure Activity Log. Azure Activity Log is equivalent to CloudTrail, and it's a record of all of the different changes and calls that are made to that subscription. I configured that Azure Activity Log to send that information to Azure Log Analytics, and then within Log Analytics wrote a saved search to look for that particular pattern of information, and then within Azure Monitor created an alert, an alert rule and an alert action group which pointed to my email address. So that was the approach with Azure. Just taking a look at that: if I go back into the Azure portal, go to Monitor and then Alerts, and I'll just change this to the past seven days, so here are my alerts, generated using this mechanism, and if I go into email there's an example email from that alert. So you can see that with both AWS and Azure it's possible to come up with good solutions. I probably found the Azure one a bit more straightforward to do, because just personally the way that you write the search queries, I find that easy, whereas for me writing Node.js and JavaScript is a bit more time-consuming. But there's nothing wrong, you know, with either approach; either solution is great and works very well. So that's my third actual implementation.

So what we're going to do now is, rather than do any questions at the end, we've just got time for a few questions or comments. Okay, I see one here already, and the BSides volunteers are very kindly going to go around the room with microphones, so that one there. I'd say we've only got time for about three questions or comments, I should think, so if you just want to make a comment.

[Audience question, mostly inaudible in the transcript, about encrypting virtual machines retrospectively across an existing estate in AWS and Azure.]

Okay, so I think you all heard that. The difference, I guess, well, obviously if it's an existing estate and they're not encrypted, then it can take a lot longer than ten minutes. To be quite honest, that would definitely work in Azure; to be honest I haven't ever thought about how that might be done with AWS, or whether it's possible, I don't know if anybody else has, so I wouldn't like to comment about AWS, but Azure would definitely work, but it would take a lot longer than 10 minutes. So I think we had another question at the front, or comment. Oh sorry, we're just going to anyone near the back first.

[Audience comment, partly inaudible in the transcript: both platforms are very feature-rich; the best way to compare their security is to see whether their resources are secure by default and whether they follow that sort of policy, and Azure has done a really bad job of that, for example creating resources with public IP addresses, whereas AWS follows that approach.]

Yes, okay, well, thank you for that. So in case anybody didn't hear, I think the comment, to summarise, was that you feel that one should make the choice or decision according to the default settings, and you believe that AWS does a better job of that. Okay, go ahead, sorry. We'll do one in the back and then we'll do one at the front, and then we'll have to move on, just for time.

[Audience comment, inaudible in the transcript.]

Okay, so basically you're advocating a multi-cloud strategy, which a lot of organisations do. I completely agree with that. Okay, we'll take that as a comment, and last one, and then we need to move on in the interest of time and the next speakers.

[Audience question] Thank you, just a question based on your experience serving customers: have you seen security be a defining factor between the two clouds, or is it a matter that you have to secure AWS because they have already chosen AWS, or secure Azure because they have already chosen Azure?

Yes, that's a really good question, and in my personal experience the decision has always been made by very senior management without really any knowledge of security much at all, and then it's been my job to make it secure, whichever it may be. Some of you may have different experiences. So thank you for those comments and questions, really appreciate that.

So what we're going to do now is we're actually going to do a vote, and don't take this too seriously. We've got three BSides volunteers who are very kindly going to come up and help with this, so that they can take a view, and then I'll announce the results, and then we'll wrap up at that point and finish. So what I'm asking you to do is vote for AWS or Azure. This is not a referendum or anything like that, okay, so don't take it too seriously, and you don't have to vote; if you don't agree with this whole thing, you don't have to vote, right. And if you think that both AWS and Azure are more or less equivalent on security, near as dammit, then you can vote for both; nothing wrong with you voting for both if that's what you feel. And they're going to just determine the result by looking at the audience. So you guys ready? Okay, so those of you who want to vote for AWS please raise your hands now, and keep them up for a little while so they can take a view. Okay, thank you, so now put your hands down please, and now those of you who want to vote for Azure please put your hands up now. Okay, if you've got that, thank you, so I'm going to leave it to you to announce the results. Okay, so the winner is... okay, that's the winner. So what I would say, and we haven't finished yet, what I would just like to say is, and I hope you'll join me in appreciating, you know, all the hard work which both AWS and Azure have put into developing a very comprehensive set of security services, so thank you to both organisations. So I'm just going to say, well, that's a vote.

Okay, if you just hang on for a minute, I've just got a couple of last words. Firstly, if any of you are interested in finding out more than we can go into in half an hour, my next cloud security DevSecOps training course is at 44CON in September, details on the 44CON website; it would be great to see some of you there. And if you want to follow me on Twitter or connect on LinkedIn, I'm the only Paul Schwarzenberger working in security, and you're very welcome to email, or I'll be around the rest of the day as well. So thank you very much, and thank you also to the BSides