Windows Azure Security Deltas

- J.D. Meier, Paul Enfield.

This document enumerates some of the key deltas between securing an on-premises application and securing one deployed on Windows Azure. For each feature, we have listed some key hot spots related to that feature, and the impact of that item upon securing your application.

| Feature | Hot Spots | Impact |
| --- | --- | --- |
| Managed infrastructure | n/a | n/a |
| Failover | Loosely coupled system design | Application design |
| Scalability through instances | Dynamic IPs; (sub)domain names | Use DNS names over IP addresses |
| Azure Storage | Access keys; REST access; HTTP or HTTPS transport; Shared Access Signatures; Blob access (shared access) | Secret storage; Authorizing REST access; Secure communication of Access Signatures; AuthN/Z on blob access |
| Management portal | Live ID access; Deployment | Live ID distribution/management; Certificate deployment and management |
| AppFabric Access Control | Claims mapping; Configuration access; Signing certs; Key rollover mechanism | REST service authentication and authorization; Live ID distribution/management; Key rollover is manual/admin |
| AppFabric Service Bus | Shared Secret authentication; SAML authentication; SWT authentication; Discoverability through DiscoverType.Private/Public | |
| SQL Azure | SQL Authentication only; User provisioning/deprovisioning; SQL Azure firewall (IP screening) | Auth via credentials requires strong password conventions; Lack of user management (provisioning) integration with ADFS; Permit service connections (IPs within the Azure environment permitted); Avoid concatenated connection strings, use the SqlConnectionStringBuilder class; Use the Encrypt=true connection property to force auth over SSL; Use Persist Security Info=false |
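The three SQL Azure connection-string items in the Impact column above, carried into code as an added example (written for this page, not taken from the authors or from any Azure SDK sample). It contrasts a concatenated connection string with one built by SqlConnectionStringBuilder, and shows why concatenation matters: a caller-supplied value containing a semicolon can append its own keywords. The server, login, password and hostile database name are constructed placeholders; TrustServerCertificate=false is an extra setting not listed in the table.

```csharp
using System;
using System.Data.SqlClient;

// Added example: SQL Azure connection strings built the way the table's
// Impact column recommends, beside the concatenated form it warns against.
// All server/login/password values below are constructed placeholders.
public static class SqlAzureConnectionStrings
{
    // Vulnerable form: string concatenation. Any value that contains ';'
    // becomes part of the keyword list. If the database name is
    // "mydb;Encrypt=false", that later Encrypt keyword overrides the
    // Encrypt=true written earlier (the last occurrence of a keyword wins).
    public static string BuildByConcatenation(string server, string database,
                                              string user, string password)
    {
        return "Server=tcp:" + server +
               ";Encrypt=true;Persist Security Info=false" +
               ";Database=" + database +
               ";User ID=" + user + ";Password=" + password + ";";
    }

    // Hardened form: SqlConnectionStringBuilder quotes any value that
    // contains ';' or '=', so a supplied value cannot inject keywords.
    public static string BuildWithBuilder(string server, string database,
                                          string user, string password)
    {
        var builder = new SqlConnectionStringBuilder
        {
            DataSource = "tcp:" + server,
            InitialCatalog = database,
            UserID = user,
            Password = password,
            Encrypt = true,                 // force authentication and data over SSL
            TrustServerCertificate = false, // added here: validate the server certificate
            PersistSecurityInfo = false     // do not keep the password on the open connection
        };
        return builder.ConnectionString;
    }

    // Re-parse a connection string and check the two properties the table
    // calls out; use this as a guard before handing the string to SqlConnection.
    public static bool EnforcesSecureTransport(string connectionString)
    {
        var parsed = new SqlConnectionStringBuilder(connectionString);
        return parsed.Encrypt && !parsed.PersistSecurityInfo;
    }

    public static void Main()
    {
        const string server = "examplesrv.database.windows.net";   // constructed placeholder
        const string user = "appuser@examplesrv";                 // SQL Azure login form: user@server
        const string password = "PLACEHOLDER-STRONG-PASSWORD";    // constructed placeholder
        const string hostileDatabase = "mydb;Encrypt=false";      // constructed hostile input

        string concatenated = BuildByConcatenation(server, hostileDatabase, user, password);
        string built = BuildWithBuilder(server, hostileDatabase, user, password);

        // The concatenated string parses with Encrypt=false because the injected
        // keyword came last; the builder-produced string keeps Encrypt=true because
        // the hostile value was quoted into Initial Catalog as a literal.
        Console.WriteLine("concatenated enforces SSL: " + EnforcesSecureTransport(concatenated));
        Console.WriteLine("builder      enforces SSL: " + EnforcesSecureTransport(built));
    }
}
```

The re-parse check in EnforcesSecureTransport is the useful defensive habit here: whatever source a connection string comes from (configuration, a role setting, user input), parse it back through SqlConnectionStringBuilder and refuse to open a SqlConnection unless Encrypt is on and Persist Security Info is off.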



Last edited May 20, 2010 at 11:42 PM by paulenfield, version 15
