A Penetration Tester’s Guide to the Azure Cloud
By Apostolis Mastoris on 3 November, 2016
The wide adoption and the benefits of cloud computing has led many users and enterprises to move their applications and infrastructure towards the Cloud.
However, the nature of the Cloud introduces new security challenges, therefore organizations are required to ensure that such hosted deployments do not expose them to additional risk. Auditing Cloud services has become an essential task and, in order to carry out such assessments, familiarization with certain components of the target environments is required.
This talk provided insight into the Microsoft Azure Cloud service and presented practical advice on performing security assessments on Azure-hosted deployments. More specifically, it demystified the main components of a Cloud service and dived further into Azure-specific features. The main security controls and configurations associated with each of the mainstream Azure components were also explored. Areas that were covered include role-based security, secure networking features, perimeter security, encryption capability, auditing, and monitoring of activities within the Azure Cloud environment.
Additionally, the presentation included a demonstration of Azurite, a new tool that uses the Azure PowerShell cmdlets to collect verbose information about the main components within a deployment. The tool also provides functionality to visualize the components within a network infrastructure using an interactive representation of the topology and the associations between the deployment's components.
Watch “A Penetration Tester’s Guide to the Azure Cloud” during The Eleventh HOPE
The presentation can be viewed on the following URL: http://livestream.com/internetsociety2/hopeconf/videos/130622285
Azurite is open source software maintained by MWR InfoSecurity and is available on Github (https://github.com/mwrlabs/Azurite).