Zero Trust Networking

Rainer Stropek | @rstropek | rainer@timecockpit.com

Cloud Apps Beyond Perimeter Security

What is a "Zero Trust Network"?

[Diagram: a classic perimeter network with clients and servers behind a load balancer, and remote clients reaching it from the Internet through a VPN]

Hard rules outside,
soft (or no) rules inside

Perimeter Security

  • Secure the "inside" from the insecure "outside"
  • E.g. Firewalls, proxies, DMZs, VPNs

Problems (Examples)

  • Mobile and home working outside of corpnet/VPN
  • Is corpnet really secure?
  • Software-as-a-Service
    • Outgoing and incoming
  • Further reading: Google's BeyondCorp project

[Diagram: the same clients, servers, load balancer, Internet and VPN as above]

Assumption:
We cannot trust
any network


Prerequisites for Zero Trust Networking

Three Rules

  • Authenticate every connection
    • Users, Devices
  • Encrypt all traffic
  • Log everything

What about legacy apps?

  • Network segmentation
    • Microsegmentation
  • Problems: PaaS, Serverless

How Can Azure Help?

  • PaaS and Serverless
    • No more patching of base software infrastructure
  • Encryption of data in transit out of the box
    • Certificate management (free managed certs in preview)
    • Key Vault secure storage for certs and secrets
  • Azure AD for authentication and authorization
    • Users and services
    • Managed identities for M2M communication
  • Private Endpoints
    • Enable PaaS/Serverless in locked-down network segments
  • Logging, monitoring, and telemetry
    • Application Insights

How Can Azure Help?

  • Network security
    • Network Security Groups
    • Web Application Firewall (WAF)
    • DDoS protection
    • API Management
    • Secure RDP/SSH (e.g. Bastion)
    • VPN Gateways
  • Secure Control Plane
    • Azure Resource Manager
    • Azure Cloud Shell

Avoid...

  • ...secrets
    • Use AAD instead
    • E.g. AAD admin for Azure SQL
  • (if not avoidable) ...storing secrets outside Key Vault
  • ...putting old, legacy apps on the internet
  • ...applying traditional perimeter-focused policies to cloud-native apps
    • They make no sense with many PaaS/Serverless cloud services
  • ...forgetting logging/monitoring/telemetry
  • ...underestimating the importance of AAD
  • ...manually managing certificates and secrets
  • ...inventing your own security protocols and services

Demo Time!

Demo

  • Cloud Native Web API
    • App Service Web App
    • .NET Core 3.1
    • Protected by AAD (OpenID Connect)
  • SQL DB for storage
    • Fully managed
    • Admin access protected by AAD
    • App access protected by AAD (Managed Identity)
  • Limit SQL DB access to VNet
    • SQL Private Endpoint
  • Legacy Node.js app
    • Not ready for Zero Trust Networking
    • VNet isolation with access via Bastion
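The "avoid secrets, use AAD instead" advice and the SQL part of the demo above (AAD admin, Managed Identity access from the Web API, Private Endpoint), as an added example that is not the deck's demo code: the AAD admin creates a database user for the Web App's managed identity, the .NET Core 3.1 Web API then opens its connection with an AAD token instead of a password, and a small DNS check verifies from inside the VNet that the server name resolves through the private endpoint. The server name `zt-demo-sql`, database `zt-demo-db`, identity name `zt-demo-api` and the class and method names are assumptions of this example.

```csharp
// Added example, not the deck's demo code. Assumed names: SQL server "zt-demo-sql",
// database "zt-demo-db", Web App managed identity "zt-demo-api".
// NuGet packages: Azure.Identity, Microsoft.Data.SqlClient (both work on .NET Core 3.1).
using System;
using System.Linq;
using System.Net;
using System.Net.Sockets;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Data.SqlClient;

public static class AadSqlAccess
{
    // Step 1 (one-time, run by the SQL server's AAD admin, not by the app): the database
    // user *is* the Web App's managed identity, so there is no password to store or leak.
    public const string GrantAccessToManagedIdentity = @"
        CREATE USER [zt-demo-api] FROM EXTERNAL PROVIDER;
        ALTER ROLE db_datareader ADD MEMBER [zt-demo-api];";

    // Step 2: the connection string carries no User ID / Password at all.
    // Encrypt=True enforces TLS on the wire (rule 2: encrypt all traffic).
    public const string ConnectionString =
        "Server=tcp:zt-demo-sql.database.windows.net,1433;" +
        "Database=zt-demo-db;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;";

    // Azure SQL accepts AAD access tokens issued for this resource scope.
    private static readonly string[] SqlScope = { "https://database.windows.net/.default" };

    // Step 3: obtain a token for the app's own identity and hand it to SqlClient.
    public static async Task<SqlConnection> OpenWithManagedIdentityAsync()
    {
        // On App Service this uses the system-assigned managed identity; on a developer
        // machine DefaultAzureCredential falls back to the signed-in az CLI / Visual Studio
        // user, so the same code runs everywhere without a secret in configuration.
        var credential = new DefaultAzureCredential();
        AccessToken token = await credential.GetTokenAsync(new TokenRequestContext(SqlScope));

        var conn = new SqlConnection(ConnectionString) { AccessToken = token.Token };
        await conn.OpenAsync();
        return conn;
    }

    public static async Task<int> CountRowsAsync(string table)
    {
        // Table names cannot be bound as parameters, so restrict them to a safe character set.
        if (string.IsNullOrEmpty(table) || !table.All(char.IsLetterOrDigit))
            throw new ArgumentException("table name must be alphanumeric", nameof(table));

        using SqlConnection conn = await OpenWithManagedIdentityAsync();
        using var cmd = new SqlCommand($"SELECT COUNT(*) FROM [{table}]", conn);
        return (int)await cmd.ExecuteScalarAsync();
    }

    // Step 4 (private endpoint check): with the privatelink.database.windows.net private DNS
    // zone linked to the VNet, the public server FQDN resolves to the endpoint's private VNet
    // address. Run from inside the VNet; a public address means the private zone is not in effect.
    public static bool ResolvesToPrivateAddress(string host)
    {
        return Dns.GetHostAddresses(host)
            .Where(a => a.AddressFamily == AddressFamily.InterNetwork)
            .Any(IsRfc1918);
    }

    public static bool IsRfc1918(IPAddress address)
    {
        byte[] b = address.GetAddressBytes();
        return b[0] == 10
            || (b[0] == 172 && b[1] >= 16 && b[1] <= 31)
            || (b[0] == 192 && b[1] == 168);
    }
}
```

Microsoft.Data.SqlClient 2.1 and later can do step 3 from the connection string alone with `Authentication=Active Directory Managed Identity`; the explicit token call above keeps the flow visible and works with older versions. Step 4 only proves something when run from a VNet-connected App Service (regional VNet integration), because the public DNS name of the server keeps resolving to a public address from anywhere else.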

Demo

  • Code Walkthrough
    • App Service Code
    • Legacy Web App
  • Let Web API access legacy backend
    • Access through Bastion
    • Allow PaaS access to VNet
  • Protect Web API using AAD "Easy Auth"
    • Show headers
  • Switch SQL to AAD
    • AAD Admin
    • Managed Identity access from Web API
  • Restrict access to SQL DB using Private Endpoint
    • Including private DNS zone
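The three rules (authenticate every connection, encrypt all traffic, log everything) and the "Protect Web API using AAD Easy Auth, show headers" demo step, as one added example that is not the deck's demo code: an ASP.NET Core 3.1 Web API behind App Service Authentication reads the verified identity that the platform forwards in the `X-MS-CLIENT-PRINCIPAL` header, turns it into the request's `ClaimsPrincipal`, refuses unauthenticated callers by default, and logs every call. The names `EasyAuthPrincipal`, `EasyAuthHandler` and the scheme name `EasyAuth` are this example's own; the header format is the one App Service injects.

```csharp
// Added example, not the deck's demo code. EasyAuthPrincipal, EasyAuthHandler and the scheme
// name "EasyAuth" are this example's own names.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Text;
using System.Text.Encodings.Web;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

public static class EasyAuthPrincipal
{
    // App Service validates the AAD token at the platform edge and forwards the verified identity
    // as base64(JSON): {"auth_typ":"aad","claims":[{"typ":"...","val":"..."}],"name_typ":"...","role_typ":"..."}
    // The platform strips any X-MS-CLIENT-PRINCIPAL* header a client sends itself, which is why
    // the app may trust this header only while it runs behind Easy Auth.
    public const string HeaderName = "X-MS-CLIENT-PRINCIPAL";

    private sealed class ClaimDto { public string typ { get; set; } public string val { get; set; } }
    private sealed class PrincipalDto
    {
        public string auth_typ { get; set; }
        public List<ClaimDto> claims { get; set; }
        public string name_typ { get; set; }
        public string role_typ { get; set; }
    }

    // Returns null when the header is absent or carries no claims.
    public static ClaimsPrincipal Parse(string base64Header)
    {
        if (string.IsNullOrEmpty(base64Header)) return null;
        string json = Encoding.UTF8.GetString(Convert.FromBase64String(base64Header));
        PrincipalDto dto = JsonSerializer.Deserialize<PrincipalDto>(json);
        if (dto?.claims == null || dto.claims.Count == 0) return null;

        IEnumerable<Claim> claims = dto.claims.Select(c => new Claim(c.typ, c.val));
        // name_typ / role_typ tell ASP.NET Core which claims feed Identity.Name and IsInRole().
        var identity = new ClaimsIdentity(claims, dto.auth_typ, dto.name_typ, dto.role_typ);
        return new ClaimsPrincipal(identity);
    }
}

// Rule 1 (authenticate every connection): turn the forwarded identity into HttpContext.User.
public sealed class EasyAuthHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
    public const string SchemeName = "EasyAuth";

    public EasyAuthHandler(IOptionsMonitor<AuthenticationSchemeOptions> options, ILoggerFactory logger,
        UrlEncoder encoder, ISystemClock clock) : base(options, logger, encoder, clock) { }

    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        ClaimsPrincipal principal = EasyAuthPrincipal.Parse(Request.Headers[EasyAuthPrincipal.HeaderName]);
        // Rule 3 (log everything): record who called what, anonymous attempts included.
        Logger.LogInformation("{Method} {Path} by {User}", Request.Method, Request.Path,
            principal?.Identity?.Name ?? "anonymous");
        if (principal == null) return Task.FromResult(AuthenticateResult.NoResult());
        return Task.FromResult(AuthenticateResult.Success(new AuthenticationTicket(principal, Scheme.Name)));
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();
        services.AddApplicationInsightsTelemetry();   // rule 3; NuGet Microsoft.ApplicationInsights.AspNetCore
        services.AddAuthentication(EasyAuthHandler.SchemeName)
            .AddScheme<AuthenticationSchemeOptions, EasyAuthHandler>(EasyAuthHandler.SchemeName, null);
        // Every endpoint requires an authenticated caller unless marked [AllowAnonymous],
        // so a controller that forgot [Authorize] fails closed instead of open.
        services.AddAuthorization(o =>
            o.FallbackPolicy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build());
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseHsts();
        app.UseHttpsRedirection();   // rule 2 (encrypt all traffic); pair with the App Service "HTTPS Only" setting
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(e => e.MapControllers());
    }
}
```

With Easy Auth configured to require authentication, anonymous requests are already answered with 401 at the platform edge and never reach this code; the fallback policy is the second, in-app layer for the case where that platform setting is later relaxed. `X-MS-CLIENT-PRINCIPAL-NAME` and `X-MS-CLIENT-PRINCIPAL-ID` carry the same name and object id in plain form and are the ones to look at when "showing headers" in the demo.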

Zero Trust Networking in Azure

By Rainer Stropek
