TechEd NA 2014 – Announcing Hybrid Connections

TechEd North America 2014, Houston
Announcing Hybrid Connections: Building Amazing Hybrid Web Sites and Mobile Apps in Minutes – Santosh Chandwani

Day 4, 15 May 2014, 1:00PM-2:15PM (DEV-B307)

Disclaimer: This post contains my own thoughts and notes based on attending TechEd North America 2014 presentations. Some content maps directly to what was originally presented. Other content is paraphrased or represents my own thoughts and opinions and should not be construed as reflecting the opinion of either Microsoft, the presenters or the speakers.

Executive Summary—Sean’s takeaways

  • Hybrid connection is a simple way to access on-premise resource from Azure
    • When you don’t want to do something more complex, like VPN / ExpressRoute
  • Connection Manager allows connecting to an on-premise TCP or HTTP service
  • Can connect to Azure web site or Mobile Service

Full video

Santosh Chandwani, Senior Program Manager, Azure, Microsoft

Evolving Enterprise Infrastructure

  • Traditionally, have put everything on a corporate network
  • Azure also has its own network
    • Makes sense to move stuff into the cloud
  • But common to want to keep some critical data on-premise
  • One way to connect these networks
    • VPN, ExpressRoutes
    • Some limits
  • But sometimes you just a simple connection to an asset running on-premise
    • Simple


  • Reinforce ability to do hybrid applications on Azure
  • Extend hybrid capabilities to all Azure services (e.g. PaaS)
  • Don’t want custom code or infrastructure on-premise
  • Secure access without changing network configuration
  • Enterprise admins continue to have control and visibility

Introducing Hybrid Connections

  • Feature of Azure BizTalk Services
    • But don’t require using all of BizTalk
  • Fast, easy way to build Hybrid Apps in preview
  • Connect Mobile Services to on-premises resources

BizTalk Services FREE Edition (Preview)

  • Preview this week
  • Use Hybrid Connections at no charge
  • Hybrid Connections and Data Transfer now included w/all BizTalk Services tiers

Key Features

  • Access to on-premises resources
    • SQL Server, or resources that use TCP or HTTP
  • Works with most frameworks
    • Support for .NET, .NET for Mobile Services
    • No mention of Web API
  • No need to alter network perimeter
    • No VPN gateway or firewall changes to allow incoming traffic
    • Applications have access only to the resource that they require
  • Maintains IT control over resources
    • Group Policy controls, so enterprise admins can control

Hybrid Connections

  • Hybrid Connection Manager
    • Can discover resources on premise
  • From Web Sites or Mobile Services

Demonstration – Web sites

  • Shows web site talking to SQL Server, both on corporate network
  • Then publish web site up to Azure
  • Talking to SQL Azure database
  • Now, set up hybrid connection
    • From Azure Portal, add
    • Name
    • Hostname – on local network, also port name
    • Hostname—could it be IP?
    • Create or use BizTalk Service
  • At this point, it’s just existing on Azure—doesn’t actually connect to anything
  • Set it up from web site, so it knows that web site wants to connect to it
  • Then Remote into desktop
  • IP address could be any device
  • Manager must run on Windows
  • Listener Setup (thru portal)
    • Connected through the portal’s same account
    • They could also do manual setup, with MSI & connection string
  • Where in connection manager did we specify IP address to expose?
    Or was it because we installed it directly on the node that we want to connect to?
  • Now change conn string on web site
    • Replace connection string
  • Refresh web site, now talking to SQL Server on-premises

Lift and Shift

  • Lift web site up into Azure
  • Shift connection to point back to on-premise database
  • No code changes


  • Identify application by host name and port
  • Gave hostname and port to hybrid connection
    • Note: name could only be resolved on corporate network
  • Hybrid Connection Manager
    • Has gone through all security and threat models from Microsoft
  • Arrow directions—how is connection initiated
    • HCM initiates connection to both local resource and up to cloud
  • HCM pushes data
  • Once we spin up hybrid connection, we can use it from multiple services

Demo – Mobile Services

  • Mobile Services – .NET back-end
  • Can now launch and debug Mobile Service locally
  • Creating hybrid connection for Mobile Service from BizTalk Services portal
  • From Mobile Services part of portal, then pick existing Hybrid Connection (and BizTalk service)
  • Then set conn string to point to local database
  • Change code in Mobile Service to use the new connection string
  • Now running local app that goes to Mobile Server to get data
    • Mobile Service in turn is connected to hybrid connection
  • Remote to PC and install hybrid connection manager


  • Supports resources using TCP and HTTP for connectivity
    • Only static TCP ports
    • Need to know ahead of time what the port is
    • Also static IP address, presumably ?
    • Maybe dynamic ports in the future
  • Hybrid Connections don’t buffer or inspect traffic
    • TLS can be negotiated end-to-end between application and on-premises resource
    • Dynamic port redirection, e.g. FTP passive mode – doesn’t work (not supported)


  • Uses Shared Access Signature Authorization
    • Secure, Simple, Familiar
  • Separate roles for on-premises connector and application
  • Application authorization is independent
    • Between web site and on-premise resource


  • Max 5 connections to start with
  • On-premise setup
    • Link to download MSI will be available soon
    • Can use Powershell and MSI to create connection
  • When you get the on-premise installer, the set of connection strings for the connection
  • Mobile Services not yet in new Azure portal

Resiliency & Scale

  • On-Premises Resources can be scaled out as usual
    • Clustering, availability for SQL
  • Applications can be scaled out on Azure
    • Each instance of Website or Mobile Service will connect to Hybrid Connection
    • Don’t have to do anything special
  • Multiple instances of Hybrid Connection Manager supported
    • But going to same IP address
    • Gives us scale

Enterprise IT in control

  • Manage resource access for Hybrid applications
    • Group Policy controls for allowing access
    • Admins can designate resources to which Hybrid Applications have access
  • Event and Audit Logging
    • IT has insight into resources being accessed
    • IT can use existing infrastructure investments for monitoring and control
  • Dashboard on Azure portal
    • Access to connection health, status
    • Will provide insights on usage and metrics (future)



  • Fastest way to build hybrid applications
  • List and Shift web workloads to Azure web sites whilst connecting to on-premises data
  • On-premises data just clicks away from Azure Websites & Mobile Services

TechEd NA 2014 – Microsoft Azure Resource Manager

TechEd North America 2014, Houston
Microsoft Azure Resource Manager – Kevin Lam

Day 4, 15 May 2014, 2:45PM-4:00PM (DEV-B224)

Disclaimer: This post contains my own thoughts and notes based on attending TechEd North America 2014 presentations. Some content maps directly to what was originally presented. Other content is paraphrased or represents my own thoughts and opinions and should not be construed as reflecting the opinion of either Microsoft, the presenters or the speakers.

Executive Summary—Sean’s takeaways

  • Now group all resources in Azure portal into resource groups
  • Resource group should be based on whatever grouping makes sense to you
  • Can use Powershell and REST-based API to create/destroy resources
  • Resource templates can be used or modified
    • Start with templates used to create resources listed in gallery

Full video

Kevin Lam, Principal Program Manager, Azure, Microsoft

Today’s Challenge

  • Tough to
    • Deploy or update group of resources
    • Manage permissions on group of resources
    • Visualize group of resources in logical view

We have various Singletons

  • E.g. SQL Database, web site, etc.
  • Deploy is harder
  • Proper use of resources is more abstract
  • Isolation makes communication a challenge

Resource Centric Views

  • (old portal)
  • Big flat list, long list at left

Introducing Resource Manager

  • Application Lifecycle Container
  • Declarative solution for Deployment and Configuration
  • Consistent Management Layer

Resource Groups

  • Tightly coupled containers of a collection of resources
  • Can be same type or different
  • Every resource lives in exactly one resource group
  • Resource groups can span regions
    • E.g. web site located in multiple regions

Coupling for Resources

  • Resource Group is a unit of management
    • Lifecycle – deployment, update, delete, status
    • Grouping: metering, billing, quota – applied, rolled up to entire resource group

Q: Link resource groups together?

  • Not yet. But soon. Will be different ways to view resources

Resource Group Lifecycle

  • How do you decide where to put resources?
  • Hint – do they have common lifecycle and management?
  • Answer – up to you

Power of Repeatability

  • Azure templates can
    • Ensure idempotency –
    • Simplify orchestration
    • Provide cross-resource configuration and update support
  • Azure templates are:
    • Source file, checked-in
    • JSON file
    • Specifies resources and dependencies and connections
    • Parameterized input/output
  • Template drives execution list, based on dependencies

Add Your Own Power

  • Some resources can be extended by allowing more code or data inside resource
    • E.g. AV agent inside VM
    • WordPress web-deploy package on a Website
  • Allow for Scripting or Imperative configuration of resources
  • Extensible solution (Windows/Linux)
    • Chef, Puppet, etc.

Consistent Management Layer

  • Service Management API
    • Portal uses same API that is available to devs
  • Routing to appropriate resource provider
    • Resource providers adhere to resource provider contract

What Does This All Mean?

  • Application Lifecycle Container
    • Deploy/manage application as you see fit
  • Declarative solution for Deployment and Configuration
    • Single-click deployment of multiple instantiations of your application
  • Consistent Management Layer
    • Same experience of deployment and management, from wherever

Demo – Implementation

  • Postman hooked up to REST API
  • Hit API, get JSON data back
  • Examples
    • Get resource groups
    • PUT SQL Server (create)
  • Creating SQL Server node takes a bit of time
  • Then PUT SQL Database on that server
  • Anything that you PUT, you can also GET
  • Can get list of resources
    • Then index by number

Demo – New Portal

  • Gallery – curated list of resources that you can create
    • Microsoft and 3rd party
    • All creation is done by templates
    • You can get these templates and pull them down (PowerShell)
    • Can modify and use these default templates

New JSON editor in Visual Studio

  • With intellisense

TechEd NA 2014 – Public Cloud Security

TechEd North America 2014, Houston
Public Cloud Security: Surviving in a Hostile Multitenant Environment – Mark Russinovich

Day 3, 14 May 2014, 3:15PM-4:30PM (DCIM-B306)

Disclaimer: This post contains my own thoughts and notes based on attending TechEd North America 2014 presentations. Some content maps directly to what was originally presented. Other content is paraphrased or represents my own thoughts and opinions and should not be construed as reflecting the opinion of either Microsoft, the presenters or the speakers.

Executive Summary—Sean’s takeaways

  • To move to cloud, customers must trust us
  • Need to follow best practices to make things secure
    • At least as good as what your customers are doing
  • Makes sense to look at top threats and think about mitigating risk in each case
  • Azure does a lot of work to mitigate risk in many areas
    • Often far more than you’d do in your own organization
  • Top three threats
    • Data breach
    • Data loss
    • Account or service hijacking
  • Encryption at rest not a panacea

Full video

Mark Russinovich – Technical Fellow, Azure, Microsoft

“There is no cloud without trust”

  • Security, Availability, Reliability

Misconceptions about what it means to be secure in cloud

  • Will dispel some of the myths
  • Look at what’s behind some of the risks
  • Mitigation of risks

The Third Computing Era

  • 1st – Mainframes
  • 2nd – PCs and Servers
  • 3rd – Cloud + Mobile
  • (Lack of) Security could ruin everything


  • Study after study, CIOs say looking at cloud, but worried about security
  • Other concerns
    • Security
    • Compliance
    • Loss of control

Goals of this Session

  • Identify threats
  • Discuss risk
  • Mitigate

Cloud Architecture

  • Canonical reference architecture
  • Virtualized structure
  • Datacenter facility
  • Microsoft—deployment people and DevOps
  • Customers of cloud—Enterprise, Consumer
  • Attacker

Cloud Security Alliance

  • Microsoft is a member

The Cloud Security Alliance “Notorious Nine” (what are threats to data in cloud?)

  • Periodically surveys industry
  • 2010 – Seven top threats
  • 2013 – Nine top threats
  • Mark adds 10th threat

#10 – Shared Technology Issues: Exposed Software

  • Shared code defines surface area exposed to customers
    • In public cloud, servers are homogeneous—exact same firmware
    • Hypervisor
    • Web server
    • API support libraries
  • What if there’s a vulnerability?
  • Stability and security are balanced against each other
    • Patching might bring down servers
  • Assumes infrastructure is accessible only by trusted actors
  • Corporate and legal mechanisms for dealing with attackers
  • This is: Enterprise Multi-tenancy

#10 – Shared Technology Issues: The Cloud Risk

  • A vulnerability in publically accessible software enables attached to puncture the cloud
    • Exposes data of other customers
    • Single incident—catastrophic loss of customer confidence
    • Potential attackers are anonymous and in diverse jurisdictions
  • “Are you doing as good a job as I’d be doing if I had the data in the house”?
  • Important (vs. Critical) – data not at risk, but confidence in Azure is critical
    • “Cloud critical”
  • “Hostile Multi-tenancy”
  • We do whatever it takes to patch immediately

#10 – Shared Technology Issues: Bottom Line

  • Enterprises and clouds exposed to this risk
  • Clouds at higher risk
    • Data from lots of customers
    • API surface is easy to get to
  • Clouds are generally better at response
    • Azure has about 1,000,000 servers
    • Can do critical patch in just a couple hours, all servers
    • Breach detection/mitigation
  • Risk matrix
    • Perceived risk—bit below average
    • Actual risk – Fairly high (Mark’s assessment)

#9 – Insufficient Due Diligence

  • Moving to cloud, but side-stepping IT processes
    • Shadow IT
    • BYOIT – Bring your own IT—non-IT going to cloud
    • IT management, etc. are designed for on-premises servers
  • Bottom line
    • IT must lead responsible action

#9 – Insufficient Due Diligence – Azure

  • Azure API Discovery
    • Monitors access to cloud from each device
  • SDL
  • Cloud SDL (under development)

#8 – Abuse of Cloud Services

  • Agility and scale of cloud is attractive to users
  • Use of Compute as malware platform
  • Use of storage to store and distributes illegal content
  • Use of compute to mine digital currency
    • VMs shut down per month, due to illegal activity: 50,000-70,000
    • Bulk of it is for generating crypto currency
    • Top 3 countries that are doing this: Russia, Nigeria, Vietnam
    • Password for Vietnamese pirate: mauth123 (password123)
    • Harvard supercomputer was mining bitcoin

#8 – Abuse of Cloud Services: It’s Happening

  • Attackers can use cloud and remain anonymous
  • Bottom line
    • Mostly cloud provider problem
    • Hurts bottom line, drives up prices
  • Using machine learning to learn how attackers are working

#7 – Malicious Insiders

  • Many cloud service provider employees have access to cloud
  • Malicious check-in, immediately rolls out to everybody
  • Operators that deploy code
  • Datacenter operations personnel
  • Mitigations
    • Employee background checks
    • Limited as-needed access to production
      • No standing admin privileges
    • Controlled/monitored access to production services
  • Bottom line
    • Real risk is better understood by third-party audits

Compliance is #1 concern for companies already doing stuff in cloud

#7 – Malicious Insiders – Compliance

#6 – Denial of Service

  • Public cloud is public
  • Amazon was at one point brought down by DDOS
  • Your own app could get DDOS’d
  • Cloud outage – a form of DDOS
  • Redundant power from two different locations to each data center
  • Blipping power to data center results in major outage—several hours
  • Mitigations
    • Cloud providers invest heavily in DDOS prevention
    • Third party appliances that detect and divert traffic
    • We do this for our clients too
    • Large-scale DDOS, doesn’t catch smaller things
  • Geo-available cloud providers can provide resiliency
  • Azure
    • DDOS prevention
    • Geo-regions for failover

#5 – Insecure Interfaces and APIs

  • Cloud is new and rapidly evolving, so lots of new API surface
  • CSA – one of the biggest risks
  • Examples
    • Weak TLS crypto – DiagnosticMonitor.AllowInsecure….
    • Incomplete verification of encrypted content
  • Bottom line
    • Cloud providers must follow SDL
    • Customers should validate API behavior

#4 – Account or Service Traffic Hijacking

  • Account hijacking: unauthorized access to an account
  • Possible vectors
    • Weak passwords
    • Stolen passwords (e.g. Target breach)
    • Then you find that people use same password everywhere; so attacker can use on other services
  • Not specific to cloud
    • Cloud use may result in unmanaged credentials
    • Developers are provisioning apps, hard-coding passwords, publishing them
    • Lockboxes, “secret stores”
    • Back door—someone in DevOps gets phished, then brute force
  • Mitigations
    • Turned off unneeded endpoints
    • Strong passwords
    • Multifactor authentication
      • Entire world moving to multifactor
    • Breach detection
  • Azure
    • Anti-malware
    • IP ACLs (with static IP addresses)
    • Point-to-Site, Site-to-Site, ExpressRoute
    • Azure Active Directory MFA

#3 – Data Loss

  • Ways to lose data
    • Customer accidentally deletes data
    • Attacker deletes or modifies it
    • Cloud provider accidentally deletes or modifies it
    • Natural disaster
  • Mitigations
    • Customer: do point-in-time backups
    • Customer: geo-redundant storage
    • Cloud provider: deleted resource tombstoning
      • Can’t permanently delete
      • 90 days
  • Azure
    • Globally Replicated Storage
    • VM Capture
    • Storage snapshots
    • Azure Site Replica

#2 – Data Breaches

  • Represents collection of threats
  • Most important asset of company is the data

#2 – Data Breaches: Physical Attacks on Media

  • Threat: Attacker has physical access to data/disk
  • Mitigation: cloud provider physical controls
    • To get in data center, gate with guards
    • To get into room with servers, biometric controls
    • Disk leaving data center—very strict controls
    • Data scrubbing and certificate
    • SSDs never leave data center, because it’s so hard to scrub it
    • HDDs are scrubbed
  • Enhanced mitigations
    • Third-party certifications (e.g. FedRamp)
    • Encryption at rest
  • Azure: third-party encryption

Encryption at rest

  • Two types
    • Cloud provider has keys
    • Customer has keys
  • When you have keys, you’re also giving keys to cloud to decrypt

#2 – Data Breaches: Physical Attacks on Data Transfer

  • Man-in-the-middle
  • Mitigation
    • Encrypt data between data centers
    • APIs use TLS
    • Customer uses TLS
    • Customer encrypts outside of cloud

#2 – Data Breaches: Side-Channel Attacks

  • Threat: Collocated attacker can infer secrets from processor side-effects
  • Snooping on processor that they’re co-located on
  • Researcher assumptions (but unlikely)
    • Attacker knows crypto code customer is using and key strength
    • Attacker can collocate on same server
    • Attacker shares same core as you
    • Customer VM continuously executes crypto code
  • Not very likely
  • Bottom line
    • Not currently a risk, in practice

#2 – Data Breaches: Logical Attack on Storage

  • Threat: attacker gains logical access to data
  • Mitigations
    • Defense-in-depth prevention
    • Monitoring/auditing
  • Encryption-at-rest not a significant mitigation
    • If they can breach logical access, they can maybe get keys too
    • The keys are there in the cloud
    • Encrypt-at-rest isn’t based on real threat modeling

#2 – Data Breaches: Bottom Line

  • Media breach not significant risk
  • Network breach is risk
  • Logical breach is a risk
    • Encrypt-at-rest doesn’t buy much

#1 – Self—Awareness

  • E.g. Skynet
  • People are actually worried about this

TechEd NA 2014 – Data Privacy and Protection in the Cloud

TechEd North America 2014, Houston
Data Privacy and Protection in the Cloud– A.J. Schwab, Jules Cohen, Sarah Fender

Day 2, 13 May 2014, 10:15AM-11:30AM (OFC-B233)

Disclaimer: This post contains my own thoughts and notes based on attending TechEd North America 2014 presentations. Some content maps directly to what was originally presented. Other content is paraphrased or represents my own thoughts and opinions and should not be construed as reflecting the opinion of either Microsoft, the presenters or the speakers.

Executive Summary—Sean’s takeaways

  • The issue of Trust is important whenever you talk about moving data to cloud
    • Need to convince users that data will be secure, private
  • Data Privacy is key goal for Microsoft
  • Lots of tools for controlling access to data, e.g. identity management
  • Security at many layers, e.g. physical, network, etc.
    • Microsoft pours lots of resources into security for the layers that they control

Full video

Jules Cohen – Trustworthy Computing group, Microsoft

Three major buckets, when thinking about moving data to the cloud

  • Innovation properties – will cloud let me do what I want?
  • Economics – what is TCO?
  • Trust

First two buckets are relatively un-complicated

  • Trust – harder to evaluate, more visceral
  • Privacy and data protection are part of trust


  • Microsoft has made significant investments
  • If you already trust the cloud, we’re going to improve level of trust

Changing Data Protection concerns to opportunities

  • You already trust people within your organization
  • In cloud world, some of these functions move off premises
  • Ref: Barriers to Cloud Adoption study, ComScore, Sept-2013
    • 60% – security is barrier to cloud adoption
    • 45% – concerned about data protection (privacy)


  • Can’t have privacy without security
  • Security is a pre-req
    • Do the right people have access to the data?
  • Once data is in the right hands, we can talk about privacy
    • Do people who have access to data use it for the right things?

Perceptions after migration to cloud

  • 94% – said they experienced security that they didn’t have on-premise
  • 62% – said privacy protection increased after moving to cloud

Microsoft’s approach to data protection

  • 1 – Design for privacy
    • Corporate privacy policies, disclosures
    • Trustworthy Computing formed in 2002, after memo from Bill Gates—privacy, security, reliability
  • 2 – Built-in features
    • Customers can use these features to protect their data
  • 3 – Protect data in operations
    • Operating services – Microsoft committed to data protection in service operations
    • Microsoft complies with various standards, help customers comply with those standards
  • 4 – Provide transparency and choice

Privacy governance – Program

  • Design for Privacy
  • People – Employee several hundred people focused on privacy
  • Process
    • Internal standards
    • Rules maintained by Trustworthy Computing
  • Technology
    • Use tools to support people and processes
    • Look for vulnerabilities

Privacy government – Commitments

  • Microsoft services meet highest standards in EU (Article 29)
  • First (and only) service provider to get this approval

Sarah Fender – Director of Product Marketing, Windows Azure, Microsoft – Built-in Features

Data Protections in Azure

  • Data location – can choose to run in a single region, or multiple regions
  • Redundancy & Backup
    • 3 copies of data, within region
    • Can also do geo-redundant storage, to different region
    • E.g. Create new storage account, pick region
  • Manage identities and access to cloud applications
    • Centrally manage user accounts in cloud
    • Enable single sign-on across Microsoft online service and other cloud applications
    • Extend/synchronize on-premise to cloud – Active Directory synching to Azure
  • Monitor and protect access to enterprise apps
    • Passwords stored in encrypted hashes
    • Security reporting that tracks inconsistent access patterns – e.g. user accessing service from distant geo-locations
    • Step up to Multi-Factor Authentication – e.g. text message or e-mail with secret code

Data encryption

  • VMs – encrypted disk using BitLocker
  • Can encrypt data at rest
  • Applications – RMS SDK
  • Storage – .NET Crypto, BitLocker (import/export), StorSimple w/AES 256

Data protections in Office 365

  • Encrypt data in motion and also at rest

A.J. Schwab – Senior Privacy Architect, Office 365, Microsoft – Protect Data in Operations

Value proposition of running in cloud

  • Less work—patching, reacting to problems

Defense in depth strategy

  • Physical
    • Who comes into facility?
    • What media goes in/out?
    • If bad guy can stand in front of your computer, it’s not your computer anymore
  • Network
    • Looking for anomalous traffic
    • Packet penetration testing
    • Watching logs
  • Identity & Access Management
    • Internal Microsoft authentication policies for internal staff
    • Know who people are and who gets access from within Microsoft
    • Just-in-time access – when someone wants access to customer information, it’s an exception
  • Host Security
    • Patching, managing OS on host
  • Application
    • Make sure that application is running in secure configuration
  • Data
    • “Data is everything” – data is money
    • Big part of the focus, protesting the data
  • 24x7x365 incident response

Cloud security must be equal or better to on-premise

Protect data in operations

  • Data isolation
    • Very important to customers
    • Only privileged user has access to data
  • Limited Access
    • MFA for service access
    • Auditing of operator access/actions
    • Zero standing permissions in the service
    • Automatic Microsoft staff account deletion
      • To make sure that things follow policies, everything is automated
    • Staff background checks, training
      • Can Microsoft trust the people that it hires?

Approach to Compliance

  • Industry standards and regulations
  • Controls Framework & Predictable audit schedule
  • Certification and Attestations

Customer Stories – Kindred Healthcare

  • Background
    • Big healthcare provider
    • Mobile service, ensure data privacy
  • Solution
    • Office 365 Exchange, SharePoint, Lync
    • Met security and privacy needs

Shared Protection Responsibility

  • IaaS – cloud customer has most of the responsibility
  • SaaS – cloud provider assume many of the responsibilities

Provide transparency and choice

  • Trust Center web page – for Office 365, and for Azure
  • Lots of documentation online


  • 1 – Design for privacy
  • 2 – Built-in features
  • 3 – Protect data in operations
  • 4 – Provide transparency and choice

Questions and Answers

Q: Sharepoint, is data encrypted while data is at rest? Is BitLocker available? Or third-party products?

  • Microsoft has committed to goal of having all data in transit and all data at rest is encrypted
  • By the end of 2014, Sharepoint data at rest will be fully encrypted
  • But law enforcement has generally been satisfied with current security and privacy policies

Q: What tools do you have to assist attorneys?

  • See materials in the Trust Center
  • Microsoft constantly talking to lawyers, to stay on top of current regulations
  • So probably collateral materials that are required are there
  • We do have Controls Framework that maps what Microsoft does and maps it to specific regulatory requirements
  • Thinking about how to package this up and present it for customers

Q: How to evaluate tools based on legal requirements?

  • We (Microsoft) can’t give you (customer) legal advice. But we can show you how tools map to particular requirements
  • Can do this in the context of certain verticals, e.g. Banking

If you have questions, stop by the Security & Compliance station in the Azure booth

TechEd NA 2014 – Microsoft Azure Security and Compliance Overview

TechEd North America 2014, Houston
Microsoft Azure Security and Compliance Overview– Lori Woehler

Day 2, 13 May 2014, 8:30AM-9:45AM (DCIM-B221)

Disclaimer: This post contains my own thoughts and notes based on attending TechEd North America 2014 presentations. Some content maps directly to what was originally presented. Other content is paraphrased or represents my own thoughts and opinions and should not be construed as reflecting the opinion of either Microsoft, the presenters or the speakers.

Executive Summary—Sean’s takeaways

  • Microsoft has done a lot of work to support various security standards
    • In some cases, you can use their documents as part of your own demonstration of compliance
  • Data can be more secure in cloud, given the attention payed to security
  • Customer has greater responsibilities for demonstrating compliance when using IaaS (Infrastructure)
    • Fewer responsibilities when using PaaS (Platform)—just application and data
  • Potentially more compliance issues in EU and Asia, or in certain verticals (e.g. Healthcare)
  • Good compliance cheat sheet that lists typical steps to take

Full video

Lori Woehler – Principal Group Program Manager, Microsoft. CISSP, CISA
At Microsoft since 2002
On Azure team for 18 months


  • Understand how Azure security/compliance helps you to meet obligations
  • Define Azure S&C boundaries and responsibilities
  • Info on new resources and approaches

Other sessions

  • B214 Azure Architectural Patterns
  • B387 Data Protection in Microsoft Azure
  • B386 MarkRu on Cloud Computing
  • B306 Public Cloud Security

Track resources

  • Security Best Practices for enveloping Azure Solutions
  • Windows Azure Security Technical Insights
  • Audit Reports, Certifications and Attestations
    • Includes all details related to audits
    • Can just hand off the stack of paper to outside auditors

Other resources

Technology trends: driving cloud adoption

  • 70% of CIOs will embrace cloud-first in 2016
  • Benefits of cloud-first
    • Much faster to deliver solution
    • Scale instantly
    • Cheaper, e.g. $25k in cloud would cost $100k on premises

Cloud innovation

  • Pre-adoption concerns (barriers to adoption)
    • 60% – security is concern
    • 45% – worried about losing control of data
  • Security, Privacy, Compliance

Cloud innovation

  • Benefits realized
    • 94% – new security benefits
    • 62% – privacy protection increased by moving to cloud

Trustworthy foundation timeline

  • 2003 – Trustworthy Computing Initiative
  • Digital Crimes Unit
  • ISO/IEC 27001:2005
  • SOC 1
  • UK G-Cloud Level 2
  • SOC 2
  • CSA Cloud Controls Matrix
  • PCI DSS Level 1

Azure stats

  • 20+ data centers
  • Security Centers of Excellence – combat evolving threats
  • Digital Crimes Unit – legal/technical expertise, disrupt the way cybercriminals operate
    • Info on botnets
    • Bing team publishes blacklist and API to access it
  • Compliance Standards – alphabet soup of standards, audits, certs

Microsoft Azure – Unified platform for modern business

  • Four pillars
    • Compute
    • Data Services
    • App Services
    • Network Services
  • Global Physical Infrastructure

Simplified compliance

  • Information security standards
    • Microsoft interprets, understands
  • Effective controls
    • Map to controls, e.g. SOC 1 type 2, SOC 2 Type 2
    • Evaluate both design and effectiveness of controls
  • Government & industry certifications
    • Ease of audit and oversight

Security compliance strategy

  • Security goals in context of industry requirements
  • Security analytics – detect threats and respond
  • Ensure compliance for high bar of certifications and accreditations
  • Continual monitoring, test, audit

Certifications and Programs

  • Slide shows summary of various certifications
  • ISO/IEC 27001 – broadly accepted outside U.S.
    • Now supporting “Revision 3” under 27001
  • SOC 1, SOC2 – for customers who need financial reporting
    • Five different areas: Security, Privacy, Confidentiality, Integrity, Availability
    • SSAE 16 / ISAE 3402 – accounting standard
  • For IaaS, compliance information is more detailed
  • Increasing focus on government certification and attestation

Contractual commitments

  • EU Data Privacy approval
    • Only Microsoft approved from EU Article 29
  • Broad contractual scope
    • Contractual commitments for HIPAA et al

Shared responsibility

  • Where is customer responsible, vs. Microsoft
  • Customer
    • Manages control of data in PaaS
    • Going with PaaS reduces customer responsibility to just Applications and Data
    • Under PaaS, no customer responsibility for Runtime, Middleware, O/S
  • SaaS – no customer responsibility

PaaS Customers – important things to know

Paas Customer Responsibilities

  • Access Control – define security groups and security set
    • Logs to demonstrate that access is due to customer granted permission
  • Data Protection
    • Geo-location – be careful about setting yourself up for potential non-compliance
      • There are obligations in Europe and Asia
      • You can check for access from outside your geo-location boundaries; then potentially restrict access
    • Data Classification and Handling
      • Deciding what data should go up to the cloud
      • Microsoft has published guides to classifying data (schemas)
      • Cloud Controls Matrix – show where you have programmatic obligation
    • Privacy and Data Regulatory Compliance
  • Logging & Monitoring Access and Data Protection
  • ISMS Programmatic Controls
  • Certifications, Accreditations and Audits
    • Can I just use Microsoft’s audit results are our own? No

IaaS Customer Responsibilities

  • Application Security & SDL (Security Development Lifecycle)
    • Can test outside of protection
    • Role segregation, between operations and development
    • E.g. rely on TFS to show process and evidence
  • Access Control – identity management
    • Start with access control to Azure environment itself
    • Then also access control to guest Oss (or SQL Server)
    • Auditors will focus on timing of provisioning/de-provisioning (e.g. remove user when they leave company)
  • Data Protection
    • Microsoft demonstrates that data in your environment is not exposed to other customers
    • Focuses on HyperV when testing
  • O/S Baselines, Patching, AV, Vulnerability Scanning
    • Standard build image in Azure, patched to most recent security update
    • Customers should adopt standard patching cadence; matching your on-premise infrastructure
    • Configuration and management of SSL settings is responsibility of customer
  • Penetration Testing
  • Logging, Monitoring, Incident Response
    • Microsoft has limited ability to access your logs and VM images
  • ISMS Programmatic Controls
    • Impact of documentation of Standard Operating Procedures—quite cumbersome
    • Can start by taking dependency on Azure, in documents that Microsoft have already generated
    • But this doesn’t go all of the way
  • Certifications, Accreditations & Audits
    • Auditors shouldn’t re-test customers in the areas that Azure already covers
    • Documentation that Azure provides should be enough
    • White papers in trust center describe how to leverage Microsoft stuff

Compliance cheat sheet

  • Identify your obligations/responsibilities
    • E.g. contractual
  • Adopt Standard Control Set
    • List of the rules, ties into policies
  • Establish policies and standards
    • “Your plan is your shield”
    • Criteria against which external auditors will evaluate your environment
    • Don’t try to be too broad, trying to cover every possible audit—auditor will apply their own judgment
    • Set level of detail listing deliverable and schedule for deliverable
    • Then you just demonstrate that you’ve met the policies that you’ve set
  • Document system(s) in scope
    • Challenging, if you haven’t implement an asset inventory mechanism
    • Auditors will want to see all assets—physical and virtual (e.g. user accounts, etc).
    • A significant amount of work
    • Log when systems come online and offline (into or out of production)
  • Develop narratives for each control
    • Written description of how a control executes
    • Ties back to specs for systems
    • Auditors will look at spec and then test plan
  • Test control design & execution
  • Identify exceptions and issues
    • No such thing as perfect
    • Document decisions made
    • “Qualified report” – auditor’s report that says that vendor is only partly compliant
  • Determine risk exposure
    • “Transferring risk” to third party—sometimes reduces your risks, sometimes increases your risks
    • Understand both costs and risks
    • Story of Singapore government, including keystroke loggers and video cameras, plus person observing live data feed (for traders using financial service)
  • Define remediation goals and plans
  • Monitor the system
    • And demonstrate to 3rd party that your controls are behaving as expected
  • Report on compliance status
    • Not just reporting for checklist

More detailed cheat sheet

Most Frequently Asked Questions

  • PCI Compliant? – no
  • Can xyz audit Azure? – no
  • Can we have your pen test reports? –
  • Will you fill out this 500 question survey? –
  • Kicked out of the room at this point

TechEd NA 2014 – The Future of Microsoft Azure DevOps: Building, Deploying, Managing, and Monitoring Your Cloud Applications in the New Azure Portal

TechEd North America 2014, Houston
The Future of Microsoft Azure DevOps: Building, Deploying, Managing, and Monitoring Your Cloud Applications in the New Azure Portal – Chandrika Shankarnarayan, Bradley Millington

Day 1, 12 May 2014, 4:45PM-6:00PM (DCIM-B223)

Disclaimer: This post contains my own thoughts and notes based on attending TechEd North America 2014 presentations. Some content maps directly to what was originally presented. Other content is paraphrased or represents my own thoughts and opinions and should not be construed as reflecting the opinion of either Microsoft, the presenters or the speakers.

Executive Summary—Sean’s takeaways

  • Gradually doing migration of old portal features to new portal
  • New portal organization much better, information organized based on what you need to see
  • Tight integration with Visual Studio Online
    • VSO will eventually go away, as it’s subsumed into Azure portal
  • With VSO integration, Azure portal includes lots of ALM stuff
  • Diagnostics on web sites now a bit easier, with streaming logs, etc.

Full video

Chandrika Shankarnarayan – Principal Program Manager Lead, Microsoft


  • Icebreaker –
  • DevOps lifecycle
  • Resource Manager
  • Demos
    • New portal, new concepts
    • Using VSO to manage dev lifecycle
    • Operating a running app

Microsoft Azure

  • IaaS, PaaS
  • IaaS – VMs, Storage, Networking, CDN
  • PaaS – Web, Mobile, Identity, Data, Analystics, Integration, Media, Gaming

DevOps Basics

  • Developers
  • Code Repository
  • Build
  • Test
  • Deploy to Cloud
  • Monitor and Improve

Consistent Management Layer

  • Tools – Azure + Command Line + Visual Studio
  • Consistent Service Management API
  • Resource Manager – compose application of multiple resources, on-premise and in cloud
  • Resource provider contract

What does it all mean?

  • Application Lifecycle Container
    • Deply/manage application as you see fit
  • Declarative solution for Deployment and Configuration
    • Single-click deployment of multiple instantiations of your application
  • Consistent Management Layer
    • Same experience whether from portal, command line, or tools


  • Gallery – one-stop for all Azure services, Microsoft or third-party
  • Website + SQL – composite
    • Resource Group – set of services
    • Website configuration
      • Very nice summary of web hosting plan features
      • Lots more tiers
      • E.g. Standard Small
    • Database configuration
      • Can use existing database
  • Create Team Project
    • Name
    • Git for source code control
    • Account – Visual Studio Online
  • Portal overview
    • Can customize the portal
    • Can change size of various things
    • Can unpin tiles from portal
  • Hubs concept
    • Notifications – all of your operations (including API stuff)
    • Billing – lists your accounts – single place to show pricing stuff
      • Burn rate for the month
      • Cost breakdown, based on resource
      • Manage Admins from Billing
  • Open Team Project
    • Add User for Team Project – autocomplete if user is in AAD tenant

Bradley Millington – Principal Program Manager, Microsoft

Browse Team projects

  • Can pin to dashboard
  • Can find web site and pin to start

Drilling into Team Project

  • Summary lens – overview of resource
  • Quick start – some quick docs on what you can do
  • Properties – basic props
  • Code lens
    • Source repository (TFS or Git)
  • Build lens
    • Build definitions that trigger builds
  • Work lens
    • Backlog and work items
  • Users lens – manage users

Adding code to repository

  • Get clone URL
  • Command line, “git remote add ..” and then “git push ..”
  • Back on portal, code shows up – all the git commit history is still there
    • Commits – properties, diffs, etc.
  • Can browse source code

Continuous deployment between project and the web site

  • Can browse from project and look for web site
  • Deployment slots
    • Add Slot
    • Name
  • Slot is just another web site
  • In web site, “set up continuous deployment”
  • Choose source – e.g. Visual Studio Online
  • Choose project
  • Choose branch

This created a Build definition

  • Every time you check-in code, it builds (and deploys?)
  • Resource map shows master web site and staging deployment
  • Drill into build – can look at log files, build results
  • Same build info that you’d see in Visual Studio

Create work items

  • Can just type items and press RETURN
  • Can set properties on work items


  • Projects backed by Azure Active Directory – so you can really control who gets access
  • When yo uadd user to project, they are added to a VSO account
  • VSO – unlimited number of private projects
  • But 5 free basic users

Scaling of Visual Studio Online account

  • Users, paid services, etc. – through VSO portal

Build definition

  • Can see deployment

Can look at staging site

  • Click Swap to swap it to production
  • “Swapping website slots”

Look at Azure portal from perspective of developer that’s been using it for a while

  • Can click on Build Definition and look at various builds
  • Drill into build that failed – look at details
  • Can see compilation problem, get specific error in solution
  • Can even edit code (errors not yet highlighted)
  • Can then make code changes directly in repository

Or you might see that compilation worked, but tests failed

Visual Studio integration

  • Can open up solution, look at build results
  • Can fix, then queue new build

Chandrika back again

Day 100 in life of Ops person

  • Look at Resource Group
    • Can contain web sites
    • Show costs for this resource group
  • Pick website
    • Website, SQL database, and associated project


  • Graph of HTTP requests
  • Edit query (for graph)
    • Add other metrics, change to “Past Hour”
  • No 404 errors
  • Can set up Alert, track errors, e.g. 404

Client-side analytics

  • Mobile device type
  • Browser types
  • Can look at page load time, by page

Configuration – code snippet

  • Just Javascript snippet that you inject into application

Webtest – can ping application from various geographic locations

  • For a test, look at average response time, failures, etc.

Can also look at server that you’re hosting on

  • CPU percentage for a given day

Can set up Autoscale

  • By default, you have a single metric – e.g. CPU percentage
  • One Key metric to look at, to see if you need to scale, is HTTP Queue Length


  • Can customize metrics and graphs
  • E.g. CPU usage, Memory, and HTTP queue length
  • Easy to customize

Troubleshooting – Events

  • Azure records every operation that you make in portal
  • E.g. Scale Up / Down (e.g. from Autoscale)
  • Can drill into these events and look at specific properties


  • Can set up alert rules for any metrics
  • E.g. CPU Percentage
  • Specify threshold, condition, period
  • Can do E-mail, SMS

Streaming Logs – real-time for troubleshooting

  • Diagnostics logs – can configure
  • Can see stuff hitting site in real-time

Console connection to web site


  • Can’t define in new portal yet – use old portal
  • Sometimes gaps between current portal and new portal

Traffic Manager

  • Support for hybrid connections
  • Can set up in portal
  • Create or use existing
  • Also available for Mobile Services


  • Azure Portal Preview + Resource Manager
    • Enterprise grade
    • Bridges islands of experiences
    • Simple, best in class
    • Consistent
    • Customizable
    • Enable discovery, cross-sell and up sell of services
    • Provide ecosystem for internal and externa partners



Q: Merging Visual Studio Online and Azure Portal?

  • Yes gradually moving stuff to Azure Portal. But no real roadmap for how this will work

Q: On current portal, timeline of preview portal?

  • New portal available in “preview”, not full functionality yet. Will continue to obring more and more services into Preview portal. “Over a period of time”. And data consistency between two portals

Q: Features available in on-premise platform? (Windows Azure Pack)

  • All this work will transition to Azure Pack. But timeframe is TBD

Q: Application insights – can you bring info from on-premises instances?

  • Yes, goal to be agnostic w/respect to cloud/on-prem. So eventually, yes.

Q: Plan for role-based stuff?

  • Resouce Manager integrated with AD, so we’re set up for it. So a possible future ability – define Users/Roles

Q: Analytics – what about perspective for business/marketing people?

  • We have some of those scenarios, e.g. in Office 365. Will definitely bring some of those scenarios into this portal. So yes, the experience would be in this same portal. Also looking at dashboards that you customize for certain roles, “custom dashboards” target at specific role, e.g. Marketing.

Q: Where are the metrics coming from (e.g. 404)

  • Yes, coming directly from web site back-end (Performance Counter)

Q: Continuous deployment options? ??

  • A function of team management features and dashboards targeted at specific groups in team

Q: Additional step to continuously deploy into production?

  • Swap to move to production. More likely, you’d have bigger resource group and you want to move a number of items from staging to production. Maybe pull some features from Visual Studio. Also, you can use API layer in Resource Manager to do something like run scripts that do cloning and deployment. One goal of Resource Management is to reliably replicate some of the expected scenarios.

Q: Integration of package management system, e.g. NuGet?

  • Great idea, but can’t speak to specific plans.

TechEd NA 2014 – Building Highly Available and Scalable Applications in Microsoft Azure

TechEd North America 2014, Houston
Building Highly Available and Scalable Applications in Microsoft Azure – Stephen Malone, Narayan Annamalai

Day 1, 12 May 2014, 1:15PM-2:30PM (DEV-B311)

Disclaimer: This post contains my own thoughts and notes based on attending TechEd North America 2014 presentations. Some content maps directly to what was originally presented. Other content is paraphrased or represents my own thoughts and opinions and should not be construed as reflecting the opinion of either Microsoft, the presenters or the speakers.

Executive Summary—Sean’s takeaways

  • Azure Traffic Manager
    • Routes to appropriate region, depending on where user is located
    • Automatic failover, if region goes down
    • Configure things using Powershell
    • Can now include non-Azure endpoints in policy
  • Use PaaS when you can, IaaS when you have to
  • Lots of flexibility when creating/configuring virtual networks

Full video

Stephen Malone – Program Manager, Microsoft

Why Microsoft / Azure

  • Global footprint

Azure Network Stack

  • Network is glue that binds everything together for scale
  • Main building blocks that allow you to build scalable, secure services
  • Layers: Network services, Core SDN etc.


Azure Traffic Manager

  • Intelligent customer routing
  • Load balancing policies (profile types)
    • Performance – Direct user to closest service (based on latency)
    • Round-robin – Distribute equally
    • Failover – Direct to backup service if primary fails (also happens with other policies)

Automated failure detection and re-direction

  • Users hit servers in their own region
  • Service health monitoring
    • If something stops responding
    • Azure Traffic Manager automatically detects and re-routes user to “next best” service


How Azure Traffic Manager work?

  • DNS based global traffic management
  • Traffic Manager profile created with name, routing policy, and health monitoring configuration
  • Your domain name
  • CNAME to
  • Load-balancing, endpoint monitoring
  • Service instances (endpoints) added to Traffic Manager …


How it works

  • DNS look for web site you need
  • Name server for your name indicates that it’s CNAME
  • Hits DNS Server for traffic manager, with Policy Engine
  • Then to Traffic Manager

E.g. If there are three sites

  • Traffic Manager makes use of your particular policy (e.g. pick nearest service)
  • Then site picked and IP returned to client


New support for External Endpoints

  • Now support for non-Azure endpoints for all traffic manager policies
  • Full support for
    • Automated monitoring
    • Failure detection
    • End-user re-direction
  • Include endpoints from different Azure subscriptions in the same policy
  • Add redundancy for your on-premises service using Azure Traffic Manager
    • Great way to try out Azure – as backup
  • Include on-premises endpoints as scale units to achieve greater scale
    • Or as additional geo locations to improve performance for your end users
  • Enables burst to cloud scenarios transparently to end-user
    • Also can auto scale up within a region

Demo – External Endpoints

  • Create a new profile in Powershell
  • Then add endpoint to profile (e.g. U.S.)
  • Different domain name (e.g. or
  • Then show adding an external endpoint

Narayan Annamalai – Senior Program Manager, Azure

  • Will talk about how we can help you to scale

Build to scale

  • Regional Virtual Networks
    • Really picking up now

Virtual Network

  • Logical isolation with control over network
  • Create subnets with your private IP addresses
  • Stable and persistent private IP addresses
  • Bring your own DNS
  • Use Azure-provided DNS
    • VMs can register themselves with this DNS
  • Secure VMs with input endpoint ACLs

Typical multi-tier services

  • Composed of various services
  • They are interconnected, certain services having to talk to certain others


How you use

  • You can pick IP addresses for your VMs, within a virtual subnet that you create

Isolated and connected

  • Internet portal into one public IP
  • Then customer virtual network that acts as a private network
  • “Isolated private channel”
  • Use PaaS when you can; use IaaS when you have to
  • PaaS gives you some additional services (like auto-scaling)
  • All of these services can be part of the same virtual network
    • Brings IaaS and PaaS together

Regional scope

  • VNET spans to an entire region
  • Fully connected private and isolated network across datacenters
  • New services requiring specific SKUs A8, A9 can be added to same VNet –
    • Seamless expansion
  • Previously, VNet had to be within a single scale unit
  • Now, VNet can include multiple SKUs (in terms of scale)

Inter connected VNets

  • VNets can be connected thru secure Azure gateways
  • VNets can be in different subscriptions
  • VNets in same or across regions can be connected

Connecting to Multiple Sites

  • Multiple site-to-site connections
  • Multiple on-premises sites connect to same VNet
  • Sites may be geographically dispersed

Public facing Services

  • Every cloud service given public IP address (VIP) from Azure’s pool of address
  • Virtual machines, Web/Worker roles in cloud service can be accessed thru VIP using endpoints
  • Azure provides load balancing at no charge

Create endpoints

  • E.g. open port 80, run two instances behind it

Public Endpoint Access Control Lists

  • Can whitelist IPs, subnets, etc.
  • Can allow or deny various IPs

Internal load balancing (preview)

  • Load balancing between VMs w/o public facing endpoints
  • Two flavors
    • Private load balancing within cloud service
    • Or within VNet
  • Multi-tier applications with internal facing tiers require load balancing
    • Middle tier, DB backend not exposed to Internet
    • Load-balanced endpoints exposed only to CorpNet
    • Sharepoint, LOB Apps

Scenario – LOB Apps

  • Private, Sharepoint accessible from other VNets

IP reservation

  • Today, you get VIP assigned by Azure
  • When you re-deploy, you get different IP
  • Now, IP reservation
    • Reserve public IP addresses
    • Customers can own IP addresses and assign them to cloud services
    • Reserved IP can be used on any cloud service on the region
    • Current IP address on existing service can be reserved as well
    • Reserved IPs are customers to keep
  • Why do you need it?
    • Your service might talk to an external service that needs to be configured to whitelist your service
    • So your IP needs to remain static so that whitelist still works

Instance level public IPs (Preview)

  • Today, every cloud service gets VIP assigned by Azure
  • You must map from public VIP to port on VM for internal server
  • Now – Instance-level Public IPs
    • Assign public IPs to VMs
    • Direct reachability to VM, no endpoint required
    • Public IP used as the outgoing IP address
    • Enables scenarios like FTP services, external monitoring, etc.

Demo – Create VNet, etc.

  • Powershell very powerful when doing things on Azure
  • Some functions not available yet on portal, must use Powershell
  • Start with: Get-AzurePublishSettingsFile
  • Set-AzureVNetConfig
  • Reserve IP
    • New-AzureReservedIP, define by name
    • Then Get-AzureReservedIP – by name
  • Creating specific web sites (VMs)
  • Create VM on a specific Vmnet