Time
8 hours 33 minutes
Difficulty
Intermediate
CEU/CPE
9

Video Transcription

00:00
Hello, Cybrarians. Welcome to this lesson on App Service security.
00:05
This lesson is part of the fifth module of the AZ-500 Microsoft Azure Security Technologies course.
00:13
Some quick information on what we'll be covering in this lesson.
00:17
We'll start with an overview of Azure App Service.
00:20
We'll then discuss best practices like disabling insecure protocols,
00:25
implementing client authentication and authorization, application secret management, and network security.
00:33
Let's get into this.
00:35
So let's review some of the main points about App Service.
00:40
First, it's a managed service for hosting web applications, API applications, and mobile back ends in Azure,
00:48
and by managed, we mean that we don't have to worry about operating system maintenance; that is taken care of for us by the platform, and it's done in a way that is transparent to us.
01:00
With App Service, we have the option of hosting our apps as code or as containers.
01:07
We also have flexibility in options to deploy our applications:
01:12
we can deploy directly from GitHub, Azure Repos, Bitbucket, OneDrive, Dropbox, or even using FTP.
01:22
Here are some security best practices for Azure App Service.
01:26
First, disable insecure protocols.
01:30
Second, configure client authentication and authorization.
01:34
Third, implement secrets management, and fourth,
01:38
implement network security. Let's look at these best practices in more detail.
01:46
It's a best practice to disable unencrypted connections and insecure TLS protocols. So the first point here is to disable HTTP,
01:55
and App Service makes this easy by providing a turnkey option that we can use to enforce HTTPS. This way, unsecured requests are turned away before they even reach our application code.
02:09
We can also enforce only secure TLS versions.
02:15
TLS 1.0 is no longer considered secure by industry standards;
02:20
App Service has a configuration option to disable this.
02:24
We should also look to disable FTP.
02:29
App Service supports both FTP and FTPS for code deployment, and if we're using this method, we should be using FTPS instead of FTP,
02:40
or better still, if we're not using this method, we can disable both protocols.
02:47
When it comes to client authentication,
02:50
we can implement our own authentication and authorization solution, or we can allow App Service to do this for us. We can offload that task to App Service.
03:00
App Service supports a module called the Easy Auth module,
03:06
which handles web requests before handing them off to our application code, as you can see in the diagram on the screen,
03:13
and this way, the module can authenticate requests and deny unauthorized requests before they even reach our code.
03:22
The module also supports multiple identity providers like Azure AD, Microsoft Account, Facebook, Google, and Twitter.
03:30
When we get to application secrets like database connection strings, API tokens, and private keys, it's not good practice to store them in code.
03:40
Rather than doing that, what we want to do is store them in Azure Key Vault and then reference them in the App Service configuration settings.
03:52
Here's an example of a secret reference in Key Vault,
03:55
and here's an alternative method to reference the same secret in Key Vault.
04:01
When we get to network security, we can implement something called static IP restrictions, which is essentially an allow list of IP addresses.
04:13
By default, App Service accepts requests from all IP addresses on the Internet,
04:19
but we can limit this access to a small subset of IP addresses if we so choose.
04:25
That depends on our application use case
04:29
If we have a requirement to implement network isolation, we can use the Isolated pricing tier of App Service to achieve this.
04:38
This gives complete network isolation by running our applications inside a dedicated App Service Environment, and it runs these in a private virtual network.
04:49
Other tiers of App Service run our applications on shared network infrastructure,
04:57
and what that means is that resources like public IP addresses and front-end load balancers are shared with other tenants. So if we do not want this, we can use the Isolated tier.
05:10
We can also use a web application firewall to protect applications against common web application threats like SQL injection and cross-site scripting.
05:19
We have two main options for a web application firewall in Azure:
05:24
we have Application Gateway plus WAF, which we can use to implement a WAF from a regional perspective,
05:30
and we have Azure Front Door plus WAF, which we can use to implement a WAF from a global perspective.
05:36
Here are some supplementary links for further study on the topics covered in this lesson,
05:43
and here's a summary of what we covered.
05:45
We started with an overview of Azure App Service, and we then discussed best practices like disabling insecure protocols,
05:53
implementing client authentication and authorization
05:56
application secret management, and network security.
06:00
Thanks very much for watching, and I'll see you in the next lesson.
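The hardening steps the lesson walks through (HTTPS only, a minimum TLS version, FTPS only or FTP disabled, an IP allow list, and Key Vault references instead of inline secrets) are worth checking by script rather than by eye. The following is an added example, not code from the lesson or from Microsoft: a small Python audit over a site description whose property names follow the Microsoft.Web/sites resource (httpsOnly, siteConfig.minTlsVersion, siteConfig.ftpsState, siteConfig.ipSecurityRestrictions). The appSettings map, the two sample sites, the vault name contoso-kv and the secret names are constructed for illustration; the two Key Vault reference syntaxes recognised are the documented SecretUri and VaultName/SecretName forms, and the regular expressions that match them are my own.

```python
"""Audit an Azure App Service site description against the best practices
from the lesson. Property names follow the Microsoft.Web/sites resource;
the sample sites at the bottom are constructed, not real resources."""

import re
from typing import Dict, List

# The two documented Key Vault reference syntaxes for app settings.
# Regexes are an assumption of this example, not Microsoft's parser.
_KV_SECRET_URI = re.compile(
    r"^@Microsoft\.KeyVault\(SecretUri=https://[^/;)]+\.vault\.azure\.net"
    r"/secrets/[^/;)]+(/[0-9a-f]{32})?/?\)$"
)
_KV_VAULT_NAME = re.compile(
    r"^@Microsoft\.KeyVault\(VaultName=[^;)]+;SecretName=[^;)]+"
    r"(;SecretVersion=[0-9a-f]{32})?\)$"
)

# Setting names that usually hold material belonging in Key Vault.
SECRET_LIKE = ("connectionstring", "password", "secret", "token", "apikey", "privatekey")


def is_key_vault_reference(value: str) -> bool:
    """True if an app setting value is a @Microsoft.KeyVault(...) reference."""
    return bool(_KV_SECRET_URI.match(value) or _KV_VAULT_NAME.match(value))


def audit_site(site: Dict) -> List[str]:
    """Return one finding per best practice the site fails; empty if clean."""
    findings: List[str] = []
    cfg = site.get("siteConfig", {})

    # 1. Reject plain HTTP at the front end (httpsOnly defaults to false).
    if not site.get("httpsOnly", False):
        findings.append("HTTP allowed: set httpsOnly=true so unencrypted requests are rejected")

    # 2. Only TLS 1.2 is acceptable; 1.0 and 1.1 are deprecated.
    tls = cfg.get("minTlsVersion", "1.0")
    if tls != "1.2":
        findings.append(f"minTlsVersion is {tls}: raise it to 1.2")

    # 3. Plain FTP deployment is on by default (ftpsState=AllAllowed).
    ftps = cfg.get("ftpsState", "AllAllowed")
    if ftps == "AllAllowed":
        findings.append("plain FTP deployment enabled: set ftpsState to FtpsOnly, or Disabled if unused")

    # 4. The default rule set is a single 'Allow all' entry with ipAddress 'Any'.
    allow_rules = [
        r for r in cfg.get("ipSecurityRestrictions", [])
        if r.get("action") == "Allow" and r.get("ipAddress") != "Any"
    ]
    if not allow_rules:
        findings.append("no IP allow list: the app accepts requests from any Internet address")

    # 5. Secret-looking settings must be Key Vault references, not literals.
    for name, value in site.get("appSettings", {}).items():
        key = name.lower().replace("_", "")
        if any(k in key for k in SECRET_LIKE) and not is_key_vault_reference(value):
            findings.append(f"app setting {name} holds an inline secret: use a @Microsoft.KeyVault(...) reference")
    return findings


# Constructed sample: a freshly created app with default settings and one inline secret.
WEAK_SITE = {
    "name": "contoso-web",
    "httpsOnly": False,
    "siteConfig": {
        "minTlsVersion": "1.0",
        "ftpsState": "AllAllowed",
        "ipSecurityRestrictions": [
            {"ipAddress": "Any", "action": "Allow", "priority": 2147483647, "name": "Allow all"},
        ],
    },
    "appSettings": {
        "SqlConnectionString": "Server=tcp:db.example;User ID=app;Password=hunter2",
        "FEATURE_FLAG": "on",
    },
}

# Constructed sample: the same app after applying the lesson's best practices.
HARDENED_SITE = {
    "name": "contoso-web",
    "httpsOnly": True,
    "siteConfig": {
        "minTlsVersion": "1.2",
        "ftpsState": "Disabled",
        "ipSecurityRestrictions": [
            {"ipAddress": "203.0.113.0/24", "action": "Allow", "priority": 100, "name": "Office egress"},
            {"ipAddress": "Any", "action": "Deny", "priority": 2147483647, "name": "Deny all"},
        ],
    },
    "appSettings": {
        "SqlConnectionString": "@Microsoft.KeyVault(SecretUri=https://contoso-kv.vault.azure.net/secrets/SqlConnectionString/ec96f02080254f109c51a1f14cdb1931)",
        "ApiToken": "@Microsoft.KeyVault(VaultName=contoso-kv;SecretName=ApiToken)",
        "FEATURE_FLAG": "on",
    },
}

if __name__ == "__main__":
    for label, site in (("weak", WEAK_SITE), ("hardened", HARDENED_SITE)):
        print(f"{label}: {len(audit_site(site))} finding(s)")
        for f in audit_site(site):
            print("  -", f)
```

In practice the site dictionary would come from the ARM/REST representation of the web app (for example the JSON emitted by `az webapp show` and `az webapp config show`); the app settings are listed separately by the CLI, so they are merged here into one map for simplicity.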

Up Next

AZ-500: Microsoft Azure Security Technologies

In the AZ-500 Microsoft Azure Security Technologies training, students will learn the skills that are needed to pass the AZ-500 certification exam. All exam topics are covered as well as exam preparation strategies and hands-on practice.

Instructed By

David Okeyode
Cloud Security Architect
Instructor