Episode 333 - TLS 1.0 Deprecation

by Evan Basalik June 8, 2020

Candace Jackson, a Senior PM in the Azure Security team, gives us an update on the effort to remove the use of TLS 1.0 from applications in Azure.

Media file: https://azpodcast.blob.core.windows.net/episodes/Episode333.mp3

Resources:

Links:
https://www.microsoft.com/en-us/download/details.aspx?id=55266
https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls


Connection logging - this helps identify which cipher suites and protocols are negotiated during a successful handshake, so you can find clients still relying on TLS 1.0 before disabling it.

IIS
https://cloudblogs.microsoft.com/microsoftsecure/2017/09/07/new-iis-functionality-to-help-identify-weak-tls-usage/

Nginx
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables
https://serverfault.com/questions/620123/how-can-i-let-nginx-log-the-used-ssl-tls-protocol-and-ciphersuite

Apache
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#envvars
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#logformats

Some resource-specific documentation that shows how to configure protocol and cipher suite usage:
https://docs.microsoft.com/en-us/azure/app-service/environment/app-service-app-service-environment-custom-settings#disable-tls-10-and-tls-11
Blog: https://blogs.msdn.microsoft.com/appserviceteam/2018/04/17/app-service-and-functions-hosted-apps-can-now-update-tls-versions/
https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-tls-1112
https://docs.microsoft.com/en-us/azure/cloud-services/applications-dont-support-tls-1-2

 

Other updates:

Live Video Analytics now in public preview
Updated: June 01, 2020
Live Video Analytics (LVA) on IoT Edge is now in public preview. It is a platform to capture, record, and analyze live video and publish the results (video and/or video analytics), for you to build intelligent video applications. You can use LVA for a number of use cases across industries such as retail, healthcare, and transportation. You can bring any custom AI by plugging in video analysis edge modules, whether they are Cognitive Services containers, custom edge modules built with open source machine learning models, or custom models trained with a customer’s own data. You can also combine video analysis with other business data to make smarter business decisions.
LVA integrates with a number of Azure services (in the cloud and/or the edge), such as Stream Analytics on IoT Edge, Cognitive Services on IoT Edge, Media Services, Event Hub, and Cognitive Services.

From <https://azure.microsoft.com/en-us/updates/live-video-analytics-now-in-public-preview/>

 

 
 
CNI security vulnerability in older AKS clusters and mitigation steps
Updated: June 01, 2020
A security vulnerability has been identified in the container networking implementation (CNI) in CNI plugin versions v0.8.6 and older that may affect older AKS clusters.
Details
An AKS cluster configured to use an affected container networking implementation is susceptible to man-in-the-middle (MitM) attacks. By sending “rogue” router advertisements, a malicious container can reconfigure the host to redirect part or all of the IPv6 traffic of the host to the attacker-controlled container. Even if there was no IPv6 traffic before, if the DNS returns A (IPv4) and AAAA (IPv6) records, many HTTP libraries will try to connect via IPv6 first then fallback to IPv4, giving an opportunity to the attacker to respond.
This vulnerability has been given an initial severity of Medium with a score of 6.0.
Vulnerability analysis and verification
All AKS clusters created or upgraded with a Node Image Version later than or equal to “2019.04.24” are not vulnerable, as they set net.ipv6.conf.all.accept_ra to 0 and enforce TLS with proper certificate validation.
Clusters created or last upgraded before that date are susceptible to this vulnerability.
You can verify if your current Node Image is vulnerable by running https://aka.ms/aks/MitM-check-20200601 on a machine that has CLI access to the cluster’s nodes.
Windows nodes are not affected by this vulnerability.

From <https://azure.microsoft.com/en-us/updates/cni-security-vulnerability-in-older-aks-clusters-and-mitigation-steps/>

From //build 2020 - Azure SQL Edge (preview)
https://azure.microsoft.com/en-us/services/sql-edge/


Deploy to Azure using GitHub Actions from your favorite tools
https://azure.microsoft.com/en-us/blog/deploy-to-azure-using-github-actions-from-your-favorite-tools/

 


Filed Under: Podcast

Episode 317 - Azure Lighthouse Security

by Cale Teeter March 2, 2020
In this episode we chat with Gunnar Campo on Azure Lighthouse, which provides partners with an easy way to run managed solutions for customers and manage them via a single pane of glass. Gunnar talks through the various areas where Lighthouse helps with RBAC, scaling, and monitoring of these solutions.

Gunnar Campo

Media file: https://azpodcast.blob.core.windows.net/episodes/Episode317.mp3

Transcript: https://eus2.videoindexer.ai/accounts/e0eee289-7730-4999-978b-eb7f63be8cb5/videos/fb6da9345b/

 

Other updates:

Azure Monitor Log Analytics now has new, upgraded visualizations

From <https://azure.microsoft.com/en-us/updates/azure-monitor-log-analytics-upgraded-results-visualization/>

Fileless attack detection for Linux in preview
https://azure.microsoft.com/en-us/blog/fileless-attack-detection-for-linux-in-preview/

Burst 4K encoding on Azure Kubernetes Service
https://azure.microsoft.com/en-us/blog/burst-4k-encoding-on-azure-kubernetes-service/

A secure foundation for IoT, Azure Sphere now generally available
https://azure.microsoft.com/en-us/blog/a-secure-foundation-for-iot-azure-sphere-now-generally-available/

Preview of Active Directory authentication support on Azure Files
https://azure.microsoft.com/en-us/blog/preview-of-active-directory-for-authentication-on-azure-file/

 


Filed Under: Podcast

Episode 301 - Azure Sentinel

by Sujit D'Mello October 17, 2019

Azure Security Specialist, Sarah Young, gives us the low-down on the new Azure Sentinel service which gives you a SIEM in Azure that watches over all of your enterprise.

Sarah Young

Media file: https://azpodcast.blob.core.windows.net/episodes/Episode301.mp3

Transcript: https://eus2.videoindexer.ai/accounts/e0eee289-7730-4999-978b-eb7f63be8cb5/videos/2ad7063764/ 

https://azure.microsoft.com/en-us/services/azure-sentinel/

 

Other updates:

For the first time ever, you can register your self-installations of SQL Server on Azure Virtual Machines with Resource Provider to unlock features and functionality previously only available with our Azure Marketplace images.

Azure Kubernetes Service (AKS) managed identities integration is now available in preview. With managed identities, AKS now supports creating and using system-managed identities instead of service principals. Managed identities are essentially wrappers around service principals, making their management simpler.

From <https://azure.microsoft.com/en-us/updates/managed-identities-integration-in-azure-kubernetes-service-aks-is-now-in-preview/>

Private Preview - Azure Spring Cloud service
https://azure.microsoft.com/en-us/updates/private-preview-azure-spring-cloud-service/

New output options in Azure Stream Analytics—SQL Managed Instance and SQL Server on VM
https://azure.microsoft.com/en-us/updates/new-output-options-in-stream-analytics-managed-instance-and-sql-server-on-vm-as-output-targets-for-stream-analytics/

Measuring your return on investment of Azure as a compliance platform
https://azure.microsoft.com/en-us/blog/measuring-your-return-on-investment-of-azure-as-a-compliance-platform/


Infura Now Natively Supported in the Azure Blockchain Development Kit for Ethereum
https://blog.infura.io/infura-now-natively-supported-in-the-azure-blockchain-development-kit-for-ethereum-430fb02f1c9b
Discover, develop, and deploy smart contracts faster with Blockchain Dev Kit updates
https://cloudblogs.microsoft.com/opensource/2019/10/08/microsoft-azure-blockchain-dev-kit-updates-ethereum-devcon/
Azure Monitor adds Worker Service SDK, new ASP.NET core metrics
https://azure.microsoft.com/en-us/blog/azure-monitor-adds-worker-service-sdk-new-asp-net-core-metrics/


Filed Under: Podcast

Episode 286 - Secured Workstations

by Evan Basalik July 5, 2019

The team talks to Frank Simorjay about the importance of securing the workstations and learns why if the workstation isn’t secure, then many of the other security controls become useless.

Media file: https://azpodcast.blob.core.windows.net/episodes/Episode286.mp3

Transcript: https://eus2.videoindexer.ai/accounts/e0eee289-7730-4999-978b-eb7f63be8cb5/videos/3efd880845/?location=EUS2

Resources: https://aka.ms/securedworkstation


Filed Under: Podcast

Episode 277 - Automating Network Security

by Cynthia Kreng May 2, 2019

Microsoft Cloud Solution Architect Nills Franssens discussed a cool approach to help customers automate the network security settings in Azure to reduce errors and improve traceability of the infrastructure.

Media file: https://azpodcast.blob.core.windows.net/episodes/Episode277.mp3

Transcript: https://eus2.videoindexer.ai/accounts/e0eee289-7730-4999-978b-eb7f63be8cb5/videos/c30d2920e9/ 

Resources:

https://github.com/NillsF/NSG-CSV-to-ARM

https://www.slideshare.net/NillsFranssens/automating-network-firewall-rule-creation-using-powershell-and-cicd

 

Other updates:

Because we’re committed to delivering consistent, high performance and mission-ready solutions to Azure Government customers, we’re continually optimizing our cloud datacenter infrastructure to be more efficient and cost-effective. As part of this optimization, we’ll be retiring the Azure US Gov Iowa region on April 30, 2020, and you’ll need to migrate your resources to an alternative region to avoid service disruption. As with all changes of this type, we’re providing 12 months’ notice so you have adequate time to adjust.
We operate three additional government regions, all of which provide similar or enhanced capabilities to the US Gov Iowa region, including:
 · Access to a more comprehensive and growing portfolio of Azure services.
 · Identical comprehensive compliance and resiliency options.
 · High performance through our dedicated low-latency network.
Required action
Take these steps by April 30, 2020, to avoid disruptions to your applications and enjoy quality and feature updates:
 1. Choose from three alternate US Gov regions, located in Virginia, Texas and Arizona, for your Azure resources. We recommend the US Gov Virginia region, as it has the greatest number of available Azure services.
 2. Follow this comprehensive guidance to migrate to that region.
We encourage you to review the migration guidance at your earliest convenience and plan accordingly.


Monitoring enhancements for VMware and physical workloads protected with Azure Site Recovery
https://azure.microsoft.com/en-us/blog/monitoring-enhancements-vmware-physical-azure/

Accelerate supercomputing in the cloud with Cray ClusterStor
https://azure.microsoft.com/en-us/blog/supercomputing-in-the-cloud-announcing-three-new-cray-in-azure-offers/
Azure.Source - Volume 80
https://azure.microsoft.com/en-us/blog/azure-source-volume-80/
Serverless automation using PowerShell preview in Azure Functions
https://azure.microsoft.com/en-us/blog/serverless-automation-using-powershell-preview-in-azure-functions/

General availability: Azure Log Analytics in CENTRAL US, EAST US 2, EAST ASIA, WEST US and SOUTH CENTRAL US
https://azure.microsoft.com/en-us/updates/general-availability-azure-log-analytics-in-central-us-east-us-2-east-asia-west-us-south-central-us/


Filed Under: Podcast

Episode 210 - CPU Vulnerability

by Evan Basalik January 4, 2018

Evan talks about the hot issue of the CPU vulnerability that's been addressed by Microsoft in Windows on Azure and on-premises. He discusses the reason for the reboots of all the Azure servers and how customers can alleviate the impact of these reboots.

https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/

Media file: https://azpodcast.blob.core.windows.net/episodes/Episode210.mp3

Indexed audio: https://www.videoindexer.ai/media/3869c863fb/

 

Other updates:

Preview version 12.0.0-beta of the Azure SDK for Go is now available to help you use Azure services from Go applications. To get it, run `go get -u github.com/Azure/azure-sdk-for-go/...` or use dep.


The Azure Container Networking Interface (CNI) plug-in is now generally available for Kubernetes clusters deployed using acs-engine.
You can use the plug-in to deploy and manage your own Kubernetes cluster with native Azure networking capability, by default. Azure CNI allows your containers to be part of an Azure virtual network and leverage the rich set of capabilities that a virtual network offers.


Filed Under: Podcast

Episode 193 - Handling Secrets

by Cale Teeter August 31, 2017

We talk to Chris Kent from HashiCorp about the problem of handling secrets in cloud computing. He discusses the Vault product and we compare it to Azure Key Vault.

Chris Kent

Media file: http://azpodcast.blob.core.windows.net/episodes/Episode193.mp3

Indexed audio: https://www.videoindexer.ai/media/e1c71ec187

https://www.hashicorp.com/

 

Other updates:

Announcing the public preview of Azure Archive Blob Storage and Blob-Level Tiering
https://azure.microsoft.com/en-us/blog/announcing-the-public-preview-of-azure-archive-blob-storage-and-blob-level-tiering/

New performance levels and storage add-ons in Azure SQL Database
https://azure.microsoft.com/en-us/blog/new-performance-levels-and-storage-add-ons-in-azure-sql-database/

What’s brewing in Visual Studio Team Services: August 2017 Digest
https://azure.microsoft.com/en-us/blog/visual-studio-team-services-august-2017-digest/

Announcing the Coco Framework for enterprise blockchain networks
https://azure.microsoft.com/en-us/blog/announcing-microsoft-s-coco-framework-for-enterprise-blockchain-networks/

 


Filed Under: Podcast

Episode 191 - Just-In-Time Access

by Cale Teeter August 10, 2017

Cale and Russell talk to Microsoft Cloud Solutions Architect, Jamie Bryant, about a new feature in Azure that makes it more secure - Just-In-Time Access.

Media file: http://azpodcast.blob.core.windows.net/episodes/Episode191.mp3

Indexed audio: https://www.videoindexer.ai/media/230c1fad19

https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time

https://docs.microsoft.com/en-us/azure/security-center/security-center-intro

 

Other updates:

 

Reduce troubleshooting time with the upgraded Resource Health check in Azure SQL Data Warehouse. 

 

This upgrade considers the health status of all components of the SQL Data Warehouse architecture, which includes each SQL database distribution and the SQL Data Warehouse engine on each compute node. Login and heartbeat signals of each component are emitted at least once every 2 minutes, providing you a low-latency, holistic view of the health status of your data warehouse. If your instance is Unavailable, we will provide the reason along with recommended actions that you should perform.

 

The Resource Health check can detect unavailability reasons, such as when your instance is pausing, scaling, or upgrading. This feature also detects when there are any connection issues, whether they are user connections or inner SQL database connections.

You check the health of SQL Data Warehouse by signing in to the Azure portal and clicking the Resource Health blade.

 

Azure AD authentication extensions for Azure SQL DB and SQL DW tools

https://azure.microsoft.com/en-us/blog/azure-ad-authentication-extensions-for-azure-sql-db-and-sql-dw-tools/

 

Operating Azure Stack

https://azure.microsoft.com/en-us/blog/operating-azure-stack/

 

Root cause analysis and time exploration updates to Azure Time Series Insights

https://azure.microsoft.com/en-us/blog/root-cause-analysis-and-time-exploration-updates-to-azure-time-series-insights/

 

Azure Active Directory Pass-through authentication (Azure AD as a service – Highly available, secure, easy to deploy, great user experience) - doesn’t yet allow MFA.

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication

 

Announcing deploy to Azure app service Jenkins plugin and more

https://azure.microsoft.com/en-us/blog/annoucing-jenkins-deploy-to-azure-app-service-plugin-and-new-managed-disk-support-for-azure-storage-plugin/

 

Automate Application Insights processes with the connector for Flow and Logic Apps

(Using connectors for Microsoft Flow to query and visualise App Insights data and send by email/raise work items in TFS)


Filed Under: Podcast

Episode 176 - Networking Discussion

by Sujit D'Mello April 28, 2017

Evan and Sujit talk to Jared Ross, an Azure Consultant who specializes in Networking, Compliance and Security, on why customers should be aware of the network within Azure and tips on how to protect their resources.

Media file: http://azpodcast.blob.core.windows.net/episodes/Episode176.mp3

Yousef Khalidi's great 7-part blog post is Jared's recommended reading. The first part is listed below and you can follow along. 

https://azure.microsoft.com/en-us/blog/networking-innovations-that-drive-the-cloud-disruption/

Another favorite is Olivier Martin's post: https://azure.microsoft.com/en-us/blog/networking-to-and-within-the-azure-cloud/

 

Other resources and updates:

https://thebitcoinnews.com/microsoft-drives-forward-with-the-blockchain-btcmanagers-week-in-review-april-24/

https://azure.microsoft.com/en-us/blog/announcing-azure-time-series-insights/

Today we are excited to announce the public preview of Azure Time Series Insights, a fully managed analytics, storage, and visualization service that makes it incredibly simple to interactively and instantly explore and analyze billions of events from sources such as the Internet of Things.

Today, we are announcing the general availability of the new, simplified Azure management libraries for .NET for Compute, Storage, SQL Database, Networking, Resource Manager, Key Vault, Redis, CDN and Batch services.

https://azure.microsoft.com/en-us/blog/azure-management-libraries-for-net-generally-available-now


Today, we are announcing the general availability of the new, simplified Azure management libraries for Java for Compute, Storage, SQL Database, Networking, Resource Manager, Key Vault, Redis, CDN and Batch services.

https://azure.microsoft.com/en-us/blog/azure-management-libraries-for-net-generally-available-now/

 

Back in November, we announced the general availability of the Azure IoT Gateway SDK. We’ve already heard from a number of customers who are leveraging the open source Gateway SDK to connect their legacy devices or run analytics at the edge of their network. It’s great to see quick adoption! With the Gateway SDK’s modular architecture, developers can also program their own custom modules to perform specific actions. Thanks to its flexible design, you can create these modules in your preferred language – Node.js, Java, C#, or C. (NuGet, Maven etc. packages)

https://azure.microsoft.com/en-us/blog/azure-iot-gateway-sdk-packages


Azure Billing Reader role and preview of Invoice API
Tuesday, April 25, 2017
Today, we are pleased to announce the addition of a new in-built role, Billing Reader role. The new Billing Reader role allows you to delegate access to just billing information with no access to services such as VMs and storage accounts. Users in this role can perform Azure billing management operations such as viewing subscription scoped cost reporting data and downloading invoices. Also, today we are releasing the public preview of a new billing API that will allow you to programmatically download subscription’s billing invoices.

https://azure.microsoft.com/en-us/blog/azure-billing-reader-role-and-preview-of-invoice-api/

 


Filed Under: Podcast

Episode 171 - Secure Productive Enterprise

by Cale Teeter March 24, 2017

We talk to Edward Walton, a Cloud Solution Architect @ Microsoft, about a topic that he is very passionate about - making the Enterprise Cloud Secure & Productive.

Media file: http://azpodcast.blob.core.windows.net/episodes/Episode171.mp3

 

Other updates:

Announcing Support for Multi-member Consortium Blockchain Networks on Azure
https://azure.microsoft.com/en-us/blog/multi-member-consortium-blockchain-networks-on-azure/
 
Azure AD B2C Access Tokens now in public preview
https://azure.microsoft.com/en-us/blog/azure-ad-b2c-access-tokens-now-in-public-preview/
 
Lighting up network innovation
https://azure.microsoft.com/en-us/blog/lighting-up-network-innovation/
 
Announcing Azure Service Fabric 5.5 and SDK 2.5
https://azure.microsoft.com/en-us/blog/announcing-azure-service-fabric-5-5-and-sdk-2-5/
 
Azure Resource Manager template reference now available
https://azure.microsoft.com/en-us/blog/azure-resource-manager-template-reference-now-available/

 


Filed Under: Podcast
