Ignite 2015: Platform security vision

Session: BRK2482

Technology landscape:

Virtualization: VMs decoupled from hardware. Can’t use TPM, UEFI, secure boot, etc. VM mobility, complex lifecycle, strong isolation.

Cloud Computing: Treat your systems like cattle, not pets. Management process at scale. Distributed cloud.

Service Providers: trust boundary between tenant and service provider. Governance, risk, compliance. Cloud adoption blocker? Distributed accountability.

Administrator privileges – a risk factor. Stolen admin credentials. Insiders. Malicious service provider staff. They WILL be compromised.

Principles: Assume breach, trust boundaries.

Microsoft is introducing the “Trust Plane” between the Fabric and the workloads.

Virtual Secure Mode: Separate address space isolated from host OS. Enforced by hypervisor using hardware. Small “trustlets”. NO Windows stack, no network, no drivers, etc.

VM protected at rest and in transit: VM encrypted on disk, encryption key is locked in virtual TPM. Secure key exchange within the trust plane. Fabric and control plane have no access to keys.

Showed a demo where a tenant admin could NOT open a bitlocker encrypted VHDX.

Attestation service – Uses physical TPM, vTPM and UEFI. If a host is rootkited, it will invalidate the trust chain and be evicted from the cloud. Provider admin can’t open a console to a shielded VM.

Protect Workloads from direct attack

Encryption does not protect against legitimate access. Identity management is fundamental.

Demo: Privileged access control. Just in time and just enough privs to do you job. Shows off a portal to request privs, then it contains your privs to a specific part of the system.

Reduce attack surface: Nanoserver

Harden for common attacks: pass-the-hash mitigations (LSA in VSM). Applies only to Windows 10 and Server 2016.

Operations Insights Security Pack

Shows a demo of a pass-the-hash attack where the Microsoft product detected and alerted on it in real time.

Bottom line: Get servers with TPM 2.0 and UEFI.

Print Friendly, PDF & Email

Related Posts

Notify of
Inline Feedbacks
View all comments