Understanding that Microsoft Azure PaaS and IaaS defenses are often different
I received many comments from people asking me to clarify the following line from my previous blog post:
The threat model makes the delineation explicit, and this is more pronounced when considering IaaS defenses and PaaS defenses, which can often be quite different.
So, I want to spend a little time explaining what I mean by IaaS and PaaS defenses being different.
The rest of this post assumes you know the difference between IaaS and PaaS, if not, take a look at this resource on the Microsoft Azure site.
Probably the best way to explain the difference is by example: persistent file storage.
In an IaaS solution, usually implemented with virtual machines running, say, Windows Server or Linux, files are protected from disclosure and tampering threats using access control mechanisms. On Windows you’d use access control lists (ACL) that you can tweak using the command-line or from PowerShell, and on Linux you’d probably use chmod. Essentially, this is exactly what you would do if you were protecting files on a server in your own data center today.
PaaS is different. One of the most common ways to store files in Microsoft Azure is to use the Azure Blob Store. The big difference between blob storage and normal file storage is the file I/O, and the protection methods that come with file I/O, is hidden away from you, instead you use a URI to access files at rest, for example:
https://<accountname>.blob.core.windows.net/photos/Siouxsie/HappyHouse.jpg
The blob store access model is not a granular ACL or permission model. By default, the blob data in your storage account is accessible only to Azure storage account owners. It is possible to grant access to anonymous users, and access can be granted to users or software that has a shared access signature (SAS). Shared access signatures allow you to restrict access (read and/or write) to specific IP addresses within a certain time range.
A SAS URI might look like this:
https://<accountname>.blob.core.windows.net/photos/Siouxsie/HappyHouse.jpg?
sv=2015-04-29T22%3A18%3A26Z&se=2015-04-30T02%3A23%3A26Z&sr=b&sp=rw&
sip=168.1.5.60-168.1.5.70&spr=https&sig=Z%2FRHIX5Xcg0Mq2rqI3OlWTjEg2tYkboXr1P9ZUXDtkk%3D
As you can see, access control lists or permissions used in IaaS do not apply in PaaS solutions. It’s the same scenario (files at rest), same threats (disclosure and tampering) but totally different defense. Be aware that anyone who has the SAS can access the resource, too.
To summarize, when you’re building a threat model for an Azure solution, it’s critical that you call out the specific defenses used when protecting assets, this is especially true when designing a PaaS solution versus an IaaS solution.
For more info on Microsoft Azure security in general, visit the Azure Trust Center.
- Michael
PS Yes, I know you can use cryptographic defense to protect files at rest! That’s going to be my next topic for next week!