UpSlide is a desktop application, and all documents produced or used by UpSlide are stored within our client's network (or tenant). However, UpSlide needs to connect to web services hosted in the UpSlide Microsoft Azure tenant to function optimally. This article describes how these resources are secured.
Our Azure Stack
The endpoints UpSlide connects to are:
- Software licensing: Azure AppService (ASP.NET Stack) and Azure SQL Database
- Usage Stats: Azure AppService (ASP.NET Stack) and Azure SQL Database
- Software Update and Settings: Azure AppService, Azure SQL Database and Azure Storage Account (especially blob storage)
How do we monitor this infrastructure?
To ensure the availability and performance of our endpoints, we use Azure Monitor (combined with App Insights App services) to collect and display data, such as Exception Rates and Response Time, on real-time, interactive dashboards.
How do we secure access to those resources?
The Principle of Least Privilege is used at UpSlide:
- Only C-suite IT employees at UpSlide have owner (full) permissions to our subscription.
- Members of the Development Team have write permissions on test and staging resources, but not on production data or services.
- The IT Team has rights on resource creation and management. Delete locks are in place to ensure that nothing is deleted due to human error.
- The Accounting team only has billing admin rights to manage costs.
All secrets needed to access our automated release pipelines (such as SAS keys to upload to our blob storage, SQL DB credentials, and certificate passwords) are stored in Azure Key Vaults.
How do we ensure that our Azure Resources themselves are secured?
Please note that because we rely on Platform as a Service (PaaS) solutions, this section does not cover system-level security topics, such as software updates, because these are handled natively by Azure (more details here or here).
UpSlide infrastructure does not rely on any IaaS (VM / Containers) services, which may require manual patching.
- Azure App Services:
  - Custom monitoring alert rules are in place to detect any PenTest/Intrusion attempts.
  - All code is scanned before release using a code analysis engine. We use SonarQube to analyse our code quality and detect potential vulnerabilities.
  - Every 3 months, an automated Vulnerability Scanner scans our endpoints for any known vulnerabilities.
  - All communication between UpSlide and the AppService is encrypted before transit using AES-256 and is sent over HTTPS.
- Azure SQL Databases:
  - No external access can be made to our databases except from trusted IP addresses and Azure services.
  - Weekly vulnerability scans are done to ensure no security issues are raised (access rights too permissive, unknown IPs whitelisted, etc.).
  - Azure SQL data encryption is enabled and enforced by Azure policies applied to our subscription.
- Azure Storage Accounts:
  - Encryption at rest and in transit is enabled by default on Storage accounts.
  - We use storage access keys to upload to and read from storage accounts instead of storage account keys, which are too permissive.
  - Storage accounts have security level access set to "blob only." This ensures that everyone can download our packages, but that our storage account can't be enumerated (no public access except to the final resource which is given to client software by our app service).
- All of our infrastructure relies on Azure AD Accounts. MFA (Multi-Factor Authentication) is enforced for all UpSlide employees, reducing the risk of compromise for our user accounts.
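The following sketch shows how the SQL firewall and storage access-level checks described above could be automated. It is an added example, not UpSlide's own tooling; the trusted range, rule names and container names are constructed, and the field names assume the JSON shape printed by `az sql server firewall-rule list` and `az storage container list`.

```python
import ipaddress

# Constructed sample data (hypothetical names and addresses). Field names are
# assumed to match the Azure CLI JSON output for firewall rules and containers.
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/28")]  # hypothetical office range
FIREWALL_RULES = [
    {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
    {"name": "office", "startIpAddress": "203.0.113.2", "endIpAddress": "203.0.113.6"},
    {"name": "temp-debug", "startIpAddress": "198.51.100.7", "endIpAddress": "198.51.100.7"},
    {"name": "wide-open", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
]
CONTAINERS = [
    {"name": "packages", "properties": {"publicAccess": "blob"}},
    {"name": "releases-old", "properties": {"publicAccess": "container"}},
    {"name": "internal", "properties": {"publicAccess": None}},
]


def audit_firewall(rules, trusted):
    """Return names of rules that admit addresses outside the trusted ranges."""
    findings = []
    for rule in rules:
        start = ipaddress.ip_address(rule["startIpAddress"])
        end = ipaddress.ip_address(rule["endIpAddress"])
        # 0.0.0.0-0.0.0.0 is the special "allow Azure services" rule, which the
        # policy above permits.
        if int(start) == 0 and int(end) == 0:
            continue
        # Split the range into CIDR blocks so partial overlaps are caught too.
        blocks = ipaddress.summarize_address_range(start, end)
        if not all(any(b.subnet_of(t) for t in trusted) for b in blocks):
            findings.append(rule["name"])
    return findings


def audit_containers(containers):
    """Return containers whose access level lets anonymous callers list blobs."""
    # "blob": anonymous read of a known blob URL only; "container": also listing.
    return [c["name"] for c in containers
            if c["properties"].get("publicAccess") == "container"]


if __name__ == "__main__":
    print("firewall rules outside trusted ranges:",
          audit_firewall(FIREWALL_RULES, TRUSTED_RANGES))
    print("containers that can be enumerated:", audit_containers(CONTAINERS))
```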