Protecting customer Azure FullStack solution

Abstract

Tämän opinnäytetyön tarkoituksena oli tutkia erilaisia tietoturvan näkökulmia, jotka liittyvät Microsoft Azure pilvipalveluun ja FullStack kehitykseen Azure-palveluita hyödyntäen. Moni yritys haluaa tai menee julkiseen pilveen, mutta saattaa jäädä aukkoja toteutukseen, kun yritys itse tai ulkopuolinen konsultointi toteuttaa työn. Tutkimus painottuu Azuren parhaisiin käytäntöihin, OWASP Top 10, PiTuKri, CVE sekä CWE referenssien käyttöön.

This thesis is based on personal research for the past experiences in consultant customer work. After not getting a customer project to do this thesis due to tough market situations, this ended up becoming a chance to study Azure and its related security aspects to increase knowledge and career growth.

Azure has become more popular in Finland public sector scope, which made this relevant for current Cloud maturity learning.

Main interests were, how Azure handles the security based on popular OWASP Top 10 guidances and Finland focus PiTuKri Cloud guidance. This was scoped around 3 layer FullStack development with a frontend, backend and SQL database. On top of the development aspect, Identity Management is one of the main focuses for keeping a secure environment.

Till the end of the research it became quite clear how important the Identity Management was for keeping the user and access as secure as possible. Since Azure has ways to protect different logging methods to use other Azure services, those protections allow the use of Zero Trust models to mitigate and monitor activities.