Azure Sentinel: Enterprise Governance (Part 1 of 3)


To read part 2 of 3 please click here
To read part 3 of 3 please click here

The Shared Responsibility Model

As computing environments move from customer-controlled datacenters to the cloud, responsibility for security shifts as well. By handing part of that responsibility to a cloud service like Azure, organizations can reduce the effort they spend on activities that are not core business competencies.

In cloud security, different scopes of responsibility exist depending on the kinds of services you use. For example, if you use virtual machines in Azure, Microsoft is responsible for securing the physical networks, storage, and virtualization platform, which includes updating the virtualization hosts. You, however, remain responsible for securing your virtual network and public endpoints and for updating the guest operating system of your VMs.

Whatever the deployment type may be, you always retain responsibility for data, endpoints, accounts, and access management. 

Azure Cloud Security Advantages

The following diagram contrasts a traditional approach with a cloud-enabled approach. In the cloud-enabled approach you can shift day-to-day responsibilities to your cloud provider and reallocate your own resources, whereas in the traditional approach many security responsibilities go unmet because of limited resources.

[Diagram: traditional approach versus cloud-enabled approach]
In the cloud-enabled approach, you can also take advantage of cloud-based security capabilities for greater effectiveness and use cloud intelligence to improve your threat detection and response time.

Azure Hierarchy

Azure Resource Manager

Azure Resource Manager (ARM) is the deployment and management service for Azure. It provides a consistent management layer that allows you to create, update, and delete resources in your Azure subscription. You can also use its access control, auditing, and tagging features to help secure and organize your resources after deployment. ARM uses APIs and authentication to control access to resources.

Understand Scope

Azure offers four levels of scope: management groups, subscriptions, resource groups, and resources. You can apply management settings at any of these levels. For example, when you apply a policy to a subscription, the policy applies to all resource groups and resources in that subscription; when you apply a policy to a resource group, it applies to that resource group and all of its resources.

You can also deploy templates to management groups, subscriptions, or resource groups.

Resource Group

There are some important factors to be considered when defining your resource group:

  • All the resources in your group should share the same life cycle. You deploy, update, and delete them together.
  • Each resource can only exist in one resource group.
  • You can add or remove a resource group at any time.
  • You can move a resource from one resource group to another.
  • A resource group can contain resources that are located in different regions.
  • A resource group can be used to scope access control for administrative actions.
  • A resource can interact with resources in other resource groups.

If the resource group's region is temporarily unavailable, you can't update resources in that resource group because its metadata is unavailable. Resources in other regions will still function as expected, but they cannot be updated until the region is available again.

Management Groups

Management groups are an Azure resource for creating flexible and maintainable hierarchies within the structure of your environment. A management group hierarchy can be up to six levels deep, giving you the flexibility to build a hierarchy that combines several of the strategies below to meet your organizational needs.

The value of management groups

Group your Subscriptions

  • Provide user access to multiple subscriptions.
  • Allows for new organizational models and logical grouping of resources.
  • Allows for a single assignment of controls that applies to all subscriptions.
  • Provides aggregated views above the subscription level.

Mirror your organization's structure

  • Create a flexible hierarchy that can be updated quickly.
  • The hierarchy does not need to model the organization's billing hierarchy.
  • The structure can easily scale up or down depending on your needs.

Apply policies or access control to any service

  • Create one RBAC assignment on the management group, and that access is inherited by all the subscriptions beneath it.
  • Use ARM integrations with other Azure services such as Azure Cost Management, Privileged Identity Management, and Azure Security Center.

By using Azure management groups, you reduce workload and the risk of error by avoiding duplicate assignments. This saves a great deal of time when applying assignments, creates a single point of maintenance, and allows better control over who can change the assignment.
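The two ideas above, that an assignment placed at one scope flows down to everything beneath it (subscription to resource groups to resources) and that a single assignment on a management group is inherited by all of its subscriptions, can be made concrete with a small model of the scope tree. The following is an added example written for this post, not code from Azure or from the Azure Sentinel documentation: it builds a hypothetical hierarchy, resolves the effective policy and role assignments at any scope by walking up the parents, produces the scope ID strings ARM uses, enforces the six-level management group limit, and flags assignments that are already inherited from an ancestor (the duplicate-assignment waste the last paragraph describes). All names, subscription IDs and assignment labels are constructed sample values.

```python
"""Model of Azure scope inheritance (hypothetical example, not Azure's own code):
management group -> subscription -> resource group -> resource."""
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple

MAX_MG_DEPTH = 6  # management groups may nest up to six levels below the tenant root

# Which kind of scope may sit directly under which kind
ALLOWED_CHILD = {
    "mg": {"mg", "subscription"},
    "subscription": {"resourceGroup"},
    "resourceGroup": {"resource"},
    "resource": set(),
}


@dataclass
class Scope:
    kind: str                      # "mg", "subscription", "resourceGroup" or "resource"
    name: str
    parent: Optional["Scope"] = None
    assignments: List[str] = field(default_factory=list)   # policy/role labels set here
    children: List["Scope"] = field(default_factory=list)

    def add_child(self, kind: str, name: str, assignments=()) -> "Scope":
        """Attach a child scope, rejecting impossible nesting and over-deep hierarchies."""
        if kind not in ALLOWED_CHILD[self.kind]:
            raise ValueError(f"a {kind} cannot be placed under a {self.kind}")
        child = Scope(kind, name, self, list(assignments))
        if kind == "mg" and child.mg_depth() > MAX_MG_DEPTH:
            raise ValueError("management group hierarchy deeper than six levels")
        self.children.append(child)
        return child

    def ancestors(self) -> Iterator["Scope"]:
        node = self.parent
        while node is not None:
            yield node
            node = node.parent

    def mg_depth(self) -> int:
        """Number of management groups above this scope (tenant root = 0)."""
        return sum(1 for a in self.ancestors() if a.kind == "mg")

    def resource_id(self) -> str:
        """The scope string you would pass as --scope to a policy or role assignment."""
        if self.kind == "mg":
            return f"/providers/Microsoft.Management/managementGroups/{self.name}"
        if self.kind == "subscription":
            return f"/subscriptions/{self.name}"
        if self.kind == "resourceGroup":
            return f"{self.parent.resource_id()}/resourceGroups/{self.name}"
        return f"{self.parent.resource_id()}/providers/{self.name}"

    def effective_assignments(self) -> List[str]:
        """Assignments in force here: everything from the root down to this scope."""
        chain = list(self.ancestors())[::-1] + [self]
        return [a for node in chain for a in node.assignments]


def walk(scope: Scope) -> Iterator[Scope]:
    yield scope
    for child in scope.children:
        yield from walk(child)


def redundant_assignments(root: Scope) -> List[Tuple[str, str]]:
    """(scope id, assignment) pairs that merely repeat something already inherited."""
    found = []
    for node in walk(root):
        inherited = {a for anc in node.ancestors() for a in anc.assignments}
        for a in node.assignments:
            if a in inherited:
                found.append((node.resource_id(), a))
    return found


def build_sample() -> Scope:
    """Constructed sample hierarchy; IDs and labels are made up for this example."""
    root = Scope("mg", "tenant-root", assignments=["role:Reader->secops"])
    lz = root.add_child("mg", "landing-zones", ["policy:require-env-tag"])
    sub = lz.add_child("subscription", "00000000-0000-0000-0000-000000000001",
                       ["policy:allowed-locations"])
    rg_app = sub.add_child("resourceGroup", "rg-app", ["role:Contributor->app-team"])
    rg_app.add_child("resource", "Microsoft.Compute/virtualMachines/vm1")
    # Re-applying a policy already inherited from landing-zones is the duplication to avoid
    rg_data = sub.add_child("resourceGroup", "rg-data", ["policy:require-env-tag"])
    rg_data.add_child("resource", "Microsoft.Storage/storageAccounts/stdata01")
    sandbox = root.add_child("mg", "sandbox")
    sandbox.add_child("subscription", "00000000-0000-0000-0000-000000000002")
    return root


def lookup(root: Scope, name: str) -> Scope:
    return next(n for n in walk(root) if n.name == name)


if __name__ == "__main__":
    tree = build_sample()
    for node in walk(tree):
        print(f"{node.resource_id()}\n    effective: {node.effective_assignments()}")
    print("redundant:", redundant_assignments(tree))
```

Running the script lists every scope with the assignments in force there; the VM in rg-app picks up the root reader role, the landing-zone tag policy, the subscription location policy and the resource-group contributor role, while the storage account in rg-data sees everything except the contributor role. The redundancy check is the useful governance signal: an assignment that repeats one already inherited from a management group is the kind of duplicate the text recommends eliminating, and the depth check shows where a proposed hierarchy would exceed the six-level limit before anyone tries to create it.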
