Azure Sentinel: Enterprise Governance (Part 1 of 3)

By Ashwin Venugopal -


To read part 2 of 3 please click here
To read part 3 of 3 please click here

The Shared Responsibility Model

As computing environments move from customer-controlled datacenters to the cloud, the responsibility of security also shifts and by shifting these responsibilities to a cloud service like Azure, organizations can reduce focus on activities that aren't core business competencies.

In cloud security deifferent scopes of responsibilities exist depending upon the kinds of services you use. For example- if you use virtual machines in Azure, Microsoft will be responsible for securing the physical networks, storage, and virtualization platform, which includes updating the virtualization hosts. However, you will need to help secure your virtual network and public endpoints while updating the guest operating system of your VMs.

Whatever the deployment type may be, you always retain responsibility for data, endpoints, accounts, and access management. 

Azure Cloud Security Advantages

The following diagram shows a traditional approach versus cloud-enabled approach, between which you can shift day to day responsibilities to your cloud provider and reallocate your resources in cloud-enabled approach unlike the traditional approach where many security responsibilities are unmet due to limited resources.


 

In the cloud-enabled approach, you are also able to leverage cloud based security capabilities for more effectiveness and use cloud intelligence to improve your threat detection and response time.

Azure Hierarchy

Azure Resource Manager

Azure Resource Manager (ARM) is the deployment and management service for Azure. It provides a consistent management layer that allows you to create, update, and delete resources in your Azure subscription. You can also use its access control, auditing, and tagging features to help secure and organize your resources after deployment. The ARM  uses APIs and authentication to allow access to resources.

Understand Scope

Azure offers four levels of scope i.e. management groups, subscriptions, resource groups, and resources. You can apply management settings at any of these levels of scope. for example when you apply a policy to the subscription, the policy is applied to all resource groups and resources in your subscription, but when you apply a policy on the resource group, that policy is applied to the resource group and all it resources.

You ca also deploy templates to management groups, subscriptions, or resource groups.

Resource Group

There are some important factors to be considered when defining your resource group:

  • All the resources in your group should share the same life-cycle. You deploy, update, and delete them together. 
  • Each resource can only exist in one resource group.
  • You can add or remove a resource group at any time.
  • You can move a resource from one resource group to another group.
  • A resource group can contain resources that are located in different regions.
  • A resource group can be used to scope access control for administrative actions.
  • A resource can interact with resources in other resource groups.     

If the resource group's region is temporarily unavailable, then you can't update resources in the resource group because the metadata is unavailable. The resources in other regions will still function as expected, but cannot be updated.

Management Groups

Management Groups are an Azure resource to create flexible and very maintainable hierarchies within the structure of your environment. Management Group hierarchies can up to six level deep and provides you with the flexibility to create a hierarchy that combines several of these strategies to meet your organizational needs.

The value of management groups

Group your Subscriptions

  • Provide user access to multiple subscriptions.
  • Allows for new organizational models and logically grouping of resources.
  • Allows for single assignment of controls that applies to all subscriptions.
  • Provides aggregated views above the subscription level.  

Mirror your organization's structure

  • Create a flexible hierarchy that can be updated quickly.
  • The hierarchy does not need to model the organization's billing hierarchy.
  • The structure can easily scale up or down depending on your needs.

Apply policies or access control to any service

  • Create one RBAC assignment on the management group, which will inherit that access to all the subscriptions.
  • Use ARM integrations that allow integrations with other Azure services like Azure Cost Management, Privileged Identity Management, and Azure Security Center.  

By using Azure management groups, workload and risk of error can be reduced by avoiding duplicate assignments. This will same immense time in application of assignments, creates one point for maintenance, and allows for better controls on who can control the assignment.

 

To read part 2 of 3 please click here
To read part 3 of 3 please click here


 

Comments

Post a Comment

Popular posts from this blog

Query, Visualize, & Monitor Data in Azure Sentinel

By Ashwin Venugopal -
Image
  Azure Sentinel Workbooks Several ready for use templates are provided by the Azure Sentinel that can be used to create your own workbook and then modify them as needed for Contoso. Most of the data connectors it uses to ingest data come with their own workbooks, but better insight can be obtained by simply looking into the data that is being ingested by using tables and visualizations, including bar and pie charts. You can also make your own workbook easily by using this data from the beginning instead of using the predefined templates. Workbook Page You can easily access the workbook page from the Azure Sentinel from the navigation pane which consists of the: Workbook header- You can add a new workbook and review the saved workbooks as well as templates that are available on the workbook page. Templates section- You can access existing workbook templates on the Templates tab. You can save some of the workbooks for quick access and they will appear on the My Workbooks tab.  From the
Read more

Planning for Implementing SAP Solutions on Azure (Part 2 of 5)

By Ashwin Venugopal -
Image
  To read part 1 please click  here To read part 3 please click  here To read part 4 please click  here To read part 5 please click  here Load Balancing The load balancer uses probe ports to determine as well as route the traffic to an active DBMS node, but of there's any failover then the most common SAP application architecture can automatically reconnect against the private virtual IP address without the need for the SAP application to reconfigure it, while the load balancer redirect the traffic against the private virtual IP address without any need for the SAP application to reconfigure. The loaf balancer also offers an option of DirectServerReturn which if configured, can help in directing the traffic from the DBMS VM to the SAP application layer directly to the application layer without routing through the load balancer. But, if it isn't configured, then the return traffic to the SAP application layer is routed through the load balancer. You can also use Azure Load Balan
Read more

Work with String Data Using KQL Statements

By Ashwin Venugopal -
Image
  Extract Data from Unstructured String Fields Unstructured string fields often contains the Security log data and requires parsing to extract data. There are multiple ways of pulling information from string fields in KQL and the two primary operators used are extract and parse.  Extract It gets a match for a regular expression from a text string. You can convert the extracted substring to the indicated type.  Arguments regex- A regular expression. captureGroup- A positive int constant indicating the capture group to extract. 0 stands for the entire match, 1 for the value matched by the first '('parenthesis')' in the regular expression, 2 or more for subsequent parenthesis.  text- A string to search. typeLiteral- An optional type literal. If provided, the extracted substring is converted to this type.  Returns If regex finds a match in text- the substring matched against the indicated capture group captureGroup, optionally converted to typeLiteral. If there's no mat
Read more