Azure Sentinel: Enterprise Governance (Part 1 of 3)


To read part 2 of 3 please click here
To read part 3 of 3 please click here

The Shared Responsibility Model

As computing environments move from customer-controlled datacenters to the cloud, the responsibility of security also shifts and by shifting these responsibilities to a cloud service like Azure, organizations can reduce focus on activities that aren't core business competencies.

In cloud security deifferent scopes of responsibilities exist depending upon the kinds of services you use. For example- if you use virtual machines in Azure, Microsoft will be responsible for securing the physical networks, storage, and virtualization platform, which includes updating the virtualization hosts. However, you will need to help secure your virtual network and public endpoints while updating the guest operating system of your VMs.

Whatever the deployment type may be, you always retain responsibility for data, endpoints, accounts, and access management. 

Azure Cloud Security Advantages

The following diagram shows a traditional approach versus cloud-enabled approach, between which you can shift day to day responsibilities to your cloud provider and reallocate your resources in cloud-enabled approach unlike the traditional approach where many security responsibilities are unmet due to limited resources.


 

In the cloud-enabled approach, you are also able to leverage cloud based security capabilities for more effectiveness and use cloud intelligence to improve your threat detection and response time.

Azure Hierarchy

Azure Resource Manager

Azure Resource Manager (ARM) is the deployment and management service for Azure. It provides a consistent management layer that allows you to create, update, and delete resources in your Azure subscription. You can also use its access control, auditing, and tagging features to help secure and organize your resources after deployment. The ARM  uses APIs and authentication to allow access to resources.

Understand Scope

Azure offers four levels of scope i.e. management groups, subscriptions, resource groups, and resources. You can apply management settings at any of these levels of scope. for example when you apply a policy to the subscription, the policy is applied to all resource groups and resources in your subscription, but when you apply a policy on the resource group, that policy is applied to the resource group and all it resources.

You ca also deploy templates to management groups, subscriptions, or resource groups.

Resource Group

There are some important factors to be considered when defining your resource group:

  • All the resources in your group should share the same life-cycle. You deploy, update, and delete them together. 
  • Each resource can only exist in one resource group.
  • You can add or remove a resource group at any time.
  • You can move a resource from one resource group to another group.
  • A resource group can contain resources that are located in different regions.
  • A resource group can be used to scope access control for administrative actions.
  • A resource can interact with resources in other resource groups.     

If the resource group's region is temporarily unavailable, then you can't update resources in the resource group because the metadata is unavailable. The resources in other regions will still function as expected, but cannot be updated.

Management Groups

Management Groups are an Azure resource to create flexible and very maintainable hierarchies within the structure of your environment. Management Group hierarchies can up to six level deep and provides you with the flexibility to create a hierarchy that combines several of these strategies to meet your organizational needs.

The value of management groups

Group your Subscriptions

  • Provide user access to multiple subscriptions.
  • Allows for new organizational models and logically grouping of resources.
  • Allows for single assignment of controls that applies to all subscriptions.
  • Provides aggregated views above the subscription level.  

Mirror your organization's structure

  • Create a flexible hierarchy that can be updated quickly.
  • The hierarchy does not need to model the organization's billing hierarchy.
  • The structure can easily scale up or down depending on your needs.

Apply policies or access control to any service

  • Create one RBAC assignment on the management group, which will inherit that access to all the subscriptions.
  • Use ARM integrations that allow integrations with other Azure services like Azure Cost Management, Privileged Identity Management, and Azure Security Center.  

By using Azure management groups, workload and risk of error can be reduced by avoiding duplicate assignments. This will same immense time in application of assignments, creates one point for maintenance, and allows for better controls on who can control the assignment.

 

To read part 2 of 3 please click here
To read part 3 of 3 please click here


 

Comments

Popular posts from this blog

Deployment (Part 3)

Deployment (Part 1)

Project Resourcing (Part 2)