Azure Sentinel: Enterprise Governance (Part 2 of 3)

By Ashwin Venugopal -

 



To read part 1 of 3 please click here
To read part 3 of 3 please click here

Azure Policies

Azure policy is a service you use to create, assign, and manage policies. Azure policies enforce different rules and effects over your resources so that those resources stay compliant with your corporate standards and service level agreements. 

There are three main pillars that help in the functionalities of Azure policy:

The first pillar is about real time enforcement and compliance assessment. For example- a policy would block the creation of resources that are located outside of US regions. The data powers the compliance view which aggregates results across all of the applied policies, that in turn can be used to ensure that resource groups are getting tagged properly and automatically inheriting those tags from the resource group down to the resources.

The second pillar of policy is applying policies at scale by leveraging Management Groups. One can easily impact hundreds of subscriptions and all its reach resources through a single policy assignment by applying policy to a management group. The concept called policy initiative allows you to group policies together so that you can view the aggregated compliance result. You can also exclude either the child management group subscription resource group or resources from the policy assignment.

The third pillar of your policy is remediation by leveraging a remediation policy that will automatically remediate the non-compliant resource so that your environment always stays compliant.You can also create a remediation task to bring the resources to compliance. Azure policy is a free service to use.

Policy permissions and custom policies

Azure policy has several permissions, known as operations in two resource providers i.e. Microsoft.Authorization and Microsoft.PolicyInsights. Many built-in roles grant permissions to Azure policy resources, but if none of the built-in roles have the required permissions, you can create a custom role. before creating a custom policy, you should check the policy samples to determine if the policy that matches your needs already exists. the approach to create a custom policy follows these steps:

  • Identify your business requirements
  • Map each requirement to an Azure resource property
  • map the property to an alias
  • Determine which effect to use
  • Compose the policy definition  

Composing an Azure policy

The steps for composing an Azure policy begins with creating:

  • Policy Definition- Every policy definition have conditions under which it is enforced and it has a defined effect that takes place if the conditions are met.

  • Policy Assignment- A policy definition that has been assigned to take place within a specific scope. The term scope refers to all the resources, resource groups, subscriptions, or management groups that the policy definition is assigned to.

  • Policy parameters- They help simplify your policy management by reducing the number of policy definitions you must create. You can define parameters when creating a policy definition to make it more generic.   

Azure Role Based Access Control (RBAC)

Organizations that are considering using the public cloud are always concerned about ensuring that when people leave the organization, they lose access to resources in the cloud and striking the right balance between autonomy as well as central governance. Azure AD and RBAC make it simple for you to carry out these goals. RBAC enables fine-grained access management for Azure. Using RBAC, you can grant just the amount of access that users need to perform their jobs.

Each Azure subscription is associated with one Azure AD directory. A subscription is associated with only one Azure AD tenant while a resource group can have multiple resources but is associated with only one subscription and can be bound to only one resource group.

Azure RBAC vs Azure Policies

There are a few differences between the two like- RBAC focuses on user actions at different scopes while Azure Policy focuses on resource properties during deployment and for already-existing resources. Unlike RBAC, Azure Policy is a default-allow-and-explicit-deny system.

RBAC

RBAC manages who can have access to Azure resources, what areas they have access to, and what they can do with those resources. Examples of RBAC includes:
  • Allowing a user, the ability to only manage virtual machines in a subscription and not the ability to manage virtual networks
  • Allowing a user, the ability to manage all resources, such as virtual machines, websites, and subnets, within a specified resource group.
  • Allowing a app, to access all resources in a resource group
  • Allowing a DBA group, to manage SQL databases in a subscription 
RBAC can grant users the least amount privileged to get their work done without affecting other aspects of an instance or subscription as set by the governance plan.

Policies

Policies on the other hand play a slightly different role governance. They focus on resource properties during deployment and for already existing resources. For example a policy can be issued to ensure users can only deploy DS series VMs within a specified resource if the users have permission to deploy the VMs.

RBAC and Policies in Azure play a vital role in a governance strategy and they work together to ensure organizational business rules are followed by ensuring the proper access and resource management creation guidelines are met.

Azure Built-in Roles

Azure RBAC has several built-in roles that can be assigned to users, groups, service principles, and managed identities. If the built-in roles don't meet the requirements of your organization, you can always create your own Azure custom roles. The four general built-in roles are:

  • Contributor- Allows you to manage everything except granting access to resources.

  • Owner- Allows you to manage everything including access to resources.

  • Reader- Allows to view everything, but not make any changes.

  • User Access Administrator- Lets you manage user access to Azure resources.  

Role assignments are the way you can control access to Azure resources.



To read part 1 of 3 please click here
To read part 3 of 3 please click here




Comments

Post a Comment

Popular posts from this blog

Query, Visualize, & Monitor Data in Azure Sentinel

By Ashwin Venugopal -
Image
  Azure Sentinel Workbooks Several ready for use templates are provided by the Azure Sentinel that can be used to create your own workbook and then modify them as needed for Contoso. Most of the data connectors it uses to ingest data come with their own workbooks, but better insight can be obtained by simply looking into the data that is being ingested by using tables and visualizations, including bar and pie charts. You can also make your own workbook easily by using this data from the beginning instead of using the predefined templates. Workbook Page You can easily access the workbook page from the Azure Sentinel from the navigation pane which consists of the: Workbook header- You can add a new workbook and review the saved workbooks as well as templates that are available on the workbook page. Templates section- You can access existing workbook templates on the Templates tab. You can save some of the workbooks for quick access and they will appear on the My Workbooks tab.  From the
Read more

Planning for Implementing SAP Solutions on Azure (Part 2 of 5)

By Ashwin Venugopal -
Image
  To read part 1 please click  here To read part 3 please click  here To read part 4 please click  here To read part 5 please click  here Load Balancing The load balancer uses probe ports to determine as well as route the traffic to an active DBMS node, but of there's any failover then the most common SAP application architecture can automatically reconnect against the private virtual IP address without the need for the SAP application to reconfigure it, while the load balancer redirect the traffic against the private virtual IP address without any need for the SAP application to reconfigure. The loaf balancer also offers an option of DirectServerReturn which if configured, can help in directing the traffic from the DBMS VM to the SAP application layer directly to the application layer without routing through the load balancer. But, if it isn't configured, then the return traffic to the SAP application layer is routed through the load balancer. You can also use Azure Load Balan
Read more

Work with String Data Using KQL Statements

By Ashwin Venugopal -
Image
  Extract Data from Unstructured String Fields Unstructured string fields often contains the Security log data and requires parsing to extract data. There are multiple ways of pulling information from string fields in KQL and the two primary operators used are extract and parse.  Extract It gets a match for a regular expression from a text string. You can convert the extracted substring to the indicated type.  Arguments regex- A regular expression. captureGroup- A positive int constant indicating the capture group to extract. 0 stands for the entire match, 1 for the value matched by the first '('parenthesis')' in the regular expression, 2 or more for subsequent parenthesis.  text- A string to search. typeLiteral- An optional type literal. If provided, the extracted substring is converted to this type.  Returns If regex finds a match in text- the substring matched against the indicated capture group captureGroup, optionally converted to typeLiteral. If there's no mat
Read more