Azure Sentinel: Enterprise Governance (Part 3 of 3)

By Ashwin Venugopal -

 


To read part 1 of 3 please click here
To read part 2 of 3 please click here



Resource Locks

There is always a need to lock a subscription, resource group or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. The lock level can be easily set to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only respectively.

  • CanNotDelete means authorized users can still read and modify a resource, but they can't delete the resource.

  • ReadOnly means authorized users can read a resource, but they can't delete or update the resource. This lock restricts all authorized users to the permissions granted by the Reader role.

Not every Azure user should have permission to create or remove locks. This requires access to the RBAC permissions like Microsoft.Authorization/, Microsoft.Authorization/locks/ action. However these actions can be added to custom roles as and when required.

Azure Blueprint

Azure Blueprints enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization's standards, patterns, and requirements. Azure Blueprints allows development teams to rapidly build and stand up new environments with trust they are building within organizational compliance with a set of built-in components such as networking to speed up development and delivery.

Blueprints are a declarative way to orchestrate a deployment of various resource templates and other artifacts such as Role assignments, Policy Assignments, Azure Resource Manager templates, and Resource Groups. Blueprints objects are replicated to multiple Azure regions. This replication provides low latency, high availability, and consistent access to your blueprint objects, whatever region Blueprints deploys your resources to.

How is it different from Resource Manager templates?

Environment set up often consists of a set of resource groups, policies, role assignments, and Resource Manager template deployments. A blueprint brings each of these artifact types together and allows you to compose and version that package including through a CI/CD pipeline.Ultimately, they are assigned to a subscription in a single operation that can be audited and tracked.

With blueprints the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved. This connection supports improved tracking and auditing deployments. 

 There is no need to choose between Resource Manager template and a blueprint. Each blueprint can consist of zero or more Resource Manager template artifacts which means that previous efforts to develop and maintain a library of resource Manager templates are reusable in Blueprints.

How it's different from Azure policy?

A blueprint is a package or container for composing focus-specific sets of standards, patterns, and requirements related to the implementation of Azure cloud services, security, and design that can be reused to maintain consistency and compliance. 

Including a policy in a blueprint enables the creation of right pattern or design during assignment of  the blueprint. This makes sure that only approved or expected changes can be made to the environment to protect ongoing compliance to the intent of the blueprint.

A policy can be included as one of the many artifacts in a blueprint definition. Blueprints also support using parameters with policies and initiatives. the following example illustrates the power of Azure Blueprints to deploy a complex solution and secure it.

Azure Security and Compliance Blueprint: PaaS Web Application for PCI DSS

  • This provides guidance for the deployment of a Payment Card Industry Data Security Standards (PCI DSS 3.2) compliant PaaS environment suitable for collection, storage, and retrieval of cardholder data.
  • It automatically deploys a PaaS web application reference architecture with pre-configured security controls to help customers achieve compliance with PCI DSS 3.2 requirements.
  • This blueprint uses Azure Resource Manager, Bastion Host, App Service Environment, Azure Web App,Network Security Groups, etc.
  • It is comprised of JSON configuration files and PowerShell scripts that are handled by Azure Resource Manager's API service to deploy resources within Azure.   

  Azure Subscription Management

An azure Active Directory (AD) tenant is created for you when you sign up for Azure. The tenent represents your account. You can use the tenant to manage access to your subscriptions and resources. If you want to create Azure subscriptions under your organization's Enterprise Agreement (EA), you need to have the Account Owner Role for your organization.

An Azure AD tenant is created for you when you sign up for Azure. The tenant represents your account and you can use the tenant to manage access to your subscriptions and resources.

Manage API access to Azure subscriptions and resources

Client applications that consume the published APIs need to include a valid subscription key in HTTP requests when they make calls to those APIs. A subscription is essentially a named container for a pair of subscription keys. API publishers cab also directly create subscriptions for API consumers.

API Management supports additional mechanisms for gaining access to APIs, including OAuth 2.0, Client Certificates, IP allow lists, etc. Azure policies consists of common API management functions, like those for access control, protection, transformation, and caching. You can apply these policies to various scopes, trigger them on an error, and set them in the inbound and outbound directions.

Who can transfer a subscription?

A billing administrator or the account administrator is a person who has the permission to manage billing for an account If you are an Enterprise Agreement customer, your enterprise administrator can transfer billing ownership of your subscriptions between accounts.

To identify your billing administrator accounts, use following steps:
  • Visit the Cost Management + Billing page in Azure portal.
  • Select all billing scopes from the left-hand pane.
  • The subscriptions page lists all subscriptions where you are a billing administrator. 

 


To read part 1 of 3 please click here
To read part 2 of 3 please click here






Comments

Post a Comment

Popular posts from this blog

Query, Visualize, & Monitor Data in Azure Sentinel

By Ashwin Venugopal -
Image
  Azure Sentinel Workbooks Several ready for use templates are provided by the Azure Sentinel that can be used to create your own workbook and then modify them as needed for Contoso. Most of the data connectors it uses to ingest data come with their own workbooks, but better insight can be obtained by simply looking into the data that is being ingested by using tables and visualizations, including bar and pie charts. You can also make your own workbook easily by using this data from the beginning instead of using the predefined templates. Workbook Page You can easily access the workbook page from the Azure Sentinel from the navigation pane which consists of the: Workbook header- You can add a new workbook and review the saved workbooks as well as templates that are available on the workbook page. Templates section- You can access existing workbook templates on the Templates tab. You can save some of the workbooks for quick access and they will appear on the My Workbooks tab.  From the
Read more

Planning for Implementing SAP Solutions on Azure (Part 2 of 5)

By Ashwin Venugopal -
Image
  To read part 1 please click  here To read part 3 please click  here To read part 4 please click  here To read part 5 please click  here Load Balancing The load balancer uses probe ports to determine as well as route the traffic to an active DBMS node, but of there's any failover then the most common SAP application architecture can automatically reconnect against the private virtual IP address without the need for the SAP application to reconfigure it, while the load balancer redirect the traffic against the private virtual IP address without any need for the SAP application to reconfigure. The loaf balancer also offers an option of DirectServerReturn which if configured, can help in directing the traffic from the DBMS VM to the SAP application layer directly to the application layer without routing through the load balancer. But, if it isn't configured, then the return traffic to the SAP application layer is routed through the load balancer. You can also use Azure Load Balan
Read more

Work with String Data Using KQL Statements

By Ashwin Venugopal -
Image
  Extract Data from Unstructured String Fields Unstructured string fields often contains the Security log data and requires parsing to extract data. There are multiple ways of pulling information from string fields in KQL and the two primary operators used are extract and parse.  Extract It gets a match for a regular expression from a text string. You can convert the extracted substring to the indicated type.  Arguments regex- A regular expression. captureGroup- A positive int constant indicating the capture group to extract. 0 stands for the entire match, 1 for the value matched by the first '('parenthesis')' in the regular expression, 2 or more for subsequent parenthesis.  text- A string to search. typeLiteral- An optional type literal. If provided, the extracted substring is converted to this type.  Returns If regex finds a match in text- the substring matched against the indicated capture group captureGroup, optionally converted to typeLiteral. If there's no mat
Read more