Azure Sentinel: Enterprise Governance (Part 3 of 3)

By Ashwin Venugopal -

 


To read part 1 of 3 please click here
To read part 2 of 3 please click here



Resource Locks

There is always a need to lock a subscription, resource group or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. The lock level can be easily set to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only respectively.

  • CanNotDelete means authorized users can still read and modify a resource, but they can't delete the resource.

  • ReadOnly means authorized users can read a resource, but they can't delete or update the resource. This lock restricts all authorized users to the permissions granted by the Reader role.

Not every Azure user should have permission to create or remove locks. This requires access to the RBAC permissions like Microsoft.Authorization/, Microsoft.Authorization/locks/ action. However these actions can be added to custom roles as and when required.

Azure Blueprint

Azure Blueprints enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization's standards, patterns, and requirements. Azure Blueprints allows development teams to rapidly build and stand up new environments with trust they are building within organizational compliance with a set of built-in components such as networking to speed up development and delivery.

Blueprints are a declarative way to orchestrate a deployment of various resource templates and other artifacts such as Role assignments, Policy Assignments, Azure Resource Manager templates, and Resource Groups. Blueprints objects are replicated to multiple Azure regions. This replication provides low latency, high availability, and consistent access to your blueprint objects, whatever region Blueprints deploys your resources to.

How is it different from Resource Manager templates?

Environment set up often consists of a set of resource groups, policies, role assignments, and Resource Manager template deployments. A blueprint brings each of these artifact types together and allows you to compose and version that package including through a CI/CD pipeline.Ultimately, they are assigned to a subscription in a single operation that can be audited and tracked.

With blueprints the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved. This connection supports improved tracking and auditing deployments. 

 There is no need to choose between Resource Manager template and a blueprint. Each blueprint can consist of zero or more Resource Manager template artifacts which means that previous efforts to develop and maintain a library of resource Manager templates are reusable in Blueprints.

How it's different from Azure policy?

A blueprint is a package or container for composing focus-specific sets of standards, patterns, and requirements related to the implementation of Azure cloud services, security, and design that can be reused to maintain consistency and compliance. 

Including a policy in a blueprint enables the creation of right pattern or design during assignment of  the blueprint. This makes sure that only approved or expected changes can be made to the environment to protect ongoing compliance to the intent of the blueprint.

A policy can be included as one of the many artifacts in a blueprint definition. Blueprints also support using parameters with policies and initiatives. the following example illustrates the power of Azure Blueprints to deploy a complex solution and secure it.

Azure Security and Compliance Blueprint: PaaS Web Application for PCI DSS

  • This provides guidance for the deployment of a Payment Card Industry Data Security Standards (PCI DSS 3.2) compliant PaaS environment suitable for collection, storage, and retrieval of cardholder data.
  • It automatically deploys a PaaS web application reference architecture with pre-configured security controls to help customers achieve compliance with PCI DSS 3.2 requirements.
  • This blueprint uses Azure Resource Manager, Bastion Host, App Service Environment, Azure Web App,Network Security Groups, etc.
  • It is comprised of JSON configuration files and PowerShell scripts that are handled by Azure Resource Manager's API service to deploy resources within Azure.   

  Azure Subscription Management

An azure Active Directory (AD) tenant is created for you when you sign up for Azure. The tenent represents your account. You can use the tenant to manage access to your subscriptions and resources. If you want to create Azure subscriptions under your organization's Enterprise Agreement (EA), you need to have the Account Owner Role for your organization.

An Azure AD tenant is created for you when you sign up for Azure. The tenant represents your account and you can use the tenant to manage access to your subscriptions and resources.

Manage API access to Azure subscriptions and resources

Client applications that consume the published APIs need to include a valid subscription key in HTTP requests when they make calls to those APIs. A subscription is essentially a named container for a pair of subscription keys. API publishers cab also directly create subscriptions for API consumers.

API Management supports additional mechanisms for gaining access to APIs, including OAuth 2.0, Client Certificates, IP allow lists, etc. Azure policies consists of common API management functions, like those for access control, protection, transformation, and caching. You can apply these policies to various scopes, trigger them on an error, and set them in the inbound and outbound directions.

Who can transfer a subscription?

A billing administrator or the account administrator is a person who has the permission to manage billing for an account If you are an Enterprise Agreement customer, your enterprise administrator can transfer billing ownership of your subscriptions between accounts.

To identify your billing administrator accounts, use following steps:
  • Visit the Cost Management + Billing page in Azure portal.
  • Select all billing scopes from the left-hand pane.
  • The subscriptions page lists all subscriptions where you are a billing administrator. 

 


To read part 1 of 3 please click here
To read part 2 of 3 please click here






Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different groups of computers, re
Read more

Project Resourcing (Part 2)

By Ashwin Venugopal -
Image
  To read part 1, please click  here Engineering - SIEM The SIEM engineers configures Microsoft Sentinel, including Log Analytics, Logic Apps, workbooks, and playbooks. They are also responsible for the following high-level tasks: Initial configuration of Azure tenant, including provisioning required resources, assigning access roles, and configuring workspace parameters like log retention, resource tagging, and blueprints.  Deployment and configuration of syslog/CEF log collection agents in appropriate locations to collect logs from on-premises devices. Generally, it will be joint effort of both system engineer and SIEM engineer, involving configuration and potential troubleshooting.  Working with system owners to enable log forwarding and configuring any required parsing of log data in Log Analytics.  Working with security operations to create and deploy KQL analytic rules to offer detections for SOC/Computer Security Incident Response Team (CSRIT) use. Tuning of alert rule parameter
Read more

Design Planning (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Complex Organizational Structures SIEM can be an expensive security control, hence, it is common multiple businesses to contribute to the overall expense. Various organizational units may require a level of access to specific dashboards or sets of data. Microsoft Sentinel offers the ability to assign table-level permissions and limit the level of access to the minimum required to perform requisite job functions.  Role-based Access Control (RBAC) Requirements Microsoft Sentinel offers an extensive list of Azure built-in roles that can be used to provide granular access according to the job requirements and permitted level of access. Some of them are various Microsoft Sentinel dedicated roles: Microsoft Sentinel Contributor- Can perform all engineering-related configuration, such as creating alert rules, configuring data connectors, and additional similar tasks.  Microsoft Sentinel Reader- Can query the log data stor
Read more