SlideShare a Scribd company logo

Segmentation on azure platform

Download as PPTX, PDF
Rachata Watthanawong
Rachata Watthanawong

segmentation design principles to design segmentation on Azure

Technology
1 of 23
Internal Use Segmentation on Azure Platform From principle to practice
Internal Use A Good Segmentation Enables Operations – Minimizes operation friction by aligning to business practices and applications Contains Risk - Adds cost and friction to attackers by Isolating sensitive workloads from compromise of other assets Isolating high exposure systems from being used as a pivot to other systems Monitored – Security Operations should monitor for potential violations of the integrity of the segments (account usage, unexpected traffic, etc.)
Internal Use Segmentation Design Principle Split workstations from servers Group by physical locations: Campus/branch, on-premises data center/IaaS. Data center zones: Separate non-production from production, development from QA, and databases/data stores from nondata stores. Group similar assets: IoT, OT, groups of applications (“application fencing”), databases, core services, corperate device, guest device and BYOD, untrusted or unknow device. Split high risk assets: Compliance (PCI, critical infrastructure), risk assessment (high/medium/low), data categorization (highly confidential, internal). Align with authentication strategy: Group unauthenticated public assets separately from authenticated private entities.
Internal Use Azure segmentation options
Internal Use Azure segmentation options: Subscription Subscription: Subscriptions are a high-level construct, which provides platform powered separation between entities. It's intended to carve out boundaries between large organizations within a company. Communication between resources in different subscriptions needs to be explicitly provisioned.
Internal Use Azure segmentation options: Virtual Network Virtual Network: Virtual networks are created within a subscription in private address spaces. The networks provide network-level containment of resources, with no traffic allowed by default between any two virtual networks. Like subscriptions, any communication between virtual networks needs to be explicitly provisioned.
Internal Use Azure segmentation options: Network Security Groups Network Security Groups (NSG): NSGs are access control mechanisms for controlling traffic between resources within a virtual network. An NSG also controls traffic with external networks, such as the internet, other virtual networks, and so on. NSGs can take your segmentation strategy to a granular level by creating perimeters for a subnet, group of VMs, or even a single virtual machine.
Internal Use Azure segmentation options: Application Security Groups Application Security Groups (ASGs): ASGs provide control mechanisms similar to NSGs but are referenced with an application context. An ASG allows you to group a set of VMs under an application tag. It can define traffic rules that are then applied to each of the underlying VMs.
Internal Use Azure segmentation options: Azure Firewall Azure Firewall: Azure Firewall is a cloud native stateful Firewall as a service. This firewall can be deployed in your virtual networks or in Azure Virtual WAN hub deployments for filtering traffic that flows between cloud resources, the Internet, and on-premise. You create rules or policies (using Azure Firewall or Azure Firewall Manager) specifying allow/deny traffic using layer 3 to layer 7 controls. You can also filter traffic that goes to the internet using both Azure Firewall and third parties. Direct some or all traffic through third- party security providers for advanced filtering and user protection.
Internal Use Hub-spoke architecture
Internal Use Hub-spoke network topology in Azure : Use cases • Workloads deployed in different environments, such as development, testing, and production, that require shared services such as DNS, IDS, NTP, or AD DS. Shared services are placed in the hub virtual network, while each environment is deployed to a spoke to maintain isolation. • Workloads that don't require connectivity to each other but require access to shared services. • Enterprises that require central control over security aspects, such as a firewall in the hub as a DMZ, and segregated management for the workloads in each spoke.
Internal Use Hub-spoke network topology in Azure : Architecture • Hub virtual network: The hub virtual network is the central point of connectivity to your on-premises network. It's a place to host services that can be consumed by the different workloads hosted in the spoke virtual networks. • Spoke virtual networks: Spoke virtual networks are used to isolate workloads in their own virtual networks, managed separately from other spokes. Each workload might include multiple tiers, with multiple subnets connected through Azure load balancers.
Internal Use Hub-spoke network topology in Azure: Operational considerations Network monitoring Use Azure Network Watcher to monitor and troubleshoot the network components. Tools like Traffic Analytics will show you the systems in your virtual networks that generate the most traffic. Then you can visually identify bottlenecks before they degenerate into problems. Network Performance Manager is the right tool to monitor information about Microsoft ExpressRoute circuits. VPN diagnostics is another tool that can help troubleshoot site-to-site VPN connections connecting your applications to users on- premises.
Internal Use Hub-spoke network topology in Azure: Cost considerations Azure Firewall An Azure Firewall is deployed in the hub network in this architecture. When used as a shared solution and consumed by multiple workloads, an Azure Firewall can save up to 30-50% over other network virtual appliance Virtual network peering Ingress and egress traffic is charged at both ends of the peered networks. Different zones have different transfer rates. For instance, data transfer from a virtual network in zone 1 to another virtual network in zone 2, will incur outbound transfer rate for zone 1 and inbound rate for zone 2.
Internal Use Microsoft hub and spoke reference architecture
Internal Use By segmentation design principle Azure segmentation design
Internal Use Segmentation at Subscription level • Align with management • Billing • Policy • Line of Responsibility
Internal Use Segmentation at VNet level • Split Clients from Servers • Cloud virtual desktop infrastructure (VDI): • Azure Virtual Desktop • Citrix Virtual App and Desktop • VMWare Horizon Cloud • Cloud PC: • Windows 365 Desktop • Point to Site (P2S) VPN • Group by physical location: Azure region • Split non-production from production • Non-production and production • Dev, test and production
Internal Use Segmentation at VNet level (2) • Separate high potential impact and/or a high potential exposure to risk applications • High potential impact: • Business critical data – Applications that process or store information, which would cause significant negative business or mission impact if an assurance of confidentiality, integrity, or availability is lost. • Regulated data – Applications that handle monetary instruments and sensitive personal information regulated by standards. For example, payment card industry (PCI) and Health Information Portability and Accountability Act (HIPAA). • Business critical availability – Applications whose functionality is critical to organizations business mission such as production lines generating revenue, devices, or services critical to life and safety, and other critical functions. • Significant Access – Applications which have access to systems with a high potential impact through technical • Stored Credentials or keys/certificates that grant access to the data/service • Permissions granted via access control lists or other means • High exposure to attacks: • Applications that are easily accessible to attackers such as web applications on the open internet. • Legacy applications can also be higher exposure as attackers and penetration testers frequently target them because they know these legacy applications often have vulnerabilities that are difficult to fix.
Internal Use Segmentation at NSG Level • Split compute service from data store service • Group similar resources • Group of Applications • Group of Databases • Group of Clients ** recommend associate NSG to subnet
Internal Use Segmentation at ASG Level • Group same resource in NSG • configure network security follow component dependency
Internal Use Q&A
Internal Use Reference • Gartner, The 6 Principles of Successful Network Segmentation Strategies. https://www.gartner.com/document/4002289 • Gartner, Segmentation or Isolation: Implementing Best Practices for Connecting ‘All’ Devices. https://www.gartner.com/document/3969768 • Microsoft, Segmentation strategies – Azure Architecture Center | Microsoft Docs. https://docs.microsoft.com/en- us/azure/architecture/framework/security/design-segmentation • Microsoft, Implement network segmentation patterns on Azure – Azure Architecture Center | Microsoft Docs. https://docs.microsoft.com/en- us/azure/architecture/framework/security/design-network-segmentation • Microsoft, Application classification for security – Azure Architecture Center | Microsoft Docs. https://docs.microsoft.com/en- us/azure/architecture/framework/security/design-apps-considerations • Microsoft, Hub-spoke network topology in Azure – Azure Reference Architecture | Microsoft Docs. https://docs.microsoft.com/en- us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke • Microsoft, Management group and subscription organization – Cloud Adoption Framework | Microsoft Docs. https://docs.microsoft.com/en- us/azure/cloud-adoption-framework/ready/enterprise-scale/management-group-and-subscription-organization • Microsoft, Azure virtual network| Microsoft Docs. https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview • Microsoft, Azure network security group overview | Microsoft Docs. https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups- overview • Microsoft, Azure application security group overview | Microsoft Docs. https://docs.microsoft.com/en-us/azure/virtual-network/application-security-groups • Azure, Deploy Enterprise-Scale with hub and spoke architecture. https://github.com/Azure/Enterprise- Scale/blob/main/docs/reference/adventureworks/README.md

Recommended

The Microsoft Well Architected Framework For Data Analytics
The Microsoft Well Architected Framework For Data AnalyticsThe Microsoft Well Architected Framework For Data Analytics
The Microsoft Well Architected Framework For Data AnalyticsStephanie Locke
 
Azure Security Fundamentals
Azure Security FundamentalsAzure Security Fundamentals
Azure Security FundamentalsLorenzo Barbieri
 
Microsoft Azure Networking Basics
Microsoft Azure Networking BasicsMicrosoft Azure Networking Basics
Microsoft Azure Networking BasicsSai Kishore Naidu
 
Azure Security Overview
Azure Security OverviewAzure Security Overview
Azure Security OverviewDavid J Rosenthal
 
Azure security architecture
Azure security architectureAzure security architecture
Azure security architectureKarl Ots
 
Microsoft Windows Server 2022 Overview
Microsoft Windows Server 2022 OverviewMicrosoft Windows Server 2022 Overview
Microsoft Windows Server 2022 OverviewDavid J Rosenthal
 
Azure Arc - Managing Hybrid and Multi-Cloud Platforms
Azure Arc - Managing Hybrid and Multi-Cloud PlatformsAzure Arc - Managing Hybrid and Multi-Cloud Platforms
Azure Arc - Managing Hybrid and Multi-Cloud PlatformsWinWire Technologies Inc
 
On-premise to Microsoft Azure Cloud Migration.
On-premise to Microsoft Azure Cloud Migration. On-premise to Microsoft Azure Cloud Migration.
On-premise to Microsoft Azure Cloud Migration.Emtec Inc.
 

Recommended

The Microsoft Well Architected Framework For Data Analytics
The Microsoft Well Architected Framework For Data AnalyticsThe Microsoft Well Architected Framework For Data Analytics
The Microsoft Well Architected Framework For Data AnalyticsStephanie Locke
 
Azure Security Fundamentals
Azure Security FundamentalsAzure Security Fundamentals
Azure Security FundamentalsLorenzo Barbieri
 
Microsoft Azure Networking Basics
Microsoft Azure Networking BasicsMicrosoft Azure Networking Basics
Microsoft Azure Networking BasicsSai Kishore Naidu
 
Azure Security Overview
Azure Security OverviewAzure Security Overview
Azure Security OverviewDavid J Rosenthal
 
Azure security architecture
Azure security architectureAzure security architecture
Azure security architectureKarl Ots
 
Microsoft Windows Server 2022 Overview
Microsoft Windows Server 2022 OverviewMicrosoft Windows Server 2022 Overview
Microsoft Windows Server 2022 OverviewDavid J Rosenthal
 
Azure Arc - Managing Hybrid and Multi-Cloud Platforms
Azure Arc - Managing Hybrid and Multi-Cloud PlatformsAzure Arc - Managing Hybrid and Multi-Cloud Platforms
Azure Arc - Managing Hybrid and Multi-Cloud PlatformsWinWire Technologies Inc
 
On-premise to Microsoft Azure Cloud Migration.
On-premise to Microsoft Azure Cloud Migration. On-premise to Microsoft Azure Cloud Migration.
On-premise to Microsoft Azure Cloud Migration.Emtec Inc.
 
Azure
AzureAzure
AzureKiran Bavariya
 
Windows Azure Active Directory
Windows Azure Active DirectoryWindows Azure Active Directory
Windows Azure Active DirectoryKrunal Trivedi
 
Azure vm introduction
Azure vm introductionAzure vm introduction
Azure vm introductionLalit Rawat
 
VMware Esx Short Presentation
VMware Esx Short PresentationVMware Esx Short Presentation
VMware Esx Short PresentationBarcamp Cork
 
Microsoft Azure Technical Overview
Microsoft Azure Technical OverviewMicrosoft Azure Technical Overview
Microsoft Azure Technical Overviewgjuljo
 
Cloud Security
Cloud SecurityCloud Security
Cloud SecurityAWS User Group Bengaluru
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS SecurityAmazon Web Services
 
Google Anthos - Azure Stack - AWS Outposts :Comparison
Google Anthos - Azure Stack - AWS Outposts :ComparisonGoogle Anthos - Azure Stack - AWS Outposts :Comparison
Google Anthos - Azure Stack - AWS Outposts :ComparisonKrishna-Kumar
 
Azure 101
Azure 101Azure 101
Azure 101Korry Lavoie
 
Using Virtual Private Cloud (vpc)
Using Virtual Private Cloud (vpc)Using Virtual Private Cloud (vpc)
Using Virtual Private Cloud (vpc)Amazon Web Services
 
Well Architected Framework - Data
Well Architected Framework - Data Well Architected Framework - Data
Well Architected Framework - Data Craig Milroy
 
Azure Security Overview
Azure Security OverviewAzure Security Overview
Azure Security OverviewAllen Brokken
 
Microsoft Defender for Endpoint
Microsoft Defender for EndpointMicrosoft Defender for Endpoint
Microsoft Defender for EndpointCheah Eng Soon
 
Microsoft 365 Security and Compliance
Microsoft 365 Security and ComplianceMicrosoft 365 Security and Compliance
Microsoft 365 Security and ComplianceDavid J Rosenthal
 
Azure Arc Overview from Microsoft
Azure Arc Overview from MicrosoftAzure Arc Overview from Microsoft
Azure Arc Overview from MicrosoftDavid J Rosenthal
 
Azure Storage
Azure StorageAzure Storage
Azure StorageMustafa
 
Cloud Computing and Microsoft Azure
Cloud Computing and Microsoft AzureCloud Computing and Microsoft Azure
Cloud Computing and Microsoft AzureSuhail Jamaldeen
 
azure-security-overview-slideshare-180419183626.pdf
azure-security-overview-slideshare-180419183626.pdfazure-security-overview-slideshare-180419183626.pdf
azure-security-overview-slideshare-180419183626.pdfBenAissaTaher1
 
Azure Virtual Desktop Overview.pptx
Azure Virtual Desktop Overview.pptxAzure Virtual Desktop Overview.pptx
Azure Virtual Desktop Overview.pptxceyhan1
 
cloud computing Multi cloud
cloud computing Multi cloudcloud computing Multi cloud
cloud computing Multi cloudDr.Neeraj Kumar Pandey
 
Cloud computing & security basics
Cloud computing & security basicsCloud computing & security basics
Cloud computing & security basicsRahul Gurnani
 
Is it an internal affair
Is it an internal affairIs it an internal affair
Is it an internal affairGeorge Delikouras
 

More Related Content

What's hot

Windows Azure Active Directory
Windows Azure Active DirectoryWindows Azure Active Directory
Windows Azure Active DirectoryKrunal Trivedi
 
Azure vm introduction
Azure vm introductionAzure vm introduction
Azure vm introductionLalit Rawat
 
VMware Esx Short Presentation
VMware Esx Short PresentationVMware Esx Short Presentation
VMware Esx Short PresentationBarcamp Cork
 
Microsoft Azure Technical Overview
Microsoft Azure Technical OverviewMicrosoft Azure Technical Overview
Microsoft Azure Technical Overviewgjuljo
 
Google Anthos - Azure Stack - AWS Outposts :Comparison
Google Anthos - Azure Stack - AWS Outposts :ComparisonGoogle Anthos - Azure Stack - AWS Outposts :Comparison
Google Anthos - Azure Stack - AWS Outposts :ComparisonKrishna-Kumar
 
Using Virtual Private Cloud (vpc)
Using Virtual Private Cloud (vpc)Using Virtual Private Cloud (vpc)
Using Virtual Private Cloud (vpc)Amazon Web Services
 
Well Architected Framework - Data
Well Architected Framework - Data Well Architected Framework - Data
Well Architected Framework - Data Craig Milroy
 
Azure Security Overview
Azure Security OverviewAzure Security Overview
Azure Security OverviewAllen Brokken
 
Microsoft Defender for Endpoint
Microsoft Defender for EndpointMicrosoft Defender for Endpoint
Microsoft Defender for EndpointCheah Eng Soon
 
Microsoft 365 Security and Compliance
Microsoft 365 Security and ComplianceMicrosoft 365 Security and Compliance
Microsoft 365 Security and ComplianceDavid J Rosenthal
 
Azure Arc Overview from Microsoft
Azure Arc Overview from MicrosoftAzure Arc Overview from Microsoft
Azure Arc Overview from MicrosoftDavid J Rosenthal
 
Azure Storage
Azure StorageAzure Storage
Azure StorageMustafa
 
Cloud Computing and Microsoft Azure
Cloud Computing and Microsoft AzureCloud Computing and Microsoft Azure
Cloud Computing and Microsoft AzureSuhail Jamaldeen
 
azure-security-overview-slideshare-180419183626.pdf
azure-security-overview-slideshare-180419183626.pdfazure-security-overview-slideshare-180419183626.pdf
azure-security-overview-slideshare-180419183626.pdfBenAissaTaher1
 
Azure Virtual Desktop Overview.pptx
Azure Virtual Desktop Overview.pptxAzure Virtual Desktop Overview.pptx
Azure Virtual Desktop Overview.pptxceyhan1
 

What's hot (20)

Azure
AzureAzure
Azure
 
Windows Azure Active Directory
Windows Azure Active DirectoryWindows Azure Active Directory
Windows Azure Active Directory
 
Azure vm introduction
Azure vm introductionAzure vm introduction
Azure vm introduction
 
VMware Esx Short Presentation
VMware Esx Short PresentationVMware Esx Short Presentation
VMware Esx Short Presentation
 
Microsoft Azure Technical Overview
Microsoft Azure Technical OverviewMicrosoft Azure Technical Overview
Microsoft Azure Technical Overview
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
Google Anthos - Azure Stack - AWS Outposts :Comparison
Google Anthos - Azure Stack - AWS Outposts :ComparisonGoogle Anthos - Azure Stack - AWS Outposts :Comparison
Google Anthos - Azure Stack - AWS Outposts :Comparison
 
Azure 101
Azure 101Azure 101
Azure 101
 
Using Virtual Private Cloud (vpc)
Using Virtual Private Cloud (vpc)Using Virtual Private Cloud (vpc)
Using Virtual Private Cloud (vpc)
 
Well Architected Framework - Data
Well Architected Framework - Data Well Architected Framework - Data
Well Architected Framework - Data
 
Azure Security Overview
Azure Security OverviewAzure Security Overview
Azure Security Overview
 
Microsoft Defender for Endpoint
Microsoft Defender for EndpointMicrosoft Defender for Endpoint
Microsoft Defender for Endpoint
 
Microsoft 365 Security and Compliance
Microsoft 365 Security and ComplianceMicrosoft 365 Security and Compliance
Microsoft 365 Security and Compliance
 
Azure Arc Overview from Microsoft
Azure Arc Overview from MicrosoftAzure Arc Overview from Microsoft
Azure Arc Overview from Microsoft
 
Azure Storage
Azure StorageAzure Storage
Azure Storage
 
Cloud Computing and Microsoft Azure
Cloud Computing and Microsoft AzureCloud Computing and Microsoft Azure
Cloud Computing and Microsoft Azure
 
azure-security-overview-slideshare-180419183626.pdf
azure-security-overview-slideshare-180419183626.pdfazure-security-overview-slideshare-180419183626.pdf
azure-security-overview-slideshare-180419183626.pdf
 
Azure Virtual Desktop Overview.pptx
Azure Virtual Desktop Overview.pptxAzure Virtual Desktop Overview.pptx
Azure Virtual Desktop Overview.pptx
 
cloud computing Multi cloud
cloud computing Multi cloudcloud computing Multi cloud
cloud computing Multi cloud
 

Similar to Segmentation on azure platform

Cloud computing & security basics
Cloud computing & security basicsCloud computing & security basics
Cloud computing & security basicsRahul Gurnani
 
An introduction to the cloud 11 v1
An introduction to the cloud 11 v1An introduction to the cloud 11 v1
An introduction to the cloud 11 v1charan7575
 
Data security in cloud computing
Data security in cloud computingData security in cloud computing
Data security in cloud computingPrince Chandu
 
talk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptxtalk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptxTrongMinhHoang1
 
Zero trust model for cloud computing.pptx
Zero trust model for cloud computing.pptxZero trust model for cloud computing.pptx
Zero trust model for cloud computing.pptxkkhhusshi
 
Cloud computing ppt
Cloud computing pptCloud computing ppt
Cloud computing pptJagriti Rai
 
Presentacion de solucion cloud de navegacion segura
Presentacion de solucion cloud de navegacion seguraPresentacion de solucion cloud de navegacion segura
Presentacion de solucion cloud de navegacion seguraRogerChaucaZea
 
IRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
IRJET- SAAS Attacks Defense Mechanisms and Digital ForensicIRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
IRJET- SAAS Attacks Defense Mechanisms and Digital ForensicIRJET Journal
 
Defending Applications In the Cloud: Architecting Layered Security Solutions ...
Defending Applications In the Cloud: Architecting Layered Security Solutions ...Defending Applications In the Cloud: Architecting Layered Security Solutions ...
Defending Applications In the Cloud: Architecting Layered Security Solutions ...EC-Council
 
Implementing zero trust architecture in azure hybrid cloud
Implementing zero trust architecture in azure hybrid cloudImplementing zero trust architecture in azure hybrid cloud
Implementing zero trust architecture in azure hybrid cloudAjit Bhingarkar
 
Cloud Security_Module2.ppt
Cloud Security_Module2.pptCloud Security_Module2.ppt
Cloud Security_Module2.pptArunKumbi1
 

Similar to Segmentation on azure platform (20)

Cloud computing & security basics
Cloud computing & security basicsCloud computing & security basics
Cloud computing & security basics
 
Is it an internal affair
Is it an internal affairIs it an internal affair
Is it an internal affair
 
An introduction to the cloud 11 v1
An introduction to the cloud 11 v1An introduction to the cloud 11 v1
An introduction to the cloud 11 v1
 
Data security in cloud computing
Data security in cloud computingData security in cloud computing
Data security in cloud computing
 
talk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptxtalk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptx
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Zero trust model for cloud computing.pptx
Zero trust model for cloud computing.pptxZero trust model for cloud computing.pptx
Zero trust model for cloud computing.pptx
 
Unit-II-part 3.pdf
Unit-II-part 3.pdfUnit-II-part 3.pdf
Unit-II-part 3.pdf
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Cloud computing ppt
Cloud computing pptCloud computing ppt
Cloud computing ppt
 
Presentacion de solucion cloud de navegacion segura
Presentacion de solucion cloud de navegacion seguraPresentacion de solucion cloud de navegacion segura
Presentacion de solucion cloud de navegacion segura
 
IRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
IRJET- SAAS Attacks Defense Mechanisms and Digital ForensicIRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
IRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
 
Cloud Analytics and VDI
Cloud Analytics and VDICloud Analytics and VDI
Cloud Analytics and VDI
 
Cloud computing
Cloud computingCloud computing
Cloud computing
 
SECURING THE CLOUD DATA LAKES
SECURING THE CLOUD DATA LAKESSECURING THE CLOUD DATA LAKES
SECURING THE CLOUD DATA LAKES
 
Defending Applications In the Cloud: Architecting Layered Security Solutions ...
Defending Applications In the Cloud: Architecting Layered Security Solutions ...Defending Applications In the Cloud: Architecting Layered Security Solutions ...
Defending Applications In the Cloud: Architecting Layered Security Solutions ...
 
Implementing zero trust architecture in azure hybrid cloud
Implementing zero trust architecture in azure hybrid cloudImplementing zero trust architecture in azure hybrid cloud
Implementing zero trust architecture in azure hybrid cloud
 
Cloud Security_Module2.ppt
Cloud Security_Module2.pptCloud Security_Module2.ppt
Cloud Security_Module2.ppt
 
Azure security
Azure securityAzure security
Azure security
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
 

Recently uploaded

CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 

Recently uploaded (20)

CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 

Segmentation on azure platform

  • 1. Internal Use Segmentation on Azure Platform From principle to practice
  • 2. Internal Use A Good Segmentation Enables Operations – Minimizes operation friction by aligning to business practices and applications Contains Risk - Adds cost and friction to attackers by Isolating sensitive workloads from compromise of other assets Isolating high exposure systems from being used as a pivot to other systems Monitored – Security Operations should monitor for potential violations of the integrity of the segments (account usage, unexpected traffic, etc.)
  • 3. Internal Use Segmentation Design Principle Split workstations from servers Group by physical locations: Campus/branch, on-premises data center/IaaS. Data center zones: Separate non-production from production, development from QA, and databases/data stores from nondata stores. Group similar assets: IoT, OT, groups of applications (“application fencing”), databases, core services, corperate device, guest device and BYOD, untrusted or unknow device. Split high risk assets: Compliance (PCI, critical infrastructure), risk assessment (high/medium/low), data categorization (highly confidential, internal). Align with authentication strategy: Group unauthenticated public assets separately from authenticated private entities.
  • 5. Internal Use Azure segmentation options: Subscription Subscription: Subscriptions are a high-level construct, which provides platform powered separation between entities. It's intended to carve out boundaries between large organizations within a company. Communication between resources in different subscriptions needs to be explicitly provisioned.
  • 6. Internal Use Azure segmentation options: Virtual Network Virtual Network: Virtual networks are created within a subscription in private address spaces. The networks provide network-level containment of resources, with no traffic allowed by default between any two virtual networks. Like subscriptions, any communication between virtual networks needs to be explicitly provisioned.
  • 7. Internal Use Azure segmentation options: Network Security Groups Network Security Groups (NSG): NSGs are access control mechanisms for controlling traffic between resources within a virtual network. An NSG also controls traffic with external networks, such as the internet, other virtual networks, and so on. NSGs can take your segmentation strategy to a granular level by creating perimeters for a subnet, group of VMs, or even a single virtual machine.
  • 8. Internal Use Azure segmentation options: Application Security Groups Application Security Groups (ASGs): ASGs provide control mechanisms similar to NSGs but are referenced with an application context. An ASG allows you to group a set of VMs under an application tag. It can define traffic rules that are then applied to each of the underlying VMs.
  • 9. Internal Use Azure segmentation options: Azure Firewall Azure Firewall: Azure Firewall is a cloud native stateful Firewall as a service. This firewall can be deployed in your virtual networks or in Azure Virtual WAN hub deployments for filtering traffic that flows between cloud resources, the Internet, and on-premise. You create rules or policies (using Azure Firewall or Azure Firewall Manager) specifying allow/deny traffic using layer 3 to layer 7 controls. You can also filter traffic that goes to the internet using both Azure Firewall and third parties. Direct some or all traffic through third- party security providers for advanced filtering and user protection.
  • 11. Internal Use Hub-spoke network topology in Azure : Use cases • Workloads deployed in different environments, such as development, testing, and production, that require shared services such as DNS, IDS, NTP, or AD DS. Shared services are placed in the hub virtual network, while each environment is deployed to a spoke to maintain isolation. • Workloads that don't require connectivity to each other but require access to shared services. • Enterprises that require central control over security aspects, such as a firewall in the hub as a DMZ, and segregated management for the workloads in each spoke.
  • 12. Internal Use Hub-spoke network topology in Azure : Architecture • Hub virtual network: The hub virtual network is the central point of connectivity to your on-premises network. It's a place to host services that can be consumed by the different workloads hosted in the spoke virtual networks. • Spoke virtual networks: Spoke virtual networks are used to isolate workloads in their own virtual networks, managed separately from other spokes. Each workload might include multiple tiers, with multiple subnets connected through Azure load balancers.
  • 13. Internal Use Hub-spoke network topology in Azure: Operational considerations Network monitoring Use Azure Network Watcher to monitor and troubleshoot the network components. Tools like Traffic Analytics will show you the systems in your virtual networks that generate the most traffic. Then you can visually identify bottlenecks before they degenerate into problems. Network Performance Manager is the right tool to monitor information about Microsoft ExpressRoute circuits. VPN diagnostics is another tool that can help troubleshoot site-to-site VPN connections connecting your applications to users on- premises.
  • 14. Internal Use Hub-spoke network topology in Azure: Cost considerations Azure Firewall An Azure Firewall is deployed in the hub network in this architecture. When used as a shared solution and consumed by multiple workloads, an Azure Firewall can save up to 30-50% over other network virtual appliance Virtual network peering Ingress and egress traffic is charged at both ends of the peered networks. Different zones have different transfer rates. For instance, data transfer from a virtual network in zone 1 to another virtual network in zone 2, will incur outbound transfer rate for zone 1 and inbound rate for zone 2.
  • 15. Internal Use Microsoft hub and spoke reference architecture
  • 16. Internal Use By segmentation design principle Azure segmentation design
  • 17. Internal Use Segmentation at Subscription level • Align with management • Billing • Policy • Line of Responsibility
  • 18. Internal Use Segmentation at VNet level • Split Clients from Servers • Cloud virtual desktop infrastructure (VDI): • Azure Virtual Desktop • Citrix Virtual App and Desktop • VMWare Horizon Cloud • Cloud PC: • Windows 365 Desktop • Point to Site (P2S) VPN • Group by physical location: Azure region • Split non-production from production • Non-production and production • Dev, test and production
  • 19. Internal Use Segmentation at VNet level (2) • Separate high potential impact and/or a high potential exposure to risk applications • High potential impact: • Business critical data – Applications that process or store information, which would cause significant negative business or mission impact if an assurance of confidentiality, integrity, or availability is lost. • Regulated data – Applications that handle monetary instruments and sensitive personal information regulated by standards. For example, payment card industry (PCI) and Health Information Portability and Accountability Act (HIPAA). • Business critical availability – Applications whose functionality is critical to organizations business mission such as production lines generating revenue, devices, or services critical to life and safety, and other critical functions. • Significant Access – Applications which have access to systems with a high potential impact through technical • Stored Credentials or keys/certificates that grant access to the data/service • Permissions granted via access control lists or other means • High exposure to attacks: • Applications that are easily accessible to attackers such as web applications on the open internet. • Legacy applications can also be higher exposure as attackers and penetration testers frequently target them because they know these legacy applications often have vulnerabilities that are difficult to fix.
  • 20. Internal Use Segmentation at NSG Level • Split compute service from data store service • Group similar resources • Group of Applications • Group of Databases • Group of Clients ** recommend associate NSG to subnet
  • 21. Internal Use Segmentation at ASG Level • Group same resource in NSG • configure network security follow component dependency
  • 23. Internal Use Reference • Gartner, The 6 Principles of Successful Network Segmentation Strategies. https://www.gartner.com/document/4002289 • Gartner, Segmentation or Isolation: Implementing Best Practices for Connecting ‘All’ Devices. https://www.gartner.com/document/3969768 • Microsoft, Segmentation strategies – Azure Architecture Center | Microsoft Docs. https://docs.microsoft.com/en- us/azure/architecture/framework/security/design-segmentation • Microsoft, Implement network segmentation patterns on Azure – Azure Architecture Center | Microsoft Docs. https://docs.microsoft.com/en- us/azure/architecture/framework/security/design-network-segmentation • Microsoft, Application classification for security – Azure Architecture Center | Microsoft Docs. https://docs.microsoft.com/en- us/azure/architecture/framework/security/design-apps-considerations • Microsoft, Hub-spoke network topology in Azure – Azure Reference Architecture | Microsoft Docs. https://docs.microsoft.com/en- us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke • Microsoft, Management group and subscription organization – Cloud Adoption Framework | Microsoft Docs. https://docs.microsoft.com/en- us/azure/cloud-adoption-framework/ready/enterprise-scale/management-group-and-subscription-organization • Microsoft, Azure virtual network| Microsoft Docs. https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview • Microsoft, Azure network security group overview | Microsoft Docs. https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups- overview • Microsoft, Azure application security group overview | Microsoft Docs. https://docs.microsoft.com/en-us/azure/virtual-network/application-security-groups • Azure, Deploy Enterprise-Scale with hub and spoke architecture. https://github.com/Azure/Enterprise- Scale/blob/main/docs/reference/adventureworks/README.md