This document discusses automated security and continuous compliance on Azure. It describes challenges to security and compliance when using multiple Azure subscriptions and teams. It then outlines how to implement security and compliance in Azure through organizing subscriptions, defining policies as guardrails, implementing policies, monitoring for adherence, and enabling automatic remediation. Key tools discussed are Azure policies, Azure blueprints, and the Azure Policy Insights API.
Automated Security and Continuous Compliance on Azure
1. Automated Security and Continuous
Compliance on Azure
Ian Willoughby
Chief Architect – 2nd Watch
October 10, 2018
Evolve. Accelerate. Optimize.
2. Your path to the cloud is different from everyone else’s: it’s yours
Address people, process
& technology
Leverage scalable
processes & tools
Apply our unmatched
enterprise experience to
your challenges
Let you move with the agility
of a startup
We custom-tailor cloud strategies that…
3. Public Cloud Experience
Gold Microsoft Partner
Managed Service Partner
100% Certified Engineers
and Architects
Competencies:
DevOps
Financial Services
Marketing and Commerce
Life Sciences
Microsoft Workloads
Migration
4. Why Azure Services by 2nd Watch?
200,000
Cloud Servers monthly
47%
are Windows Machines
+175
Cloud Certified Experts
100s
of Large Customers
Experience
Customer
Service
Faster Benefits
5. Trusted by leading global enterprises
Case Study
Conde Nast Case StudyLenovo Case Study
Case Study
Crate & Barrel Case Study
Case Study
Case Study
Case Study
Learn more and review our case studies
6. Agenda
What is IT Governance
Challenges to security and compliance
How to implement security and compliance in Azure
How to ensure continuous compliance and security
7. What is IT Governance?
Information and Technology (IT) governance is a subset of
corporate governance. It aligns the organization’s business goals
with IT projects and implementation. It incorporates cyber security,
data governance, compliance, enterprise architecture, and other
disciplines to effectively harness the power of IT to achieve
positive business outcomes. The goal is to use governance to
achieve the proper guardrails without sacrificing agility, security
and cost while performing at scale.
8. Challenges
• Multiple Teams
• Multiple Subscriptions
• Compliance Requirements
• Reduce Cloud Sprawl
• Guardrails Working
• Increase Agility
• Maintain Security
• Traditional Model Doesn’t Work Any More
9.
10. Road to Security and Compliance
• Organize Subscriptions
• Define policies
• Implement the policies as guardrails
• Visibility into the adherence of policies
• Automatic remediation
11. Organize Subscriptions
Azure Management Groups
o Align subscriptions to your organizational structure.
o Uses hierarchies and containers to group subscriptions.
o Manage access, compliance, policies and costs
19. VM Guest Policy
Under Preview
• Verifies the Configuration of the Virtual Machine OS
• Works with Chef
• Only Built-in Policies are Support Currently
20. Azure Policy In Action
• Put Policies in Git
• Share with Developers
• Set to Audit Mode to Start
23. Azure Resource Graph
• Query resources with complex filtering, grouping, and sorting by resource properties
• Explore based on governance requirements
• Perform iterative queries
24.
25. Automation for Compliance and Security
• Use the Policy Insights REST API to query policy events and compliance states.
(https://docs.microsoft.com/en-us/rest/api/policy-insights/)
• Codify the actions based on events.
• Create a notification event.
28. Next Steps
• You don’t have to get it all right to start, but start
• Start with Audit effect on policies
• Create playbooks on actions to be taken and implement slowly
• Start your foundation with security and compliance in mind
https://github.com/azure/azure-policy
https://aka.ms/GovernanceDocs
29. Questions
Ian Willoughby – iwilloughby@2ndwatch.com
2ndwatch.com
888-317-7920
October 10, 2018
Evolve. Accelerate. Optimize.