Azure Cloud management and auditing

INSA CVL Engineering School 5th
Year of the Security Department – 4AS Option
© CHRISTIAN TOINARD Cloud Security - 9/01/2019
Azure
Professor Christian Toinard
[Some elements come from ’’Exam Ref 70-533 Implementing Microsoft Azure
Infrastructure Solutions 2nd Edition’’ second Edition. Microsoft Press. 2018]
[Other elements come from the Microsoft Online Documentation]
[However, the experiments come from the author work]

Introduction
In Azure, functionalities are constantly changing with new capabilities added
and new scenarios opening to make it easier to protect the data. Security is a key
topic of the evolutions. Ensure you read the large and precise documentation to
stay up-to-date on supported and unsupported scenarios at
https://docs.microsoft.com/en-us/azure/security.
This documentation is an introduction. It does not cover all the large range of
security functionalities. Advanced mechanisms of security operation center are
also available such as proposed in Azure Security Center.

Comparison with other approaches [1]

https://www.znetlive.com/blog/comparing-top-4-public-cloud-providers-in-2018-microsoft-
azure-vs-aws-vs-ibm-vs-google/

A global approach
IaaS, PaaS and SaaS service for both Azure resources
and on-premise resources.
Propose management, monitoring, IAM and security
services for both Azure and on-premise resources.
Five different kinds of service are proposed:
Azure App Service enables to build and host web apps in any programming
language without managing infrastructure (auto-scaling, high availability,
Windows and Linux, automated deployments from GitHub, Azure DevOps, or
any Git repo).
Azure virtual machines allow to create and deploy Windows and Linux virtual
machines and VM templates. It supports a wide range of solutions for creating
and managing virtual IT associated with on-premise hosts (monitoring,
authentication, access control, encryption, threats detection, …).
Azure Service Fabric is a platform that makes it easy to package, deploy, and
manage scalable and reliable microservices and containers. It manages the
complex infrastructure problems. Developers and administrators focus on
implementing mission-critical, demanding workloads that are scalable, reliable,
and manageable.
Azure Cloud Services is a platform as a service (PaaS) designed to support
applications that are scalable, reliable, and inexpensive to operate. In contrast with
App Service, Azure Cloud Services offers more control over the infrastructure.
Software for general purpose such as IoT, AI and machine learning and SaaS.
These components enable to develop end-user application for medicine, finance
and so on.

Methods for managing VM

Opening an access

Overview of the portal

Opening a subscription

Creating a virtual machine

Creating a virtual machine and model

Deploying a virtual machine

Advisor recommendations

Supervision: Insights a virtual machine

Distant connection to the virtual machine

Log analysis workspace

Creating an alert rule for a network load

Analysis of network load with Excel export

Viewing alerts for a network load

Encryption
There are many ways to encrypt data:
- programmatically encrypting it in your own
application and storing the encryption keys in
Azure Key Vault
- encrypting VM disks
- taking advantage of the Azure Storage Service
Encryption feature
- implementing encryption plus role-based access
control with Azure Data Lake Store

Azure Disk Encryption
You can take direct control of key management by
enabling disk-level encryption directly on your
Windows and Linux VMs.
Azure Disk Encryption leverages the industry standard
BitLocker feature of Windows, and the DM-Crypt
feature of Linux to provide volume encryption for the
operating system and the data disks.
The solution is integrated with Azure Key Vault and
Azure Active Directory to help you control and manage
the disk-encryption keys and secrets in your key vault
subscription.

Azure Storage Service Encryption
Azure Storage Service encryption automatically
encrypts and decrypts data using 256-bit AES
encryption as it is written in an Azure Storage Account.
https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption
The feature automatically encrypts data in:
• Azure storage services:
o Azure Managed Disks
o Azure Blob storage
o Azure Files
o Azure Queue storage
o Azure Table storage.
• Both performance tiers (Standard and Premium).
• Both deployment models (Azure Resource Manager and classic).
You can use Microsoft-managed encryption keys with Storage Service Encryption, or
use your own keys, see Storage Service Encryption using customer-managed keys in
Azure Key Vault.

Azure Storage Service Encryption

Azure Data Lake Store
Azure Data Lake is a repository designed for big data
workloads. It provides both encryption and access
control.

Azure Data Lake Store
Azure Data Lake Store implements an access control
model that derives from HDFS, which in turn derives
from the POSIX access control model.
To configure permissions on a data item in your data
lake, open the Data Lake Store in the Azure portal and
click Data Lake Explorer.

Azure Monitoring
Azure Monitor
This tool allows you to get base-level infrastructure metrics and logs across your Azure subscription including alerts,
metrics, subscription activity, and Service Health information. The Azure Monitor landing page provides a jumping off point
to configure other more specific monitoring services such as Application Insights, Network Watcher, Log Analytics, Manage-
ment Solutions, and so on. You can learn more about Azure Monitor at https://docs.microsoft. com/en-
us/azure/monitoring-and-diagnostics/monitoring-overview-azure-monitor.
Application Insights
Application Insights is used for development and as a production monitoring solution. It works by installing a package into
your app, which can provide a more internal view of what’s going on with your code. Its data includes response times of
dependencies, exception traces, debugging snapshots, and execution profiles. It provides powerful smart tools for analyzing
all this telemetry both to help you debug an app and to help you understand what users are doing with it. You can tell
whether a spike in response times is due to something in an app, or some external resourcing issue. If you use Visual Studio
and the app is at fault, you can be taken right to the problem line(s) of code so you can fix it. Application Insights provides
significantly more value when your application is instrumented to emit custom events and exception information. You can
learn more about Application Insights including samples for emitting custom telemetry at https://docs.microsoft.com/en-
us/azure/application-insights/.
Network Watcher
The Network Watcher service provides the ability to monitor and diagnose networking issues without logging in to your
virtual machines (VMs). You can trigger packet capture by setting alerts, and gain access to real-time performance
information at the packet level. When you see an issue, you can investigate in detail for better diagnoses. This service is
ideal for troubleshooting network connectivity or performance issues.
Azure Log Analytics
Log Analytics is a service in that monitors your cloud and on-premises environments to maintain their availability and
performance. It collects data generated by resources in your cloud and on-premises environments and from other
monitoring tools to provide analysis across multiple sources. Log Analytics provides rich tools to analyze data across
multiple sources, allows complex queries across all logs, and can proactively alert you on specified conditions. You can even
collect custom data into its central repository so you can query and visualize it. You can learn more about Log Analytics at
https://docs.microsoft.com/en-us/azure/log-analytics/ log-analytics-overview, as well as in Chapter 7.
Azure Diagnostics Extension
The Azure Diagnostics Extension is responsible for installing and configuring the Azure Diagnostics agent on both Windows
and Linux VMs to provide a richer set of diagnostics data. On Windows, this agent can collect a comprehensive set of
performance counter data, event and IIS log files, and even crash dumps. It also provides the ability to automatically
transfer this data to Azure Storage as well as surfacing telemetry to the Azure portal for visualization and alerts. The
capabilities on Linux are more limited, but they still expose a broad range of performance telemetry to act on for reporting
and alerts.

Logs analysis

Azure Cloud management and auditing

Recommended

Recommended

More Related Content

Similar to Azure Cloud management and auditing

Similar to Azure Cloud management and auditing (20)

Recently uploaded

Recently uploaded (20)

Azure Cloud management and auditing