Building Automated Governance Using Code, Platform Services & Several Small Puppies
•Download as PPTX, PDF•
1 like•91 views
This session explores the Azure Scaffold that provides the framework to implement governance in Azure in an automated and enforceable manner.
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Building Automated Governance Using Code, Platform Services & Several Small Puppies
Similar to Building Automated Governance Using Code, Platform Services & Several Small Puppies (20)
More from Todd Whitehead
More from Todd Whitehead (9)
Recently uploaded
Recently uploaded (20)
Building Automated Governance Using Code, Platform Services & Several Small Puppies
- 9. Enterprise Enrollment Account A Subscription 1 Subscription 2 Subscription 3 Account B Department A Account C Subscription 4 Department B
- 12. { "if" : { <condition> | <logical operator> }, "then" : { "effect" : "deny | audit | append“ } } Azure Resource Manager Policy Introduction: https://azure.microsoft.com/en-us/documentation/articles/resource-manager-policy/
- 13. Case Study Toddbert Inc Innovation Environment Dev Environment Prod Environment
- 15. Service Catalog Service Option Controls Geographic Limits Resource Locks Tagging Lifecycle & Automation Archiving Notifications Dashboard Integrations To Do
- 16. Resource Manager Policies • Service Catalog • Service Option Controls • Geographic Limits • Tagging Resource Locks Test/Dev Labs • Cost Management • Environment Automation Azure Automation • Lifecycle Management • Azure Automation Azure Monitor • Notifications Alerts (notification groups) • Dashboard • Integrations (jira) • Archiving Azure Security Centre • Dashboards • Advanced Analysis
- 17. { "if" : { <condition> | <logical operator> }, "then" : { "effect" : "deny | audit | append" } } Logical Operator Syntax Not "not" : {<condition or operator >} And "allOf" : [ {<condition or operator >},{<condition or operator >}] Or "anyOf" : [ {<condition or operator >},{<condition or operator >}] Condition Name Syntax Equals "equals" : "<value>" Like "like" : "<value>" Contains "contains" : "<value>" In "in" : [ "<value1>","<value2>" ] ContainsKey "containsKey" : "<keyName>" Exists "exists" : "<bool>"
- 18. • CanNotDelete: athorized users can still read and modify a resource, but they can't delete it. • ReadOnly*: Authorized users can read from a resource, but they can't delete it or perform any actions on it. The permission on the resource is restricted to the Reader role. • Subscription • Resource Group • Resource
- 19. Demo: Azure Resource Policies
- 20. Azure Security Center Enable security at cloud speed Gain visibility and control Detect cyber threats Integrate partner solutions
- 21. Provides a unified view of security across all your Azure subscriptions Makes it easy to understand your security posture, including vulnerabilities and threats detected Integrates security event logging and monitoring, including events from partners APIs, SIEM connector and Power BI dashboards make it easy to access, integrate, and analyze security information using existing tools Gain visibility and control
- 22. Access security data in near real-time from your Security Information and Event Management (SIEM) Export Logs Log Analytics/ SIEM Azure Diagnostics Azure Storage Rehydrate: “Forwarded Events” Flat files (IIS Logs) CEF formatted logs Azure Log Integration Standard Log Connector (ArcSigt, Splunk, etc) Azure APIs
- 23. Enable agility with security Tailors security recommendations based on the security policy defined for the subscription or resource group Guides users through the process of remediating security vulnerabilities Enables rapidly deployment of security services and appliances from Microsoft and partners (firewalls, endpoint protection, and more)
- 24. Prioritized recommendations take the guesswork out of security for resource owners
- 29. Monitoring your environments Hot path Enables real-time service feedback loop Example usage: service availability alerts (60s ingestion latency) Warm Path Enables diagnostics capabilities Example usage: Service degraded alerts, Informational alerts (5m ingestion latency) Cold Path System & Audit Logging Example usage: Statistics and reporting
- 31. Azure Scaffold https://azure.microsoft.com/en-us/documentation/articles/resource-manager-subscription-governance/ https://azure.microsoft.com/en-us/documentation/articles/resource-manager-subscription-examples/ https://github.com/karlkuhnhausen/azure-scaffold ARM Policies https://azure.microsoft.com/en-us/documentation/articles/resource-manager-policy/ Azure Security Centre https://azure.microsoft.com/en-us/services/security-center/ https://myignite.microsoft.com/videos/2752 Azure Monitor https://azure.microsoft.com/en-us/documentation/articles/monitoring-get-started/ https://myignite.microsoft.com/videos/4977 Naming Guidance https://azure.microsoft.com/en-gb/documentation/articles/guidance-naming-conventions/ Resource Locks https://azure.microsoft.com/en-us/documentation/articles/resource-group-lock-resources/
Editor's Notes
- Governance, broadly speaking, can be defined as providing the oversight to ensure that any change to the environment neither causes any degradation of function nor adds any new risks. But different people have very different perspectives on what is involved
- Technical, Business, Security, Scalability
- Conditional Access These are conditions that you can include in a conditional access policy: Group membership. Control a user's access based on membership in a group. Location. Use the location of the user to trigger multi-factor authentication, and use block controls when a user is not on a trusted network. Device platform. Use the device platform, such as iOS, Android, Windows Mobile, or Windows, as a condition for applying policy. Device-enabled. Device state, whether enabled or disabled, is validated during device policy evaluation. If you disable a lost or stolen device in the directory, it can no longer satisfy policy requirements. Sign-in and user risk. You can use Azure AD Identity Protection for conditional access risk policies. Conditional access risk policies help give your organization advance protection based on risk events and unusual sign-in activities.
- There are a few key differences between policy and role-based access control, but the first thing to understand is that policies and RBAC work together. To use policies, you must be authenticated through RBAC. Unlike RBAC, policy is a default allow and explicit deny system. RBAC focuses on the actions a user can perform at different scopes. For example, a particular user is added to the contributor role for a resource group at the desired scope, so the user can make changes to that resource group. Policy focuses on resource actions at various scopes. For example, through policies, you can control the types of resources that can be provisioned or restrict the locations in which the resources can be provisioned.
- Basically, a policy contains the following elements: Condition/Logical operators: a set of conditions that can be manipulated through a set of logical operators. Effect: what happens when the condition is satisfied – either deny or audit. An audit effect emits a warning event service log. For example, an administrator can create a policy that causes an audit event if anyone creates a large VM. The administrator can review the logs later. Policies and RBAC Work together Must be authenticated via RBAC to use policies RBAC is default deny, policies are default allow RBAC concerned with actions user can perform at a scope Policies focuses on resource actions and rules Policies Defined as JSON documents Policy supports three types of effect - deny, audit, and append. Deny generates an event in the audit log and fails the request Audit generates an event in audit log but does not fail the request Append adds the defined set of fields to the request For append, you must provide the following details:
- Applying ReadOnly can lead to unexpected results because some operations that seem like read operations actually require additional actions. For example, placing a ReadOnly lock on a storage account prevents all users from listing the keys. The list keys operation is handled through a POST request because the returned keys are available for write operations. For another example, placing a ReadOnly lock on an App Service resource prevents Visual Studio Server Explorer from displaying files for the resource because that interaction requires write access.
- Gain visibility and control Get a central view of the security state of all your Azure resources. At a glance, you could verify that the appropriate security controls are in place. And, you could quickly identify any resources that require attention. Enable secure DevOps Say ‘Yes’ to agility by enabling DevOps with policy-driven recommendations that guide resource owners through the process of implementing required controls – taking the guesswork out of cloud security. Stay ahead of threats Stay ahead of current and emerging threats with an integrated and analytics-driven approach. Detect actual threats earlier and reduce false alarms.
- Set security policies for subscriptions and resource groups Monitor the security state of resources – quickly identify vulnerabilities Gain insight into the security state of subscriptions in Power BI
- Prioritized recommendations take the guesswork out of security for resource owners