So much happy to help geeks coming with lot of perspectives / scenarios at ‘Speaker Q&A at Booth 2’.
It’s starts with talks and Ended at white board for one guy LOLZ..
I’m so happy to delivered my TALK on #AZURE #SECURITY at Microsoft Ignite The Tour #TORONTO -Day 1 (Jan 8th, 2020) Great Turnout with more than 250+ attendees, and even many didn’t get the seats!! THANKS for great feedback and lovely tweets 👍, much appreciated!! ☁️
Azure Governance provides mechanisms and processes to maintain control over your applications and resources in Azure. Azure customers get the most advanced set of governance capabilities. It involves planning your initiatives and setting strategic priorities. There should be a balance between “Agility” to the team and “Governance” to ensure team can work with best practices without compromising security and overhead cost.
Governance in Azure is primarily implemented with two services.
Azure Policy allows you to create, assign, and manage policy definitions to enforce rules for your resources. Stay compliant with internal and external regulations by configuring your templates using policies, access controls, resources, and then deploying them. This feature keeps those resources in compliance with your corporate standards.
Azure Cost Management allows you to track cloud usage and expenditures for your Azure resources and other cloud providers. Customers can ensure compliance at no additional cost, save significant amount of $ expenditures by proper resource management. Example drop unused resources, enable services like ‘Azure SQL Datawarehouse (ASDWH)’ ONLY when required. A lot of extra cost could be saved by automation of resources and correct storage decision.
- Azure Subscription
- Basic Azure knowledge
- Administrator Access
- PowerShell (Good to have)
Let’s start cloud journey and a journey without a target destination is just wandering. It’s important to establish a rough vision of the end state before taking the first step. It’s not company starting point, but it shows potential destination.
Corporate policies: Corporate policies drive cloud governance. The governance guide focuses on specific aspects of corporate policy:
- Business risks: Identifying and understanding corporate risks.
- Policy and compliance: Converting risks into policy statements that support any compliance requirements.
- Processes: Ensuring adherence to the stated policies.
Five Disciplines of Cloud Governance: These disciplines support the corporate policies. Each discipline protects the company from potential pitfalls:
- Cost Management
- Security Baseline
- Resource Consistency
- Identity Baseline
- Deployment Acceleration
Essentially, corporate policies serve as the early warning system to detect potential problems. The disciplines help the company manage risks.
The following infographic provides a frame of reference for the end state.
Following are the key components of the Governance for an Enterprise:
- Scope & Hierarchy
- Azure Resource Manager Templates
Resource group stay in a subscription; a subscription is container for the logically similar resources. Management group is additional level of hierarchy which help to administer subscriptions.
As per business need Management group hierarchy up to Six level (deep) can be created.
Access management for resources is a critical function for any organization. Role-based access control (RBAC) helps you to manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.
Following actions with RBAC:
• Allow one user to manage VM in a subscription and another user to manage virtual networks
• Allow a DBA group to manage SQL databases in a subscription
• Allow a user to manage all resources in a resource group, such as VM’s, websites, and subnets
• Allow an application to access all resources in a resource group
RBAC Recommended Practice
Using RBAC, you can isolate duties within your team and grant only the amount of access to users that they need to perform their jobs.
Instead of giving everybody open permissions in your Azure subscription or resources, you can allow only certain actions at a particular scope.
When planning your access control strategy, it’s a best practice to grant users the least privilege to get their work done. The following diagram shows a suggested pattern for using RBAC.
A security principal is an object that represents a user, group, service principal, or managed identity that is requesting access to Azure resources.
User – An individual who has a profile in Azure Active Directory. You can also assign roles to users in other tenants. For information about users in other organizations, see Azure Active Directory B2B.
Group – A set of users created in Azure Active Directory. When you assign a role to a group, all users within that group have that role.
Service principal – A security identity used by applications or services to access specific Azure resources. You can think of it as a user identity (username and password or certificate) for an application.
Managed identity – An identity in Azure Active Directory that is automatically managed by Azure. You typically use managed identities when developing cloud applications to manage the credentials for authenticating to Azure services.
FOUR FUNDAMENTAL built-in roles, please note ‘The first Three’ apply to all resource types:
Owner – Has full access to all resources including the right to delegate access to others.
Contributor – Can create and manage all types of Azure resources but can’t grant access to others.
Reader – Can view existing Azure resources.
User Access Administrator – Lets you manage user access to Azure resources.
- Go to the Portal and click on the All Services
- Search Users and Select Users
- Add ‘New Guest User’, give our Email Address and Hit Invite
- Invited Guest will get Email notification (Sample Email) and they need to Accept it.
Azure Policy allow us to have Real-time enforcement, compliance assessment and remediation at scale.
Let’s create new Policy
- Go to the Portal and type Policy in search window.
- Click on the Definition under Policy and give details:
Azure Resource Manager Template defines the resources you need to deploy for your solution.
Please note that Azure Resource Manager Template is a just a simple JSON file.
Blueprints enable quick creation of governed subscriptions. This allows Cloud Architects to design environments that comply with organizational standards and best practices – enabling your app teams to get to production faster.
The first step in defining a standard pattern for compliance is to compose a blueprint from the available resources. Here we will create a new blueprint to configure role and policy assignments for the subscription. Then we will add a new resource group, and create a Resource Manager template and role assignment on the new resource group.
- Select All services in the left pane. Search for and select Blueprints. We can create a blank Blueprint or sample Blueprint
- Select Blueprint definitions from the page on the left and select the + Create blueprint button at the top of the page.
Provide a Blueprint name such as DemoBlueprint. (Use up to 48 letters and numbers, but no spaces or special characters). Leave Blueprint description blank for now.
In the Definition location box, select the ellipsis on the right, select the management group or subscription where you want to save the blueprint, and choose Select.
- Add a role assignment at the subscription level
- Select the + Add artifact row under Subscription. The Add artifact window opens on the right side of the browser.
- Select Role assignment for Artifact type.
- Under Role, select Contributor. Leave the Add user, app or group box with the check box that indicates a dynamic parameter.
- Select Add to add this artifact to the blueprint.
Once you completed blueprint should look similar to the following.
Now that all the planned artifacts have been added to the blueprint, it’s time to publish it. Publishing makes the blueprint available to be assigned to a subscription.
- Select Blueprint definitions from the page on the left.
- In the list of blueprints, right-click the one you previously created and select Publish blueprint.
- In the pane that opens, provide a Version (letters, numbers, and hyphens with a maximum length of 20 characters), such as v1. Optionally, enter text in Change notes, such as First publish.
- Select Publish at the bottom of the page.
Select Publish at the bottom of the page.
Cost Management help enterprise with
- Analyze cloud costs
- Monitor with budgets
- Optimize with recommendations
Enterprise can easily understand Azure costs with
- Cost Analysis
- Cost alerts
- Advisor Recommendation
Bearing these factors in mind, it is important to consider how this applies to your organization. Any governance model will need to reflect the company’s strategic, compliance, and budgetary goals and requirements. One of first steps should be to model the organization’s hierarchy to map out the pattern for departments, accounts and subscriptions you will use in the Enterprise Portal.
Once you have taken billing and administrative factors into account to devise a subscription strategy, then the next step is to develop a centralized approach. The centralized approach makes it easier to build and maintain hybrid network connectivity, protect data sovereignty, and enforce compliance requirements within the environment.
Webinar: Be #IoT #Security Ninja- Protect & Processed #IoT #Solutions using Device to Cloud Messaging
Saturday, November 23, 2019
9:00 AM – 10:00 AM (1 hours)
Online Microsoft Teams Meeting
- Secure Your Business with Azure Security #Better #Everyday
- Understand the value of the Microsoft Azure IoT Hub and other Azure services for IoT solutions
- Build an end-to-end IoT solution that processes and analyzes data both in the field and in the cloud.
- Questions & Answers
- Ask Me Anything
Deepak Kaushik [Microsoft MVP]
Deepak is a Microsoft Azure MVP and C# corner MVP. He is currently working on architecting and building solutions around Microsoft Azure. He is passionate about technology and comes from a development background. He has also led various projects in the Infrastructure as a Service (IaaS) and Platform as a Service (PaaS).
Nik Shahriar [C# Corner MVP]
Azure IoT Hub Consultant, Snr Data Engineer, Snr Azure Data Integration Lead/Design, Snr BI Consultant , Snr Technical Team Lead, Snr Data Architect, Azure Stream Analytics,Azure IoT Edge, Azure Logic App, Azure Data Factory, C#MVP
Let’s strengthen your security with Azure As you might know that cloud security covers every assets like Azure Resources, Networking, Data Protection (structured & unstructured), Active directory and much more. Let’s see how new Azure innovations, couple of them announced on Nov 4th , 2019 at the Microsoft Ignite Conference able to help us across security, compliance, and identity needs.
- Azure Subscription
- Basic Azure knowledge
- Administrator Access
- PowerShell (Good to have)
As organizations considering and evaluating public cloud services like Azure, AWS etc., it is essential to explore how cloud service models will affect cost, security, compliance, ease of use and privacy. It is equally important that customers understand that how security and compliance are managed by the cloud solution provider, in this case Microsoft enable a safe computing solution.
Many organizations that consider public cloud computing like Azure mistakenly assume that after moving to the cloud their role in securing their data shifts most security and compliance responsibilities to the Microsoft- THIS IS NOT TRUE.
Please don’t assume your resources are automatically protected, while Azure does ensure a secure infrastructure, you are responsible for ensuring protection of your data – not Microsoft.
Azure by design should provide security for certain elements, such as the physical infrastructure and network elements, but customers must be aware of their own responsibilities. MICROSOFT may provide services to help protect data, but customers must also understand their role in protecting the security and privacy of their data. The best illustration of this issue involves the poor implementation of a password policy; a CSP’s best security measures will be defeated if users fail to use complex or difficult-to-guess passwords.
It’s all detailed in Microsoft’s Shared Responsibility Security Model. Understanding where the Shared Responsibility model starts and stops is critical to ensuring your data is secure and compliant.
Great News – Azure infrastructure adhered with many regulatory compliances like Azure CIS 1.1.0, PCI DSS 3.2.1, ISO 27001, SOC TSP providing 24×7 continuity from inside geographically dispersed datacenters.
In compliance with these standards, Microsoft provides security for physical assets, databases, monitoring and operations network infrastructure and availability. Within Azure, Microsoft assumes responsibility for general datacenter components such as compute hosts, datacenter assets, and the networks that connect them. Customers continue to be solely responsible for their user accounts, system endpoints, permissions/access controls and most importantly their data.
Customer data availability and integrity comes with the package when leveraging cloud, however retention, compliance, and rights management are the responsibility of the customer. Microsoft provides many features and tools (discussed below) to help with these challenges, but it is up to the customer to architect and implement the necessary policies and controls for their data.
Azure Security Defense is a strategy that employs a series of mechanisms to slow the advance of an attack aimed at acquiring unauthorized access to information. Each layer provides protection so that if one layer is breached, a subsequent layer is already in place to prevent further exposure.
Microsoft applies a layered approach to security, both in physical data centers and across Azure services. The objective of defense in depth is to protect and prevent information from being stolen by individuals who are not authorized to access it, Let’s take a look at each of the layers.
Hackers LOVE data, it’s so precious for everyone. Below are Data storage options:
- Stored in a database
- Stored on disk inside virtual machines
- Stored on a SaaS application such as Office 365
- Stored in cloud storage
Secure the data can be ensured by controlling access to data only to group of people who need it. Later part of this document we will see step to secure the Data.
Integrating security into the application development life cycle will help reduce the number of vulnerabilities introduced in code.
- Ensure applications are secure and free of vulnerabilities.
- Need to store sensitive application secrets in a secure storage medium like Key Vault .
- Make security a design requirement for all application development.
- Secure access to virtual machines.
- Implement endpoint protection and keep systems patched and current.
Malware, unpatched systems, and improperly secured systems open your environment to attacks. The focus in this layer is on making sure your compute resources are secure, and use the proper controls in place to minimize security issues.
- Limit communication between resources.
- Deny by default.
- Restrict inbound internet access and limit outbound, where appropriate.
- Implement secure connectivity to on-premises networks.
At this layer, the focus is on limiting the network connectivity across all your resources to allow only what is required. By limiting this communication, you reduce the risk of lateral movement throughout your network.
- Use distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for end users.
- Use perimeter firewalls to identify and alert on malicious attacks against your network.
At the network perimeter, it’s about protecting from network-based attacks against your resources. Identifying these attacks, eliminating their impact, and alerting you when they happen are important ways to keep your network secure.
- Control access to infrastructure and change control.
- Use single sign-on and multi-factor authentication.
- Audit events and changes.
The identity and access layer is all about ensuring identities are secure, access granted is only what is needed, and changes are logged.
- Physical building security and controlling access to computing hardware within the data center is the first line of defense.
With physical security, the intent is to provide physical safeguards against access to assets. This ensures that other layers can’t be bypassed, and loss or theft is handled appropriately.
Microsoft launch new product & services on Nov 4th, 2019 like “Azure Sentinel”. Azure Sentinel is available to help security analysts, collect data from a variety of sources, including Zscaler, Barracuda, and Citrix. In addition, Microsoft also releasing new hunting queries and machine learning-based detections to assist analysts in prioritizing the most important events.
Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers and provides advanced threat protection & remediation suggestions across your workloads in the cloud.
Here we can see total 8 recommendations from 5 unhealthy resources.
Let’s see ‘Compute & apps resources’ recommendation
Compute recommendation ‘Diagnostic logs in Azure Stream Analytics should be enabled’, Secure Score, Failed Resources and Severity details will be found.
More Details about threats like Data exfiltration and threat resistance and Information can be find by clicking the Description.
Now it’s the time to re-mediate it, so scroll down and let’s fix the remediation.
Fix the issue:
For Manual remediation, follow the steps as mentioned above, alternatively scroll down and select the ‘Unhealthy Resource’ and click Remediate
By Clicking Remediate 1 resource, you have mitigated Security vulnerability.
This is most secure and visualize platform. Azure ensure best Cloud security and rich tool-sets.
Need Cloud Security Solution for your Enterprise, please Contact me-Happy to help!!
Image Credit: Google
My deepest gratitude to all committed & working for #technologies . I always enjoying doodling with the Technologies and helping clients with Azure, IoT and other offering.
Please refer below:
Thanks C# Corner for recognizing me an influential Community Leader. On April 7th C#
Corner published this video. Thanks a lot to the technical fraternity.
Meet Featured Community Leader Deepak Kaushik, #MicrosoftMVP:
https://lnkd.in/fnvZ2et C# Corner Microsoft Azure #Azure
Leveraging IoT Device in Hydroelectric, Wind Power, Transformers, Heat Recovery & Power Stations and Azure Security Insight
“Azure IOT Coast 2 Coast” First Tour
Stream Big Data and Secure Your Data
Join Deepak and Nik for two presentation focusing on …
- Leveraging IoT Device in Hydroelectric, Wind Power, Transformers, Heat Recovery & Power Stations.
| Agenda / Topics |
IoT SolutionsAzure IoT Central (SaaS)
Azure IoT Solution Accelerator (PaaS)
PaaS Services & IoT Services
Azure IoT Central PortalSetting up a real IoT Device in to Azure IoT Central (demo).
Hydro/Power Transformers in Azure IoT central (demo).
|Nik – Shahriar Nikkhah|
- Azure security defenses you ought to know
|Agenda / Topics |
How Cloud Security is different & Better
Demo: Azure Advisor, Azure Security Center
Demo: Identity and access management
Advanced Threat Protection for your data
Venue: Sunrise Branch Library
3130 Woodhams Dr, Regina, SK S4V 2P9
Regina Saskatchewan CANADA
Time: 1 PM – 4 PM
Price: Free of cost
Parking: Free of cost
Nik is a consultant, Data engineer, tech lead, mentor and founder of “SQL Data Side Inc” and Co-Founder of “Azure IoT Coast 2 Coast”focusing on Microsoft Azure technologies.
Nik has over 25 years of experience in the data field beginning his career as a software developer and programmer who quickly focused on backend products such as SQL server and business intelligence, after the birth of cloud/azure technologies he started adding Azure IoT products to his list.
He is also a C# Corner MVP.
You can find out more about him and his presentation at this link. https://www.linkedin.com/in/nnikkhah/
Deepak is a Microsoft Azure MVP. He is the founder and Chapter Lead at C# Corner Regina Chapter and Co-Founder of “Azure IoT Coast 2 Coast” focusing on Microsoft Azure technologies.
He is also a C# Corner MVP. Find more about Deepak at
‘Azure IOT and Azure Defenses: Coast to Coast Tour’ announcing sessions at 3 different cities. We will be at:
Calgary on April 27th.
Saskatoon on May 3rd .
Regina on May 4th .
Join us for the great sessions on ‘IOT and Azure Coast to Coast’ at Saskatoon – Saskatchewan. Sessions will be held at Cliff Wright Branch Library on May 3rd
“Learn IoT Device Translator & Azure Security Insight”.
Venue: Cliff Wright Branch Library
Address: 1635 McKercher Dr, Saskatoon, SK S7H 5J9
Time: 5:30 PM – 8 PM
IoT Device Translator Nik Shahriar
6 PM-7 PM
- Environmental settings (Visual Studio Code, Arduino, …)
- IoT Hub translator architecture
- IoT Hub, Speech Service, Azure Function.
- Chinese to English, French to English, real demo
We will have Nik Shahriar from Toronto and he is presenting at Saskatoon and Regina.
Azure Security Insight Deepak
7:15 PM – 8:15 PM
- How Cloud Security is different & Better
- Demo: Azure Advisor, Azure Security Center
- Demo: Security Playbook & Identity and access management
- Advanced Threat Protection for your data
We will serve Pizza, Snacks and Beverages