Let's Build Azure Governance Foundation with me

Introduction

Azure Governance provides mechanisms and processes to maintain control over your applications and resources in Azure. Azure customers get the most advanced set of governance capabilities. It involves planning your initiatives and setting strategic priorities.  There should be a balance between “Agility” to the team and “Governance” to ensure team can work with best practices without compromising security and overhead cost.

Governance in Azure is primarily implemented with two services.

Azure Policy allows you to create, assign, and manage policy definitions to enforce rules for your resources. Stay compliant with internal and external regulations by configuring your templates using policies, access controls, resources, and then deploying them. This feature keeps those resources in compliance with your corporate standards.

Azure Cost Management allows you to track cloud usage and expenditures for your Azure resources and other cloud providers. Customers can ensure compliance at no additional cost, save significant amount of $ expenditures by proper resource management. Example drop unused resources, enable services like ‘Azure SQL Datawarehouse (ASDWH)’ ONLY when required. A lot of extra cost could be saved by automation of resources and correct storage decision.

Prerequisite

  1. Azure Subscription
  2. Basic Azure knowledge
  3. Administrator Access
  4. PowerShell (Good to have)

Five Disciplines of Cloud Governance

Let’s start cloud journey and a journey without a target destination is just wandering. It’s important to establish a rough vision of the end state before taking the first step. It’s not company starting point, but it shows potential destination.

Corporate policies: Corporate policies drive cloud governance. The governance guide focuses on specific aspects of corporate policy:

  • Business risks: Identifying and understanding corporate risks.
  • Policy and compliance: Converting risks into policy statements that support any compliance requirements.
  • Processes: Ensuring adherence to the stated policies.

Five Disciplines of Cloud Governance: These disciplines support the corporate policies. Each discipline protects the company from potential pitfalls:

  • Cost Management
  • Security Baseline
  • Resource Consistency
  • Identity Baseline
  • Deployment Acceleration

Essentially, corporate policies serve as the early warning system to detect potential problems. The disciplines help the company manage risks.

The following infographic provides a frame of reference for the end state.

Governance basics

Following are the key components of the Governance for an Enterprise:

  • Scope & Hierarchy
  • RBAC
  • Policy
  • Azure Resource Manager Templates

Scope & Hierarchy

Resource group stay in a subscription; a subscription is container for the logically similar resources.  Management group is additional level of hierarchy which help to administer subscriptions. 

As per business need Management group hierarchy up to Six level (deep) can be created.

Role-based access control

Access management for resources is a critical function for any organization. Role-based access control (RBAC) helps you to manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.

Following actions with RBAC:

• Allow one user to manage VM in a subscription and another user to manage virtual networks

• Allow a DBA group to manage SQL databases in a subscription

• Allow a user to manage all resources in a resource group, such as VM’s, websites, and subnets

• Allow an application to access all resources in a resource group

RBAC Recommended Practice

Using RBAC, you can isolate duties within your team and grant only the amount of access to users that they need to perform their jobs.

Instead of giving everybody open permissions in your Azure subscription or resources, you can allow only certain actions at a particular scope.

When planning your access control strategy, it’s a best practice to grant users the least privilege to get their work done. The following diagram shows a suggested pattern for using RBAC.

Security Principal

A security principal is an object that represents a user, group, service principal, or managed identity that is requesting access to Azure resources.

Security principal for a role assignment

User – An individual who has a profile in Azure Active Directory. You can also assign roles to users in other tenants. For information about users in other organizations, see Azure Active Directory B2B.

Group – A set of users created in Azure Active Directory. When you assign a role to a group, all users within that group have that role.

Service principal – A security identity used by applications or services to access specific Azure resources. You can think of it as a user identity (username and password or certificate) for an application.

Managed identity – An identity in Azure Active Directory that is automatically managed by Azure. You typically use managed identities when developing cloud applications to manage the credentials for authenticating to Azure services.

Azure Built-in Roles

FOUR FUNDAMENTAL built-in roles, please note ‘The first Three’ apply to all resource types:

Owner – Has full access to all resources including the right to delegate access to others.

Contributor – Can create and manage all types of Azure resources but can’t grant access to others.

Reader – Can view existing Azure resources.

User Access Administrator – Lets you manage user access to Azure resources.

Let’s Add some Roles for Enterprise

  1. Go to the Portal and click on the All Services
  1. Search Users and Select Users
  • Add ‘New Guest User’, give our Email Address and Hit Invite
  • Invited Guest will get Email notification (Sample Email) and they need to Accept it.

 

Azure Policy

Azure Policy allow us to have Real-time enforcement, compliance assessment and remediation at scale.

Let’s create new Policy

  1. Go to the Portal and type Policy in search window.
  • Click on the Definition under Policy and give details:

Policy best practices

Azure Resource Manager (ARM)

Azure Resource Manager Template defines the resources you need to deploy for your solution.

Please note that Azure Resource Manager Template is a just a simple JSON file.

Governance Strategy

New Compliance Product: Welcome Azure Blueprints (PREVIEW)

Blueprints enable quick creation of governed subscriptions. This allows Cloud Architects to design environments that comply with organizational standards and best practices – enabling your app teams to get to production faster.

Let’s Create Azure Blueprint for Enterprise 

The first step in defining a standard pattern for compliance is to compose a blueprint from the available resources. Here we will create a new blueprint to configure role and policy assignments for the subscription. Then we will add a new resource group, and create a Resource Manager template and role assignment on the new resource group.

  • Select All services in the left pane. Search for and select Blueprints. We can create a blank Blueprint or sample Blueprint
  • Select Blueprint definitions from the page on the left and select the + Create blueprint button at the top of the page.

Provide a Blueprint name such as DemoBlueprint. (Use up to 48 letters and numbers, but no spaces or special characters). Leave Blueprint description blank for now.

In the Definition location box, select the ellipsis on the right, select the management group or subscription where you want to save the blueprint, and choose Select.

  • Add a role assignment at the subscription level
  • Select the + Add artifact row under Subscription. The Add artifact window opens on the right side of the browser.
  • Select Role assignment for Artifact type.
  • Under Role, select Contributor. Leave the Add user, app or group box with the check box that indicates a dynamic parameter.
  • Select Add to add this artifact to the blueprint.

Once you completed blueprint should look similar to the following.

Publish a blueprint

Now that all the planned artifacts have been added to the blueprint, it’s time to publish it. Publishing makes the blueprint available to be assigned to a subscription.

  • Select Blueprint definitions from the page on the left.
  • In the list of blueprints, right-click the one you previously created and select Publish blueprint.
  • In the pane that opens, provide a Version (letters, numbers, and hyphens with a maximum length of 20 characters), such as v1. Optionally, enter text in Change notes, such as First publish.
  • Select Publish at the bottom of the page.

Select Publish at the bottom of the page.

Azure Cost Management

Cost Management help enterprise with

  • Analyze cloud costs
  • Monitor with budgets
  • Optimize with recommendations

Enterprise can easily understand Azure costs with

  • Cost Analysis
  • Cost alerts
  • Budgets
  • Advisor Recommendation
  • Cloudyn

Conclusion

Bearing these factors in mind, it is important to consider how this applies to your organization. Any governance model will need to reflect the company’s strategic, compliance, and budgetary goals and requirements. One of first steps should be to model the organization’s hierarchy to map out the pattern for departments, accounts and subscriptions you will use in the Enterprise Portal.

Once you have taken billing and administrative factors into account to devise a subscription strategy, then the next step is to develop a centralized approach. The centralized approach makes it easier to build and maintain hybrid network connectivity, protect data sovereignty, and enforce compliance requirements within the environment.

References

https://docs.microsoft.com/en-us/azure/governance/azure-management

https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/govern/index

https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/govern/guides/standard/

IoT Coast 2 Coast Webinar: Be #IoT #Security Ninja- Protect & Processed #IoT #Solutions using Device to Cloud Messaging

Webinar: Be #IoT #Security Ninja- Protect & Processed #IoT #Solutions using Device to Cloud Messaging

Saturday, November 23, 2019

9:00 AM – 10:00 AM (1 hours)

Online Microsoft Teams Meeting

Session Details:

  • Secure Your Business with Azure Security #Better #Everyday
  • Understand the value of the Microsoft Azure IoT Hub and other Azure services for IoT solutions
  • Build an end-to-end IoT solution that processes and analyzes data both in the field and in the cloud.
  • Questions & Answers
  • Ask Me Anything

Speakers:

Deepak Kaushik [Microsoft MVP]

Deepak is a Microsoft Azure MVP and C# corner MVP. He is currently working on architecting and building solutions around Microsoft Azure. He is passionate about technology and comes from a development background. He has also led various projects in the Infrastructure as a Service (IaaS) and Platform as a Service (PaaS). 

Nik  Shahriar [C# Corner MVP]


Azure IoT Hub Consultant, Snr Data Engineer, Snr Azure Data Integration Lead/Design, Snr BI Consultant , Snr Technical Team Lead, Snr Data Architect, Azure Stream Analytics,Azure IoT Edge, Azure Logic App, Azure Data Factory, C#MVP

 ________________________________________________________________________________

Join Microsoft Teams Meeting

Link: https://teams.microsoft.com/l/meetup-join/19%3ameeting_YjgyMDkwYjItNDMyOS00YzA2LThhNTQtMTQ5Mjg5ZmVlZWMy%40thread.v2/0?context=%7b%22Tid%22%3a%2258ec5f12-8c9c-4b91-b548-3a4526550560%22%2c%22Oid%22%3a%221ae56dba-cf66-4777-aeff-cc4abbc451a0%22%7d

Learn more about Teams | Meeting options

Register here:

https://www.eventbrite.com/e/be-iot-security-ninja-protect-processed-iot-solutions-using-device-t-tickets-82682673101?ref=estw

Let’s Build Azure Security Foundation for your Enterprise

Introduction

Let’s strengthen your security with Azure As you might know that cloud security covers every assets like Azure Resources, Networking, Data Protection (structured & unstructured), Active directory and much more. Let’s see how new Azure innovations, couple of them announced on Nov 4th , 2019 at the Microsoft Ignite Conference able to help us across security, compliance, and identity needs.

Prerequisite

  1. Azure Subscription
  2. Basic Azure knowledge
  3. Administrator Access
  4. PowerShell (Good to have)

Moving to the cloud

As organizations considering and evaluating public cloud services like Azure, AWS etc., it is essential to explore how cloud service models will affect cost, security, compliance, ease of use and privacy. It is equally important that customers understand that how security and compliance are managed by the cloud solution provider, in this case Microsoft enable a safe computing solution.

Many organizations that consider public cloud computing like Azure mistakenly assume that after moving to the cloud their role in securing their data shifts most security and compliance responsibilities to the Microsoft- THIS IS NOT TRUE.

Please don’t assume your resources are automatically protected, while Azure does ensure a secure infrastructure, you are responsible for ensuring protection of your data – not Microsoft.

Azure by design should provide security for certain elements, such as the physical infrastructure and network elements, but customers must be aware of their own responsibilities. MICROSOFT may provide services to help protect data, but customers must also understand their role in protecting the security and privacy of their data. The best illustration of this issue involves the poor implementation of a password policy; a CSP’s best security measures will be defeated if users fail to use complex or difficult-to-guess passwords.

It’s all detailed in Microsoft’s Shared Responsibility Security Model. Understanding where the Shared Responsibility model starts and stops is critical to ensuring your data is secure and compliant. 

Welcome to Share Responsibility Security Model

Great News – Azure infrastructure adhered with many regulatory compliances like Azure CIS 1.1.0, PCI DSS 3.2.1, ISO 27001, SOC TSP providing 24×7 continuity from inside geographically dispersed datacenters.

In compliance with these standards, Microsoft provides security for physical assets, databases, monitoring and operations network infrastructure and availability. Within Azure, Microsoft assumes responsibility for general datacenter components such as compute hosts, datacenter assets, and the networks that connect them. Customers continue to be solely responsible for their user accounts, system endpoints, permissions/access controls and most importantly their data.

Customer data availability and integrity comes with the package when leveraging cloud, however retention, compliance, and rights management are the responsibility of the customer. Microsoft provides many features and tools (discussed below) to help with these challenges, but it is up to the customer to architect and implement the necessary policies and controls for their data.

A layered approach to security

Azure Security Defense is a strategy that employs a series of mechanisms to slow the advance of an attack aimed at acquiring unauthorized access to information. Each layer provides protection so that if one layer is breached, a subsequent layer is already in place to prevent further exposure.

Microsoft applies a layered approach to security, both in physical data centers and across Azure services. The objective of defense in depth is to protect and prevent information from being stolen by individuals who are not authorized to access it, Let’s take a look at each of the layers.

Data

Hackers LOVE data, it’s so precious for everyone. Below are Data storage options:

  • Stored in a database
  • Stored on disk inside virtual machines
  • Stored on a SaaS application such as Office 365
  • Stored in cloud storage

Secure the data can be ensured by controlling access to data only to group of people who need it. Later part of this document we will see step to secure the Data.

Application

Integrating security into the application development life cycle will help reduce the number of vulnerabilities introduced in code.

  • Ensure applications are secure and free of vulnerabilities.
  • Need to store sensitive application secrets in a secure storage medium like Key Vault .
  • Make security a design requirement for all application development.

Compute

  • Secure access to virtual machines.
  • Implement endpoint protection and keep systems patched and current.

Malware, unpatched systems, and improperly secured systems open your environment to attacks. The focus in this layer is on making sure your compute resources are secure, and use the proper controls in place to minimize security issues.

Networking

  • Limit communication between resources.
  • Deny by default.
  • Restrict inbound internet access and limit outbound, where appropriate.
  • Implement secure connectivity to on-premises networks.

At this layer, the focus is on limiting the network connectivity across all your resources to allow only what is required. By limiting this communication, you reduce the risk of lateral movement throughout your network.

Perimeter

  • Use distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for end users.
  • Use perimeter firewalls to identify and alert on malicious attacks against your network.

At the network perimeter, it’s about protecting from network-based attacks against your resources. Identifying these attacks, eliminating their impact, and alerting you when they happen are important ways to keep your network secure.

Identity and access

  • Control access to infrastructure and change control.
  • Use single sign-on and multi-factor authentication.
  • Audit events and changes.

The identity and access layer is all about ensuring identities are secure, access granted is only what is needed, and changes are logged.

Physical security

  • Physical building security and controlling access to computing hardware within the data center is the first line of defense.

With physical security, the intent is to provide physical safeguards against access to assets. This ensures that other layers can’t be bypassed, and loss or theft is handled appropriately.

1.    Azure Sentinel

Microsoft launch new product & services on Nov 4th, 2019 like “Azure Sentinel”.  Azure Sentinel is available to help security analysts, collect data from a variety of sources, including Zscaler, Barracuda, and Citrix. In addition, Microsoft also releasing new hunting queries and machine learning-based detections to assist analysts in prioritizing the most important events.

2.    Azure Security Center

Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers and provides advanced threat protection & remediation suggestions across your workloads in the cloud.

Here we can see total 8 recommendations from 5 unhealthy resources.

Let’s see ‘Compute & apps resources’ recommendation

Compute recommendation ‘Diagnostic logs in Azure Stream Analytics should be enabled’, Secure Score, Failed Resources and Severity details will be found.

More Details about threats like Data exfiltration and threat resistance and Information can be find by clicking the Description.

Now it’s the time to re-mediate it, so scroll down and let’s fix the remediation.

Fix the issue:

For Manual remediation, follow the steps as mentioned above, alternatively scroll down and select the ‘Unhealthy Resource’ and click Remediate

By Clicking Remediate 1 resource, you have mitigated Security vulnerability.

This is most secure and visualize platform.  Azure ensure best Cloud security and rich tool-sets.  

Need Cloud Security Solution for your Enterprise, please Contact me-Happy to help!!

Image Credit: Google

20 Must follow #Microsoft #Azure #influencers on Twitter

I am so grateful and incredibly humbled to acknowledge as ‘ 20 Must follow #Microsoft #Azure #influencers on Twitter ‘.

My deepest gratitude to all committed & working for #technologies . I always enjoying doodling with the Technologies and helping clients with Azure, IoT and other offering.

Please refer below:

https://www.nigelfrank.com/blog/top-20-microsoft-azure-influencers-on-twitter/

Source: https://www.nigelfrank.com/blog/top-20-microsoft-azure-influencers-on-twitter/

Join us in Regina and learn ‘Leveraging IoT Device in Hydroelectric, Wind Power, Transformers, Heat Recovery & Power Stations and Azure Security Insight’

Leveraging IoT Device in Hydroelectric, Wind Power, Transformers, Heat Recovery & Power Stations and Azure Security Insight

“Azure IOT Coast 2 Coast” First Tour

Stream Big Data and Secure Your Data

Join Deepak and Nik for two presentation focusing on …

  1. Leveraging IoT Device in Hydroelectric, Wind Power, Transformers, Heat Recovery & Power Stations.
Agenda / Topics
IoT SolutionsAzure IoT Central (SaaS)
Azure IoT Solution Accelerator (PaaS)
PaaS Services & IoT Services
Azure IoT Central PortalSetting up a real IoT Device in to Azure IoT Central (demo).
Hydro/Power Transformers in Azure IoT central (demo).  
Nik – Shahriar Nikkhah
  • Azure security defenses you ought to know
Agenda / Topics
How Cloud Security is different & Better
Demo: Azure Advisor, Azure Security Center
Demo: Identity and access management
Advanced Threat Protection for your data  
Deepak Kaushik

Venue: Sunrise Branch Library

  3130 Woodhams Dr, Regina, SK S4V 2P9

  Regina Saskatchewan CANADA

Time:               1 PM – 4 PM

Price:               Free of cost

Parking:           Free of cost 

Speaker Details:


Nik Shahriar:

Nik

Nik is a consultant, Data engineer, tech lead, mentor and founder of “SQL Data Side Inc” and Co-Founder of “Azure IoT Coast 2 Coast”focusing on Microsoft Azure technologies.

Nik has over 25 years of experience in the data field beginning his career as a software developer and programmer who quickly focused on backend products such as SQL server and business intelligence, after the birth of cloud/azure technologies he started adding Azure IoT products to his list.

He is also a C# Corner MVP.

You can find out more about him and his presentation at this link. https://www.linkedin.com/in/nnikkhah/

Deepak Kaushik

Deepak

Deepak is a Microsoft Azure MVP. He is the founder and Chapter Lead at C# Corner Regina Chapter and Co-Founder of “Azure IoT Coast 2 Coast” focusing on Microsoft Azure technologies.

He is also a C# Corner MVP. Find more about Deepak at

https://deepak-kaushik.com/

https://www.linkedin.com/in/davekaushik/

Sponsors:        —

Learn IoT Device Translator & Azure Security Insight at Saskatoon

‘Azure IOT and Azure Defenses: Coast to Coast Tour’ announcing sessions at 3 different cities. We will be at:

Calgary on April 27th.

Saskatoon on May 3rd .

Regina on May 4th  .

Join us for the great sessions on ‘IOT and Azure Coast to Coast’ at Saskatoon – Saskatchewan. Sessions will be held at Cliff Wright Branch Library on May 3rd

“Learn IoT Device Translator & Azure Security Insight”.

Venue: Cliff Wright Branch Library

Address: 1635 McKercher Dr, Saskatoon, SK S7H 5J9

Free Parking

Time: 5:30 PM – 8 PM

IoT Device Translator Nik Shahriar

6 PM-7 PM

Nik Shahriar 
  • Environmental settings (Visual Studio Code, Arduino, …)
  • IoT Hub translator architecture
  • IoT Hub, Speech Service, Azure Function.
  • Chinese to English, French to English, real demo

We will have Nik Shahriar from Toronto and he is presenting at Saskatoon and Regina.

Azure Security Insight Deepak

Deepak

7:15 PM – 8:15 PM

  • How Cloud Security is different & Better
  • Demo: Azure Advisor, Azure Security Center
  • Demo: Security Playbook & Identity and access management
  • Advanced Threat Protection for your data

We will serve Pizza, Snacks and Beverages

Learn Transfer Learning for AI & Azure Defenses

Join us for a new webinar on “Learn Transfer Learning for AI & Azure Defenses”. Transfer learning is embracing the concept of artificial general intelligence. Artificial general intelligence is leading us to make intelligent machines with less computations and data. We can use one pre-trained network for multiple tasks through transfer learning and get better accuracy with least amount of data. In this session, we will talk about different approaches of transfer learning and ways to use it. 

 Event URL:TBD

Time:
March 09, 2019 9:00 AM (CT) 

Agenda:

Protect yourself by using Awesome Azure defenses

  • How Cloud Security is different & Better
  • Demo: Azure Advisor, Azure Security Center
  • Demo: Security Playbook & Identity and access management
  • Advanced Threat Protection for your data

Transfer Learning for Artificial General Intelligence

  • Artificial general intelligence is leading us to make intelligent machines with less computations and data
  • Use one pre-trained network for multiple tasks through transfer learning
  • Different approaches of transfer learning and ways to use it.
  • Demo

Session details are as follows, 

Protect yourself by using Awesome Azure defenses
Deepak Kaushik
09:00 AM – 09:45 AM
Transfer Learning for Artificial General Intelligence
Rahat Yasir09:45 AM – 10:30 AM

Learn Deep Learning Best Practices & Azure Storage

Join us for webinar on “Deep Learning Best Practices for Run time Optimization & Performance Acceleration” and “Why you need to Store your data in Azure”. 

Event URL:https://goo.gl/76aMSm

March 02, 2019 9:00 AM (CT)

Agenda:Deep Learning Best Practices for Run time Optimization and Performance Acceleration

  • Deep Learning is one of the most advanced AI algorithms of the world now.
  • Deep learning applications on second category and third category data takes a lot of time and resources. We will share the best ways for data augmentation, run time optimization and performance acceleration with less data.

Why you need to Store your data in Azure

  • Why Azure storage?
  • Introduction to Azure storage options
  • Demo: Creating data stores in Azure Portal
  • Introduction to Cosmos DB
  • Demo: Cosmos DB

Session details are as follows, 

Deep Learning is one of the most advanced AI algorithms
Rahat Yasir09:00 AM – 09:45 AM
Why you need to Store your data in Azure
Deepak Kaushik
09:45 AM – 10:30 AM

Please have ‘Recording’ of session

My Interview at ‘The Voice Of Saskatoon’

On Cold Sunday morning of Feb 10, 2019 at 8 AM, feel like temperature – 30°C 🙂 (outside) , I appeared at ‘The Voice of Saskatoon’ CFCR FM 90.5 .

But it was such a warm welcome by an amazing team of ‘The Voice Of Saskatoon’ !!

It was a Live event on Facebook and Radio and I’m super happy to talk about #Azure #Cloud #Technology # Future Technology changes etc.

I want to thanks both ‘Viewers (Facebook Live)’ and ‘Listerners (Radio)’ for incredible questions and feedback.

I also shared, how I started ‘First C# Corner Chapter’ in Canada and Future/ Upcoming events of Saskatchewan Chapter.

If you are a University or College Student, feel free to connect me for mentoring.

I will also like to grab a coffee with professionals, if they have specific cloud related queries/questions.  

Thanks everyone for such sweet and lovely comments ! Thank you great hosts, it has been such an enriching morning meeting with you folks !

Here is video Recording

Thanks for your time and see you later..