So happy to help the geeks who came with lots of perspectives / scenarios at ‘Speaker Q&A at Booth 2’.
It started with talks and ended at the whiteboard for one guy, LOL.
I’m so happy to have delivered my TALK on #AZURE #SECURITY at Microsoft Ignite The Tour #TORONTO - Day 1 (Jan 8th, 2020). Great turnout with more than 250 attendees, and many didn’t even get seats!! THANKS for the great feedback and lovely tweets 👍, much appreciated!! ☁️
Azure Governance is the set of mechanisms and processes that keep control over your applications and resources in Azure. It involves planning your initiatives and setting strategic priorities, and it has to strike a balance between the “agility” the team needs and the “governance” that keeps the team on best practices without compromising security or running up cost.
Two services do much of the governance work in Azure.
Azure Policy allows you to create, assign, and manage policy definitions that enforce rules on your resources. A definition states a condition (for example, an allowed set of regions or a required tag) and an effect (audit, deny, or deploy-if-not-exists); assigned at a management group, subscription, or resource group scope, it keeps new and existing resources in line with your corporate standards and with internal and external regulations.
Azure Cost Management lets you track cloud usage and spend for your Azure resources (and, through connectors, other cloud providers) and is included with Azure at no extra charge. Proper resource management saves real money: drop unused resources, and turn on expensive services such as ‘Azure SQL Data Warehouse (ASDWH)’ ONLY when they are needed. Automating the resource lifecycle and choosing the right storage tier can save a lot of extra cost.
Let’s start the cloud journey. A journey without a target destination is just wandering, so it’s important to establish a rough vision of the end state before taking the first step. It isn’t the company’s starting point, but it shows a potential destination.
Corporate policies: Corporate policies drive cloud governance. The governance guide focuses on specific aspects of corporate policy:
Five Disciplines of Cloud Governance: These disciplines (Cost Management, Security Baseline, Identity Baseline, Resource Consistency, and Deployment Acceleration) support the corporate policies. Each discipline protects the company from potential pitfalls:
Essentially, corporate policies serve as the early warning system that detects potential problems, and the disciplines help the company manage the resulting risks.
The following infographic provides a frame of reference for the end state.
The key components of governance for an enterprise are:
Resources live in resource groups, a resource group lives in a subscription, and a subscription is the container (and billing boundary) for logically related resources. Management groups add a level of hierarchy above subscriptions so that policy and access can be administered across many subscriptions at once.
The management group hierarchy can be up to six levels deep (not counting the root management group and the subscription level), as the business needs.
Access management for resources is a critical function for any organization. Role-based access control (RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and which areas (scopes) they have access to.
Examples of what you can do with RBAC:
• Allow one user to manage VMs in a subscription and another user to manage virtual networks
• Allow a DBA group to manage SQL databases in a subscription
• Allow a user to manage all resources in a resource group, such as VMs, websites, and subnets
• Allow an application to access all resources in a resource group
RBAC Recommended Practice
Using RBAC, you can separate duties within your team and grant users only the amount of access they need to perform their jobs.
Instead of giving everybody open permissions on your Azure subscription or resources, you allow only certain actions at a particular scope.
When planning your access control strategy, it’s a best practice to grant users the least privilege needed to get their work done, at the narrowest scope that works. The following diagram shows a suggested pattern for using RBAC.
A security principal is an object that represents a user, group, service principal, or managed identity that is requesting access to Azure resources.
User – An individual who has a profile in Azure Active Directory. You can also assign roles to users in other tenants. For information about users in other organizations, see Azure Active Directory B2B.
Group – A set of users created in Azure Active Directory. When you assign a role to a group, all users within that group have that role.
Service principal – A security identity used by applications or services to access specific Azure resources. You can think of it as a user identity (username and password or certificate) for an application.
Managed identity – An identity in Azure Active Directory that is automatically managed by Azure. You typically use managed identities when developing cloud applications to manage the credentials for authenticating to Azure services.
There are FOUR fundamental built-in roles; note that the first three apply to all resource types:
Owner – Has full access to all resources including the right to delegate access to others.
Contributor – Can create and manage all types of Azure resources but can’t grant access to others.
Reader – Can view existing Azure resources.
User Access Administrator – Lets you manage user access to Azure resources.
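As an added example (not code from the original post), the following Python models how Azure RBAC resolves a request: role assignments are inherited down the management group → subscription → resource group → resource chain, the effective permission is the union of all matching assignments, and within a role NotActions subtracts from Actions. The role definitions are the four built-ins above (Contributor’s NotActions list is abbreviated to its Microsoft.Authorization entries); the scopes, principals, group membership and assignments are constructed for the illustration.

```python
from fnmatch import fnmatchcase

# Built-in role definitions, abbreviated. Owner and Contributor both carry
# Actions "*"; what stops Contributor from granting access is its NotActions
# list (only the authorization entries are reproduced here). Azure compares
# action strings case-insensitively and "*" matches across "/".
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        "not_actions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "not_actions": [],
    },
}

# Constructed hierarchy for the example: root management group -> "platform"
# management group -> subscription -> resource group -> VM. Each scope maps
# to its parent; a real tenant may nest management groups up to six deep.
MG = "/providers/Microsoft.Management/managementGroups/"
SUB = "/subscriptions/sub-prod"
RG = SUB + "/resourceGroups/rg-app"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
PARENT = {MG + "platform": MG + "tenant-root", SUB: MG + "platform", RG: SUB, VM: RG}

# Constructed assignments: (principal, role, scope). Roles assigned to a
# group flow to its members.
ASSIGNMENTS = [
    ("alice", "Reader", MG + "tenant-root"),
    ("alice", "Contributor", RG),
    ("ops-team", "Owner", MG + "platform"),
    ("app-sp", "Reader", RG),
]
MEMBERS = {"ops-team": {"bob"}}


def _match(pattern, action):
    return fnmatchcase(action.lower(), pattern.lower())


def role_permits(role_name, action):
    """A role permits an action when an Actions pattern matches and no
    NotActions pattern does. NotActions subtracts from Actions; it is not a
    deny, so another assignment can still grant the same action."""
    role = ROLES[role_name]
    if not any(_match(p, action) for p in role["actions"]):
        return False
    return not any(_match(p, action) for p in role["not_actions"])


def scope_chain(scope):
    """The target scope followed by each ancestor up to the root."""
    while scope is not None:
        yield scope
        scope = PARENT.get(scope)


def principals_for(user):
    return {user} | {g for g, members in MEMBERS.items() if user in members}


def is_allowed(user, action, scope):
    """Effective permission = union of every assignment to the user (or a
    group containing the user) at the target scope or an ancestor scope."""
    chain = set(scope_chain(scope))
    who = principals_for(user)
    return any(role_permits(role, action)
               for principal, role, s in ASSIGNMENTS
               if principal in who and s in chain)


if __name__ == "__main__":
    checks = [
        ("alice", "Microsoft.Compute/virtualMachines/write", VM),
        ("alice", "Microsoft.Authorization/roleAssignments/write", VM),
        ("alice", "Microsoft.Compute/virtualMachines/write", SUB),
        ("bob", "Microsoft.Authorization/roleAssignments/write", VM),
    ]
    for user, action, scope in checks:
        print(f"{user:6} {action:48} {scope.split('/')[-1]:12} -> {is_allowed(user, action, scope)}")
```

The alice checks show why “least privilege at the narrowest scope” matters: Contributor on the resource group is enough to manage the VM, but its NotActions stop it from handing out role assignments, and it does not reach up to the subscription, where alice only inherits Reader from the root management group. Real Azure layers deny assignments (for example from Blueprints) and role-assignment conditions on top of this; the block does not model those.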
Azure Policy gives us real-time enforcement, compliance assessment, and remediation at scale.
Let’s create a new policy.
An Azure Resource Manager (ARM) template defines the resources you need to deploy for your solution.
Note that an ARM template is just a JSON file, which is what lets you keep it in source control and check it against policy before anything is deployed.
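As an added example (not from the original post), here is a small Python evaluator for the `if`/`then` language of Azure Policy definitions, run offline over the `resources` array of a constructed ARM template. It covers `field`, `equals`/`notEquals`, `in`/`notIn`, `exists`, `allOf`/`anyOf`/`not` and `[parameters('…')]` references, which is enough to express the two definitions shown (modeled on the built-in ‘Allowed locations’ and ‘Secure transfer to storage accounts should be enabled’ policies). The alias table, the template and the parameter values are assumptions for the example; Azure’s own engine has many more conditions and thousands of aliases.

```python
import re

# Simplified alias table: Azure Policy addresses resource properties through
# aliases. The name below is a real alias, mapped here by hand to its
# property path; the real alias catalogue is far larger.
ALIASES = {
    "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": ("properties", "supportsHttpsTrafficOnly"),
}
_PARAM = re.compile(r"^\[parameters\('(\w+)'\)\]$")

def resolve(value, params):
    """Substitute a "[parameters('name')]" reference with the assigned value."""
    if isinstance(value, str):
        m = _PARAM.match(value)
        if m:
            return params[m.group(1)]
    return value

def field_value(resource, field):
    """Read a policy 'field': a top-level property, tags[...] or an alias."""
    if field in ("type", "location", "name", "kind"):
        return resource.get(field)
    if field.startswith("tags[") and field.endswith("]"):
        return (resource.get("tags") or {}).get(field[5:-1].strip("'"))
    node = resource
    for key in ALIASES[field]:  # KeyError for an alias this example does not model
        if not isinstance(node, dict) or key not in node:
            return None  # property absent: the field does not "exist"
        node = node[key]
    return node

def _norm(value):
    """Policy compares strings case-insensitively and booleans as "true"/"false"."""
    if isinstance(value, bool):
        return str(value).lower()
    return value.lower() if isinstance(value, str) else value

def matches(cond, resource, params):
    """Evaluate one policyRule 'if' condition against one resource."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    actual = _norm(field_value(resource, cond["field"]))
    if "exists" in cond:
        return (actual is not None) == (_norm(resolve(cond["exists"], params)) == "true")
    if "equals" in cond:
        return actual == _norm(resolve(cond["equals"], params))
    if "notEquals" in cond:
        return actual != _norm(resolve(cond["notEquals"], params))
    if "in" in cond:
        return actual in [_norm(v) for v in resolve(cond["in"], params)]
    if "notIn" in cond:
        return actual not in [_norm(v) for v in resolve(cond["notIn"], params)]
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(definition, params, resources):
    """Return {resource name: effect} for every resource the rule fires on."""
    rule = definition["policyRule"]
    effect = _norm(resolve(rule["then"]["effect"], params))
    return {r["name"]: effect for r in resources if matches(rule["if"], r, params)}

# Constructed definitions modeled on the built-ins "Allowed locations" and
# "Secure transfer to storage accounts should be enabled" (mode is ignored here).
ALLOWED_LOCATIONS = {
    "mode": "Indexed",
    "parameters": {"allowedLocations": {"type": "Array"}},
    "policyRule": {
        "if": {"not": {"field": "location", "in": "[parameters('allowedLocations')]"}},
        "then": {"effect": "deny"},
    },
}
SECURE_TRANSFER = {
    "mode": "Indexed",
    "parameters": {"effect": {"type": "String", "defaultValue": "Audit"}},
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"anyOf": [
                {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "exists": "false"},
                {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "equals": "false"},
            ]},
        ]},
        "then": {"effect": "[parameters('effect')]"},
    },
}

# Constructed ARM template: one hardened storage account, one that still
# accepts plain HTTP, and a virtual network declared outside Canada.
TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2019-06-01", "name": "stlogs",
         "location": "canadacentral", "sku": {"name": "Standard_LRS"}, "kind": "StorageV2",
         "properties": {"supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2"}},
        {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2019-06-01", "name": "stlegacy",
         "location": "canadacentral", "sku": {"name": "Standard_LRS"}, "kind": "StorageV2",
         "properties": {"supportsHttpsTrafficOnly": False}},
        {"type": "Microsoft.Network/virtualNetworks", "apiVersion": "2019-11-01", "name": "vnet-eu",
         "location": "westeurope", "properties": {"addressSpace": {"addressPrefixes": ["10.0.0.0/16"]}}},
    ],
}

def check_template(template, allowed_locations):
    """Pre-deployment gate: what each policy would do to each declared resource."""
    resources = template["resources"]
    return {
        "allowed-locations": evaluate(ALLOWED_LOCATIONS, {"allowedLocations": allowed_locations}, resources),
        "secure-transfer": evaluate(SECURE_TRANSFER, {"effect": "Deny"}, resources),
    }

if __name__ == "__main__":
    print(check_template(TEMPLATE, ["canadacentral", "canadaeast"]))
```

Running the policy JSON over the template before deployment flags the westeurope virtual network and the storage account that still accepts HTTP, which is the practical payoff of the template being “just JSON”: both the policy and the template can be linted in a pipeline, and the `effect` parameter lets the same definition be assigned as Audit in a dev subscription and Deny in production.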
Blueprints enable quick creation of governed subscriptions. They let cloud architects design environments that comply with organizational standards and best practices, so that app teams get to production faster.
The first step in defining a standard pattern for compliance is to compose a blueprint from the available artifacts. Here we will create a new blueprint that configures role and policy assignments for the subscription. Then we will add a new resource group, and add a Resource Manager template and a role assignment on the new resource group.
Provide a Blueprint name such as DemoBlueprint (up to 48 letters and numbers, no spaces or special characters). Leave Blueprint description blank for now.
In the Definition location box, select the ellipsis on the right, select the management group or subscription where you want to save the blueprint, and choose Select.
Once completed, the blueprint should look similar to the following.
Now that all the planned artifacts have been added to the blueprint, it’s time to publish it. Publishing makes the blueprint available to be assigned to a subscription.
Select Publish at the bottom of the page.
Cost Management helps the enterprise with:
Enterprises can easily understand Azure costs with:
Bearing these factors in mind, it is important to consider how this applies to your organization. Any governance model needs to reflect the company’s strategic, compliance, and budgetary goals and requirements. One of the first steps should be to model the organization’s hierarchy to map out the pattern of departments, accounts, and subscriptions you will use in the Enterprise Portal.
Once you have taken billing and administrative factors into account and devised a subscription strategy, the next step is to develop a centralized approach. A centralized approach makes it easier to build and maintain hybrid network connectivity, protect data sovereignty, and enforce compliance requirements within the environment.
Webinar: Be an #IoT #Security Ninja - Protect & Process #IoT #Solutions using Device to Cloud Messaging
Saturday, November 23, 2019
9:00 AM – 10:00 AM (1 hour)
Online Microsoft Teams Meeting
Deepak Kaushik [Microsoft MVP]
Deepak is a Microsoft Azure MVP and C# Corner MVP. He is currently working on architecting and building solutions around Microsoft Azure. He is passionate about technology and comes from a development background. He has also led various projects in Infrastructure as a Service (IaaS) and Platform as a Service (PaaS).
Nik Shahriar [C# Corner MVP]
Azure IoT Hub Consultant, Snr Data Engineer, Snr Azure Data Integration Lead/Design, Snr BI Consultant, Snr Technical Team Lead, Snr Data Architect, Azure Stream Analytics, Azure IoT Edge, Azure Logic App, Azure Data Factory, C# MVP
Let’s strengthen your security with Azure. As you may know, cloud security covers every asset: Azure resources, networking, data protection (structured and unstructured), Active Directory, and much more. Let’s see how new Azure innovations, a couple of them announced on Nov 4th, 2019 at the Microsoft Ignite conference, can help us across security, compliance, and identity needs.
As organizations consider and evaluate public cloud services like Azure and AWS, it is essential to explore how cloud service models affect cost, security, compliance, ease of use, and privacy. It is equally important that customers understand how security and compliance are managed by the cloud service provider, in this case Microsoft, to arrive at a safe computing solution.
Many organizations that consider public cloud computing like Azure mistakenly assume that after moving to the cloud most of their security and compliance responsibilities shift to Microsoft. THIS IS NOT TRUE.
Please don’t assume your resources are automatically protected. While Azure does provide a secure infrastructure, you, not Microsoft, are responsible for protecting your data.
Azure by design provides security for certain elements, such as the physical infrastructure and network elements, but customers must be aware of their own responsibilities. Microsoft provides services that help protect data, but customers must understand their role in protecting the security and privacy of that data. The classic illustration is a poor password policy: a cloud provider’s best security measures are defeated if users pick weak or easy-to-guess passwords.
It’s all detailed in Microsoft’s Shared Responsibility model. Understanding where the shared responsibility model starts and stops is critical to keeping your data secure and compliant.
Good news: the Azure infrastructure is assessed against many regulatory and industry standards, such as the CIS Microsoft Azure Foundations Benchmark 1.1.0, PCI DSS 3.2.1, ISO 27001, and SOC (Trust Services Principles), and it provides 24×7 continuity from geographically dispersed datacenters.
In line with these standards, Microsoft secures the physical assets, the databases, monitoring and operations, the network infrastructure, and availability. Within Azure, Microsoft assumes responsibility for general datacenter components such as compute hosts, datacenter assets, and the networks that connect them. Customers remain solely responsible for their user accounts, their endpoints, their permissions and access controls, and, most importantly, their data.
Infrastructure-level availability and durability of customer data come with the package when you use the cloud; retention, compliance, and rights management remain the customer’s responsibility. Microsoft provides many features and tools (discussed below) to help with these challenges, but it is up to the customer to design and implement the necessary policies and controls for their data.
Defense in depth is a strategy that employs a series of mechanisms to slow the advance of an attack aimed at acquiring unauthorized access to information. Each layer provides protection so that if one layer is breached, a subsequent layer is already in place to prevent further exposure.
Microsoft applies a layered approach to security, both in its physical datacenters and across Azure services. The objective of defense in depth is to protect information from being stolen by individuals who are not authorized to access it. Let’s take a look at each of the layers.
Hackers LOVE data; it is precious to everyone. Below are the data storage options:
Securing the data means controlling access so that only the group of people who need it can reach it. Later in this document we will see the steps to secure the data.
Integrating security into the application development life cycle will help reduce the number of vulnerabilities introduced in code.
Malware, unpatched systems, and improperly secured systems open your environment to attacks. The focus in this layer is on making sure your compute resources are secure and that the proper controls are in place to minimize security issues.
At this layer, the focus is on limiting the network connectivity across all your resources to allow only what is required. By limiting this communication, you reduce the risk of lateral movement throughout your network.
At the network perimeter, it’s about protecting from network-based attacks against your resources. Identifying these attacks, eliminating their impact, and alerting you when they happen are important ways to keep your network secure.
The identity and access layer is all about ensuring identities are secure, access granted is only what is needed, and changes are logged.
With physical security, the intent is to provide physical safeguards against access to assets. This ensures that other layers can’t be bypassed, and loss or theft is handled appropriately.
At Ignite on Nov 4th, 2019, Microsoft announced new products and services and updates to existing ones such as Azure Sentinel. Azure Sentinel helps security analysts collect data from a variety of sources, now including Zscaler, Barracuda, and Citrix. Microsoft is also releasing new hunting queries and machine learning-based detections to help analysts prioritize the most important events.
Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers and provides advanced threat protection & remediation suggestions across your workloads in the cloud.
Here we can see a total of 8 recommendations across 5 unhealthy resources.
Let’s look at the ‘Compute & apps resources’ recommendations.
For the compute recommendation ‘Diagnostic logs in Azure Stream Analytics should be enabled’, the Secure Score impact, the failed resources, and the severity are shown.
More details about the threats this addresses, such as data exfiltration and threat resistance, can be found by clicking the description.
Now it’s time to remediate it, so scroll down to the remediation steps.
Fix the issue:
For manual remediation, follow the steps above; alternatively, scroll down, select the unhealthy resource, and click Remediate.
By clicking Remediate 1 resource, you have closed the finding.
Security Center gives you a single, visual view of your posture, and Azure backs it with a rich security tool-set.
Need a cloud security solution for your enterprise? Please contact me, happy to help!!
Image Credit: Google
My deepest gratitude to all who are committed to and working in #technologies. I always enjoy doodling with technologies and helping clients with Azure, IoT and other offerings.
Please refer below:
Thanks C# Corner for recognizing me as an influential Community Leader. On April 7th C# Corner published this video. Thanks a lot to the technical fraternity.
Meet Featured Community Leader Deepak Kaushik, #MicrosoftMVP:
https://lnkd.in/fnvZ2et C# Corner Microsoft Azure #Azure
Leveraging IoT Device in Hydroelectric, Wind Power, Transformers, Heat Recovery & Power Stations and Azure Security Insight
Stream Big Data and Secure Your Data
Join Deepak and Nik for two presentations focusing on …
Agenda / Topics – Nik (Shahriar Nikkhah):
• IoT Solutions: Azure IoT Central (SaaS)
• Azure IoT Solution Accelerator (PaaS)
• PaaS Services & IoT Services
• Azure IoT Central Portal: setting up a real IoT device in Azure IoT Central (demo)
• Hydro/Power Transformers in Azure IoT Central (demo)
Agenda / Topics – Azure Security Insight:
• How cloud security is different & better
• Demo: Azure Advisor, Azure Security Center
• Demo: Identity and access management
• Advanced Threat Protection for your data
Venue: Sunrise Branch Library
3130 Woodhams Dr, Regina, SK S4V 2P9
Regina Saskatchewan CANADA
Time: 1 PM – 4 PM
Price: Free
Parking: Free
Nik is a consultant, data engineer, tech lead, mentor, founder of “SQL Data Side Inc” and co-founder of “Azure IoT Coast 2 Coast”, focusing on Microsoft Azure technologies.
Nik has over 25 years of experience in the data field. He began his career as a software developer and programmer, quickly focused on backend products such as SQL Server and business intelligence, and after the birth of cloud/Azure technologies added Azure IoT products to his list.
He is also a C# Corner MVP.
You can find out more about him and his presentation at this link. https://www.linkedin.com/in/nnikkhah/
Deepak is a Microsoft Azure MVP. He is the founder and Chapter Lead at C# Corner Regina Chapter and Co-Founder of “Azure IoT Coast 2 Coast” focusing on Microsoft Azure technologies.
He is also a C# Corner MVP. Find more about Deepak at
The ‘Azure IoT and Azure Defenses: Coast to Coast Tour’ has sessions in 3 different cities. We will be at:
Calgary on April 27th.
Saskatoon on May 3rd.
Regina on May 4th.
Join us for the great sessions on ‘IoT and Azure Coast to Coast’ at Saskatoon, Saskatchewan. Sessions will be held at Cliff Wright Branch Library on May 3rd:
“Learn IoT Device Translator & Azure Security Insight”.
Venue: Cliff Wright Branch Library
Address: 1635 McKercher Dr, Saskatoon, SK S7H 5J9
Time: 5:30 PM – 8 PM
6 PM – 7 PM: IoT Device Translator – Nik Shahriar
We will have Nik Shahriar from Toronto; he is presenting at Saskatoon and Regina.
7:15 PM – 8:15 PM: Azure Security Insight – Deepak
We will serve Pizza, Snacks and Beverages
Join us for a new webinar on “Learn Transfer Learning for AI & Azure Defenses”. Transfer learning is a step toward the idea of artificial general intelligence: reusing one pre-trained network for multiple tasks lets us build intelligent machines with less computation and data, and reach good accuracy with a minimal amount of training data. In this session, we will talk about different approaches to transfer learning and ways to use it.
Time: March 09, 2019 9:00 AM (CT)
Protect yourself by using Awesome Azure defenses
Transfer Learning for Artificial General Intelligence
Session details are as follows:
09:00 AM – 09:45 AM: Protect yourself by using Awesome Azure defenses – Deepak Kaushik
09:45 AM – 10:30 AM: Transfer Learning for Artificial General Intelligence – Rahat Yasir