Introduction to Azure Security Compass | Azure Security Basics

January 11, 2020

(bright music) Welcome to the Azure Security Compass. This is a workshop designed to bring together all the best practices that we’ve learned from Microsoft and our experience going to the cloud, all the investments we’ve made to make it more secure, as well as all of the things that we’ve learned from our customers’ journeys to the cloud and helping them secure their Azure workloads. Cool.

MARK: So this material is typically delivered in an actual workshop on site with our customers and we decided that it would be helpful to share this with the world.

SARAH: Yup.

MARK: And so we’d normally go through this first part here and then we have a little bit of a discussion about the organization’s configuration and goals which we’ll touch on in just a moment. And the interesting thing that we found about this is it tends to be, it’s a discussion with not only the security organization but also the IT organization is an ideal configuration. Because this is really the first time that so many of these roles and stakeholders have had to kinda sit down and look at a new paradigm of how to run their technology space. And so we’ve found it very beneficial to have the networking team, the IT operations team, the SOC team, the security architects, all working together to figure out okay, things are a little different in the cloud. How do we actually get the most of it so we’re not just taking the old practices one for one and having to, and doing the same thing we’ve done before. Because there’s a lot of that.

Yeah, there is. I mean I’ve talked to a lot of customers while doing this workshop and sometimes it really is the first time that all these different teams have actually talked about what they’re doing in cloud. And there are a lot of revelations sometimes and some discussions that really need to happen as well.

I’m gonna reveal a little bit of my gray hairs here but this reminds me of when we first went to sort of enterprise computing and the early 2000s, late 90s as Active Directory came online. It really reminds me of that. Everybody’s gotta get together and kind of figure out this new system and its new paradigm. It very much reminds me of that. Yeah.

MARK: Ultimately, the Azure Security Compass is designed to very quickly increase your security posture and we tried to get the most prescriptive, the most clear, remove all the “it depends” that we could out of the guidance and make it as clear as possible that this is the right way to do it from a security perspective. You know, maybe there’s one way, maybe there’s a couple ways and there’s a couple choices and we cover that in a few slides here. We wanted to make it as clear as possible to help people quickly get to the cloud. And, of course, get familiar with the Azure platform and Azure Security Center which is an amazing free tool.

SARAH: It is.

MARK: That really helps get visibility that was just difficult or nearly impossible in practice to do on premise. Yeah and– Premises, I got it right. (laughing) And it is a really great tool that lots of people overlooked so we should. Absolutely. Should definitely have a look at it because it is free. Cool.

And one of the big things as we go through this journey, there’s two big things that we’ve learned just from the sort of step back and take a look at it which is one, it’s a mix of the old and the new. So there are some apps, some practices that you’ve been doing from a security perspective that absolutely would carry forward. And then there’s some things that are brand new that, you know, like Azure Security Center that just weren’t available before. And there’s some things that you’re doing what you did before but in a little different way. And so you really have to sort of be prepared to bring your experience to the cloud but also be ready for changes.

SARAH: Yeah.

And so it’s very important to have both of those mindsets. Yeah, it can be, and it does make people feel fundamentally a little bit uncomfortable because we do have to do things a bit differently but it’s something that we– Part of the journey. Yeah, part of the journey. Need to approach it with an open mind. Absolutely. Yeah.

And then the other thing, because we do see on occasion, you know, security people, we have these big egos, we think we have to learn everything, we have to be the expert in everything. And there’s an interesting sort of physics problem in the cloud where you just can’t because there’s 200 services with a bunch of features under them in Azure and they’re all changing and they’re all being added to and developed and they’re figuring out new better ways of doing things and fulfilling customers’ needs and requests in all these ways. By the time you, if you try to learn 100% of it, by the time you get to five or 10%, your knowledge is already getting stale in the beginning. And so it’s really important to understand you can’t actually know everything about the cloud. You really have to do it on an on-demand basis. Yeah. And that’s a big learning for us, especially us security people. Oh, I know. And, I mean, I log into Microsoft tools every day and sometimes there’s something new there. Oh look, they added that! Oh look, that’s new! Yeah, I mean that happens to me fairly frequently. And that’s okay but as you say, traditional security mindset says, “Oh, that’s something new, I don’t know what it is, this is bad, like–” Yup. “I’m not happy with this.” Whereas in cloud, it happens far more frequently. And it’s a good thing because a lot of times the security gets better.

So the format of the best practices that are in here, we actually use the term, we have a couple different terminologies that we bring in. The first is best practice and that’s really where there’s really one right way from Microsoft’s perspective on this is the right way to do this. A perfect example is multi-factor or passwordless for admins. We’re always gonna recommend, 100%, there’s no exceptions from Microsoft perspective. There is a disclaimer at the bottom. But there’s never a good reason to just have a password on the admin account from Microsoft’s perspective so that’s our clear, you know, just straight up opinion. No decorations.

And there’s some cases where there’s one or two choices or there’s two or three choices maybe where it’s maybe a multistage journey and you have to kinda choose how fast you’re gonna go down that journey or a perfect example of this is whether you use the Azure Firewall that’s built in or whether you use a third party’s or like a Palo Alto or Check Point or your favorite vendor. That one is one of the few we actually have an even “it depends” right? Like there’s pros and cons for either one of those. It’s pretty simple to manage the Azure one and it’s got some really strong basic capabilities but there’s a lot more features and capabilities from a dedicated firewall vendor. And so that one’s one of the few choices that’s even. Most of the time, we try to nudge in one direction or other to share Microsoft’s opinion to help make that choice a little bit easier.

Another example is do you hairpin all your traffic back through your on-prem security stack or do you set up a security stack in Azure? Because there is a threshold really quickly that you get to in a proof of concept where you don’t want to be routing that traffic back. That particular one I have very strong opinions on. (laughing) When we get to networking. It’s still a legitimate choice to route it but it’s not one that we would recommend. No. And so we do wanna give that wiggle room but the clarity. Yeah, especially because we can also bring some insight from our customers’ journeys around how they experienced, particularly take the hairpinning, I know for a fact that that can cause more problems sometimes as well in terms of troubleshooting because you just have more stages of your network, the flow to actually troubleshoot. So, you know, we can bring in some insight there as well. But officially, it’s a choice, of course. Yup. You know, you know your business better than we do. Absolutely. And again, this is Microsoft’s opinion. This is based on our experience with working all of these organizations. You may have special needs in your particular organization that would drive you to a choice that not every other organization would go to.

And the other piece that we have here is sorta this green versus gray and this is a very basic set of prioritizations. So we filtered the green ones, the critical ones, on things that, you know, they’re on-premise, typical on-premise security posture. You need this to be parity with them. Things that are hard to change, you know, if you make this decision, it would be a lot of work for you to undo it and make a different decision later. And then high risk stuff that are things that we’ve seen, especially in the software defined networking space, we’ve seen a few mistakes around public IPs that lead to a high degree of risk. So that’s kinda how we filter the critical ones and all of the other ones are what we put in our general category. And these are all really good ideas but they’re not as important and they’re not the things that, in most situations, we would say, “You know what, we can wait on these before we go to the cloud.” The critical ones we wanna do as we go to the cloud or before. But the general ones, in most cases, can wait. Yeah, because we know that all organizations and this is not just security, have limited capacity to do everything so we’re trying to help prioritize those a little bit. So things for your roadmap and things to do straight away. Exactly and you always have the choice of when you do each of these but we wanted to share that, yup.

And we also, in the download section, have a tracking sheet to help you with this, to track when the decisions are being made. Hey, we made the decision on this and we’re set to go. And then the implementation of that, how far along are we on getting all the admins to MFA or passwordless, et cetera. And so that way you can kinda track that and see where your progress is. And it just makes it a little easier to organize your project.

SARAH: Yup.

MARK: So one of the other things that we wanted to cover here that comes up often in our customer conversations is there’s a lot of compliance regimes, regime probably isn’t the right word, a lot of compliance regulatory bodies and standards that organizations have to meet and comply with. And a lot of them are involved in IT security. And not all of those have been updated since the cloud came along and became a popular thing. And so the conversation’s constantly coming out because people are trying to, organizations are trying to apply compliance standards that were written before the cloud model and the dynamic ephemeral resources, the elasticity, all those things came along and so it’s very important to understand that there is a distinction between compliance and security because compliance meets that specific, generally pretty static standard. There’s a few of them that are outcome-driven like a GDPR would be outcome-driven. But most of them tend to be very specific prescriptive control-driven. And that’s great because it puts you at sort of a minimum baseline of security. But security is really based on the risk and what the attackers can do today and the risk to your business, it’s much more dynamic. And so it’s very important, we’ve found, to distinguish between compliance and security because they are both moving towards the same goal but they’re taking very different approaches to it.

Yeah and we know that compliance regimes often take a number of years to catch up with the reality of the technology so that can always be a challenge as well. Obviously, if you are a business that’s subject to regulatory compliance, you have to adhere to that. But it doesn’t necessarily mean that you actually– That you’re secure against the current threats of today. Yeah, that you’re actually secure and that’s a big challenge for any business so. And so we take both of these seriously. But we just wanna make sure that folks understand that the dynamics are a little bit different on each of those.

And this next piece is just, usually this is how we guide the conversations on really learning about the organizations that we’re working with so that we understand the context of how these best practices will fit for them. But these are the things that, in any project, you’re gonna really wanna have a good understanding about your own organization. What are you actually doing in the cloud today? We frequently find that organizations are already using the cloud and haven’t quite connected the fact that, “Hey, we’re using ServiceNow or Salesforce or Office 365 or OneDrive or Dropbox,” or one of those and they’ve already kinda figured out how to do cloud security to a degree and they just haven’t applied that same set of logic to the infrastructure as a service or platform as a service and so just understanding that can also help get these folks in the room, some of which don’t talk to each other all the time in regular meetings, to actually have good conversations around, “Oh, well this is how we did this here.” Yeah and sometimes this is a really useful conversation with all these teams because not all the teams always know what’s being done in cloud by the other teams. That comes up quite a lot. There tend to be a lot of bottom up projects we’ve found, yeah. Yeah, people just go buy some machines or parts and go for it. (laughing)

MARK: And then it’s also important to consider what is security focusing on? What are the initiatives? Is there a particular regulation that is, “Hey, we’re gonna become compliant.” Are we trying to do a paperless initiative to get rid of some of the papers and go electronic? Those kind of things that the IT organization or the security organization are driving often really can affect a cloud project and what things go to the cloud first or not. So those are very important things to understand.

The next piece is geographic presence, really understanding is it, to use your part of the world, is it an organization that only services the Australian market or is it something that works with the entire Asia Pacific region or is it a global organization? So really understanding these helps shape these conversations and apply the best practices. Yeah and because we have so many, a big focus on geographic presence and where data resides and geolocation. Even in big multinational companies, they can’t put everything everywhere necessarily so that’s, geographic presence is always an important discussion to have and where things need to be because–

MARK: Absolutely. I don’t think I can think of a single organization that doesn’t have to consider that to a certain extent nowadays. Completely agreed.

And the next one is the compliance so depending where you do business, you’re gonna be regulated. Depending what industry, you’re gonna be regulated by different pieces and so that comes into play because sometimes those compliance regimes require certain advanced security features or certain approaches that would take something that would be a general recommendation and make it critical for you.

SARAH: Yeah.

MARK: And last is really that context of what are the goals and the plans for Azure usage in general. So what is the organization trying to do? Is it, you know, “Hey, we’re going all in and we’ve got a date where we’re gonna turn off the data centers on June of next year.” Or is this something where, you know, “We’re still in the trial phases,” and people haven’t figured it out yet. So it’s very important. Or maybe it’s an IoT, like, “Hey, we’re gonna do all of our brand new technology there and then we’re gonna figure out the old applications later.” So understanding that really affects which elements you need to focus on. Yeah. And with that, that is the intro to the Azure Security Compass and we’ll head to the next module. Thank you. (bright music)
