Azure Security

Defense in Depth

  • Physical Hardware – you are responsible for security of hardware, buildings, staff
  • 7 General Layers of Cloud Computing
    • Physical
    • Identity and Access
    • Perimeter
    • Network
    • Compute
    • Gateways and Firewalls
    • Data

Securing Network Connectivity

  • Firewall: Rules, Variations, Critical Part
  • DDoS: in 2012 six US banks were flooded with 60 GB of traffic every second; in 2014 CloudFlare was attacked with 400 GB of traffic per second; in 2018 GitHub experienced 1.35 Tb of traffic per second (a 127M requests-per-second attack!)
  • Azure DDoS protection service, no downtime
  • Network Security Group (resource firewall) around a Virtual Machine/IP endpoint
  • Application Security Group: protects application infrastructure, group VMs and virtual networks into logical application groups
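
To make the NSG and ASG bullets concrete, here is an added example (not from the original notes) that models how an NSG evaluates inbound rules: lowest priority number first, stop at the first match, then fall through to the default rules, with ASG names resolving to the IPs of their member VMs. The rule names, IP addresses and ASG names are constructed for illustration.

```python
"""Simplified model of Azure NSG rule evaluation with Application Security Groups.

Added illustration with constructed data; it is not the Azure implementation.
Real NSGs evaluate rules by ascending priority number, stop at the first match
and fall back to built-in default rules (allow intra-VNet, deny all inbound).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed ASG membership: VM NIC addresses grouped into logical tiers.
ASG_MEMBERS = {
    "asg-web": {"10.0.1.4", "10.0.1.5"},
    "asg-db": {"10.0.2.4"},
}


@dataclass
class Rule:
    name: str
    priority: int        # 100-4096; lower numbers are evaluated first
    access: str          # "Allow" or "Deny"
    src: str             # "*", a CIDR/IP, or an ASG name
    dst: str
    dst_ports: set       # destination ports this rule covers


def _ip_matches(selector: str, ip: str) -> bool:
    """Match '*' (any), an ASG name (member IPs) or a CIDR/IP prefix."""
    if selector == "*":
        return True
    if selector in ASG_MEMBERS:
        return ip in ASG_MEMBERS[selector]
    return ip_address(ip) in ip_network(selector, strict=False)


def evaluate(rules, src_ip, dst_ip, dst_port, vnet="10.0.0.0/16"):
    """Return (access, rule_name) for the first rule that matches by priority."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (_ip_matches(r.src, src_ip) and _ip_matches(r.dst, dst_ip)
                and dst_port in r.dst_ports):
            return r.access, r.name
    # Default rules (simplified): traffic inside the VNet is allowed, the rest denied.
    net = ip_network(vnet)
    if ip_address(src_ip) in net and ip_address(dst_ip) in net:
        return "Allow", "AllowVnetInBound"
    return "Deny", "DenyAllInBound"


# Constructed rule set: only the web tier may reach the database port.
RULES = [
    Rule("allow-web-to-db", 100, "Allow", "asg-web", "asg-db", {1433}),
    Rule("deny-any-to-db", 200, "Deny", "*", "asg-db", {1433}),
    Rule("allow-https-in", 300, "Allow", "*", "asg-web", {443}),
]
```

Evaluating a web VM reaching the database on 1433 hits the priority-100 allow, while an Internet address trying the same port falls to the priority-200 deny, and unmatched Internet traffic ends at DenyAllInBound.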

Azure Security Center

  • Threat Alerts
  • Ready for Hybrid architectures
  • Each VM has an agent (on-premises machines work too)
  • Azure analyzes the data
  • policy and compliance metrics
  • “secure score” to encourage good security hygiene
  • integrate with other cloud providers
  • Alerts for resources that aren’t secure
  • define policies, protect resources, respond to security alerts
  • regulatory compliance dashboard – assessed in relation to regulatory standards
  • resource and security hygiene

Azure Key Vault

  • helps share keys/passwords
  • secure place to store passwords and share them without revealing the keys
  • backed by secured hardware

Azure Information Protection

  • classify data according to how sensitive it is
  • track activities with shared data and revoke access
  • share data while controlling who can edit/view/print/forward it

Microsoft Defender for Identity

  • Monitor users in an on-premises environment
  • Create a baseline for behavior
  • Suggest changes to conform with security best practices

Azure Sentinel

  • SIEM tool
  • aggregated and normalized data
  • analysis and threat detection
  • take action
  • Cloud Scale

Azure Dedicated Hosts

  • If you must run dedicated hosts, this is an option
  • hardware isolation at physical layer, no foreign VMs, control over maintenance schedule
  • can still use availability zones, fault isolation, high availability, and scale sets.
  • choose Windows, Linux, or SQL Server
