This is the fifth and final article of a five-part series focused on enterprise governance in Microsoft Azure.
In parts one, two, and three, we discussed the four levels of management in the Azure Enterprise Portal, the guiding principles behind dividing resources into resource groups and/or subscriptions, cloud cost management, managing identities through Azure Active Directory (AD), role-based access control (RBAC), and privileged identity management (PIM). In part four we examined enforcement mechanisms and supporting features and tools such as Azure Policy, Resource Locks, Blueprints, and Azure Automation. We will finish out this series with a deep dive into the options and tools available to review, monitor, and track the activity and security posture of your Azure workloads through Azure Security Center, Azure Sentinel, Azure Advisor, and Azure Monitor. We will also review a few best practice recommendations based on our experience working with enterprise Azure deployments.
Azure Security Center
Azure Security Center represents a combination of best practice analysis and security policy management for all resources within an Azure subscription. This powerful and easy-to-use tool allows security teams and risk officers to prevent, detect, and respond to security threats as it automatically collects and analyzes security data from your Azure resources, the network, and partner solutions like anti-malware programs and firewalls. Azure Security Center applies advanced analytics, including machine learning and behavioral analysis, while leveraging global threat intelligence from Microsoft products and services, the Microsoft Digital Crimes Unit (DCU), the Microsoft Security Response Center (MSRC), and external feeds. Security governance can be applied broadly at the subscription level or narrowed down to specific, granular requirements applied to individual resources through policy definition. Azure Security Center analyzes resource security health based on those policies and uses this to provide insightful dashboards and alerting for events such as malware detection or malicious IP connection attempts. It can also tie in alerts to centralized logging systems such as Microsoft’s Log Analytics service, a part of Azure Monitor, which enables collection and correlation of events from on-premises and multiple cloud (e.g., Azure, AWS, etc.) sources and ingestion of logs into Azure Sentinel (SIEM).
Figure 1. Azure Security Center
Azure Regulatory Compliance
Azure Security Center routinely compares the configuration of deployed resources with requirements from industry standards, regulatory bodies, and common benchmarks. These comparisons populate the regulatory compliance dashboard and provide insight into your compliance posture. Standard compliance checks center around Azure CIS, PCI DDS, ISO 27001, and SOC TSP with NIST SP 800-53 R4, SWIFT CSP CSCF-v2020, UKO and UK NHS, and Canada PBMM available to be enabled. The list of optional regulatory bodies continues to grow while providing a snapshot of environment compliance across a variety of regulations and policy standards.
Azure Sentinel is a cloud-native security information and event manager (SIEM) platform and security orchestration automated response (SOAR) solution utilizing Microsoft’s AI capabilities to quickly analyze large volumes of data across an enterprise within seconds. Azure Sentinel aggregates data from all sources, including users, applications, servers, and devices running in Azure, on-premise, or in another cloud. Through this, it provides intelligent security analytics, alert detection, threat visibility, proactive hunting, and threat response.
Figure 2. Azure Sentinel
Leveraging Microsoft’s global threat knowledge, Sentinel is capable of detecting, predicting, and protecting against emerging threats and known risks. By analyzing Azure Active Directory and Office 365 user information, Sentinel has the ability to identify anomalous behaviors and suspicious activities (i.e., multiple authentication attempts from various regions of the world) which can result in the detection of a multi-stage attack that are typically low volume, high fidelity, and high severity.
Analytics capabilities help reduce the noise created by traditional SIEM tools by correlating events and learning what alerts should be triggered and which are routine. This reduction in alerts reduces fatigue and increases meaningfulness of alerts. Integration with communication and enterprise workflow systems like Teams, Skype, Slack, ServiceNow, Jira, etc., allow Sentinel to trigger a workflow in these systems to alert and track an incident following your enterprise standard processes and tools.
Figure 3. Regulatory Compliance in Azure Security Center
Another governance tool is Azure Advisor, an automated consulting resource that can examine current configurations and make practical recommendations in the following areas:
High availability (HA)
Many of the recommendations are based on common best practices, like placing virtual machines in availability sets for HA, while the security recommendations originate from Azure Security Center. While actual billing data is restricted to the Azure Enterprise Portal, Azure Advisor has visibility into usage and can identify points of potential cost savings, such as underutilized VMs. Together, these provide a straightforward way to evaluate adherence to many governance and best practice principles within an Azure subscription.
Azure Monitor maximizes the availability and performance of your applications and services by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments.
Azure Monitor collects logs and diagnostic settings from a variety of sources and tiers including application monitoring data, guest OS monitoring data, Azure resource monitoring, Azure subscription monitoring, Azure Active Directory monitoring, and Azure tenant monitoring.
Figure 4. Azure Monitor Architecture
Azure Monitor can detect and diagnose issues across applications and dependencies with Application Insights, correlate infrastructure issues with Azure Monitor for VM and Containers, and drill into monitoring data with Log Analytics for troubleshooting and deep diagnostics. It also supports operations at scale with automated alerts and automated actions as well as visualizations with Azure dashboards and workbooks.
Log Analytics is a web tool used to write and execute Azure Monitor log queries, aggregate large sets of data, and perform complex query operations using the minimal style of Kusto query language (KQL). All data collected in your environment through Azure Monitor Logs can be queried to perform complex analysis and gain deep insights into Activity within your Azure subscriptions and monitored resources.
Figure 5. Azure Log Analytics query
Application Insights monitors the availability, performance, and usage of your platform-as-a-service (PaaS) web applications hosted in Azure. Using Microsoft’s AI capabilities, Application Insights evaluate and analyze operations, traffic flows, and errors within your web application and correlate them to detect errors and provide deep insights into how your app is performing.
Figure 6. Azure Application Insights
Application Mapping capabilities are a part of Application Insight. These maps graphically display the resources and connections that make up the monitored application and are useful in understanding dependencies and connections.
Based on our experience with a diverse range of Azure enterprise clients in financial services, health care, and energy among others, we have several best practice recommendations to offer. This is not exhaustive but should serve as a starting point to developing a sound governance approach aligned with the standards of your organization.
Governance Best Practices:
Define your organizational hierarchy and map this to a pattern for the Azure Enterprise Portal such that billing, subscription management, and resource group design are aligned with this logical hierarchy.
When establishing an Azure governance model, input from business leaders, security and risk management, and IT should all be considered.
Use consistent, standardized naming conventions throughout the Azure Enterprise Portal and Azure resources.
Sign up for Azure and assign access using Azure AD organizational accounts (i.e., work or school accounts) whenever possible.
If you have on-premises Active Directory, we recommend synchronizing this to Azure AD using Azure AD Connect.
If you have an Office 365 subscription, this includes an Azure AD tenant that we recommend using to sign up for Azure.
Use centralized resource group design to minimize risk, protect critical core infrastructure, and ease management of cross-premises hybrid connectivity, while enabling application teams the access they need to achieve business objectives quickly.
Operations Best Practices:
Leverage Azure Active Directory, role-based access control, Policy, and Blueprints within the Azure hierarchy to facilitate sound security practices such as segregation of duties and least privilege and enforce organizational standards across all cloud resources.
Automate common tasks and virtual machine configuration whenever possible to ensure consistent baselines and reduce the possibility of error.
Tag resources appropriately to facilitate access control, resource identification, and billing consolidation.
Leverage Azure Security Center, Azure Monitor, and Azure Sentinel for insight into the security of the Azure environment, alert on incidents that may occur, and understand usage of Azure resources.
Utilize Cost Management functionality built into Azure to build budgets, alerts, and understand overall and anticipated cloud spend.
Are you interested in exploring Microsoft Azure but concerned about governance and how to make public cloud fit within your IT model? Credera has extensive experience in cloud infrastructure design and implementation. If you have questions or would like to discuss cloud and infrastructure solutions, contact us at firstname.lastname@example.org.