Microsoft Azure Monitor Insights
You can subscribe here for more at Azure Academy on YouTube Channel
Tag Archives: Security
Optimize Security and Compliancy with #Azure Security Center #ASC #Cloud #GDPR
Microsoft Azure Security Center
When you have your Hybrid Cloud Enterprise Design ready in a Microsoft HUB-Spoke model and your Security in place, you can do your optimize on your Azure workloads and keep up-to-date for your compliancy. Microsoft Azure Security Center can support you in Security and Compliancy (GDPR). Here you see my former blogposts about Microsoft Azure HUB-Spoke model architecture and Security by design :
- Microsoft Azure Hub-Spoke model by Enterprise Design 1 of 4
- Microsoft Azure Policy and BluePrints Overview (Extra Blogpost)
- Microsoft Azure Hub-Spoke model by Enterprise Design 2 of 4 “Lift and Shift”
- Microsoft Azure Hub-Spoke model by Enterprise Design 3 of 4 Data Migration
- Managing and Working with Azure Network Security Groups (NSG)
Security in software is always on the move and changing in this world, when you think you are ready something has changed already. That’s why I love Microsoft Azure Security Center to keep you posted and giving you advise on Security but also on Compliancy.
From here you see a high-level overview of these new possibilities in Microsoft Azure Security Center :
Security Center Overview
Microsoft Azure Security Center is working with the following navigation menu’s on the left :
- General
- Policy & Compliance
- Resource Security Hygiene
- Advanced Cloud Defense
- Threat Protection
- Automation & Orchestration
Microsoft Azure Secure Score Dashboard
Microsoft Azure Security Center is working with Overall Secure Score. In my Test LAB we have some work to do 😉
The Azure secure score reviews your security recommendations and prioritizes them for you, so you know which recommendations to perform first. This helps you find the most serious security vulnerabilities so you can prioritize investigation. Secure score is a tool that helps you assess your workload security posture.
Improve your secure score in Azure Security Center
Azure Security Center Recommendations
Microsoft Azure Security Center gives you advise to make your Security Score higher and you can improve immediately.
Open Subnet without NSG.
From here you can Enable a Network Security Group (NSG) on the Subnet and make your network more secure.
Creating NSG from Azure Security Center.
A subnet with NSG.
Azure Security Center Advise on Disk Encryption
- Description on Applying Disk Encryption on your Virtual Machines
- General Information, with Impact and Implementation Cost.
- Threats, what can happen when you don’t implement the security.
- Remediation Steps from Microsoft Azure Security Center
Like this : Managing security recommendations in Azure Security Center
Security Center – Regulatory Compliance
I really like this feature in Azure Security Policy & Compliancy to help the business with GDPR and keep your Data Save by Security.
PCI DSS 3.2
ISO 27001
So now you can work on your Security and Compliance
SOC TSP
Here you find more information about Microsoft Azure Security Center
Microsoft Azure Security Center Playbooks
Integrate security solutions in Azure Security Center
Conclusion :
Security is a on-going process 24 hours -365 days to monitor, analyze, and prevent security issues. Working on Compliancy for your Business and making your own Security policies is important. Microsoft Azure Security Center can support you in this journey. When you Optimize your Azure workloads or make new solutions in Azure, keep it secure with Microsoft Azure Security Center.
Whitepaper Achieving Compliant Data Residency and Security with #Azure #Cloud
Introduction
Security and compliance–basic elements of the trusted cloud–are top priorities for organizations today. This paper is designed to help customers ensure that their data is handled in a manner that meets their data protection, regulatory, and sovereignty requirements on the global cloud architecture of Microsoft Azure. Transparency and control are also essential to establishing and maintaining trust in cloud technology. Microsoft recognizes that restricted and regulated industries require additional details for their risk management and to ensure compliance at all times. Microsoft provides an industry-leading security and compliance portfolio. Security is built into the Azure platform, beginning with the development process, which is conducted in accordance with the Security Development Lifecycle (SDL), and includes technologies, controls and tools that address data management and governance, Active Directory identity and access controls, network and infrastructure security technologies and tools, threat protection, and encryption to protect data in transit and at rest. Microsoft also provides customers with choices to select and limit the types and locations of data storage on Azure. With the innovation of the security and compliance frameworks, customers in regulated industries can successfully run mission-critical workloads in the cloud and leverage all the advantages of the Microsoft hyperscale cloud. This simple approach can assist customers in meeting the data protection requirements of government regulations or company policies by helping them to:
Understand data protection obligations.
Understand the services and controls that Azure provides to help its customers meet those obligations.
Understand the evidence that customers need to assert compliance.
The paper is structured into these three sections, with each diving deeper into the security and technologies that help Microsoft customers to meet data protection requirements. The final section discusses specific requirements to which industries and organizations in selected European markets are subject.
Download this Awesome whitepaper, “Achieving compliant data residency and security with Azure.”
Learn here more on Compliance, Trust, Security and Responsibilities
Bye Bye 2018 vs Hello 2019 #MVPbuzz #Azure #Cloud #AzureDevOps #Education #Code #Analytics
Happy New Year !
First of all Thank you for following me and Sharing Microsoft Cloud and Datacenter Management content on Social Media 🙂 Sharing & Learning Together is Better.
Here some work I did for the Community in 2018 :
- I wrote 62 Blogposts in 2018 on https://mountainss.wordpress.com and shared them on LinkedIn,
Twitter, Facebook and Microsoft Tech Community - Made a Blogpost Serie about :
It’s all about your Datacenter transition to the Cloud by Design and by Security.
Microsoft Azure Hub-Spoke model by Enterprise Design 
Started Azure DevOps Community Group on LinkedIn- Together with Community Groups : Microsoft Azure Monitor and Security for Hybrid IT and
Containers in the Cloud
@Jamesvandenberg - Welcome 577 New Followers on Twitter of the 5904 Followers 🙂
More then 2.807.000 Tweet impressions in One year ! - Started with Friday is MVPbuzz Day for Education to get Azure Cloud in the Classroom, working together with Teachers and Students in my Free time.
- Working with Microsoft Learn in Teams for the Students.
- Meetings and Speaking for Education, all about Azure and AzureStack Technologies.
- Conferences, like the Global MVP Summit 2018, DevOps Amsterdam, Community Group meetings.
Microsoft Ignite, Microsoft Build, Microsoft Connect events. - Almost every week Microsoft Product Group Intervention (PGI) sessions Online.
- Sharing the News every Day via Twitter, Facebook, LinkedIn, Microsoft Tech Community, Blog
But what is coming in 2019 ?
Rocking with Azure in the Classroom !
I will continue every day sharing knowledge with the Community and continue my Free work on MVPbuzz Friday for Education to get Azure Cloud Technology in the Classroom for Teachers and Students.
The trend I see for 2019 is more Infrastructure and Security by Code with Microsoft Azure DevOps
and of course you have to be in Control with Microsoft Azure Monitor
I will write a blogpost in January 2019 about Microsoft Azure Hub-Spoke model by Enterprise Design 4 of 4 : Optimize your Azure Workload.
More Items in 2019 to come :
- Microsoft Azure Security Center for Hybrid IT
- Windows Server 2019 in combination with Azure Cloud Services.
- More on Containers in the Cloud
- Azure Stack and ASDK
- Integration with Azure Cloud.
- API Management
- Azure DevOps Pipelines and Collabration
- Azure IoT for Smart Cities and Buildings combined with AI Technology
2019 will be a Great year again with New Microsoft Technologies and Features for your business.
Managing and Working with #Azure Network Security Groups (NSG) #Security #IaC #AzureDevOps
Microsoft Azure Network Security Group (NSG)
When you are implementing your Microsoft Azure Design like a HUB-Spoke model you have to deal with security of your Azure environment (Virtual Datacenter). One of them are Network Security Groups to protect your Virtual networks and make communication between Azure subnets possible in a Secure Azure Virtual Datacenter.
You really have to plan your Azure Virtual networks and implement it by Architectural Design. Now I’m writing about Azure Network Security Groups which is important, but there are more items to deal with like :
- Naming Conventions in your Azure Virtual Datacenter
- Azure Subscriptions ( who is Owner, Contributor, or Reader? )
- Azure Regions ( Where is my Datacenter in the world? )
- Azure VNET and Sub-Nets ( IP-addresses )
- Security of your Virtual Networks ( Traffic filtering, Routing )
- Azure Connectivity ( VNET Peering between Azure Subscriptions, VPN Gateway )
- Permissions (RBAC)
- Azure Policy ( Working with Blue prints )
Here you can read more about these Microsoft Azure items
How to Manage Microsoft Azure Network Security Groups (NSG) ?
IMPORTANT: Before you start with Azure Network Security Groups, test every ARM JSON Script first in your Dev-Test Azure Subscription before you do production. Talk with your Cloud Administrators, because when you implement Infrastructure as Code (IaC) and work with ARM Templates you can delete manual settings in NSG’s for example, which will give you troubles like no protocol communication between subnets.
When you start new in Microsoft Azure, It’s easy to make your Azure security baseline for all of your Network Security Groups (NSG’s) by Azure Resource Manager (ARM) templates.
When you have a Microsoft Azure HUB-Spoke model with for example four Azure Subscriptions and a lot of Azure Virtual Networks – Subnets, you got a lot of NSG’s to manage and you don’t want to manage those manually. So there are different ways to manage Azure Network Security Groups via ARM Templates. For example :
ARM Templates from the Azure Portal
Make your ARM Baseline template.
Edit your parameters and Deploy.
Here you saw a standard Virtual Machine Deployment, but you can add of course all of your Azure Resource Manager templates here including your NSG Base Line template. In this way your deployments are documented ( Scripts).
Another awesome solution is Microsoft Azure DevOps for your Deployments in Azure.
Azure DevOps Services is a cloud service for collaborating on code development. It provides an integrated set of features that you access through your web browser or IDE client. The features are included, as follows:
- Git repositories for source control of your code
- Build and release services to support continuous integration and delivery of your apps
- Agile tools to support planning and tracking your work, code defects, and issues using Kanban and Scrum methods
- Many tools to test your apps, including manual/exploratory testing, load testing, and continuous testing
- Highly customizable dashboards for sharing progress and trends
- Built-in wiki for sharing information with your team
The Azure DevOps ecosystem also provides support for adding extensions and integrating with other popular services, such as: Campfire, Slack, Trello, UserVoice, and more, and developing your own custom extensions.
Choose Azure DevOps Services when you want the following results:
- Quick set up
- Maintenance-free operations
- Easy collaboration across domains
- Elastic scale
- Rock-solid security
You’ll also have access to cloud load testing, cloud build servers, and application insights.
Azure DevOps Repo for your Templates
From here you can make your Infrastructure as Code (IaC) Pipelines together with your Cloud Administrator Team 😉
When you have your Azure DevOps Private Repository in place and you like to work with Visual Studio for example, you can connect to your Repo and Check-in your NSG ARM Script but Deploy with Visual Studio to your Azure Virtual Datacenter.
Azure NSG Template Deployment via Visual Studio
Microsoft Visual Studio 2019 Preview is available for download here
Here you can download Microsoft Visual Studio Community Edition
And there is Microsoft Open Source Visual Studio Code
Azure DevOps Repo in Visual Studio Code.
Microsoft Visual Studio Code work with Extensions :
Azure DevOps Pipelines Extension
So you see there are enough ways to deploy ARM Templates and this is not all, because you can also use Azure Cloudshell for example or other CLI command-line interfaces. But now we want to set the NSG Baseline for our Azure Subscription. A good start is to see the possibilities in the JSON scripting for Network Security Groups.
Here you find the settings and explanation of Azure Components.
For Microsoft Azure NSG Template :
Azure NSG Baseline Template
To create a Microsoft.Network/networkSecurityGroups resource, add the following JSON to the resources section of your template.
The Microsoft Azure Quick Create Templates on Github can help you to make your own NSG Template for example.
————————————————————————–
“apiVersion”: “2017-06-01”,
“type”: “Microsoft.Network/networkSecurityGroups”,
“name”: “[parameters(‘parkingzoneNSGName’)]”,
“location”: “[parameters(‘location’)]”,
“properties”: {
“securityRules”: [
/* {
“name”: “Allow_RDP_Internet”,
“properties”: {
“description”: “Allow RDP”,
“protocol”: “Tcp”,
“sourcePortRange”: “*”,
“destinationPortRange”: “3389”,
“sourceAddressPrefix”: “Internet”,
“destinationAddressPrefix”: “*”,
“access”: “Allow”,
“priority”: 500,
“direction”: “Inbound”
}, */
{
“name”: “AllowAzureCloudWestEuropeOutBound”,
“properties”: {
“protocol”: “*”,
“sourcePortRange”: “*”,
“destinationPortRange”: “*”,
“sourceAddressPrefix”: “*”,
“destinationAddressPrefix”: “AzureCloud.WestEurope”,
“access”: “Allow”,
“priority”: 999,
“direction”: “Outbound”
}
},
{
“name”: “DenyInternetOutBound”,
“properties”: {
“protocol”: “*”,
“sourcePortRange”: “*”,
“destinationPortRange”: “*”,
“sourceAddressPrefix”: “*”,
“destinationAddressPrefix”: “Internet”,
“access”: “Deny”,
“priority”: 2000,
“direction”: “Outbound”
}
}
]
}
},
————————————————————–
By Default is Internet available in a NSG ! So here you see that Internet is not allowed only the AzureCloud West Europe resources because some Azure SDK Component work via ” Public internet” ( Microsoft IP-Addresses).
(RDP protocol is marked and not set in this example for Security reasons)
Internet by Default Rules, so you must set your security Rules !
Conclusion :
You really have to implement Azure Security by Design, make your Base-line with ARM Templates in a Private Repo for your Azure Network Security Groups with the Correct RBAC Configuration for your Cloud Administrator Team. Don’t make them manually and do settings manually when you have a lot of NSG’s ! Versions of your ARM templates are documented in your Repository 😉
Test Always first in a Dev-Test Azure Subscription or in Azure DevOps with a Test plan before you implement in Production.
#Microsoft Azure virtual datacenter HUB-Spoke Model: A network perspective #Cloud #Azure #Security
Microsoft Azure HUB-Spoke Model
When you have your Microsoft Azure Architectural Design in place like a HUB-Spoke model this Microsoft documentation can help you with the Security and networking design in Microsoft Azure Cloud services.
The Virtual Data Center (VDC) isn’t just the application workloads in the cloud. It’s also the network, security, management, and infrastructure. Examples are DNS and directory services. It usually provides a private connection back to an on-premises network or datacenter. As more and more workloads move to Azure, it’s important to think about the supporting infrastructure and objects that these workloads are placed in. Think carefully about how resources are structured to avoid the proliferation of hundreds of workload islands that must be managed separately with independent data flow, security models, and compliance challenges.
Read this Awesome Microsoft Azure Virtual Data Center documentation from a Network perspective here
Conclusion :
When you have your Microsoft Azure High Level Design, get your security and network in Azure in place in a manageable way for your Cloud Administrators and your Business. Here are some tips:
- Understand the data workflows in your Azure Virtual Data Center.
- Make a Detailed network and security design (Low level)
- Keep it Simple but Secure.
- Before you go into production, do a Security assessment (Pentest) by 3rd party Professionals
( For example via Company CQURE )
BlueHat v18 Hardening #Hyperv through offensive security research #Security #Bluehatv18 #Bluehat
BlueHat v18 || Hardening Hyper-V through offensive security research
From Microsoft Security Response Center (MSRC) :
“Humans are susceptible to social engineering. Machines are susceptible to tampering. Machine learning is vulnerable to adversarial attacks. Singular machine learning models can be “gamed” leading to unexpected outcomes.”
In this talk, they compare the difficulty of tampering with cloud-based models and client-based models. Then discuss how they develop stacked ensemble models to make machine learning defenses less susceptible to tampering and significantly improve overall protection for customers. They talk about the diversity of base ML models and technical details on how they are optimized to handle different threat scenarios. Lastly, they describe suspected tampering activity they have witnessed using protection telemetry from over half a billion computers, and whether mitigation worked.
BlueHat v18 Content Now Available
