SECURING YOUR AZURE ENVIRONMENT PART III / Microsoft Defender for Cloud

So in my previous post we discussed how to approach your cloud project and how everything starts from a correct and secure architecture. In this post I am going to address Microsoft Defender for Cloud and also touch on the added capabilities of Defender for workloads.

So what is Defender for Cloud (previously Azure Security Center)? Well, in Microsoft’s words Defender for Cloud is a solution for cloud security posture management (CSPM). But what does this actually mean? Well, it’s actually a “big brother” that will constantly look at your environment and flag potential security misconfigurations. The idea is that the system helps keep you compliant and running according to both Microsoft’s and your own best practices. I say Microsoft’s and your own because behind the scenes there is a policy that by default is set to a baseline recommended by Microsoft. This can of course be edited, and you can even configure multiple policies for multiple environments tailored to your requirements. Oh, and the system is also multi-cloud, so you can monitor not only your Azure environment but also your AWS and GCP environments.

Some examples of what Defender for Cloud has to offer:

  • Identify threats and misconfigurations across IaaS, PaaS, AWS, GCP & on-prem
  • Identify VMs with exposed management ports such as RDP & SSH
  • Identify VMs without disk encryption
  • Identify VMs with no virus protection
  • Identify unpatched operating systems
  • Identify web services not protected by a WAF
  • Alerts for management users not using MFA
  • Alerts for lack of hardening on Azure Key Vaults

Of course, once configured the system can also send all alerts to e-mail or to your organization’s SIEM/SOC, such as Azure Sentinel. Oh, and the major selling point: Microsoft Defender for Cloud is free for your Azure environment. So there is no excuse not to use the system.

So to briefly summarize the use of Defender for Cloud, the idea is to harden, track your posture, protect and streamline. All this will help you assess, secure and defend your cloud while meeting regulatory compliance.

Now taking it a step forward, Microsoft also offers Cloud Workload Protection (CWP). Cloud workload protection takes things forward by not only looking at configuration but at the actual workloads themselves. Think of it as an anti-virus but aimed directly at a service and not an OS, and not just hunting for viruses. The service can offer protection for:

  • Virtual Machines
  • Azure App Service
  • Databases (Both On VM and PaaS)
  • Azure Storage
  • AKS (Kubernetes)
  • Azure DNS

Some examples of what Defender for workload has to offer:

  • Service accessed by malicious IP
  • Event log cleared
  • Anti-Malware disabled
  • Brute force login attacks
  • Suspicious login (unexpected region, unexpected user)
  • Large data extraction (possibly a data leak)
  • Unusual change of service permissions
  • Guest account with elevated privileges

For the full list you can take a look over here.

So, to fully summarize: Microsoft Defender for Cloud gives you better posture management and insight into your cloud configuration, while the added layer of Defender for workloads can keep an eye directly on your services.

In the next and final post on this subject we will address some final points such as infra as code and why this is also a point that can help address security.

Securing your Azure Environment Part II / Hub n Spoke

So in my previous post I covered the basic concepts of securing your cloud environment. In this post I want to dive a bit deeper into how we start implementing this process. First I would like to point out that this is a kind of default starter template. Every environment is different and requires specific tailoring to fit the needs of the client.

So to begin with I would like to introduce you to a concept called Hub n Spoke. This concept is nearly always used in enterprise cloud environments. The basics are that the network is segmented into multiple VNets: a single hub VNet and multiple spoke VNets. So what’s a hub VNet, you ask? Well, a hub VNet is a central VNet that holds all shared resources, mainly (but not only) from a networking perspective. In most cases the hub will contain corporate firewalls, WAF (Web Application Firewall), DDoS protection, proxies and so on. In many cases the hub will also contain domain controllers, anti-virus servers, SIEM collectors and so on. The spokes hold the actual workloads; these could range from a standard VM setup to AKS (Kubernetes) and even a mix of PaaS-based services such as web apps, Azure SQL and so on. The reasoning behind this is fairly simple.

  1. On the one hand we want to allow different departments access to the cloud. We also would like to offer them a high degree of independence when using the cloud. However we still need to govern and secure these environments. Hence centralizing and isolating all security and shared resources to the hub allows us to have in-place controls while still delegating the spoke environments to the required departments.
  2. Many companies are approaching the cloud from a hybrid perspective. They already have on-prem solutions in place such as firewalls, anti-virus solutions etc. These companies have personnel with a high level of expertise on these solutions. It also wouldn’t necessarily make sense for them to use native cloud solutions, as this would require them to manage multiple technologies (both on-prem and cloud); therefore the use of Marketplace solutions to deploy existing 3rd party solutions into the cloud makes more sense to these companies.

So, how does it work? Let’s take a look at the following diagram.

On the left we have the Hub-VNet. The hub here contains firewalls, WAFs & some virtual machines, each deployed to its own subnet, so we also have segmentation within the VNet itself. All of this is managed by IT staff. On the right we have the Spoke-VNet, or in other words the actual workload, which in this scenario is an AKS cluster. Now you can see between the two VNets that we have peering and a UDR. The peering effectively connects the VNets together to allow network traffic to flow. The UDR (user defined route) routes all outbound traffic from the spoke VNet to the firewalls in the hub. So now we have full control of all traffic leaving the VNet, similar to what we would expect in an on-prem environment. We would then implement an Azure Policy to force the use of both peering and the UDR. Finally, we also make use of Private Endpoints. Private Endpoints allow us to use PaaS-based services as if they were part of our VNet. While these services usually have only public endpoints, the use of a private link assigns them a private IP from our VNet range, allowing us to restrict and control access to internal resources only. Once all of this is in place we can delegate control of the spoke VNet to the required department, knowing that all traffic is flowing through our hub and that we have control and governance of the environment.
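Here is what the spoke side of that design looks like in Bicep, as an added example that is not from the original post. It assumes the hub VNet already exists and is passed in by resource ID, that the hub firewall’s private IP is 10.0.1.4, and that the spoke uses 10.1.0.0/16 (all constructed values).

```bicep
// Added example, not from the original post: a spoke VNet whose only outbound
// path is the hub firewall, plus the spoke side of the peering back to the hub.
param location string = resourceGroup().location
param hubVnetId string                         // resource ID of the existing hub VNet (assumption)
param firewallPrivateIp string = '10.0.1.4'    // hub firewall inside IP (constructed value)
param spokeAddressPrefix string = '10.1.0.0/16' // spoke range (constructed value)

// The UDR: everything not inside the VNet is sent to the firewall NVA.
resource spokeRoutes 'Microsoft.Network/routeTables@2023-04-01' = {
  name: 'rt-spoke-to-hub-fw'
  location: location
  properties: {
    // Stop routes propagated from a hub gateway from bypassing the firewall.
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-via-hub-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: 'vnet-spoke-aks'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ spokeAddressPrefix ] }
    subnets: [
      {
        name: 'snet-aks'
        properties: {
          addressPrefix: '10.1.0.0/22'
          // Associating the route table is what forces workload egress through the hub.
          // An AKS cluster placed here must be deployed with outboundType userDefinedRouting
          // and the firewall must allow the cluster's required egress.
          routeTable: { id: spokeRoutes.id }
        }
      }
    ]
  }
}

// Spoke side of the peering. The matching hub-to-spoke peering must be created
// in the hub's resource group with allowForwardedTraffic so firewall-inspected
// replies can flow back into the spoke.
resource spokeToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-04-01' = {
  parent: spokeVnet
  name: 'peer-spoke-to-hub'
  properties: {
    remoteVirtualNetwork: { id: hubVnetId }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true   // accept traffic forwarded by the hub firewall
    allowGatewayTransit: false
    useRemoteGateways: false      // set to true if the hub hosts a VPN/ExpressRoute gateway
  }
}
```

Once deployed, the spoke’s effective routes on any NIC in snet-aks show 0.0.0.0/0 with next hop VirtualAppliance, which is the quick check that nothing leaves the spoke without passing the firewall.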

This is what I like to call a well-architected approach.

Stay tuned for the next post, where we will discuss the use of Microsoft Defender for Cloud.

Securing your Azure Environment Part I

One of the things I get asked on a weekly basis is: how do we secure an Azure environment? So I thought I’d take some time to write a few blogs on the subject, a slight change from my usual new Azure tech blogs.

When using Azure, or any public cloud for that matter, security as always is a big subject that has to be addressed. Now I’ve had people say to me, “hey, we’re using the cloud because then Microsoft will deal with security for us.” NO, NO, NO, this is not true! It is basically a misconception. While it is true that Microsoft do address security and offer you a secure and hardened platform, you still have a responsibility to secure and harden your environment. I mean, hey, if you go and open a port to your VM and expose it, that’s not something Microsoft can control. The same goes for brute force attacks, customized WAF rules, and the list goes on and on and on.

In a nutshell (which I will expand on in following posts), Microsoft offers us multiple solutions to help secure and harden our environments. These include:

  • Microsoft Defender for Cloud (Previously Azure Security Center)
  • Microsoft Defender for Workloads
  • Azure Front Door (Globally distributed WAF)
  • DDoS Protection plans
  • Azure Sentinel
  • A large array of 3rd party solutions available in the Azure Marketplace

Now with respect to all security solutions, be they Microsoft or 3rd party, everything starts with a correctly architected and configured environment. No solution in the world can fully protect you if you misconfigure your environment catastrophically.

Microsoft also come to our aid at this stage. For those of you not familiar with it, Microsoft have the Cloud Adoption Framework documentation. The Cloud Adoption Framework is a fully documented framework and methodology to help you assess, prepare and migrate your environments to the cloud. This of course includes modernization of your environment and, most importantly, SECURING it. In other words, this is Microsoft’s best practice for your cloud journey, including securing your environment. It includes full explanations of what Microsoft do and what your responsibility is, guidelines on how to fulfill that responsibility, and also guidelines for different Azure services with detailed explanations on how to address each service.

Diagram that shows an overview of the Cloud Adoption Framework.

In my next post I will address the initial architecture of an Azure environment and how we stress security from the platform level with all the basics in place, such as MFA, access control, segmentation, governance and more.

Azure Database for MySQL – Flexible Server hits GA

Let’s take a trip down memory lane. Azure originally had two managed database options:

  1. Azure SQL – a fully managed cloudy version of MSSQL
  2. DocumentDB – a NoSQL cloud database that has since morphed into Cosmos DB

Then a few years ago Microsoft did the deed and started adding open-source DBs as fully managed PaaS offerings. This initially included MySQL and PostgreSQL, and later they added both MariaDB and Apache Cassandra.

Now, after a year in preview, Azure Database for MySQL – Flexible Server is Generally Available. While not a new DB offering, this is a new deployment option that offers finer control over the setup and management of the service, effectively allowing you to quickly achieve specific performance, scaling, high availability and cost optimization goals.

Microsoft designed the new deployment mode to:

  • Simplify the application development experience using pre-integrated tools with GitHub, Terraform, Azure Kubernetes Services, and Web Apps
  • Enable the development of highly available, resilient, and scalable applications with the option to select same-zone or zone-redundant high availability and the ability to scale-out up to 10 read replicas
  • Allow users to fine-tune over 300 database parameters, choose their maintenance schedule, scale IOPS independent of provisioned storage, and specify the optimal amount of CPU and memory resources
  • Allow users to optimize their costs
  • Secure data with total network isolation, data at rest encryption, and encrypted connections with complete control over TLS and SSL enforcement

Flexible servers are best suited for:

  • Ease of deployments, simplified scaling and low database management overhead for functions like backups, high availability, security and monitoring
  • Application developments requiring community version of MySQL with better control and customizations
  • Production workloads with same-zone, zone redundant high availability and managed maintenance windows
  • Simplified development experience
  • Enterprise grade security, compliance and privacy

You can also find a chart comparing Azure Database for MySQL Single Server and Flexible Server over here.

Azure App Service Automatic Scaling

For those of you not familiar with it, Azure App Service is a managed PaaS service for running your apps, be they .NET, PHP, Python, Java etc., without the need to manage VMs, load balancers, the OS etc. The service is extremely popular and allows you to run your apps on either Linux or Windows, but again you won’t actually see the OS itself. All management is performed via the Azure portal, and deployments can be handled in a CI/CD manner with Azure DevOps, GitHub or plain old FTP.

One of the great things about App Service is that it has auto-scaling capabilities. You basically set your scaling point, such as 75% CPU usage or 75% memory usage, and when the threshold is met an additional instance will spin up, hook up to the load balancer (again, you don’t actually see or have to configure the load balancer) and spread the traffic between the two instances. This is a great feature as it allows you to keep your app running on a smaller instance, which of course equals lower running costs, and scale only when there is a higher load of traffic.

However, you are required to configure the scaling points, and in a large application this can be challenging as the right trigger may be CPU, RAM, concurrent connections, the HTTP queue etc. This is where the new automatic scaling comes in. Automatic scaling will automatically scale out the number of running instances as the request count increases and scale things down again when demand subsides.

At the moment this is in preview and enabling the feature is performed via the CLI. We expect to see the functionality in the GUI when the service hits GA. You can find the initial release notes for the service over here.

Azure Purview

Azure Purview has now been released to GA.

For those of you not familiar with Purview, it is quite a unique solution.

Azure Purview is a unified data governance solution that helps you manage and govern your on-premises, multicloud, and software-as-a-service (SaaS) data. Easily create a holistic, up-to-date map of your data landscape with automated data discovery, sensitive data classification, and end-to-end data lineage. Enable data consumers to find valuable, trustworthy data.

Basically, it allows you to create so-called “maps” of your entire organization’s data.

Establish the foundation for effective data governance and usage with Azure Purview Data Map.

  • Automate and manage metadata from hybrid sources.
  • Classify data using built-in and custom classifiers and Microsoft Information Protection sensitivity labels.
  • Label sensitive data consistently across SQL Server, Azure, Microsoft 365, and Power BI.
  • Easily integrate all your data systems using Apache Atlas APIs.

While also allowing for a bird’s-eye view of sensitive data:

  • View your whole data estate and its distribution by asset dimensions such as source type, classification, and file size.
  • Get status updates on how many scans succeeded, failed, or were canceled.
  • Gain key insights to add or redistribute glossary terms for better search results.

Azure Automanage

So we’ve all been there: we’ve set up a new Azure environment based on Windows Server and started configuring everything: Backup, Monitor, Log Analytics, Security Center, Updates…

Now, to be honest, configuring each of these services separately is a bit of a pain and also requires onboarding each VM to each service. Just to make it worse, you may in the future add an additional VM and forget to configure one of the required services.

This is where the new Azure Automanage comes into play. Azure Automanage allows you to onboard your VMs automatically to these services.

Azure Automanage will allow you to:

  • Intelligently onboard virtual machines to selected best-practice Azure services
  • Automatically configure each service per Azure best practices
  • Monitor for drift and correct it when detected
  • Provide a simple experience (point, click, set, forget)

Once onboarded, VMs are automatically configured based on best practices from the Microsoft Cloud Adoption Framework. These include:

  • VM Insights Monitoring
    Azure Monitor for VMs monitors the performance and health of your virtual machines, including their running processes and dependencies on other resources.
  • Backup
    Azure Backup provides independent and isolated backups to guard against unintended destruction of the data on your VMs. Charges are based on the number and size of VMs being protected.
  • Azure Security Center
    Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers and provides advanced threat protection across your hybrid workloads in the cloud. Automanage will configure the subscription where your VM resides to the free-tier offering of Azure Security Center. If your subscription is already onboarded to Azure Security Center, then Automanage will not reconfigure it.
  • Microsoft Antimalware
    Microsoft Antimalware for Azure is a free real-time protection that helps identify and remove viruses, spyware, and other malicious software. It generates alerts when known malicious or unwanted software tries to install itself or run on your Azure systems.
  • Update Management
    You can use Update Management in Azure Automation to manage operating system updates for your virtual machines. You can quickly assess the status of available updates on all agent machines and manage the process of installing required updates for servers.
  • Change Tracking & Inventory
    Change Tracking and Inventory combines change tracking and inventory functions to allow you to track virtual machine and server infrastructure changes. The service supports change tracking across services, daemons, software, registry, and files in your environment to help you diagnose unwanted changes and raise alerts. Inventory support allows you to query in-guest resources for visibility into installed applications and other configuration items.
  • Azure Automation Account
    Azure Automation supports management throughout the lifecycle of your infrastructure and applications.
  • Log Analytics Workspace
    Azure Monitor stores log data in a Log Analytics workspace, an Azure resource and a container where data is collected, aggregated, and serves as an administrative boundary.

The service is currently in preview and only available for Windows; Linux support will be added in the future. While in preview, the service is offered at no additional cost.

Onboarding is pretty straightforward: just navigate to the Automanage blade in the portal.

Click the “Enable on existing VM” button and choose the VMs you wish to onboard. You will also be offered a choice of profiles (currently Production or Dev/Test). You can of course customize the profile with your own preferences, allowing you to choose backup times and change the anti-malware configuration.

If you wish to automate this process for all future VMs, then you can use Azure Policy to assist.

New Microsoft Azure Communications Service launched

Sometimes it’s the smaller things in life that catch your eye or get you excited. Such is the case for me with the newly announced Azure Communications service. Why you may ask? Simple, this new service provides some basic features that until now developers were forced to “outsource” to 3rd parties such as Twilio & SendGrid. I am of course talking about SMS communications.

The newly announced service (currently in preview) allows developers access to not only SMS messaging but also to Voice and Video calling, Chat & optional integration of Azure supplied phone numbers.

All this means that developers can now access secured Azure APIs, with a high level of encryption, that are compliant with, among others, HIPAA & GDPR.

At a basic level, you can now use the service to send SMS notifications to your users, no more need to rely on a 3rd party provider.

Going a step further, you can also integrate chat directly into your site/application.

Both voice & video conferencing are also part of the service, and coming soon (October) you will also be able to receive phone numbers, allowing for both incoming and outgoing calls. These numbers can even be integrated into an existing on-prem SIP setup.

You can read the full documentation over here. You can find examples for group calling here, chat here and SMS here, and the SDK here.

Just think of a mix of this new service with existing services such as Cognitive Services, Bot Services, Functions & Logic Apps, just to name a few, and the options are endless.

Automatic VM guest patching

Up until now, if you wanted to keep your VMs up to date (or in other words, PATCHED) you had the option of using Azure Update Manager. Now, while this is a great solution and still probably the preferred solution for mission-critical workloads, it does require a fair level of configuration and management.

So now Microsoft have come out with a new offering called Automatic VM guest patching. The service is currently in preview and at present only supports Windows Server 2012-2019. It is however much simpler to manage.

So how does it work?

If automatic VM guest patching is enabled on a VM, then the available Critical and Security patches are downloaded and applied automatically on the VM. This process kicks off automatically every month when new patches are released through Windows Update. Patch assessment and installation are automatic, and the process includes rebooting the VM as required.

The VM is assessed periodically to determine the applicable patches for that VM. The patches can be installed any day on the VM during off-peak hours for the VM. This automatic assessment ensures that any missing patches are discovered at the earliest possible opportunity.

Patches are installed within 30 days of the monthly Windows Update release, following availability-first orchestration described below. Patches are installed only during off-peak hours for the VM, depending on the time zone of the VM. The VM must be running during the off-peak hours for patches to be automatically installed. If a VM is powered off during a periodic assessment, the VM will be automatically assessed and applicable patches will be installed automatically during the next periodic assessment when the VM is powered on.

The service will consider both Availability sets & Zones and not simultaneously update VMs deployed as such.

In its current preview you first need to register for the preview. This can be done via PowerShell, the API or the CLI.

Once enabled you will see the new option in the GUI when creating a new VM.
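If you build VMs from templates rather than the portal, the same switch is a property on the VM itself. The following Bicep is an added example, not from the original post or Microsoft’s docs; it assumes an existing NIC passed in by resource ID and an admin password supplied as a secure parameter.

```bicep
// Added example, not from the original post: a Windows Server VM created with
// automatic VM guest patching enabled from first boot.
param location string = resourceGroup().location
param nicId string                 // resource ID of an existing network interface (assumption)
param adminUsername string = 'vmadmin'
@secure()
param adminPassword string         // supplied at deployment time, never hard-coded

resource vm 'Microsoft.Compute/virtualMachines@2021-03-01' = {
  name: 'vm-patch-demo'
  location: location
  properties: {
    hardwareProfile: { vmSize: 'Standard_D2s_v3' }
    storageProfile: {
      // Guest patching only works on supported Marketplace images; 2019-Datacenter is one.
      imageReference: {
        publisher: 'MicrosoftWindowsServer'
        offer: 'WindowsServer'
        sku: '2019-Datacenter'
        version: 'latest'
      }
      osDisk: { createOption: 'FromImage' }
    }
    osProfile: {
      computerName: 'vmpatchdemo'
      adminUsername: adminUsername
      adminPassword: adminPassword
      windowsConfiguration: {
        provisionVMAgent: true        // the platform drives patching through the VM agent
        enableAutomaticUpdates: true  // must stay true when patchMode is AutomaticByPlatform
        patchSettings: {
          // 'AutomaticByPlatform' hands Critical/Security patch orchestration to Azure.
          // 'AutomaticByOS' is the old behaviour: Windows Update decides when to patch and reboot.
          patchMode: 'AutomaticByPlatform'
        }
      }
    }
    networkProfile: { networkInterfaces: [ { id: nicId } ] }
  }
}
```

The preview feature registration mentioned above still has to be in place on the subscription before this deployment succeeds.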

The full documentation can be found here.

Azure Shared Disks

A new, fairly exciting feature that was announced at Inspire this month is shared disks in Azure. In a nutshell, this allows you to attach the same managed disk to multiple VMs, making it perfect for clustered applications where both nodes require access to the same data disk. Think of a shared storage LUN for comparison.

How it works

VMs in the cluster can read or write to their attached disk based on the reservation chosen by the clustered application using SCSI Persistent Reservations (SCSI PR). SCSI PR is an industry standard leveraged by applications running on Storage Area Network (SAN) on-premises. Enabling SCSI PR on a managed disk allows you to migrate these applications to Azure as-is.

Shared managed disks offer shared block storage that can be accessed from multiple VMs, these are exposed as logical unit numbers (LUNs). LUNs are then presented to an initiator (VM) from a target (disk). These LUNs look like direct-attached-storage (DAS) or a local drive to the VM.

Shared managed disks do not natively offer a fully managed file system that can be accessed using SMB/NFS. You need to use a cluster manager, like Windows Server Failover Cluster (WSFC) or Pacemaker, that handles cluster node communication and write locking.

So for anyone looking to host failover shared-disk clusters in Azure, you now have your solution.