Implementing Zero Trust Architecture on Azure Hybrid Cloud

This article outlines an approach to model NIST’s Zero Trust Security Architecture while migrating to MS Azure but still working with hybrid cloud deployments, and using tools and services offered by Azure.

What Is a Zero Trust Architecture (ZTA)?

The term ZTA has been in use in the domain of enterprise security models and architectures since 2010, when Forrester coined it, but it became popular after NIST published it as a framework (SP 800-207, final version published in Aug. 2020). ZTA gained further visibility after the US government recently mandated that all Federal agencies adopt it.

ZTA evolves security well beyond the scope of the conventional perimeter-based approach (i.e., enterprise firewalls). Its core principle is that organizations should not automatically trust anything inside or outside their perimeter(s) and, instead, must verify anything and everything trying to connect to their systems before granting access.

So, no access should be granted to any resource unless the requester is known and the principle of least privilege (POLP) is satisfied.

Tenets of ZTA and How Azure-Based Tooling Can Be Employed

I will try to elaborate on the core tenets of ZTA as per NIST (quoted as the numbered items below) and, then, propose the corresponding mapping to MS Azure services and tooling.

To begin with, the following basic infrastructure/configuration changes and service enablements are a must.

Micro-segmentation: Broad perimeters need to be broken down into smaller networks, each with its own network access controls. This micro-segmentation approach reduces the threat surface significantly. In Azure, it is easily done using multiple virtual networks (VNets), each with its own Network Security Group (NSG) configuration that restricts the visibility of the resources within the VNet to only the desired networks.

A set of microservices can be easily segmented out this way for limiting access on the network.
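As an added example (not code from the article), the following Python model shows how an NSG decides on an inbound flow: custom rules are evaluated in ascending priority order, the first match wins, and Azure's built-in default rules (AllowVnetInBound at 65000, AllowAzureLoadBalancerInBound at 65001, DenyAllInBound at 65500) sit behind every custom rule. The address plan, rule names and flows are constructed for illustration. It demonstrates the practitioner caveat that matters for segmentation: an NSG with only an allow rule does not segment anything, because the default AllowVnetInBound rule still admits the rest of the VNet (and, in a hybrid setup, peered VNets and connected on-premises ranges, which the VirtualNetwork tag also covers). An explicit deny at a lower priority number is what actually closes the subnet.

```python
"""Model of how an Azure NSG evaluates inbound rules (added example, not from the article).

Real NSG semantics modelled here: lower priority number is evaluated first, first
match decides, and the default rules (65000/65001/65500) follow all custom rules.
Subnets, rule names and flows below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules 100-4096; lower number is evaluated first
    access: str        # "Allow" or "Deny"
    source: str        # CIDR, or the tags "VirtualNetwork" / "AzureLoadBalancer" / "*"
    dest_port: str     # single port number or "*"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_port: int
    from_vnet: bool = True   # source lies in VNet/peered/on-prem space (VirtualNetwork tag)
    from_lb: bool = False    # source is the Azure load balancer probe address


# Azure's default inbound rules, always present and always evaluated last.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*"),
]


def _source_matches(rule: Rule, flow: Flow) -> bool:
    if rule.source == "*":
        return True
    if rule.source == "VirtualNetwork":
        return flow.from_vnet
    if rule.source == "AzureLoadBalancer":
        return flow.from_lb
    return ip_address(flow.src_ip) in ip_network(rule.source, strict=False)


def _port_matches(rule: Rule, flow: Flow) -> bool:
    return rule.dest_port == "*" or int(rule.dest_port) == flow.dst_port


def evaluate(custom_rules: list[Rule], flow: Flow) -> tuple[str, str]:
    """Return (decision, name of the rule that matched) for one inbound flow."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if _source_matches(rule, flow) and _port_matches(rule, flow):
            return rule.access, rule.name
    return "Deny", "DenyAllInBound"   # not reachable: DenyAllInBound matches everything


# Constructed address plan: web tier 10.0.1.0/24, app tier 10.0.2.0/24, db tier 10.0.3.0/24.
# NSG on the db-tier subnet, first attempt: only an allow rule for the app tier.
DB_NSG_NAIVE = [
    Rule("AllowAppToSql", 100, "Allow", "10.0.2.0/24", "1433"),
]
# Segmented: same allow, plus an explicit deny that shadows the default AllowVnetInBound.
DB_NSG_SEGMENTED = DB_NSG_NAIVE + [
    Rule("DenyVnetInBound", 4000, "Deny", "VirtualNetwork", "*"),
]


def web_tier_can_reach_sql(rules: list[Rule]) -> bool:
    decision, _ = evaluate(rules, Flow(src_ip="10.0.1.10", dst_port=1433))
    return decision == "Allow"


def app_tier_can_reach_sql(rules: list[Rule]) -> bool:
    decision, _ = evaluate(rules, Flow(src_ip="10.0.2.10", dst_port=1433))
    return decision == "Allow"


if __name__ == "__main__":
    for label, rules in (("naive", DB_NSG_NAIVE), ("segmented", DB_NSG_SEGMENTED)):
        print(label, "web->sql:", evaluate(rules, Flow("10.0.1.10", 1433)),
              "app->sql:", evaluate(rules, Flow("10.0.2.10", 1433)))
```

Running the block prints that the naive NSG lets the web tier reach SQL via AllowVnetInBound, while the segmented NSG denies it via DenyVnetInBound and still admits the app tier. The same evaluation logic applies to outbound rules and to the default outbound set, so the model generalizes beyond the single inbound case above.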

Azure AD and IAM: Subscribe to Azure Active Directory (AAD), Azure AD Identity Protection, and Azure AD Privileged Identity Management (PIM). This will require AAD Premium P2 licenses.

How these advanced tools help with several aspects of Zero Trust Architecture is covered below. AAD can also manage users and groups for hybrid environments very well. There is also an option to use a federated authentication model.

1. All data sources and computing services are considered resources. A network may be composed of multiple classes of devices. A network may also have small footprint devices that send data to aggregators/storage, software as a service (SaaS), systems sending instructions to actuators, and other functions. Also, an enterprise may decide to classify personally owned devices as resources if they can access enterprise-owned resources.

Azure AD allows for the provisioning of users and the configuration of identity and access management (IAM) for those users through its portal. In addition, it allows for device registration: users can register their work as well as personal devices as "trusted" ones, and get single sign-on (SSO) as a benefit.

Azure also provides managed identities, which allow machine-to-machine or application-to-application access without granting access to individual users. One can also create service principal objects and register applications in Azure AD. Together, these cover the SaaS scenarios.

2. All communication is secured regardless of network location. Network location alone does not imply trust. Access requests from assets located on enterprise-owned network infrastructure (e.g., inside a legacy network perimeter) must meet the same security requirements as access requests and communication from any other non-enterprise-owned network.

For our use cases, this tenet primarily meant that API calls from inside the firewall need to be secured as well. We use TLS even for internal API calls/requests, terminating (offloading) it at the API gateway, which then routes the requests according to the defined rules.
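As an added example (not code from the article), the following Python block applies the tenet on the client side and at the gateway: every destination, internal or not, is held to the same rule (TLS only, certificate and hostname always verified), and the gateway's routing table only ever points at TLS backends, so the hop after offload is protected too. The gateway hostname, service names and route table are constructed; no network I/O is performed.

```python
"""Enforcing "all communication is secured regardless of network location" (added example).

Client side: refuse any non-TLS URL, with no exception for internal hosts, and build a
TLS context that verifies the chain and hostname. Gateway side: route by path prefix
to backends that must themselves be TLS. Hostnames and routes are constructed.
"""
from __future__ import annotations

import ssl
from urllib.parse import urlsplit

GATEWAY_HOST = "api-gateway.internal.example"   # constructed hostname

# Constructed routing rules: path prefix -> backend service.
ROUTES = {
    "/orders/": "https://orders.svc.internal.example",
    "/billing/": "https://billing.svc.internal.example",
}


def validate_target(url: str) -> str:
    """Reject anything that is not TLS, regardless of where the host lives."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"plaintext call refused: {url}")
    if not parts.hostname:
        raise ValueError(f"no host in {url}")
    return url


def build_client_context() -> ssl.SSLContext:
    """TLS context that verifies the server chain and hostname; no 'internal' relaxation."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def route(path: str) -> str | None:
    """Gateway side: longest matching prefix wins; unmatched paths get no backend."""
    best: tuple[str, str] | None = None
    for prefix, backend in ROUTES.items():
        if path.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, backend)
    if best is None:
        return None
    prefix, backend = best
    # The gateway-to-service hop is held to the same rule as the client-to-gateway hop.
    return validate_target(backend) + "/" + path[len(prefix):]


def call_via_gateway(path: str) -> dict:
    """Compose the client request the gateway would receive (no network I/O here)."""
    target = validate_target(f"https://{GATEWAY_HOST}{path}")
    ctx = build_client_context()
    return {
        "url": target,
        "tls_min": ctx.minimum_version.name,
        "verify": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
        "backend": route(path),
    }


if __name__ == "__main__":
    print(call_via_gateway("/orders/123"))
    try:
        validate_target(f"http://{GATEWAY_HOST}/orders/123")
    except ValueError as exc:
        print("rejected:", exc)
```

The point to take from `validate_target` is that it never consults the address: a private IP or an `.internal` hostname gets no plaintext exception, which is exactly what the tenet requires.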


