Azure Architecture Studying Notes
This post summarizes some knowledge points about Microsoft Azure learned from the Internet.
Azure Services
From: https://azurecharts.com/overview
Azure Resources Hierarchy
- Tenant - Organization - AAD users
- Management Groups - Centralized management of subscriptions
- Subscriptions - Billing agreement
- Resource Groups - Group related resources together
- Resources - VMs, databases, etc.
Identity and Access management
Components:
Monitoring Azure Environment
- Logs
- Metrics
Core Services
- Virtual Machines (Compute)
  - Flexibility
  - Availability Set
  - Scale Set
- Networking
  - vNet - SDN
  - Subnets
  - Peering/VPN/ExpressRoute
  - Network Security Groups / Firewall
- Storage
  - Blob, Files, Disks, Queues, Tables
- Database and Analytics
  - Structured Data - Azure SQL, Cosmos DB, Managed MySQL/PostgreSQL, and others
  - Analytics: BI - Azure Synapse - Azure Data Lake
- App Service and Serverless Compute
  - Web Apps, Mobile Apps, API Apps, Cloud Services, Service Fabric, Notification Hubs, Functions
Pricing Discount
Azure Pricing Calculator
- https://azure.microsoft.com/en-ca/pricing/calculator/
Azure Benefits and Incentives
- https://azure.microsoft.com/en-ca/pricing/offers/
For example:
- Azure Hybrid Benefits
- Azure Migration and Modernisation Programme
- FastTrack for Azure
- Azure dev/test pricing
- Free Azure Sentinel data ingestion
- Free support for commercial contracts
- Azure savings plan for compute
- Reservations
- Azure Spot Virtual Machines
Microsoft Zero Trust (Assume-Breach)
Zero Trust is a security model that requires every user and device to be verified before it is granted access to company resources. It is a security strategy, not a product or a service: an approach to designing and implementing the following set of security principles:
- Verify explicitly
- Use least privilege access
- Assume breach
The key tenets of a modern defense-in-depth strategy include:
- Protect privileged access – use privileged access management solutions to monitor and secure access to privileged accounts (superuser accounts, local and domain administrator accounts, application administrative accounts, etc.) by both human and non-human identities (applications, scripts, bots, etc.).
- Lock down critical endpoints – use advanced endpoint privilege management solutions to lock down privilege across all endpoints, prevent lateral movement, and defend against ransomware and other forms of malware.
- Enable adaptive multifactor authentication – use contextual information (location, time of day, IP address, device type, etc.) and business rules to determine which authentication factors to apply to a particular user in a particular situation.
- Secure developer tools – use secrets management solutions to secure, manage, rotate and monitor secrets and other credentials used by applications, automation scripts, and other non-human identities.
Solutions:
1. Threat detection and response solutions
2. Identity and privileged access management
3. Endpoint and data protection
4. Security services
Best Practices:
1. Always Verify the User with Multi-factor Authentication (MFA)
2. Always Validate the Device
3. Ensure the Device Measures Up to Your Security Standards
4. Least Access and Least Privilege for IT and Everybody Else
5. Use a Solution that Learns and Adapts
Zero Trust vs Defense in Depth
The main difference is that Zero Trust requires continuous verification of users and devices, whereas Defense in Depth relies on multiple layers of security defenses. Additionally, Zero Trust focuses on protecting data and systems from external and internal threats, while Defense in Depth mainly focuses on external threats.
5 Steps to Create a Zero Trust Network
1. Identify your toxic data sources (crown jewels)
2. Map the transaction flows involving toxic data
3. Architect a Zero Trust network based on the toxic data sources and the way they are used transactionally
4. Write the rules on your segmentation gateway based on the expected behavior of the data (users and applications)
5. Monitor the network; inspect and log the traffic; and update the rules based on the intelligence you get from your security analytics systems
Example:
1. Conduct a data discovery exercise across the entire organization. For each business area / department, determine the sensitivity of the data, where it is stored, and the roles of the people who need to access it. Implement SSO and MFA.
2. Have all workstations identified, inventoried, patched and running anti-virus software; then start whitelisting all applications.
3. Map out all applications and data flows and begin configuring the segmentation gateway to enable microcore capabilities. Begin implementing PAM.
4. Plan to protect financial and accounting information: configure a microcore segment, develop roles and privileges for the finance team, and enforce 2FA.
5. Develop a policy for continuous logging and monitoring to detect malicious behavior.
6. Additionally, in the long term, use the SIEM more proactively so that login information can feed better access decisions.
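The five steps and the example above, modelled as an added Python sketch (not from the original notes or from Microsoft): a segmentation gateway whose only allow rules are the mapped transaction flows, default deny for everything else, MFA required before toxic data is reached, and a decision log for the monitoring step. All segments, roles, ports and users are constructed sample data.

```python
"""Toy segmentation-gateway policy for steps 3-5 above (added example, constructed data)."""
from collections import namedtuple

# Step 1 output (constructed): segments holding toxic data and its class.
TOXIC_SEGMENTS = {"finance-db": "financial", "hr-files": "hr"}

# Rule: one expected transaction flow ("any" matches every role); Flow: one observed attempt.
Rule = namedtuple("Rule", "src_role dst_segment port require_mfa")
Flow = namedtuple("Flow", "user role mfa dst_segment port")

# Step 4: rules exist only for flows mapped in step 2; anything else is denied.
EXPECTED_FLOWS = [
    Rule("finance-analyst", "finance-db", 1433, require_mfa=True),
    Rule("hr-staff", "hr-files", 445, require_mfa=True),
    Rule("any", "intranet-web", 443, require_mfa=False),
]

def evaluate(flow, rules=EXPECTED_FLOWS):
    """Return (decision, reason); default deny when no expected flow matches."""
    for r in rules:
        if (r.dst_segment, r.port) != (flow.dst_segment, flow.port):
            continue
        if r.src_role not in ("any", flow.role):
            continue
        if r.require_mfa and not flow.mfa:
            return "DENY", "mfa-required"  # verify explicitly before toxic data
        return "ALLOW", "expected-flow"
    return "DENY", "no-matching-rule"

def gateway_log(flows):
    """Step 5: log every decision; denies aimed at toxic segments are flagged."""
    lines = []
    for f in flows:
        decision, reason = evaluate(f)
        toxic = TOXIC_SEGMENTS.get(f.dst_segment)
        flag = f" [TOXIC:{toxic}]" if decision == "DENY" and toxic else ""
        lines.append(f"{decision} user={f.user} role={f.role} mfa={f.mfa} "
                     f"dst={f.dst_segment}:{f.port} reason={reason}{flag}")
    return lines

# Constructed sample traffic: expected flow, missing MFA, wrong role, benign request.
SAMPLE_FLOWS = [
    Flow("alice", "finance-analyst", True, "finance-db", 1433),
    Flow("bob", "finance-analyst", False, "finance-db", 1433),
    Flow("carol", "marketing", True, "finance-db", 1433),
    Flow("dave", "marketing", False, "intranet-web", 443),
]

if __name__ == "__main__":
    print("\n".join(gateway_log(SAMPLE_FLOWS)))
```

The flagged deny lines are the ones step 5 hands to the analytics system; a flow that is legitimate but keeps being denied is the signal to revisit the mapping in step 2 rather than to loosen the gateway.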
Note: MS Learn Zero Trust Guidance Center
RaMP initiatives for Zero Trust
To rapidly adopt Zero Trust in your organization, RaMP offers technical deployment guidance organized in these initiatives.
Initiative | Steps |
---|---|
Top priority | Critical security modernization initiatives: User access and productivity; Data, compliance, and governance; Modernize security operations |
As needed | Additional initiatives based on Operational Technology (OT) or IoT usage, on-premises and cloud adoption, and security for in-house app development: OT and Industrial IoT; Datacenter & DevOps Security |
Here is the overall architecture for Zero Trust.
The RaMP initiatives for Zero Trust address all of the elements of this architecture. As you step through the initiatives, we'll show which parts are being covered.
From John Savill's Zero Trust video: https://www.youtube.com/watch?v=hhS8VdGnfOU&t=1018s