Azure Architecture Studying Notes

 This post is to summarize some knowledge points regarding Microsoft Azure learned from Internet.

Azure Services

From: https://azurecharts.com/overview

Azure Resources Hierarchy

 

• Tenant - Organization - AAD users
• Management Groups - Centralized management of subscriptions
• Subscriptions - Billing agreement
• Resource Groups - Group related resources together
• Resources - VMs, databases , etc

Identity and Access management

 Components:

Monitoring Azure Environment

Logs

Metrics

Core Services

1. Virtual Machines (Compute)
• Flexibility
• Availability Set
• Scale Set
2. Networking
• vNet - SDN
• Subnets
• Peering/VPN/Express Route
• Network Security Groups / Firewall
3. Storage
• blob, Files, Disks, Queus, Tables.
4. Database and Analytics
• Structured Data - Azure SQL, Cosmos DB, Managed Mysql/PostgreSQL, and others
• Analytics : BI - Azure Synapse - Azure Data Lake
5. App service and Serverless Compute
• Web apps, Mobile apps, API apps, Cloud Services, service Fabric, Notification Hubs, Functions

Pricing Discount

Azure Pricing Calculator

• https://azure.microsoft.com/en-ca/pricing/calculator/

Azure Benefits and Incentives

• https://azure.microsoft.com/en-ca/pricing/offers/

For examples:

• Azure Hybrid Benefits
• Azure Migration and Modernisation Programme
• FastTrack for Azure
• Azure dev/test pricing
• Free Azure Sentinel data ingestion
• Free support for commercial contracts
• Azure savings plan for compute
• Reservations
• Azure Spot Virtual Machines
• Azure dev/test pricing

Microsoft Zero Trust (Assume-Breach)

Zero Trust is a security model that emphasizes the need to verify every user and device before granting them access to company resources. Zero Trust is a security strategy. It is not a product or a service, but an approach in designing and implementing the following set of security principles:

• Verify explicitly
• Use least privilege access
• Assume breach

The key tenets of a modern defense-in-depth strategy include:

• Protect privileged access – use privileged access management solutions to monitor and secure access to privileged accounts (superuser accounts, local and domain administrator accounts, application administrative accounts, etc.) by both human and non-human identities (applications, scripts, bots, etc.).
• Lockdown critical endpoints – use advanced endpoint privilege management solutions to lock down privilege across all endpoints, prevent lateral movement, and defend against ransomware and other forms of malware.
• Enable adaptive multifactor authentication – use contextual information (location, time of day, IP address, device type, etc.) and business rules to determine which authentication factors to apply to a particular user in a particular situation.
• Secure developer tools – use secrets management solutions to secure, manage, rotate and monitor secrets and other credentials used by applications, automation scripts, and other non-human identities.

Solutions:

1. Threat detection and response solutions

2. Identity and privileged access management

3. Endpoint and data protection

4. Security services

Best Practices:

1. Always Verify the User with Multi-factor Authentication (MFA)

2. Always Validate the Device

3. Ensure the Device Measures Up to Your Security Standards

4. Least Access and Least Privilege for IT and Everybody Else

5. Use a Solution that Learns and Adapts

Zero Trust vs Defense in Depth

The main difference is that Zero Trust requires continuous verification of users and devices, whereas Defense in Depth relies on multiple layers of security defenses. Additionally, Zero Trust focuses on protecting data and systems from external and internal threats, while Defense in Depth mainly focuses on external threats.

5 Steps to Create a Zero Trust Network

1. Identify your toxic data sources (Crown jewelry)

2. Map the transaction flows regarding toxic data 

3. Architect a Zero Trust network based on the toxic data sources and the way it's used transitionally

4. Write your rules on your segmentation gateway based on expected behavior of the data (users and applications)

5. Monitor the network; inspect and log the traffic; and update rules based the intelligence you get from your security analytics systems

Example:

1. Conduct a data discovery exercise cross the entire organization. For each business area / department, determine the sensitivity of data, data store, the roles of people who need to access the data. Implemented sso and mfa. 

2. Have all workstation identified, inventoried, patched, with anti-virus software, now, starting whitelisting all applications. 

3. Mapped out all applications and data flows and beginning to configure segregation gateway to allow microcore capabilities.  Began implementing PAM.

4. Plan to protect financal and accounting information. Configure Microcore segment, and develop roles and priviliege for finance team. Enforce 2FA.

5 and last. Developing policy for continuous logging and monitong to detect malicous behavior. 

6. Additionally, in a long term, use SIEM more proactively , so we can use login information to have better access decisions. 

Note: MS Learn  Zero Trust Guidance Center

RaMP initiatives for Zero Trust

To rapidly adopt Zero Trust in your organization, RaMP offers technical deployment guidance organized in these initiatives.

Initiative	Steps
Top priority	Critical security modernization initiatives:
User access and productivity	Explicitly validate trust for all access requests Identities Endpoints (devices) Apps Network
Data, compliance, and governance	Ransomware recovery readiness Data
Modernize security operations	Streamline response Unify visibility Reduce manual effort
As needed	Additional initiatives based on Operational Technology (OT) or IoT usage, on-premises and cloud adoption, and security for in-house app development:
OT and Industrial IoT	Discover Protect Monitor
Datacenter & DevOps Security	Security Hygiene Reduce Legacy Risk DevOps Integration Microsegmentation

Here is the overall architecture for Zero Trust.

The RaMP initiatives for Zero Trust address all of the elements of this architecture. As you step through the initiatives, we'll show which parts are being covered.

From John Savil's Zero Trust Video: https://www.youtube.com/watch?v=hhS8VdGnfOU&t=1018s

Azure Icon 

• Azure architecture icons
• Amazing Icon Downloader
• svg to png - https://ezgif.com/optimize

References

• Browse Azure Architectures
• Create Azure diagrams in Visio