
Cybersecurity Memo

Tuesday, November 8, 2022

Azure Architecture Studying Notes

This post summarizes some knowledge points about Microsoft Azure collected from the Internet.

Azure Services


Azure Resources Hierarchy


  • Tenant - Organization - AAD users
  • Management Groups - Centralized management of subscriptions
  • Subscriptions - Billing agreement
  • Resource Groups - Group related resources together
  • Resources - VMs, databases, etc.

Identity and Access Management


Monitoring Azure Environment



Core Services

  1. Virtual Machines (Compute)
    • Flexibility
    • Availability Set
    • Scale Set
  2. Networking
    • vNet - SDN
    • Subnets
    • Peering/VPN/ExpressRoute
    • Network Security Groups / Firewall
  3. Storage
    • Blob, Files, Disks, Queues, Tables
  4. Database and Analytics
    • Structured Data - Azure SQL, Cosmos DB, Managed MySQL/PostgreSQL, and others
    • Analytics: BI - Azure Synapse - Azure Data Lake
  5. App Service and Serverless Compute
    • Web apps, Mobile apps, API apps, Cloud Services, Service Fabric, Notification Hubs, Functions

Pricing Discount

Azure Pricing Calculator


Azure Benefits and Incentives

For example:

  • Azure Hybrid Benefits
  • Azure Migration and Modernisation Programme
  • FastTrack for Azure
  • Azure dev/test pricing
  • Free Azure Sentinel data ingestion
  • Free support for commercial contracts
  • Azure savings plan for compute
  • Reservations
  • Azure Spot Virtual Machines

Microsoft Zero Trust (Assume-Breach)

Zero Trust is a security model that requires every user and device to be verified before it is granted access to company resources. Zero Trust is a security strategy, not a product or a service: it is an approach to designing and implementing the following set of security principles:
  • Verify explicitly
  • Use least privilege access
  • Assume breach

The key tenets of a modern defense-in-depth strategy include:

  • Protect privileged access – use privileged access management solutions to monitor and secure access to privileged accounts (superuser accounts, local and domain administrator accounts, application administrative accounts, etc.) by both human and non-human identities (applications, scripts, bots, etc.).
  • Lock down critical endpoints – use advanced endpoint privilege management solutions to lock down privilege across all endpoints, prevent lateral movement, and defend against ransomware and other forms of malware.
  • Enable adaptive multifactor authentication – use contextual information (location, time of day, IP address, device type, etc.) and business rules to determine which authentication factors to apply to a particular user in a particular situation.
  • Secure developer tools – use secrets management solutions to secure, manage, rotate and monitor secrets and other credentials used by applications, automation scripts, and other non-human identities.

1. Threat detection and response solutions
2. Identity and privileged access management
3. Endpoint and data protection
4. Security services

Best Practices:
1. Always Verify the User with Multi-factor Authentication (MFA)
2. Always Validate the Device
3. Ensure the Device Measures Up to Your Security Standards
4. Least Access and Least Privilege for IT and Everybody Else
5. Use a Solution that Learns and Adapts

Zero Trust vs Defense in Depth

The main difference is that Zero Trust requires continuous verification of users and devices, whereas Defense in Depth relies on multiple layers of security defenses. Additionally, Zero Trust focuses on protecting data and systems from external and internal threats, while Defense in Depth mainly focuses on external threats.

5 Steps to Create a Zero Trust Network

1. Identify your toxic data sources (crown jewels)
2. Map the transaction flows regarding toxic data
3. Architect a Zero Trust network based on the toxic data sources and the way they are used transactionally
4. Write your rules on your segmentation gateway based on the expected behavior of the data (users and applications)
5. Monitor the network; inspect and log the traffic; and update rules based on the intelligence you get from your security analytics systems

1. Conduct a data discovery exercise across the entire organization. For each business area / department, determine the sensitivity of the data, the data store, and the roles of the people who need to access the data. Implement SSO and MFA.
2. Have all workstations identified, inventoried, patched, and running anti-virus software; then start whitelisting all applications.
3. Map out all applications and data flows and begin configuring the segregation gateway to allow microcore capabilities. Begin implementing PAM.
4. Plan to protect financial and accounting information. Configure the microcore segment, and develop roles and privileges for the finance team. Enforce 2FA.
5. And last, develop a policy for continuous logging and monitoring to detect malicious behavior.
6. Additionally, in the long term, use the SIEM more proactively, so login information can feed better access decisions.
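As an added example (not from the original post), the following Python models steps 2 and 4 of the lists above for an Azure Network Security Group guarding a "toxic data" segment: the mapped flows, the gateway rules written from them, and a check that evaluates those rules with NSG semantics (ascending priority, first match wins, the built-in AllowVNetInBound and DenyAllInBound defaults). All addresses, flows and rule names are constructed, and the VNet is modelled as one constructed address range rather than the real VirtualNetwork service tag.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    priority: int        # lower number is evaluated first
    access: str          # "Allow" or "Deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    port: Optional[int]  # None means any destination port
    name: str

# Azure's built-in default rules (constructed ranges stand in for the
# VirtualNetwork tag). AllowVNetInBound at 65000 admits all intra-VNet
# traffic, so segmentation needs an explicit Deny at a lower number.
VNET = "10.0.0.0/8"  # constructed VNet address space
DEFAULT_RULES = [
    Rule(65000, "Allow", VNET, VNET, None, "AllowVNetInBound"),
    Rule(65500, "Deny", "0.0.0.0/0", "0.0.0.0/0", None, "DenyAllInBound"),
]

def matches(rule: Rule, src: str, dst: str, port: int) -> bool:
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.port in (None, port))

def evaluate(rules, src, dst, port):
    """NSG semantics: ascending priority, first matching rule wins."""
    for r in sorted(rules + DEFAULT_RULES, key=lambda r: r.priority):
        if matches(r, src, dst, port):
            return r.access, r.name

# Step 2: mapped transaction flows into the finance DB segment (constructed).
FINANCE_DB = "10.10.20.0/24"
EXPECTED = [("10.10.10.5", "10.10.20.8", 1433)]    # finance app -> SQL
UNEXPECTED = [("10.10.30.7", "10.10.20.8", 1433),  # HR subnet -> SQL
              ("10.10.10.5", "10.10.20.8", 3389),  # app host -> RDP
              ("203.0.113.9", "10.10.20.8", 1433)] # Internet -> SQL

# Step 4: segmentation-gateway rules derived only from the expected flows.
RULES = [
    Rule(100, "Allow", "10.10.10.0/24", FINANCE_DB, 1433, "AllowFinanceAppToSql"),
    Rule(4000, "Deny", VNET, FINANCE_DB, None, "DenyRestOfVnetToFinanceDb"),
]

def audit(rules, expected=EXPECTED, unexpected=UNEXPECTED) -> bool:
    """True only if every mapped flow is allowed and every other one is denied."""
    return (all(evaluate(rules, *f)[0] == "Allow" for f in expected)
            and all(evaluate(rules, *f)[0] == "Deny" for f in unexpected))
```

Running `audit([RULES[0]])` returns False because, without the explicit Deny at priority 4000, the other subnets reach the segment through AllowVNetInBound.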

Note: MS Learn Zero Trust Guidance Center

RaMP initiatives for Zero Trust

To rapidly adopt Zero Trust in your organization, RaMP offers technical deployment guidance organized in these initiatives.

Top priority: critical security modernization initiatives

User access and productivity
  1. Explicitly validate trust for all access requests
Data, compliance, and governance
  1. Ransomware recovery readiness
  2. Data
Modernize security operations
  1. Streamline response
  2. Unify visibility
  3. Reduce manual effort

As needed: additional initiatives based on Operational Technology (OT) or IoT usage, on-premises and cloud adoption, and security for in-house app development

OT and Industrial IoT
  • Discover
  • Protect
  • Monitor
Datacenter & DevOps Security
  • Security Hygiene
  • Reduce Legacy Risk
  • DevOps Integration
  • Microsegmentation

Here is the overall architecture for Zero Trust.

The overall architecture for Zero Trust

The RaMP initiatives for Zero Trust address all of the elements of this architecture. As you step through the initiatives, we'll show which parts are being covered.

From John Savill's Zero Trust video:

Azure Icon 

