Building a Secure and Compliant Azure Virtual Data Center
- 1. Azure Virtual Datacenter Building a Secure and Compliant Azure Infrastructure-as-a-Service Environment #ILTACON19 #G1238
- 2. Patrick is a founder of Square10 and a proven technology professional with more than 20 years of industry expertise. He works with law firms to deliver technology solutions focused on enabling business outcomes, mitigating risk, optimizing operations and increasing profitability. His areas of specialty include strategic planning and advisory services, cloud services delivery and management, identity management and single sign-on, messaging, technical project management, and complex migrations. Patrick is regularly invited to present on such topics as technology trends, cloud computing, identity management, Microsoft technologies, mobile computing, and disaster recovery. info@square10.net www.sqare10.net PATRICK SKLODOWSKI Principal Square10 Solutions LLC #ILTACON19 #G1238
- 3. Azure Virtual Datacenter Building a Secure and Compliant AZURE Infrastructure-as-a-Service Environment VIRTUAL DATA CENTER (VDC) #ILTACON19 #G1238
- 5. FIRM’S BUSINESS CHALLENGES • Acquisition of firm running MPS hosted virtual desktops • Head count flexes based on economy • Client base is 100% financial institutions • Data localized across offices • Desktops must be local to servers! Photo by Olav Ahrens Røtne on Unsplash
- 6. Photo by Element5 Digital on Unsplash
- 7. TO CLOUD OR NOT TO CLOUD FISH & RICHARDSON – LAW FIRM CLOUD SURVEY (2019) Responses covered multitude of SaaS cloud service.
- 8. Photo by Elena Taranenko on Unsplash
- 9. FIRM’S BUSINESS GOALS • Quickly integrate new firm (8 weeks) • Centralize data • Cost flexes based on staffing • Move to operating expense (OPEX) model • Meet requirements of financial institution client base • Upcoming audit sets compliance precedent Photo by Chris Knight on Unsplash
- 10. PERMISSION OR FORGIVENESS? FISH & RICHARDSON – LAW FIRM CLOUD SURVEY (2019)
- 12. SHARED RESPONSIBILITY MODEL Courtesy of Microsoft
- 13. Outsourced TRUST Maximum CONTROL SPECTRUM OF CONTROL AND TRUST Trusted Execution Environment SQL Transparent Encryption, Azure Services in a VNet Customer Lockbox Azure Active Directory, Azure Key Vault Isolated VMs Azure Control Plane, Just in Time Access, Monitoring, Audit and Reporting Where you land drives service model selection IaaS Courtesy of Microsoft
- 14. AZURE IMPLEMENTATION - WHAT HAPPENED
- 15. AZURE IMPLEMENTATION - WHAT (REALLY) HAPPENED • Successful migration!!! • Order of client audits changed • 1st Audit Client CISO says NO CLOUD! • PANIC!! • (breathe) • Respond Photo by Luka Vovk on Unsplash
- 16. FACTS, PHILOSOPHY & GUIDANCE
- 17. Securing Privileged Access Office 365 Security Rapid Cyberattacks (Wannacrypt/Petya) https://aka.ms/MCRA Video Recording Strategies Office 365 Dynamics 365 +Monito r Azure Sentinel – Cloud Native SIEM and SOAR (Preview) SQL Encryption & Data Masking Data Loss Protection Data Governance eDiscovery
- 18. MICROSOFT’S COMPLIANCE • 90+ compliance offerings • $1B+ investment in security R&D and 3,500 cyber security experts • 6.5 trillion threat signals analyzed daily
- 19. VDC IS A TRUSTED ASSET Policy Scoping for RBAC – Least Privilege Model ✓ By Governmental Regulatory Authorities ✓ By Corporate Security Authorities (SecOps) ✓ By Management / Admins / IT Pro (NetOps, InfraOps) ✓ By Application Developers (DevOps) ✓ By End Users (GDPR) Handover: Like racks in their own DC Sandboxes can be surfaced through DevTest Labs. …Azure as a trusted extension to your on-premises VDC Perimeter with your workloads Courtesy of Microsoft
- 20. MICROSOFT GUIDANCE • Cloud Adoption Framework for Azure • Azure Blueprints • Service Trust Portal azure.com/governance
- 21. SERVICE TRUST PORTAL • Compliance Manager • Industry and region specific documents Trust Center servicetrust.microsoft.com • Trust documents – Audit reports (FedRAMP, ISO, PCI DSS, SOC) – Data protection resources (control mappings!) – Security and compliance blueprints
- 22. THIRD PARTY GUIDANCE • Center for Internet Security – Azure Benchmark • Cloud Security Alliance – Security Trust Assurance and Risk Registry (STAR) – Microsoft Self Attestations
- 24. MICROSOFT COMPLIANCE MANAGER • Evolving (use classic portal for Azure) • Key for Compliance Officers and CISOs • GDPR complete / ISO Customer controls coming soon
- 26. AZURE SECURITY CENTER • Holistic security and compliance posturing and assessment • Focus on – Security policy – Security score – Regulatory compliance
- 27. AZURE SECURITY SCORE • Part of Security Center • Security posturing across Azure
- 29. REGULATORY COMPLIANCE • Part of Security Center • Maps to compliance controls
- 31. AZURE POLICY • Policy and compliance management • Technical, security and regulatory compliance • Many features in preview
- 32. AZURE POLICY
- 33. AZURE ADVISOR • Best practice recommendations – High availability – Security – Performance – Cost
- 34. AZURE BLUEPRINTS (SERVICE) • Deploy and update cloud environments in a repeatable manner using templates • Currently in preview
- 35. PRACTICAL TIPS
- 36. QUICKSTART • Access control • Infrastructure • Security auditing and logging • Governance tools Photo by Jon Tyson on Unsplash
- 37. ACCESS CONTROL • Identity Management / Access Control – Azure AD Premium 1 / EMS Suite – Conditional Access – MFA – Trusted assets / device management • Identity Governance • Privileged Identity Management
- 38. Pre-screened Admin requests access Leadership grants temporary privilege ✓ No standing access to the platform and no access to customer Virtual Machines ✓ Grants least privilege required to complete task; access requests are audited and logged ✓ Multi-factor authentication required for all administration Just-in-Time & Role-Based Access Microsoft Corporate Network Microsoft Azure BLOBS TABLES QUEUES VMs MICROSOFT’S ACCESS Mature platform governanceCourtesy of Microsoft
- 39. INFRASTRUCTURE • Consider with ISO 27001 blueprint? • Networking – Connectivity – Firewall • Network Security Group • Virtual Firewall • Azure Firewall • Encryption – BitLocker – Key Management • Third party vs Azure Key Vault Courtesy of Microsoft
- 40. Azure Customer Azure Monitor Platform Application level audit logs • Customer audits go to the customer via Azure Monitor • Audit logs for Internal management services (internal only) Worker roleCloud ServiceVM Web Apps SQL Azure Logging and reporting drives confidence and transparency SECURITY AUDITING AND LOGGING Courtesy of Microsoft
- 41. AZURE SENTINEL Courtesy of Microsoft
- 42. GOVERNANCE TOOLS
- 43. HOW DOES THE STORY END?
- 44. Photo by James Douglas on Unsplash
- 45. HOW DID WE GO FROM “NO CLOUD” TO PASSING? • CFO provided – Business justification – Offered to explain rationale and work with client – Focused on controls (Microsoft and internal) • Written audit response – Heavy use of Microsoft documentation – Focused on controls (self attestation) and technologies • Audit – Deep dives with auditors – Open book Photo by James Douglas on Unsplash
- 47. CAN WE BE COMPLIANT IN AZURE?
- 48. GUIDANCE TOOLS TECHNOLOGY USE WHAT’S AVAILABLE
- 49. RESOURCES
- 50. Resources Azure Architecture Center • https://docs.microsoft.com/en-us/azure/architecture/ Azure Virtual Datacenter • https://docs.microsoft.com/en-us/azure/architecture/vdc/ Microsoft Cloud Adoption Framework for Azure • https://docs.microsoft.com/en-us/azure/architecture/cloud-adoption/ Microsoft Shared responsibility model • https://docs.microsoft.com/en-us/azure/security/fundamentals/infrastructure • https://blogs.msdn.microsoft.com/azuresecurity/2016/04/18/what-does-shared- responsibility-in-the-cloud-mean/ Azure governance • https://azure.com/governance Overview of Microsoft Azure compliance • https://gallery.technet.microsoft.com/Overview-of-Azure-c1be3942 Microsoft Service Trust Portal • https://servicetrust.microsoft.com CIS Azure Benchmark • https://www.cisecurity.org/benchmark/azure/ CIS Hardened Images on Azure • https://www.cisecurity.org/cis-hardened-images/microsoft/ Cloud Security Alliance • https://cloudsecurityalliance.org/ Cloud Security Alliance STAR Registry • https://cloudsecurityalliance.org/star/registry/Microsoft/ Microsoft Compliance Manager • https://servicetrust.microsoft.com/ • Use Classic Portal for Azure Azure Security Center • https://azure.microsoft.com/en-us/services/security-center/ Azure Security Score • https://docs.microsoft.com/en-us/azure/security-center/security-center-secure-score Regulatory compliance in Security Center • https://docs.microsoft.com/en-us/azure/security-center/security-center-compliance- dashboard/ Azure Policy • https://azure.microsoft.com/en-us/services/azure-policy/ Azure Advisor • https://azure.microsoft.com/en-us/services/advisor/ Azure Blueprints Service • https://docs.microsoft.com/en-us/azure/governance/blueprints/overview Fish & Richardson Cloud Security Survey • https://www.linkedin.com/pulse/cloudy-chance-meatballs-beau-mersereau/
- 51. 55