This course covers the Secure Resources part of the 70-534 exam, which is worth 20-25% of the exam. The intent of the course is to help fill in an knowledge gaps that you might have, and help to prepare you for the exam.
Welcome back. In this lesson, we'll be talking about managing security risks.
I've heard it said, by some in the tech industry, that the cloud is more secure than on-prem systems. Now, while that may be true of specific aspects, it's not a universal truth. Especially considering that cloud-native applications tend to have an increased attack surface.
So if you're planning out Azure based applications, how do you manage the security aspects? Toward the end of 2016, Microsoft published a white paper called "Microsoft Azure Security Response in the Cloud." If you haven't read it yet, I recommend that you check it out for yourself. Part of the paper presented the lifecycle of an incident response, which is broken down into five stages.
The first stage is detection, which is where you first notice some indication of a potential incident. The next is the assessment stage, and that's where you collect information about the incident.
The next stage is to diagnose the incident, looking for ways to contain or mitigate the damage caused by the incident. The next stage is to stabilize the system and recover from the impact of the incident.
And the final stage closes out the incident by performing a post-mortem, which includes steps for ensuring that this type of incident doesn't happen again. Given that Microsoft has a framework in place that details out how security incidents are handled, it makes sense that they'd offer tools to help.
There are two services that will help you manage security for both native Azure and hybrid solutions. They are Azure Security Center and Operations Management Suite, respectively.
I wanna start with Azure Security Center, or just Security Center for short. Security Center is a cloud-native tool for managing the prevention, detection, and resolution of security incidents.
Let's break down the capabilities for Security Center into prevention, detection, and resolution to see how it can help with each of those. For prevention, Security Center monitors your Azure resources, which allows you to make sure that your resources are functioning as intended.
You can set policies for your resource groups per subscription, based on your needs. Security Center will also provide recommendations based on your policies to help proactively identify areas that lack security controls.
Now, prevention is only part of the process. Just because you've taken the steps to lock things down doesn't mean that there aren't going to be attempts to break in, and some might even be successful.
If you didn't know these attacks were taking place, you might go on thinking that everything is fine. So that's where detection comes in. Detection will paint a more complete picture, so that you understand what's really happening.
Security Center will automatically collect security data from our resources, and it uses that data to look for potential threats. It uses several sources of data to determine possible threat patterns to provide the best possible information with fewer false positives. It also uses machine learning to help look for patterns.
Having this level of data analysis will ensure that you're responding to the right issues, and faster than if you had to do this manually by auditing all of this for yourself.
The final part of the process is to respond to any incidents and take the steps to resolve the issues. Now, to help with that, Security Center prioritizes the alerts so that you can focus on the issues that are more likely to be successfully exploited.
There are also some general recommendations given, and that's going to help serve as a starting point for how you might resolve some of these issues.
Now, if your applications that you're creating are entirely inside of Azure, then using Security Center is an easy choice. It's available even on the free tier, and that will help you get a handle on the state of your cloud security.
The other service that Azure offers is called Operations Management Suite, which is typically abbreviated as OMS. While OMS is useful for not only security, that's the aspect that I'm going to focus on for this lesson. OMS is designed to work, not just with your Azure resources, but also on-premises resources.
So OMS will allow you to have an Azure-hosted tool that can help you view the security of your organization holistically. In addition to providing similar tools to Security Center, OMS also offers log analytic tools that will allow you to dig deeper into incidents to get a better idea for what's happening.
Here's an example. Imagine some of your virtual machines are running web servers for your application, and you find out that there's a newly discovered remote code execution bug for the version of software that you're running. Now, you could query against all of your servers and look for any instance where a new process has been started by the web server user.
Imagine you see that there's a Netcat process running as the web server user. Now that's not to say that a Netcat listener is inherently malicious, however, it's probably the indication, in this case, that it's the start of an attack.
As another example, do you know how many failed logins have been made against your system in the past 24 hours, right off hand? Or how many computers are missing important security patches? Being able to fetch that kind of data across your infrastructure is extremely valuable.
And that's the kind of power that OMS provides. So OMS serves as a central security dashboard for, not just your Azure based resources, but your on-premises ones, as well.
Okay, that's going to wrap up this lesson. I recommend checking out not just the security aspects of OMS, however, the entire product, as it's a great tool for understanding your infrastructure and how it's behaving.
So that's the end of this lesson. And, for that matter, that's the end of this course. In the next course, I'm going to talk about the exam itself, and what you should expect. So if you're ready to keep learning, then let's get started with the next course.
About the Author
Ben Lambert is a software engineer and was previously the lead author for DevOps and Microsoft Azure training content at Cloud Academy. His courses and learning paths covered Cloud Ecosystem technologies such as DC/OS, configuration management tools, and containers. As a software engineer, Ben’s experience includes building highly available web and mobile apps. When he’s not building software, he’s hiking, camping, or creating video games.