Compliance and security are two critical concepts in the world of cloud software systems. They reinforce each other in important ways, so I would like to start by making sure you understand the distinction early and clearly. Security refers specifically to how well-protected our system is from threats. And by threats we might mean external agents and bad actors like hackers, and also how well protected we are from internal actors like careless employees, any other thing that might compromise our systems. So that's security. Compliance refers to the degree to which our architecture conforms to a specific standard. So we may have defined an amazing security standard to protect for everything. However, our system is not really safe unless it is also compliant with that standard. So by the same token, being compliant is not helpful if our standard is too weak.

I'm going to reiterate this for emphasis 'cause it's important. The state of having a secure software environment comes from both having a solid security standard and ensuring that your system is compliant with that standard. In practice, it's very difficult to ensure security without thinking about compliance. Security just on its own is very abstract and nebulous, am I secure or not? Compliance gives us a framework for defining threats and prioritizing solutions for hardening our systems.

In this first lesson as part of section one, we're going to demonstrate how we can define security standards in Azure and gain confidence that we are compliant with those standards.

So let's start by talking about Azure Security Center and policies. So Azure Security Center, or ASC as we can call it, is Azure's comprehensive platform-wide infrastructure security tool set. ASC is deeply integrated with all Azure services and does not require any additional deployment. It can be used with other clouds or on-prem solutions, it is at its most intuitive, though, in an Azure environment. ASC includes scanning tools for general vulnerability assessment. There's a VM scanning tool for checking Azure instances as well as a newer container image scanner that will identify known vulnerabilities within containers, software containers, in your Azure Registry. Scans occur automatically when containers are uploaded and run continuously on a schedule. Note that these features are part of the standard tier price, not the free tier. So you do have to enable that in your subscription.

A basic construct of Azure Security Center is the policy. ASC policies are what define the security standards used for measuring compliance. ASC includes dozens of pre-defined industry standards such as SOC TSP, ISO 27001, PCI. These standards are widely used and exhaustively studied and audited. They cover things like access control, incident response, encryption, and a host of other security concerns. Some will apply to specific Azure services. ASC also has support for defining custom policies if you have needs specific to your organization.

The ASC dashboard lets us see all of our policies in one place and map them to specific resource groups and subscriptions. Of particular use is the Regulatory Compliance dashboard which lets us see precisely how compliant our system is with industry and org-specific standards. What's more, ASC also gives an overall security score with severity rankings. Thanks to this in practice, you really don't need to spend a lot of time actually creating original policies from scratch and updating them. With the built-in industry security standards, the compliance dashboard, and the security score, you have all the tools you need to lock down your environment just by following Security Center's lead.

Compliance with ASC security policies is tracked automatically over time in the dashboard. We can easily see which subscriptions are covered by specific ASC policies and which resources are compliant. This is all just extremely helpful for auditing purposes, particularly for businesses that are in industries with very strict regulations regarding data security. The dashboard will give us an audit trail should something go wrong and should there be a need for forensic investigation.

So that's basically it for ASC. We will go deeper into the actual dashboard in the demo. In the next lesson, we're gonna talk about drift which is a phenomena of systems that may be compliant but they don't always stay compliant. So we'll see ya there, thanks for listening.

Lectures

Course Introduction - Security Center Demo - Preventing Drift - ARM, Activity Log & Track Changes Demo - Desired State Configuration (DSC) - Azure Desired State Configuration Demo - Azure Automation State Configuration - VM Agents & Extensions - VM Agents & Extensions Demo - Security & Compliance Pipelines - Azure Pipelines & Gates Demo - Course Summary