Microsoft Azure is a robust, feature-rich cloud platform used by a growing number of technology companies. With its vast array of services, a key challenge to administering an Azure environment is security. How can we ensure that our Azure infrastructure meets strict security standards? This course offers the answer.
In three concise units, the student will learn all about compliance and cloud security. The course delves into several key Azure components, including Azure DevOps, Azure Security Center, Desired State Configuration, and Azure Pipelines. After completing the lessons and watching the video demonstrations, the student will be equipped with the knowledge to automate critical security tasks to ensure a thoroughly hardened cloud architecture.
This skill set will serve infrastructure developers working with live environments or seeking to pass certification exams. Most importantly, it will help students understand cloud security in a comprehensive and thorough way.
For feedback, queries, or suggestions relating to this course, please contact us at support@cloudacademy.com.
Learning Objectives
- Scan infrastructure using Azure tools to prevent drift leading to compliance violations
- Automate configuration using Azure Automation and Desired State Configuration
- Create secure and compliant software pipelines in Azure
Intended Audience
This course is intended for:
- Those looking to learn more about the security and compliance features in Azure
- People studying for Microsoft's AZ-400 exam
Prerequisites
To get the most from this course, you should already have a basic understanding of Microsoft Azure as well as some knowledge of programming and cloud infrastructure.
Howdy friends. So in this demo, we're going to do a brief introduction to Azure Security Center. We'll show how to navigate the ASC dashboard in the browser, check out our security scores, show where the security policies are defined, and talk about how we can improve compliance. The whole demo is only a couple of minutes so just sit back and enjoy.
So let's start with the Azure portal. We're going to assume you already have or know how to set up an Azure account. This isn't a beginner tutorial so if you have an account, Security Center is enabled by default. It will have the basic functionality for free tier accounts. But for this class, we are going to assume that you have upgraded, that you're using the standard tier features because we do cover some standard tier features in this class. So let's first take a look at the dashboard.
So right away, the overview here gives us a nice little snapshot of the world basically. This particular Azure account is just a dummy account. It's very small, it's just running a single VM. However, what's cool is we can see right away how compliant our system is with various regulatory standards, things like PCI DSS or SOC TSP. So, let's think about this though. Let's dig a little bit deeper into what the score means, 295 out of 530.
What exactly is this score? In the Secure Score dashboard here, we can see exactly which areas of our system need attention with regards to security. Here we can see sections for Identity and access management, Networking, Compute, Data and storage, etc, etc. And we can drill down into specific tasks. You can click on one and see here, there should be more than one owner assigned to your subscription. All right, pretty straightforward. It'll guide us toward solving that. So these are tasks that will harden our system. Oh, it's saying Security Center. Okay, so that's just the security score.
But let's be a little more specific here. Let's talk about compliance, let's talk policies here. In the Security Policy section here, we can drill down into our subscription which is a free trial and we can see exactly which policies are in effect. In here, we can see a few. There's the default ASC here, Security Center Policy. And then these policies here, these are industry and regulatory standards, all right. So these are compliance policies that again, deal with things like PCI DSS, SOC, and then here, we see Azure's own standard Azure CIS 1.1.0 and ISO 27001. These are out-of-the-box industry policies that you get, and you can add more if you want. You can click here and add additional policies like SWIFT and NIST. And then, what's cool is we can also define custom policies here in the custom initiatives section. There's one here I've created called Block VMs and you can see in its description, No public IPs, which actually is not a very good description. But if we drill down on that, we click on it and we can see that it has two policies with distinct effects, built-in effects. Network interfaces should not have public IPs and then also Internet-facing virtual machines should be protected in network security groups. So this is our own custom policy.
So, going from there, as we've said in the earlier lessons, you know, it's one thing to have good policies. The most important thing though is compliance with those policies. That's really what we care about. So, what we're gonna do is look at the Regulatory Compliance dashboard. This is really one of my favorite things about Azure. The Compliance dashboard is a tool for tracking compliance and we get in one neat place a very clear picture of our cloud environment's compliance with multiple industry standards. As a former network security engineer, this is one of my favorite things if I'm working in an Azure environment. We can see here exactly what's failing, what's passing. We can look at specific standards, again, PCI and SOC. Probably one of the coolest things about it is that we can get very granular. We can select individual standards here, like ISO 27001. And then we can see exactly where we have gaps in those standards and drill down to specific issues here like Network Security Management, all the way down to Controls and then, that'll get us down to the exact requirements and recommendations. And click on that and get solutions and advice for solving those issues right away. So here we've drilled down to just in time network access should be applied at virtual machines, right? And then, we can go straight into solving that issue.
So, there you have it really, at a high-level. That is ASC. It's one of Azure's most compelling solutions I think when compared to other cloud providers. There are many helpful features here we didn't even go into. File Integrity Monitoring. You have Adaptive network hardening. You have various other management dashboards and tools. It's just a nice single source of truth for all things security in Azure cloud. And hopefully now with this walkthrough, you have some confidence in managing security policies and compliance in an Azure context. Thanks for watching.
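The custom "Block VMs" initiative shown in the demo combines two rules, one about public IPs on network interfaces and one about network security groups on internet-facing VMs. As an added example (not part of the course material and not Azure's own policy logic), the following Python code applies those two checks offline to constructed network interface records. The records use ARM property names, and treating a VM-attached NIC with a public IP as "internet-facing" is a simplifying assumption.

```python
# Added example: offline check of the two "Block VMs" rules against
# constructed, ARM-style network interface records (not real resources).
NO_PUBLIC_IP = "Network interfaces should not have public IPs"
NSG_REQUIRED = "Internet-facing virtual machines should be protected with network security groups"

def public_ip_ids(nic):
    """IDs of public IPs referenced by any ipConfiguration on the NIC."""
    cfgs = nic.get("properties", {}).get("ipConfigurations", [])
    refs = [(c.get("properties", {}).get("publicIPAddress") or {}).get("id") for c in cfgs]
    return [r for r in refs if r]

def has_nsg(nic, subnet_nsgs):
    """True if an NSG is attached to the NIC or to a subnet it sits in."""
    props = nic.get("properties", {})
    if (props.get("networkSecurityGroup") or {}).get("id"):
        return True
    subnets = [(c.get("properties", {}).get("subnet") or {}).get("id")
               for c in props.get("ipConfigurations", [])]
    return any(subnet_nsgs.get(s) for s in subnets if s)

def evaluate(nics, subnet_nsgs):
    """Return (nic name, violated rule) pairs, in input order."""
    findings = []
    for nic in nics:
        exposed = bool(public_ip_ids(nic))
        on_vm = bool((nic.get("properties", {}).get("virtualMachine") or {}).get("id"))
        if exposed:
            findings.append((nic["name"], NO_PUBLIC_IP))
        # Assumption: "internet-facing VM" = VM-attached NIC with a public IP.
        if exposed and on_vm and not has_nsg(nic, subnet_nsgs):
            findings.append((nic["name"], NSG_REQUIRED))
    return findings

def _nic(name, subnet, public_ip=None, nsg=None, vm="vm-1"):
    """Build a constructed NIC record using ARM property names."""
    ip_props = {"subnet": {"id": subnet}}
    if public_ip:
        ip_props["publicIPAddress"] = {"id": public_ip}
    props = {"ipConfigurations": [{"properties": ip_props}], "virtualMachine": {"id": vm}}
    if nsg:
        props["networkSecurityGroup"] = {"id": nsg}
    return {"name": name, "properties": props}

SUBNET_NSGS = {"subnet-app": "nsg-app", "subnet-web": None}  # constructed
NICS = [
    _nic("nic-web", "subnet-web", public_ip="pip-web"),  # exposed, no NSG anywhere
    _nic("nic-app", "subnet-app", public_ip="pip-app"),  # exposed, NSG on subnet
    _nic("nic-db", "subnet-app"),                        # private only
]
```

Calling `evaluate(NICS, SUBNET_NSGS)` flags `nic-web` under both rules and `nic-app` only for its public IP, which shows why the initiative needs both policies: a subnet-level NSG satisfies the second rule without removing the exposure the first one targets.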
Useful Links
https://docs.microsoft.com/en-us/azure/security-center/security-center-compliance-dashboard
Lectures
Course Introduction - Compliance & Security Scanning - Preventing Drift - ARM, Activity Log & Track Changes Demo - Desired State Configuration (DSC) - Azure Desired State Configuration Demo - Azure Automation State Configuration - VM Agents & Extensions - VM Agents & Extensions Demo - Security & Compliance Pipelines - Azure Pipelines & Gates Demo - Course Summary
Jonathan Bethune is a senior technical consultant working with several companies including TopTal, BCG, and Instaclustr. He is an experienced DevOps specialist, data engineer, and software developer. Jonathan has spent years mastering the art of system automation with a variety of different cloud providers and tools. Before he became an engineer, Jonathan was a musician and teacher in New York City. Jonathan is based in Tokyo where he continues to work in technology and write for various publications in his free time.