This post is my live blog from KCDC. For more, see the 2021 KCDC live blog TOC
Book: Azure Security Handbook
- Need cloud native security – specific to cloud provider using
- ”Cloud can be as safe or unsafe as what you did before”
- Customer responsiblity: data, endpoints
- Shared responsiblity: identity, application, os/middleware, network
- Cloud provider responsiblity: physical
- Need to balance speed/“shadow cloud” (someone signing up for their own cloud account) with existing security requirements/eisting EA, lack of security awareness
- Phases – cloud straegy, governance model, security, guidelines (ex: implementation guidelines and refernee architecture)
- Cloud security framework defines architecture, policies and controls to secure cloud envrionment
- Don’t be a generic list of controls. Just be tailored. Doesn’t make sense to apply anything. Cloud security alliance has a list of about 200 sample controls. Don’t just go thru a list of controls in Excel.
- Terraform (or other tools) typically built by subject matter experts. Ex: database expert writes terraform module for database security
- Certified products/platform concept – if you use products/components/tools that are pre-approved, can get through security faster. Vetted already
Identity and Access Management (IAM)
- Integrate with existing IAM processes
- DevSecOps CI/CD deloys using Azure AD ideneity to application resources. Other identities to actuall run (but not deploy and change things).
- Need to be able to provide the CI/CD credentials not available/used by others
- Create a vending machine type system so have to request things. ex: give me a X. Makes automated to request things
Detection and Monitoring
- Need to enforce logging across landing zone and anything deployed
- Centralize logs.
- Ok to have temporary copy as well to focus on new info. Also some alerts verbose and ony want to monior key ones
- Can build custom alerts, but doesn’t scale. If 10K Azure resources all with own logs, can be unmanagable.
- Integrate with your SIEM an SOC
- Separate resource logs (ex: who accessed X) and application logs (what developers log)
- Cross subscription, cross region and cross cloud
- Traffic from platform and infrastructure as a service + app level
- Can grant access through
- RBAC in the subnet – fast to do, but dev has to do it
- Pre-provisioned NICs – medium, thru centralized cloud operations
- Outside Azure/cloud – slow, thru centralized ops
- New attack with pre-provisioned agent https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
I’ve learned/used AWS. The speaker is an Azure expert. He tried to make the presentation as cloud agnostic as possible. It was realy good for me to see how much is common across clould providers. It was goo to understand how things I’m doing fit into the bigger picture and something I wish we did differently