Wednesday, September 27, 2017

Microsoft Ignite 2017: Azure Security and Management for hybrid environments

Jeremy Winter, Director, Security and Management

Jeremy Winter is going to do a deep dive on Azure’s Management and Security announcements. Everyone is in a different state when it comes to cloud. This digital transformation is having a pretty big ground-level impact. Software is everywhere and it is changing the way we think about our business.

Digital transformation requires alignment across teams. This includes Developers, Operational teams and the notion of a Custodian who looks after all the components. It requires cross-team collaboration, automated execution, proactive governance and cost transparency. This is not a perfect science; it is a journey, and Microsoft is learning, tweaking and adjusting as they go. Operations is going to become more software based as we start to integrate scripting and programmatic languages.

Microsoft’s bet is that management and security should be part of the platform. Microsoft doesn't think you should have to take enterprise tooling and bring it with you to the cloud. You should expect this management and security to be a native capability. Microsoft thinks about this according to a full stack of cloud capabilities:


Security is integral; Protect is really about Site Recovery; Monitoring is about visibility into what is going on; Configuration is about automating what you are doing. Microsoft believes they have a good baseline for all these components in Azure and is now focused on Governance.

Many frameworks try to put a layer of abstraction between the developer and the platform. Microsoft’s strategy is different. They want to allow the activity to go direct to the platform but to protect it via policy. This is a different approach and is something that Microsoft is piloting with Microsoft IT. Intercontinental Hotels is used as a reference case for digital transformation.

Strategies for successful management in the cloud:

1. Where to start: “Secure and Well-managed”

You need to secure your cloud resources through Azure Security Center, Protect your data via backup and replication and Monitor your cloud health. Ignite announced PowerShell in Azure Cloud Shell as well as Monitoring and Management built right in to the Azure portals.

Jeremy shows Azure monitoring a Linux VM. The Linux VM has management native on the Azure Panel. In the Panel you can see the inventory of what is inside the VM. You no longer have to remote in. It is done programmatically.

In the demo the internal version of Java is shown on the VM and we can now look at Change tracking to determine why the version of Java appears to have changed. This is important from an audit perspective as you have to be able to identify changes. You can see the complete activity log of the guest.

Also new is update management. You can see all the missing updates on individual or multiple computers. You can go ahead and schedule patching by defining your own maintenance window. In the future Microsoft will add pre and post activities. You also have the ability to use Azure Management for non-Azure based VMs.

For disaster recovery you are able to replicate from one region to another. You could already use this from enterprise to Azure, and now it also works region-to-region. Backup is now exposed as a property of the virtual machine, which you simply enable and assign a backup policy to.

With the new Azure Cloud Shell you have the ability to run PowerShell right inline. There are 3449 commands that have been ported over so far.

2. Governance for the cloud is in tech preview. Jeremy switches to the demo for Azure policies. You now have the ability to create policy and see non-compliant and compliant VMs. The example shows a sample policy to ensure that all VMs do not have public IPs. With the policy you are able to quickly audit the environment. You can also enforce these policies. It is based on JSON so you can edit the policies directly. Other use cases include things like auditing for unencrypted VMs.
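A policy of the kind described above, written in the current Azure Policy definition format as an added example (not the definition shown in the session demo): it matches any network interface with a public IP attached, and the `effect` parameter switches between auditing and enforcing. The display name, description text and parameter name are choices made for this example.

```json
{
  "properties": {
    "displayName": "Network interfaces should not have public IPs (added example)",
    "description": "Illustrative definition added to these notes; not the policy used in the session demo.",
    "mode": "All",
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Audit only reports non-compliant NICs; Deny rejects the create or update request."
        },
        "allowedValues": ["Audit", "Deny"],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Network/networkInterfaces" },
          {
            "not": {
              "field": "Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id",
              "notLike": "*"
            }
          }
        ]
      },
      "then": { "effect": "[parameters('effect')]" }
    }
  }
}
```

Assigning it with `Audit` first populates the compliance view without blocking anyone; switching the assignment to `Deny` enforces the rule on new and updated network interfaces.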

3. Security Management and threat detection

Microsoft is providing unified visibility, adaptive threat and detection and intelligent response. Azure Security Center is fully hybrid; you can apply it to enterprise and Azure workloads. Jeremy switches to Azure Security Center, which provides an overview of your entire environment's security posture.

Using the portal you can scan and get Microsoft's Security recommendations. Within the portal you can use ‘Just in Time Access’. This allows the developer to request that a port be opened, but it is enabled only for a window of time. Security Center Analysis allows you to whitelist ports and audit what has changed.

Microsoft can track and group Alerts through Security Center. Now you have a new option through continuous investigation to see visually what security incident has been logged. It takes the tracking and pushes it through the analytics engine. It allows you to visually follow the investigation thread to determine the root cause of the security exploit. Azure Log Analytics is the engine that drives these tool sets.

Azure Log Analytics now has an Advanced Analytics component that provides an advanced query language that you can leverage across the entire environment. It will be fully deployed across Azure by December.

4. Get integrated analytics and monitoring

For this you need to start from the app using Application Insights, then bring in network visibility as well as an infrastructure perspective. There is a new version of Application Insights. Jeremy shows Azure Monitor, which was launched last year at Ignite. Azure Monitor is the place for end-to-end monitoring of your Azure datacenters.

The demo shows the ability to drill in on VM performance and leverage machine learning to pinpoint the deviations. The demo shows slow response time for the ‘contoso demo site’. It shows that everything is working but slowly. You can see the dependency view of every process on the machine and everything it is talking to. Quickly you are able to see that the problem has nothing to do with the website but is actually a problem downstream.

Microsoft is able to do this because they have a team of data scientists baking in the analytics directly into the Azure platform through the Microsoft Smarts Team.

5. Migrate Workloads to the Cloud.

Microsoft announced a new capability for Azure Migration. You can now discover applications on your virtual machines and group them. From directly within the Azure portal you can determine which apps are ready for migration to Azure. In addition it will recommend the types of Migration tools that you can use to complete the migrations. This is in limited preview.

