Published by Gregory Chapman. Modified over 6 years ago.
Slide 1: Workload Security: How the Public Cloud Changes Everything
David Barter, Microsoft Practice Director; Justin Gallagher, Solutions Architect. #Cloudscape2017
Slide 2: Introductions
David Barter: Practice Manager, Microsoft Technologies & End User Computing. More than 20 years of IT industry expertise, from break-fix technician to CIO. Microsoft Virtual Technical Solution Professional and CIE Certified.
Justin Gallagher: Solutions Architect, Microsoft Practice. More than 10 years of experience as an IT professional. Microsoft Virtual Technical Solution
Slide 3: Azure Compliance and Data Privacy
Common concerns this section addresses:
Data in the cloud is less secure.
My own datacenter is the safest place for my data.
I have no control over where my data is located.
If I put data in the cloud I lose ownership over it.
Slide 4: Azure Regulatory Compliance
Microsoft maintains strict controls and compliance with a long list of regulatory compliance programs. Anyone at a company that has had to comply with some of these regulations will attest that they are not easy to achieve or maintain. In some cases the regulatory compliance shown here applies to Azure and/or other Microsoft services.
Slide 5: Azure Regions and Data Centers
When you deploy to Azure you select the region. If you choose to replicate data to a secondary region, in most cases (SQL geo-redundancy and Azure Site Recovery) you get to pick the secondary region. For storage replication each datacenter has a partner in the same regulatory region (US East to US West, Europe East to Europe West).
Slide 6: Microsoft's Stance on Customer Data
"When it comes to the cloud, trust and security are paramount." – Satya Nadella, CEO of Microsoft
"With Microsoft, you are the owner of your customer data." – Microsoft Trust Center
"Microsoft does not share business customer data with our advertiser-supported services, nor do we mine it for marketing or advertising." – Microsoft Trust Center
ISO/IEC 27018:2014 includes a prohibition on the use of customer data for advertising and marketing purposes without the customer's express consent.
Microsoft has been very clear that your data belongs to you. They were the first cloud provider to be compliant with ISO/IEC 27018, which governs what they can do with your data. Microsoft has led the fight in the industry against National Security Letters with gag orders, so that enterprise customers can be informed when Microsoft is forced to provide information to the government. I also want to point out that Microsoft has created a Digital Crimes Unit that addresses many cyber security threats, including identifying botnets and bringing legal action against them, and responding to zero-day threats like WannaCry and Petya.
Slide 7: Azure Networking Controls
Common concerns this section addresses:
The public cloud is publicly accessible.
Access to the Azure environment is over the public Internet, so it's insecure.
I can't use industry-standard firewalls in Azure.
Slide 8: Azure Networking Defense in Depth
The concept of Defense in Depth is not specific to cloud; it is becoming the standard security practice for all organizations and means multiple layers of protection. In Azure, Microsoft sits at the front end protecting workloads from DDoS attacks; you then control the public IP and endpoint access; behind that you have the ability to create micro-segmentation between virtual machines to provide even more protection. This is part of the shared security model: Microsoft provides platform security and you configure workload security.
Slide 9: Azure Network Connectivity Options
When it comes to connectivity to an Azure deployment there are multiple approaches. One possible approach is connecting to the Azure workloads over the public internet; however, the recommendation for most companies is to create a private connection between your on-premises environment and Azure. This can be done in multiple ways, but at a high level it is either a Site-to-Site VPN connection or ExpressRoute, which allows you to drop a leg of your MPLS into the Azure network. In both of these scenarios you can create an Azure environment that is completely private and requires workloads to go through your on-premises systems.
Slide 10: Azure Network Connectivity Options
Slide 11: Azure Network Segmentation
In a previous slide I mentioned micro-segmentation, and I wanted to point out an example of what this looks like.
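The micro-segmentation this slide and slide 8 describe is built from Network Security Group rules, which Azure evaluates in ascending priority order with first match winning, ending in the platform's default rules. The following added example (not from the presentation) models that evaluation in Python with a constructed VNet and shows why the default AllowVnetInBound rule alone lets any VM in the VNet reach a database port, and how two custom rules restrict it to the web subnet. The address ranges, rule names and the simplified VirtualNetwork tag are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample VNet address space (assumed for this example).
VNET = ipaddress.ip_network("10.0.0.0/16")

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first
    source: str        # CIDR, "*" (any) or the "VirtualNetwork" service tag
    dest_port: str     # single port or "*" (any); port ranges omitted here
    protocol: str      # "Tcp", "Udp" or "*"
    access: str        # "Allow" or "Deny"

def _source_matches(src_spec, src_ip):
    if src_spec == "*":
        return True
    if src_spec == "VirtualNetwork":   # service tag, approximated as the VNet space
        return src_ip in VNET
    return src_ip in ipaddress.ip_network(src_spec)

def evaluate(rules, src, port, proto="Tcp"):
    """Return (rule name, access) of the first matching rule by ascending
    priority, the way an NSG evaluates inbound traffic."""
    src_ip = ipaddress.ip_address(src)
    for r in sorted(rules, key=lambda r: r.priority):
        if (_source_matches(r.source, src_ip)
                and r.dest_port in ("*", str(port))
                and r.protocol in ("*", proto)):
            return r.name, r.access
    raise RuntimeError("no rule matched; NSGs always end with a default Deny")

# Azure's default inbound rules (highest priority numbers, evaluated last);
# AllowAzureLoadBalancerInBound (65001) is left out for brevity.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]

# Micro-segmentation for a DB subnet: only the web subnet (10.0.1.0/24) may
# reach SQL on 1433; all other VNet traffic is denied before the default allow.
DB_SUBNET_RULES = DEFAULT_RULES + [
    Rule("AllowWebToSql", 100, "10.0.1.0/24", "1433", "Tcp", "Allow"),
    Rule("DenyVnetToDb", 200, "VirtualNetwork", "*", "*", "Deny"),
]
```

With only the default rules, a VM in any other subnet of the VNet reaches port 1433; with the two custom rules, only the web subnet does and Internet sources still fall through to DenyAllInBound.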
Slide 12: Third-Party Firewall Appliances in Azure
Barracuda F-Series NGFW, Cisco ASAv & FirePower, Fortinet FortiGate, Palo Alto NGFW, and many more.
One of the groups inside many companies with the most concerns about the public cloud is the security group. Being able to provide a unified security plane across both on-premises and the cloud is important. In this way Azure IaaS can and should be treated as "Datacenter as a Service".
Slide 13: Virtual Machine Workload Protection
Common concerns this section addresses:
A cloud virtual machine is managed by the cloud provider.
Microsoft backs up my VM.
Microsoft provides for high availability.
Slide 14: IaaS Shared Responsibility Model
It's important to understand what Infrastructure as a Service means. In this cloud computing model the physical systems and network connectivity are managed by Microsoft, but the customer manages everything built on top of them. You can think of this as Microsoft managing the hypervisor and below: it's VM as a Service.
Slide 15: Protecting IaaS Workloads
Install malware protection. Install updates. Limit public exposure. Backup & disaster recovery. Availability Sets. Azure Disk Encryption. Just-in-Time VM Access.
Because of this, many of the things on this list are best practices regardless of whether you are on-prem or in the cloud: malware protection, updates, limiting public accessibility. However, Azure provides integrated and innovative ways to do some of this. Backup and recovery is one example, where backup and cross-regional replication can be done with a couple of clicks. Just-in-Time VM Access is another example of a new feature where you can set up a request process for enabling public ports on specific VMs.
Slide 16: Monitoring & Logging
Common concern this section addresses:
I have less visibility and control of VMs in the cloud.
Slide 17: Logging in Azure
Audit Logs. Performance Logs. Application and Diagnostic Logs. Virtual Machine Logs. Platform Logs.
The sheer volume of logging available in the Azure platform is overwhelming. Microsoft provides several tools to see the signal in the noise. One of the primary ways is Azure Log Analytics in Operations Management Suite. This is the native SIEM (Security Information and Event Management); however, there are ways to send logs to an on-premises SIEM. For our GreenPages Managed Services customers we use the Vistara platform, which integrates directly into Azure and pulls data via API.
Slide 18: Azure Monitor
For performance and utilization there is Azure Monitor. This is built into the Azure Portal and allows for simplified direct dashboarding of data. Custom dashboards can be shared within an Azure subscription to provide a consistent view of the environment across team members.
Slide 19: Azure Security Center
Another big value-add is Azure Security Center, which reviews an entire Azure subscription. It reports on security vulnerabilities and insecure configurations of VMs and other resources. The great thing about this is that it not only recommends and gives direction on how to resolve the issue, but in many cases makes it as easy as clicking a button.
Slide 20: Azure Identity
Common concerns this section addresses:
I can't use my work credentials to access Azure.
I can't control who does what in the cloud.
Slide 21: Azure AD Connect
All of the Microsoft Cloud (Azure and Office 365) uses Azure Active Directory as its identity and authorization provider. Microsoft provides a free tool called Azure AD Connect that synchronizes Active Directory to Azure Active Directory, creating a common username and password both on-prem and in the cloud. Beyond that, Azure Active Directory can be integrated with a huge library of 3rd-party SaaS products.
Slide 22: Microsoft Hybrid Cloud Identity Models
Azure AD has multiple models for how to set up identities; each model solves different challenges and carries different risks. There are some new advancements in the Azure AD Connect tool that allow for a better user experience and security posture without requiring ADFS.
Slide 23: Azure Role-Based Access Control
When you talk about Azure, the smallest unit we talk about is the Resource. To use the analogy of a file server: Subscriptions are servers, Resource Groups are folders, and Resources are files. In this way you can create granular controls at multiple levels that inherit permissions downward. You can also grant rights to perform only specific actions, like giving your DBAs rights to only database resources.
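The inheritance and action scoping just described can be checked with a small model of Azure RBAC evaluation. This added example (not from the presentation) uses Azure's resource-ID scope layout and wildcard action strings, with simplified versions of three built-in roles, to show a DBA assignment at a resource group that covers databases beneath it but not VMs elsewhere. The subscription id, resource names, principals and the trimmed role definitions are assumptions constructed for the example; deny assignments are not modelled.

```python
from fnmatch import fnmatchcase

# Constructed scopes following Azure's resource-ID layout (placeholder subscription id).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_DATA = SUB + "/resourceGroups/rg-data"
SQL_SERVER = RG_DATA + "/providers/Microsoft.Sql/servers/sql-prod"
VM_APP = SUB + "/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-app01"

# Simplified role definitions: Actions grant, NotActions subtract (Azure semantics);
# the real built-in roles carry longer action lists than shown here.
ROLES = {
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Contributor": {"actions": ["*"], "not_actions": ["Microsoft.Authorization/*/Write"]},
    "SQL DB Contributor": {"actions": ["Microsoft.Sql/servers/databases/*"], "not_actions": []},
}

# (principal, role, scope): an assignment is inherited by everything below its scope.
ASSIGNMENTS = [
    ("alice", "Reader", SUB),                     # read everything in the subscription
    ("dba-team", "SQL DB Contributor", RG_DATA),  # DBAs manage databases, only in rg-data
    ("bob", "Contributor", VM_APP),               # manage one VM and nothing else
]

def _in_scope(assignment_scope, resource_id):
    """True when the resource is the assignment scope itself or lies beneath it."""
    a, r = assignment_scope.lower(), resource_id.lower()
    return r == a or r.startswith(a + "/")

def _matches(patterns, action):
    # Azure action strings are case-insensitive and "*" matches any text.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def is_allowed(principal, action, resource_id):
    """Azure RBAC is additive: allowed if any inherited assignment's role lists
    the action in Actions and does not exclude it in NotActions."""
    for who, role, scope in ASSIGNMENTS:
        if who != principal or not _in_scope(scope, resource_id):
            continue
        role_def = ROLES[role]
        if _matches(role_def["actions"], action) and not _matches(role_def["not_actions"], action):
            return True
    return False
```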
Slide 24: Next Steps
If you have an existing public cloud deployment and want to ensure your solution is configured to best practices, GreenPages has offerings that can help assess and report on your environment. If you are new to the cloud, we have Cloud Workshops: 4-5 day sessions where we review key concepts of cloud and deploy a proof-of-concept workload to the cloud with you.
Slide 25: Thank You / Q&A
David Barter, David.Barter@logicsone.com; Justin Gallagher. #Cloudscape2017