Our decision to host #MicrosoftMornings sessions came out of an observation that there is still a lot of FUD (Fear/Uncertainty/Doubt) about Cloud adoption. It comes both from companies that are looking at adopting Cloud technologies and from those that have already invested in a Cloud strategy but may be unsure of what they actually have under the hood and how to use it effectively. Trust and comfort are massive elements of adopting new technologies.
We decided to focus on Cloud security in the Microsoft 365 offering (security is often seen as a Cloud adoption inhibitor), on high-level considerations and practical learnings from setting up an Azure environment, and on the key considerations that need to be taken into account.
The key concepts from each area are summarised in this post.
Microsoft Intelligent Security Graph
The foundation of the Microsoft security offering for Microsoft 365 and Azure is the Intelligent Security Graph. The volume of signal it processes is difficult to wrap your head around.
The dictionary defines a graph as: “a diagram representing a system of connections or interrelations among two or more things by a number of distinctive dots, lines, bars, etc.”. In the context of security, John Lambert describes it more precisely as:
The graph in your network is the set of security dependencies that create equivalence classes among your assets.
So what does this mean practically?
The design of your network, the management of your network, the software and services used on your network, and the behaviour of users on your network all influence this graph.
Take a domain controller for example. Henk administers the DC from his workstation. If that workstation is not protected to the same standard as the domain controller, the DC can be compromised through it.
Any other account that is an admin on Henk’s workstation can compromise Henk AND the DC. Every one of those admins logs on to one or more other machines in the natural course of business. If attackers compromise any of those machines, they have a path to the DC.
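The dependency graph described above can be made concrete with a few lines of code. The following is an added example, not code from Microsoft's Intelligent Security Graph or from Velocity Group: it models "control" edges (an admin controls the machine they administer; a machine exposes the credentials of everyone who logs on to it) over a constructed set of accounts and machines, then answers the two questions a defender needs: which path leads from a given machine to the DC, and which assets are therefore in the DC's equivalence class and must be protected to the same standard. All names (Henk, Sarah, Piet, Anna, WS-KIOSK, DC01 and so on) are invented for the illustration.

```python
from collections import defaultdict, deque

# Constructed sample relationships (not from any real environment). Each tuple
# reads: compromising `source` yields control of `target`.
#   - an account that is an admin on a machine controls that machine
#   - a machine that an account logs on to exposes that account's credentials
CONTROL_EDGES = [
    ("Henk", "DC01"),         # Henk is an admin of the domain controller
    ("WS-HENK", "Henk"),      # Henk logs on to his own workstation
    ("Sarah", "WS-HENK"),     # Sarah (helpdesk) is a local admin on WS-HENK
    ("WS-KIOSK", "Sarah"),    # Sarah also logs on to a shared kiosk machine
    ("Piet", "WS-KIOSK"),     # Piet is a local admin on the kiosk
    ("Anna", "WS-FINANCE"),   # Anna administers the finance box ...
    ("WS-FINANCE", "Anna"),   # ... and logs on to it; nothing links it to DC01
]


def build_graph(edges):
    """Return forward and reverse adjacency maps for the control edges."""
    forward, reverse = defaultdict(set), defaultdict(set)
    for source, target in edges:
        forward[source].add(target)
        reverse[target].add(source)
    return forward, reverse


def shortest_path(forward, start, target):
    """Breadth-first search; returns the node list of one shortest path, or None."""
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parents[node]
            return path[::-1]
        for nxt in sorted(forward[node]):
            if nxt not in parents:
                parents[nxt] = node
                queue.append(nxt)
    return None


def equivalence_class(reverse, target):
    """Every node from which `target` is reachable: compromising any of these
    compromises `target`, so all of them need `target`'s level of protection."""
    seen = set()
    queue = deque([target])
    while queue:
        node = queue.popleft()
        for prev in reverse[node]:
            if prev not in seen:
                seen.add(prev)
                queue.append(prev)
    return seen


FORWARD, REVERSE = build_graph(CONTROL_EDGES)

if __name__ == "__main__":
    print("Path from the kiosk to the DC:", shortest_path(FORWARD, "WS-KIOSK", "DC01"))
    print("Assets that must be protected like DC01:", sorted(equivalence_class(REVERSE, "DC01")))
    print("Finance box reaches DC01?", shortest_path(FORWARD, "WS-FINANCE", "DC01") is not None)
```

The reverse traversal is the useful one for a defender: it turns a list of "who is admin where" records into the set of workstations and accounts that are, in effect, tier-0, which is exactly the list that needs the same hardening, monitoring and logon restrictions as the domain controller itself.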
"Essentially what Microsoft is doing is using the interconnectedness of the Cloud, its reach across all aspects of systems and the ability to use AI to discover correlations between data that ultimately protect users and systems in an intelligent way." - Graham Elston, Technical Director at Velocity Group
A practical view of this is the Microsoft 365 Security Centre, which lets you quickly identify security gaps in your environment, benchmark your security posture against industry standards, and act on what you find.
Azure IaaS Design and Implementation Considerations
The Azure environments we have been called in to remediate and optimise tend to share some fundamental issues.
They can be summed up in the following key areas:
Correct VM Selection
The first problem facing many customers is the sheer number of VM sizes and series to choose from when matching a VM to your application's needs.
This simple guide helps you to navigate through the many options available to you:
Resource Groups
Resource Groups are an often overlooked area of consideration. Taking time to logically group resources together makes them easy to manage from an administration perspective. As an example, if you have a test and development environment in your JHB office and you want to delete it, or create a template and copy it for a CT deployment, having a Resource Group named something like JHB-DEVTST lets you identify it easily and act on all the compute, networking, storage, database and application components contained within it.
Another consideration is cost visibility and the ability to attribute costs to departments or subsidiaries that you may want to account for individually. Our billing platform lets you see costs by Resource Group, making it easy to see exactly what that mobile sales app costs to run without sifting through thousands of lines on a detailed bill.
Networking
Ensuring that you have considered your networking design prior to deploying any VMs is critically important.
"The ease with which you can go through a VM Deployment Wizard means that you can deploy 2 or 3 VMs in minutes and they will all be associated to a default network with public IPs. A practical example of this problem is that if you deploy an application VM and then a SQL VM, but haven't taken networking considerations into account, you could have servers talking to each other through internet breakout (over those public IPs) vs through a VLAN directly to each other. Disastrous from a performance perspective and costing you unnecessary breakout costs." - Garth Elston, Senior Cloud Architect at Velocity Group
Take time to plan your networks, subnets and how you will connect this back to your on-premises environment. There is no right or wrong, it is what works best for you.
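The wizard-default problem quoted above is easy to catch before it costs anything, because every symptom is visible in the NIC configuration. Below is an added example, not Velocity Group's or Microsoft's tooling: a small audit that walks NIC records, flags any with a public IP attached or no network security group, and warns when the VMs are spread across separate virtual networks (which is where traffic between them ends up leaving via public addresses unless the networks are peered). The two record sets are constructed to resemble the fields returned by `az network nic list`, trimmed to what the audit reads; the subscription, resource group, VNet and NIC names are placeholders, and the assumed field names are noted in the comments.

```python
import re

# An Azure subnet resource ID has this layout (the ARM format):
#   /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/<subnet>
SUBNET_ID = re.compile(r"/virtualNetworks/(?P<vnet>[^/]+)/subnets/(?P<subnet>[^/]+)$", re.IGNORECASE)

RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/JHB-DEVTST"


def nic(name, vm, vnet, subnet, public_ip=None, nsg=None):
    """Build a constructed NIC record using the field names az CLI returns
    (virtualMachine, ipConfigurations, publicIPAddress, subnet, networkSecurityGroup)."""
    ipconf = {"subnet": {"id": f"{RG}/providers/Microsoft.Network/virtualNetworks/{vnet}/subnets/{subnet}"}}
    if public_ip:
        ipconf["publicIPAddress"] = {"id": f"{RG}/providers/Microsoft.Network/publicIPAddresses/{public_ip}"}
    return {
        "name": name,
        "virtualMachine": {"id": f"{RG}/providers/Microsoft.Compute/virtualMachines/{vm}"},
        "ipConfigurations": [ipconf],
        "networkSecurityGroup": {"id": f"{RG}/providers/Microsoft.Network/networkSecurityGroups/{nsg}"} if nsg else None,
    }


# What two passes through the wizard typically leave behind: each VM gets its
# own default VNet, a public IP and no NSG (constructed sample).
WIZARD_DEFAULT_NICS = [
    nic("app01-nic", "APP01", "APP01-vnet", "default", public_ip="APP01-ip"),
    nic("sql01-nic", "SQL01", "SQL01-vnet", "default", public_ip="SQL01-ip"),
]

# The planned layout: one VNet with an app and a data subnet, private
# addresses only, an NSG on each NIC (constructed sample).
PLANNED_NICS = [
    nic("app01-nic", "APP01", "vnet-jhb", "app", nsg="nsg-app"),
    nic("sql01-nic", "SQL01", "vnet-jhb", "data", nsg="nsg-data"),
]


def vnet_of(subnet_id):
    match = SUBNET_ID.search(subnet_id)
    if not match:
        raise ValueError(f"not a subnet resource id: {subnet_id}")
    return match.group("vnet")


def vm_of(record):
    """VM name from the NIC's virtualMachine id; falls back to the NIC name."""
    vm_id = (record.get("virtualMachine") or {}).get("id") or record["name"]
    return vm_id.rsplit("/", 1)[-1]


def audit_nics(records):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    vnets = {}
    for record in records:
        vm = vm_of(record)
        if not record.get("networkSecurityGroup"):
            findings.append(f"{vm}: NIC {record['name']} has no NSG (a subnet-level NSG would need a separate check)")
        for ipconf in record["ipConfigurations"]:
            if ipconf.get("publicIPAddress"):
                findings.append(f"{vm}: public IP attached to {record['name']}")
            vnets[vm] = vnet_of(ipconf["subnet"]["id"])
    distinct = sorted(set(vnets.values()))
    if len(distinct) > 1:
        findings.append("VMs are spread across VNets " + ", ".join(distinct)
                        + "; without peering, traffic between them leaves over public addresses")
    return findings


if __name__ == "__main__":
    for label, records in (("wizard defaults", WIZARD_DEFAULT_NICS), ("planned layout", PLANNED_NICS)):
        print(f"== {label} ==")
        for finding in audit_nics(records) or ["no findings"]:
            print(" -", finding)
```

Run against the real output of `az network nic list -o json` the same function gives a quick first pass over a subscription; the VNet check is deliberately conservative and reports a split even where peering exists, so treat that finding as a prompt to verify the peering rather than as proof of a problem.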
We encourage you to engage our Microsoft Cloud and Services team to plan your Hybrid Cloud journey and ensure you have successful implementations.
For information or advice: