Best practices for layering on cloud security through Azure Marketplace

by Scott Muniz | Aug 26, 2020 | Azure, Microsoft, Technology, Uncategorized

This article is contributed. See the original author and article here.

With so much focus on how the cloud is changing the way we build and deploy applications, cloud security can become an afterthought. Some organizations worry about slowing the momentum of cloud migration. Others find new cloud security processes daunting.

Brad Orluk is the Microsoft Alliance Manager at Check Point, which offers CloudGuard on Azure Marketplace and was recognized as the Most Prolific Integration Partner during Microsoft Security 20/20. He explains common cloud security scenarios, challenges, and best practices below:

Although the concepts may seem similar, cloud security is different than traditional enterprise security. Additionally, there may be industry-specific compliance and security standards.

Public cloud vendors have defined the Shared Responsibility Model where the vendor is responsible for the security “of” their cloud, while their customers are responsible for the security “in” the cloud.

Cloud deployments include multi-layered components, and the security requirements are often different per layer and per component. Often, the ownership of security is blurred when it comes to the application, infrastructure, and sometimes even the cloud platform –  especially in multi-cloud deployments.

Cloud vendors, including Microsoft, offer fundamental network-layer, data-layer, and other security tools for use by their customers. Security analysts, managed security service providers, and advanced cloud customers recommend layering on advanced threat prevention and network-layer security solutions to protect against modern-day attacks. These specialized tools evolve at the pace of industry threats to secure the organization’s cloud perimeters and connection points.

Check Point is a leader in cloud security and a trusted security advisor to customers migrating workloads to the cloud. Check Point’s CloudGuard helps protect assets in the cloud with dynamic scalability, intelligent provisioning, and consistent control across public, private, and hybrid cloud deployments. CloudGuard supports Azure and Azure Stack. Customers using CloudGuard can securely migrate sensitive workloads, applications, and data into Azure and thereby improve their security.

But how well does CloudGuard conform to Microsoft’s best practices?

Principal Program Manager of Azure Networking, Dr. Reshmi Yandapalli (DAOM), published a blog post entitled “Best practices to consider before deploying a network virtual appliance,” which outlined considerations when building or choosing Azure security and networking services. Yandapalli defined four best practices for networking and security ISVs – like Check Point – to enhance the cloud experience for Azure customers:

1. Azure accelerated networking support

Make sure an ISV’s Azure security solution is available on one or more Azure virtual machine (VM) type with Azure’s accelerated networking capability to improve networking performance. Yandapalli recommends that users “consider a virtual appliance that is available on one of the supported VM types with Azure’s accelerated networking capability.”

The diagram below (from this Microsoft tutorial) shows communication between VMs, with and without Azure’s accelerated networking:

Accelerated networking to improve performance of Azure security (source: Microsoft)

Amir Kaushansky, Check Point’s Head of Cloud Network Security Product Management, said, “Check Point was the first certified compliant vendor with Azure accelerated networking. Accelerated networking can improve performance and reduce jitter, latency, and CPU utilization.”

According to Kaushansky – and depending on workload and VM size – Check Point and customers have observed at least a 2-3 times increase in throughput thanks to Azure accelerated networking.

2. Multi-Network Interface Controller (NIC) support

Using VMs with multiple NICs improves network traffic management via traffic isolation. For example, one NIC can be used for data plane traffic and one NIC for management plane traffic. Yandapalli wrote, “With multiple NICs you can better manage your network traffic by isolating various types of traffic across the different NICs.”

This Microsoft article describes the Azure Dv2-series and defines the maximum NICs.

Azure Dv2-series VMs with # NICs (source: Microsoft, June 2020)

CloudGuard supports multi-NIC VMs, without any maximum of the number of NICs. Check Point recommends the use of VMs with at least two NICs – VMs with one NIC are supported but not recommended.

Depending on the customer’s deployment architecture, the customer may use one NIC for internal East-West traffic and the second for outbound/inbound North-South traffic.

3. High Availability (HA) port with Azure load balancer

Azure security and networking services should be reliable and highly available. Yandapalli suggests the use of a High Availability (HA) port load balancing rule.

“You would want your NVA to be reliable and highly available, to achieve these goals simply by adding network virtual appliance instances to the backend pool of your internal load balancer and configuring a HA ports load-balancer rule,” Yandapalli wrote.

The diagram below (from this article) shows an example usage of a HA port:

Flowchart example of High Availability port with Azure Load Balancer (source: Microsoft)

“CloudGuard supports this functionality with a standard load balancer via Azure Resource Manager deployment templates, which customers can use to deploy CloudGuard easily in HA mode,” said Kaushansky, whose responsibilities include the CloudGuard roadmap and coordination with the R&D/development team.

4. Support for Virtual Machine Scale Sets (VMSS)

Use Azure VMSS to provide HA. These also provide the management and automation layers for Azure security, networking, and other applications. This cloud-native functionality provides the right amount of infrastructure as a service (IaaS) resources at any given time, depending on application needs. Yandapalli points out that “scale sets provide high availability to your applications, and allow you to centrally manage, configure, and update a large number of VMs.”

In a similar way to the previous best practice, customers can use an Azure Resource Manager deployment template to deploy CloudGuard in VMSS mode. Check Point recommends the use of VMSS for traffic inspection of North-South (inbound/outbound) and East-West (lateral movement) traffic.

Learn more and get a free trial

As can be seen above, CloudGuard is compliant with all four of Microsoft’s common best practices for how to build and deploy Azure network security solutions. Visit Check Point’s website to understand how CloudGuard can help protect your data and infrastructure in Microsoft Azure and hybrid clouds and improve Azure network security. If your customers are evaluating Azure security solutions, they can get a free 30-day trial license of CloudGuard on Azure Marketplace as well as Azure sponsorship credits* to evaluate the technology first hand.

• Download the Check Point Cloud Security Blueprint to learn additional best practices for designing secure Azure deployments.

• Read this solution brief for scalable and secure remote access on Azure.

• Visit http://www.checkpoint.com to learn more about how CloudGuard can help you protect your data and infrastructure in Microsoft Azure and hybrid clouds and improve Azure network security.

• Contact Check Point to schedule your personalized demo of CloudGuard.

*Some restrictions may apply to Azure sponsorship credits. Contact the Check Point team to explore further.

Azure Gov Virtual Meetup: Strategies to stand up a modern gov software factory + cloud PMO

by Scott Muniz | Aug 26, 2020 | Azure, Microsoft, Technology, Uncategorized

This article is contributed. See the original author and article here.

Today’s government organizations face ever-increasing and evolving mission demands, requiring greater speed and agility to modernize IT. Some agencies have discovered a path to success by establishing software factories and cloud PMOs to accelerate development and delivery of better mission apps.

To learn more about this new approach, we invite you to RSVP and join us for this virtual Azure Government meetup, “Strategies to stand up a modern gov software factory + cloud PMO, via Teams Live Event. You can register for free here. 

During this meetup, which is free and open to the public, you’ll hear from government and industry experts who will share best practices, insights and demos covering:

• Strategies and approaches to get your software factory up and running
• How to take a factory approach to developing and modernizing applications
• Best practices for establishing and running a cloud-native PMO
•Tips for driving necessary talent development and culture change initiatives
•Demos of tools and technologies to accelerate delivery of mission apps

AGENDA (*subject to change)

6:3O PM – 6:40 PM
Welcome & announcements
•Karina Homme, Senior Director, Microsoft Azure Government
•Vishwas Lele, CTO, AIS, and Microsoft MVP/RD

6:40 PM – 7:00 PM
Presentation: 3 pillars that make up a successful cloud PMO
•Bob Ritchie, VP, Software Practice, SAIC

7:00 PM – 7:20 PM
Demo: Automated modern gov software factory in Azure
•Nirali Shah, Program, Manager, Microsoft Azure Government
•Michael Herndon, Chief Transformation Architect, CloudFit Software

7:20 PM – 8:00 PM
Panel: Strategies to stand up a modern gov software factory + cloud PMO
•Jyoti Anand, Lead AI/ML Architect, US Food and Drug Administration
•Irven Ingram, Cloud Architect, Spatial Data Branch, US Army Corps of Engineers
•Jason Payne, Chief Architect, US Regulated Industries, Microsoft Federal
•Karina Homme, Senior Director, Microsoft Azure Government (moderator)

We look forward to “seeing you” for this virtual meetup. Please help us get the word out and share this event with your colleagues and connections.

Be sure to also join the conversation using #AzureGovMeetup on social media.

*We will be adding the video of the session to this post after it has concluded

Enterprise-Scale and Azure Policy for policy-driven governance

by Scott Muniz | Aug 26, 2020 | Azure, Microsoft, Technology, Uncategorized

This article is contributed. See the original author and article here.

After an introduction to Enterprise-Scale and further information about possible use cases, I would like to focus on one of the design principles: policy-driven governance.

Policy-driven governance means the usage of Azure Policy to build and provide guardrails, and to enable autonomy for the platform and application teams, regardless of their scale points. Those guardrails ensure that deployed workloads and applications are compliant with your organization’s security and compliance requirements, and therefore a secure path to the public cloud.

What is Azure Policy?

From the Azure Policy overview:[1]

Azure Policy evaluates resources in Azure by comparing the properties of those resources to business rules. These business rules, described in JSON format, are known as policy definitions. To simplify management, several business rules can be grouped together to form a policy initiative (sometimes called a policySet). Once your business rules have been formed, the policy definition or initiative is assigned to any scope of resources that Azure supports, such as management groups, subscriptions, resource groups, or individual resources. The assignment applies to all resources within the scope of that assignment. Subscopes can be excluded, if necessary.

Azure Policy uses a JSON format to form the logic the evaluation uses to determine if a resource is compliant or not. Definitions include metadata and the policy rule. The defined rule can use functions, parameters, logical operators, conditions, and property aliases to match exactly the scenario you want. The policy rule determines which resources in the scope of the assignment get evaluated.

In order to understand the behavior of policies in the context of Enterprise-Scale, some basic Policy characteristics must be known.

• Policy operates at a level above other Azure services by applying policy rules against PUT and PATCH requests and GET responses of resource types going between Azure Resource Manager (ARM) and the owning resource provider (RP).[2]
• A newly assigned policy or policySet, to any supported scope, takes around 30 mins for the assignment to be applied scope.[3]
• Compliance data is updated as follows:[3]
  • New policy assignments: 30 mins
  • Update existing policy definition: 30 mins
  • Update existing policy assignment: 30 mins
  • On-demand scan (REST API, PowerShell): 3 mins
  • Standard compliance evaluation cycle: 24 hours
• Policy provides different effect types (what happens when the policy rule is evaluated), which do behave differently.[4] The effect types are also evaluated in a specific order, as shown below:[6]
  1. Disabled
  2. Append and Modify
  3. Deny
  4. Audit
  5. AuditIfNotExists and DeployIfNotExists

In order to understand how the compliance works and when a resource is marked as non-compliant, you need to understand the following:[5]

• For Audit and Deny: It requires IF statement to be TRUE then effect takes place.
  • For Audit resource is marked as non-compliant.
  • For Deny, new deployment (for new or update resource) is denied while existing resource is marked as non-complaint.
• For DeployIfNotExists and AuditIfNotExists: It requires IF statement to be TRUE and existence condition to be FALSE.

Azure Policy in the context of Enterprise-Scale

As outlined in the Enterprise-Scale design principles, Policy is used build and provide the required guardrails for all landing zones. For example, a policy ensures that all required activity logs for all subscriptions (selected categories in diagnostic settings) are sent to a central Azure Log Analytics workspace. Or all virtual machines are protected by Azure Backup, as another example. For this, Enterprise-Scale is primarily focusing on proactive and preventive policies (e.g. with DeployIfNotExists, or in short DINE) to enable autonomy for the platform, autonomy for the application teams, and ensures that resources are in their compliant goal state, no matter how those resources got created.

In order to simplify the adoption of those proactive and preventive policies, Enterprise-Scale includes three reference implementations for three different customer use cases, all with an extensive list of policy definitions and policy assignments.[7] For example:

• Enable Azure Security Center with Standard tier
• Deploy a virtual network including network peering
• Deploy and enable security features for Azure SQL Databases (Transparent Data Encryption, auditing, etc.)

The three included reference implementations are:[8]

• Contoso – a hybrid networking example using Azure Virtual WAN
• AdventureWorks – a hybrid networking example using the traditional hub and spoke network architecture
• WingTip – an Azure-only example

The provided user experience allows you to easily deploy (bootstrap) the selected reference implementation, with all included definitions and assignments. Furthermore, policy definitions and assignments can also be deploy out-of-band on targeted management groups and subscriptions. The user experience when deploying a reference implementation is shown in the figure below:

User experience when deploying a reference implementation.

Resource deployment and remediation

Although ARM templates can be deployed to all scopes (tenant, management group, subscription, and resource group scope), policies can only deploy to the subscription and resource group scope.[3] This has an impact on the behavior when deploying resources and policy remediations:

• If a deployment is created via Enterprise-Scale, the remediation for the subscription scope is included; consequently, the policy is evaluated and the specific resources (e.g. with DINE) are deployed.
• If a deployment is created outside of Enterprise-Scale, the remediation is not included; consequently, remediation tasks must be created manually or by using Azure CLI or PowerShell.

Finally, a big thank you to @KristianNese for reviewing and providing feedback.

[1] https://docs.microsoft.com/en-us/azure/governance/policy/overview

[2] https://github.com/Azure/azure-policy

[3] https://docs.microsoft.com/en-us/azure/governance/policy/how-to/get-compliance-data

[4] https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects

[5] https://docs.microsoft.com/en-us/azure/governance/policy/how-to/get-compliance-data#how-compliance-works

[6] https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects#order-of-evaluation

[7] https://github.com/Azure/Enterprise-Scale/tree/main/azopsreference

[8] https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Deploy-reference-implentations.md

New transactable offers from Zaloni, Seeq Corporation, and CloudEngage in Azure Marketplace

by Scott Muniz | Aug 26, 2020 | Azure, Microsoft, Technology, Uncategorized

This article is contributed. See the original author and article here.

Microsoft partners like Zaloni, Seeq Corporation, and CloudEngage deliver transact-capable offers, which allow you to purchase directly from Azure Marketplace. Learn about these offers below: Zaloni Arena: Arena, an augmented data operations platform by Zaloni, provides an active data catalog that enables self-service data enrichment and consumption. Arena drives business and analytics success while providing the controls and extensibility needed across today’s decentralized, multi-cloud data complexity. Safeguard data assets and conquer data sprawl with Arena. Seeq Software – User License: Seeq from Seeq Corporation is an advanced analytics solution that enables process manufacturers to rapidly investigate and share insights from data on Microsoft Azure, as well as contextual data in manufacturing and business systems. Seeq’s extensive support for time series data accelerates analytics, publishing, and decision-making. Personalization Platform: CloudEngage helps retailers give website visitors a personalized, relevant, and intuitive experience. It works seamlessly with any content management or commerce system, and it automatically builds 360-degree audience profiles and segments with machine learning. Serving content based on the individual needs and interests of site visitors improves customer engagement and increases web and mobile conversion rates.   Chord: CloudEngage’s live-chat product, built on a personalization core with machine learning, makes it easy for customers to connect with a real person when browsing your website. Chord keeps track of a visitor’s interests and browsing history, and smart profile cards show ads, interest categories, geolocation, and weather. Adapt in real time to whatever your customer is looking for, and make it easy for your agents to pick up where they left off.