Cloud Security

Storage is one of the members of Infrastructure either is the cloud or in on-premises followed by Compute and Networking. Every enterprise has heavily invested in storage to store and retain data for a various compliance reason as well as to run the day to day business. And, its growth is inevitable. As of to get competitive advantages, its time to consider the Cloud offerings rather than to look for SAN and maintain it. This will result in saving time, maintenance and manpower cost with affordable operational cost. Initially, there were two-tier: Hot and Cold and new offering is Archival Storage which is added on top of Azure Storage Blob. Thus, now there are 3 storage options available for General Purpose V2(GPV2) storage account. Choosing the best tier depends on the nature of data it will be holding. Remember you are paying for storage as well as for operations performed on those datasets. Storing the frequently used data on the cold tire may result in the unexpected bills as i

Microsoft offers numbers of ways to reduce the cost of workload running in the Azure. Initially, it started with AHUB benefits, low priority virtual machine and recently they had gone to GA of Reserve Instance. It offers huge price cut, we could save up to 72% and combined with AHUB benefits up to 82% saving can be achieved which is very luring factor for many. Source: Microsoft Off-course we all want to save money, but it comes at a cost. That cost is ‘Performance’. So, are we ready for that? Then, why Microsoft might have come up the idea of Reserve Instance? Microsoft has one of the world largest datacenters scattered throughout the world. And, those resources are not always fully utilized in some of the regions. At the same time, some regions might have been fully utilized.   Thus, they allocated some portion of their resources in the Reserve Instances, and let the customer take this offer on available location based on the availability at low cost. And, most importa

With the maturity of cloud, usages of the Cloud Computing is rocketing as they are offering enrich services at affordable price. It's normal that an organization having multiple subscriptions and multiple users' managing it. Azure logs every user's activities that are performed against its resources including the action performed by pre-defined code using Runbook. What so ever the error collection domain the Microsoft gives, I prefer to group this into two. Logs auto-generated by System/Application or User Activates Log, which will trigger the previous logs. In this blog, I will discuss how user activities can be traced down to the various events so that anomalies (defined by the organizational norms) can be detected. User Login User's identity could be cloud only, federated or hybrid. Depending on their identity model, Azure Active directory will handle the authentication or will forward to the identity handler. For example, if ADFS is in place, then it will re

Application Security Group let us create and manage security rules for our Virtual Machine more intuitively. It provides the ability to bundle the VM's as per their workload and let us enforce rules on it as a group. So far we were applying Network Security Rules on individual VM using their IP. Now, we have the flexibility of grouping them and applying rules on them using Application Security Group name as source and destination. it eliminates the needs to remember IP address of resources. Working with Application Security Group requires planning as we need to define the security policies. These policies are similar with Network Security Group but this features add value to Network Security Group and become more useful when you have multiple virtual machines which perform the similar works and requires same rules. If it's combined with the Tag Policy, it increases the manageability as well as increase governance. This feature is in preview in US West Central, so we need to

There are many ways to deploy Palo Alto Firewall in Azure. Out of those options today I will discuss how Palo Alto can be configured to protect your Azure workload. This setup is suitable for Proof of Concept only. Planning-Includes Minimum Requirement - Without HA Logical Diagram:  Create Virtual Network Name: PAN-VNet Address Space: 10.0.0.0/16 Subnet Name: Management Subnet Address Space: 10.0.1.0/24 Subnet Name: Untrust Subnet Address Space: 10.0.2.0/24 Subnet Name: Trust Subnet Address Space: 10.0.3.0/24 Resource Group: PA-VNet    Subnet Spin Web Server Virtual Machine  Name: SecureWebServices Image: Windows Server 2016 Resource Group: Services Network: PAN-VNet Subnet: Trust Role: Web Server (IIS) Installed Change NSG rules of Web Server to accept request on port 80, if you wish to test the web request. However, later on, this behaviour will be controlled through firewall. Spin Palo Alto Firewall Virtual Machine Name: vmseries300 Im

"Identity revolves around who am I ? and how can I prove that I am the one who is claiming to be."  Proving absolute need of access to the right people is key to success for every organization. Due to the growth of modern workspace and social life, identity management has become more challenging. Every day we deal with multiple identities within a corporate setting and forgetting identities of least recently used has become common. Thanks to "Forget Passport" - Self Service Password Reset features.   To deal with this situation Microsoft usages its most powerful tools Active Directory - Single Source of Authority for on-premises domain user's and applications, known as On-Premises Identity , Azure Active Directory - Cloud Identity for all cloud-based application and resources and Hybrid Identities - which extends on-premises identities to the Azure Active Directory so that existing users can access cloud-based application using their identities. It enables

Organization lean towards cloud is growing. Many enterprises are planning to fully deploy their infrastructure to the cloud. As an initial step they are embracing Software as a Service and extending their workload to the cloud, making it as a secondary site for compute and storage resources. Creating resources in Azure is simple, will finishes within few clicks, however if we missed few steps or rule of thumbs on provisioning resources, it might leave a loop hole which could be easily exploited. Below is the checklist for consideration to ensure that you have securely deployed your resources (VM) to Azure Cloud. Network Setup Is your network Isolated and breakdown into different zones?  Do you need to stop different zones/subnets communicating with each other?  Is Network Security Group applied?  Can you justify the need of PublicIP? How you are planning to RDP VM?  Did you have list of endpoints of Azure VM to be provisioned? Do you need all those endpoints? How secur