Everything You Need to Know About Azure Infrastructure – April 2019 Edition

In my monthly summary, I will summarize all the Azure infrastructure news from April, which appeared to be a month for security announcements.

More Security Is … Better?

I have spent the last 3 months working on secure Azure network architectures for customers. A big emphasis of those designs has been logging, analysis, enforcement, and monitoring. As you can imagine, I have been engaging the Standard Tier of Azure Security Center.

If you blindly follow the recommendations of Security Center then you will:

  1. Enable things you do not need.
  2. Break things you do need.
  3. Have a shorter stay with your employer/customer than you previously had planned.

Let me give you some examples:

  • Just-in-Time VM Access: I loved this feature in Azure. But a few months ago, the Security Center must have had one of those focus groups where a loud idiot steers things the wrong way. The processes by which JIT VM Access (a) determines recommended machines and (b) implements the rules are simply broken. Machines with no external RDP/SSH are being recommended for JIT VM Access. And when you do enable it, the rules are placed in a position in the Network Security Group where they cannot work at all! This isn’t artificial intelligence; this is artificial stupidity.
  • Storage Firewalls: I get the concept; bring the storage account firewall online so you do not risk someone connecting to it over the Internet with the really long & random secret key. I tried that. Unfortunately, several features for VM management & security will break once you do enable storage account firewalls. The ones I encountered were Boot Diagnostics (and the dependent Serial Console Access), NSG Flow Analytics, and I was told that Azure Site Recovery would also have a meltdown.
  • Vulnerability Solutions: Security Center will insist that you deploy expensive third-party software in your virtual machines.

There’s more of that, but those are a few examples.
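The JIT VM Access point above turns on how a Network Security Group evaluates rules: lowest priority number first, and the first matching rule decides. The check below is an added example, not code from this article or from Microsoft, and it does not reproduce the exact rules Security Center generated; the rule names, IP address and priorities are constructed, and source matching is simplified to an exact string or `*`.

```python
# Constructed NSG rule sets; names, IP address and priorities are hypothetical.
def rule(name, priority, access, protocol, source, port):
    return {"name": name, "priority": priority, "access": access,
            "direction": "Inbound", "protocol": protocol,
            "source": source, "port": port}

BROKEN = [
    rule("Deny-Mgmt-Ports", 200, "Deny", "*", "*", "3389"),
    rule("JIT-Allow-RDP", 1000, "Allow", "Tcp", "203.0.113.10", "3389"),
    rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]
# Same rules, with the allow rule moved ahead of the deny it must override.
FIXED = [dict(r, priority=150) if r["name"] == "JIT-Allow-RDP" else r
         for r in BROKEN]

def port_range(spec):
    """Return (low, high) for '*', '3389' or '1000-2000'."""
    if spec == "*":
        return (0, 65535)
    low, _, high = spec.partition("-")
    return (int(low), int(high or low))

def covers(outer, inner):
    """True if everything matched by `inner` is also matched by `outer`."""
    o_lo, o_hi = port_range(outer["port"])
    i_lo, i_hi = port_range(inner["port"])
    return (outer["direction"] == inner["direction"]
            and outer["protocol"] in ("*", inner["protocol"])
            and outer["source"] in ("*", inner["source"])  # simplified: no CIDR math
            and o_lo <= i_lo and i_hi <= o_hi)

def first_match(rules, packet):
    """NSG-style evaluation: lowest priority number first, first match wins."""
    for candidate in sorted(rules, key=lambda r: r["priority"]):
        if covers(candidate, packet):
            return candidate
    return None

def effective_access(rules, protocol, source, port):
    packet = {"direction": "Inbound", "protocol": protocol,
              "source": source, "port": str(port)}
    hit = first_match(rules, packet)
    return (hit["access"], hit["name"]) if hit else None

def conflicting_shadows(rules):
    """Map each rule that can never take effect to the rule overriding it."""
    ordered = sorted(rules, key=lambda r: r["priority"])
    found = {}
    for idx, current in enumerate(ordered):
        winner = first_match(ordered[:idx], current)
        if winner and winner["access"] != current["access"]:
            found[current["name"]] = winner["name"]
    return found
```

Running `conflicting_shadows` over a rule export after enabling a feature that writes NSG rules shows whether the new rules can ever match before you rely on them.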

Security is a balancing act. More security leads to an unusable system. Less security is a more usable system. You have to find the correct equation for your employer/customer and go with that, understanding, ignoring, and documenting recommendations that are irrelevant. I get that this can be hard, especially if your boss/customer opens Security Center and sees a score of under 400 out of 595 for their Azure deployment!

By the way, there are things I do like about Security Center:

  • I use the recommendations as a checklist for me.
  • The compliance reports are quite useful – a number of the checks happen inside the guest OS.
  • I’ve yet to have a real alert, but that would be useful in the event of an attack.

Finally!

At last … you can move a recovery services vault from one resource group/subscription to another … if it’s only used for Azure Backup. This has been one of the things that has blocked many customers from migrating from one kind of Azure channel to another, which often requires a subscription migration. This is worth highlighting because of the value it has to those customers.

Other Announcements from Microsoft

Here are other Azure IaaS headlines from the past April:

And Now for Something Different

I’m a proud father of two girls. My wife and I teach them that they have as much right to attempt anything as the next person – their gender should be irrelevant to opportunity. And that’s why it saddens me to see a complete gender bias in our business.

I’ve grown up from a college grad to where I am now. My class in college was around 50/50 male/female. In my final year, when employers were coming to the class to interview us, it became clear that many of the young women were planning on not following an IT career. Throughout my career I encountered very few women in the business – one was a perfectly skilled job candidate that I fought with HR over so I could get budget to hire her.

I recently ran an online version of the Global Azure Bootcamp using YouTube. When I opened submissions for speakers, no women applied. Being a Google product, YouTube gathered a lot of data about the “attendees” of the event. 100% of the attendees were 25-45 year old males – not a single woman. I was disappointed.

I have worked quite closely with the Windows Server and Azure product groups over the last 10+ years. As long as I’ve known Microsoft, they’ve been a politically correct organization. But in the last two years, I’ve noticed how many more women are in public-facing technical roles (program managers) than there were a decade ago. Skeptics might comment that these are token roles after Satya Nadella’s legendary gaffe at a women-at-work conference, but I can tell you that these employees are far from tokens – they’ve all been impressive and the pace of work in those groups wouldn’t tolerate insufficiently skilled members. That gives me some hope. Also, in my last company, some of the better young people that attended some of my classes were women.

I’d love to know what’s wrong with our business. I don’t think people have a hiring agenda that leans one way. I don’t think that tech conferences block women from presenting or attending … but if you’ve attended a tech conference you might have observed what I call the “reverse nightclub phenomenon” – queues out the door at every men’s toilet and empty women’s toilet.

Aidan Finn, Microsoft Most Valuable Professional (MVP), has been working in IT since 1996. He has worked as a consultant and administrator for the likes of Innofactor Norway, Amdahl DMR, Fujitsu, Barclays and Hypo Real Estate Bank International where he dealt with large and complex IT infrastructures and MicroWarehouse Ltd. where he worked with Microsoft partners in the small/medium business space.