Everything You Need to Know About Azure Infrastructure – April 2019 Edition
In my monthly summary, I will summarize all the Azure infrastructure news from April, which appeared to be a month for security announcements.
More Security Is … Better?
I have spent the last 3 months working on secure Azure network architectures for customers. A big emphasis of those designs has been logging, analysis, enforcement, and monitoring. As you can imagine, I have been engaging the Standard Tier of Azure Security Center.
If you blindly follow the recommendations of Security Center then you will:
Say Goodbye to Traditional PC Lifecycle Management
Traditional IT tools, including Microsoft SCCM, Ghost Solution Suite, and KACE, often require considerable custom configurations by T3 technicians (an expensive and often elusive IT resource) to enable management of a hybrid onsite + remote workforce. In many cases, even with the best resources, organizations are finding that these on-premise tools simply cannot support remote endpoints consistently and reliably due to infrastructure limitations.
- Enable things you do not need.
- Break things you do need.
- Have a shorter stay with your employer/customer than you previously had planned.
Let me give you some examples:
- Just-in-Time VM Access: I loved this feature in Azure. But a few months ago, The Security Center must have had one of those focus groups where a loud idiot steers things the wrong way. The processes that JIT VM Access (a) determines recommended machines and (b) implements the rules are simply broken. Machines with no external RDP/SSH are being recommended for JIT VM Access. And when you do enable it, the rules are placed in a position in the Network Security Group where they cannot work at all! This isn’t artificial intelligence; this is artificial stupidity.
- Storage Firewalls: I get the concept; bring the storage account firewall online so you do not risk someone connecting to it over the Internet with the really long & random secret key. I tried that. Unfortunately, several features for VM management & security will break once you do enable storage account firewalls. The once I encountered were Boot Diagnostics (and the dependent Serial Console Access), NSG Flow Analytics, and I was told that Azure Site Recovery would also have a meltdown.
- Vulnerability Solutions: Security Center will insist that you deploy expensive third-party software in your virtual machines.
There’s more of that but those a few examples.
Security is a balancing act. More security leads to an unusable system. Less security is a more usable system. You have to find the correct equation for your employer/customer and go with that, understanding, ignoring, and documenting recommendations that are irrelevant. I get that this can be hard, especially if your boss/customer opens Security Center and sees a score of under 400 out of 595 for their Azure deployment!
By the way, there are things I do like about Security Center:
- I use the recommendations as a checklist for me.
- The compliance reports are quite useful – a number of the checks happen inside the guest OS.
- I’ve yet to have a real alert, but that would be useful in the event of an attack.
At last … you can move a recovery services vault from one resource group/subscription to another … if it’s only used for Azure Backup. This has been one of the things that has blocked many customers from migrating from one kind of Azure channel to another, which often requires a subscription migration. This is worth highlighting because of the value it has to those customers.
Other Announcements from Microsoft
Here are other Azure IaaS headlines from the past April:
- Alerts in Azure are now all the more consistent!
- Microsoft Azure portal April 2019 update
- Self-service exchange and refund for Azure Reservations
- Extending Azure security capabilities
- Web application firewall at Azure Front Door service
- Fast and optimized connectivity and delivery solutions on Azure
- Azure Front Door Service is now generally available
- Hybrid storage performance comes to Azure
- Introducing the App Service Migration Assistant for ASP.NET applications
- How to stay informed about Azure service issues
- Move your data from AWS S3 to Azure Storage using AzCopy
- Rewrite HTTP headers with Azure Application Gateway
- Azure Cost Management now generally available for Pay-As-You-Go customers
- Detecting threats targeting containers with Azure Security Center
- Serverless automation using PowerShell preview in Azure Functions
And Now for Something Different
I’m a proud father of two girls. Myself and my wife teach them that they have as much right to attempt anything as the next person – their gender should be irrelevant to opportunity. And that’s why it saddens me to see a complete gender bias in our business.
I’ve grown up from a college grad to where I am now. My class in college was around 50/50 male/female. In my final year, when employers were coming to the class to interview us, it became clear that many of the young women were planning on not following an IT career. Throughout my career I encountered very few women in the business – one was a perfectly skilled job candidate that I fought with HR over so I could get budget to hire her.
I recently ran an online version of the Global Azure Bootcamp using YouTube. When I opened submissions for speakers, no women applied. Being a Google product, YouTube gathered a lot of data about the “attendees” of the event. 100% of the attendees were 25-45 year old males – not a single woman. I was disappointed.
I have worked quite closely with the Windows Server and Azure product groups over the last 10+ years. As long as I’ve known Microsoft, they’ve been a politically correct organization. But in the last two years, I’ve noticed how many more women are in public facing technical roles (program managers) than there was a decade ago. Skeptics might comment that these are token roles after Satya Nadella’s legendary gaff at a women-at-work conference, but I can tell you that these employees are far from tokens – they’ve all been impressive and the pace of work in those groups wouldn’t tolerance insufficiently skilled members. That gives me some hope. Also, in my last company, some of the better young people that attended some of my classes were women.
I’d love to know what’s wrong with our business. I don’t think people have a hiring agenda that leans one way. I don’t think that tech conferences block women from presenting or attending … but if you’ve attended a tech conference you might have observed what I call the “reverse nightclub phenomenon” – queues out the door at every men’s toilet and empty women’s toilet.