Is security a big deal? Is the same-old-systems approach of the past still securing you? If 2020 didn’t teach you that being flexible, modern, and staying out of technical debt wasn’t important, then along came “Solorigate” to end our year with a smack of a cold, wet fish across the face.
Microsoft announced that ARM Template Specs is now Public Preview. Let the happy dancing begin! Wait – you probably don’t know what Template Specs are because you’re … normal.
Imagine that you created something that you think is cool – it speeds up doing complex things that normally take a lot of time. With your cool invention, people could quickly and easily replicate your results and everybody wins.
In Microsoft Azure, ARM templates can be something cool. The idea is that you might create a template that does something – maybe it deploys a VNet with App Service Environment and SQL Managed Instance in a firewalled environment. If you’ve read up on that stuff, then you know that’s a lot of work! But if you can run a template, it might be a couple of minutes work for you while Azure spins for a few hours while you’re binge-watching something at home.
But ARM templates have never had a good method for being shared internally. Managed Applications is suitable only for third-party vendors selling their wares through the Azure Marketplace. Blueprints … they’ve been in preview for since the Earth started spinning and we all know what that means in the era of “fail fast”!
The idea of Template Specs is that I can take an ARM Template and share it across my tenant with other Azure users. They can then run my template to deploy their own services. This is the sort of thing I’ve had customers ask for and we wasted endless hours investigating what Azure had. Eventually, we created our own Git-based system, but Template Specs might be much more user-friendly – normal people don’t seem to like living a DevOps life.
When Microsoft makes an announcement about a new Azure location, the media get all confused and tell us about a new data center. What Microsoft really announces is a new Azure region. In some cases, for example, Norway West, The region is in a single data center (hosted by a third-party with this example). But in many examples, the region is made up of many data centers, such as East US or North Europe.
I can remember a case a few years ago when a single sensor failed in North Europe and brought down a single storage cluster in a single room, in a single data center. For a lot of customers, including my then employer, that meant downtime. Yes, we had run availability sets, but that just guaranteed that our virtual machines were running on different hosts in a cluster; the machines were still in the same data center.
Availability zones is where the data centers in the region are broken down into multiple zones. Each zone has independent power and networking and can survive independently of the other zones in the region. We can then leverage this higher level of availability:
When possible, I use availability zones to increase the availability of my customers’ services. The number of regions supporting availability zones is still low, but it is increasing. In the last month, the following regions were added:
Wow, didn’t 2020 end with a bang? I was on a month’s personal leave and the Solarwinds breach was one of the only IT-related things I read during December. The hackers were clever – they understood that even in the most secured networks (with “secure zones” or micro-segmentation), certain products, such as monitoring or anti-malware, always have open ports from/to every machine. If you can compromise that software, then you can penetrate entire networks with ease. I don’t know how we stop that – how does customer X stop supplier Y from being hacked?
We do need to rethink IT security. We need to understand how we’re being attacked (ID and email first). We need to implement micro-segmentation. And I think we need to assume that we have been breached; my customers have heard me discuss running a network like a ballistic nuclear submarine – isolated from the outside, untrusting of the inside, and if a compartment is breached, its already locked down and you can survive without those sailors.
All this requires work and using new tools. Microsoft Azure makes it easy to deploy things quickly and at scale. I apply that to securing networks. If you enable all the possible logging from Network Security Groups and Azure Firewall, then you can quickly track network/rules failures. If you use Service Map you can plan those rules in advance.
If you send all your security and security-adjacent data to a Log Analytics Workspace then querying and reporting is easy. But you can also become the hunter instead of the prey by using Azure Sentinel – there’s a huge wealth of work already done by the open-source community for incident hunting/alerting, but you can do more yourself.
The days of saying “it’s all too much work” are over. Security is more than anti-malware. The hackers know that, and you’re leaving the castle gates open if you do not.