Posts Tagged ‘Azure’

Is Security a cloud benefit or a shared responsibility?

November 9, 2015

Cloud adoption is skyrocketing, no doubt about it, with more and more customers realising its benefits: cost, flexibility, availability and so on.

But what about security? Is security a cloud benefit? Well, sort of. By migrating your systems to a public cloud you can certainly be assured that the providers invest substantially in security measures, policies and certifications to guarantee that the underlying infrastructure is a safe place for you to store your data and run your applications. But it stops there.

The conversation you should be having with your cloud provider is not whether they are secure. They are! They have all the industry standards and certifications to guarantee that. What you should be asking is whether they have the real-time data, metrics and resources to enable and help you protect your company data.

The provider's security boundary ends at the infrastructure of the public cloud. It is your business's responsibility to make sure that your application runs safely and your data is protected, and some businesses don't get it.


Last week, when attending a session at the MVP Summit with Brad Anderson about identity and cloud, I realised how fragile the conversation between organisations and cloud providers is. Customers are adopting cloud with security in mind (in a recent study of IT decision makers by BT, more than three quarters of the respondents (76%) said that security is their main concern when it comes to cloud-based services), but many of those customers are putting the responsibility to protect their data solely on the public cloud provider, and that is a mistake that needs to be addressed.

Let's take the example of a customer that migrated their email and documents to the cloud: among other benefits, data availability (anywhere, anytime, any device) is in my opinion one of the great cloud realisations. But data availability also brings a security risk to organisations if they don't invest in securing and protecting their data from unauthorised access.

Employees who access privileged company data from public Wi-Fi, for example, are exposed to all sorts of attackers and run a high risk of having their device compromised. Have you thought about that? Does your company have a VPN or other security measures for external access to company data?

Also, a password that only stops someone from logging on to your computer is not sufficient to protect the data you have on it. Is your company making use of solutions to encrypt the local disk? Does your company have policies in place to prevent company data from being stored locally on your computer?

And what about your mobile? Ransomware is on the rise, with hackers taking over an entire system and holding it hostage until a fee is paid. Take the WhatsApp example: in August 2015, hackers discovered a bug that enabled them to infect the devices of those using the web version of the app. As another example, you may recall that Lenovo faced trouble earlier this year when it was found that some of its mobiles and notebooks had been sold with pre-installed spyware (according to G DATA researchers, it happened somewhere along the supply chain, by an outside party). The same problem happened with Huawei, Xiaomi and others.

By not having security measures on your mobile, you could let a thief access your personal and company data if it gets stolen or lost:

  • Do you have a PIN to protect your mobile?
  • Is your PIN strong enough, or is it something like 1234, 0000 or your birthday?
  • If you search for yourself on the internet, could any of the information lead to your password or PIN?
  • Is your company using a device management solution?

A couple of months ago, when running a workshop to architect a solution for a customer to migrate their email to the cloud, I heard an incredible request from their IT manager: “whereas cloud concerns, the solution we want should encompass that some groups of employees should only have access to company email if they are physically connected to our network and data access should be protected from unauthorized people and devices.”

At first you will think that, in the cloud era, a request not to allow data to be accessed outside the company network makes no sense and is a weird request, as one of the benefits of having email in the cloud is actually being able to access it from anywhere, on any device, right? But the reason is simple: they realised that migrating their email to the cloud did not mean that the security measures and policies protecting their most precious asset, their customers' data, should no longer be in place. Their request was true and valid, and it took me by surprise, as very few customers really understand that security in the cloud is a shared responsibility.

Security is one of the key concerns when a business decides to migrate to a public cloud, and although most of them understand that the level of risk mostly relates to the behaviour and culture of their employees, some still don't have strict policies in place and lack data access controls, which poses a high risk to their main asset: their data.

I have extensive experience in security, cloud and datacenter management. Reach out to me at ac@cloudtidings.com and we can organise a workshop for your business.

More info on the main public cloud providers' security compliance:

Cloud domain controller as a service with @Azure AD Domain Services @microsoftenterprise

October 19, 2015

That's right: cloud AD as a service. A fully managed domain run by Microsoft, Azure AD Domain Services, to serve your Azure IaaS workloads.


Azure AD Domain Services is a cloud-based service which gives you a fully Windows Server Active Directory compatible set of APIs and protocols, delivered as a managed Azure service.

You no longer need to provision virtual machines running as domain controllers on Azure IaaS and have those domain controllers synchronise with your on-premises Active Directory servers over a VPN/ExpressRoute connection.

You can now turn on support for all the critical directory capabilities your applications and server VMs need, including Kerberos, NTLM, Group Policy and LDAP.

For scenarios like disaster recovery and hybrid cloud deployments, it is just perfect. It means the full value of Windows Server AD in a cloud domain, without having to deploy, manage, monitor and patch domain controllers.

There are many scenarios that can be explored with this new feature.

You can enable Azure AD Domain Services for any existing Azure AD tenant, the same tenant you use with Office 365 or other SaaS applications. Azure AD Domain Services is available now.

For pricing, please check: http://azure.microsoft.com/pricing/details/active-directory-ds/

To start:

  1. You have already deployed Azure AD Connect (to sync identity information from the on-premises Active Directory to your Azure AD tenant; this includes user accounts, their credential hashes for authentication (password sync) and group memberships).
  2. Create the ‘AAD DC Administrators’ group and then add all users who need to be administrators on the managed domain to it. These administrators will be able to join machines to the domain and to configure group policy for the domain.
  3. Configure the network. Select or create the Azure virtual network you'd like to make domain services available in. Ensure the following:
    • The virtual network belongs to a region supported by Azure AD Domain Services. See the region page for details.
    • The virtual network is a regional virtual network and doesn't use the legacy affinity groups mechanism.
    • Your workloads deployed in Azure Infrastructure Services are connected to this virtual network.


  4. Enable Azure AD Domain Services for your Azure AD tenant by going to the Configure tab of your directory, selecting Yes on ‘Enable Domain Services for This Domain’, specifying the domain name and selecting the Azure virtual network. Click Save to confirm.
  5. Update DNS settings for the Azure virtual network to point to the new IP address of the Azure AD Domain Services you just enabled.
  6. Enable synchronization of legacy credential hashes to Azure AD Domain Services. This is a required step. By default, Azure AD does not store the credential hashes required for NTLM/Kerberos authentication. You need to populate these credential hashes in Azure AD so users can use them to authenticate against the domain.
Done. In a few simple steps you have set up your AD as a service in Azure.

A few notes. The salient aspects of the managed domain provisioned by Azure AD Domain Services are as follows:

  • This is a stand-alone managed domain. It is NOT an extension of your on-premises domain.
  • You won't need to manage, patch or monitor this managed domain.
  • There is no need to manage AD replication to this domain. User accounts, group memberships and credentials from your on-premises directory are already synchronised to Azure AD via Azure AD Connect.
  • Since the domain is managed by Azure AD Domain Services, there are no Domain Administrator or Enterprise Administrator privileges on this domain.
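One way to check the outcome of the steps above from a Windows VM on the chosen virtual network, as an added example that is not part of the original post (the managed domain name, its IP address and the account used are placeholders, not values from the post):

```powershell
# Added example (not from the original post): sanity-check a newly enabled Azure AD
# Domain Services managed domain from a Windows VM on the chosen virtual network,
# then join the VM. The domain name, IP address and account are placeholders.
$ManagedDomain   = 'contoso.onmicrosoft.com'   # placeholder: name chosen in step 4
$DomainServiceIp = '10.0.0.4'                  # placeholder: IP reported after step 4

# Step 5 check: the VM must be using the managed domain's IP as its DNS server.
$usingAadDs = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses -contains $DomainServiceIp }
if (-not $usingAadDs) {
    throw "DNS is not pointing at $DomainServiceIp; update the virtual network DNS settings."
}

# The managed domain publishes domain controller SRV records like any AD domain.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ManagedDomain" -Type SRV -ErrorAction Stop
"Domain controllers advertised: $(($srv | Where-Object Type -eq 'SRV').NameTarget -join ', ')"

# Kerberos (88/tcp), LDAP (389/tcp) and SMB for Group Policy/SYSVOL (445/tcp)
# must be reachable; a failure here usually means an NSG or firewall in the way.
foreach ($port in 88, 389, 445) {
    $result = Test-NetConnection -ComputerName $DomainServiceIp -Port $port -WarningAction SilentlyContinue
    if (-not $result.TcpTestSucceeded) {
        throw "TCP port $port to $DomainServiceIp is blocked; the domain join will fail."
    }
}

# Steps 2 and 6 check: join with a member of 'AAD DC Administrators'. That account's
# credential hash must already have been synchronised (step 6); otherwise the join
# is rejected with a logon failure even though the user exists in Azure AD.
$cred = Get-Credential -Message "Member of 'AAD DC Administrators' (user@$ManagedDomain)"
Add-Computer -DomainName $ManagedDomain -Credential $cred -Restart
```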

Modern Infrastructure: Provisioning private clouds and virtualized data centers. September 8th @Microsoft Brisbane

September 2, 2015

What’s New in System Center VMM 2016?

System Center 2016 will continue to speed time to value with new provisioning, monitoring and automation capabilities designed for your software-defined datacenter. It is optimised for both traditional management and private cloud environments.

On Tuesday 8 September I will be presenting at an event at Microsoft Brisbane about the new features in System Center VMM and the rich enhancements provided by Microsoft Azure Operational Insights and Automation. Learn best practices for using VMM to manage your datacenter fabric, and come and see how other customers are using System Center.

We will also have a sneak peek at containers and the management of Windows Server Containers using PowerShell.

When: Tuesday, 8 September 2015 from 6:00 PM to 8:00 PM (AEST)
Where: Microsoft Brisbane, Level 28, 400 George St, Brisbane 4000 AU

VMM 2012 R2: Unified (almost) on-premises and Azure management through the VMM console

April 30, 2015

Although it is limited to simple actions (such as restart, refresh and view), you can use Virtual Machine Manager 2012 R2 to manage both on-premises and Azure virtual machines by adding an Azure subscription to VMM.

Let's hope the VMM team extends those tasks beyond that.

To download: KB3050317 Update Rollup 6 for System Center 2012 R2 Virtual Machine Manager (https://support.microsoft.com/en-us/kb/3050317/)

For more information on the new features in VMM 2012 R2 UR6, check http://blogs.technet.com/b/scvmm/archive/2015/04/29/an-overview-of-the-new-features-in-vmm-2012-r2-update-rollup-6.aspx

Unified management through the VMM console

With VMM 2012 R2 UR6, Virtual Machine Manager offers a very simple way for a VMM Fabric administrator to add a Microsoft Azure subscription to VMM. After users have added the Microsoft Azure subscription to VMM, they can get a view of their Azure instances directly from the VMM console, and they can perform some simple actions on these instances.

Although in the long term Microsoft's vision is to establish WAP as the console of choice for on-premises and Azure workload management, we still see this feature as a value-add for a large set of users who don't yet use WAP or who don't want to incur the overhead of WAP. The option of performing simple VM management tasks such as restart, refresh and view on Azure VMs through the VMM console gives Fabric administrators the flexibility to manage both on-premises and Azure public cloud VMs from within a single VMM management console.


Azure BootCamp in Brisbane: We’re heading for the big day! Join us.

April 21, 2015

We're heading for the big day. Come and join us. This will be a one-day deep dive of Azure sessions, held on Saturday, 2nd May.

A conference for learning about Microsoft Azure right here in Brisbane. Saturday, 2nd May 2015, 9:00am to 5:00pm.

The location will be at Microsoft, 400 George Street, Level 28.

Event Organizers: Alessandro Cardoso, Daniel Toomey and Damien Berry

Our sponsors, Microsoft, Mexia and Readify, will ensure that we have the resources to bring in high-profile speakers.

Notes:

  • Given the requirement to set up tables, we must limit the attendance to 50* persons. Therefore, if you RSVP and then find you are unable to attend, please change your RSVP so that another party will have the opportunity.
  • Because this event is on a Saturday, lifts will be locked. Please arrive within the 30 minute window prior to start time so we can activate the lift for you. Latecomers will not be able to gain access.

Event website: http://tinyurl.com/BrisbaneAzureBootcamp2015

Essence of Cloud Computing with Azure and SQL Seminar. Register Now. Free Event. [Limited seats]

January 7, 2015

I am presenting two amazing sessions showing what's new in Hyper-V vNext and how to migrate your workloads to Azure from VMware, AWS and Hyper-V. Don't miss out on this unique opportunity! It is time again for the annual MVP event across Asia Pacific. Register now for this free event. [Limited seats]

Cloud and Identity Access

December 8, 2014

Identity and Access

Controlling who can access which resources is key for cloud projects. Recently I was talking with a customer that has both external users (partners) and internal users, and for them the ability to centralise and manage access for those users is essential.

Azure provides ways for customers to federate user identities to Azure Active Directory and to enable Multi-Factor Authentication, and the new Role Based Access Control (RBAC) features can be used to restrict access and permissions for specific cloud resources.

Monitoring

To help detect suspicious access, Azure Active Directory offers reports that alert you to anomalous activity, such as a user logging in from an unknown device. In addition, operational logging and alerting capabilities can notify customers if someone stops a website or if a virtual machine is deleted. It is also possible to use an on-premises System Center Operations Manager to monitor the availability and performance of resources running on Windows Azure.

The reports provide up to 30 days of data representing key changes in the directory, giving the action, the timestamp, the user/application that performed the action, and the user/application on which the action was performed.

Network

With the new VNET-to-VNET connectivity, multiple virtual networks can be directly and securely linked to one another. In addition, ExpressRoute is now generally available, enabling customers to establish a private connection to Azure datacenters, keeping their traffic off the Internet. Building on those enhancements, Microsoft also introduced Network Security Groups for easier subnet isolation in multi-tier topologies.
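The subnet isolation mentioned above, worked through for a two-tier web/database layout, as an added example that is not part of the original post. It uses the classic (service management) Azure PowerShell cmdlets of this period; the region, virtual network and subnet names, address prefixes and NSG names are assumptions:

```powershell
# Added example (not from the original post): subnet isolation for a two-tier
# topology with Network Security Groups, using the classic (service management)
# Azure PowerShell cmdlets of this period. Region, network and subnet names and
# address prefixes are placeholders for your own deployment.
$Location    = 'Australia East'
$VNetName    = 'ProdVNet'
$FrontPrefix = '10.1.1.0/24'   # FrontEnd subnet: web servers
$BackPrefix  = '10.1.2.0/24'   # BackEnd subnet: database servers

function Add-Rule($Nsg, $Name, $Priority, $Action, $Src, $Dst, $DstPort, $Proto) {
    # Helper around Set-AzureNetworkSecurityRule so the rule table below stays readable.
    Get-AzureNetworkSecurityGroup -Name $Nsg |
        Set-AzureNetworkSecurityRule -Name $Name -Type Inbound -Priority $Priority -Action $Action `
            -SourceAddressPrefix $Src -SourcePortRange '*' `
            -DestinationAddressPrefix $Dst -DestinationPortRange $DstPort -Protocol $Proto | Out-Null
}

# Front-end tier: HTTPS from the Internet and load balancer probes only. The explicit
# deny at priority 4000 overrides the default rule (priority 65000) that allows any
# traffic from inside the virtual network, so the back-end cannot reach the web tier.
# Remote management is deliberately not opened here; allow it from a jump-host prefix.
New-AzureNetworkSecurityGroup -Name 'FrontEndNSG' -Location $Location -Label 'Web tier' | Out-Null
Add-Rule 'FrontEndNSG' 'AllowHttpsIn'  100  'Allow' 'INTERNET'           $FrontPrefix '443' 'TCP'
Add-Rule 'FrontEndNSG' 'AllowLbProbes' 110  'Allow' 'AZURE_LOADBALANCER' '*'          '*'   '*'
Add-Rule 'FrontEndNSG' 'DenyAllIn'     4000 'Deny'  '*'                  '*'          '*'   '*'

# Back-end tier: SQL (1433/tcp) from the front-end subnet only; no Internet exposure.
New-AzureNetworkSecurityGroup -Name 'BackEndNSG' -Location $Location -Label 'Data tier' | Out-Null
Add-Rule 'BackEndNSG' 'AllowSqlFromWeb' 100  'Allow' $FrontPrefix $BackPrefix '1433' 'TCP'
Add-Rule 'BackEndNSG' 'DenyAllIn'       4000 'Deny'  '*'          '*'         '*'    '*'

# Bind each NSG to its subnet; every VM placed in the subnet inherits the rules.
Get-AzureNetworkSecurityGroup -Name 'FrontEndNSG' |
    Set-AzureNetworkSecurityGroupToSubnet -VirtualNetworkName $VNetName -SubnetName 'FrontEnd'
Get-AzureNetworkSecurityGroup -Name 'BackEndNSG' |
    Set-AzureNetworkSecurityGroupToSubnet -VirtualNetworkName $VNetName -SubnetName 'BackEnd'

# Review the effective rule set (default rules included) before putting traffic on it.
Get-AzureNetworkSecurityGroup -Name 'BackEndNSG' -Detailed
```

NSGs are stateful, so the reply traffic for allowed inbound connections needs no extra outbound rule; what the deny rules remove is lateral access between tiers that the default VNet rule would otherwise permit.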

Security

Azure uses industry-leading capabilities, including recent enhancements to TLS/SSL cipher suites and Perfect Forward Secrecy, to encrypt content flowing over the internet between the customer and the Azure service.

Microsoft is committed to advancing cloud security with a goal to not only meet, but exceed the level of protection most enterprises have in place on-premises or in their own datacenters. For the latest information on security features and best practices, visit the Microsoft Azure Trust Center.