As I mentioned in my day one blog (https://iamitgeek.com/2019/11/05/microsoft-ignite-2019-day-one/), I decided against packing that day full of sessions so I could get my bearings and take in a lot of the Hub as well as the main keynote talks. Day two was very much about sessions, with my main focus of the day being Security.
For those who follow me on social media (see the bottom of this post for the handles) you would have seen a sneak peek of some of the sessions, however I have saved the juicy details for this blog post!
My planned sessions for today were:
- ‘Protect your cloud workload from threats using Azure Security Centre’
- ‘Secure your enterprise with strong identity foundation’
- ‘Deep Dive into Azure policy and Governance’
- ‘Top ten security practices in Azure today’
My first session wasn’t until mid-morning, so I decided to grab some breakfast in the ‘HUB’ during which I had some amazing conversations with other people in the industry. One of the highlights and takeaways from this week will definitely be listening to other IT professionals’ stories, and how they go about managing their customer base, as well as some of the products they use to do this.
One of the other great things about these types of conferences is you get direct, face to face time with the actual vendor engineers which is super helpful and allows you to ask questions around problems you are having with your own ongoing work. I managed to get some amazing information from the SharePoint team and the Intune App deployment team on some problems I am having on an ongoing project which I can take back with me to hopefully solve some issues.
After a very productive morning it was time for session one of the day: ‘Protect your Cloud workload from threats using Azure Security Centre’. The session was broken down into four areas of ‘Intelligent Security’:
- Identity and Access Management
- Threat Protection
- Information Protection
- Cloud security
Microsoft believe that ‘Workloads are heterogeneous and hybrid’, so it’s not only about protecting your cloud environment, you also need to protect the on-premises environment. The most common threats Microsoft see are around the following:
- Virtual Machines
- App Services
- SQL DBs
- Storage Accounts
- Key Vault
To help you manage all these different identities and services, Microsoft have totally revamped the Azure Security Centre, which now includes the Office 365 Security score. It’s now based on two main pillars:
- Strengthening Security Posture
- Protect against threats
For me the one area that really hit home was about ensuring you protect your VM workloads by reducing open network ports and protecting against malware, something I see issues with a lot in my role. New announcements were also becoming a regular theme and this session was no different, with the announcement that Microsoft now offer built-in vulnerability assessments for VMs, which are available as part of the standard VM pricing!
The session finished with another new announcement: new advanced protection capabilities for data services, now in preview, which include:
- Protecting SQL servers on Azure VMs
- Malware reputation screening for Azure storage
- Advanced Threat Protection for Azure Key Vault
After a not so short walk I was at my second session of the day: ‘Secure your enterprise with strong identity foundation’. Although this wasn’t a very technical session it was very insightful into how much development Microsoft are actually putting into Azure AD, and how they actually see it as being more secure than Active Directory on premises.
The session touched on a number of different subtopics around identity management, one being getting to a world without passwords. For me this was a very strange concept as passwords have been present since the day I came into IT, however they are also one of the biggest vulnerabilities as well. How many times have you had to deal with a security issue due to a brute force password attack?
The future for Microsoft appears to be based around biometrics, including face recognition, fingerprint scanning and biometric key fobs. Now you might think these types of technologies have been around for a while, for example Windows Hello in Windows 10, as well as banks using biometrics to log in to Internet banking. The difference is rather than using these as and when, Microsoft want these to take over from the password, bringing about a world without passwords!
Another takeaway from this session for me was around utilising Azure AD for all your 3rd party apps, not just Microsoft based apps, which is done via SSO (Single Sign-On) and Azure App Proxy. The session also touched on subjects including:
- Conditional Access and using smart protection policies and risk assessment to grant access
- Azure AD Identity Protection
- Self Service Password reset
After a short lunch break in the Hyatt Regency I was refuelled and ready for the third session of the day: ‘Deep Dive into Azure Policy and Governance’. It turned out that although very interesting, this session went a little over my head, mainly due to it being a lot of live demos using Azure Shell.
The most interesting part of the session for me was seeing the road map for Azure policy which includes:
- Regulatory Compliance
- Multi-tenancy support for Azure Lighthouse
- Authoring and language improvement
- Dataplane policy
- Remediation for custom guest configuration policy
- Continued partner integration
The final part of the session was around Azure Resource Graph and in what type of scenarios you can use it, as well as what’s new this year with this service.
The final session of the day was ‘Top ten best security practices for Azure today’ and a great way to finish off what was a great day two! For those who are familiar with Azure Security there were no real surprises, but for those who aren’t, according to Microsoft the following are a must if you want to keep your Azure resources secure:
- Operationalize Azure Secure Score. What they mean by this is assign stakeholders to use Secure Score, monitor your score and continuously improve your security posture. Rapidly identify and remediate common security hygiene issues and set up regular reviews of the Azure Secure Score.
- Administration – Account protection. This means password-less or MFA for all Admins
- Enterprise Segmentation and Zero trust preparation. Unify network, identity and app teams to align segmentation.
- Monitor for Attacks, including VMs on Azure, 3rd party VMs, Azure SQL DBs, Storage accounts and more.
- Applications – Secure DevOps
- GRC – Key Responsible parties. Ensure there are clear lines of responsibility within your team on network security, network management, server endpoint security, policy management and identity security & standards
- Networks and Containers. This is the Internet and Edge security and ensuring you are using some type of firewall
- Applications – WAF. Use web app firewalls on all internet facing applications
- Network and Containment – DDoS mitigations
- Network – Deprecating legacy technology
This brought an end to day two of the Microsoft Ignite Conference. Stay tuned for updates throughout day three and more blog posts!
Shabaz Darr is a Senior Professional Services Consultant at Concorde Technology Group in the UK. Shabaz’s primary responsibility is providing technical expert knowledge in both Cloud and Security to Concorde’s customers and partners. As an avid techie, Shabaz enjoys learning and working with new technology and can be found on Twitter at @ShabazDarr (https://twitter.com/ShabazDarr) and on LinkedIn (https://www.linkedin.com/in/shabaz-darr-900b8361/).