Originally posted on Microsoft Security
As an executive security advisor at Microsoft and a former CISO, I meet with other CISOs every week to discuss cybersecurity, cloud architecture, and sometimes everything under the sun regarding technology. During these discussions with CISOs and other senior security executives of large enterprises—who are in the beginning stages of a cloud migration—I find they’re excited about the increased flexibility of Microsoft Azure services and the consumption-based model it offers their business units. Regardless of where they are in the journey, they also have some concerns. For example, they need to figure out how to enforce security policies when IT no longer serves as the hub for services and applications.
Specifically, they come to me with the following three questions:
- We are interested in Microsoft and already have many of your security solutions. How do these tools translate to a hybrid-cloud solution and where do we start?
- Security impacts many parts of the organization outside of the security team. Who do we need to bring to the table across the organization for this to be a successful migration to a secure cloud?
- Can we create a roadmap or strategy to guide our journey to the cloud?
It really comes down to balancing agility with governance. Many of my customers have found that the Azure enterprise scaffold and Azure Blueprints (now in preview) can help them balance these two critical priorities. I hope my suggestions and insight help you to understand how to use these tools to smooth your cloud migration.
Establish a flexible hierarchy as the baseline for governance
Scaffolding and blueprints are concepts borrowed from the construction industry. When a construction crew builds a large, complex, and time-consuming project they refer to blueprints and erect scaffolding. Together these tools simplify the process and provide guardrails to guide the builder. You can think of the Azure enterprise scaffold and Azure Blueprints in the same way.
- Scaffolding is a flexible framework that applies structure and anchors for services and workloads built on Azure. It is a layered process designed to ensure workloads meet the minimum governance requirements of your organization while enabling business groups and developers to quickly meet their own goals.
- Blueprints are common cloud architecture examples that you can customize for your needs.
Customers find the Azure enterprise scaffold valuable because it can be personalized to the needs of the company for billing, resource management, and resource access. It is grounded in a hierarchy that gives you a structure for subdividing the environment into up to four nested layers to match your organization’s structure:
Enterprise enrollment—The biggest unit of the hierarchy. Enterprise enrollment defines the specifics of your contracted cloud services.
Departments—Within the enterprise agreement are departments, which can be broken down according to what works best for your organization. Three of the most popular patterns are by function (human resources, information technology, marketing), by business unit (auto, aerospace), and by geography (North America, Europe).
Subscriptions—Within departments are accounts and then subscriptions. Subscriptions can represent an application, the lifecycle of a service (such as production and non-production), or the departments in your organization.
Resource groups—Nested in subscriptions are resource groups, which allow you to put resources into meaningful groups for management, billing, or natural affinity. This hierarchy serves as the foundation for security policies and processes that you will layer on next.
Safeguard your identities and privileged access
When I talk with security executives about implementing security policies, we always start our discussion with identity. You can do the same by identifying who and what systems should have access to what resources—and how you want to control this access. Once you connect your Azure Active Directory (Azure AD) to your on-premises Active Directory (AD)—using the AD Connect tool—you can use role-based access control (RBAC) to assign users to roles, such as owner, contributor, or others that you create. Don’t forget to set up Multi-Factor Authentication (MFA) and adhere to the principle of granting the least privilege required to do the work. See Azure identity management best practices for more resources and security tips.
With your hierarchy established and resources assigned, you can use Azure Policy and Initiatives to define policies and apply them to subscriptions.
A couple examples of popular policies include:
- Restrict specific resources to a geographical region to comply with country or region-specific regulations.
- Prohibit certain resources, such as servers or data, from being deployed publicly.
Policies are a powerful tool that let you give business units access to the resources they need without exposing the enterprise to additional risk.
You will also need a plan for securing privileged accounts. I recommend creating a privileged access workstation when you start building out your security forest for administrators. Privileged access workstations provide a dedicated operating system for sensitive tasks that separates them from daily workstations and provide additional protection from phishing attacks and other vulnerabilities. With a good identity and access policy in place you have started down the path of “trust but verify” or building a “zero-trust” environment.
Gain greater visibility into the security of your entire environment
One big advantage of moving to the cloud is how much more visibility you get into the security of your environment versus on-premises. Azure offers several additional capabilities that allow you to protect your resources and detect threats. The Azure Security Center provides a unified view of the security status of resources across your environment. It includes advanced threat protection that uses artificial intelligence (AI) to detect incoming attacks and sends alerts in a way that’s easy to digest. Security DevOps toolkits are a collection of scripts, tools, and automations that allow you to integrate security into native DevOps workflows. Azure update management ensures all your servers are patched with the latest updates.
Get started with Azure Blueprints
Using the scaffolding and blueprints framework can help you establish a secure foundation for your Azure environment by safeguarding identities, resources, networks, and data. I’ve touched on a few of the components, and you can dig into the nitty gritty in this article. When you’re ready to get started, Azure Blueprints are available in preview. This capability will allow you to deploy the Azure enterprise scaffold model to your organization. Numerous organizations have used the blueprints and followed the scaffolding approach to successfully roll out their cloud strategy securely and faster than they expected.
As a final note of consideration as you work through your organization’s cloud/security strategy—make sure you have all the stakeholders in the room. Many times, there are other parts of the organization who own security controls but are outside of the security organization. These might include operations, legal, human resources, information technology, and others. These stakeholders should be brought into the scaffolding and blueprint discussions, so they understand their roles and responsibilities as well as provide input.