Category Archives: Multi-cloud

How to prepare your environment for new hybrid and multicloud scenarios

The will of many companies is to distribute and adopt applications that can reside on various ecosystems: on-premises, across multiple public clouds and at the edges. If you decide to have such distributed architectures it is essential to prepare your environment to be able to guarantee compliance and have an effective method to manage at scale server systems , applications and data, maintaining a high agility. This article discusses the aspects and practices to be taken into consideration to adopt hybrid and multicloud technologies useful to meet your business needs.

The reasons that lead to the adoption of hybrid and multicloud solutions

Microsoft Azure is an enterprise cloud service provider and can support business goals for environments that are public, hybrid and multicloud.

There are many reasons why customers choose to deploy their digital assets in hybrid and multicloud environments. Among the main ones we find:

  • Minimize or remove data lock-ins from a single cloud provider
  • Presence of business units, subsidiary companies or acquired companies that have already made choices to adopt different cloud platforms
  • Different cloud service providers may have different regulatory and data sovereignty requirements in different countries
  • Need to improve business continuity and disaster recovery by distributing workloads between two different cloud providers
  • The need to maximize performance by allowing applications to run close to where users are

What aspects to consider?

To prepare an IT environment and make it effective for any hybrid and multicloud deployment, the following key aspects should be considered:

  • Network topology and connectivity
  • Governance, security and compliance
  • Automation disciplines, unified and consistent DevOps development experience and practices

There are several possibilities for preparing an environment suitable for hosting hybrid and multicloud deployments, reason why before setting up your Azure environment or any other public cloud, it is important to identify how the cloud environment should support your scenario:

Figure 1 – Diagram showing how different customers distribute workloads between cloud providers

In the image above, each dark blue point represents a workload and each blue circle is a business process, supported by a separate environment. Depending on the cloud-mix, a different configuration of the Azure environment may be required:

  • Hybrid-first customer: most of the workloads remain in place, often in a combination of hosting models with traditional and hybrid resources. Some specific workloads are deployed on the edge, in Azure or other cloud service providers.
  • Azure-first customer: most of the workloads reside in Azure. However, some workloads remain local. Furthermore, certain strategic decisions have led some workloads to reside on edges or in multicloud environments.
  • Multicloud-first customer: most workloads are hosted on a public cloud other than Azure, such as Amazon Web Services (AWS) or Google Cloud Platform (GCP). However, some strategic decisions have led some workloads to be placed in Azure or at the edges.

Depending on the hybrid and multicloud strategy you decide to undertake for applications and data, this will be able to direct certain choices.

How to prepare the Azure environment

When dealing with the issue of preparing your IT environment for new hybrid and multicloud scenarios, it is advisable to define the Azure "Landing Zone" which represents, in the cloud adoption journey, the point of arrival. It is an architecture designed to allow you to manage functional cloud environments, contemplating the following aspects:

  • Scalability
  • Security governance
  • Networking
  • Identity
  • Cost management
  • Monitoring

The architecture of the Landing Zone must be defined based on specific business and technical requirements. It is therefore necessary to evaluate the possible implementation options of the Landing Zone, thanks to which it will be possible to meet the deployment and operational needs of the cloud portfolio.

Figure 2 – Conceptual example of an Azure landing zone

What tools to use?

Cloud Adoption Framework

The Cloud Adoption Framework of Microsoft provides a rich set of documentation, guidelines for implementation, best practices and helpful tools to accelerate your cloud adoption journey. Among these best practices, that it is good to commonly adopt and that it is appropriate to decline specifically on the various customers according to their needs, there is one specific section concerning hybrid and multicloud environments. This section covers the different best practices that can help facilitate various cloud mixes, ranging from fully Azure environments to environments where the infrastructure in Microsoft's public cloud is not present or is limited.

Azure Arc as an accelerator

Azure Arc consists of a set of different technologies and components that allow you to have a single control mechanism to manage and govern all your IT resources in a coherent way, wherever they are. Furthermore, with Azure Arc-enabled services, you have the flexibility to deploy fully managed Azure services anywhere, on-premises or in other public clouds.

Figure 3 –  Azure Arc overview

The Azure Arc-enabled servers Landing Zone, present in the Cloud Adoption Framework, allows customers to increase security more easily, governance and compliance status of servers deployed outside of Azure. Together with Azure Arc, services like Microsoft Defender for Cloud, Azure Sentinel, Azure Monitor, Azure Log Analytics, Azure Policy and many others can be extended to all environments. For this reason Azure Arc must be considered as an accelerator for your Landing Zones.

Azure Arc Jumpstart

Azure Arc Jumpstart has grown a lot, with over 90 automated scenarios, thousands of visitors per month and a very active open source community sharing their knowledge about Azure Arc. As part of Jumpstart, ArcBox was developed, an automated sandbox environment for everything related to Azure Arc, deployable to customers' Azure subscriptions. As an accelerator for the landing zone of Azure Arc-enabled servers it has been developed the new ArcBox for IT pro, which serves as a sandbox automation solution for this scenario, with services like Azure Policy, Azure Monitor, Microsoft Defender for Cloud, Microsoft Sentinel and more.

Figure 3 – Architecture showing how Azure Resource Manager, Azure Bicep and Hashicorp Terraform interact in ArcBox

Conclusions

The adoption of consistent operating practices across all cloud environments, associated with a common control plan, allows you to effectively address the challenges inherent in hybrid and multicloud strategies. To do this, Microsoft provides various tools and accelerators, one among which is Azure Arc which makes it easier for customers to increase security, governance and compliance status of servers deployed outside of Azure.

How to increase the security of container-based application architectures

Modern applications based on microservices are increasingly widespread and containers are an interesting building block for the creation of agile application architectures, scalable and efficient. Microservices offer great benefits, thanks to the presence of well-known and proven software design models that can be applied, but they also generate new challenges. One of these is certainly linked to the security of these architectures, which require the adoption of cutting-edge solutions to achieve a high level of protection. In this article is reported as the cloud-native solution for container security, called Microsoft Defender for Containers, is able to guarantee the protection of container-based application architectures, offering advanced capabilities for detecting and responding to security threats.

Functionality offered by the solution

Thanks to Microsoft Defender for Containers it is possible to improve, monitor and maintain the security of clusters, of containers and related applications. Indeed, this plan allows you to obtain the following benefits:

  • Hardening of the environment
  • Vulnerability Scanning
  • Run-time threat protection for the cluster environment and for the nodes

The benefits listed above are detailed in the following paragraphs.

Hardening of the environment

Through a continuous assessment of cluster environments, Defender for Containers provides complete visibility into any misconfigurations and compliance with guidelines. By generating recommendations it helps mitigate potential security threats.

Furthermore, thanks to the use of Kubernetes admission control it is possible ensure that all configurations are done in accordance with security best practices. Indeed, adopting the Azure Policy for Kubernetes you have a bundle of useful recommendations to protect the Kubernetes container workloads. By default, enabling Defender for Containers, these policies are automatically provisioned. In this way, every request to the Kubernetes API server will be monitored against the predefined set of best practices, before being made effective on the cluster environment. You can therefore use this method to apply best practices and enforce them for new workloads that will be activated.

Vulnerability Scanning

Defender for Containers includes an integrated vulnerability scanner for analyzing the images present in Azure Container Registry (ACR). Defender for Containers includes an integrated vulnerability scanner for analyzing the images present in:

  • In case of push: each time an image is sent to the ACR, scan is automatically performed.
  • In case of recent extraction: because new vulnerabilities are discovered every day, comes analyzes, on a weekly basis, Defender for Containers includes an integrated vulnerability scanner for analyzing the images present in 30 days.
  • When importing: Azure Container Registry has import tools to merge images from Docker Hub into it, Microsoft Container Registry or other ACR. All imported images are readily analyzed by the solution.

If vulnerabilities are detected, a notification will be generated in the Microsoft Defender for Cloud dashboard. This alert will be accompanied by a severity classification and practical guidance on how to correct the specific vulnerabilities found in each image.

Furthermore, Defender for Containers expands these scanning capabilities by introducing the ability to get visibility into running images. Through the new recommendation, called “Vulnerabilities in running images should be remediated (powered by Qualys)", groups running images that have vulnerabilities, providing details on the problems found and how to fix them.

Run-time threat protection for the cluster environment and for the nodes

Microsoft Defender for Containers provides real-time threat protection for containerized environments and generates alerts if threats or malicious activity are detected, both at the host level and at the AKS cluster level.

Protection from security threats occurs at several levels:

  • Cluster level: at the cluster level, threat protection is based on the analysis of Kubernetes audit logs. It is a monitor that allows you to generate alerts, monitoring AKS managed services, such as the presence of exposed Kubernetes dashboards and the creation of roles with elevated privileges. To see the complete list of alerts generated by this protection, you can access this link.
  • Host level: with over sixty types of analyzes, through artificial intelligence algorithms and with the detection of anomalies on running workloads, the solution is able to detect suspicious activities. A team of Microsoft security researchers constantly monitors the threat landscape and container-specific alerts and vulnerabilities are added as they are discovered. Furthermore, this solution monitors the growing attack surface of multi-cloud Kubernetes deployments and tracks the matrix MITRE ATT&CK for container, a framework developed by the Center for Threat-Informed Defense in close collaboration with Microsoft and others.

The complete list of alerts that can be obtained by enabling this protection can be consulted in this document.

Architectures for the different Kubernetes environments

Defender for Containers can protect Kubernetes clusters regardless of whether they are running on Azure Kubernetes Service, Kubernetes on-premise / IaaS oppure Amazon EKS.

Azure Kubernetes Service (AKS) Cluster

When enabling Defender for Cloud for clusters activated through Azure Kubernetes Service (AKS), audit log collection takes place without having to install agents. The Defender profile, distributed on each node, provides runtime protection and collects signals from nodes using the eBPF technology. The Azure Policy add-on for Kubernetes component collects cluster and workload configurations, as explained in the previous paragraphs.

Figure 1 - Defender for Cloud architecture for AKS clusters

Azure Arc-enabled Kubernetes

For all clusters hosted outside Azure it is necessary to adopt the Azure Arc-enabled Kubernetes solution to connect the clusters to Azure and provide the related services, like Defender for Containers. By connecting Kubernetes clusters to Azure, an Arc extension collects Kubernetes audit logs from all cluster control plane nodes and sends them in the cloud to the back-end of Microsoft Defender for Cloud for further analysis. The extension is registered with a Log Analytics workspace used as a data pipeline, but the audit data is not stored in Log Analytics. Information about workload configurations is managed by the Azure Policy Add-on.

Figure 2 – Defender for Cloud architecture for Arc-enabled Kubernetes clusters

Amazon Elastic Kubernetes Service (Amazon EKS)

Also for this type of cluster, activated in the AWS environment, it is necessary to adopt Azure Arc-enabled Kubernetes to be able to project them in the Azure environment. Furthermore, you must connect the AWS account to Microsoft Defender for Cloud. Plans needed are Defender for Containers and CSPM (for the configuration monitor and for recommendations).

A cluster based on EKS, Arc and the Defender extension are the components needed for:

  • collect policy and configuration data from cluster nodes;
  • get runtime protection.

Azure Policy add-on for Kubernetes collects the configurations of the cluster environment and workloads to ensure that all configurations are respected. Furthermore, the AWS CloudWatch solution is used to collect log data from the Control plane.

Figure 3 – Defender for Cloud architecture for AWS EKS clusters

Solution upgrade and costs

This Microsoft Defender plan merges and replaces two existing plans, “Defend for Kubernetes” and “Defender for Container Registries“, providing new and improved features, without deprecating any of the features of those plans. Subscriptions on which previous plans have been activated do not need to be upgraded to the new plan Microsoft Defender for Containers. However, to take advantage of new and improved features, must be updated and to do so you can use the update icon displayed next to them in the Azure portal.

The activation of these protection plans are subject to specific costs that can be calculated using the tool Azure Pricing calculator. In particular, the cost of Microsoft Defender for Containers is calculated on the number of cores of the VMs that make up the AKS cluster. This price also includes 20 free scans for vCore, and the calculation will be based on the consumption of the previous month. Each additional scan has a charge, but most customers should not incur any additional cost for scanning images.

Conclusions

Microservices-based architectures allow you to easily scale and develop applications faster and easier, allowing to promote innovation and accelerate the time-to-market of new features. The presence of a solution such as Microsoft Defender for Containers is essential to enable an adequate level of protection with regards to security threats, more and more advanced to attack these types of application architectures.

The security of AWS environments with Microsoft Defender for Cloud

Microsoft Defender for Cloud, previously known as Azure Security Center and Azure Defender, is a solution of Cloud Security Posture Management (CSPM) and for the protection of workloads, able to identify security weaknesses in cloud configurations, strengthen the overall security posture of the environment and protect workloads in hybrid and multi-cloud environments. For those who are adopting a multi-cloud strategy and who need high security standards for their environment, it is important to know that Microsoft Defender for Cloud can also include resources present in Amazon Web Services (AWS) and Google Cloud Platform (GCP). This article describes how to secure AWS environments using Microsoft Defender for Cloud.

The pillars of security covered by Microsoft Defender for Cloud

The capabilities of Microsoft Defender for Cloud are capable of contemplating two great pillars of cloud security:

  • Cloud Security Posture Management (CSPM) capable of providing the following features:
    • Visibility: to assess the current security situation.
    • Hardening Guide: to be able to improve security efficiently and effectively

Thanks to a continuous assessment, Defender for Cloud is able to continuously discover new resources that are distributed and evaluate if they are configured according to security best practices. If not,, assets are flagged and you get a priority list of recommendations on what to fix to improve their security. This list of recommendations is taken and supported by Azure Security Benchmark, the Azure-specific set of guidelines created by Microsoft, this contains security and compliance best practices based on common frameworks, with a focus on cloud-centric security. This benchmark may cover the controls of theCenter for Internet Security (CIS) and theNational Institute of Standards and Technology (NIST).

Defender for Cloud assigns a global score to the ambient environment, defined Secure Score, which allows you to evaluate the risk profile (the higher the score, the lower the level of risk identified) and to take action to take remediation actions.

  • Cloud workload protection (CWP): Defender for Cloud delivers security alerts based on Microsoft Threat Intelligence. Furthermore, includes a wide range of advanced and intelligent protections for workloads, provided through specific Microsoft Defender plans for the different types of resources present in the subscriptions and in hybrid and multi-cloud environments.

Defender for Cloud therefore allows you to meet the following three needs, considered essential when managing the security of resources and workloads residing in the cloud and locally:

Figure 1 - Security needs covered by Microsoft Defender for Cloud

AWS resource protection

To protect resources on other public clouds with this solution, there has been a mechanism for some time now that involves the use of interfacing connectors with AWS and GCP accounts. The onboarding process of your AWS account was based on the integration of the solution AWS Security Hub, as detailed in this article.

Now a new native mechanism and, through an approach agentless, allows you to connect to AWS environments. This new method of interfacing take advantage of the AWS API and it has no dependence on other solutions, like AWS Security Hub. The onboarding experience is designed to work easily on a large scale, simply by connecting your AWS master account, which allows you to automatically onboard existing and future accounts.

Figure 2 - Connect AWS to Microsoft Defender for Cloud

This mechanism easily extends Defender for Cloud's advanced security capabilities to your AWS resources and includes the following areas.

Figure 3 - Protection plans available

Cloud Security Posture Management (CSPM) for AWS

Defender for Cloud CSPM capabilities are extended to your AWS resources. This agentless plan evaluates AWS resources against AWS specific security recommendations and these are included in the calculation of the global security score. To provide an overall view on the security status of your multi-cloud environments, AWS security recommendations are also integrated into the Defender for Cloud portal, along with Azure recommendations. Have been implemented by Microsoft beyond 160 ready-to-use recommendations for IaaS and PaaS services and three regulatory standards including AWS CIS, AWS PCI DSS e AWS Foundational Security Best Practices. All this allows you to strengthen your security posture while also contemplating AWS resources in the best possible way. Furthermore, you can customize existing models or create new ones that contain your own recommendations and standards to verify compliance with internal requirements.

Figure 4 - Recommendations for AWS integrated in Defender for Cloud

Cloud workload protection (CWP) for AWS

AWS currently provides enhanced security for the following workloads:

  • Server protection: Microsoft Defender for server offers advanced threat detection and defense for EC2 instances as well, for both Windows and Linux systems. This plan includes the integrated license for Microsoft Defender for Endpoint and several features, including: Security baselines and assessment at the OS level, Vulnerability assessment, Adaptive Application Controls (AAC) and File Integrity Monitoring (FIM).
  • Container protection: Microsoft Defender for Containers extends container threat detection and advanced defenses of Defender for Kubernetes to Amazon EKS Clusters (Elastic Kubernetes Service). For Defender for Kubernetes to be able to protect AWS EKS clusters, Azure Arc-enabled Kubernetes and Defender extension are required.

Figure 5 – Alerts and recommendations for EKS clusters

Note: For those who have already set up an AWS connector using classic cloud connectors, it is recommended to connect the account again using the new mechanism.

The Cost of the Solution

If you decide to activate this integration, the following information on costs applies:

  • The CSPM plan is free. To provide recommendations, the CSPM plan queries the AWS resource APIs multiple times a day. These read-only API calls incur no charge, but they are logged in CloudTrail in case you have enabled the trail for reading events. As noted in the AWS documentation, this does not involve additional costs for maintenance. However, it is necessary to be careful and possibly filter these events if data exports are expected (for example to make them flow into an external SIEM).
  • The Defender for Containers plan will be billed at the same price as the plan Defend for Kubernetes for Azure resources.
  • For each AWS machine connected to Azure through Azure Arc, the Defender per server plan is billed at the same price as the Microsoft Defender for server plan for Azure machines.

Conclusions

Microsoft Defender for Cloud, originally developed with the claim of being the best tool to protect resources in an Azure environment, extend and refine its capabilities to cover other public clouds as well. In particular, Thanks to the new integration mechanism with AWS, you can natively adopt a CSPM solution and enable threat protection for your computing workloads in Amazon Web Services (AWS). This allows to obtain a high degree of security, to improve security postures in multi-cloud environments and to simplify the management of tools useful for governing security.

Protection of multi-cloud environments with Azure Security Center

The tendency of companies to adopt a multi-cloud strategy is increasingly widespread, but this operating model makes it particularly challenging to achieve high safety standards for your environment. To meet this need, Microsoft has officially made multi-cloud security support available in the Azure Security Center solution, allowing you to also contemplate amazon web services resources (AWS) and Google Cloud Platform (GCP). this article describes the features of this solution that provides a high degree of security and improves security postures in multi-cloud environments.

Azure Security Center (ASC) was originally developed as the best tool to protect resources in an azure environment. However, the need for customers to protect resources located on multiple public clouds is widespread and for this reason the product team has decided to expand the capacity for action, simplifying security management tools in multi-cloud environments. Azure Security Center can protect not only resources in hybrid environments but also contemplate multi-cloud architectures, including AWS and GCP.

Figure 1 – Multi-cloud and hybrid protection in Azure Security Center

These are the features that are made available to users to cover multi-cloud scenarios:

  • Connecting your AWS or GCP accounts to Azure Security Center provides a unified multi-cloud view of your environment's security postures. In particular, if the solutions AWS Security Hub or GCP Security Command Center detect incorrect configurations, these reports are included in the Secure Score template and in the compliance assessment against specific regulations (Regulatory Compliance), present in Azure Security Center.
  • Thanks to the fact that Azure Defender for Servers take advantage of Azure Arc you can simplify the onboarding process, and enable the protection of virtual machines running in AWS environments, GCP or hybrid cloud. All of which includes several features, including, automatic provisioning of agents, policy management, vulnerabilities and EDR (Endpoint Detection and Response) integrated. In particular, for vulnerability assessment functionality it is possible to perform manual or large-scale scans, and analyze the vulnerabilities detected, on scanned systems, through a unified experience.

These features complement multi-cloud support, also recently announced, of Azure Defender for SQL, this allows you to constantly monitor sql server implementations to detect known threats and vulnerabilities. these features are usable for sql server enabled in an on-premises environment, on virtual machines in Azure and also in multi-cloud deployment, contemplating Amazon Web Services (AWS) and Google Cloud Platform (GCP).

The solutionAzure Arc plays a fundamental role in all this and allows you to extend azure management services and principles to any infrastructure. To achieve this, Microsoft has decided to extend the model Azure Resource Manager to support hybrid and multi-cloud environments, this makes it easier to implement the security features in Azure on all infrastructure components.

Figure 2 – Azure Arc for hybrid and multi-cloud environments

The onboarding process and capabilities offered vary depending on the public cloud you intend to incorporate into Azure Security Center. the following paragraphs provide features for both amazon web services (AWS) that for Google Cloud Platform (GCP).

Amazon Web Services (AWS)

The onboarding process of your AWS account integrates the solution AWS Security Hub with Azure Security Center. In this way it is possible to obtain complete visibility and protection of these cloud environments to provide:

  • Automatic agent provisioning. ASC uses Azure Arc to deploy Log Analytics agent on board AWS instances.
  • Policy management.
  • Vulnerability management.
  • EDR (Endpoint Detection and Response) integrated.
  • Detecting security-impacting configuration errors.
  • A single view that can show ASC recommendations and AWS Security Hub.
  • An ASC score that also includes AWS resources.
  • Regulatory compliance assessments also for AWS resources.

The moment the connection with AWS Security Hub is configured correctly:

  • ASC scans AWS environment for EC2 instances, onboarding is done in Azure Arc, allowing log analytics agent to be installed. This gives you threat protection and gets security advice.
  • The ASC service scans new AWS EC2 instances each 6 hours and integrates them according to the configuration made.
  • The AWS CIS standard is shown in asc's regulatory compliance dashboard.
  • If the AWS Security Hub are enabled, recommendations will appear in the asc portal and regulatory compliance dashboard, after a few minutes after the completion of the onboarding process.

Figure 3 – AWS recommendations displayed in the ASC portal

To view active recommendations for your resources by type, you can use the security center asset inventory page and apply the specific filter for the type of aws resource that interests you:

Figure 4 – Display filters for AWS resources

Google Cloud Platform (GCP)

The onboarding mechanism of your GCP account allows you to integrate GCP Security Command with Azure Security Center and to have complete visibility and protection, in particular by providing:

  • Detecting security-impacting configuration errors.
  • A single view that can show ASC recommendations and GCP Security Command Center.
  • An ASC score that also includes GCP resources.
  • Integration of boards of GCP Security Command Center CIS-based within the Azure Security Center regulatory compliance dashboard.

The moment the connection with GCP Security Command completes:

  • The CIS GCP standard is shown in asc's regulatory compliance dashboard.
  • Security recommendations for resources located in GCP will appear in the Azure Security Center portal and regulatory compliance dashboard within minutes of completing onboarding.

Figure 5 – GCP recommendations displayed in the ASC portal

GCP virtual machine onboarding is currently manual, but you can adopt scripts to do it on a large scale.

On the Azure Security Center recommendations page, you can view all azure resource security recommendations along with AWS and GCP recommendations, thus obtaining a multi-cloud view.

Conclusions

The ability to adopt Azure Security Center as a centralized control solution, where security information from other public clouds also converges, combined with the possibilities given by integration with Azure Arc, to extend the protection of your systems, allows you to achieve a high degree of security and improve security postures in multi-cloud environments. Multi-cloud strategy adoption will become increasingly widespread, and Microsoft will continue to expand Azure Security Center to provide the best solutions to protect Azure, hybrid environments and multi-cloud operating models.