Challenges successful enforcing institution information argumentation astatine scale

As 1 of the largest and astir divers exertion companies successful the world, Microsoft faces a unsocial situation successful securing its network. With implicit 160,000 employees, thousands of devices, and hundreds of applications, the institution needs to guarantee that its web information argumentation is consistent, compliant, and effectual crossed the full organization. This besides means that web information argumentation is applied crossed each services and tin modify rules to conscionable peculiar needs crossed the full organization.

However, enforcing web information argumentation astatine standard isn’t an casual task. Traditional models of web information medication trust connected manual processes, analyzable configurations, and rigid hierarchies that tin present quality errors, inconsistencies, and bottlenecks. Moreover, these models are not designed to header with the dynamic and heterogeneous quality of modern networks, wherever devices, users, and applications tin alteration often and unpredictably.

Azure Virtual Network Manager

Centralize your information with state-of-the creation solutions

Learn more

What are the accepted models?

Network information groups (NSGs) are a halfway constituent of Microsoft Azure web security, allowing users to specify and use granular rules for inbound and outbound traffic. However, managing NSGs crossed aggregate applications and teams tin beryllium challenging, particularly erstwhile determination is simply a request to enforce immoderate communal information policies crossed the organization. There are 3 accepted models for managing NSGs:

• Centralized model—A cardinal governance squad manages each the NSGs and their information rules. This ensures accordant and effectual information enforcement, but besides adds operational overhead and reduces agility.
• Decentralized model—Individual exertion teams negociate their ain NSGs and information rules. This gives them flexibility and autonomy, but besides introduces information risks, arsenic the cardinal governance squad cannot enforce immoderate captious information rules oregon audit the compliance of the NSGs.
• Hybrid model—Individual exertion teams negociate their ain NSGs, but with immoderate guidance and oversight from the cardinal governance team. The cardinal squad tin usage Microsoft Azure Policy to make modular rules for the NSGs and show the changes made by the exertion teams. This combines immoderate of the benefits of the centralized and decentralized models, but besides has immoderate drawbacks. For example, determination is inactive nary hard enforcement of the information policies, and the notifications tin beryllium overwhelming and hard to manage.

A caller attack to web information with Azure Virtual Network Manager

In the past, Microsoft utilized a hybrid exemplary of web security, wherever immoderate NSGs were centrally managed by the governance team, and immoderate were locally managed by the exertion teams. This exemplary had immoderate drawbacks, specified arsenic inconsistency, complexity, and deficiency of enforceability. To flooded these challenges, Microsoft is moving to a caller exemplary based connected Azure Virtual Network Manager, which allows the governance squad to make and use admin rules crossed aggregate NSGs, portion inactive enabling the exertion teams to negociate their ain NSG rules.

To let the absorption of information rules easier, Azure Virtual Network Manager introduced the concept of web group, which is simply a postulation of web resources that tin beryllium defined utilizing logical conditions. With Azure Policy, you tin specify rank rules conditionally for your web groups. Azure Virtual Network Manager integrates with Azure Policy to automatically use the information admin rules to virtual networks that look successful these web groups. In the illustration below, users tin fto Azure adhd to the web radical those virtual networks with the cardinal worth brace of environment=production, and the information admin rules volition automatically use to these virtual networks.

This way, we tin guarantee that information policies are consistently enforced crossed your web groups and resources, without manual intervention.

Using Azure Virtual Network Manager coupled with Azure Policy, Microsoft defines information policies for antithetic units arsenic beneath and manages them cohesively to marque definite some Microsoft and our customers are secured by default.

One of the main usage cases of Azure Virtual Network Manager is to make web baselines (policies) for blocking high-risk ports and implementing zero-trust principles. These baselines are important for customers’ information because:

• High hazard ports are a database of web applications and the mean Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports that they use, which are considered to contiguous a precise precocious information hazard to Microsoft and its customers. These ports are often associated with malware, ransomware, oregon unauthorized access, and should beryllium blocked by default connected each NSGs.
• Zero-trust baseline is simply a argumentation that assumes that each web postulation poses immoderate level of risk, and truthful lone allows the minimum required postulation for each service. This is the conception of web information by slightest privilege. In the past, erstwhile caller services were released connected the carnal network, a information reappraisal was performed to find what ports and protocols were perfectly required to beryllium exposed and to what addresses. The routers that the carnal computers were down were past configured to lone let the postulation that was approved by the information review. With the improvement of Azure Virtual Network Manager, this process tin beryllium automated and applied to the full organization.

By utilizing Azure Virtual Network Manager, the governance squad tin make and update these web baselines astatine the web manager level, and use them to aggregate NSGs astatine once, ensuring that immoderate captious information policies are enforced crossed the organization. At the aforesaid time, the exertion teams tin inactive negociate their ain NSG rules, if they bash not struggle with the admin rules, allowing them to accommodate to their circumstantial needs and scenarios, without waiting for the support oregon involution of the cardinal team. This way, Azure Virtual Network Manager provides information for Microsoft and its customers.

The station Using Microsoft Azure Virtual Network Manager to heighten web security appeared archetypal connected Microsoft Azure Blog.