Azure has finally released their Well-Architected documentation, which contains a wealth of knowledge on a range of topics as it relates to the cloud. As part of this release, they have also released a questionnaire. The goal of this post is to have a look at the first security question in the assessment.
You can find the assessment here.
I am honestly a fan of this question, although I think the options need a bit of work from an application perspective. When we start down a security track, the first objective to accomplish with clients is to establish security goals for the organization. The process involves bringing up various considerations (along the people, process, technology lines) that the company needs to pay attention to when driving their solutions. So this question is pretty fitting here. Lets go through a couple of the asks.
When doing a top-down approach to security, this is usually step one for most organizations. Ultimately, you want to be able to justify why you are implementing a particular security control, since those controls require effort/money/time etc.
I think the interesting advice to consider here is that how much time you spend classifying your applications (and justifying controls) likely depends on the size of your organization. If you are a startup, your focus should likely be less on classification exercises, and more on defining security baselines for the app itself. In fact, one classifies applications solely to understand the security rigour that should be applied to said application.
If I were to redirect this ask, it would be more along the lines of designing security baselines taking into consideration the security landscape of the applications (or business) utilizing it.
Here are some resources to get you started:
Saweet. Can I please take four orders of devops security guidance? Here’s my credit card!
I like to think that I’m a security professional (by day at least) and so I should likely know what they mean by “devops security guidance”. A google search yields ads (one of them for gartner, which I click on to further my eDOS attack) and a 2019 blog post from Microsoft.
I think a discussion of devops and security is beyond the scope of this post, suffice to say, if you are confused about exactly what they mean by this….. You are not alone.
Best I can tell, this checkbox is probably more around setting up appropriate security principles and then enforcing it with automation and continuous improvement. For some ideas, see https://docs.microsoft.com/en-us/azure/architecture/framework/security/security-principles
Other relevant links:
I really like this question. Much like question 1, I think that one’s approach to securing the cloud can be placed on a continuum from small to large enterprises. When I engage with large enterprise security teams, they are typically routed in the past. Initially, their goals are to “extend” their existing security capabilities to the cloud. I feel that this approach is mostly taken from a position of comfort, rather than a practical decision on the effectiveness of alternate toolsets.
To start your journey, have a look at https://docs.microsoft.com/en-us/azure/security/fundamentals/security-controls
In conclusion, I think that these types of questions and assessments are a good thing, overall, for the cloud industry. It is important that while the cloud seems like something you just “turn on”, in reality, there is much more to it. Hopefully these types of assessments will lead to more organizations taking a conscious look at their cloud strategy up front.
Shamir is a Microsoft Most Valuable Professional (MVP – Azure) and has extensive experience building solutions in the cloud, from strategy to deployment to automation