Security in hybrid cloud environments
Tailwind Traders plans to adopt a hybrid cloud posture. This move makes its environment more complicated than it was when workloads were deployed only on-premises. Also, the security configuration and telemetry of these workloads are increasingly complex.
In this unit, you learn how Tailwind Traders can monitor the configuration of its on-premises and cloud workloads and be alerted to any suspicious activity. You also learn how Tailwind Traders can streamline updates to its on-premises and cloud server operating systems.
What is Microsoft Defender for Cloud?
Microsoft Defender for Cloud allows you to assess the security configuration of various workloads. You can use Microsoft Defender for Cloud to:
- Implement security best practices across infrastructure as a service (IaaS), platform as a service (PaaS), data, and on-premises resources.
- Track security configuration compliance against regulatory standards.
- Protect data by identifying suspicious activity, such as patterns associated with the exfiltration of data.
- Classify data hosted in SQL databases.
In hybrid environments, Defender for Cloud can be integrated with the Log Analytics agent to collect event-log events, event-tracing telemetry, and crash dump files. Defender for Cloud can then perform an analysis of that data to make recommendations or generate alerts that can be forwarded to an organization's Security Incident and Event Management (SIEM) system.
Tailwind Traders has various tools they use to assess whether the security configuration of its Windows Server and Linux workloads complies with published third-party standards. As it adopts more hybrid technologies, Tailwind Traders can use Microsoft Defender for Cloud to monitor and remediate the security configuration of its on-premises server operating system, and its growing deployment of workloads in the cloud.
What is Microsoft Sentinel?
Microsoft Sentinel allows organizations with hybrid cloud solutions to ingest telemetry from security event logs for both on-premises and the cloud. Microsoft Sentinel is both a SIEM and a Security Orchestration, Automation, and Response (SOAR) solution.
SIEM solutions store and analyze log data and event telemetry that they ingest from external sources. Microsoft Sentinel supports the ingestion of data from on-premises, Azure, and third-party cloud locations, including from other SIEM systems. SOAR solutions allow you to orchestrate analysis of data. They assist you in creating an automated response to known threats.
The following image shows a Microsoft Sentinel hybrid architecture.
Microsoft Sentinel can perform the following tasks when it's supporting hybrid environments:
- Collect data across cloud-based and on-premises users, devices, applications, and infrastructure.
- Use AI and deep learning to identify potentially malicious activity in event data.
- Detect threats through analysis of event data based on attack signatures generated by Microsoft's security research.
- Automate the response to incidents with known characteristics by using security playbooks.
Microsoft Sentinel includes built-in workbooks that help you analyze data and can provide recommendations for you. You can then quickly comprehend suspicious security telemetry instead of sorting through it to try to understand its meaning. You can also import or use custom workbooks. The workbooks are based on the experiences of other security researchers who found effective methods of security telemetry analysis that differ from the methods included in Microsoft Sentinel.
Tailwind Traders has an on-premises SIEM system that collects and analyzes event-log data from various computers and devices. Although this SIEM system was adequate when Tailwind Traders had only an on-premises deployment, adopting Microsoft Sentinel allows Tailwind Traders to extend this capacity into its hybrid cloud.
Tailwind Traders is likely to connect its existing SIEM solution to Microsoft Sentinel. This connection gives the company the benefits of Microsoft Sentinel's AI and deep learning without having to substantially modify the existing on-premises configuration.
What is Azure Automation Update Management?
Azure Automation Update Management allows you to manage the updates to your on-premises and cloud server operating systems by using a single console in the cloud. Update Management works with Microsoft Windows Server workloads and with supported Linux operating system workloads, whether they run on physical or virtual machines.
Update Management can use Microsoft Update or Windows Server Update Services (WSUS) as a source of updates for Windows Server operating systems. Update Management can also use a public or custom Linux package repository for updates to Linux operating systems. Update Management allows you to determine which updates are currently missing from enrolled operating systems.
The following diagram shows how Update Management integrates with Azure Automation and Log Analytics workspaces.
When you configure an update deployment, you specify:
- Whether the update deployment targets Windows or Linux computers; you can't target both types in the same deployment.
- The specific enrolled servers that you want to target with the deployment.
- The update classifications that should be installed.
- Whether specific updates should be included or excluded from the deployment.
- The schedule for the deployment, including whether the deployment should occur periodically.
- Any pre-update and post-update scripts that should be run.
- The maximum length of the maintenance window, with the last 20 minutes of the window devoted to system restart.
- The restart options that determine whether the system should restart if a restart is necessary for the updates to complete installation.
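The settings in the list above map directly onto the parameters of the `Az.Automation` cmdlets that create an update deployment. The following PowerShell is an added example, not code from this module or from Microsoft's documentation; the resource group, Automation account, runbook names, VM resource ID, on-premises computer name and KB number are placeholders assumed for Tailwind Traders' environment, and it assumes the Az PowerShell module is installed and `Connect-AzAccount` has already been run.

```powershell
# Added example: declaring a Windows-only Update Management deployment with Az.Automation.
# All resource names and IDs below are assumed placeholders, not values from this module.
$rg      = 'rg-tailwind-ops'        # assumed resource group of the Automation account
$account = 'aa-tailwind-updates'    # assumed Automation account name

# A recurring schedule. -ForUpdateConfiguration marks it for use by Update Management
# rather than for a plain runbook job. Here: every Sunday, starting tomorrow.
$schedule = New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $account `
    -Name 'Weekly-Windows-Security' `
    -StartTime (Get-Date).AddDays(1) `
    -WeekInterval 1 -DaysOfWeek Sunday `
    -ForUpdateConfiguration

# The deployment itself. -Windows selects the OS family; a separate deployment with
# -Linux would be needed for Linux servers, since one deployment cannot mix both.
New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg -AutomationAccountName $account `
    -Schedule $schedule `
    -Windows `
    # Enrolled targets: Azure VMs by resource ID, on-premises servers by computer name.
    -AzureVMResourceId @('/subscriptions/<subscription-id>/resourceGroups/rg-tailwind-prod/providers/Microsoft.Compute/virtualMachines/vm-web-01') `
    -NonAzureComputer @('onprem-app-01') `
    # Update classifications to install.
    -IncludedUpdateClassification Critical,Security `
    # A specific update held back from this deployment (placeholder KB number).
    -ExcludedKbNumber @('<KB-number-to-exclude>') `
    # Maintenance window; the final 20 minutes are reserved for the restart.
    -Duration (New-TimeSpan -Hours 2) `
    # Pre- and post-update runbooks (assumed names) that exist in the same account.
    -PreTask 'Stop-TailwindAppServices' -PostTask 'Start-TailwindAppServices' `
    # Restart only when an update requires it.
    -RebootSetting IfRequired
```

Note that PowerShell does not allow comments between backtick-continued lines in every host; if your host rejects them, move the comments above the cmdlet call. After the deployment runs, `Get-AzAutomationSoftwareUpdateRun` on the same account reports per-run status, which is the view Tailwind Traders would use to confirm that enrolled servers are no longer missing the targeted updates.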
The company has WSUS and other tools to manage the updates to its on-premises Windows and Linux operating systems. By configuring its operating system workloads for IaaS virtual machines (both on-premises and in the cloud) to connect to Azure Software Update, Tailwind Traders can ensure that all operating systems that host critical workloads stay up to date.