AZ-304 Microsoft Azure Architect Design – Design a Monitoring Strategy for Identity and Security

January 17, 2023

1. Using Privileged Identity Management Alerts

So let’s wrap up the discussion of identity and security with monitoring. Monitoring is always going to be a key feature; we’ll come back to it when we talk about data and in other sections of this course. But monitoring identity is something some people don’t even think to do. They set up the security, they have Azure AD managing users and passwords, and maybe they use Privileged Identity Management to add an additional layer of security for administrators.

They use Conditional Access to prevent some of the obvious attacks. It would be good to also set up some type of monitoring or reporting for these things, and you can: Azure’s Privileged Identity Management module has an alert feature. If you go into PIM, under roles, you can see alerts, and there are some predefined alerts, so you don’t have to dream up what you want to be alerted about. If there are too many administrators, that’s an alert. If roles are being assigned outside of Privileged Identity Management, that can be an alert, and so on.

So you can set up the security so that you’re notified when people do things you want to know about. There are five predefined alerts on screen to choose from; they’re basically a predefined set of potential policy violations, and you just pick from that list. Each of them has settings. Take “too many administrators”, for example.

Well, what is too many? You can go into each alert’s settings and say, okay, I want to be notified if there are more than ten global administrators on my account. For your organization that might be an excessive number; for another organization it might not be. Another alert says administrators aren’t using their privileged roles: if someone has been given administrator permissions but hasn’t actually used them in 30 days, that could be something worth alerting on. You can set that threshold as well; the slider looks like it can go up to six months or more, so you choose what an appropriate window is for you.
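The PIM alerts above are built on the same directory audit events you can query yourself. The following Log Analytics (KQL) query is an added example, not part of the course or of Microsoft’s PIM implementation; it lists role-membership additions over the same 30-day window the “unused privileged roles” alert uses and separates the ones that came through PIM from direct assignments. It assumes AuditLogs is being exported to the workspace via Azure AD diagnostic settings, and that PIM-initiated changes carry the initiating app display name “MS-PIM” (an assumption to confirm against your own tenant’s audit log).

```kql
// Added example (not from the course): role-management audit events behind the
// PIM "roles assigned outside PIM" alert, over the last 30 days.
// Assumptions: AuditLogs is exported to this workspace, and PIM-driven changes
// are initiated by the app "MS-PIM" (verify this in your own tenant).
AuditLogs
| where TimeGenerated > ago(30d)
| where Category == "RoleManagement"
| where OperationName startswith "Add member to role"
| extend InitiatorUser = tostring(InitiatedBy.user.userPrincipalName),
         InitiatorApp  = tostring(InitiatedBy.app.displayName)
// A human initiator (direct assignment) or the PIM service itself
| extend Initiator = coalesce(InitiatorUser, InitiatorApp)
| extend ViaPIM    = InitiatorApp == "MS-PIM"
| extend Target    = tostring(TargetResources[0].userPrincipalName)
| project TimeGenerated, OperationName, Result, Initiator, ViaPIM, Target
// Group by who assigned roles and whether PIM was involved; direct
// assignments (ViaPIM == false) sort first because they need review
| summarize Assignments = count(), Targets = make_set(Target, 20)
    by Initiator, ViaPIM
| order by ViaPIM asc, Assignments desc
```

Run it in the Log Analytics workspace that receives your Azure AD audit logs; rows with ViaPIM set to false are the assignments that bypassed PIM and should match what the portal alert reports.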

2. Other Ways to Monitor the Security of Identity

So we’re talking about monitoring identity and security. What is our approach to monitoring identity security? Basically, we start from the beginning. If you look at identity, you may have tens of thousands of users in your organization, all with various levels of permission, and it’s a daunting task to ensure that everyone has the right level of permission and that unauthorized people are not getting in. We can look at identity as the doorway. There are probably other ways to hack into your system that don’t relate to identity,

but if someone can get a working administrator user ID and password, and that’s all they need to get into your application, it’s like having the key to your house. Identity is the door, and you want to secure that door. What I would suggest is that auditing and monitoring start at the very beginning. A lot of companies have an on-premises Active Directory and use a synchronization tool to synchronize it into Azure AD. If your on-premises AD is not secure, those people are going to be able to get into your Azure accounts and your Azure AD. So security starts with your on-premises AD: who has access to it and how that is controlled. Securing on-premises Active Directory is obviously outside the scope of this course, but that’s where it starts.

So the root of your entire system’s security, the seed if you will, is the on-premises Active Directory. We use AD Connect to get users from our on-premises Active Directory into Azure Active Directory. We already talked about AD Connect Health to make sure that synchronization is working and secure, and to get various reports about how it’s going; you can monitor AD Connect to monitor the health of the connection. In Azure, you can go into Log Analytics, which gives you access to various security logs. Log Analytics has a back-end connection into subscriptions, resource groups and IAM itself.

So if you want to see who’s getting access and who’s being denied access, you can set up and run reports within Log Analytics. Another policy and strategy, of course, is to keep your systems up to date. We’ve seen examples in the past few years of companies that didn’t have a patching strategy or let their Java Struts versions get out of date; a known exploit appeared and those systems could basically be hacked. So make sure you’re running firewalls and antivirus, and that your OS and all the software you’re using are up to date with the latest patches. Pay attention when vendors come out and say: patch now, we’ve got a vulnerability that is now a zero-day exploit. Get that updated. That’s part of the policy, and as the security owner you’re going to have to make sure the people running those systems are not falling behind.
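The “who’s getting access, who’s denied access” report described above, as an added Log Analytics (KQL) example that is not part of the course: it summarizes sign-in outcomes per user over the last day and surfaces the accounts with denied attempts, the reasons given, and how many source addresses were involved. It assumes the SigninLogs table is exported to the workspace via Azure AD diagnostic settings.

```kql
// Added example (not from the course): sign-in outcomes per user, last 24 hours.
// Assumption: SigninLogs is exported to this workspace.
SigninLogs
| where TimeGenerated > ago(1d)
// Azure AD records a successful sign-in as ResultType "0"; anything else is a denial
| extend Outcome = iff(ResultType == "0", "Success", "Denied")
| summarize
    Successes = countif(Outcome == "Success"),
    Denied    = countif(Outcome == "Denied"),
    // Up to five distinct denial reasons per user (expired password, CA blocked, MFA failed...)
    Reasons   = make_set(ResultDescription, 5),
    SourceIPs = dcount(IPAddress)
    by UserPrincipalName
// Keep only accounts that saw at least one denial; many denials across many
// source addresses on one account is the pattern worth looking at first
| where Denied > 0
| order by Denied desc, SourceIPs desc
```

Drop the `where Denied > 0` line to get the full access report, successes included; pin the query to a workbook or alert rule if you want it on a schedule rather than on demand.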
