Microsoft’s Azure public cloud offers hyper-scale infrastructure and availability around the globe, a feat that’s difficult for even large enterprises to achieve on their own. One of the key paradigm shifts of the past half-decade or so is the move to apps that scale horizontally and are “built for failure”. Being built for failure sounds dubious, but as a concept it’s been shaped by the fault tolerance and high availability that tech-driven businesses require today. With that being said, traditional enterprise applications can absolutely leverage hyper-scale infrastructure to achieve continuous operation while maintaining data security and compliance certification.
One of our goals is to be the on-ramp to hyper-scale infrastructure and cloud computing for security-conscious organizations by making the initial transition and the day-to-day management painless. Our team configures each customer environment to meet its unique performance and scalability needs while adhering to best-practice security standards, helping our clients maintain compliance with regulatory standards like HIPAA and PCI.
The most critical component of an OpsCompass managed and protected environment is the composition of the individual virtual machines themselves. These VMs serve up key applications, so data integrity, security, availability and performance are all addressed through our platform and services on Microsoft’s Azure.
Let’s profile OpsCompass virtual machines on Azure to get more acquainted with the specific components we use and our overall approach, although we’ll focus mainly on security in this post.
Identity and Access Management
If it hasn’t already been done, we start by integrating a client’s Active Directory into their Azure services via Active Directory sync and configuring two-factor authentication. Many departments bypass IT and set up subscriptions without this in place, which puts the company at risk. Next, we configure any co-administrators that are necessary and then use Role Based Access Control, or RBAC, to control which cloud services employees can access and what they can do with those services, following a least-privilege model.
Network security is one of the most important pieces of your overall security design. For each client, we build out custom virtual networks, or VNets, that properly segregate the different tiers of the application’s architecture (web tier, application tier, database tier) or even different availability zones. Other network security configurations include VPN and firewall configuration and policy management.
Operating System Hardening
We support most standard operating systems such as the Windows Server family, Red Hat and CentOS, and Ubuntu. Every VM is provisioned via our automated tools with a hardened configuration that ensures every system meets specific standards. Without going into too much detail, this entails things like disabling SSH login for root, renaming the administrator account, and applying custom iptables and Windows Firewall rules, along with a whole lot more. In addition to the setup, we also install tools we use to gather and inspect logs, monitor configuration changes in real time, and perform non-intrusive anti-malware activities. It’s a comprehensive process, and we ensure each and every VM we deploy into your Azure environment includes these enhancements.
We deploy host-based IPS/IDS on every server. The agents report back to a central interface that our support engineers monitor in real time. We also configure alerts that automatically open support tickets for specific scenarios.
There should never be a trade-off between performance and security. We deploy New Relic on every server, and its alerts feed directly into our support ticket system.
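The “disable SSH for root” step above is easy to get wrong in a way that still looks correct on inspection, so here is an added example (not OpsCompass code) of a small audit that reads an `sshd_config` the way sshd does: the first value for a keyword wins, and anything after a `Match` line is conditional rather than global. The expected values in `EXPECTED` and the sample config are assumptions constructed for this example.

```python
from typing import Dict, List

# Directives the hardened baseline must set (assumed values for this example).
EXPECTED = {"permitrootlogin": {"no"}, "passwordauthentication": {"no"}}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Globally effective value of each directive. sshd keeps the *first*
    value it reads for a keyword, and anything after the first Match line is
    conditional, so neither later duplicates nor Match blocks count here."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):       # blank or comment line
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()                      # keywords are case-insensitive
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break                                   # conditional section begins
        effective.setdefault(key, value)            # first occurrence wins
    return effective


def audit_sshd_config(text: str) -> List[str]:
    """One finding per expected directive that is missing or mis-set."""
    findings: List[str] = []
    cfg = parse_sshd_config(text)
    for key, allowed in EXPECTED.items():
        if key not in cfg:
            findings.append(f"{key}: not set, OpenSSH default applies")
        elif cfg[key] not in allowed:
            findings.append(f"{key}: is '{cfg[key]}', expected {sorted(allowed)}")
    return findings


# Constructed sample: looks hardened at a glance, but root login stays enabled
# because sshd honours the first PermitRootLogin line, not the last one.
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication no
# a later "fix" that sshd silently ignores:
PermitRootLogin no
Match User deploy
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    print("\n".join(audit_sshd_config(SAMPLE_CONFIG) or ["baseline satisfied"]))
```

Running it on the real file (`audit_sshd_config(open("/etc/ssh/sshd_config").read())`) gives a quick post-provisioning check; `sshd -T` remains the authoritative view of the effective configuration.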
On-Ramp to Azure and the Public Cloud
Most companies either have some public cloud presence or the desire to dip their toe in, but many don’t know where to start. Hassle-free migrations, high security, compliance, patching and management, and just having real people providing support make the first jump so much easier for mid to large sized organizations.