Azure

Azure Storage Protection

Ran Xing Azure, Cloud Security , , , , ,

26 JUL

There are serious and tremendous cloud data leaks every year. Different cloud providers supplies different solutions to protect its storage service. I will compare them in the later article. For today, I will try to introduce the Azure policy to protect Azure storage from public access.

In Azure Storage, for a long period of time, there is no REST ARM API for containers. This means that Azure policy couldn’t do anything on the data plan for Azure containers. Sounds familiar? Yes. Only a few services such as Key Vaults supplies the data plan control on the policy level. But things are changing and getting better now. We will see more controls for the policy to take on the data plan.

Continue reading

Terraform patterns: Make Terraform programable

Ran Xing AWS, Azure, DevOps, devsecops, GCP, patterns , , ,

Summary

Terraform as a Declarative Language, are smart to achieve the target state without bothering SecDevOps people to keep track of the procedures. You can easily understand from the high level Terraform flow diagram bellow. But only setting up the end-state sometime couldn’t help. There are scenarios where we need to hook Terraform as an interface to expose infrastructure-as-code to Automation stages or E2E testing cases. Making Terraform more programable will tackle these kinds of challenges. Today, I am going to introduce some patterns around this.

Terraform Flow Continue reading

Multi-cloud comparison: Resource zoning

Ran Xing AWS, Azure, cryptograph, GCP, IAM, Multi-cloud, Network, Security Architect, Storage , , , , , ,

Summary

If you want to understand the cloud infrastructure better, I would suggest you start looking at the resource zoning. Within resource zoning, there will be things like IAM, Data Encryption, network, HA, Disaster Recovery, etc. You can take this “road trip” to walk throughout the Cloud “kingdom”.

If you can compare the services across different cloud providers, you can get more insights horizontally.

In this series, I will compare cloud services in different topics, with resource zoning in this session. I won’t cover all the services, but security related ones as usual.

Compare

Here is the detailed list from my GIT repo. Welcome to contribute to this repo.

Example

A couple of examples here are listed on how to utilise the table.

ex1: Security logging

All the security logging services across different Cloud provider are either global or cross-region. But there is a little bit difference.
GCP Audit Logging
AWS Cloudtrail
AZure Activity Logs

GCP Audit Logging within Stackdriver service is global resource. It has resource types including project, organization, folder, billing account.

AWS Cloudtrail is cross-region resource, but you have to manually enable for all regions.

AZure Activity Logs can exported on the Subscription level while you can select multiple regions for steaming to Event Hub or export to Storage Account.

ex2: Networking

In GCP VPC is global resources. And Subnet is regional resources. So logically you can understand the IP ranges is associated on Subnet level. Routes are global resource, so they are defined on VPC level. In AWS, VPC is regional resources, and Subnet is zonal resources. You can only assign one subnet entirely into one AZ. You can then imagine the IP ranges and routes should be on the VPC level. In Azure because not all the Azure regions support availability zones. So subnets, routes, network security groups and application security groups are all regional resources.

Driving from all the facts above, it would be much easier to explain more details in the following few section around networking in this series.

Note:

GCP all resources, whether global, zonal, or regional, must be unique within the project.

Reference:

Global, regional, and zonal resources
Resource Locations
AWS Global vs Regional vs AZ resources - Certification
What are Availability Zones in Azure?