Azure Arc and the Azure control plane enables Security Engineers to take care of Cloud Governance and make sure that their hybrid and multi cloud environment are configured in a secure and compliant state.
In this blog post, we are going to have a look at Azure Arc for Security Engineers. Azure Arc allows you to extend Azure management and Azure services to anywhere. Meaning that you can manage and govern resources running across hybrid and multi cloud environments, and bring services such as Azure SQL Database and Azure PostgreSQL Hyperscale to your on-premise datacenter, edge location, or other cloud providers. Since Azure Arc can help in many different scenarios. I wanted to summarize how Security Engineers, IT Administrators, IT Operators can take advantage of Azure Arc.
Azure Arc simplifies governance and management by delivering a consistent multi-cloud and on-premises management platform. Azure Arc enables you to manage your entire environment, with a single pane of glass, by projecting your existing resources into Azure Resource Manager. You can now manage virtual machines, Kubernetes clusters, and databases as if they are running in Azure. Regardless of where they live, you can use familiar Azure services and management capabilities. Azure Arc enables you to continue using traditional ITOps, while introducing DevOps practices to support new cloud-native patterns in your environment.
Azure Arc Management Overview
This provides you with a single control plane for your hybrid and multicloud environment.
Azure Arc for Security Engineers
Let's have a look at some key Azure Arc scenarios for Security Engineers.
Use the Azure Portal to gain central visibility
In hybrid and multicloud environments, it can be difficult for Security Engineers to get a central view of all the resources they need to manage. Some of these resources are running in Azure, some on-premises, at branch offices, or even at other cloud providers. By connecting resources to the Azure Resource Manager using Azure Arc, Security Engineers can get central visibility of a wide range of resources including Windows and Linux servers, SQL server, Kubernetes clusters, and Azure services running in Azure and outside of Azure.
Azure Arc and Azure resources in the Azure Portal
Organization and Inventory
The single control plane using Azure Resource Manager lets you organize and inventory assets through a variety of Azure scopes, such as management groups, subscriptions, resource groups, and tags.
Azure Arc Tagging
Azure Resource Graph
Establish central visibility in the Azure portal and enable multi-environment search with Azure Resource Graph. This allows you to run queries against the Azure resource graph and provide you with a centralized view of all your resources running in Azure and outside of Azure.
As a Security Engineer, you want to make sure that only people who need to have access can access to these systems. You can delegate access and manage security policies for resources using role-based access control (RBAC) in Azure. With Azure Arc enabled servers, we are seeing customers removing the local access for administrators and only provide them access to the system in the Azure portal using Azure Arc and Azure Management services. If you run in multiple environments and tenants, Azure Arc also integrated perfectly in Azure Lighthouse. Azure Lighthouse is especially interesting for managed services providers.
Role-based Access Control
As a Security Engineer, one of your jobs is to make sure that all the systems have the latest updates and patches installed to protect against vulnerabilities. Often customers spend hours orchestrating or deploying patched or building automation for their patch management. With Update Management you can manage operating system updates for your Windows and Linux servers. It allows you to schedule and automate patching for your servers.
You do not just want to manage your systems; you also want to monitor them and make sure that you get alerted in case anything is happening which you disrupted your environment and applications. You can monitor your Kubernetes clusters and containers, Linux, and Windows Servers. Azure Monitor provides you with monitoring guest operating system performance and discover application components to monitor their processes and dependencies with other resources the application communicates using VM insights.
One of the great features in Azure Monitor which can help Security Engineers is the Microsoft Dependency agent. This provides you with information about the incoming and outgoing connections to a specific server.
Azure Monitor Map
Log collection and analytics
Log collection and analytics can be very helpful to a Security Engineer in many ways. With Azure Log Analytics you can collect, sort, filter, and analyze your logs centrally. It allows Security Engineers to get a central view of all the security logs of the systems they manage. These logs can also be used for thread hunting using Azure Sentinel.
Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.
Change Tracking and Inventory
With change tracking and inventory, you can get an overview of the changes happening in your environment and get an inventory of software installed on your Windows and Linux servers.
Change Tracking and Inventory
You might have managed certificates on your servers using Active Directory and Group Policies for your local environment. In hybrid cloud or mutlicloud environments, servers are often not even domain joined. That can make managing certificates a challenge. With a combination of the Azure AD Managed Identity assigned by the Azure Arc agent and Azure Key Vault you can easily and securely deploy and manage certificates to your Windows and Linux servers.
Making sure that your servers and Kubernetes clusters are secured is often a challenging task, especially in a hybrid or multicloud environment. With Azure Security Center you get threat detection and proactively monitor for potential security threats for your Azure Arc resources. It allows you to deploy Azure Defender for servers and Azure Defender for Kubernetes to your hybrid and multicloud resources.
Get compliance state
As an IT Pro you want to know if your servers or Kubernetes clusters are compliant with the company policies. Or you are even in charge to make sure that all your systems are configured correctly and secure. This is where Azure Policy Guest Configuration on your Azure Arc enabled servers can help you to make sure that everything is compliant.
Learn more about Arc enabled servers, see the following overview
Learn more about Arc enabled Kubernetes, see the following overview
Learn more about Arc enabled data services, see the following overview
Experience Arc enabled services from the Jumpstart proof of concept
Also, check out my video on how to manage your hybrid cloud using Azure Arc on Microsoft Channel 9.
Azure Arc enables Security Engineers and others with the right tooling to manage and operate hybrid and multicloud resources such as Windows and Linux servers, Kubernetes clusters, and other resources. If you have any questions, feel free to leave a comment below.