Guide: Secure Service Fabric Cluster or VM Scale Sets using IaaSAntimalware

Posted by Nilay Parikh and last modified on Tue Jun 12, 2018.

Microsoft Antimalware provides free real-time protection against viruses, spyware and other malicious software. The solution is built on the same antimalware platform as Microsoft Security Essentials, Forefront Endpoint Protection, System Center Endpoint Protection, Windows Intune and Windows Defender. Microsoft Antimalware is a single-agent malware protection for tenant environments.

Microsoft Antimalware for Azure Cloud Services and Virtual Machines is a detailed guide by Microsoft if you would like to explore Microsoft Antimalware further. There are many ways to deploy Microsoft Antimalware to your Azure IaaS or Cloud Services infrastructure, but I would like to focus on the following two,

The IaaSAntimalware extension can be defined in a Resource Manager template (virtualMachineScaleSets\properties\virtualMachineProfile\extensionProfile\extensions).

  • Using virtualMachineProfile ensures consistency across the VM cluster.
  • Provisioning a new Virtual Machine or Service Fabric Node ensures the deployment and configuration of IaaSAntimalware.
  • You can roll out configuration changes easily and consistently across a cluster.

Guide: Setup Operations Management Suite (OMS) with Azure Service Fabric

Posted by Nilay Parikh and last modified on Tue Jun 12, 2018.

Service Fabric would be a core tool in your computing arsenal for Microservices architecture, and it is very popular among Microsoft and Azure enthusiasts. I have covered Service Fabric extensively in many blog posts. In this post, I would like to focus on the Operational and Service Management aspects of Azure Service Fabric.

Problem Definition

  • Microservices are a highly distributed and likely high-volume transaction infrastructure; how do you efficiently manage aspects of service management such as Operational Logging, Application Logging, Security Logging, Log Shipping & Aggregation, and Log Analytics & Alerting?
  • Tracking changes and system updates effectively across a vastly distributed logical and physical architecture.
  • Setting up comprehensive Incident Management or Outage Tracking for distributed applications.
  • Covering compliance requirements around log retention and transactional traceability.
  • Segregating logs based on functions and organisational visibility, i.e. finance, legal.

The problems mentioned above are a very common scenario (for Service Fabric or Microservices implementations) at any enterprise-scale, business-critical Microservices implementation. Clearly, the challenge is the scale. You could be dealing with 100+ logical services and a 25-30 machine cluster in a typical high-end microservices environment, or even bigger.

Microsoft Operations Management Suite would be an excellent fit if you are in Azure (and also if you are not). Let us try to evaluate OMS based on the following business-value criteria for IT operations and management.

  • Cost Reduction
  • Reduce Risk (Security)
  • Visibility into IT Systems (through Application, Security and Availability)
  • Automation and Orchestration of IT Operations

Guide: Setup Microsoft Operations Management Suite (OMS) in Azure

Posted by Nilay Parikh and last modified on Tue Jun 12, 2018.

Following up on last month’s LinkedIn Digest, I am starting a new Azure Operations Management Suite blog series.

Microsoft Operations Management Suite (OMS) enables organisations to gain insight and control with Service Management, Security Orchestration and IT Operations across Azure, Hybrid Cloud and on-premises data centre.

The product focuses on the following mainstream IT Operations and Service Management functions.

  • Insight and Analytics
  • Automation and Control
  • Security and Compliance
  • Protection and Recovery

I will write a separate blog post discussing and evaluating the Microsoft Operations Management Suite and the problem definition that the product addresses. In this post, I will keep to the basics: a step-by-step guide to setting up OMS and an overview of the OMS Portal.

Guide: A Step-by-Step Guide to Setup Service Fabric Cluster in Azure

Posted by Nilay Parikh and last modified on Tue Jun 12, 2018.

As an Azure Computing enthusiast, I have been following Service Fabric since the platform became available in private preview. Service Fabric is a distributed platform that addresses significant challenges in managing cloud applications, i.e. Microservices, High-Density Web Services or self-hosted applications. Azure Service Fabric avoids complex logistical problems around infrastructure and service management. It mainly focuses on implementing critical, high-volume workloads that are scalable, fault-tolerant, self-healing, stateless or stateful, fast to deploy, resource-balancing, self-optimising and manageable.

There are mainly two ways to provision the Service Fabric clusters,

Cloud Security Pattern: Secure Application Secrets with Secret Encryption Key using Azure Key Vault and RSA HSM

Posted by Nilay Parikh and last modified on Tue Jun 12, 2018.

The previous two posts explained how to Setup Key Vault in Azure and Access Azure Key Vault using Azure AD Application and Certificates. This blog post discusses Cloud Security Patterns (or Application Cryptography Patterns) using Microsoft Azure Key Vault.

One of the most prominent challenges that any cloud deployment faces is securing your application configuration and application secrets, i.e. database connection strings, third-party API keys, passwords, encryption salts, unsecured endpoints. Cyber forensic evidence suggests that compromised application configuration leads to larger and abysmal organisational security failures. Therefore, it is crucial for every cloud project to consider this aspect seriously. OWASP finds A5 Security Misconfiguration and A6 Sensitive Data Exposure to be two of the most common vulnerabilities.

The suggested cloud application security pattern secures Application Secrets with a random AES 128-bit symmetric data key, and wraps that symmetric data key with an application-specific RSA HSM key (HSM Key). All access points are secured by an Azure AD Security Principal and Client Certificates.

  • An Azure AD Service Principal based Client Assertion Certificate authenticates with Key Vault (Perimeter Security).
  • The Application Secret is encrypted by a random AES 128-bit symmetric key.
  • The random AES 128-bit symmetric key is protected by the RSA HSM key.

Guide: Setup Key Vault using Azure AD Application and Certificates

Posted by Nilay Parikh and last modified on Tue Jun 12, 2018.

In a previous post we discussed options for setting up an Azure Key Vault. Let’s move to the next logical topic: how to access Azure Key Vault securely from client applications.

To access Azure Key Vault securely, you can opt for either of the following options.

Guide: Step-by-Step Runbook to setup Azure Key Vault

Posted by Nilay Parikh and last modified on Tue Jun 12, 2018.

Setting up an Azure Key Vault is relatively easy compared with some other Azure deployments. Microsoft Azure supports the Web Portal, PowerShell, shell scripts, the CLI, ARM templates and other scripting languages.

Key decision points are ACLs, the Service Principal and managing access secrets. This article discusses all of these aspects of the journey. Let us start simple and then move on to advanced options (for DevOps).