Steps to securing and managing your VMs in production with Azure

Coming up on the show we look at the steps you can take in Azure to secure and manage your VMs in production. From how you can enable threat prevention, receive security alerts, and take advantage of the new just-in-time admin capability. To how you can use Azure Backup with multi-factor authentication to protect against ransomware attacks. And how you can leverage the latest in log analytics to discover and mitigate potential issues.

I'm joined today by Praveen from the Azure team, welcome.

Thanks for having me on the show.

So this is an interesting topic because a lot of people will set up their VMs and assume that security and management is just taken care of. But there's more to it than that.

That's right. When you provision a VM for the first time we make sure that you have the latest image and recent updates. We also make sure that your performance and availability SLAs are met. For example, we don't over-utilize a VM host with too many VMs to compromise your uptime.

And of course Microsoft takes care of all the physical security and maintenance of the environment that hosts your VMs?

Absolutely, but once you provision your VM, there are a few things that you need to take care of. For example, you need to be able to enable controls that help you to protect your VM against threats, and to set yourself up so that you can actually detect breaches and mitigate any kind of issues you may face and manage the security overall. Also, if something does happen, like your data gets corrupted, you may want to have a backup plan for it. In addition, overall you would want to get the right level of visibility into the overall state of your VM spanning across performance, health and availability.

And these seem like obvious things for those in IT. And it applies to just about everything we do when we think about managing resources, services and data.

Absolutely, as obvious as it might sound, there are always some kind of false assumptions where people think that all of this is taken care of automatically for them. But we don't do that automatically. There are some reasons, because typically in any scenario, in any environment, you might have a multitude of permutations of your needs. For instance, you might already have some form of existing tools that you may want to use. Or you may have a maintenance window that you want to adhere to. So what we do is we provide you the freedom to control and configure the necessary things you need for your environment.

So tell us how easy it is to configure your VMs to be secure and well managed.

Sure. I'm here in the Azure portal. You can see that we have broadened the set of security and management tools natively available within Azure. Starting with dedicated services such as Azure Security Center, Backup, which is part of the Recovery Services, and Log Analytics. We provide a set of services and tools that help you to manage your overall operations management.

So can you walk us through a particular scenario?

I'm here at the Security Center homepage where you can see the set of resources I have. The security state of all my resources including compute, networking, storage and applications. Information about the VM can be found under compute. What you see here is the overall monitoring recommendations of all my virtual machines including cloud services if I have any. For instance I can find missing system updates. I can also get a high-level assessment of vulnerabilities across all my virtual machines. Specifically, if I click on the virtual machines tab here, you will notice that I can get the security state of all my virtual machines individually.

So that's great for visibility for day-to-day operations, but what about detecting specific threats to the environment?

Let me go back to the Azure Security Center homepage. Here you will notice that we have a set of security alerts that detects all the bad things happening in your environment. It provides me the list of security alerts. For instance, here I look at it and I'm concerned about the failed RDP brute-force attack. So let me drill down. As soon as I drill down I notice that a specific VM has been attacked multiple times. So I'm going to click on the individual VM instance. It looks like in the last 49 minutes there are a few failed items. The service also gives me a set of remediation steps to prevent such attacks. In addition it provides me an ability to apply just-in-time VM access to reduce the attack surface. Let me go ahead and configure it. I'm going to find the individual VM under the not configured ones. And I'm going to select that and enable just-in-time VM access. You will notice that I can add specific ports to make sure that I reduce the attack surface. In this case it has already listed specific ports such as port 22, 3389, 5985, and 5986. I am just going to continue and save it. Now that it is configured, once the admin needs to get access to the specific server he or she can scroll down to the individual portal and select the particular server and request access. When they request access you will notice that they can specifically access a port for a period of 1 to 3 hours. And then select the toggle button here and open the ports.

So what we've essentially done there is cut off access to the VM and you've allowed a specific admin to tend to it for a specific amount of time. And is that a new feature that we've just learned of?

Absolutely, this is a recent feature called just-in-time VM access that we have enabled in Azure Security Center.

Awesome, is there anything else that we need to do?

When you launch Azure Security Center for the first time, you will see the Welcome page here. As soon as you see the Welcome page, you can click on Launch Security Center. And as soon as you click on this, the data collection for all the virtual machines under this subscription is automatically enabled. And you can also configure your settings as needed under security policies at a granular level for the individual VMs under the subscription.

That's awesome and a great proactive mitigation. But what happens in the case of a VM getting corrupted?

Oh, for that you can use Azure Backup. Let me show you. I'm here in the Azure portal. This is a virtual machine and it's called Contoso SQL server 1. You will notice that within the VM blade settings, there is an option called backup. As soon as I click on the backup, it enables me to provide an ability to safeguard my data by creating or selecting an existing Recovery Services vault where the data is protected and managed and monitored. For this demo I'm going to select an existing Recovery Services vault called Contoso retail HQ. In addition I can also specify a backup policy. In this case you can create a new backup policy which provides the granular controls of backup frequency, which could be daily or weekly. It can specify the time zones as needed. In addition you can also specify the retention range across daily, weekly, monthly or yearly. For the sake of this demo I'm just going to select the default policy. The default policy here is a daily policy at 4:30 p.m. on a daily basis. And the retention range is a daily backup point that is retained for 30 days. As soon as I click OK and enable backup, your backup is ready, right.

So just a few clicks to back up your VMs. But does it help you protect your data against things like ransomware? They typically target the backup process running inside a VM, which ultimately prevents you getting access to your own data.

That's a great question. For that, within Azure Backup, we have a capability called multi-factor authentication which actually ensures that for every critical operation you have in your backup, you have to have a security PIN. Let me show you how. I have currently remotely logged into a server and I'm going to simulate a ransomware attack. You can see that this server is currently under attack by a ransomware. Immediately you will also notice that the live data has been encrypted by the specific ransomware. Typically ransomware not only encrypts the live data, but also would try to get control of the previously backed up data so that you as a user don't restore back to the previous backed up point. In this case it will also try to get access to the backup process which is running in the server so that it can delete all the previously backed up data. What I'm going to do here is try to simulate and show you what will happen in that case. Here I have a PowerShell script that is going to simulate what a typical ransomware would try to do. When I'm executing this PowerShell script, I'm going to make sure that I'm also attempting to delete all the backup data I have had. As you can see it's trying to stop the backup process, but it is not allowed because a security PIN is needed for all the critical operations in Azure Backup.

So how do we set this up?

Let me show you in the Azure portal. I'm here in the Azure portal under Recovery Services vault where I have enabled my backup. You can notice that under the Recovery Services vault, under settings, there is Properties. Once you click on it, you have the ability to make sure that you have already enabled multi-factor authentication and the security settings by clicking on this update link under security settings. So I'm going to click on it. You will notice that the security features have already been enabled. In this case every time an admin is going to execute any critical operation, he or she has to generate a PIN, which they can do in this link under security PIN. You will also notice that the security PIN is only valid for five minutes, essentially restricting the access to only legitimate users to perform any kind of critical operations.

And outside of that five minutes no PINs will work at all?

Absolutely.

That's great. So how do we go about understanding the visibility into what's going on, especially if a problem arises?

That's a great question. Typically the log data is key, and the more log data you can correlate across different systems, the greater the detail of visibility you can get.

But you know what, it's kind of like finding a needle in a haystack. So what's the best way to navigate all of this log data?

Let me show you how within the Azure portal. You have this notion of a Log Analytics workspace, which is a centralized log store that collects all the log data and provides visibility for you. I'm here in the Azure portal. I have already created a Log Analytics workspace called Contoso retail IP. Under that I have the workspace data sources where I have already filtered the virtual machine called Contoso SQL server. I'm just going to click on this and within a single click you can connect this particular virtual machine into the workspace. And then you can start collecting all the data so that you can collect, correlate and search for issues and fix issues quickly. Moreover, you will also notice that we have enabled several built-in management solutions out of the box so that you can easily get insights into whatever information you need. This is all powered by the analytics and monitoring capabilities we have within Azure.

And those analytics and monitoring capabilities seem really useful in terms of diagnostics.

Oh, for sure. We enhanced the Azure analytics service and we launched an advanced analytics portal including an interactive query. This portal provides lots of tips and tricks and easy-to-get-started common queries. Let's assume for example you have been notified that there has been a slowness identified in some form of services. You as an admin, you don't know where to get started. Here I'm going to create a new query. This query actually tries to plot the trends across all my performance counters across all my virtual machines for the past 60 minutes. You will quickly see that the query has shown me that most of my virtual machines have not deviated from their usual behavior. But there is this virtual machine which seems to be running slow. And the service is indicating to me to click on this particular purple data point, then click Get Some Smart Diagnostics. So I'm going to click on this to understand what is happening in the specific virtual machine called Contoso Linux one. You can quickly notice that the machine learning algorithms have crunched the data and identified mutually exclusive graphs pointing to me that the particular spike has been caused by this logical disk category in the Contoso Linux virtual machine. This indicates to me that there seems to be an intensive IO operation happening in the specific virtual machine.

Nice, and you've quickly narrowed down the cause using analytics and machine learning.

Absolutely, it's not only that. Beyond this you can also mitigate this issue by recommending to your admin that this particular IO operation can be remediated in the future by transitioning the spinning disk into an SSD disk.

So I've noticed that you've configured controls within Azure Security Center, Backup and Log Analytics throughout this scenario. Are we doing anything to streamline this experience a bit further?

Absolutely, that's a good observation. We are actually working to make sure that you have the ability to enable all these configurations and capabilities natively within the virtual machine. Soon you will be able to see specific settings and services for your virtual machines directly from the VM blade at the point of creation.

Thanks Praveen for walking us through the options for securing and managing VMs on Azure. How can people learn more?

Get hands-on and learn how to create secure and well managed VMs in Azure by following the links below.

And see you next time on Mechanics for the latest in tech updates. Thanks for watching.

Microsoft Mechanics www.microsoft.com/mechanics
