Azure Blueprint Automation: Web Applications for FedRAMP

As I spend more time developing work that helps drive cloud adoption I like to be reminded that moving to the cloud is hard!. And understanding Microsoft, or AWS's terminology and responsibilities can be complex in ways that are frequently overlook. 

I've addressed shared responsibility when moving to the cloud in my paper shared responsibility in cloud computing, as it's essential to understand the cloud role you take on before you adopt cloud computing. The role of security changes each time you move up the stack from IaaS, to SaaS. And overall your attack surface area may get smaller but your security posture cannot change... you must stay on top of your security effort.

In IaaS the role to secure your environment is a bit tougher, as you have to protect data, users, applications, and hosts. That means you own your VM, you have to patch it, run AV/AM, configure it correctly, and monitor the VM -- that's a lot of operational items that are easy to miss, or overlook.

Recently the Azure Blueprint team released it's second blueprint automation, Azure Blueprint Automation: Web Applications for FedRAMP which showcases a common reference architecture and demonstrates how you can deploy a secure workload in Azure federal space!. As we all know we want our government solution to be built securely!

So for those of you that are in the US federal space, and looking to try a secure cloud deployment - I'd recommend you give this blueprint a try, it will save you time and effort to learn how to build and secure a solution.


The rest of you that think NIST 800-53 is the right control set, and are considering the cloud move, can also grab a copy. The current solution is designed to run in the Azure fed. space, but if your a bit Azure and Powershell savvy, you'll be able to adopt the work into any Azure deployment. Overall it will still save you time to review the work and understand what it takes to build secure in the cloud.






Comments

Post a Comment

Popular posts from this blog

Protecting sensitive data

Image
Last month I wrote an article on key things to consider when protecting high valued assets or sensitive data. The article called Security Tip of the Month: Protecting Highly Sensitive Information addressed some of the key items that organizations should consider when protecting data that has the possible impact on an organization that is irreparable. As my article stated the cost of protecting this data tends to be higher than most data. Fact is that this data is not traditionally just sensitive such as credit card data, or HR data. Key indicators of what is High Value Data can be summed up like this. Assets that are considered to be of high value will frequently have the potential to cause the following conditions if they are lost or divulged: •        Loss of life - such as an informant list •        Regulatory fines - such as financial performance data •        Significant damage to the business - such as code signing and encryption keys (private) or trade secrets
Read more

Secure workstation - Root of trust to manage the cloud

Image
Two months ago I introduced the Azure secure workstation, and I’ve had the privilege to present the ideal to some great audiences. From the discussions, a common question I’ve been asked is a pattern that would provide the Secured PAW model lock down scenario to exclusively manage an Azure Portal (EG how to I assure only secured workstation, and users assigned to the program can manage my cloud services)? In this article I’ll provide the NEXT step to accomplish exactly that outcome. This includes additional configurations that I only lightly covered, or net new technology to apply since the publishing of the doc. Proposed outcome “ How do I” Use a Secured workstation (that I can trust) to manage my Azure cloud. Here’s how I would deploy the solution. First I will start by deploying the Secured Workstation model this using the secured profile. New technology, and capabilities to add: Hardware root of trust – in our solution we post the idea that you can
Read more

Why is privileged access important?

Image
Last year about this time I had published updates to the Azure Secure Workstation that was originally released two years ago. And This month the solution has been considerably rewritten and revised to provide a better more complete management for privileged access!  Collaborating with two great security experts James Noyce, and Mark Simos The content got a massive overhaul, and a broad perspective on what it takes to build and manage a comprehensive privileged access solution, including account management, device management, intermediaries such as VPN's and interfaces such as Web and Cloud services. Additionally, the solution was uniformly designed with three distinct security levels that anyone reading the article can deploy from a more flexible Enterprise security, to a comprehensive isolated PAW or privileged Access Management. Over the past two years I've been working to explain and illustrate how you can use a cloud-based solution to build an effective Zero tr
Read more