Jennifer Davis for Microsoft Azure


Examining Security with Azure

Rather than having one long video for Azure Advent, I've tried to make a set of smaller videos that you can watch in any order. In this series of videos I talk about security on Azure. For other great Azure content, check out the contributions to the Azure Advent event.

Security Introduction

What do you think of when someone says security?

A minimal definition I would give for security would be resilience from harm.

Often it feels like we talk about security as an end state, for example, "this application or website is secure." Much like other areas of operability, security is a mindset and a set of processes and technologies that continually evolve to respond to malicious and accidental activities that could harm our infrastructure, applications, and data, and, overall, affect the value and trust of our customers.

In 2015, Gartner Inc. revealed its top strategic predictions for 2016 and beyond. One of these predictions was that "Through 2020, 95 percent of cloud security failures will be due to some problematic use by customers rather than cloud providers." In 2019, Gartner Inc. updated this prediction through 2025, increasing the problematic usage to 99%! You could say that it's a competitive advantage to improve security skills.

Looking at the different types of infrastructure you can invest in, from on-prem datacenters and infrastructure as a service to platform as a service and software as a service, there are some elements of security that are taken on by the cloud provider and some that are the responsibility of the customer. This is part of the premium price that comes from a provider handling a part of resilience for you. No matter what architecture is chosen, though, data and its accessibility, identity and access management, and endpoint management are the responsibility of the customer.

It's important to talk about how to talk about security. Models are useful ways to inspire conversations and build context between people. One of the first models that I learned about was the CIA triad: confidentiality, integrity, and availability. Confidentiality is the set of rules that limit access to information to the people who should have access to it. Integrity is the assurance that information is true and correct to its original purpose and that only those who should be able to can modify that information. Availability is about reliable access to information and resources for the individuals who need it, when they need it.

A newer model is the DIE model: distributed, immutable, ephemeral. It helps orient architecture decisions by framing them around desirable outcomes. When we can choose a distributed architecture, we can better manage the harm that is caused by distributed attacks. When we can choose an immutable infrastructure, we can detect changes and repair those changes. When we can choose ephemeral infrastructure, then often by the time an attacker is able to figure out a vulnerability in our infrastructure, it's already gone, and the value of trying to compromise the infrastructure approaches zero.

Additional Resources

Designing and Architecting with a Security Focus

Additional Resources

Developing with a Security Perspective

Additional Resources

Monitoring with a Security Perspective

Additional Resources

Twitter

There are a lot of industry discussions that happen on Twitter. If you're interested in learning about current trends and practices, here are a few interesting accounts:

Do you have resources that you'd recommend? Please share below and I'll update this page to include them.
