7. Azure Resource Graph is a service in Azure designed to extend Azure Resource
Management by providing efficient and performant resource exploration to
effectively govern your environment. Azure Resource Graph can query resources
with complex filtering, grouping and sorting by resource properties across
resource groups, subscriptions or management groups, with the resulting
expression feeding into a policy definition.
Azure Security
1. Secure DevOps Kit for Azure (AzSK) is a collection of scripts, tools, extensions,
automation, etc., that addresses end-to-end Azure subscription and resource
security needs by integrating security into native DevOps workflows. AzSK
focuses on key security controls such as subscription-level security, security
integration into CI/CD and continuous assurance, by running security validation
tests (SVTs) in deployment pipelines.
Figure 5: Secure DevOps Kit for Azure. [Diagram of the AzSK lifecycle in six stages: 1 Provision security in subscription; 2 Develop securely, spot check security via scripts; 3 Deploy securely from VSP build/release pipeline; 4 Periodically scan in production to watch for drift; 5 Single security dashboard across DevOps stages; 6 Make data-driven improvements to security. Components shown: Subscription Security (Policy, ASC Config, Alerts, RBAC, etc.), Security IntelliSense, Security Verification Tests (SVTs), CI/CD Build/Release Extensions, Continuous Assurance Runbooks, OMS Solution for Alerting & Monitoring, Cloud Risk Governance.]
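As an added example (not code from the article or from the AzSK project), the following PowerShell shows how a subscription owner runs the AzSK scans described above from a workstation and then schedules them as a Continuous Assurance runbook, which is the "scan in production for drift" stage of the figure. The subscription id, resource group name and Log Analytics workspace values are placeholders, and the Continuous Assurance parameter names are assumed to be those of the 2019-era AzSK releases.

```powershell
# Added example: running AzSK security verification tests (SVTs) by hand,
# then installing Continuous Assurance. Assumes the AzSK module is installable
# from the PowerShell Gallery and the caller has Reader access on the
# subscription. All angle-bracket values and "rg-app-prod" are placeholders.

Install-Module -Name AzSK -Scope CurrentUser -AllowClobber
Import-Module AzSK

$subscriptionId = "<SUBSCRIPTION-ID>"

# 1. Subscription-level controls: RBAC, ASC configuration, alerts, policy.
#    Results land in a CSV plus a log under the local AzSK output folder.
Get-AzSKSubscriptionSecurityStatus -SubscriptionId $subscriptionId -DoNotOpenOutputFolder

# 2. Resource-level SVTs for one resource group (storage, Key Vault, SQL, ...).
Get-AzSKAzureServicesSecurityStatus -SubscriptionId $subscriptionId `
    -ResourceGroupNames "rg-app-prod" -DoNotOpenOutputFolder

# 3. Run the same SVTs periodically from an Automation runbook so that drift
#    in production is reported to Log Analytics (parameter names assumed).
Install-AzSKContinuousAssurance -SubscriptionId $subscriptionId `
    -ResourceGroupNames "*" `
    -LAWSId "<LOG-ANALYTICS-WORKSPACE-ID>" `
    -LAWSSharedKey "<LOG-ANALYTICS-SHARED-KEY>"
```

The interactive scans are what a developer runs before a pull request; the runbook is what the security team watches, since a control that passed at deployment time can fail later when someone changes RBAC or a network rule by hand.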
2. Service Endpoints provide a direct connection from virtual networks (VNets)
to Azure services. Endpoints allow you to restrict access to your critical Azure
service resources to only your virtual networks' private IP ranges. Today, Azure
supports service endpoints for most Azure data services, such as Azure Storage,
Azure Key Vault, Azure SQL, Service Bus and Event Hubs.
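Items 7 and 2 fit together in practice: Resource Graph finds the resources that are still open to every network, and service endpoints are one way to close them. The PowerShell below is an added example, not the article's code, and assumes the Az.ResourceGraph, Az.Network and Az.Storage modules with an authenticated session; the query uses the storage account property path `properties.networkAcls.defaultAction`, and the resource group, VNet, subnet and storage account names are placeholders.

```powershell
# Added example. Requires Az.ResourceGraph, Az.Network and Az.Storage and a
# prior Connect-AzAccount. Every resource name below is a placeholder.

# --- Item 7: query across subscriptions with Azure Resource Graph -----------
# A storage account whose network ACL default action is "Allow" accepts
# traffic from any network; those are the lockdown candidates.
$query = @"
Resources
| where type =~ 'microsoft.storage/storageaccounts'
| where properties.networkAcls.defaultAction =~ 'Allow'
| project name, resourceGroup, subscriptionId, location
| order by name asc
"@
$open = Search-AzGraph -Query $query -First 1000
$open | Format-Table name, resourceGroup, subscriptionId, location

# The same data grouped, to see which regions carry the most open accounts.
Search-AzGraph -Query @"
Resources
| where type =~ 'microsoft.storage/storageaccounts'
| where properties.networkAcls.defaultAction =~ 'Allow'
| summarize openAccounts = count() by location
| order by openAccounts desc
"@ | Format-Table

# --- Item 2: restrict one account to a subnet via a service endpoint --------
$rg         = "rg-app-prod"
$vnetName   = "vnet-app-prod"
$subnetName = "snet-app"
$stName     = "stappprod001"

# 1. Enable the Microsoft.Storage service endpoint on the subnet, so traffic
#    from it reaches Storage over the Azure backbone carrying the subnet identity.
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet `
    -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint "Microsoft.Storage" | Out-Null
$vnet   = $vnet | Set-AzVirtualNetwork
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet

# 2. Allow that subnet on the storage account first, then flip the default
#    action to Deny; doing it the other way round cuts the subnet off until
#    the rule is in place.
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $stName `
    -VirtualNetworkResourceId $subnet.Id | Out-Null
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $stName `
    -DefaultAction Deny -Bypass AzureServices | Out-Null

# 3. Verify: the rule set should list the subnet and default to Deny.
Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $stName
```

Re-running the first query after remediation is the check: the account should no longer appear. The `-Bypass AzureServices` setting keeps trusted Azure services (for example diagnostics export) working after the default action becomes Deny; drop it if the account has no such dependency.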
3. Azure Security Center (ASC) has been enhanced to provide functionality to
protect workloads at scale. This includes: security score; regulatory dashboards
to meet compliance standards such as CIS, PCI, SO and ISO; advanced threat
detection; JIT VM access; and APIs to manage ASC. Today, you can even enable
automatic provisioning of monitoring agents on all Azure VMs.
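Two of the ASC capabilities listed above, agent auto-provisioning and JIT VM access, can be switched on through the Az.Security PowerShell module, which sits on the management APIs the item mentions. The block below is an added example and not the article's code; it assumes an authenticated session with Az.Security loaded, and the subscription id, resource group, VM name, region and admin source range are placeholders.

```powershell
# Added example (not from the article). Requires the Az.Security module and a
# prior Connect-AzAccount. Subscription, resource group, VM, region and the
# 203.0.113.0/24 admin range are placeholders.

# 1. Auto-provision the monitoring agent on every VM in the subscription, so
#    new machines report to ASC without a per-VM step.
Set-AzSecurityAutoProvisioningSetting -Name "default" -EnableAutoProvision

# 2. Just-in-time VM access: SSH and RDP stay closed at the NSG by default and
#    ASC opens them for a bounded window on an approved request. Limiting the
#    allowed source prefix to the admin jump-host range is tighter than "*".
$vmId = "/subscriptions/<SUBSCRIPTION-ID>/resourceGroups/rg-app-prod/providers/Microsoft.Compute/virtualMachines/vm-app-01"
$jitPolicy = @{
    id    = $vmId
    ports = @(
        @{ number = 22;   protocol = "*"; allowedSourceAddressPrefix = @("203.0.113.0/24"); maxRequestAccessDuration = "PT1H" },
        @{ number = 3389; protocol = "*"; allowedSourceAddressPrefix = @("203.0.113.0/24"); maxRequestAccessDuration = "PT1H" }
    )
}
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location "westeurope" -Name "default" `
    -ResourceGroupName "rg-app-prod" -VirtualMachine @($jitPolicy)

# 3. Pull the open ASC recommendations; working these down is what moves the
#    security score and the regulatory dashboards.
Get-AzSecurityTask | Format-Table
```

`maxRequestAccessDuration` is an ISO 8601 duration, so `PT1H` caps each approved access window at one hour; a request can ask for less but not more.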
32 | THE DOPPLER | WINTER 2019