In today's digital landscape, securing your network infrastructure is paramount. The Network Device Enrollment Service (NDES) plays a critical role in issuing certificates for network and mobile devices, making its security essential. This post outlines best practices for safeguarding NDES, treating it as a Tier 0 system, using Privileged Access Workstations, employing Hardware Security Modules, and more. By implementing these strategies, you can enhance the security of your network devices and protect your organization from potential threats.

This post is based on https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ndes-security-best-practices/ba-p/2832619 which is a hefty read albeit hugely useful.

Here is an expanded summary of the key points for NDES security best practices which might make more sense:

Treat NDES as a Tier 0 system: NDES is crucial for security, so it must be protected with the highest level of security controls and isolation.

A Tier 0 system is a critical component in an organization's IT infrastructure, representing systems that, if compromised, could lead to the compromise of the entire enterprise. These systems typically include domain controllers, certificate authorities, and other key security and identity management systems. Due to their importance, Tier 0 systems require the highest level of security controls and isolation to protect against attacks that could have severe organizational impacts.

Use a Privileged Access Workstation (PAW): Administer NDES from a PAW to reduce the risk of credential theft and improve security.

A Privileged Access Workstation (PAW) is a dedicated, highly secure computing environment used exclusively for sensitive tasks, such as managing NDES. The use of a PAW helps to reduce the risk of credential theft and other security breaches by isolating administrative activities from standard user environments, which are more likely to be exposed to malware and phishing attacks. PAWs should be configured with strict security controls, including application whitelisting, restricted internet access, and robust authentication mechanisms, ensuring that only authorized personnel can perform administrative tasks on NDES. This approach significantly enhances the overall security posture of your NDES deployment.

System Hardening: Limit administrative access, apply security baselines, and ensure the system is fortified against attacks.

System hardening involves implementing stringent security measures to protect NDES against potential threats. Here are key steps:

1. Limit Administrative Access: Only allow essential personnel to access the system, reducing the risk of unauthorized changes and potential breaches.
2. Apply Security Baselines: Use predefined security settings and policies to ensure a consistent and robust security posture across the system.
3. Regular Updates and Patching: Keep the system up to date with the latest security patches and updates to defend against known vulnerabilities.
4. Network Segmentation: Isolate NDES from other parts of the network to limit the potential impact of a security breach.
5. Monitoring and Logging: Implement comprehensive monitoring and logging to detect and respond to suspicious activities promptly.
   

Hardware Security Modules (HSM): Use HSMs for secure key management to protect cryptographic keys.

Hardware Security Modules (HSM) are dedicated hardware devices designed to manage and protect cryptographic keys. Utilizing HSMs for NDES offers several benefits:

1. Enhanced Security: HSMs provide a physically secure environment for key storage, reducing the risk of key exposure.
2. Tamper Resistance: They are built to resist tampering, providing a robust defense against physical attacks.
3. Performance and Reliability: HSMs are optimized for cryptographic operations, ensuring high performance and reliability in key management.
4. Compliance: Using HSMs can help meet regulatory and compliance requirements for data protection and cryptographic security.

Incorporating HSMs into your NDES deployment ensures that cryptographic keys are securely managed and protected, enhancing the overall security of your network.

Avoid Virtualization on General Servers: Virtualizing NDES on general-purpose servers can expose it to additional risks.

Virtualizing NDES on general-purpose servers can expose it to additional risks and vulnerabilities. Here's why it's important to avoid this practice:

1. Dedicated Resources: NDES requires dedicated hardware resources to ensure optimal performance and security. Sharing resources with other virtual machines can lead to resource contention and performance degradation.
2. Isolation: Virtualizing NDES on a general-purpose server increases the attack surface, as other virtual machines on the same host might be compromised and used as a pivot point for attacks.
3. Security Controls: General-purpose servers might not have the stringent security controls required for a Tier 0 system like NDES. Dedicated hardware can be more effectively hardened and secured.
4. Compliance: Using dedicated hardware can help meet compliance and regulatory requirements that mandate strict isolation and security for critical systems.

By avoiding virtualization on general-purpose servers, you can better protect NDES from potential threats and ensure it operates securely and efficiently.

Reverse Proxies for External Access: Use reverse proxies to manage and secure external access to NDES, reducing exposure to threats.

Using reverse proxies is a key practice for enhancing the security of NDES when it needs to be accessed externally. Here are the benefits and considerations:

1. Traffic Filtering: Reverse proxies can inspect and filter incoming traffic, blocking malicious requests before they reach the NDES server.
2. Load Balancing: They distribute incoming traffic across multiple servers, ensuring optimal performance and reliability.
3. SSL Termination: Reverse proxies handle SSL encryption and decryption, offloading these tasks from the NDES server and enhancing security.
4. Anonymity and Protection: By acting as an intermediary, reverse proxies help obscure the NDES server’s IP address, adding a layer of security against direct attacks.

Implementing reverse proxies thus significantly reduces the exposure of NDES to external threats, enhancing its security and performance.

Separate Certification Authorities: Employ separate CAs for NDES operations to contain any potential compromise and limit impact.

Using separate Certification Authorities (CAs) for NDES operations is a crucial security practice. Here’s why:

1. Containment of Compromise: Isolating NDES-specific CAs ensures that a breach in one CA does not affect other CAs, limiting the impact of potential security incidents.
2. Operational Separation: Different CAs can be tailored to specific operational needs, enhancing the security and efficiency of certificate issuance.
3. Enhanced Security: By separating duties and reducing the attack surface, you strengthen the overall security posture of your certificate infrastructure.
4. Compliance: Helps meet regulatory and industry standards for secure key and certificate management.
   

Secure Certificate Templates: Protect certificate templates and enforce stringent verification processes to ensure the integrity of issued certificates.

Securing certificate templates is essential for maintaining the integrity and security of certificates issued by NDES. Here’s how:

1. Access Control: Restrict access to certificate templates, ensuring that only authorized personnel can create or modify them.
2. Template Security Settings: Enforce stringent security settings on templates to prevent unauthorized issuance and misuse of certificates.
3. Verification Mechanisms: Implement robust verification mechanisms to ensure that certificate requests are legitimate and comply with organizational policies.
4. Monitoring and Auditing: Regularly monitor and audit the use of certificate templates to detect and respond to any suspicious activities promptly.
   

Hope this makes more sense than sense than the original post https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ndes-security-best-practices/ba-p/2832619 although I do recommend following this in detail when you put these measures to practice.

As businesses increasingly rely on Azure for their cloud solutions, maintaining an up-to-date and secure environment becomes crucial. One critical aspect is ensuring that log data is consistently received and analyzed. In this blog post, we'll dive into using Azure's Kusto Query Language (KQL) to identify tables that have not received logs in the last day. By pinpointing these gaps, you can proactively address potential issues in your logging infrastructure and ensure comprehensive monitoring of your cloud resources. Let's explore how KQL can help you maintain a robust and reliable logging system.

union withsource = _TableName *
| where TimeGenerated > ago(10d)
| summarize last_log = datetime_diff("day", now(), max(TimeGenerated))  by _TableName
| where last_log > 1
| project ['Table Name'] = _TableName, ['Last Record Received'] = last_log
| order by ['Last Record Received']  desc

1.

union withsource = _TableName *

This part of the query combines all tables in the database into a single result set. The withsource = _TableName clause adds a column named _TableName to the result, which contains the name of the table each record came from.

2.

| where TimeGenerated > ago(10d)

This filters the combined result set to include only records where the TimeGenerated field is within the last 10 days. The ago(10d) function returns the date and time 10 days ago from the current time.

3.

| summarize last_log = datetime_diff("day", now(), max(TimeGenerated))  by _TableName

Here, the query summarises the data by table name:

• max(TimeGenerated) finds the most recent TimeGenerated value for each table.
• datetime_diff("day", now(), max(TimeGenerated)) calculates the difference in days between the current date and the most recent TimeGenerated value.
• last_log is the name given to this calculated difference.

4.

| where last_log > 1

This filters the summarised results to include only those tables where the difference in days (last_log) is greater than 1. This means it filters out tables that have received records within the last day.

5.

| project ['Table Name'] = _TableName, ['Last Record Received'] = last_log

This part of the query renames the columns for better readability:

• _TableName is renamed to Table Name.
• last_log is renamed to Last Record Received.

6.

| order by ['Last Record Received']  desc

Finally, the query orders the results by the Last Record Received column in descending order, so tables with the most days since their last record are listed first.

Summary

This query identifies tables in the database that have not received any new records in the last day. It lists these tables along with the number of days since their last record, sorted in descending order.

Example Output

This output indicates that Table1 has not received any new records for 5 days, Table2 for 3 days, and Table3 for 2 days.

It's a simple tried and tested method which won't fail you.

Either run it manually or implement it into a recurring logic app to send the message to you by any means such as directly to Teams, Email (don't recommend) or Service Now as a ticket.

Years on and I still scratch my head wondering how to parse JSON data in Azure Logic Apps. Today I've spent some time working it out again and I'll document it here and I hope it helps you.

First off

JSON isn't easy to look at. Make it VISUAL. I'm using Visual Studio Code (it's free) and the extension "JSON Crack" (also free).

Before I visualised JSON in this, it was very difficult to figure out the levels of nested JSON. This will change your life. Trust me.

Challenges in Logic Apps

In some cases you can map a dynamic entity from one of your previous steps that is outputing the JSON. This isn't the case right now for me and as you will have probably come across before, logic apps will sometimes put an action inside a loop and then after adding some more dynamic mapping, it adds another loop then another loop.

The nesting continues....

This is hugely inefficient and isn't logical in most cases. See the screenshot below, there is no need for this to be in another loop as it's already in one.

The method I'm about to reveal below will avoid this.

Parse JSON Data Operation

I'm assumming right now, you've already got a JSON output from some previous action. Here I'm using the parse JSON data operation action in logic apps and have already specified the schema. Maybe I will explain this in another post.

Right now I will focus on the expression to retrieve the data we need.

Complex JSON Data Structures

It can get more complex than this, but for some this is complex enough and this is what I'm working on right this minute.

Let's use the example of accessing the object "fqdn" here which would contain a host name in the real world (redacted data).

We can easily see now it's visual, that the path to our data is body > hostStates > fqdn.

Expressions

Let's focus on the "set variable" action here in my logic.

This is where I want to parse FQDN into so I can use this data elsewhere.

If we view the config for the variable we can see where to specify it's value.

Here we want to add a "Function". You will also see this written as "fx". This is where we create the expression to pull direct object we are looking for in the JSON.

The Key Part - Retrieving the JSON Object

I will try and make this as simple as possible.

If you remember the path to our data is body > hostStates > fqdn

We need to call on the previous action here, the action that is outputting our JSON and in this case it's called "Parse Graph API Response" but you will notice in the code view that it adds underscores. To call it, you will need to add the undercores.

body('Parse_Graph_API_Response')

Reaching hostStates would be easy.

This would dump all the other objects/indexes though and in some cases would work, but here we want to grab one object.

body('Parse_Graph_API_Response')['body']['hostStates']

hostStates contains a number of "indexes".

These indexes have a value and start here from the top as [0] through to [8]. The index does not start at [1].

Simply, now we have stated "hostStates" in our expression, we now need to specify the index [0] (with no single quotes).

We still must specify the name of the object so this is then followed by ['fqdn'].

body('Parse_Graph_API_Response')['body']['hostStates'][0]['fqdn']

Hit update to save it. If you click anywhere else it won't save!

Checking Output

Assuming you know the next steps to get the data flowing and push the JSON into your action, let's now check it.

The variable is now set with the hostname I need and I'm not stuck in unneeded nested loops by trying to use dynamic mapping!

Basic Syntax

• Use the | (pipe) operator to separate multiple commands.
• Use the let keyword to create variables.
• Use the where keyword to filter results.
• Use the project keyword to select specific columns.
• Use the summarize keyword to group and aggregate data.

Filtering Data

• where keyword: where ColumnName == "Value"
• in keyword: where ColumnName in ("Value1", "Value2")
• contains keyword: where ColumnName contains "Value"
• startswith keyword: where ColumnName startswith "Value"
• endswith keyword: where ColumnName endswith "Value"
• has keyword: where ColumnName has "Value"

Selecting Columns

• Use the project keyword to select specific columns: | project Column1, Column2, ...
• Use the extend keyword to add calculated columns: | extend NewColumn = Column1 + Column2

Aggregating Data

• summarize keyword: | summarize Aggregation(Column1), Aggregation(Column2) by Column3
• count keyword: | summarize count() by Column
• max keyword: | summarize max(Column) by Column2
• min keyword: | summarize min(Column) by Column2
• avg keyword: | summarize avg(Column) by Column2

Joining Data

• join keyword: Table1 | join kind=inner Table2 on Column1, Column2
• join with project: Table1 | join kind=inner Table2 on Column1, Column2 | project Column1, Table2.Column2
• join with summarize: Table1 | join kind=inner Table2 on Column1, Column2 | summarize Aggregation(Column1), Aggregation(Table2.Column2) by Column3

Securing Azure Active Directory (Azure AD) is critical to protecting your organization's identity and access management system. Here are some best practices to follow:

1. Implement multi-factor authentication (MFA): MFA adds an additional layer of security by requiring users to provide two or more forms of authentication. This can include something they know (like a password) and something they have (like a mobile device). Enabling MFA for all users is one of the most effective ways to prevent unauthorized access to Azure AD. Going passwordless might even be the route you should be going down but it depends on the organization. https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwordless?culture=en-us&country=us
2. Use conditional access policies: Conditional access policies allow you to define conditions that must be met before a user is granted access to Azure AD. For example, you can require MFA for users accessing Azure AD from outside the organization's network or for users accessing sensitive data. https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/overview?culture=en-us&country=us
3. Limit administrative access: Limit the number of users who have administrative access to Azure AD, and ensure that administrative accounts have strong passwords and are protected by MFA.
4. Enable auditing and logging: Enable auditing and logging to monitor and track access to Azure AD. This can help detect and investigate potential security incidents. Identity Protection is top priority. https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection?culture=en-us&country=us
5. Regularly review and update security configurations: Regularly review and update security configurations, including authentication methods, conditional access policies, and administrative access. This can help ensure that Azure AD is configured in a way that aligns with your organization's security requirements.
6. Follow security best practices for applications and services that integrate with Azure AD: Ensure that applications and services that integrate with Azure AD follow security best practices. This can include requiring MFA for application access and implementing secure coding practices.

Overall, securing Azure AD requires a multi-layered approach that includes implementing MFA, using conditional access policies, limiting administrative access, enabling auditing and logging, regularly reviewing security configurations, and following security best practices for applications and services that integrate with Azure AD.

Read more about Azure AD here:

Azure Active Directory | Microsoft Azure

Explore Azure Active Directory, which provides an identity platform with enhanced security, access management, scalability, and reliability.

Microsoft was recognized by Gartner® as a Leader in the November 2021 Magic Quadrant™ for Access Management.

Based on current trends and patterns, there are several potential cloud security threats that organizations should be aware of and prepare for. Here are a few examples:

1. Cloud Misconfigurations: Cloud misconfigurations continue to be a significant security risk for organizations. Cloud environments are complex and constantly changing, and it can be easy for mistakes to be made during setup or configuration. Misconfigurations can expose sensitive data, allow unauthorized access to cloud resources, or create opportunities for cybercriminals to launch attacks.
2. Insider Threats: Insiders, whether malicious or accidental, can pose a significant risk to cloud security. Insiders can use their privileged access to sensitive data or systems to steal information or cause damage, or they may inadvertently expose sensitive data due to mistakes or misunderstandings.
3. Ransomware: Ransomware continues to be a major threat to cloud environments. Attackers can use ransomware to encrypt or lock users out of their data, and then demand payment in exchange for restoring access. As more organizations move their data and applications to the cloud, it's likely that attackers will increasingly target cloud environments with ransomware attacks.
4. Supply Chain Attacks: Cloud environments are often built on a complex network of third-party services and components, and these dependencies can create vulnerabilities that attackers can exploit. Supply chain attacks can allow attackers to inject malicious code into legitimate software components or services, which can then be used to compromise cloud environments.
5. Zero-Day Vulnerabilities: Zero-day vulnerabilities are previously unknown security flaws that can be exploited by attackers before a patch or fix is available. As cloud environments continue to evolve, it's likely that new zero-day vulnerabilities will be discovered, which could be used by attackers to compromise cloud security.

To mitigate these and other cloud security risks, organizations should ensure that they have comprehensive security policies and procedures in place, implement strong access controls and monitoring, stay up-to-date on security best practices and emerging threats, and work closely with cloud service providers and third-party vendors to maintain a strong security posture.

Microsoft Sentinel is a cloud-native security information and event management (SIEM) system. It is designed to help organizations collect, analyze, and investigate security data from various sources in real-time.

Using Sentinel, security teams can centralize and aggregate data from various sources such as cloud services, endpoints, servers, applications, and network devices. Sentinel can then apply artificial intelligence (AI) and machine learning (ML) to analyze this data and detect potential security threats.

Sentinel provides a range of features for security operations centers (SOCs) and security professionals, including:

1. Threat detection: Sentinel uses AI and ML to analyze security data and detect potential threats in real-time.
2. Incident response: Sentinel provides built-in playbooks to help security teams automate incident response and streamline investigations.
3. Integration with other security tools: Sentinel integrates with other Microsoft security tools, as well as third-party tools, to provide a unified view of an organization's security posture.
4. Compliance: Sentinel helps organizations meet regulatory and compliance requirements by providing built-in reports and dashboards.

Overall, Microsoft Sentinel provides organizations with a comprehensive security solution that can help them proactively identify and respond to security threats, ultimately improving their security posture.

Branding

Microsoft Azure Sentinel was actually initially launched with that name in February 2019 as a cloud-native SIEM and security analytics service that was built on Azure. It was designed to help security teams collect, analyze, and investigate security data from various sources.

In April 2020, Microsoft announced that Azure Sentinel was becoming part of the broader Microsoft Defender brand, and that it would be known as "Microsoft Defender for Cloud" going forward. This was part of a broader rebranding effort to unify Microsoft's security products under a single brand. However, Microsoft later reversed this decision and decided to keep the Azure Sentinel name.

So, to summarize, the name "Azure Sentinel" has been in use since February 2019 and it remains the current name of the product as of my knowledge cutoff in September 2021.

Sentinel vs Splunk

It's difficult to say definitively whether Microsoft Sentinel is better than Splunk, as both products have their own strengths and weaknesses and are designed to meet different needs.

Splunk is a well-established SIEM tool with a wide range of capabilities and integrations. It is known for its powerful search and analytics capabilities, which allow it to collect and analyze large volumes of data from diverse sources. Splunk is also highly customizable, which makes it a good fit for organizations with specific requirements.

Microsoft Sentinel, on the other hand, is a cloud-native SIEM that is built on top of the Azure cloud platform. It is designed to integrate seamlessly with other Microsoft security products, such as Microsoft Defender, and uses artificial intelligence and machine learning to detect and respond to security threats in real-time. Additionally, Sentinel provides pre-built connectors for many common data sources and offers a simple pricing model that is based on data usage.

Ultimately, the best choice between these two products will depend on your organization's specific needs and preferences. If you're already invested in the Microsoft ecosystem and are looking for a cloud-native SIEM with good out-of-the-box integrations, Microsoft Sentinel may be a good fit. If you need a highly customizable SIEM with powerful analytics capabilities, Splunk may be a better choice. It's important to evaluate your organization's needs and carefully compare the features and costs of both products before making a decision.

China and Russia are generally considered to be two of the most significant cyber threats to the UK, along with other nation-state actors and non-state actors such as criminal groups and hacktivists.

Both China and Russia have been linked to a range of cyberattacks against the UK in recent years, including espionage, intellectual property theft, and attempts to disrupt critical infrastructure. These attacks are often highly sophisticated and well-coordinated, and they can pose a significant threat to UK national security and economic interests.

For example, in 2020, the UK's National Cyber Security Centre (NCSC) warned that a Russian hacking group known as APT29, or "Cozy Bear," was targeting organizations involved in COVID-19 vaccine research. The NCSC also identified China as a major cyber threat, with Chinese state-sponsored hacking groups being linked to a range of cyber espionage and intellectual property theft activities.

In response to these threats, the UK has been taking steps to improve its cybersecurity posture and increase its resilience to cyberattacks. This includes strengthening partnerships with other countries, investing in cybersecurity research and development, and working with industry to improve cybersecurity standards and practices.

Overall, while it's impossible to completely eliminate the cyber threat posed by China, Russia, and other actors, the UK is taking steps to mitigate these threats and protect its national security interests in cyberspace.

How can we protect ourselves from Russian and Chinese cyber attacks?

Protecting against cyber attacks from China and Russia, or any other nation-state actor, requires a multi-faceted approach that involves a combination of technical, organizational, and procedural measures. Here are some best practices that can help protect against these types of cyber threats:

1. Keep software and systems up-to-date: One of the most effective ways to protect against cyber attacks is to keep all software and systems up-to-date with the latest security patches and updates. This can help prevent attackers from exploiting known vulnerabilities.
2. Use strong passwords and multi-factor authentication: Using strong passwords and multi-factor authentication can make it more difficult for attackers to gain unauthorized access to accounts and systems.
3. Implement access controls and monitoring: Access controls and monitoring can help limit access to sensitive data and systems, and alert security teams to potential intrusions or malicious activity.
4. Conduct regular security assessments and testing: Regular security assessments and testing can help identify vulnerabilities and weaknesses in systems and networks before attackers can exploit them.
5. Develop a cybersecurity incident response plan: Developing a cybersecurity incident response plan can help organizations respond quickly and effectively to cyber attacks and minimize the impact of a breach.
6. Train employees on cybersecurity best practices: Employees can be a weak point in an organization's cybersecurity defenses, so it's important to train them on best practices for email security, social engineering, and other common attack vectors.
7. Work with trusted vendors and partners: Working with trusted vendors and partners who have strong cybersecurity policies and practices can help minimize the risk of a cyber attack.

Overall, protecting against cyber attacks from China, Russia, or any other nation-state actor requires a proactive and vigilant approach to cybersecurity. It's important to regularly assess and improve security measures, stay up-to-date on emerging threats and best practices, and work with partners and experts to build a strong and resilient security posture.

What is the UK doing to protect our country from state-sponsored cyber attacks?

The UK has a comprehensive approach to protecting the country from cyber attacks, including those originating from Russia, China, and other nation-state actors. Here are some key initiatives and strategies:

1. National Cyber Security Centre (NCSC): The NCSC is the UK's leading authority on cyber security, and is responsible for providing guidance and support to government, critical national infrastructure, and the wider public and private sectors. The NCSC also operates the UK's national cyber incident response service, and provides advice and support on a range of cyber security issues.
2. Cyber First programme: The Cyber First programme is a series of initiatives aimed at developing the next generation of cyber security professionals. This includes a range of training and development programmes, as well as scholarships and bursaries to support students studying cyber security.
3. Cyber Essentials: Cyber Essentials is a government-backed scheme designed to help organizations protect themselves against common cyber attacks. It provides a set of basic security controls that organizations can implement to protect against the most common cyber threats.
4. Active Cyber Defence (ACD): The ACD programme is a range of measures designed to protect the UK's cyber space and make it more resilient to cyber attacks. This includes initiatives to block known malicious websites and email domains, and to identify and block spoofed emails.
5. International partnerships: The UK works closely with international partners to share information and intelligence on cyber threats, and to coordinate responses to cyber attacks. This includes partnerships with the Five Eyes intelligence alliance (which includes the UK, US, Canada, Australia, and New Zealand) and with the European Union.
6. Legislation: The UK has a range of legislation designed to combat cyber crime and protect critical national infrastructure. This includes the Computer Misuse Act, the Investigatory Powers Act, and the Network and Information Systems Regulations.

Overall, the UK takes a proactive and comprehensive approach to protecting itself from cyber attacks, including those originating from Russia, China, and other nation-state actors. This includes a range of initiatives to improve cyber security awareness, build cyber security capacity, and strengthen international partnerships to combat cyber threats.

Cloud FinOps, short for Cloud Financial Operations, is a set of practices that helps organizations optimize their cloud spending and align it with business objectives. Cloud FinOps combines financial management, cloud engineering, and modern software development practices to provide a framework for managing cloud costs.

Having worked in cloud for some years now, Cloud FinOps has become very prominent not only in my day-to-day but the whole industry.

Cloud FinOps involves several key activities, including:

1. Cost visibility: Gaining visibility into cloud costs is essential to effective cost management. Cloud FinOps teams use cost management tools to analyze and monitor cloud costs in real-time, allowing them to track spending and identify opportunities for optimization.
2. Cost allocation: Cloud FinOps teams allocate cloud costs to specific departments, teams, or projects to ensure that each group is accountable for its cloud spending.
3. Cost optimization: Cloud FinOps teams work to identify areas where costs can be optimized, such as through rightsizing underutilized resources, using reserved instances, or choosing the most cost-effective cloud service.
4. Cost control: Cloud FinOps teams set and enforce budgets and cost controls to prevent overspending and help keep cloud costs within budget.
5. Collaboration: Cloud FinOps requires cross-functional collaboration between finance, engineering, and business teams to ensure that cloud spending is aligned with business objectives and budgets.

The 6 principles of Cloud FinOps

The six principles of FinOps, as defined by the FinOps Foundation, are as follows:

1. Accountability: Every team should have visibility into the costs they are responsible for, and there should be clear ownership and accountability for those costs.
2. Efficiency: Teams should continuously optimize cloud usage and costs by making data-driven decisions, automating where possible, and using the most cost-effective resources.
3. Transparency: Cloud costs should be transparent and accessible to all stakeholders, with a clear understanding of how costs are allocated and managed.
4. Optimization: Teams should regularly analyze and optimize cloud usage and costs, seeking to eliminate waste, reduce costs, and improve efficiency.
5. Culture: A culture of cost management and optimization should be fostered across the organization, with a focus on continuous improvement and collaboration.
6. Governance: Policies and processes should be established to ensure compliance with regulations, industry standards, and organizational policies.

By following these principles, organizations can establish a framework for managing cloud costs, promoting cross-functional collaboration and accountability, and achieving better financial control over cloud usage.

For more information check out the FinOps Foundation website:

FinOps Foundation - What is FinOps?

Find out what FinOps is and more about the operating model for the cloud. Understand the three phases of FinOps, Inform, Optimize and Operate, key principles, capabilities, and best practices from our global community.

FinOps Foundation Logo

One of my book recommendations

Absolutely recommend this book:

"Cloud FinOps: Collaborative, Real-Time Cloud Financial Management" by J.R. Storment and Mike Fuller is a comprehensive guide to cloud financial management, aimed at helping organizations optimize their cloud spending.

The book covers various aspects of Cloud FinOps, including cost visibility, cost allocation, cost optimization, cost control, and collaboration. It provides insights into how to use cloud cost management tools and analytics to monitor, analyze, and optimize cloud costs in real-time. The book also offers guidance on how to align cloud spending with business objectives, budget effectively, and create a culture of accountability for cloud spending.

The authors stress the importance of cross-functional collaboration between finance, engineering, and business teams in implementing Cloud FinOps practices. The book provides practical advice on how to build and operate Cloud FinOps teams, set budgets, allocate costs, and enforce cost controls. It also provides examples of how different organizations have implemented Cloud FinOps practices and achieved success in managing their cloud costs.

Overall, the "Cloud FinOps" book offers a comprehensive guide to implementing Cloud FinOps practices, providing practical advice on how to optimize cloud spending and achieve better financial control over cloud usage.

Overall, Cloud FinOps aims to help organizations achieve better financial control over their cloud usage and optimize cloud costs. By implementing Cloud FinOps practices, organizations can improve cost management, better align cloud spending with business objectives, and achieve greater return on investment (ROI) from their cloud investments.

"Cloud FinOps: Collaborative, Real-Time Cloud Financial Management" by J.R. Storment and Mike Fuller is a comprehensive guide to cloud financial management, aimed at helping organizations optimize their cloud spending.

The book covers various aspects of Cloud FinOps, including cost visibility, cost allocation, cost optimization, cost control, and collaboration. It provides insights into how to use cloud cost management tools and analytics to monitor, analyze, and optimize cloud costs in real-time. The book also offers guidance on how to align cloud spending with business objectives, budget effectively, and create a culture of accountability for cloud spending.

The authors stress the importance of cross-functional collaboration between finance, engineering, and business teams in implementing Cloud FinOps practices. The book provides practical advice on how to build and operate Cloud FinOps teams, set budgets, allocate costs, and enforce cost controls. It also provides examples of how different organizations have implemented Cloud FinOps practices and achieved success in managing their cloud costs.

Overall, the "Cloud FinOps" book offers a comprehensive guide to implementing Cloud FinOps practices, providing practical advice on how to optimize cloud spending and achieve better financial control over cloud usage.

Cloud FinOps

O’Reilly Online Learningby

A new setting (not sure how new..) has appeared under Users > User Settings that allows users to create Azure AD tenants. This seems to default to "Yes" which seems crazy, especially in a corporate environment.

This is course gives users Global Admin to that tenant allowing them to do anything they want.

Flick the switch to "No" to prevent users creating tenants.

I can see particular security challenges around DLP (data loss prevention) and if users create new tenants, then all that hard work putting security controls in place in the main tenant go out the window. Your SOC team will be blind.

Hope you enjoyed this quick Azure security tip. Please look out for more!

Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS) are the three major cloud service providers. Here are some differences between them:

1. Market share: AWS is the largest cloud service provider with the highest market share, followed by Azure and then GCP.
2. Pricing and services: Each provider has a different pricing model and a unique set of services, which can make it challenging to compare. However, AWS and GCP offer more services than Azure, while Azure has a broader range of enterprise software integrations and better support for hybrid cloud deployments.
3. Support for open source technologies: GCP has a reputation for being more supportive of open source technologies, while Azure and AWS also offer support for open source tools and services.
4. Security and compliance: All three providers offer high levels of security and compliance certifications, but Azure and AWS are considered to have stronger security capabilities than GCP.
5. Machine learning and artificial intelligence: All three providers offer machine learning and artificial intelligence services, but GCP is known for its expertise in this area and is often considered the best choice for machine learning and data analysis workloads.
6. Customer service: AWS and Azure are considered to have better customer service than GCP, with both providers offering 24/7 support and a range of support options, including online chat and phone support.

Overall, each provider has its strengths and weaknesses, and the best choice depends on your organization's specific needs and requirements. It's important to carefully evaluate the features, pricing, and services offered by each provider to determine which one is the best fit for your business.

Who's more secure?

All the major cloud service providers - Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) - have strong security measures in place and are designed to be highly secure. Each provider offers security features such as identity and access management, encryption, network security, and compliance certifications to protect their customers' data.

The security of your cloud environment also depends on how well you configure and manage it. The provider's security measures are only one part of the overall security picture. You must also follow security best practices, including proper user access management, secure application design, and network security measures.

Ultimately, the most secure cloud provider for your organization depends on your specific needs and requirements. You should evaluate the security features, compliance certifications, and support offered by each provider and choose the one that best meets your organization's security requirements. It's also important to ensure that you have skilled personnel who can properly configure and manage your cloud environment to maintain its security.

Which provider has the best security tooling?

Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) have strong native security tooling to help protect their customers' data and applications.

AWS provides a wide range of native security tooling, including AWS Identity and Access Management (IAM) for user access management, AWS Config for compliance and governance, and Amazon GuardDuty for threat detection. AWS also offers a range of other security services, such as AWS CloudTrail, AWS CloudHSM, and AWS WAF, to help customers secure their cloud environments.

Azure has a broad range of native security tooling, including Azure Active Directory (AAD) for identity and access management, Microsoft Defender for Cloud (MDC) for threat protection and compliance management, and Microsoft Sentinel for security information and event management. Azure also provides other security services, such as Azure Key Vault for storing and managing cryptographic keys and secrets, and Azure DDoS Protection for preventing distributed denial of service (DDoS) attacks.

GCP provides several native security tooling options, including GCP Identity and Access Management (IAM) for access management, Cloud Security Command Center for threat detection and security management, and Cloud Data Loss Prevention (DLP) for sensitive data protection. GCP also provides additional security services, such as GCP Key Management Service for secure key storage and management and GCP Firewall Rules for network security.

Each provider has a unique set of native security tooling, so the best option for your organization will depend on your specific needs and requirements. However, all three providers offer robust native security tooling to help protect their customers' data and applications.

I've been having a think about what are the most valuable documents a Microsoft cloud security person should always have in their back pocket... Even if you're looking to get into this field. Read ahead and take note:

The Microsoft Cloud Adoption Framework for Azure

Best practices is key. I've already experienced fixing security architecture that didn't follow best practice. It's a lot of work and time to rectify... Get it RIGHT the first time so you don't set yourself up for more (not-fun) work in the future. You might also cause someone else a headache. Let's not do that. This document is I'd say, a fundamental.

Microsoft Cloud Adoption Framework for Azure - Cloud Adoption Framework

Proven guidance and best practices that help you confidently adopt the cloud and achieve business outcomes.

Microsoft DocsJanetCThomas

Azure Architecture Center

Best practices and patterns for building applications on Microsoft Azure. Covering design for cloud, optimising your workloads, choosing the right technologies, devops and much more. Get it right the first time!

Azure Architecture Center - Azure Architecture Center

The Azure Architecture Center provides guidance for designing and building solutions on Azure using established patterns and practices.

Microsoft Docsbennage

Microsoft Azure Well-Architected Framework

This lives within Azure Architecture Center and forms an absolute solid base to work upon. The Azure Well-Architected Framework is a set of guiding tenets that can be used to improve the quality of a workload. Take note of the 5 important pillars that make up this framework.

Microsoft Azure Well-Architected Framework - Azure Architecture Center

Learn about the five pillars of the Azure Well-Architected Framework and how they can produce a high quality, stable, and efficient cloud architecture.

Microsoft Docsdavid-stanford

Microsoft Sentinel Documentation

Use cases to get started using this SIEM. Covering all that Sentinel does such as KQL (Kusto), threat intelligence and detection, threat hunting, investgation and response.

Microsoft Sentinel documentation

This article presents use cases and scenarios to get started using Microsoft Sentinel. See and stop threats before they cause harm, with SIEM reinvented for a modern world. Microsoft Sentinel is your birds-eye view across the enterprise.# Required; article description that is displayed in search res…

Microsoft Docsyelevin

Microsoft Sentinel Documentation - Decision Tree

Part of the documentation above is the Decision Tree; if you're designing your Sentinel workspace and CSOC architecture (which I hope you are and not just winging it...) then this will help you. Even for established environments I've found this handy when it comes to the possibility of multiple workspaces in other regions.

Design your Microsoft Sentinel workspace architecture

Use a decision tree to understand how you might want to design your Microsoft Sentinel workspace architecture.

Microsoft Docsbatamig

Kusto Query Language (KQL) Overview

This will bolster your skill set in cloud security. You don't have to know every single query, but Azure runs on Kusto. You'll need to know a little and once you know that you can figure things out. It's very friendly! The operators, statements and functions are worth looking at.

Kusto Query Language (KQL) overview- Azure Data Explorer

This article is a general overview of the Kusto Query Language in Azure Data Explorer.

Microsoft Docsshsagir

Zero Trust Implementation Guidance

As it says on the tin - hugely useful documents for creating a secure environment following Zero Trust principles.

Zero Trust Guidance Center

Learn what the Zero Trust security model is and how to implement deployment steps to apply the security architecture in your organization.

Microsoft Docsmjcaparas

Fundamentals Documentation - Zero Trust Security

This is important and not everyone understands Zero Trust. If you can explain it, you'll look pretty good and do some decent work.

Zero Trust security in Azure

Learn about the guiding principles of Zero Trust and find resources to help you implement Zero Trust.

Microsoft DocsTerryLanfear

Microsoft 365 Security - Deploying Zero Trust for Microsoft 365

Quite new to me, but after doing some digging I've found this section important. It includes an illustration representing the work of deploying Zero Trust capabilities. I think that's content for another few posts....

Microsoft 365 Zero Trust deployment plan

Learn how to deploy Microsoft 365 Zero Trust security into your environment to defend against threats and protect sensitive data.

Microsoft DocsBrendaCarter

These documents are what I think is important for new and seasoned cloud security folk who work with Microsoft slash Azure. I'm sure when I delve to the darkside (AWS) I'll do a similar post.

I've just (finally) joined the Microsoft Cloud Security Private Community and I recommend you do to, if you work primarily in Azure and the Microsoft cloud ecosystem. You're unlikely to get in if you're not a corporate customer with a signed NDA though.

What you'll get: Future vision, roadmaps and features

The form will take between 5-10 minutes and private features will be available on the subscriptions that you state, as many as you like, comma-delimited. Near the end of the form it'll ask you for which subscriptions you'd like the Preview features to be enabled on. If you have sandbox/dev subscriptions I'd recommend using these to begin with.

Oh, and you'll be added to a handy community Teams channel!

Hope you enjoy!

MAY 24th 2022  Microsoft Defender for IoT | Section 52 - Investigating Malicious Ladder Logic

In this session, our researcher, Maayan, will share some interesting techniques for investigating potentially malicious Ladder Logic code. Maayan will briefly overview the basics of Ladder Logic programming and demonstrate it on our lab equipment.

MAY 26th 2022   Microsoft Defender for Cloud | Azure Security Benchmark V3 Workbook

The Azure Security Benchmark workbook is designed to enable Cloud Architects, Security Engineers, and Governance Risk Compliance Professionals to gain situational awareness for cloud security posture and hardening.

MAY 31st 2022   Microsoft Sentinel | Transforming Data at Ingestion Time in Microsoft Sentinel

The new version of the custom logs API in Log Analytics together with the new pipeline transformation feature open up many new scenarios for Microsoft Sentinel customers, like filtering, masking or tagging. Join this session as we explore these scenarios and show practical examples on how to implement them.

JUN 2nd 2022   Diversity in Cybersecurity | Building Community for Underrepresented Minorities in Cybersecurity

In this session, Roger will share his story on building community, mentorship, and job opportunities for underrepresented minorities in cybersecurity.

JUN 14th 2022   Diversity in Cybersecurity | Connecting Women in Technology

Join this webinar to learn about connecting women in the technology sector through attracting, retaining and promoting programs.

JUN 16th 2022   Microsoft Defender for Cloud | The Latest Microsoft Defender for Cloud News from RSA

Join us for this webinar to learn more about the latest announcements directly from the Microsoft Defender for Cloud product team, with in-depth feature overviews and demos.

JUN 21st 2022  Microsoft Defender for Cloud | Protect Your Azure Service Layer with Microsoft Defender for ARM & Defender for DNS

Microsoft Defender for Cloud can give you breadth security protection across your Azure resources, in just a few clicks! Find out how through Defender for ARM (Azure Resource Manager) and Defender for DNS!

JUN 23rd 2022   Microsoft Sentinel | Leverage New and Existing Features to Optimize Costs in Microsoft Sentinel

Join us for this webinar for a recap on pre-existing cost management strategies as well as additional ones supported by a set of recently released product features.

JUN 28th 2022  Microsoft Sentinel | Codeless Connector Platform: Create Your Data Connector in Microsoft Sentinel

In this webinar, we will discuss how you can use the Codeless Connector Platform to create custom connectors, connect them and ingest data to Microsoft Sentinel.

JUN 30th 2022   Microsoft Defender for Cloud | Protect Your Databases Anywhere with Microsoft Defender for Cloud

Microsoft Defender for Cloud can protect your databases anywhere, including your SQL servers, SQL VMs, Open-source databases, and just recently announced CosmosDB! Find out why protecting the data in your databases is so crucial, and see a demo for how to secure your databases!

JUL 12th 2022  Microsoft Sentinel | Zero Trust (TIC 3.0) Solution

The Microsoft Sentinel Zero Trust (TIC 3.0) Solution provides a mechanism for viewing log queries aligned to Zero Trust and Trusted Internet Connections models across the Microsoft and partner ecosystem. This solution enables governance and compliance teams to design, build, monitor, and respond to Zero Trust (TIC 3.0) requirements across 25+ Microsoft and 3rd party products.

JUL 14th 2022  Microsoft Sentinel | Cyber Threat Intelligence Demystified in Microsoft Sentinel

In this webinar, we will provide an overview of Microsoft Sentinel threat intelligence capabilities and demonstrate how Microsoft Sentinel allows you to bring in this threat intelligence into its ecosystem and use it to find actionable threats, investigation, and hunting.

JUL 19th 2022  Microsoft Defender for Cloud | What’s New in the Last 3 Months

(Microsoft Defender for Cloud) is in active development and receives improvements on an ongoing basis. In this session we will summarize and demo what we've released for Microsoft Defender for Cloud in the last 3 months that you need to know about!

JUL 20th 2022  Microsoft Defender for IoT | Securing Critical Networks Through Defender for IoT and Horizon DPI

Deep packet inspection in the Defender for IoT platform can be easily extended by developing plug-ins that use the Horizon ODE for deep packet inspection. A patent has been granted to Microsoft for innovative, ICS-aware threat analytics and machine learning algorithms relating to OT/IoT/ICS security.

JUL 21st 2022   Microsoft Sentinel | Microsoft Sentinel Fusion: New Detection Capabilities & Features Explained

In this webinar, we will cover: New Fusion detection capabilities including Insider Threat and Data Exfiltration. After this session, you will have a deeper appreciation of how prevalent Insider Threat and Data Exfiltration attacks are and how Fusion can enable you to detect such attacks that would otherwise be difficult to catch. The new Fusion health metrics that helps you to validate whether Fusion is working as expected, from processing alerts and anomalies to creating incidents. The supervised scoring model we recently added to further improve Fusion’s detection accuracy.

JUL 26th 2022  Microsoft Defender for Cloud | Improving Your Security Posture with Policy Enforcement and Governance

Are you struggling to understand, how to ensure the security posture of your environment does not start deteriorating again or how to apply guardrails at the beginning of the deployment phase of every service in Azure? Come join us to learn how Defender for Cloud and Azure Policies work together to help you improve your security posture with policy enforcement & Governance.

JUL 28th 2022   Microsoft Sentinel | IT/OT Threat Monitoring Solution

There has been a long-standing split between ICS/SCADA (OT) and Corporate (IT) cybersecurity. This split was often driven by significant differences in technology/tooling. Microsoft Defender for IoT's integration with Microsoft Sentinel drives convergency by providing a single pane for coverage of both D4IOT (OT) and Microsoft Sentinel (IT) alerting. This solution includes Workbooks and Analytics rules providing a guide OT detection and Analysis.

AUG 4th 2022   Microsoft Defender for Cloud | How to Ensure Maximum Security Posture For Your Government Cloud Environment and How to Protect It U...

In this session, we will present Microsoft Defender for Cloud and how it allows Azure Government Cloud customers to properly secure their environments, either in the cloud or on-premises.

AUG 11th 2022   Microsoft Sentinel | Building on Microsoft Sentinel Platform

Microsoft Sentinel is a cloud-native SIEM, enabling enterprises to collect, correlate, and analyze data at cloud speed. Join us in this session to get the most recent updates on Microsoft Sentinel solutions, learn how to create new codeless connectors in Microsoft Sentinel and build your very own Microsoft Sentinel solution. Also learn how you can contribute to the new unified SIEM + XDR GitHub repository to add value to Microsoft Sentinel and Microsoft Defender.

AUG 16th 2022   Microsoft Sentinel | Cybersecurity Maturity Model Certification (CMMC) 2.0 Solution

This solution enables Compliance Teams, Architects, SecOps Analysts, and Consultants to gain situational awareness for cloud workload security posture. This solution is designed to augment staffing through automation, visibility, assessment, monitoring and remediation.

Courtesy or https://techcommunity.microsoft.com/t5/security-compliance-and-identity/join-our-security-community/ba-p/927888