Thursday, 16 November 2017

Microsoft Tech Summit Sydney (Day 1)

This week I was fortunate enough to make it to the Sydney Microsoft Tech summit, over Thursday 16th and Friday 17th of November.  There were some great speakers and plenty of excellent material, as well as some fun partner booths, not to mention the Vive, Hololens, and Xbox stands which were always in use.  I thought I'd share some notes and pictures from some of the sessions I attended (it might be a bit disjointed, it's all from a bunch of bullet points).


Implement a Secure and Well-Managed Azure Infrastructure

This session was a high-level introduction into the world of Azure security.  Scott Woodgate started off by saying that as soon as you put even 1 VM onto the public internet you should be thinking about security (it'll be hit 100k times in the first month), and that security is a joint responsibility between Microsoft and the customer.  Microsoft manages things like the physical assets, data-center operations, and cloud infrastructure; the customer should focus on their actual VMs, applications, and data.  Azure has security built into it, but there are plenty of 3rd party options; obviously Microsoft is pushing their option as the better solution.

He then ran through Security Center, which focuses on visibility ("what have I got?"), identification & mitigation ("what do I fix?") and detection & response.  Security Center gives you issues ranked in order of severity so you can see more clearly what you need to fix right now.  Microsoft has a giant list of known bad actors, their region, and known attack paths. The Investigation Path was an amazing feature of Security Center which shows you, if you've been attacked and breached, the way the hackers managed to access and traverse your network, so you can secure and fix every part.  If you upgrade to the paid Security Center you can also enable JIT management ports, which allow you to only open your management ports (eg. RDP, SSH) on-demand, and only with administrator approval.

The next topic was backup, and as you may know Azure backs everything up to 3 places in the same site - Microsoft expects hardware to fail and this is built in.  Even deleted backups are retained for 14 days in case you end up deleting something by accident.  As the first thing a hacker might do when they pwn your network is delete your backups, Scott demonstrated how Microsoft has this great method of preventing backups from being deleted from a pwned machine, because you need a PIN (and can also set up MFA) to run the delete backup command.  Backing up is easy, can be scheduled, and is 'hot' so can be restored quickly (using backup vaults) as opposed to some other services.

Scott was adamant that security is a CEO-level issue, even though it's often overlooked.  The challenge with any network is understanding what went wrong, especially when the knowledge about the initial architecture and setup may be gone (when the employee(s) who built it left the company).

Azure Log Analytics was the next topic: this covers everything from one VM, to entire systems, to a code line item (ie. application performance monitoring); it's all stored in the same place, and underpins everything in Azure.  It's highly scalable, low latency, has text search and relational queries, and you can query it in a T-SQL-like syntax (easy to learn) as well as build charts, and use machine learning across it.

The Service Map looked like an amazing feature, showing everything in one place: connections / services / ports; you can see incidents (plus related/affected services) in real time. It apparently uses a kernel-level driver to analyse packets. You can also view failed requests on app or VM, can dig into (for example, 500) error codes, and for each issue you can create a work item in VSTS. You can also drill down into which areas of your site your users frequent more often.

Keynote: Microsoft Azure: Cloud for All

Next up was the keynote, where speaker Julia White put a big emphasis on productivity, hybrid, intelligence, and security.  She mentioned that the cloud brought challenges, but that Microsoft was there to be both shield and partner; they believe in open source, and that the cloud must be available for all.  There's lots going on, and this can be overwhelming; Microsoft/Azure wants to help everyone with this challenge, plus help in staying secure, and help everyone be as productive as possible.

Productivity
There are lots of interconnected tools to help with this: Azure itself, Visual Studio (/Code), VSTS; everything from tooling to management to security (and dev ops).  Azure has 100+ services, including some of the newer ones like functions, logic apps, Kubernetes.  She compared developers to artists, and their IDE as their paintbrush, so Visual Studio (and Code) are top shelf offerings, with lots of integration to 3rd party apps and dev ops, they want to make life as easy as possible for us.
This section's business example was UPS: they use Xamarin to be cross-platform with a single codebase, and bot as service in Azure (plus app insights which can scale).
Julia re-iterated Microsoft's commitment to open source, last year being GitHub's biggest open source contributor.  She also demo'd a PowerShell browser module which you can use while navigating the Portal, which actually looks very handy.
The demo for productivity was the biggest M-series VM - an absolute beast - with 128 virtual cores, and allowing for nested virtualisation.
With Azure you can be productive by managing multiple computers, in cloud and on-prem; you can also use log analytics to create scripts across multiple machines (in this example, correlate CPU spikes).

Hybrid
Microsoft pushed that migrating to Azure is a lot more cost-effective than alternate cloud providers, but also that hybrid isn't about migrating to the cloud, it's about one consistent experience. Today, it's all about the intelligent cloud and intelligent edge, bringing machine learning etc. from the cloud to on-prem (or close enough). It was also highlighted that SQL migration back and forth from on-prem to the cloud is easy, and reusing existing licences from your on-prem environment can save you 50%, which is a good incentive.
With Azure Stack you can run the cloud experience (same look because it's the same code!) in your data centre, keeping emphasis on cloud-first in a disconnected environment (eg. an oil rig, cruise ship fleet management). It could also be used due to certain industry regulations, or for a modern front end to a mainframe. EY uses it in Russia for legal regulations. The existing tools make it easy to deploy to Azure or Azure Stack.
DocuSign was the business example: "trust is something you earn in a lifetime and lose in an instant" was a quote that resonated with me. They needed the ability to lift and move to the cloud with no / minimal change, and the ability to scale, and Azure provided this.

Intelligence 
AI should be available for - and usable by - everyone, development and organisation alike.  We need access to good data, and good APIs; the business needs to collect the data and Azure provides the APIs.
ASOS was the example business in this case, who is a digital-only company, and always-on. They have 85k products, 4k added per week. They use microservices and machine learning, for example to show relevant products to create a better experience. They use CosmosDB for low latency and better elasticity.
The (fantastic) demo for intelligence was an insurance bot: it showcased language detection, suggestions to the customer, voice & camera recognition used for verification, looking up your account history to know about family and make suggestions, car recognition (to show that it identified the car picture you uploaded was not the model you stated it was), sentiment analysis (knows you aren't happy, connects you to a live person to continue the sale). On the backend you can see everything in Dynamics 365, including the user flow and recommended actions for a live customer to take to make the sale (in this case offer a discount).

Trust
Microsoft highlights that Azure has more certifications than any other cloud vendor, and is also working with many governments (including here in Australia). It has datacenters in 42 regions, which can be good for controlling where your data is being handled, and to keep things close to where your employees are located. Australia now has 4 regions (2 new ones coming online in Canberra)!
They do provide data centre tours, and a quick video showed that the locations are carbon neutral and have tonnes of security.
Julia pointed out that these days you're not just defending against hackers but nation-state attacks. All Azure's cloud services are built for security, and they invested $1billion in the last year into security, and that's just going up.  Security Center gives you recommendations, because it's hard to keep up with the latest attacks, and Microsoft is there to be first responder.  Security Center shows you how secure you are, and how to respond when you're attacked; it has the investigation graph (covered above) and provides playbooks for recommended actions.
Azure has great cost management for visibility and accountability. You can split on resource group and tag. You can also get "reserved" VM instances where you pre-purchase 1 or 3 years of compute to save overall.
The final business example was Cabcharge: this is obviously a very disruptive area. They evaluated 16 vendors and ended up with Azure. They wanted PaaS, to keep their .NET skill set, and have something future-proof. They brought all development in-house with (now) 7 agile teams who work to an MVP and improve each sprint; they are language-agnostic and only requirement is TDD with code-coverage. Their struggle is to digitise non-digital tasks like hailing a cab, and not needing a bank account to purchase a ride using the app. The main point they said to take away was to think about what makes you different and focus on your strength.
Julia's final point about trust was that 90% of Fortune 500 companies are on Azure!

Migrating Infrastructure to Azure - VMs, Network + AD

This session was presented by John Pritchard, and John started by showing the IaaS to SaaS chart that hopefully you've seen before, stating that generally an organisation first migrates to IaaS because it's easier, but it's not necessary.  He re-iterated what I'd heard in a previous session: that Australia Central 1+2 (in Canberra) will be coming first half of next year; this is connected to the ICON high speed government network, and offers secure services at SCEC zone 4 protection ('protected' to 'secret' level). This will only be for Azure, not Office or Dynamics yet. Though it's located in Canberra, it's not a government data centre, but will be used (mainly to start with) by federal and state government, partners and suppliers.

Identity, management and security, platform, and development each have a corresponding cloud-based alternative, and Microsoft is trying to facilitate the transition by utilising your existing knowledge base.  Azure has everything: compute, storage, networking; now security and management / monitoring.  Virtual machines are similar to what you're used to on-prem, networking is the same, but scale sets allow you to grow easily.  There are a tonne of different VM types: from general purpose, to burst, to nested virtualisation etc.  There are 4 levels of availability: single (99.9% SLA), availability set (99.95%), availability zone (new, 99.99%) and region pairs.  The different storage options were then outlined, and file sync (a new service) was mentioned - this makes keeping files in sync with the cloud even easier.  The different connectivity options were then outlined (I won't go into detail here).

The first demo showcased how easy it was to spin up a VM: create network & subnet to put it in, create VM (reuse license for discount on Windows server; you can auto shut down with notification), then add various storage disks.  Storage is locally redundant 3x behind the scenes, but can be made up to geo-redundant; premium disks are SSD for high IOPS; standard are HDD for general-purpose; managed are how Azure makes life easier, and can be premium or standard. 
The second demo was VNet-to-VNet communication both via VPN gateway and peering. Peering is much quicker to set up and lower latency, and will soon be cross region. Azure can show you a VNet diagram, and you can use the network watcher for topology, flow control, packet capture (formerly netmon), and a connectivity check.

Finally John quickly went over site recovery, which is usually to paired region. It can be run on a live production environment without interruption, and doesn't have anything running in secondary region until failover (saving you money). You can manually failover and test failover. Behind the scenes Azure sets up a recovery plan.

Simplify hybrid cloud protection with Azure Security Center

This was the second session from Scott Woodgate, and a deeper dive into the security aspects of Azure and walkthrough of Security Center. He reiterated that Security Center is a SaaS offering for VM, on premises (using an agent), and PaaS.

The first time you set up Security Center, you will see a welcome screen where the first step is to turn on data collection. Within SC, Azure uses machine learning based on logs sent from agents, and you can use an existing workspace or create a new one. You select how much data you want to collect; the default is minimal. Don't forget to turn it on for all subscriptions! Policies determine what info is relevant (eg. dev is less important, doesn't matter if some errors slip through), but policies extend beyond Security Center. For example, in the prod subscription disks must be encrypted. You can also save a policy and apply it to multiple subscriptions. Microsoft is investing lots of time and money into governance.  You can set up Security Center to give you emails and alerts, and there's 2 tiers: free (the basics) or standard (including threat protection and lots of other advanced options).

Within the compute section you see prioritised recommendations, and can select to fix one, some, or all (including on-prem VMs which are represented with a purple icon). SC tracks OS vulnerabilities, system updates, and loads more and provides heaps of info and suggestions with more Linux info coming in the next few months.  You can use Qualys (& other 3rd party) integration to check and ensure that certain software is installed on your VMs.

Regarding networking, Scott emphasised the necessity to have NSGs on all subnets.  Security Center shows you which VMs are public facing, and again provides lots of actionable info.  For storage it's the same deal, and covers things like SQL and storage encryption.  SC also covers applications, and Microsoft recommends putting a WAF in front of your apps whenever possible.

In adaptive threat protection you can enable just-in-time access, to require approval for, and time-cap, your SSH or RDP access, and/or whitelist IPs. This is important as there are roughly 100k attacks in the first month that you enable a public facing VM in the cloud.  The activity log also shows access attempts so you have an audit log of who requested access and (tried to) access your machines. One of the more advanced tools is app whitelisting (formerly AppLocker), which is apparently under-utilised because it used to be difficult. Now Azure learns what apps you usually have running in 'audit' mode, then you can turn on 'enforce' mode to ensure no other apps are installed or processes are run. Azure will also recognise similar machines (eg. VMs in a scale set) and recommend you use the same settings for them.

Microsoft has a list of known bad actors updated in real time (SC is a cloud service so it's always up to date), and the demo walked through a few examples of attacks and how Azure links these to known botnets and hacker networks in the Threat Intelligence Map, along with providing a full PDF report on some of the botnets and how to deal with them. SC has built-in anomaly detection, and WannaCry was detected in somewhere around 1hr so that it could be acted upon by Azure customers. SC Fusion merges incidents into one attack profile, and lets you view the 'kill chain' so you can fix every aspect the hackers messed with. We then got to see an example of a real attack and analyse how the attacker got in (RDP brute force) and see the chain of destruction they left (further ingress into the network, querying user data from AD).
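The RDP brute-force pattern the demo walked through (a burst of failed logons from one source, then a success) is a simple one to detect from the audit trail. The following is an added example written for these notes, not code from the session or from Security Center: it runs a sliding-window detector over a handful of constructed log lines in a simplified Windows Security event shape (4625 = failed logon, 4624 = successful logon, logon type 10 = RDP). The line format, thresholds, IPs and usernames are all assumptions made for the example.

```python
"""Added example: detect an RDP brute-force burst followed by a successful
logon, over constructed audit lines (not real captured events)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simplified Windows Security log shape:
#   <timestamp> <EventID> LogonType=<n> User=<name> Src=<ip>
# EventID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
SAMPLE_LOG = """\
2017-11-16T02:00:01Z 4625 LogonType=10 User=administrator Src=203.0.113.7
2017-11-16T02:00:03Z 4625 LogonType=10 User=admin Src=203.0.113.7
2017-11-16T02:00:05Z 4625 LogonType=10 User=administrator Src=203.0.113.7
2017-11-16T02:00:08Z 4625 LogonType=10 User=backup Src=203.0.113.7
2017-11-16T02:00:11Z 4625 LogonType=10 User=administrator Src=203.0.113.7
2017-11-16T02:00:14Z 4624 LogonType=10 User=administrator Src=203.0.113.7
2017-11-16T02:30:00Z 4625 LogonType=10 User=jsmith Src=198.51.100.20
2017-11-16T02:31:00Z 4624 LogonType=10 User=jsmith Src=198.51.100.20
"""

FAILED_LOGON, SUCCESSFUL_LOGON = "4625", "4624"
RDP_LOGON_TYPE = "10"


def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, event_id, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event": event_id,
        "logon_type": kv.get("LogonType"),
        "user": kv.get("User"),
        "src": kv.get("Src"),
    }


def detect_rdp_brute_force(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return one finding per source IP that produced at least `threshold`
    failed RDP logons inside `window`. If a successful logon from that source
    follows the burst, the finding records which account succeeded, which is
    the case worth escalating (likely compromise rather than background noise)."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events = [e for e in events if e["logon_type"] == RDP_LOGON_TYPE]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        fails = [e for e in evs if e["event"] == FAILED_LOGON]
        # Sliding window over failure timestamps: trigger at the first point
        # where `threshold` failures fall within `window`.
        trigger_time = None
        for i in range(len(fails)):
            j = i + threshold - 1
            if j < len(fails) and fails[j]["time"] - fails[i]["time"] <= window:
                trigger_time = fails[j]["time"]
                break
        if trigger_time is None:
            continue
        success_after = next(
            (e for e in evs
             if e["event"] == SUCCESSFUL_LOGON and e["time"] >= trigger_time),
            None)
        findings.append({
            "src": src,
            "failed_attempts": len(fails),
            "users_tried": sorted({e["user"] for e in fails}),
            "first_failure": fails[0]["time"],
            "success_after_bruteforce": success_after["user"] if success_after else None,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_rdp_brute_force(SAMPLE_LOG):
        print(finding)
```

On the constructed sample only 203.0.113.7 trips the detector (five failures in ten seconds across three usernames, then a successful `administrator` logon); the single failure from 198.51.100.20 is ordinary noise. The same pass over a real 4625/4624 feed is the kind of signal that the JIT access and IP whitelisting described above are meant to remove at the source.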

Regarding dealing with issues in SC, the suggested fixes (playbooks) are logic apps, so you can work off the ones provided or create your own.  You could, for example, update Service Now, or post to Slack when an attack happens.

Migrating your applications, data, and workloads to Microsoft Azure

Allistair Speirs started by outlining that managing migration has always been about managing people, processes, and tech.  Generally around 80% of a company's budget goes on maintenance.  As has been mentioned in many of the sessions, Azure has a tonne of VM options, and lots of 9s in their various SLAs.  Obviously the more you move to Azure the lower the operational costs; it's a scale.

For on-prem you can: leave it alone, or implement Azure Stack;  for cloud you can: lift-and-shift (IaaS), lift-and-modernise (containers/web apps), or just go straight to a SaaS option.
What's getting in the way? Costing, the fact that it's complicated, and any necessary downtime.  There are 3 main steps: discover (which things to move first, which later, which need upgrades / patches), migrate, and optimise/modernise, and Azure has a few migration tools to help with all 3.

For migration: Azure Migrate (free for all Azure customers, mentioned further below), Azure Database Migration Service (free for all customers), Azure Cost Management (free for Azure customers), Azure Hybrid Benefit (for Windows Server, SQL Server, save up to 40% BYOL), Azure Databox (large storage data migration).

There's now an Azure Migrate tool in preview which maps dependencies in your on-prem environment, recommends VM sizes, provides a compatibility report, cost analysis, and recommends migration services. There is no agent required!  Azure then lets you have a free POC for 30 days to ensure it will all work.  

Allistair gave a brief demo of migrating vSphere, and mentioned the process is basically the same for Hyper-V.  Migrating using Azure Site Recovery (ASR) is the easiest option for VMs. Migration is just failing over and not failing back, and as mentioned Azure provides the ability to run the failover environment for 30 days for free, so you can test and ensure it works.

Azure has integrated Cloudyn which you can use to monitor Azure / AWS / Google costs; it's free for Azure. This is great for isolating costs, but also splitting costs between departments (for example ExpressRoute which might be shared between all departments).

For lift-and-modernise, we're talking containers, CI/CD, microservices / serverless, all of which Azure caters for. You can get 10x savings this way, but obviously it's more effort, and better suited to projects still under development.

For storage, you've got your blob options: hot, cold (more for reads), archive (hrs to retrieve), as well as Azure file share SMB 10c/GB (and now file sync).  Azure data box also provides a 100TB bulk migration option which is encrypted, and provides chain of evidence that you've moved data.

For database you've got your PaaS or IaaS, SQL or no-SQL.  For assessing the migration you can use the MS data migration assistant (discovers and provides migration recommendations).  For migrating you've got the Database Migration service.  Migrating to an Azure SQL instance is the best option if it's possible, as it's totally managed, scalable, and more economical.

Information Protection with AIP

This one was nice and different for me, as I didn't have any background on AIP or its capabilities.  Lou Mercuri covered information protection both from an Office standpoint and in Azure.

In Word, you can "classify" a document as a classification level (set up in Azure below), using a dropdown in the ribbon.  Once this has been applied you can set a custom header, footer, or watermark depending on the classification level.  Classifying a document above your currently assigned level won't lock you out if you're the owner of the document.  Word will also pop up with a suggestion to classify the document based on key words as they are typed (without sending any info to the cloud). In Outlook once you attach a classified document it suggests that you also classify the email.

From an admin perspective, you manage it all in Azure, creating classification levels, custom user groups and assigning classification levels to them (or all users).  There is one super admin, and you can create one admin per classification level who can decrypt documents of that level.
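To make the label rules from the two paragraphs above concrete, here is a toy policy model added for these notes; it is not code from the session or from Azure Information Protection, and the level names, keywords, users and watermark strings are all constructed. It encodes the ordered classification levels, the local keyword-based suggestion (no cloud call), the owner exception for documents labelled above the owner's own level, and the per-level admin and super admin who can open (decrypt) anything at that level.

```python
"""Added example: toy model of an information-protection label policy
(constructed levels, keywords and users; not the product's own logic)."""

# Classification levels ordered from lowest to highest sensitivity.
LEVELS = ["Public", "Internal", "Confidential", "Highly Confidential"]

# Constructed keyword hints used for the local suggestion while typing.
KEYWORD_HINTS = {
    "Internal": ["internal only", "staff"],
    "Confidential": ["salary", "contract"],
    "Highly Confidential": ["merger", "credit card"],
}

# Constructed header/watermark text applied once a label is set.
WATERMARKS = {
    "Confidential": "CONFIDENTIAL",
    "Highly Confidential": "HIGHLY CONFIDENTIAL - DO NOT FORWARD",
}


def rank(level):
    """Numeric position of a level; higher means more sensitive."""
    return LEVELS.index(level)


def suggest_label(text):
    """Return the highest-ranked level whose keywords appear in `text`,
    or None when nothing matches. Runs entirely locally on the text."""
    lowered = text.lower()
    best = None
    for level, hints in KEYWORD_HINTS.items():
        if any(h in lowered for h in hints) and (best is None or rank(level) > rank(best)):
            best = level
    return best


def watermark(doc):
    """Watermark text for a document's label (empty for unlabelled levels)."""
    return WATERMARKS.get(doc["label"], "")


class LabelPolicy:
    """Who may open which document, given assigned levels and admins."""

    def __init__(self, user_levels, level_admins, super_admin):
        self.user_levels = user_levels      # user -> assigned level
        self.level_admins = level_admins    # level -> admin who can decrypt it
        self.super_admin = super_admin      # the single super admin

    def can_open(self, user, doc):
        # Super admin and the document owner always keep access, so labelling
        # your own document above your level does not lock you out.
        if user == self.super_admin or user == doc["owner"]:
            return True
        # The admin created for this level can decrypt documents at it.
        if self.level_admins.get(doc["label"]) == user:
            return True
        # Everyone else needs an assigned level at or above the label.
        user_level = self.user_levels.get(user, "Public")
        return rank(user_level) >= rank(doc["label"])


if __name__ == "__main__":
    policy = LabelPolicy(
        user_levels={"alice": "Internal", "bob": "Confidential"},
        level_admins={"Highly Confidential": "carol"},
        super_admin="root",
    )
    memo = {"owner": "alice", "label": suggest_label("Draft merger terms, staff only")}
    for user in ["alice", "bob", "carol", "root", "dave"]:
        print(user, policy.can_open(user, memo), repr(watermark(memo)))
```

Running the block shows the owner (alice, assigned only "Internal") still opening her "Highly Confidential" memo, bob denied despite a higher assigned level, and carol allowed solely because she is the admin for that level.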

Lou then ran through a few scenarios in SharePoint and Salesforce through Microsoft Cloud App Security, outlining how a person who hadn't been distrusted should be able to access their document.  Examples were given of how the user could be blocked from viewing or downloading a document depending on whether they were on a managed device, or working from home, or accessing a certain classification of document.  The user will also be notified that their "access to Salesforce is being monitored".  You can also notify an admin via email or text if a user has tried to access a blocked document, and you can monitor all user activity including these attempts.
