There are many things to think about when securing an environment, and this is an especially hot topic with the cloud. Many ask, how do we secure the cloud and make sure we think about data and network security?
Today, I’d like to share something I recommend to clients when it comes to access control for the resources you have within your Azure environment. There are a few components you should have a basic knowledge of before you jump in. It’s important to have an idea of what is available to you as you’re building out your strategy to make sure you’re putting things in the right place to avoid a future mess.
One great thing within the Microsoft Azure portal is RBAC (Role Back Access Control). With this you can do granular, custom security on your resources within Azure. There is also a great set of default rules to take advantage of. Using these, you can get a long way to keeping your environment secure if you apply them right and stick with the basics.
Something to be aware of is the hierarchal structure of access control within Azure: from subscription to resource group to resources. Let’s start with a piece called Azure Active Directory. Here you decide the users that are going to have access to your resources and within subscriptions. A subscription can tie to only one Azure Active Directory, but an Active Directory can be tied to multiple subscriptions.
One of the first ways to segment your Azure environment is to break them up by subscriptions, either by department or separate development and production subscriptions. You can secure via this segmenting through higher levels of subscriptions.
Within each subscription, you have resource groups, which is a container of resources within a subscription. Resources can only be in one resource group. So, within the 3 levels (subscription, resource group, resources) you can apply roles and get down to the granularity of which people get access to which Azure databases. Or you can set up a resource group and assign people to have access to set up anything within this group, but not access to anything else.
There’s also a log that maintains what roles were allowed access to areas and you can do reporting on this.
My advice is to understand this hierarchal structure and the availability of Role Based Access Control. If you have a good understanding of how you want to set this up and segment it, then you won’t end up with a bunch of stuff in one subscription that you’ll have to separate out later.
If you want help with setting this up, using RBAC or anything within Azure, or help with getting your Azure strategy together, we’d love to help. Click the link below and speak to any of our experts to help you with anything Azure.