What's new and changing in Azure
Eliot Mansfield, Practice Director - Cloud
DEFINE | ACCELERATE | ASSURE
CLOUD. SIMPLIFIED.

Cloud is changing how IT works
• Constant innovation and updates
    • Azure releases new services almost every month
    • Existing services are improved constantly
    • New regions coming online
• Need to learn new skills and adapt to change
    • Provide staff access to sandpit areas to develop skills
    • Pay attention to Microsoft newsletters for updates
• Last year’s best practice could be this year’s legacy design

Looking towards Azure
• It’s evolving very rapidly
• Significant activity in central and local government
• Support for specialist workloads such as SAP
• Constant wave of releases and enhancements
• Solutions such as “Azure Stack” eliminate governance issues for on-prem

• A cloud first strategy isn’t a cloud only strategy
• Use cloud to innovate rather than duplicate
• Does it reduce complexity, improve service or reduce cost?
• You can’t sweat an asset in the cloud

Code isn’t a dirty word
• Infrastructure as code (IaC)
    • Standardised reusable assets
    • Visual Studio to develop templates
    • Source Control (VS-TS or GitHub)
• Developers and Operational staff must work together
    • Devs no longer beholden to techies to build servers for them ☺
    • However, devs still don’t care much about the overall picture ☹
• Infrastructure people need to “learn up” into developer mindset
    • Visual Studio has replaced Virtual centre on my start menu!

Azure covers 69 compliance offerings

[Slide graphic groups the offerings under the labels: US Gov, Global, Regional, Industry]

✓ ISO 27001:2013  ✓ ISO 27017:2015  ✓ ISO 27018:2014
✓ ISO 22301:2012  ✓ ISO 9001:2015  ✓ ISO 20000-1:2011
✓ SOC 1 Type 2  ✓ SOC 2 Type 2  ✓ SOC 3
✓ CSA STAR Certification  ✓ CSA STAR Attestation  ✓ CSA STAR Self-Assessment  ✓ WCAG 2.0
✓ FedRAMP High  ✓ FedRAMP Moderate  ✓ EAR
✓ DoD DISA SRG Level 5  ✓ DoD DISA SRG Level 4  ✓ DoD DISA SRG Level 2  ✓ DFARS
✓ DoE 10 CFR Part 810  ✓ NIST SP 800-171  ✓ NIST CSF  ✓ Section 508 VPATs
✓ PCI DSS Level 1  ✓ GLBA  ✓ FFIEC  ✓ Shared Assessments  ✓ FISC (Japan)
✓ FCA (UK)  ✓ MAS + ABS (Singapore)  ✓ 23 NYCRR 500  ✓ HIPAA BAA  ✓ HITRUST
✓ 21 CFR Part 11 (GxP)  ✓ MARS-E  ✓ NHS IG Toolkit (UK)  ✓ NEN 7510:2011 (Netherlands)  ✓ FERPA
✓ CDSA  ✓ MPAA  ✓ FACT (UK)
✓ Argentina PDPA  ✓ Australia CCSL / IRAP  ✓ Canada Privacy Laws  ✓ China GB 18030:2005  ✓ China DJCP (MLPS) Level 3
✓ Germany C5  ✓ India MeitY  ✓ Japan CS Mark Gold  ✓ Japan My Number Act  ✓ Netherlands BIR 2012  ✓ New Zealand Gov CIO Fwk
✓ Singapore MTCS Level 3  ✓ Spain ENS  ✓ Spain DPA  ✓ UK Cyber Essentials Plus  ✓ UK G-Cloud  ✓ UK PASF
✓ FIPS 140-2  ✓ ITAR  ✓ CJIS  ✓ IRS 1075
✓ China TRUCS / CCCPPF  ✓ EN 301 549  ✓ EU ENISA IAF  ✓ EU Model Clauses  ✓ EU – US Privacy Shield  ✓ Germany IT-Grundschutz workbook

As a what?

[Diagram: four columns, (On-Premises), IaaS “Just add Apps”, PaaS “Just add Data” and SaaS “Just add users”. Each column lists the layers Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage and Networking, marked “You manage” or “Managed by vendor”. Further labels: “Most Flexible”, “Lowest Cost”.]

Reducing the cost of Azure
• Reserved instances
    • Commitment for 1 or 3 years
    • Can amend if your needs change
• Hybrid use benefit
    • Use your on-premise licences
• 99.9% SLA for single instance machines
    • Avoids need to double up instances
    • Advance notice of maintenance

Modernise and reduce costs
• Leverage the pay as you use model
    • Business hours are just 1/3rd of a calendar month
    • Scale up in working hours, scale down out of hours
• Consider PaaS rather than IaaS when possible
    • IaaS still requires feeding and watering

Compute
• Dv3 Series – General purpose production application workloads
• Ev3 Series – Database workloads, high memory-to-core ratios
• M Series – Large in-memory databases such as SAP
• B Series – Smaller workloads that are idle much of the time
• Fv2 Series – Scientific modelling, cluster computing, gaming and analytics

Availability options
• Single VM SLA
• Availability Zones
• Azure to Azure Site Recovery Manager

IaaS meets PaaS
• Service Endpoints
    • SQL PaaS
    • Storage Accounts
• Azure File Sync
    • Centralise file storage in Azure
    • Cache hot files locally

[Diagram: an IaaS VM, SQL PaaS and a Storage blob, drawn twice: “Before Service Endpoints” and “With Service Endpoints”]

Network Improvements
• Global vNet peering; link your primary and secondary DCs for replication
• ExpressRoute simplified; only 2 peerings & ability to overlay encryption
• Simplified support for HA network virtual appliances (Preview)

[Diagram labels: Primary Site Hub vNet, DR Site Hub vNet, Peering, Primary Shared, Secondary Shared, Local Peering, ExpressRoute, Primary Region (UK SOUTH), DR Region (UK WEST)]

Accelerated Networking
• Direct communication with the network interface
• Significantly reduced latency and jitter
• Run the most performance-sensitive workloads
• 25 Gbps networking speed

Your path to cloud
• Lift and shift existing infrastructure
    • Quick and relatively easy; remember: rubbish in – rubbish out
    • Still need networking and security
    • ASR or Velostrata
• Migrate / Upgrade into cloud
    • More time consuming – but architected for cloud
• Scratch built in the cloud
    • Can modernise and leverage PaaS and Functions as a Service

Questions
Any questions?

Supporting Content

Azure DDOS protection
• Basic DDOS mainly protects the platform
• Standard DDOS will clean and mitigate attacks

From the team
• Plan before you deploy
    • Don’t paint yourself into a corner by hitting limits
    • Don’t obsess with long term design
    • Be prepared to refine and redeploy (IaC)
• Subscriptions, Resource Groups, Roles and Policy
    • Update security principles for cloud
    • Establish naming and tagging standards

IaaS – It’s still your problem
• You still need a network and you still need to secure it
    • Outbound traffic is open
    • Consider firewall appliances
• Your VMs still need patching
    • They still run out of disk space!
• Latency; some apps are ‘chatty’

Secure your cloud
• Secure the network
    • All outbound traffic is allowed by default
    • All traffic between vNets and on-premise is allowed by default
    • Use ACLs or Firewalls
• Storage accounts
    • Change the keys and monitor access to the keys
    • Use Managed disks
• Alerting and monitoring
    • Use inbuilt or third party log monitoring tools
    • Configure alerts for unusual and sensitive activity
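
The default-allow behaviour listed on this slide, as an added example that is not part of the original deck: a simplified Python model of NSG outbound evaluation (first match by priority) using Azure's documented default outbound rules. The custom rule names, priorities and probes are constructed, and service tags and ports are compared as plain strings, which is an assumption of the model.

```python
# Default outbound rules present in every Azure NSG (documented names/priorities).
DEFAULT_OUTBOUND = [
    {"name": "AllowVnetOutBound", "priority": 65000, "access": "Allow",
     "destination": "VirtualNetwork", "port": "*"},
    {"name": "AllowInternetOutBound", "priority": 65001, "access": "Allow",
     "destination": "Internet", "port": "*"},
    {"name": "DenyAllOutBound", "priority": 65500, "access": "Deny",
     "destination": "*", "port": "*"},
]

def _matches(rule, destination, port):
    # Assumption: service tags and ports are compared as plain strings.
    return (rule["destination"] in ("*", destination)
            and rule["port"] in ("*", str(port)))

def decide_outbound(custom_rules, destination, port):
    """First matching rule wins; the lowest priority number is evaluated first."""
    for rule in sorted(custom_rules + DEFAULT_OUTBOUND, key=lambda r: r["priority"]):
        if _matches(rule, destination, port):
            return rule["access"], rule["name"]
    raise RuntimeError("unreachable: DenyAllOutBound matches everything")

def audit(custom_rules, probes):
    """Return probes that are allowed only because a default rule said so."""
    defaults = {r["name"] for r in DEFAULT_OUTBOUND}
    findings = []
    for destination, port in probes:
        access, name = decide_outbound(custom_rules, destination, port)
        if access == "Allow" and name in defaults:
            findings.append((destination, port, name))
    return findings

# Constructed rule sets (hypothetical names and priorities).
UNHARDENED = []  # NSG left at its defaults
HARDENED = [
    {"name": "Allow-Https-Out", "priority": 100, "access": "Allow",
     "destination": "Internet", "port": "443"},
    {"name": "Deny-Internet-Out", "priority": 4000, "access": "Deny",
     "destination": "Internet", "port": "*"},
]
# Constructed probes: web, SMTP to the Internet, SQL to a peered vNet or on-premise.
PROBES = [("Internet", 443), ("Internet", 25), ("VirtualNetwork", 1433)]

if __name__ == "__main__":
    for label, rules in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        print(label, audit(rules, PROBES))
```

The hardened set still produces one finding: traffic inside the VirtualNetwork tag stays allowed by the default rule until an explicit rule covers it.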

3 Tier Apps

[Diagram labels: Peering-vnet-003-vnet-001, Vnet, WAHL, EDM, File Share, SQL PaaS, Web Front End, Virus Checker, AD, Content Man, WAF, AD, Mail, Citrix, SQL PaaS, NSG (×3), SFTP]

Maintenance
• Control the timing of impactful planned maintenance on your VMs prior to platform maintenance.
• Configure alerts about upcoming maintenance via SMS, email, webhook, and through in-VM REST API.

IoT cloud project
• HomeSeer
• Azure IoT Hub
• Stream Analytics
• Azure SQL PaaS
• Power BI
• Azure App Service

Azure IoT & Power BI