2. KARL OTS @ KOMPOZURE
• Co-organizer of Finland Azure User Group and IglooConf
• Podcast host at Cloud Gossip
• Working on Azure since 2011
• Patented inventor
• Worked with tens of different customers on full-scale Azure projects, from startups to Fortune 500 enterprises
Managing Consultant
karl.ots@kompozure.com
+358 50 480 1102
3. IN THIS SESSION…
• Trusted cloud infrastructure
• Subscription governance
o Policies
o Resource Groups and Subscriptions as management-level isolation
• Access control
o RBAC
o Azure AD
4. 2 Mil kilometers of intra-datacenter fiber
72+ Tb per second backbone
100+ datacenters
42 Azure regions
Millions of servers
ACCESS APPROVAL
• Background check
• System check
PERIMETER
• One defined access point
• Video coverage
• Perimeter fencing
BUILDING
• Two-factor authentication with biometrics
• 24x7x365 security operations
• Verified single-person entry
SERVER ENVIRONMENT
• Employee & contractor vetting
• Inability to identify the location of specific customer data
• Secure destruction bins
9. ROLE BASED ACCESS CONTROL SCOPES
Subscription
Resource Groups
Resources
10. RBAC ROLES
Owner
• Can perform all management operations for a resource and its child resources, including access management and granting access to others.
Contributor
• Can perform all management operations for a resource, including creating and deleting resources. A contributor cannot grant access to others.
Reader
• Has read-only access to a resource and its child resources. A reader cannot read secrets.
11. RBAC AND POLICIES
Role Based Access Control (RBAC)
• Controls what actions a user may take on Azure resources
Resource Manager Policies
• Controls what actions may be taken at a given scope
12. RESOURCE POLICIES
• Resource Policies are used for maintaining consistency and enforcing the governance model.
• Resource Policies are a core governance capability and provide the ability to create defined organizational controls on Azure resources which restrict, enforce or audit certain actions.
• Subscription-scope policies should be used to enforce data location
• Resource-scope policies should be used for appending tags
13. GEOPOLICY POLICIES
• Customers explicitly control geographic placement of their assets according to their sovereignty, security, compliance or latency policies
• Azure also provides centralized Policy controls to allow/disallow specific geographies for all Azure services
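The two policy patterns from slides 12 and 13 (a subscription-scope location restriction and a resource-scope tag append), as an added example that is not part of the deck: the two `policyRule` documents use the real Azure Policy schema (`field`, `notIn`, `notEquals`, `exists`, `allOf`, `deny`, `append`), while the evaluator around them is a deliberately simplified, hypothetical re-implementation written here to show how a deployment request is judged; the region list, the `costCenter` tag and the `CC-0000` value are constructed sample values.

```python
# Subscription-scope policy: deny regional resources placed outside the EU.
ALLOWED_LOCATIONS_RULE = {
    "if": {"allOf": [
        {"field": "location", "notIn": ["northeurope", "westeurope"]},
        {"field": "location", "notEquals": "global"},  # region-less services are exempt
    ]},
    "then": {"effect": "deny"},
}

# Resource-group-scope policy: stamp a cost-centre tag on storage accounts that lack one.
APPEND_TAG_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": "tags['costCenter']", "exists": "false"},
    ]},
    "then": {"effect": "append",  # "CC-0000" is a constructed sample value
             "details": [{"field": "tags['costCenter']", "value": "CC-0000"}]},
}

def _tag_name(field):
    """Turn the alias "tags['x']" into x (simplified; Azure's alias resolver is richer)."""
    return field[len("tags['"):-len("']")]

def _field(resource, name):
    """Resolve 'location', 'type' or "tags['x']" against a resource document."""
    return resource.get("tags", {}).get(_tag_name(name)) if name.startswith("tags['") else resource.get(name)

def matches(cond, resource):
    """Evaluate a policy condition: allOf / not plus the common field operators."""
    if "allOf" in cond: return all(matches(c, resource) for c in cond["allOf"])
    if "not" in cond:   return not matches(cond["not"], resource)
    val = _field(resource, cond["field"])
    if "equals" in cond:    return val == cond["equals"]
    if "notEquals" in cond: return val != cond["notEquals"]
    if "in" in cond:        return val in cond["in"]
    if "notIn" in cond:     return val not in cond["notIn"]
    if "exists" in cond:    return (val is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")

def apply_policies(resource, rules):
    """Simulate a deployment request: returns ('denied', copy) or ('allowed', mutated copy)."""
    res = {**resource, "tags": dict(resource.get("tags", {}))}  # never mutate the caller's dict
    for rule in rules:
        if not matches(rule["if"], res): continue
        then = rule["then"]
        if then["effect"] == "deny":
            return "denied", res
        for d in then.get("details", []):  # 'append' effect: add the missing field
            res["tags"][_tag_name(d["field"])] = d["value"]
    return "allowed", res
```

A storage account requested in `eastus` is denied before the tag policy is even considered, while one in `westeurope` is allowed and leaves the request with the appended tag; an existing `costCenter` value is never overwritten, which is the point of the `exists: false` guard.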
14. RESOURCES
• Azure Trust Center
o https://www.microsoft.com/en-us/TrustCenter/
• Microsoft Azure Security - Getting Started (free Pluralsight course):
o https://www.pluralsight.com/courses/microsoft-azure-security-getting-started?twoid=43eb6e26-b9fd-4aa0-b88f-2604b82e810f
• Azure Virtual Datacenter (eBook)
o https://azure.microsoft.com/en-us/resources/azure-virtual-datacenter/en-us/
• PCI-DSS Compliant PaaS Blueprint
o aka.ms/pciblueprints