I recently had the privilege and opportunity to attend this year’s DEF CON conference, one of the world’s largest and most notable hacker conventions, held annually in Las Vegas. Deciding which talks and sessions to attend can be a logistics nightmare at a conference with anywhere between 20,000 and 30,000 people in attendance, but I pinpointed the ones I felt would be most beneficial for me and AIS.

During the conference, Tanya Janca, a cloud advocate for Microsoft, and Teri Radichel from 2nd Sight Lab did a presentation on “DIY Azure Security Assessment” that dove into how to verify the security of your Azure environments. More specifically, they went into detail on setting scope and policies, using Azure Security Center, and enabling threat protection. In this post, I want to share the takeaways from the talk that I found most helpful.

Security in Azure

Security is a huge part of any Azure deployment: the controls need to be in place before an attack occurs, not after. Below I break down the topics I took away that can help you understand and perform your own security assessment in Azure, including how to look for vulnerabilities and gaps.

The first step in securing your Azure environment is to define the scope of what you are assessing and protecting. That scope may include things external to Azure, such as the on-premises side of a hybrid solution. The areas to cover include the following:

  • Data Protection
  • Application Security
  • Network Security
  • Access Controls
  • Cloud Security Controls
  • Cloud Provider Security
  • Governance
  • Architecture

Second is using the tools and features within Azure to accomplish this objective. Tanya and Teri started out by listing a few key features that every Azure implementation should use. These include:

  • Turning on Multi-Factor Authentication (MFA)
  • Identity and Access Management (IAM)
    • Roles in Azure AD
    • Policies for access
    • Service accounts
      • Least privilege
    • Account Structure and Governance
      • Management Groups
      • Subscriptions
      • Resource Groups

A key item I took away from this section was granting access at the “least privilege” level for service accounts: grant only the permissions that are required, only when they are needed, and use accounts that are not for administrative use. Along with tightening access, it’s also important to understand at what scope to manage this governance. Granting access at the management group level casts a wider and more manageable net, since a role assignment there is inherited by every subscription and resource group beneath it. A more defined level, such as the subscription level, can help with segregation of duties, but the right choice depends heavily on the current layout of your management groups and subscriptions.
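The scope question above is easy to get wrong because management-group inheritance is not visible in a resource ID. The following is an added example, not code from the talk or from Azure, that models the management group → subscription → resource group hierarchy, computes the roles a principal effectively holds at a scope, and flags service principals that hold Owner or Contributor above resource-group level. The subscription IDs, management-group names, principals and assignments are all constructed.

```python
"""Audit Azure RBAC assignments for over-broad service-account grants.

Added example: models the scope hierarchy the post describes
(management group -> subscription -> resource group). Every ID, name
and assignment below is constructed, not taken from a real tenant.
"""
from dataclasses import dataclass

# Constructed hierarchy: the management group each subscription sits in,
# and each management group's parent.
MG = "/providers/Microsoft.Management/managementGroups/"
SUB_PROD = "/subscriptions/11111111-1111-1111-1111-111111111111"
SUB_DEV = "/subscriptions/22222222-2222-2222-2222-222222222222"
MG_OF_SUBSCRIPTION = {SUB_PROD: MG + "prod", SUB_DEV: MG + "dev"}
MG_PARENT = {MG + "prod": MG + "tenant-root", MG + "dev": MG + "tenant-root"}

PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    principal_type: str  # "User" or "ServicePrincipal"
    role: str
    scope: str           # Azure resource ID the role was granted at


def scope_chain(scope: str) -> list[str]:
    """Return a scope plus every ancestor it inherits assignments from.

    Resource-group and subscription ancestors are prefixes of the ID;
    management groups are not, so they come from the lookup tables.
    """
    s = scope.rstrip("/")
    chain = [s]
    if s.lower().startswith("/subscriptions/"):
        parts = s.split("/")  # ['', 'subscriptions', <id>, 'resourceGroups', <rg>, ...]
        sub = "/".join(parts[:3])
        if len(parts) >= 5 and parts[3].lower() == "resourcegroups":
            rg = "/".join(parts[:5])
            if rg != s:
                chain.append(rg)
        if sub != s:
            chain.append(sub)
        mg = MG_OF_SUBSCRIPTION.get(sub)
    else:
        mg = MG_PARENT.get(s)
    while mg:
        chain.append(mg)
        mg = MG_PARENT.get(mg)
    return chain


def effective_roles(assignments, principal: str, target_scope: str) -> list[str]:
    """Roles a principal holds at target_scope, including inherited ones."""
    ancestors = {c.lower() for c in scope_chain(target_scope)}
    return sorted({a.role for a in assignments
                   if a.principal == principal
                   and a.scope.rstrip("/").lower() in ancestors})


def scope_level(scope: str) -> str:
    s = scope.rstrip("/").lower()
    if s.startswith(MG.lower()):
        return "managementGroup"
    if "/resourcegroups/" in s:
        return "resource" if s.count("/") > 4 else "resourceGroup"
    return "subscription"


def audit_service_accounts(assignments) -> list[dict]:
    """Flag service principals holding privileged roles above resource-group scope."""
    findings = []
    for a in assignments:
        if a.principal_type != "ServicePrincipal" or a.role not in PRIVILEGED_ROLES:
            continue
        level = scope_level(a.scope)
        if level in ("managementGroup", "subscription"):
            findings.append({"principal": a.principal, "role": a.role,
                             "level": level, "scope": a.scope})
    return findings


# Constructed assignments: one deployment identity was given Contributor on the
# whole "prod" management group, which every prod subscription inherits.
SAMPLE_ASSIGNMENTS = [
    RoleAssignment("deploy-pipeline", "ServicePrincipal", "Contributor", MG + "prod"),
    RoleAssignment("alice@example.com", "User", "Owner", SUB_PROD),
    RoleAssignment("web-app-identity", "ServicePrincipal", "Reader", SUB_PROD + "/resourceGroups/rg-web"),
    RoleAssignment("backup-job", "ServicePrincipal", "Contributor", SUB_DEV + "/resourceGroups/rg-backups"),
]

if __name__ == "__main__":
    print(effective_roles(SAMPLE_ASSIGNMENTS, "deploy-pipeline", SUB_PROD + "/resourceGroups/rg-web"))
    for f in audit_service_accounts(SAMPLE_ASSIGNMENTS):
        print("FINDING:", f)
```

In a real assessment the assignment list would come from `az role assignment list --all` and the management-group membership from `az account management-group` output; the point of the model is that `deploy-pipeline` shows up as Contributor on `rg-web` even though nothing was ever assigned on that resource group.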

The Center for Internet Security (CIS)

So maybe now you understand the scope at which you want to assess the security of your Azure environment, but you do not know where to start. This is where The Center for Internet Security (CIS) can come into play. CIS is a community-driven nonprofit that publishes security best practices and threat-prevention guidance, with members including corporations, governments, and academic institutions. Its guidance was initially intended for on-premises use, but as the cloud has grown, so has the need for cloud-specific guidance. CIS can help you decide which best practices to follow based on known threat vectors; these are captured in the 20 CIS Critical Security Controls, broken down into three groups: Basic, Foundational, and Organizational.

Basic Center for Internet Security Controls

Examples of these CIS control practices could be:

  • Inventory and Control of Hardware Assets by utilizing an active discovery or asset inventory tool
  • Controlled Use of Administrative Privileges by logging and alerting on changes to administrative group membership and on failed administrative logins

An additional offering is the CIS Benchmarks, which give hardening recommendations for various platforms and services, such as Microsoft SQL Server or IIS, and there is a benchmark for Microsoft Azure itself. Plus, the benchmark documents are free! Another cool offering from CIS is in the Azure Marketplace: pre-built virtual machine images that are already hardened to the benchmark recommendations.

CIS Offers in Azure Marketplace

The figure below shows an example benchmark recommendation, “Restrict access to Azure AD administration portal.” Each recommendation comes with audit steps that show how to check whether you meet it and remediation steps for what to change if you do not.

Control Practice to Restrict access to Azure AD administration portal

Azure Security Center (ASC)

In this next section, I detail the features of Azure Security Center (ASC) that I took away from this presentation and how to get started using ASC. The figure below shows the dashboard. As you can see, there are a lot of options inside the ASC dashboard, including sections such as Policy & Compliance and Resource Security Hygiene. The settings inside those sections can dive deeper into resources, all the way down to the VM or application level.

Azure Security Center Dashboard

Making sure you have ASC enabled on every subscription in scope should be your first step, since it only reports on what it covers. The visuals you get in ASC are very helpful, including subscription coverage and your secure score. Policy management is also a feature of ASC: you can use pre-defined and custom Azure Policy rules to keep your environment within the desired compliance levels.

Cloud Networking

Your network design in Azure plays a crucial role in defending against incoming attacks, and it involves more than just closing ports. When you build a network with security in mind, you not only limit your attack surface but also make spotting vulnerabilities easier, all while making it harder for attackers to move through your systems. Network Security Groups (NSGs) let you allow only the required ports and sources, and user-defined routes let you steer traffic through inspection points such as a firewall. You can also use Network Watcher to view the effective security rules applied to a NIC and to test whether a given flow would be allowed. Other best practices include never exposing RDP, SSH, or SQL directly to the internet. At a higher level, some more networking features and options for securing Azure include:

  • Azure Firewall
    • Protecting storage accounts
    • Using logging
    • Monitoring
  • VPN/Express Route
    • Encryption between on-premises and Azure
  • Bastion Host
    • Access to host using jump box feature
    • Heavy logging
  • Advanced Threat Protection
    • Alerts of threats in low, medium and high severity
    • Unusual activity, such as large numbers of storage files being copied
  • Just in Time (JIT)
    • Open access to a host only when needed, for a configured time window
    • Restrict the opening to selected IP ranges and ports
  • Azure WAF (Web Application Firewall)
    • Layer 7 firewall for applications
    • Utilize logging and monitoring

An additional design factor to consider is the layout of your network architecture. Dividing your resources into tiers is a great practice for minimizing the risk to each component. An example is a three-tier design, which splits a web application into three tiers, each in its own subnet (or VNet) with its own NSG. In the figure below you can see a separate web tier, app tier, and data tier. This is much more secure because the front-end web tier can still reach the app tier but cannot talk directly to the data tier, which minimizes the risk to your data.

Three Tier Network Architecture: web tier, app tier, and data tier
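The three-tier split only holds if the NSG on the data tier actually blocks the web tier, and the default rules Azure adds to every NSG work against you here. The following is an added example, not code from the talk or from Azure, that evaluates inbound NSG rules the way the platform does (lowest priority number wins, with the built-in defaults at 65000 and above) and shows that an “allow app tier to SQL” rule alone still lets the web tier reach port 1433 through the default AllowVnetInBound rule. The address space, subnets and rule names are constructed, and the VirtualNetwork and AzureLoadBalancer service tags are simplified to a single range and address.

```python
"""Evaluate inbound NSG rules like Azure does: lowest priority number wins,
then the built-in default rules. Added example; the VNet address space,
subnets and rule names are constructed for the three-tier layout.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int    # custom rules use 100-4096; Azure's defaults start at 65000
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # CIDR, "*" or one of the service tags modelled below
    dest_port: str   # "1433", "*" or a range such as "1024-65535"


VNET_SPACE = ipaddress.ip_network("10.0.0.0/16")           # constructed VNet
WEB_SUBNET, APP_SUBNET, DATA_SUBNET = "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"
AZURE_LB_PROBE_IP = ipaddress.ip_address("168.63.129.16")  # Azure LB health-probe source

# Azure adds these to every NSG; they cannot be removed, only overridden by a
# custom rule with a lower priority number.
DEFAULT_INBOUND = [
    NsgRule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    NsgRule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]


def _source_matches(rule_source: str, src_ip: str) -> bool:
    ip = ipaddress.ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":   # simplified: the real tag also covers peered VNets and on-prem routes
        return ip in VNET_SPACE
    if rule_source == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE_IP
    return ip in ipaddress.ip_network(rule_source, strict=False)


def _port_matches(rule_port: str, port: int) -> bool:
    if rule_port == "*":
        return True
    if "-" in rule_port:
        low, high = (int(p) for p in rule_port.split("-"))
        return low <= port <= high
    return int(rule_port) == port


def evaluate_inbound(rules, src_ip: str, dest_port: int, protocol: str = "Tcp"):
    """Return (access, matching_rule_name) for one inbound flow to the NSG's subnet."""
    for rule in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if _source_matches(rule.source, src_ip) and _port_matches(rule.dest_port, dest_port):
            return rule.access, rule.name
    return "Deny", "none"


# Data-tier NSG as first written: only the app tier is meant to reach SQL.
DATA_TIER_NAIVE = [
    NsgRule("AllowAppToSql", 100, "Allow", "Tcp", APP_SUBNET, "1433"),
]

# Hardened: an explicit deny that sorts before the default AllowVnetInBound
# rule closes the gap for every other subnet in the VNet, web tier included.
DATA_TIER_HARDENED = DATA_TIER_NAIVE + [
    NsgRule("DenyVnetInBound", 4096, "Deny", "*", "VirtualNetwork", "*"),
]

if __name__ == "__main__":
    for label, rules in (("naive", DATA_TIER_NAIVE), ("hardened", DATA_TIER_HARDENED)):
        for src in ("10.0.2.10", "10.0.1.10", "203.0.113.5"):
            print(f"{label:9} {src:>12} -> 1433/tcp: {evaluate_inbound(rules, src, 1433)}")
```

This is the same check Network Watcher’s IP flow verify performs against the real effective rules; the model is useful for reasoning about a design before it is deployed, and the load-balancer case shows why the explicit deny is scoped to the VirtualNetwork tag rather than `*`, so health probes at priority 65001 still get through.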

Logging and Monitoring

Getting the right data and analytics to properly monitor and log your environment is an important part of assessing it. For those in security roles, logs are also evidence: chain of custody and liability matter once an incident is under investigation. When handling security incidents, extensive logging is required to understand the full scope of what happened. This includes having logging and monitoring turned on for the following recommended items:

  • IDS/IPS
  • DLP
  • DNS
  • Firewall/WAF
  • Load Balancers
  • CDN

The next way to get even more out of this telemetry is a SIEM (Security Information and Event Management) such as Azure Sentinel. A SIEM adds a layer of detection and response: it collects, detects, investigates, and responds to threats across on-premises and multi-cloud environments. An important note here is to tune your SIEM so that it detects threats accurately and does not dilute the alerts with false positives.
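To make the tuning point concrete, here is an added example that is not from the talk and does not use Sentinel itself: two small detections run over sign-in events, one for privileged accounts signing in without MFA (the MFA and administrative-privilege items from earlier in the post) and one for a single source IP failing credentials against many distinct accounts. The event schema is a simplified subset of the Azure AD sign-in log, every record is constructed, and the two tuning knobs (a distinct-user threshold and an allow-list of known corporate egress IPs) are the kind of adjustment that keeps the second rule from paging on one person mistyping a password behind a NAT gateway.

```python
"""Two detections over Azure AD sign-in events, with the tuning knobs that
keep them from flooding a SIEM. Added example: the schema is a simplified
subset of the real sign-in log and every record below is constructed.
"""
import json
from collections import defaultdict

INVALID_CREDENTIALS = 50126  # Azure AD error code: invalid username or password

# Constructed sign-in events, JSON lines as a log shipper would forward them.
SIGNIN_LOG = """
{"createdDateTime":"2019-08-10T14:01:02Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.7","authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2019-08-10T14:03:11Z","userPrincipalName":"svc-admin@example.com","ipAddress":"203.0.113.7","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2019-08-10T14:05:40Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.7","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}}
{"createdDateTime":"2019-08-10T14:05:52Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.7","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}}
{"createdDateTime":"2019-08-10T14:06:03Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.7","authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2019-08-10T21:10:00Z","userPrincipalName":"carol@example.com","ipAddress":"198.51.100.9","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}}
{"createdDateTime":"2019-08-10T21:10:04Z","userPrincipalName":"dave@example.com","ipAddress":"198.51.100.9","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}}
{"createdDateTime":"2019-08-10T21:10:09Z","userPrincipalName":"erin@example.com","ipAddress":"198.51.100.9","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}}
{"createdDateTime":"2019-08-10T21:10:13Z","userPrincipalName":"frank@example.com","ipAddress":"198.51.100.9","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}}
{"createdDateTime":"2019-08-10T21:10:18Z","userPrincipalName":"grace@example.com","ipAddress":"198.51.100.9","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}}
"""

PRIVILEGED_USERS = {"alice@example.com", "svc-admin@example.com"}  # constructed admin list
CORPORATE_EGRESS_IPS = ("203.0.113.7",)                              # constructed office NAT address


def parse_events(raw: str) -> list[dict]:
    return [json.loads(line) for line in raw.strip().splitlines() if line.strip()]


def privileged_without_mfa(events, privileged_users) -> list[dict]:
    """Successful sign-ins by privileged accounts that did not satisfy MFA."""
    return [
        {"rule": "privileged-signin-no-mfa", "user": e["userPrincipalName"],
         "ip": e["ipAddress"], "time": e["createdDateTime"]}
        for e in events
        if e["userPrincipalName"] in privileged_users
        and e["status"]["errorCode"] == 0
        and e["authenticationRequirement"] != "multiFactorAuthentication"
    ]


def password_spray(events, distinct_user_threshold=5, known_egress_ips=()) -> list[dict]:
    """One source IP failing credentials against many distinct accounts.

    Counting distinct users rather than raw failures keeps one person
    fat-fingering a password from tripping the rule; known corporate egress
    IPs are excluded because a NAT gateway legitimately fails for many users.
    """
    users_by_ip = defaultdict(set)
    for e in events:
        if e["status"]["errorCode"] == INVALID_CREDENTIALS and e["ipAddress"] not in known_egress_ips:
            users_by_ip[e["ipAddress"]].add(e["userPrincipalName"])
    return [
        {"rule": "possible-password-spray", "ip": ip, "distinct_users": len(users)}
        for ip, users in users_by_ip.items()
        if len(users) >= distinct_user_threshold
    ]


def run_detections(raw_log: str, privileged_users, **spray_tuning) -> list[dict]:
    events = parse_events(raw_log)
    return privileged_without_mfa(events, privileged_users) + password_spray(events, **spray_tuning)


if __name__ == "__main__":
    for finding in run_detections(SIGNIN_LOG, PRIVILEGED_USERS, known_egress_ips=CORPORATE_EGRESS_IPS):
        print(finding)
```

Run as-is this produces two findings: the `svc-admin` sign-in without MFA and the spray from `198.51.100.9`. Dropping the threshold to 1 without the egress allow-list also flags the office address because of Bob’s two typos, which is exactly the false positive the tuning is meant to remove.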

Advanced Data Security

The final point I want to dive into is Advanced Data Security for Azure SQL. The protection of data should be at the top of any organization’s list of priorities. Classifying your data is an important first step in knowing its sensitivity, and this is where Data Discovery & Classification helps by labeling the sensitivity of the columns in your databases. Next is the vulnerability assessment scan, which assesses the risk level of your databases and helps minimize leaks. Overall, these cloud-native tools are another great way to help secure your Azure environment.

Conclusion

In closing, Azure has a plethora of tools at your disposal within the Azure Security Center to do your own security assessment and protect yourself, your company, and your clients from future attacks. ASC can become your hub for defining and maintaining a compliant security posture for your enterprise. Tanya and Teri go into great detail on the steps to take and even supply a checklist you can follow yourself to assess an Azure environment.

Checklist

  1. Set scope & only test what’s in scope
  2. Verify account structure, identity, and access control
  3. Set Azure policies
  4. Turn on Azure Security Center for all subscriptions
  5. Use cloud-native security features – threat protection and adaptive controls, file integrity monitoring, JIT, etc.
  6. Follow networking best practices, NSGs, routes, access to compute and storage, network watcher, Azure Firewall, Express Route and Bastion host
  7. Always be on top of alerts and logs for Azure WAF and Sentinel
  8. Run vulnerability assessments (VA) on everything, especially SQL databases
  9. Encryption, for your disk and data (in transit and rest)
  10. Monitor all that can be monitored
  11. Follow the Azure Security Center recommendations
  12. Then call a Penetration Tester

I hope you found this post to be helpful and make you, your company, and your clients’ experience on Azure more secure. For the full presentation, including a demo on Azure Security Center, check out this link. 

I recently read Patrick Lencioni’s latest book, Getting Naked: A Business Fable About Shedding The Three Fears That Sabotage Client Loyalty. I found the book useful, well written, and insightful.

Here is a quick summary of the key ideas:

Always Consult instead of Sell

Rather than harping on past accolades and what you can do if the organization hires you, transform every sales situation into an opportunity to demonstrate value. Start adding value from the very first meeting… without waiting to be hired. Don’t worry about a potential client taking advantage of your generosity. (One potential client in 10 may – but you don’t want that one potential client as a customer anyway!)

Tell kind truth

Be ready to confront a client with a problematic message, even if the client might not like hearing it. Don’t sugar coat or be obsequious. Rather, relay the message in a manner that recognizes the dignity and humanity of the client. Be prepared to deal with “the elephant in the room” that everyone else (including your competitors) is afraid to address.

Don’t be afraid to ask questions or suggest ideas, even if they seem obvious

There is a good chance that a seemingly obvious question/suggestion is actually of benefit to many in the audience.

Of course, there is also that chance of posing a “dumb” question. But no one is expecting perfection from their consultants, but they do expect transparency and honesty. There is no better way to demonstrate both than by acknowledging mistakes.

Make everything about the client

Be prepared to humble yourself by sacrificially taking the burden off of a client in a difficult situation. Be ready to take on whatever the client needs you to do within the context of the services you offer.

The focus of all of your attention needs to be on understanding, supporting, and honoring the business of the client. Do not try to shift attention to yourself, your skills, or your knowledge. Honor the client’s work by taking an active interest in their business and appreciating the importance of their work.

Admit your weaknesses and limitations

Be true to your strengths and be open to admitting your weaknesses. Not doing so will wear you out and prevent you from doing your best in your areas of strength.

Like many of you, we at AIS try to embrace many of the above ideas from Lencioni’s book. For example, rather than “sell” a project, we often co-invest (along with the customer) in a micro-POC* or a one-day architecture and design session that helps lay out the vision for the solution, identify main risks, and crystallize the requirements for a project. With the insights derived from a micro-POC, clients can make an informed decision on whether to move forward or not. Here are a couple of examples of micro-POCs:  Jupyter Notebooks as a Custom Calculation Engine, and Just-in-Time Permission Control with Azure RBAC

* Micro-POC (micro Proof of concept) – a time-boxed (typically ~40 hours) “working” realization of an idea/concept with the aim to better understand the potential, risks, and effort involved. This is *not* an early version of a production application.  Also, see this Wikipedia definition of Proof of concept

Meet some of the AIS Recruiting Team – They’re going to talk you through some of their top recommended job interview tips.

(Transcript)

My name is Francesca Hawk. My name is Rana Shahbazi. My name is Kathleen McGurk. My name is Jenny Wan. My name is Denise Kim.

Tip #1: Be Open, Transparent & Direct

I think it’s important for candidates to be authentic and transparent throughout the entire interview process.

Keeping the line of communication open through the interview process is really important for both sides. If you have other opportunities on the table, say that. The recruiters are your advocates and, in essence, kind of your best friend. Being direct – give us, you know, enough feedback – if you are not interested, or if the commute is an issue, or if you want more money, if your clearance was an issue – just let us know.

Tip #2: Know What You Want

So before even searching for opportunities you have to figure out what you’re looking for in a company. And then once you figure out what you’re looking for – whether it’s the culture of the company, the location of the company – definitely ask questions with the recruiter prior to the interview so while you’re at the interview you have a little bit of that information.

Tip #3: Be On Time & Be Prepared

You always want to make sure you’re on time. Generally, you want to arrive about 15 minutes before your interview. You know where you’re going to park, make sure that you look up directions ahead of time. And just be prepared in general.

Preparation is extremely underrated in the interview process, so really doing your research getting familiar with the company and the culture there. Go online. Check out, you know, the general website, check out the job description. Make sure you’re aware of the skills and qualifications and what they’re really looking for. Glassdoor always provides really good reviews from the current employees. I think the company website and certainly LinkedIn is a huge aspect – social media in general.

Tip #4: Ask Questions

Ask questions or have questions ready to ask us. Ask about the process, ask about the expectations, who you’ll be potentially meeting with, what the potential duration could be. The company can’t provide information unless you ask for it.

You also have to make sure that you are interviewing the company just as much as they’re interviewing you. Ask the interviewers about the culture, because you’re going to get a different response from everybody, but if they all seem to check out or are the same then that means the culture is pretty good.

Just make sure that you feel comfortable with the environments that, you know, you’re going to be working in.

Tip #5: Make Sure You Understand the Role

Really use the opportunity to understand the position and then to sell your strengths and also kind of tie it back into your accomplishments.

Make sure that you talk about what you were individually able to accomplish in a project. So what you were personally able to bring to the table and not necessarily what the team accomplished as a whole.

Tip #6: Show Your Interest

I think your presentation and the way you present yourself to the interviewers and anybody that you interact within the interview process is extremely important.

So not just what you say, but how you say it. Eye contact and body language say a lot about your interest in the position and the company as a whole.

Showing your interest makes a recruiter feel that you’re confident and that you can certainly do the role, and also that you are excited about this opportunity.

I think you should be excited about interviewing a company that you’re interested in. And that sounds silly, but I think that going in excited and I think that’s why body language and eye contact are all very important aspects.

Tip #7: Listen

People are so busy thinking about what they’re going to say next that they don’t actually pay attention to the questions being asked.

So making sure that you’re hearing what they’re saying and then taking the time to respond is really important.

Tip #8: Follow Up

Certainly, you know, asking for next steps is very helpful and also that is another way of expressing your interest. You know, definitely being responsive. I would say the general rule of thumb is within 12 hours of turnaround time. If you’re not interested, and that’s okay, if we’re not at AIS where this opportunity is number one, and that’s okay, we like to know that as well.

You definitely want to send a thank you note – it goes a long way and it shows you’re very interested in the company and it always leaves a great impression.

We’re Hiring!

AIS is always looking to connect with talented technologists that are passionate about learning and growing to staff exciting new projects for our commercial and federal clients. If you’re interested in working at AIS, check out our current career openings.

It started off as a small idea – a donation drive to support a local organization – and quickly expanded into multiple drives across the country.   

The AIS Women’s Network began in October 2018 as a small group of 10 individuals and quickly grew to 54 members strong.  To support part of our mission, we set out to lead an effort to help a local charitable organization. But it quickly became apparent that the logistics of multiple offices across the country supporting one organization wasn’t an easy task. But through these challenges grew an even better idea: Why not support multiple organizations? 

This month, the AIS Women’s Network launched the AIS Community Drives. Thanks to the hard work and creativity of each local office lead, AIS was able to support five worthy organizations across Maryland, Virginia, North Carolina, Ohio, and Texas. Each organization received non-perishable foods, household, paper, baby and personal hygiene products, plus gift cards, monetary donations, and many more items! 

AIS Community Drives

“Everyone got extremely creative in finding ways to gain participation in their offices – from Pi Day in Dayton [Ohio], to an ice cream social in Reston [Virginia] to soliciting User Group members in Raleigh [North Carolina]!  It is this kind of out-of-the-box thinking that made this event a great success!” 

 -AIS Women’s Network Member

The donations collected went to five worthy organizations, each one local to an AIS office, including:

  • Grassroots Crisis Intervention Center, a multi-service crisis intervention center in Columbia, Maryland that provides 24-hour crisis intervention services, emergency, and transitional shelter, and community education. (You can read more about our work with Grassroots here and here.)
  • LINK, Inc., a nonprofit charity that provides emergency food to people in need in the Herndon, Sterling, and Ashburn communities in Virginia.
  • Food Bank of Central & Eastern North Carolina, a nonprofit organization that has provided food for people at risk of hunger in a 34-county service area for over 35 years.
  • Feed the Creek, an organization that provides food for children in the Beavercreek, Ohio area in order to reduce childhood hunger and promote healthier bodies, minds, relationships, and grades.
  • Austin SAFE Alliance, a human service agency in Austin, Texas serving the survivors of child abuse, sexual assault and exploitation, and domestic violence.

“Thanks for your support! You are now classified as a go-to donor.”

  -Monteith Mitchell, Grassroots 

“It’s just what we needed, thank you, thank you, thank you!”

 – Joe Kruse, Grassroots

Please visit the links above to learn more about the incredible work these organizations do across our AIS communities! 

The mission of the AIS Women’s Network is to unify and organize those who are interested in empowering the women of AIS, by way of creating a nurturing community in which they can develop and foster their leadership, technical, and professional skills. 

As I was nearing retirement from the Air Force, I received briefings reminding me that the world outside of the military is nothing like the one inside of it. It’s a dog eat dog world out there; companies only care about their bottom line; companies won’t help anyone else unless it’s beneficial for them, etc.

When I came onboard with AIS, however, I was told that our Managed Services practice provides pro-bono support for the Grassroots Crisis Intervention Center. I was taken aback to learn that AIS is the total opposite of what I’d been taught. This company really cares for the community — and doesn’t just say it, but proves it.

About Grassroots

Grassroots Crisis Intervention Center is the only homeless shelter in Columbia, Maryland that provides beds and round-the-clock support for those in need of professional crisis intervention, suicide prevention, or outreach services for personal, situational, mental health, and domestic violence crises. In 2018, they fielded 38,914 calls on their 24-Hour Crisis Intervention Hotline, served 2,028 clients in their various shelters, and ensured the safety of 262 children. While Grassroots is a private non-profit agency and receives funding from grants, private foundations, community donations, and local businesses, it’s simply not enough to ensure their IT is ready to handle the day-to-day demands Grassroots volunteers endure.

Grassroots was lucky to have a volunteer donate their time to provide IT support. Unfortunately, there’s only so much one person can do for an organization like Grassroots. They continue to grow and face new IT challenges each day.

Providing 24/7 Support for a 24/7 Organization

AIS offered to help Grassroots’ volunteer IT person manage their needs and growth at no cost. Our Managed Services team worked with them to define their needs and bottlenecks so we could best support them. The result was an arrangement where the Grassroots volunteer IT staff handle onsite demands, while AIS Managed Services support any IT needs that can be handled remotely, 24/7/365.

In the past year, we’ve helped resolve over 100 different issues ranging from account creation/deletion and email connectivity problems to agency-wide network outages. Managed Services resolved each one of these tickets with a 100% satisfaction rate. Along with resolving tickets, the Managed Services team also provides basic IT training to Grassroots counselors to help increase their understanding of the system… so that they can quickly get back to the important work of helping people.

Service Before Self

In the Air Force, one of our core values was service before self. It’s refreshing to see that AIS is a company that puts community service ahead of self. It makes this veteran honored to work with this company and their support of the Grassroots Crisis Intervention Center.

The AIS Team is very proud to announce that we’ve successfully completed our first appraisal under the CMMI Institute’s Capability Maturity Model Integration (CMMI) for Services at Maturity Level 3 (ML3).

So…what does that mean? It means that after an extremely rigorous approval process, CMMI has independently validated and recognized AIS’ excellence and dedication to continuous improvement in our Service Management practices. It means our existing and future customers can count on continued increases in quality, productivity, efficiencies, and performance…while seeing decreases in defects, re-work, and risks.

Attaining CMMI ML3 means that we’ve defined our processes at the organizational level and take a proactive approach of continuous process evaluation and improvement to meet the business goals of our clients. We consistently improve upon existing organizational delivery standards, processes and procedures instead of redefining them on a project-by-project basis. This ensures that the best practices of AIS (and our industry) are not just adopted or implemented once, but captured over the long term. It also means that our team members can move seamlessly across multiple projects and exiting employees won’t take critical business information away with them.

CMMI not only rates the maturity of our processes, the distinction provides a level of assurance that AIS will always complete our work in both the time and price quoted for the project. CMMI ML3 allows organizations to improve consistency and deliver cost-effective solutions for current and future projects. And that consistency results in less money spent on detecting errors, less remediation and less manpower spent reworking old solutions.

In short, this achievement means we will always meet our customers’ demands, and consistently and predictably deliver the products, services, and sourced goods they want, when they want them, and at a price they’re willing to pay. All very good things!

Congrats and a big thank you to the AIS Team members who worked extra hard over the last year to make this happen.

AIS CMMI team members

Steve Iacovelli & Fred Elleman
A small delegation from AIS joined Stephen Iacovelli, his family, and his military peers to recognize his promotion to Brigadier General and observe the Change of Command ceremony.

Brigadier General Iacovelli took command of the 94th Training Division based in Ft. Lee, Virginia. The Army expressed their appreciation for AIS’ support of Stephen as he completed the Army War College and our continued flexibility that allows Stephen to balance his work responsibilities with those of a citizen Soldier.

Fred Elleman, speaking for AIS, summed up perfectly how we all felt that morning: “Thank you for recognizing our company; our contributions seem trivial compared to what each of you does for our country. We thank each of you and Stephen for your service and for the opportunity to be here today and play a small role in this event.”

Microsoft US SI of the Year Award at Microsoft Inspire
AIS won the 2018 Microsoft US SI of the Year award for Azure Performance at Microsoft Inspire in Las Vegas. The award recognizes AIS’ work in Azure consumption values, as well as our success as the #1 United States Co-Sell Partner in the Microsoft Co-Sell Initiative. With over $26 million in Azure consumption and over $12 million in total contract value, AIS assisted Microsoft in retiring over $1 million in Azure goals.

Microsoft generated more than 11,000 co-sell wins with partners like AIS during the past 12 months, equating to roughly $5 billion in contract value through the channel. The figures are the result of Microsoft’s newly-formed One Commercial Partner (OCP) roll-out, designed to drive deeper collaboration between internal direct sellers and partners.

Microsoft described the OCP-driven co-sell program as the “largest sales transformation” in decades.

“In less than a year, AIS partnered with the OCP team to conceive and deliver our co-sell offerings with market-leading results,” said Larry Katzman, AIS Vice President of Marketing and Sales. “We leveraged our Cloud Adoption Framework, which is a collection of services we’ve delivered multiple times while helping our clients adopt Azure. We also included our Legacy Modernization offerings.”

AIS will be expanding our co-sell offerings to include our Office 365 and Dynamics 365 adoption programs in the coming year.

“Congratulations to the OCP Team and the AIS Marketing and Sales Teams for turning the OCP vision into a reality so quickly,” said Tom O’Connell, AIS Managing Partner. “This is only the beginning. We built a solid pipeline and see even better results in FY19.”

AIS Team Members Accepting Award

2018 Microsoft US SI of the Year Award

We can do this for you too! Check out our Azure QuickStart offering here.