Azure Resource Lock: Safeguard Your Critical Resources

Prevention is better than cure. There have been quite a few occasions when I wished I had applied that logic, and it matters even more in a public cloud, especially when mission-critical resources are involved. Often you want to protect resources from unwarranted human actions or, to put it bluntly, you want to stop other users in the organization from accidentally deleting or modifying something critical.

Azure gives us a couple of ways to apply that level of control. The first is role-based access control (RBAC): with the Reader role and the various Contributor roles, RBAC is a good way to limit the actions a user can take against a resource. However, any Contributor role still allows its holder to delete the resources it covers, so a single mistaken click or command can remove a critical resource.

Azure resource locks give you a way to control that kind of adventure. Unlike RBAC, a management lock applies a restriction across all users and roles; to set permissions for users and roles, see Azure Role-based Access Control. A lock can be placed on a subscription, on a resource group or on an individual resource. With a lock in place, authorized users can still read the resource (and, depending on the lock level, modify it), but nobody can delete it without first removing the lock.

To make this happen you apply a lock level at one of those scopes. The level is either CanNotDelete or ReadOnly (at present these are the only two options). CanNotDelete means authorized users can still read and modify the resource but cannot delete it. ReadOnly means authorized users can only read the resource; they cannot modify or delete it. ReadOnly is stricter than it looks, because operations that run as a POST request are blocked too: a ReadOnly lock on a storage account, for example, prevents listing the account keys. Note also that a lock restricts operations on the Azure resource itself (the management plane) only; it does not stop data inside the resource, such as rows in a database or blobs in a storage account, from being changed or deleted.

When you apply a lock at a parent scope, all child resources inherit the same lock, and where several locks apply the most restrictive one wins.

One point worth mentioning: to create or delete locks you need to be in either the Owner or the User Access Administrator role for the scope in question, because managing locks requires the Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions, and of the built-in roles only those two grant them. The flip side is that anyone holding one of those roles can remove the lock, so a lock protects against accidents rather than against a privileged or malicious account.

Create Resource Lock Using ARM Template

With an Azure Resource Manager (ARM) template you can lock a resource at the moment it is created. An ARM template is a JSON file that declares, rather than scripts, the Azure resources to deploy. In a template that creates and locks a storage account, the storage account name comes in through a parameter, and the part worth noticing is how the lock (utLock) is declared: it is a nested resource whose name is formed by concatenating the storage account name with /Microsoft.Authorization/ and the name of the lock.
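The following is an added example, not the template from the original post; it reconstructs the pattern just described and deploys it with PowerShell. It assumes the Az module is installed, Connect-AzAccount has been run, the resource group UT-RG from the post already exists, and it uses the hypothetical storage account name utlockdemo01. The lock name utLock is the one used in the post.

```powershell
# Added example: create a storage account and lock it in the same ARM template.
# Assumes Az module, an authenticated session (Connect-AzAccount) and an
# existing resource group named UT-RG. The storage account name is hypothetical.

$template = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": {
      "type": "string",
      "minLength": 3,
      "maxLength": 24,
      "metadata": { "description": "Name of the storage account to create and lock." }
    },
    "lockLevel": {
      "type": "string",
      "defaultValue": "CanNotDelete",
      "allowedValues": [ "CanNotDelete", "ReadOnly" ]
    }
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2019-06-01",
      "name": "[parameters('storageAccountName')]",
      "location": "[resourceGroup().location]",
      "sku": { "name": "Standard_LRS" },
      "kind": "StorageV2",
      "properties": { "supportsHttpsTrafficOnly": true }
    },
    {
      "type": "Microsoft.Storage/storageAccounts/providers/locks",
      "apiVersion": "2016-09-01",
      "name": "[concat(parameters('storageAccountName'), '/Microsoft.Authorization/utLock')]",
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
      ],
      "properties": {
        "level": "[parameters('lockLevel')]",
        "notes": "Created together with the storage account; remove the lock before deleting it."
      }
    }
  ]
}
'@

# Write the template to a temp file so it can be validated and deployed.
$templateFile = Join-Path ([System.IO.Path]::GetTempPath()) 'storage-with-lock.json'
Set-Content -Path $templateFile -Value $template -Encoding UTF8

$deployParams = @{
    ResourceGroupName       = 'UT-RG'
    TemplateFile            = $templateFile
    TemplateParameterObject = @{ storageAccountName = 'utlockdemo01' }   # hypothetical name
}

# Validate first: a wrong lock name or apiVersion fails here instead of mid-deployment.
$validation = Test-AzResourceGroupDeployment @deployParams
if ($validation) {
    $validation | ForEach-Object { Write-Error $_.Message }
    return
}

New-AzResourceGroupDeployment @deployParams -Name 'storage-with-lock' -Verbose

# Confirm the lock now exists on the new account.
Get-AzResourceLock -ResourceGroupName 'UT-RG' `
    -ResourceType 'Microsoft.Storage/storageAccounts' `
    -ResourceName 'utlockdemo01' |
    Select-Object Name, @{ n = 'Level'; e = { $_.Properties.level } }, ResourceId
```

Because the lock is part of the same deployment, the account is never in an unlocked state between creation and locking; the dependsOn entry guarantees the ordering.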

Create Resource Lock using PowerShell

Placing a lock on an entire resource group is useful when you want to be sure that none of the resources in that group can be deleted; a CanNotDelete lock on the resource group UT-RG, for instance, protects every resource inside it. To remove a lock, use the Remove-AzureResourceLock cmdlet (Remove-AzResourceLock in the current Az module) and make sure you pass the correct ResourceId or LockId, since a wrong identifier will either fail or remove a different lock.
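The script below is an added example, not the author's original snippet. It locks the resource group UT-RG with the current Az cmdlets, shows that the lock is inherited by resources inside the group (the inheritance and lock-level behaviour described earlier), removes the lock by its LockId, and finishes with a small audit of groups that have no lock protecting them. It assumes the Az module and an authenticated session; the lock name UT-RG-NoDelete is hypothetical. Step 3 attempts a real delete to prove the lock works, so run it only against a test group.

```powershell
# Added example: lock the resource group UT-RG, prove the lock is inherited by a
# child resource, then remove the lock by LockId. Assumes the Az module and an
# authenticated session. The lock name is hypothetical.

$rgName = 'UT-RG'

# 1. Create a CanNotDelete lock at resource-group scope. -ErrorAction Stop aborts
#    the script if the lock is not created, so the delete test below never runs
#    unprotected. LockNotes documents why the lock exists (visible in the portal).
$lock = New-AzResourceLock -LockName 'UT-RG-NoDelete' `
    -LockLevel CanNotDelete `
    -LockNotes 'Protects mission-critical resources; remove only through change control.' `
    -ResourceGroupName $rgName -Force -ErrorAction Stop

# 2. List the locks that apply to the group. -AtScope returns locks at (or above)
#    the group scope instead of every lock on the resources beneath it.
Get-AzResourceLock -ResourceGroupName $rgName -AtScope |
    Select-Object Name, @{ n = 'Level'; e = { $_.Properties.level } }, ResourceId

# 3. Inheritance check: deleting any resource inside the group is refused with
#    error code ScopeLocked, even for an Owner, until the lock is removed.
#    Destructive if the lock did not apply, so use a test group.
$child = Get-AzResource -ResourceGroupName $rgName | Select-Object -First 1
if ($child) {
    try {
        Remove-AzResource -ResourceId $child.ResourceId -Force -ErrorAction Stop
        Write-Warning "Unexpected: $($child.Name) was deleted; the lock did not apply."
    }
    catch {
        Write-Host "Delete of $($child.Name) blocked: $($_.Exception.Message)"
    }
}

# 4. Remove the lock by LockId (the full ARM id of the lock resource). This is
#    safer than removing by name when the same lock name exists at several scopes.
Remove-AzResourceLock -LockId $lock.LockId -Force

# 5. Audit helper: resource groups with no lock at their own scope or above.
function Get-UnprotectedResourceGroup {
    Get-AzResourceGroup | Where-Object {
        -not (Get-AzResourceLock -ResourceGroupName $_.ResourceGroupName -AtScope)
    } | Select-Object ResourceGroupName, Location
}
Get-UnprotectedResourceGroup
```

The audit function is the part worth keeping around: run it on a schedule and alert when a group that is supposed to be locked shows up, since lock removal by an Owner leaves no trace other than the activity log entry for the Microsoft.Authorization/locks/delete action.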

Azure has also brought lock support to the portal. To do the same thing there, open the resource, resource group or subscription you want to lock, select Locks under Settings, give the lock a name and a lock level, and you are protected against the kinds of mishap described above. The same blade lets you set an entire subscription to ReadOnly, which is a quick containment step if you suspect malicious activity, as long as you remember that any Owner or User Access Administrator can lift the lock and that it is therefore no substitute for revoking that account's access.

 

Author Credits: This article was written by Utkarsh Pandey, Azure Solution Architect at 8KMiles Software Services and originally published here.

 

Enhanced Security In Cloud Computing – A Traditional Approach In Modern Technology

Cloud computing is now part of our day-to-day activities, and we cannot deny that almost every smartphone application is integrated with the cloud. Data that is uploaded to, stored in or downloaded from the cloud needs to be secured both at rest and in transit.

Watermarking is an authenticity technique that helps secure data and so enhances cloud security. Have you ever thought about how we use watermarking in everyday life, and how it is present in our wallets and purses? Yes, I am talking about currency notes, which carry a watermark.

Can this be digitized? It already has been: the TV channels we watch are digitally watermarked with a logo, be it BBC or a local channel.

Consider bringing this traditional watermarking technique to cloud computing, where it can help prevent breaches and alleviate the security threats that have grown along with the technology.

We all know that the cloud business model delivers on-demand, pay-for-use IT services with economies of scale over the Internet. Virtualized data centers combine to form the cloud. Because many tenants' data resides on the same cloud, the cloud must be designed to be secure and private: a breach means data is compromised. Cloud platforms are built dynamically through virtualization from provisioned hardware, software, networks and data sets, the idea being to migrate desktop computing to a service-oriented platform running on virtual server clusters in data centers.

We need to identify best-practice processes for cost-effective security enhancement in cloud computing, and watermarking has been analyzed as fitting this category. Increasing public cloud usage through security-enhanced clouds, for example ones that use digital watermarking techniques, improves revenue for cloud service providers and their clients.

Digital watermarking is a method that can be applied to protect documents, images, video, software and relational databases. These techniques protect shared data objects and massively distributed software modules.

Combined with data coloring, it can help prevent data objects from being damaged, stolen, altered or deleted. Protecting a data center must start with securing the cloud resources and upholding user privacy and data integrity.


This approach could be more cost-effective than relying on traditional encryption and firewalls alone to secure clouds. It can be used to protect data-center access at a coarse-grained level and data access at a fine-grained, file level. It can be linked with security as a service (SECaaS) and data protection as a service (DPaaS) and used for personal, business, finance and digital government data, strengthening user authentication and tightening data access control in public clouds.

Public watermarked clouds are an effective solution to security threats
They help ensure confidentiality, integrity and availability in a multi-tenant environment. Computing clouds with enhanced privacy controls demand ubiquity, efficiency, security and trustworthiness.

Effective trust management, guaranteed security, user privacy, data integrity, mobility support and copyright protection are crucial to the universal acceptance of the cloud as a ubiquitous service. Effective, low-cost use of public clouds leads to satisfied customers.

This post has thus identified the different security threats in cloud computing and a best-practice process for cost-effective security enhancement, which will in turn benefit the organization.

Author Credits: This article was written by Ramya Deepika, Cloud Architect at 8KMiles Software Services and originally published here.

EzIAM – IAM Made Easy on Cloud

8KMiles’ EzIAM combines the power of a reliable user provisioning and user management solution with the benefits of an AWS-hosted, cloud-based deployment model. Whether your organization wants to provision users to cloud-based and on-premises applications or to provide user management for end users, 8KMiles EzIAM offers robust capabilities for user management, user provisioning and access requests.