Last week on the Cloud Clinic we talked about what bad things can happen to your cloud when technical people have all the wrong access to your cloud assets. We’re talking costs running amok, unstable work environments that are prone to environment drift and that cause your development to slow down to a crawl, and the risk of mistakes that should not be possible to make. Those and more issues are listed in that episode. Check it out: Establishing and monitoring access to different environments (part 1 of 2)

Now, let’s talk about the remedy! What do you do to avoid all the many problems that come from technical people having wrong access to the cloud?

Read on below and find out in this week’s episode!


The Cloud Clinic is a series on the #AzureEnablementShow where we focus on answering caller questions about using the cloud. It is difficult to start out right, and it is difficult to stay on an optimal path in the cloud journey. "I thought the cloud would be better than this, but I have some questions!" This is the show where you can have Your question answered! Please reach out to me on social channels, or comment here, or on YouTube, and we might be answering Your Cloud Clinic Question next!



Establishing and monitoring access to different environments (part 2)

Please enjoy this episode on YouTube:

[https://www.youtube.com/watch?v=8DckLrOulzA]

Here is the episode on Microsoft Learn:
[https://learn.microsoft.com/en-us/shows/azure-enablement/the-cloud-clinic-establishing-and-monitoring-access-to-different-environments-part-2]

It is a remedy in two parts. And of course, you need to lay down a solid strategy and stay the course in practice in your company. This is comparable to finishing that course of penicillin once you feel the symptoms going away. If you don’t, the illness will come back, but it is challenging to stay motivated to continue the cure when you don’t feel sick. Trust me, says the doctor about penicillin. Trust me, says I about the following advice! It is not all that easy to do, but the rewards are well worth it.

There are two remedies to consider: Role Based Access Control and Privileged Identity Management. The former is what the Japanese call “kata”. It’s just good form. The latter is a bit trickier to manage, but when well rolled out, it empowers your organisation so very much!

Role Based Access Control (RBAC)

The way you grant someone, or something (a system), access to resources in Azure is by means of Role Based Access Control (RBAC). The thing about this is that RBAC data is stored in Azure, while the identities of the people accessing the cloud are stored in Azure Active Directory (AAD). When you assign roles to individual user identities directly, that split leads to inconsistent access that is difficult to manage in Azure.

What I propose you do instead is take advantage of the AAD for what it is good at – users and group membership. The AD has “security groups” that are used to group users together to grant them access to something. You put users as members in the group, and then you grant the group, which is just another AD object just like a user identity, access to the intended system!

This means, in Azure, you will see only groups having access. You can create and maintain these as standard groups and standard access using automation, and you can easily automatically audit these groups. This makes your cloud access management cleaner!

Back in your AAD, to grant a person access to a system in Azure is as easy as making them a member of the right security group. AD is GREAT with auditing and managing who is a member of what group. This is what the AD is built for!

The outcome is that you now play to the strengths of each system, rather than ending up in this very uncomfortable split that gives you an inevitable pain in the groin!
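With only groups showing up in Azure RBAC, the audit question “who can actually touch what?” becomes a join between AAD group membership and Azure role assignments. The script below is an added example (not code from the episode); both inputs are constructed, and the field names mimic what `az ad group member list` and `az role assignment list` return, which is an assumption about their shape.

```python
"""Resolve effective Azure access per person through AAD security groups."""
from collections import defaultdict

# Constructed AAD group memberships: group -> set of user principal names.
GROUP_MEMBERS = {
    "sg-web-devs": {"alice@example.com", "dave@example.com"},
    "sg-db-maintainers": {"carol@example.com"},
    "sg-all-engineers": {"alice@example.com", "carol@example.com", "dave@example.com"},
}

# Constructed role assignments: groups only, as the post recommends.
# SUB-ID is a placeholder subscription id.
ROLE_ASSIGNMENTS = [
    {"principalType": "Group", "principalName": "sg-all-engineers",
     "roleDefinitionName": "Reader", "scope": "/subscriptions/SUB-ID"},
    {"principalType": "Group", "principalName": "sg-web-devs",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/SUB-ID/resourceGroups/rg-web-dev"},
    {"principalType": "Group", "principalName": "sg-db-maintainers",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/SUB-ID/resourceGroups/rg-db-prod"},
]


def effective_access(group_members, assignments):
    """Map each user to the set of (role, scope) pairs they hold via groups.

    Assignments to non-group principals are skipped here on purpose: with the
    group-only pattern they should not exist, and they are a separate finding.
    """
    access = defaultdict(set)
    for a in assignments:
        if a["principalType"] != "Group":
            continue
        for user in group_members.get(a["principalName"], ()):
            access[user].add((a["roleDefinitionName"], a["scope"]))
    return dict(access)


def _covers(granted_scope, target_scope):
    """True if a grant at granted_scope applies to target_scope (same or parent).
    The trailing slash guards against 'rg-db' matching 'rg-db-prod'."""
    return target_scope == granted_scope or target_scope.startswith(granted_scope.rstrip("/") + "/")


def who_can_write(group_members, assignments, scope):
    """Users holding a write-capable built-in role at `scope` or a parent scope."""
    write_roles = {"Owner", "Contributor"}
    result = set()
    for user, grants in effective_access(group_members, assignments).items():
        for role, granted_scope in grants:
            if role in write_roles and _covers(granted_scope, scope):
                result.add(user)
    return sorted(result)


if __name__ == "__main__":
    for user, grants in sorted(effective_access(GROUP_MEMBERS, ROLE_ASSIGNMENTS).items()):
        print(user, sorted(grants))
    print("can write rg-db-prod:",
          who_can_write(GROUP_MEMBERS, ROLE_ASSIGNMENTS, "/subscriptions/SUB-ID/resourceGroups/rg-db-prod"))
```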

But wait, there’s more!

Use the AAD security group owner to delegate membership

To let group leaders in your projects self-manage who is a member of their team, and consequently who has access to the systems in Azure they oversee, you can delegate ownership of AAD security groups to them!

Regular users in the AAD do not necessarily have the right to add or remove members from security groups. This means they must ask someone else to set up access, say when a new team member joins the team, or revoke access when one leaves. The access administrator role in AAD has this privilege, but that creates an inconvenient bottleneck and leads to an access request granting system that is not very quick and agile.

Instead, what you should do is consider granting security group owner privileges to your team leads. They will then be able to manage membership of the security group themselves! This affords them a limited right to decide who is in the team and so have access to the Azure resources. This little trick is so very valuable it should come in gold!

Privileged Identity Management (PIM) is the next level of access control

Privileged Identity Management is a premium Active Directory feature that allows you to preconfigure access that can be activated only when needed. There are two tough bits here. One is that you need to pay for the AAD P2 license. But again, trust the doctor, it is well worth the money if used properly. Two is that you must invest some effort into fully adopting the feature into your organisation.

It is a bit tricky to configure PIM and that’s why I see organisations struggling to adopt it. You should start with a POC for PIM, if you will, and enable it for one team all the way. Then you take those experiences to learn how to roll out in your company all the way!

PIM means, as alluded to above, that you configure access as the potential to have access, but the user does not really have access right now. It is activated just-in-time by the user. The main power here is that, if a user does not have access to a system, they cannot inadvertently make mistakes and modify that system by accident.

Use multi-factor authentication to further strengthen security

Another great combination here is MFA, or Multi-Factor Authentication. This is a standard feature that means you must use your phone or similar in conjunction with your password to authenticate. It is a great security add-on that almost entirely removes the risk of stolen credentials being used against you.

Combine that with other AAD features such as geofencing, which blocks sign-ins from users who “all of a sudden” attempt to gain access from Russia or China when they were in the office five minutes ago.

Manager approval is another method for controlling access to production

Activation of your access using PIM can be set up in such a way that you have to give written justification for the elevation of privileges. You can require that the activation be linked to a work item explaining why the user needs access, and this can be audited after the fact.

For additional security, though again at the risk of bottlenecks, you can also activate manager approval for users’ PIM activations. Just make sure you don’t have that activated for the support team that would need to phone a manager in the middle of the night on a weekend to grant access during maybe a critical security incident. That’s not going to sit well with upper management. Use this power only where it makes sense, and make sure more than one manager can be on call to grant access!

Don’t forget to audit access and review if a person still needs that extra access

Having limited access also provides useful audit logs so that you can determine who had access to certain environments at specific times. Any time a person accesses a system in Azure it is audited in the Activity Log. The same goes for any time a user elevates access using PIM, and the AAD also audits when users are added to or removed from security groups. Feed all this data into your SIEM system and have it analysed there, for example using Azure Sentinel, which is purposefully built for exactly this type of auditing and security management.
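Two of the reviews this section (and the justification section above) call for, written out as an added example that is not code from the episode: PIM activations whose justification carries no work item or that happen outside office hours, and group membership additions made by someone who is not the group’s delegated owner. Both feeds are constructed stand-ins for an export of the AAD audit log, and the field names, the `AB#1234` work-item convention and the office-hours window are assumptions.

```python
"""Review PIM activations and security-group membership changes from the audit trail."""
import re
from datetime import datetime

# Constructed PIM activation records (simplified, not the exact AAD audit log schema).
ACTIVATIONS = [
    {"user": "alice@example.com", "role": "Contributor", "scope": "rg-web-prod",
     "time": "2023-05-02T09:14:00", "justification": "Hotfix for login bug, work item AB#4412"},
    {"user": "bob@example.com", "role": "Owner", "scope": "sub-prod",
     "time": "2023-05-02T23:40:00", "justification": "need access"},
    {"user": "carol@example.com", "role": "Contributor", "scope": "rg-db-prod",
     "time": "2023-05-03T10:05:00", "justification": "AB#4418 index rebuild"},
]

# Constructed "add member to group" events: who added whom to which group.
MEMBERSHIP_CHANGES = [
    {"actor": "lead-web@example.com", "group": "sg-web-devs", "member": "dave@example.com"},
    {"actor": "helpdesk@example.com", "group": "sg-db-maintainers", "member": "erin@example.com"},
]

# Constructed group owners, i.e. the team leads to whom membership management was delegated.
GROUP_OWNERS = {
    "sg-web-devs": {"lead-web@example.com"},
    "sg-db-maintainers": {"lead-db@example.com"},
}

# Assumed convention: a justification must reference a work item such as AB#1234.
WORK_ITEM = re.compile(r"\bAB#\d+\b")
# Assumed office hours 07:00-18:59; activations outside are reviewed, not blocked,
# because the on-call support case in the post is legitimate.
OFFICE_HOURS = range(7, 19)


def review_activations(activations):
    """Return (finding, user, role, scope) tuples for activations worth a second look."""
    findings = []
    for a in activations:
        if not WORK_ITEM.search(a["justification"]):
            findings.append(("no-work-item", a["user"], a["role"], a["scope"]))
        if datetime.fromisoformat(a["time"]).hour not in OFFICE_HOURS:
            findings.append(("out-of-hours", a["user"], a["role"], a["scope"]))
    return findings


def review_membership(changes, owners):
    """Flag membership additions performed by someone who does not own the group."""
    return [("non-owner-add", c["actor"], c["group"], c["member"])
            for c in changes if c["actor"] not in owners.get(c["group"], set())]


if __name__ == "__main__":
    for finding in review_activations(ACTIVATIONS) + review_membership(MEMBERSHIP_CHANGES, GROUP_OWNERS):
        print(*finding)
```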

Summary

There are so very many things you can do to put proper access control in place, and it brings you so many benefits in terms of saving time and money, and in mitigating the risk of data loss and thwarting attacks. Use proper RBAC with AAD security groups and consider PIM! You will not regret that investment, because you end up saving a ton!



Ways To Improve As A Leader

I was recently on the Evo Nordics’ Evolution Exchange Nordics Podcast together with three other great people to talk about “Ways To Improve As A Leader”. Diogo Del Gaudio, Fredrik Arenhag, and David Božjak. Thanks to Rachel Owen for having us on!

Listen here:

In the episode we covered important topics like:

  • What practical tools and habits do you use to enable you as a leader?
  • How important is office presence when it comes to understanding a team’s efficiency?
  • How does your support circle look: Who do you confide in, where do you get advice, and how does that help you grow?
  • As technology is driving a more current and modern workplace, how do you ensure everyone feels included and has the drive to move forward with you?

We wanted to be mindful and helpful about challenging work-life situations as a leader, and I really think we hit some good solid points!

Enjoy the listen!




This week on The Cloud Show I interview the incomparable Miri Rodriguez who has the deeply fascinating job of “storyteller” at Microsoft. A storyteller in the corporate world is a person who works with a brand to tell the right stories about the brand. A storyteller needs to understand enough about technology to know they are saying the technically right things, and their true skill is to tell a captivating tale about whatever it is that goes on inside the company.


On this episode we talk about how cloud leaders can make sense of the company strategy by telling the right stories both externally, but perhaps even more importantly, internally in the company! Storytelling is THE ONLY WAY to make sure all your employees know to pull together in the same direction. The power of uniform motion created by storytelling inside your business cannot be overstated! Miri knows all about this and is here to talk to us today on The Cloud Show!

Reach out to me if YOU want to be a guest on the Cloud Show, or if you know someone who would make a great guest star! Hope you enjoy the show!

By the way, I particularly like this frame from the show:


About the Show Star Miri Rodriguez: A Latina Immigrant Living in The U.S. A Storyteller, Mindfulness Advocate, Brand Consultant, And International Keynote Speaker. Also, the owner & CEO of Be Mindful Be Happy and the best-selling author of the award-winning book Brand Storytelling. She helps brands big and small design their brand identity and stories for influence and impact. Combining over 15 years of personal branding, design thinking, and storytelling practice, she’s mastered the best ways to design brands and stories that matter: authentic, deeply personal, emotionally connected, and driven by inclusion and empathy. She holds a master’s degree in integrated communications and marketing from Georgetown University and various certifications including Copyrighting, Technical Writing, Design Thinking, Six Sigma, and Prosci Change Management. Miri has published the book Brand Storytelling: Put Customers at the Heart of Your Brand Story.




The question this week in the Cloud Clinic is a very interesting one and one that I see a lot of companies are struggling with and suffering the consequences of not managing optimally!

Too many people have too much access to production, and now our security team is saying this is not compliant and it has to change! In fact, this question is such a doozie that first we will answer – “why is it such a problem if too many people have too much access”. I mean of course other than it not being considered compliant. What problems emanate from incorrect access?

Next week we will delve into how to approach sounder access control – so don’t forget to join us for that!

Read on below and find out in this week’s episode!





Establishing and monitoring access to different environments (part 1)

Please enjoy this episode on YouTube:

[https://www.youtube.com/watch?v=KmmHrNNZdEw]

Here is the episode on Microsoft Learn:
[https://learn.microsoft.com/en-us/shows/azure-enablement/the-cloud-clinic-establishing-and-monitoring-access-to-different-environments-part-1]

It is unfortunately almost always the case that security is fixed when there is a security problem, rather than planned as a first-class concern to avoid a problem happening in the first place. Don’t wait until something bad happens before thinking about security! Plan for the right access control from the beginning, or face a slew of negative consequences later!

What happens when you grant too much access?

  • You might need to live up to a certain security and compliance standard, because your customers require it. This means you can lose customers or fail to gain new ones if your business is not living up to your customers’ requirements. Sort of a consequence by proxy. This can really hurt in the wallet area.
  • If a person has the wrong access, mistakes can occur. It is like inviting the inevitable opportunity for human error. It is also very disrespectful to your employees to put them in the position where they can make bad mistakes, if that situation can be technically avoided, or at least very much mitigated!
  • When you have too much access, you also tend to become careless with such things as leaving test resources around. Because it seems to you that does not really matter, right? You can create those resources, so why not just leave them lying around. Again, this is a slippery and costly slope. There is power in the psychology of “running a tight ship”. When employees feel empowered and like things they do matter and are important, they will behave more responsibly too!

How do companies get into this position?

A big problem is that the person who owns the application security responsibility can often be an administrator with a very busy schedule. They do not want to be bothered by the technical people time and again to do repetitive technical administration for them. Instead, they will grant the technical people “all the access” so that they go away and do technical things. Problem is, now they have too much access!

Use automation to change testing and production environments – never grant individual access

Technically humans “never” have access to production! Only automation may touch production! When that does not fully fill the need, and a human does need to “enter production”, they should be granted minimal access, just-in-time to do the task, and that access should be automatically revoked again.

For development and sometimes test environments, it is more okay to grant more access to “people”. DO still consider granting appropriate access levels. For example – everyone can have Read access. The web developers are “Contributors” on the web resources, but not the databases. The database maintainers have Contributor access to the databases, but not the web apps. I realize I am oversimplifying here, but you get the drift. Consider gravitating to security groups with appropriate access control, rather than lazily granting everyone on the team “all the access”. You’ll thank me later.

Privileged Identity Management (PIM) is a huge area of focus which is wonderful to work with once you have set it up. Reality is that it can be tricky to set it up. The rewards are worth it though. What you get is the situation where your team members are eligible for access, but they don’t have access all the time. When they need access, they can activate their access and make the changes they need to make. Apart from this being very secure and compliant – which is an awesome bonus, the main benefit here is that people who need to activate access to environments to make changes, tend to think more about why they are doing what they are doing, rather than “just doing it”. Word of caution though – the proverbial thumb screws of being required to activate access every time you make a change can become quite annoying. You should use PIM only where you need it the most. For example, in production and test environments that you want to limit “fiddling” in.
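The environment policy from the last three sections, as an added example (not code from the episode): production resource groups and anything broader may carry permanent roles only for automation, humans may be at most PIM-eligible there, and in development humans get access through groups rather than direct grants. The records are constructed; `assignmentState` (“Active” or “Eligible”) is an assumed field, because `az role assignment list` reports only active assignments and PIM eligibility comes from the PIM APIs.

```python
"""Check role assignments against the per-environment access policy."""

# Constructed list of production resource groups; SUB-ID is a placeholder.
PROD_RGS = {"rg-web-prod", "rg-db-prod"}

ASSIGNMENTS = [
    {"principalType": "ServicePrincipal", "principalName": "sp-deploy",
     "roleDefinitionName": "Contributor", "assignmentState": "Active",
     "scope": "/subscriptions/SUB-ID/resourceGroups/rg-web-prod"},
    {"principalType": "Group", "principalName": "sg-web-oncall",
     "roleDefinitionName": "Contributor", "assignmentState": "Eligible",
     "scope": "/subscriptions/SUB-ID/resourceGroups/rg-web-prod"},
    {"principalType": "Group", "principalName": "sg-db-maintainers",
     "roleDefinitionName": "Contributor", "assignmentState": "Active",
     "scope": "/subscriptions/SUB-ID/resourceGroups/rg-db-prod"},
    {"principalType": "User", "principalName": "bob@example.com",
     "roleDefinitionName": "Owner", "assignmentState": "Active",
     "scope": "/subscriptions/SUB-ID"},
    {"principalType": "Group", "principalName": "sg-web-devs",
     "roleDefinitionName": "Contributor", "assignmentState": "Active",
     "scope": "/subscriptions/SUB-ID/resourceGroups/rg-web-dev"},
    {"principalType": "User", "principalName": "alice@example.com",
     "roleDefinitionName": "Contributor", "assignmentState": "Active",
     "scope": "/subscriptions/SUB-ID/resourceGroups/rg-web-dev"},
]


def resource_group(scope):
    """Resource group name from an Azure scope, or None for subscription or
    management-group scope (which is broader than any single environment)."""
    parts = scope.split("/")
    if "resourceGroups" in parts:
        return parts[parts.index("resourceGroups") + 1]
    return None


def check_environment_policy(assignments, prod_rgs=PROD_RGS):
    """Return (finding, principal, rg) tuples that violate the policy."""
    findings = []
    for a in assignments:
        rg = resource_group(a["scope"])
        human = a["principalType"] in ("User", "Group")
        touches_prod = rg is None or rg in prod_rgs
        if human and touches_prod and a["assignmentState"] == "Active":
            # Standing human access to production: should be PIM-eligible or automation.
            findings.append(("standing-prod-access", a["principalName"], rg))
        elif not touches_prod and a["principalType"] == "User":
            # Dev access should flow through a security group, not a direct grant.
            findings.append(("direct-user-grant", a["principalName"], rg))
    return findings


if __name__ == "__main__":
    for finding in check_environment_policy(ASSIGNMENTS):
        print(*finding)
```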

Also have a watch at the next episode that talks about what to do to avoid the problems described in this episode: Establishing and monitoring access to different environments (part 2 of 2).



Slowly but surely your monthly Cloud bill is climbing. If the increase is related to more customers and more business opportunity with a good ROI, that’s great! Congratulations! However, what if it is related to an untidy state of affairs in your cloud house, and unused, unoptimised cloud resources are wasting company money? Well, that’s very bad! How can you tell the difference?

Read on below and find out in this week’s episode!



The Cloud Clinic on The Azure Enablement Show


We are in the Cloud spending money; how do we know we are getting business value from what we are paying for?

Please enjoy this episode on YouTube:

[https://www.youtube.com/watch?v=LB4XAKIh2eQ]

Here is the episode on Microsoft Learn:
[https://learn.microsoft.com/en-us/shows/azure-enablement/the-cloud-clinic-making-sure-youre-getting-full-value-from-your-cloud-spend]

Are you sure you are spending on the right things?

As noted in the intro you MUST know, when you are spending a significant amount of company money on running resources in the cloud, that you are spending the money in the right places! Technically that means you need to add cost management tags to your resources, but that part is just mechanics, and as such it is not very interesting.

What is more important is that you understand in the business what you are willing to spend money on in the cloud! Here is where an experienced technical cloud person will come in handy. This person needs to be a universal translator between businesspeople (normal people, or muggles – as in non-magical/non-technical folks) and tech people (wizards or geeks).

Find out what the business needs, and then make sure you are using the right and appropriate cloud resources for the job! Re-examining your Azure spend on a routine basis helps to ensure that you’re spending wisely. Next…

Find out how to technically measure the right things from the Cloud resources

All cloud resources that cost money for your company can have their performance metrics and cost data collected. Are you using the right resources, but also, are you using them appropriately? Obvious issues such as incorrectly sized machines or incorrectly scaled clusters can spend a lot of money and provide very little value.

Consider using Cloud native tooling to collect the right cost data

In Azure I would personally recommend Azure Monitor. It is a unified and comprehensive monitoring solution for your cloud and on-premises environments. But, hey! If you want to use another tool, knock yourself out! All cost data collected in Azure is Your Data! If you want to take that data and export it to any other analysis service, you are completely free to do so! There is great advantage in using the native tooling of your cloud provider because it is both purpose-built and fully integrated into the offering. This is, again in my opinion, perhaps not the first place where you want to get “creative” or “exotic” in your tool choices.

If your company is not yet well versed in Azure Monitor, this is probably one of the best pieces of advice you can get on your road to the cloud: Invest in your whole team, certainly technical staff, but also business people, and financial operations, to learn what Azure Monitor can do for you!

Make available to business owners a live dashboard of real valuable cost data!

You have business running in the cloud. You have resources deployed. You have tagged them appropriately. The consumption is incurring cost. You collect both performance data and cost data. OK, so far so good!

One critical piece remains – to use the data to perform intelligent analysis and investigate the cost. You need to set up an empowering, live, and useful dashboard that shows what is going on with cost over time! For example, use Azure Dashboards for the more technical staff and project managers, and PowerBI for businesspeople. Get started by skilling your technical team and then creating a performance dashboard!

Good luck on your path to true wisdom in cloud spend!

