A special thanks to Robert Venable, Senior Software Engineer in the Financial Engineering team at Core Services Engineering (formerly Microsoft IT), for sharing his story on empowering development teams while ensuring security and compliance. Thanks also to Scott Hoag, Lead Cloud Solutions Architect at Opsgility, and Rob Dendtler, Account Technology Strategist at Microsoft, for reviewing and providing invaluable feedback.
One of the most common questions that members of the Core Services Engineering and Operations teams hear when speaking with customers in the Executive Briefing Center here in Redmond is how our engineering teams secure our Azure footprint for our line-of-business applications while still delivering. Developers have the freedom to work faster, gain visibility into our environment, and take advantage of Visual Studio Team Services capabilities for CI/CD, release management, and more.
This post focuses on how we use the combination of subscriptions, resource groups, and role-based access control to ensure compliance with a set of policies.
Let's start at the top tier: Azure subscriptions. As you can imagine, CSEO has many line-of-business applications, over a thousand at this time. We loosely follow the Business Unit pattern from the Azure Enterprise Scaffold (prescriptive subscription governance) article.
The Business Unit pattern
In particular, many of our teams have adopted a common mapping onto the Enterprise/Federal/State/Local pattern above. This shared vocabulary provides practical constructs that everyone understands and can relate to, so that we are all on the same page.
What does this mapping look like in practice, with subscription organization examples? From top to bottom:
- Enterprise – This is still the same for us as Enterprise in the Azure scaffold. Enterprise-level items are common concerns across the organization: it could be ensuring we don't count internal consumption of Azure as public revenue, or how secure we are with Azure subscriptions across all our tenants, or other general strategic goals we care about regardless of level. Another way to think about it is how Microsoft reports our quarterly global results: it's company-wide.
- Federal – Our main departments are called Federals. For example, CSEO is one of the Federal groups. At this level, we may have additional policies and procedures, automation running across our area of coverage, or other things specific to that department. This is also typically where larger groups add their own views and the like.
- State – A group of related services or service offerings. For example, the Tax service offering within the Finance IT organization. Here you may have additional policies and procedures such as HIPAA, PCI, and SOX controls and procedures. A State has a set of services that are related to each other.
- Local – A subscription lives here and is associated with a service. Each subscription contains several applications that together provide the functionality that makes up the service. Each application is usually contained in its own resource group. The resource group becomes the container for that application, which is part of the service (the subscription). Sometimes there may also be a shared or common application for the service. The application/resource group level is where the application development team lives, and they are responsible for their footprint in Azure, from security to optimal Azure spend, in everything they do. A development team operating well at this level resolves most of the reporting issues and concerns that are typically raised by the higher levels. If every development team looked at the Azure Security Center blade, the pinned dashboards built from Azure Log Analytics, and the Azure Advisor blades on a daily basis, there would be no need for a department-wide effort to reduce spend, increase efficiency, improve patch compliance, and so on.
This hierarchical construction allows for multiple levels of control and policy while allowing developers to work faster. Here is a typical subscription setup:
An example CSEO subscription for the Tax service
In the resource groups above, the typical components you would see in each of the production resource groups (applications) are the Azure components used to build that particular application, such as:
- Azure HDInsight clusters
- Storage accounts
- SQL databases
- Log Analytics
- Application Insights
- and so on
Each resource group has the specific components for that application. Occasionally, the subscription may have a resource group for general or shared services. These are elements used by all applications of the service, for example:
- A common Log Analytics workspace
- Common blob storage accounts where files are dropped for processing by other services
- An ExpressRoute VNET
There are several applications in our CSEO Tax service, each in its own resource group, such as a data warehouse, Ask Tax (the help web portal and some bots), a calculation engine, an archiving application, reports, and many more.
For resource groups and subscriptions, we apply the principle of least privilege to ensure that only the people who need to get work done have access to resources. Therefore, only the technical owners of the service are Owners of the subscription. No other staff are added at the subscription level. A few specific identities are added to the Reader role, typically accounts used by automated tools.
Only the required identities with the minimum required permissions are added to each resource group. We try to avoid creating custom roles, which create manageability issues over time and at scale.
In the resource groups, the Owner and Reader roles are inherited from the subscription. The VSTS build account identity is added as a Contributor on the resource group for automated deployments. This means that only the service owner and build identities can routinely touch the production service.
In the pre-production resource group, the engineering staff are added to the Reader role. This still means that only the service owner and build accounts can routinely change pre-production, but the engineering team can see what's happening in the resource group. If a developer needs to do some test work, they can't do it in the pre-production or production environment.
There are some variations on this, but they are not common. For example, some teams may want someone from security to be a subscription co-owner, and some teams may even remove people from the equation and use some kind of service account as the subscription owner. Some teams may give engineers more access to pre-production while they are not yet mature in the required automation. It all depends on the needs of the team.
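The role layout just described, as an added audit script (not CSEO's own tooling) that checks a set of role assignments against it; the subscription id, resource group names and identities are constructed placeholders, and the input mirrors the fields of `az role assignment list` output:

```python
"""Audit role assignments against the least-privilege layout described above.
Constructed input mirroring `az role assignment list` fields; ids are placeholders."""
from collections import defaultdict

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id
PROD_RG = SUB + "/resourceGroups/tax-calc-prod"
PREPROD_RG = SUB + "/resourceGroups/tax-calc-preprod"

# Allowed principals per (scope, built-in role). Owner/Reader live only at the subscription
# and are inherited; the build identity is the only Contributor on production; engineers
# are Readers on pre-production only.
POLICY = {
    SUB: {"Owner": {"tax-service-owner"}, "Reader": {"ops-scanner-sp"}},
    PROD_RG: {"Contributor": {"vsts-build-sp"}},
    PREPROD_RG: {"Contributor": {"vsts-build-sp"}, "Reader": {"tax-eng-team"}},
}
BUILTIN = {"Owner", "Contributor", "Reader"}

def audit(assignments, policy=POLICY):
    """Return findings (empty list means compliant) for a list of assignments."""
    findings = []
    present = defaultdict(set)  # scope -> {(role, principal)}
    for a in assignments:
        scope, role, who = a["scope"], a["roleDefinitionName"], a["principalName"]
        present[scope].add((role, who))
        if role not in BUILTIN:  # custom roles become a manageability problem at scale
            findings.append(f"custom role '{role}' for {who} at {scope}")
        if who not in policy.get(scope, {}).get(role, set()):
            findings.append(f"{who} must not hold {role} at {scope}")
    # Every policy entry is also required: a missing build Contributor breaks CI/CD.
    for scope, roles in policy.items():
        for role, principals in roles.items():
            held = {p for r, p in present[scope] if r == role}
            for who in principals - held:
                findings.append(f"missing: {who} as {role} at {scope}")
    return findings

def assignment(scope, role, who):
    return {"scope": scope, "roleDefinitionName": role, "principalName": who}

COMPLIANT = [
    assignment(SUB, "Owner", "tax-service-owner"),
    assignment(SUB, "Reader", "ops-scanner-sp"),
    assignment(PROD_RG, "Contributor", "vsts-build-sp"),
    assignment(PREPROD_RG, "Contributor", "vsts-build-sp"),
    assignment(PREPROD_RG, "Reader", "tax-eng-team"),
]
# Drift: a developer granted Contributor directly on production, plus a custom role.
DRIFTED = COMPLIANT + [
    assignment(PROD_RG, "Contributor", "dev-alice"),
    assignment(SUB, "Tax Deployer", "vsts-build-sp"),
]
```

Run `audit(DRIFTED)` to see the three findings; the same function reports a missing build identity, which is the drift that silently breaks automated deployments.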
Now that we have it all together, what does this mean for the typical roles in the organization?
Developers have access to the pre-production resource group to see what's going on in dev/pre-production/UAT/whatever-you-call-non-production-in-your-company, but they need to get used to using in-platform telemetry tools for debugging, just as they would have to in production. While teams are getting to this level, you may see developers with Contributor-level access to pre-production resource groups. This discipline often results in much richer Application Insights portals and Azure Log Analytics dashboards. As teams mature, they move to implementing a CI/CD system like Visual Studio Team Services using Microsoft Release Management and get really good at creating build and release definitions. Developers also write scripts and automate operational tasks like key rotation.
Security and operations get access through their identities with just-in-time access to virtual machines via Azure Security Center for IaaS and Privileged Identity Management via Azure AD. Some operations teams may use automated tools to query our Azure subscription space for configurations that pose risk, for example looking for a resource group with both a public internet connection point (PIP) and an ExpressRoute circuit, which might be a security risk. These tools use the Reader account identities added at the subscription level.
Another thing implicitly driving this model is the shift of responsibility from a core IT team to the development team. That doesn't mean the concerns change, as security and operations teams are still concerned about compliance and risk. But when the Local development team makes looking at billing, Security Center, and Azure Advisor part of its daily routine, then cost optimization, security compliance, and the concerns that inevitably come from the Enterprise, Federal, and State levels are already taken care of.
Have a question for the engineers at Core Services Engineering? You can contact Lyle Dodge on Twitter at @lyledodge and our team will work to answer your question in a future article here or on the IT Showcase website.