The Azure Cloud Native Architecture Mapbook

Product type: Book
Published in: Feb 2021
Publisher: Packt
ISBN-13: 9781800562325
Pages: 376 pages
Edition: 1st Edition
Authors (2): Stéphane Eyskens, Ed Price

Table of Contents (13 Chapters)

  Preface
  1. Section 1: Solution and Infrastructure
  2. Chapter 1: Getting Started as an Azure Architect
  3. Chapter 2: Solution Architecture
  4. Chapter 3: Infrastructure Design
  5. Chapter 4: Infrastructure Deployment
  6. Section 2: Application Development, Data, and Security
  7. Chapter 5: Application Architecture
  8. Chapter 6: Data Architecture
  9. Chapter 7: Security Architecture
  10. Section 3: Summary
  11. Chapter 8: Summary and Industry Scenarios
  12. Other Books You May Enjoy

Chapter 7: Security Architecture

In this chapter, we emphasize and explain the importance of security in the cloud. We will explore security architecture, explaining the paradigm shift in identity in the cloud. Finally, we will drill into several use cases in order to show the practical applications of our recommendations.

We will more specifically cover the following topics:

  • Introducing cloud-native security
  • Reviewing the security architecture map
  • Delving into the most recurrent Azure security topics
  • Adding the security bits to our Contoso use case

By the end of the chapter, you will have a better understanding of cloud-native security and a better knowledge of recurrent and typical Azure security topics.

Let's begin by reviewing the technical requirements.

Technical requirements

There are no hands-on exercises, so there are no specific technical requirements. All the diagrams and maps are available (in full size) at https://github.com/PacktPublishing/The-Azure-Cloud-Native-Architecture-Mapbook/tree/master/Chapter07.

First, let's introduce cloud-native security.

Introducing cloud-native security

In light of what we have seen so far in previous chapters, we know that the cloud can help us develop and deploy solutions faster and at a better cost. However, that is only true if we also modernize the way that we secure our workloads. Cloud-native security relies on the Shift-Left principle, which consists of integrating security processes earlier in the life cycle of an asset. Considering security from the ground up prevents unexpected delays and surprises later, prior to the production deployment. However, this is easier said than done!

Often, we see developers (usually early adopters) and infrastructure engineers embracing this modernized way of working (with Infrastructure as Code (IaC)), while security remains organized in a traditional way (waterfall and reactive). Often, you must wait weeks, if not more, to have a firewall rule ticket request accepted and implemented. This way of working is the exact opposite of the Shift-Left mindset...

Reviewing the security architecture map

In this section, we will browse the main security-related services, with a special focus on identity, the cloud's primary defense layer. Our objective is to make you realize the importance of identity in Azure. We already covered most of the network plumbing in Chapter 3, Infrastructure Design, so we will now essentially review some service-specific network features. We will also look at the various encryption possibilities, and more globally, how to handle your security posture. Figure 7.1 shows the security areas that we will explore:

Figure 7.1 – The security architecture map

Important note

To see the full security architecture map (Figure 7.1), you can download the PDF file at https://github.com/PacktPublishing/The-Azure-Cloud-Native-Architecture-Mapbook/blob/master/Chapter07/maps/Security%20Architecture.pdf.

Our map has six top-level groups:

  • RECURRENT SERVICES: We will see the different...

Delving into the most recurrent Azure security topics

In this section, we will focus on the most recurrent security features, which are widely discussed and that you will surely be confronted with. They are also not part of the traditional on-premises security arsenal, which often leaves security experts unfamiliar with them. After reading this section, you will be more familiar with these features and more confident in any upcoming security conversations. Let's start with Azure managed identities.

Exploring Azure managed identities in depth

Azure managed identities solve a problem that has been around for ages: storing credentials. We know that we can use Azure Key Vault to store credentials, but we also know that you need another pair of credentials to access the credentials stored in Key Vault.

Where do you store them? We have a chicken and egg problem. That is exactly what managed identities solve. With managed identities, Azure will automatically generate a pair of credentials and make...
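As an added example that is not from the book, the following Python shows how the credentials generated by Azure are made available to code running on the resource: the application asks the local Instance Metadata Service (IMDS) endpoint for a token for the Key Vault audience and uses it as a bearer token, so no secret is ever stored in configuration. The `fetch` parameter and `SAMPLE_IMDS_RESPONSE` are constructed for this example so the flow runs offline; the endpoint, query parameters and response fields follow the public IMDS documentation.

```python
import json
import urllib.parse
import urllib.request

# Link-local IMDS endpoint reachable only from inside the Azure resource.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
KEY_VAULT_RESOURCE = "https://vault.azure.net"


def build_imds_request(resource=KEY_VAULT_RESOURCE, client_id=None):
    """Build the token request for the given audience (no credentials needed)."""
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:  # selects a user-assigned identity; omit for system-assigned
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    # The 'Metadata: true' header is mandatory; IMDS rejects requests without it.
    return urllib.request.Request(url, headers={"Metadata": "true"})


def parse_imds_token(body):
    """Extract the bearer token, its expiry and audience from the IMDS JSON."""
    data = json.loads(body)
    if data.get("token_type") != "Bearer" or "access_token" not in data:
        raise ValueError("unexpected IMDS response")
    return data["access_token"], int(data["expires_on"]), data["resource"]


def key_vault_secret_request(vault_name, secret_name, token):
    """Build the Key Vault REST call authorised with the managed-identity token."""
    url = f"https://{vault_name}.vault.azure.net/secrets/{secret_name}?api-version=7.2"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})


def get_secret_request(vault_name, secret_name, fetch=None):
    """Full flow: IMDS token -> Key Vault request, with no stored credential.

    `fetch` is a hypothetical injection point used here to run offline.
    """
    fetch = fetch or (lambda req: urllib.request.urlopen(req, timeout=2).read())
    token, _expires_on, resource = parse_imds_token(fetch(build_imds_request()))
    if resource != KEY_VAULT_RESOURCE:  # never present a token meant for another API
        raise ValueError("token issued for the wrong audience")
    return key_vault_secret_request(vault_name, secret_name, token)


# Constructed sample response, shaped like the documented IMDS payload.
SAMPLE_IMDS_RESPONSE = json.dumps({
    "access_token": "eyJ0eXAi.CONSTRUCTED.TOKEN",
    "expires_on": "1700000000",
    "resource": KEY_VAULT_RESOURCE,
    "token_type": "Bearer",
})
```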

Adding the security bits to our Contoso use case

In this section, we will review our Contoso use case that we started in Chapter 2, Solution Architecture, and improved in Chapter 5, Application Architecture. However, none of our diagrams included security-specific portions. It is time to fix this and see where to use some of the features that we have explained throughout this chapter. Figure 7.20 illustrates what we ended up with in Chapter 5, Application Architecture:

Figure 7.20 – Reminder of the Contoso use case from Chapter 5

As you can see, there is nothing specific about security. For the sake of simplicity and brevity, we will get rid of the Power BI and Stream Analytics services. So, our new functional flow is now as shown in Figure 7.21:

Figure 7.21 – Revisited flow without Stream Analytics and Power BI

For the security bits, we are interested in the interactions between the components, to understand...

Summary

In this chapter, we introduced the vast security landscape of Azure, which deserves an entire dedicated book. We gave you a glimpse into cloud-native security, and what it implies in terms of mindset and technology choices.

We explained to you why identity is the primary layer of defense in the public cloud, and we highlighted a few trade-offs incurred by a network-centric approach. A network-centric approach is often the default, inspired by decades of traditional on-premises security practice. We saw that Azure has quite a lot of built-in security features and services that we can use to our advantage, not only to secure our Azure workloads but also to secure other clouds and even on-premises systems.

Lastly, we reviewed our initial Contoso use case, from the eyes of a security architect, by adding two specific security views to our diagram. By now, you should be better equipped to tackle Azure-specific security topics as well as to deal with cloud...
