Implementing Continuous Assurance for the project:
The basic idea behind Continuous Assurance (CA) is to set up the ability to check for "drift" from what is considered a secure snapshot of a system. Support for Continuous Assurance lets us treat security truly as a 'state' as opposed to a 'point in time' achievement. This is particularly important in today's context, when 'continuous change' has become the norm.
There can be two types of drift:
Drift involving 'baseline' configuration: This involves settings that have a fixed number of possible states (often predefined/statically determined ones). For instance, a SQL DB can have TDE (Transparent Data Encryption) turned ON or OFF, or a storage account may have auditing turned ON but a log retention period of less than 365 days.
Drift involving 'stateful' configuration: These are settings which cannot be constrained within a finite set of well-known states. For instance, the IP addresses configured to have access to a SQL DB can be any (arbitrary) set of IP addresses. In such scenarios, human judgement is usually required initially to determine whether a particular configuration should be considered 'secure' or not. However, once that is done, it is important to ensure that there is no "stateful drift" from the attested configuration. (E.g. if, in a troubleshooting session, someone adds the IP address of a developer machine to the list, the Continuous Assurance feature should be able to identify the drift and generate notifications/alerts or even trigger 'auto-remediation' depending on the severity of the change.)
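The two kinds of drift check, sketched as an added example (this is not AzSK's code or code from the original post). The setting names, the sample snapshot and the severity labels are assumptions made for illustration; the thresholds come from the examples above.

```python
import ipaddress

# Baseline controls: each setting has a fixed set of acceptable states.
# Setting names are hypothetical; the values follow the examples in the text.
BASELINE = {
    "sql.tde_enabled": lambda v: v is True,
    "storage.auditing_enabled": lambda v: v is True,
    "storage.log_retention_days": lambda v: isinstance(v, int) and v >= 365,
}

def _parse(ips):
    """Parse IP strings so comparison is on addresses, not on text."""
    return {ipaddress.ip_address(ip) for ip in ips}

def detect_drift(snapshot, attested_ips):
    """Return (kind, setting, detail, severity) findings for one snapshot."""
    findings = []
    for key, is_compliant in BASELINE.items():
        value = snapshot.get(key)  # a missing setting is treated as drift
        if not is_compliant(value):
            findings.append(("baseline", key, f"observed {value!r}", "high"))
    # Stateful check: compare against the set a human attested as secure.
    current = _parse(snapshot.get("sql.firewall_ips", []))
    attested = _parse(attested_ips)
    # Severity labels are an assumption: new access is worse than lost access.
    for ip in sorted(current - attested, key=str):
        findings.append(("stateful", "sql.firewall_ips", f"unattested {ip}", "high"))
    for ip in sorted(attested - current, key=str):
        findings.append(("stateful", "sql.firewall_ips", f"removed {ip}", "low"))
    return findings

# Constructed sample data (documentation-range addresses, not real hosts).
ATTESTED_IPS = ["203.0.113.10", "203.0.113.11"]
SAMPLE_SNAPSHOT = {
    "sql.tde_enabled": True,
    "storage.auditing_enabled": True,
    "storage.log_retention_days": 90,  # auditing is ON but retention < 365
    "sql.firewall_ips": ["203.0.113.10", "198.51.100.7"],  # one added, one removed
}

if __name__ == "__main__":
    for finding in detect_drift(SAMPLE_SNAPSHOT, ATTESTED_IPS):
        print(finding)
```

The baseline rules are fixed predicates, while the stateful check needs the attested set as an input, which is why the attestation has to be stored alongside the snapshot it approved.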
Reference:
https://azsk.azurewebsites.net/04-Continous-Assurance/Readme.html