Sunday, November 22, 2015

Course Review: Security in a Cloud-Enabled World

Just recently released, I decided to spend some time watching "Security in a Cloud-Enabled World" on MVA.

Overall I thought it was a pretty good course, although not what I expected it to be.  The course was broken down into 2 sections, the first focusing on Microsoft's role as a Trusted cloud provider and the second being a list of roadmaps that should be considered when clients chose a cloud provider to host their solutions.

Here are a couple of points I made about the course:

1)  It is good to get validated on what I am currently doing.  When I engage as an SA on a project, I review many aspects of the roadmaps outlined in this course.  This is good validation that I am on the right path.

2)  If you want to skip several hours of boring content, just read the poster and do the quizzes. 

3)  I am not a big fan of using "user reviews" when judging how secure a cloud provider or solution is.  In the second module, many references to how users perceived the security/availability of their solutions in the cloud.  Most, as you could expect, were favorable of the cloud.  While interesting material, it has been well documented that security is a lemons market.  While I am not saying that Azure's security stance is bad, I do think that ultimately it is very difficult for customers or end users to make even an educated guess on the subject.

4)  There was an inherent lack of focus on how to do things in Azure.  While I guess that wasn't the point of the course, I think that this material needs to be covered somewhere.  In one module, the presenter talks at length about access to the administrative consoles.  Some info is provided on MFA and about how to configure subscriptions for security, but no info is presented on how to audit these admin accounts, control these admin accounts, tie these admin accounts to PAM toolsets, etc.  I think there is a lot of room for content like this.

Overall it was a good course.  It was well structured, and provides a good framework for review when designing out cloud solutions.

Tuesday, November 10, 2015

Similarities between Medical teams and Agile IT Teams


From my own knowledge/reading and being married to a health-care professional, I've come to see many parallels that makes a discussion about how the field of medicine tackles teamwork and how it is done in IT.

Parallel 1: Team Based Approach

Over the past several years, health-care has become more of a team sport.  Rather than having one individual tend to patient needs, these responsibilities have been spread out to a team of health-care professionals.  This team is meant to act as one, having to gain a shared mental model of the situation, learn to work together while taking the lead from a central actor, and all have specialist knowledge that needs to be surfaced at the right time.

To me, this is essentially what an agile team has become.  Long ago are the days where a single developer/architect/person could hold the complexity of a solution to themselves.  We now have a clear distinction between front-end and back-end developers.  UX is super important, and generally we have a specialist that deals only with that area.  Integration is a different beast then standard storage options, and generally someone with competency in that area is required.  Not to mention other areas such as security, performance, and testing.  Even when those specialists don't exist, someone has to play that role.  In agile teams, these roles are distributed within the team in a "best-fit" format.  Or short-straw, depending on how your scrums go. 

Parallel 2: Roles are sorta-clearly defined in a dynamic way

From offices to the emergency room, medical teams are created (sometimes on the fly) to attend to patient needs.  Generally in these teams, there is a doctor who essentially is the lead.  They job is not only to be the lead, but also know the most.  Of course we know that isn't possible, and hence there are specialists that also make up the team.  Depending on the situation there may be an array of specialized nurses, technicians, or other disciplines.  With recent developments in patient-centric care, a lot of literature on the subject also includes the patient in the team and defines roles and responsibilities for that individual.

This parallels quite well with how agile works.  Regardless of the size of the agile team, there is generally a team lead or scrum master, several team members with varying skill and specialty, the product owner and the stakeholders.  Agile is about a team lead working closely with a product owner to deliver success in a project.

In both cases above, the roles on the team shift depending on who is on the team and what skill sets they bring in.  For example, you may have a technically weak scrum master who is great at communicating and keeping on top of things.  This person may share the role of "lead" with that of a technical guru also on the team.  The same can happen (although with less frequency) in the medical world.  In the event of an emergency, what happens when there is no doctor there to lead the charge?  Somebody has to play that role.

Parallel 3: Teams form, disband, and re-form with different configurations

At an almost breathtaking pace, as compared to IT, medial teams form to deal with a specific case and then re-form to deal with other cases.  This is essentially what happens in agile teams as they transition between projects.  The main difference here is the speed at which this occurs in the medial arena. 

While there are probably more parallels that can be drawn, I think that it is safe to say that there is a lot of overlap between how medical teams operate and how agile IT teams operate.  The medical community has been trying to tackle these concepts for quite some time now.  What interests me the most is the discussion on competency.

Sunday, November 8, 2015

Making the switch to Azure DNS

One service that has been on my radar for some time has been Azure DNS.  Released to preview in May of last year, Azure DNS is yet another offering to compete with already established services from Amazon and Google.

From an IT perspective, I like these services being added to Azure.  It allows for a the creation of a on-stop shop for hosting IT services, allows the creation of a single point for billing, and, utilizing resource manager deployment model, allows for you to create strong RBAC controls around who can manage and maintain the service.

Getting started with Azure DNS is pretty easy, and is detailed quite well in the following Microsoft blog posts:

Getting Started with Azure DNS using Powershell

Create DNS Records

A couple of things I noted during the process:

1)  Some of the operations are offline.  They are clearly marked in the documentation, but keep in mind that the "set" commands are required. 

2)  You need to create record sets for everything, even things with only 1 record.  This is an interesting design decision, and adds to the initial setup.

3)  It is deployed only via Powershell and Resource Manager.  So standard rules/considerations apply around the lifetime of the resource, RBAC considerations, etc.

Making the switch took about an hour or so one night.  Previously, I was using mydomain to host my DNS for shamirc.com.  This has now switched over to Azure DNS.

Follow this link for a pingdom report on the DNS configuration:  Pingdom

Some interesting things for future investigation

1) DNS Performance testing from around the world (and in comparison to Amazon / Google)
2) Actual cost for a production site
3) From a security perspective, eDOS.  All these services charge per million queries.  I wonder what protection mechanisms are in place against queries done on the service
4) DNSSEC Support