Power Up Azure Policy

The goal was clear: risk-based metrics providing a defense-in-depth view of security posture by app team. We knew app teams were competitive. We knew app teams wanted to be empowered. We knew app teams wanted to be secure. We also knew many app teams were unclear on what “secure” meant. We wanted a scoreboard by app team that provided not just the information needed to “score” them, but the information needed to inform them. What inspired us was sharing “our” perspective on security. How does Information Security see security? What is meant by defense-in-depth? Why is security posture important? How do I secure my application from a Security point of view?

The customer wanted to use Azure Policy as the backdrop to provide this visibility; however, Azure Policy is quite limited. It does not support:

  • Risk-Based Scoring — I cannot assign a risk level or an importance level to an audit event. In other words, I cannot declare how vital it is that the policy be met.
  • Defense-In-Depth Categorization — I cannot declaratively categorize the security layer of a policy. Is it a network policy? An identity policy?
  • Tag-Based Reporting — I cannot use the tags assigned to resources to organize policy results by application on the Policy dashboard.
  • Risk-Based Posture Compliance — Since I cannot report by application (or tag), and since I cannot see applied vs. not-applied security by importance or by layer of security control, I cannot assess security posture.
  • Embedded Hyperlinks By Policy — I cannot put a hyperlink on a Policy, so I cannot send the team to an external page that explains the policy (why it exists, how to fix a violation).

I decided to power up Azure Policy with contextualized metadata stored in the policy description field. Note that the description is free text: anyone who can write policy definitions can also change this metadata, so the scoring inherits whatever trust you place in that permission.

The key-value pairs:

  • Risk=High/Medium/Low (this would be better described as importance)
  • Status=Active or not present
  • Layer (where the security control is applied)=Identity, Data, Application, OS/System, Network
  • URL=where to go for more info

In a future release, I will calculate a Security Posture Risk Score based on policy-importance compliance across each security layer (how many High/Medium/Low items exist across the security layers for a given scope, i.e. subscription, resource group, application, etc.). The result: an actual secure score.

The Paradigm of Approach

The POC was created based on the following paradigm.

  • I am familiar with PowerShell
  • I love Log Analytics (LA), Resource Graph Explorer and Kusto
  • Azure Workbooks are easy
  • Power BI is cool, but I feel clumsy in it
  • The Azure Policy description field is editable, and can thereby carry the metadata for an improved solution

The Steps of The Idea

  1. Use local PowerShell to create the infrastructure, which consists of Key Vault, Storage, and Log Analytics
  2. Use local PowerShell to read Azure Policy data and write the results to a .csv placed on Azure Storage. Within this step, use the Policy description field content to supply the metadata that drives the solution
  3. Use Log Analytics' external table capability (externaldata) to parse, map and manage the .csv
  4. Use Workbooks to visualize the results
  5. Migrate step 2 to a function app that runs under a managed identity, and run it on a schedule from then on

The Result

The result is a dashboard with context, including compliance by policy importance, by security layer (the defense-in-depth view), and by application.

A URL sends teams to a specific page that assists with the policy (why it is important, how to fix it, etc.).

Conclusion

The solution demonstrates what would be possible for Azure Policy if it integrated a framework for defining context. It is an idea to help envision how to measure, visualize, and empower teams around security.

The code used to power the result set could also be used as part of a CI/CD process. Pass in the RSG and get back your result. If you have any high-risk items, you don’t pass Go.

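The following is an added example, not the article's code, of the PowerShell side of two ideas on this page: parsing the Risk/Status/Layer/URL pairs out of a policy description, rolling them up into a per-layer posture score as sketched in the "future release" paragraph earlier, and using the same records as the CI/CD gate described just above, which fails on any non-compliant High-risk policy. The `;`-separated key=value layout of the description, the High=3/Medium=2/Low=1 weights, the function names and the sample records are assumptions; in real use the records come from Get-AzPolicyState with the description joined on from Get-AzPolicyDefinition.

```powershell
# Added example, not the article's code. Parses the key=value metadata the article
# stores in the Azure Policy description field, scores posture per security layer
# and implements the "don't pass Go" CI gate. Delimiter, weights and sample data
# are assumptions.

function ConvertFrom-PolicyDescription {
    # Returns Risk/Status/Layer/URL from a description such as
    # "No public blobs; Risk=High; Status=Active; Layer=Data; URL=https://..."
    # Segments that are not one of the four keys (plain prose) are ignored.
    param([AllowEmptyString()][string]$Description)
    $meta = [ordered]@{ Risk = $null; Status = $null; Layer = $null; URL = $null }
    foreach ($segment in ($Description -split ';')) {
        if ($segment -match '^\s*(Risk|Status|Layer|URL)\s*=\s*(\S.*?)\s*$') {
            $meta[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]$meta
}

function Get-PostureScore {
    # One row per security layer: weighted share of compliant policy evaluations.
    # Only Status=Active policies count; built-ins without metadata are ignored.
    param([Parameter(Mandatory)][object[]]$PolicyState)
    $weight = @{ High = 3; Medium = 2; Low = 1 }          # assumption: importance weights
    $rows = foreach ($s in $PolicyState) {
        $m = ConvertFrom-PolicyDescription $s.Description
        if ($m.Status -ne 'Active' -or -not $m.Risk -or -not $weight.ContainsKey($m.Risk)) { continue }
        [pscustomobject]@{ Layer = $m.Layer; Risk = $m.Risk; Weight = $weight[$m.Risk]
                           Compliant = ($s.ComplianceState -eq 'Compliant') }
    }
    $rows | Group-Object Layer | ForEach-Object {
        $total   = ($_.Group | Measure-Object Weight -Sum).Sum
        $failing = ($_.Group | Where-Object { -not $_.Compliant } | Measure-Object Weight -Sum).Sum
        [pscustomobject]@{
            Layer       = $_.Name
            Evaluations = $_.Count
            HighFailing = @($_.Group | Where-Object { $_.Risk -eq 'High' -and -not $_.Compliant }).Count
            Score       = [math]::Round(100 * (1 - ($failing / $total)), 1)   # 100 = fully compliant
        }
    }
}

function Test-PostureGate {
    # CI/CD use: pass in the evaluations for one resource group; any non-compliant
    # High-risk policy fails the build, with the policy's URL for the team to follow.
    param([Parameter(Mandatory)][object[]]$PolicyState)
    $findings = foreach ($s in $PolicyState) {
        $m = ConvertFrom-PolicyDescription $s.Description
        if ($m.Status -eq 'Active' -and $m.Risk -eq 'High' -and $s.ComplianceState -ne 'Compliant') {
            "$($s.PolicyDefinitionName) [$($m.Layer)] $($s.ResourceId) -> $($m.URL)"
        }
    }
    [pscustomobject]@{ Pass = (-not $findings); HighRiskFindings = @($findings | Where-Object { $_ }) }
}

# Constructed sample: the shape of Get-AzPolicyState rows once the definition
# description has been joined on. The built-in policy carries no Status=Active.
$sample = @(
    [pscustomobject]@{ PolicyDefinitionName = 'deny-storage-public-access'; ComplianceState = 'NonCompliant'
        ResourceId  = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app1/providers/Microsoft.Storage/storageAccounts/stapp1'
        Description = 'Storage accounts must not allow anonymous blob access; Risk=High; Status=Active; Layer=Data; URL=https://wiki.example/policy/storage-public' }
    [pscustomobject]@{ PolicyDefinitionName = 'require-nsg-on-subnet'; ComplianceState = 'Compliant'
        ResourceId  = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app1/providers/Microsoft.Network/virtualNetworks/vnet1/subnets/app'
        Description = 'Every subnet needs an NSG; Risk=High; Status=Active; Layer=Network; URL=https://wiki.example/policy/nsg' }
    [pscustomobject]@{ PolicyDefinitionName = 'require-sql-tde'; ComplianceState = 'Compliant'
        ResourceId  = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app1/providers/Microsoft.Sql/servers/sql1/databases/db1'
        Description = 'Risk=Medium; Status=Active; Layer=Data; URL=https://wiki.example/policy/tde' }
    [pscustomobject]@{ PolicyDefinitionName = 'allowed-locations'; ComplianceState = 'NonCompliant'
        ResourceId  = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app1/providers/Microsoft.Web/sites/app1'
        Description = 'This policy enables you to restrict the locations your organization can specify when deploying resources.' }
)

Get-PostureScore -PolicyState $sample | Format-Table -AutoSize

$gate = Test-PostureGate -PolicyState $sample
if (-not $gate.Pass) {
    $gate.HighRiskFindings | ForEach-Object { Write-Warning $_ }
    # In a pipeline task, follow this with: exit 1
}
```

Scoring and gating are kept as two functions on purpose: the score is the dashboard view (a layer can be mostly green and still hide one failing High), while the gate only asks the binary question the pipeline needs. Because the metadata is parsed from free text, a policy whose description is missing `Status=Active` silently drops out of both, so the collector should report how many evaluated policies carried no metadata at all.
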
In general, Azure Policy has to fix some gaps in order to succeed as a go-to audit option. In addition to the items above, there are other issues with Azure Policy:

  • Not all resource provider attributes are exposed — At the time of this writing I cannot see the IP addresses configured in PaaS SQL, nor can I see the public/private settings for storage containers, as an example.
  • Not all resource provider attributes are exposed the same way, even when they are the same attribute — IP addresses configured for one PaaS service may sit in a different attribute tree, with different attribute names, than in another PaaS service.

The net result: I cannot rely on Azure Policy as a comprehensive solution. This function app, and this framework, may help you establish something alongside Azure Policy that provides a meaningful, comprehensive view of security posture, without too much effort.

The detailed steps are listed below.

Step 1 — Create Infrastructure

Run the PowerShell below, locally. This code will create the infrastructure used in this solution. The code is straightforward: create a RSG, a Key Vault, KV users for admin and secret retrieval, a KV access policy for those users, a storage account + container for hosting the resulting csv, SAS tokens (one for each process identity: one for writing, one for reading), and Log Analytics. Output the variables used for the next step.

At the end of this script, variables are written to the screen. Copy and paste these into the next portion of code.
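The step 1 script itself is not reproduced on this page. The block below is an added example, not the article's code, of what that step describes: a resource group, a Key Vault whose access policy lets the audit identity read secrets, a private storage container, two container SAS tokens (write-only for the collector, read/list-only for the Log Analytics reader) kept in Key Vault, and a Log Analytics workspace. Resource names, the location, the 30-day SAS lifetime, the secret names and the `-CollectorObjectId` parameter are assumptions.

```powershell
# Added example, not the article's script: step 1 infrastructure with one SAS
# per process identity. Names, location, secret names and SAS lifetime are assumptions.
param(
    [string]$Location       = 'eastus',
    [string]$ResourceGroup  = 'rg-policyaudit',
    [string]$KeyVaultName   = 'kv-policyaudit',     # must be globally unique
    [string]$StorageAccount = 'stpolicyaudit',      # globally unique, 3-24 lowercase alphanumerics
    [string]$Container      = 'policy',
    [string]$Workspace      = 'la-policyaudit',
    # Entra object id of the identity that will run the audit: your user while the
    # collector runs locally, the function app's managed identity in step 5.
    [Parameter(Mandatory)][string]$CollectorObjectId
)
$ErrorActionPreference = 'Stop'

New-AzResourceGroup -Name $ResourceGroup -Location $Location -Force | Out-Null

# Key Vault. New-AzKeyVault adds an access policy for the caller (the admin who
# writes the secrets); the collector is limited to reading secrets.
New-AzKeyVault -Name $KeyVaultName -ResourceGroupName $ResourceGroup -Location $Location | Out-Null
Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -ObjectId $CollectorObjectId -PermissionsToSecrets get

# Storage: no anonymous blob access, HTTPS only, private container.
$sa = New-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount -Location $Location `
        -SkuName Standard_LRS -Kind StorageV2 -MinimumTlsVersion TLS1_2 `
        -AllowBlobPublicAccess $false -EnableHttpsTrafficOnly $true
New-AzStorageContainer -Name $Container -Context $sa.Context -Permission Off | Out-Null

# Two SAS tokens, one per process identity. The collector can only create/overwrite
# blobs; the Log Analytics externaldata() reader can only read and list.
$expiry   = (Get-Date).AddDays(30)
$writeSas = New-AzStorageContainerSASToken -Name $Container -Context $sa.Context `
              -Permission cw -ExpiryTime $expiry -Protocol HttpsOnly
$readSas  = New-AzStorageContainerSASToken -Name $Container -Context $sa.Context `
              -Permission rl -ExpiryTime $expiry -Protocol HttpsOnly

# The tokens go into Key Vault with the same expiry as the SAS, never onto the screen.
$secrets = @{ 'policy-csv-write-sas' = $writeSas; 'policy-csv-read-sas' = $readSas }
foreach ($name in $secrets.Keys) {
    Set-AzKeyVaultSecret -VaultName $KeyVaultName -Name $name -Expires $expiry `
        -SecretValue (ConvertTo-SecureString $secrets[$name] -AsPlainText -Force) | Out-Null
}

$la = New-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $Workspace `
        -Location $Location -Sku PerGB2018

# Variables for step 2: names and ids only, the SAS tokens stay in Key Vault.
[pscustomobject]@{
    ResourceGroup  = $ResourceGroup
    KeyVaultName   = $KeyVaultName
    StorageAccount = $StorageAccount
    Container      = $Container
    WorkspaceId    = $la.CustomerId
}
```

Splitting the SAS by identity is the point of the exercise: the collector never needs to read the container, and the query side never needs to write to it, so a leaked read token cannot be used to tamper with the compliance data that drives the scoreboard. When a token expires, mint a new pair and overwrite the two secrets; the collector picks them up on its next run.
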

Step 2 — Run Audit PowerShell Locally

The above step will output variables to the screen. Copy these variables and paste them into the top section of the following code. This will enable the code to execute against the infrastructure you just created. In this step, the code will also generate Kusto query output for you to use in Log Analytics to make this entire process work. Some things to note here:

  1. When I ran Azure Policy at the subscription level, some results were left out for some reason. I could only get Azure Policy results to be accurate if I iterated across each RSG in the subscription, so that is what is done.
  2. I don't include it here, but you would need another file that provides the tags for each RSG. This assumes your RSG tag has the application name on it. This customer could figure out app owner via a different method, which is what we used. That method is not explained here either, for security reasons. The point is, you should be able to map application by RSG.

Step 3

Use the queries written to the screen at the end of the prior step to power up the search in this step. This is where the power of metadata and contextualization occurs. The search below starts with the pasted data from above and adds the necessary steps to:

  1. remove garbage headers
  2. union the tables together
  3. parse our necessary metadata fields
  4. create an 'Application' field
  5. summarize results and return the data

You can then save this search as a function in your Log Analytics workspace and call that function from the workbook to get the results. Note that the saved function embeds the storage URL and SAS token that externaldata() uses, so anyone who can read the function or the workbook can read the csv; keep that token read-only and give it an expiry.

Step 4

Create a workbook to visualize the answers by copying the code below and pasting it into a new empty workbook attached to the Log Analytics workspace we created. Within this workbook, we simply call the function we created in LA. This keeps it clean.

Step 5

Place the code used locally (step 2) into the function app you granted rights to within your Key Vault access policy in the first step, and have it sign in with its managed identity (Connect-AzAccount -Identity) instead of a user login. This function app will then run, and this solution will update the result set on a set schedule.

Nice To Haves

History. :) I will leave that for someone else to do.

Translated from: https://medium.com/@chuckj67/power-up-azure-policy-6d773bd5cd8b
