Paul K space : Opening Capability by Integrating No-Code Solutions

Alex on the Azure Practice call - LBG not understanding the potential behind using Policy to not just Deny…

(tick) Client has a technology that they already use

(tick) We have an Engineer in with them knowing that they can do more with it

(error) From the experienced LBG team we know that the client would prove difficult to invest in discovery given recent experience

(error) With Security and Policy being such a key factor in the picture, a proof delivering an integrated solution even into dev would be - to say the least - a pain.. and slow!

(error) We are aware that LBG have (Justin?) shown preference towards no-code and a more cost-sustainable implementation - or at least part-implementation model

(question) So how can we get next to this tech and show them “we can help you do more.. and better”?

(lightbulb) If we can show them that without one addition or change to their use of policy - right now - we can also show them a better way of working

So we could piggyback off their Policy usage (or run standalone for a demo) with a blanket Deny, as they use, and use that data to make decisions for them (as they do all day long with financial decision calculation). If we make it so that it not only works today, but that they don't have to pay us to maintain it, that would be a winner for them… if they would let us demo….

Soo…….

Given that we have the potential to convince LBG that we can extend their existing Policy setup, we can identify a current Policy event that, being a blanket Deny, leads to a process or workflow, and evaluate whether we could introduce a measurable change there. Because post-alert actions could require no security or traditional delays, this is where we introduce the client to the potential options using Microsoft Power Platform.

Finding any process that utilises a Microsoft Connector or an Azure Connector to respond with automation, or even to do something simple like create a cross-department approval flow (I know that's a pain there), could get us that all-important branch back into the beast.


If LBG are already using Policy and we want them to see outside the box of what's possible, I thought of some work Jan mentioned a while back to customise actions based on the policy - his example used the compliance state for alerting and monitoring:

https://github.com/gysiedebruyn/azure-policy-iac-terraform

With this you can expand on the Function App to do certain things when specific changes are detected or you can create alerts from the LAW as required.

But depending on what those close to LBG want to chase, with a higher likelihood of further engagement, there are 2 options:

Simple No-Code Solution

More Complex

Some ideas - no filters :P

Emulating the bank setup: where we can access Policy-generated event logs, we mirror the setup and ensure we capture events to a compatible input source for flows.

If we cannot access data directly, we can replicate the behaviour in Jan’s POC, where he leverages policy compliance events to log - so either use it as is or deliver the simple No-Code solution.

A DefaultDeny policy opens a great conversation in my mind, as SecOps people do tend to forget how transferable and still-relevant their skills are (SecOps people, I find, have always been the hardest converts due to a lot of “automate me out” concerns - I mean, they are the last bastion to appreciate what we want to achieve right here :P)

I am more than happy to share my well-used conversion process if you’re interested…

  1. SecOps and the general function deal with Absolutes

    1. these absolutes are yes or no

    2. they are risk categorisation

    3. they are fact verification

The list does go on - but in general they get something, they pick a set of rules that matches that something (using another set of rules) and they chug through that list to verify or categorise and approve.

That my friends is pseudo-code; or specifically no-code.
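The two-stage process described above (one set of rules picks the rule set, which is then run top to bottom to verify, categorise and approve), applied to blanket-Deny policy hits, as an added example that is not part of the original page. The event fields, rule names, region list and the three outcomes are assumptions constructed for illustration, not an Azure or Power Platform schema.

```python
# Constructed sample events: simplified stand-ins for blanket-Deny policy hits.
EVENTS = [
    {"id": "evt-1", "resource_type": "storage", "environment": "dev",
     "owner": "payments", "public_access": False},
    {"id": "evt-2", "resource_type": "storage", "environment": "prod",
     "owner": "", "public_access": True},
    {"id": "evt-3", "resource_type": "vm", "environment": "prod",
     "owner": "platform", "region": "uksouth"},
    {"id": "evt-4", "resource_type": "sql", "environment": "dev", "owner": "data"},
]

# Risk categorisation: anything not listed is treated as high risk.
RISK_BY_ENV = {"dev": "low", "test": "low", "prod": "high"}

# Fact verification and yes/no checks, grouped per kind of request.
RULE_SETS = {
    "storage": [
        ("owner tag present", lambda e: bool(e.get("owner"))),
        ("public access disabled", lambda e: e.get("public_access") is False),
    ],
    "vm": [
        ("owner tag present", lambda e: bool(e.get("owner"))),
        ("approved region", lambda e: e.get("region") in {"uksouth", "ukwest"}),
    ],
}

# The "other set of rules": first matching selector names the rule set to run.
SELECTORS = [
    (lambda e: e.get("resource_type") == "storage", "storage"),
    (lambda e: e.get("resource_type") == "vm", "vm"),
]

def select_rule_set(event):
    return next((name for matches, name in SELECTORS if matches(event)), None)

def triage(event):
    """Return approve / reject / escalate (hand to a human approval flow)."""
    risk = RISK_BY_ENV.get(event.get("environment"), "high")
    name = select_rule_set(event)
    if name is None:  # nothing matches: never auto-approve, send to a person
        return {"id": event["id"], "decision": "escalate", "risk": risk,
                "failed": ["no matching rule set"]}
    failed = [label for label, check in RULE_SETS[name] if not check(event)]
    decision = "reject" if failed else ("escalate" if risk == "high" else "approve")
    return {"id": event["id"], "decision": decision, "risk": risk, "failed": failed}

if __name__ == "__main__":
    for e in EVENTS:
        print(triage(e))
```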