Power-Up Azure Policy

Turning Azure Policy Into A Risk-Based Tool

Chuck Johnson
The Startup


The goal was clear: risk-based metrics providing a defense-in-depth view of security posture by app team. We knew app teams were competitive. We knew app teams wanted to be empowered! We knew app teams wanted to be secure. We also knew many app teams were unclear on what “secure” meant. We wanted a scoreboard by app team that provided not just the information needed to “score” them, but the essential information to inform them. What inspired us was sharing “our” perspective on security. How does Information Security see security? What is meant by defense-in-depth? Why is security posture important? How do I secure my application from a Security point of view?

The customer wanted to use Azure Policy as the backdrop to provide this visibility; however, Azure Policy is quite limited. It does not support:

  • Risk-Based Scoring — I cannot assign a risk level or an importance level to an audit event. In other words, I cannot declare how vital it is that a given policy be met.
  • Defense-In-Depth Categorization — I cannot declaratively categorize the security layer of a given policy. Is the policy a network policy? An identity policy?
  • Tag Based Reporting — I cannot use the tags assigned to resources to organize policy results by application on the…
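What closing those three gaps looks like in practice, as an added example that is not code from the article: an offline Python script that attaches a risk weight and a defense-in-depth layer to each policy definition through the free-form metadata Azure Policy definitions already carry, joins compliance records with resource tags, and produces a per-app-team scoreboard by layer. The metadata keys `riskWeight` and `layer`, the `app-team` tag name, the record shape and all sample data are assumptions made for this example.

```python
# Added example, not code from the article: a per-app-team, defense-in-depth
# scoreboard layered over Azure Policy compliance results. Azure Policy
# definitions carry a free-form "metadata" object; the "riskWeight" and "layer"
# keys are this example's own convention. All data below is constructed.
from collections import defaultdict

DEFS = "/providers/Microsoft.Authorization/policyDefinitions/"
RES = "/subscriptions/s1/resourceGroups/rg-a/providers/"
# Risk metadata the customer attaches to each policy definition (assumed keys).
POLICY_METADATA = {
    DEFS + "deny-public-ip": {"layer": "network", "riskWeight": 5},
    DEFS + "require-mfa-admins": {"layer": "identity", "riskWeight": 8},
    DEFS + "storage-https-only": {"layer": "data", "riskWeight": 3},
}
# Resource tags keyed by resource id (tag name "app-team" is assumed); st2
# carries no tags at all and must therefore land in an "untagged" bucket.
RESOURCE_TAGS = {
    RES + "Microsoft.Network/publicIPAddresses/pip1": {"app-team": "payments"},
    RES + "Microsoft.Compute/virtualMachines/vm1": {"app-team": "payments"},
    RES + "Microsoft.Storage/storageAccounts/st1": {"app-team": "billing"},
}
def record(policy, resource, state):
    # Shape of one policy state entry: policy id, resource id, compliance state.
    return {"policyDefinitionId": DEFS + policy, "resourceId": RES + resource,
            "complianceState": state}
COMPLIANCE_RECORDS = [
    record("deny-public-ip", "Microsoft.Network/publicIPAddresses/pip1", "NonCompliant"),
    record("require-mfa-admins", "Microsoft.Compute/virtualMachines/vm1", "Compliant"),
    record("storage-https-only", "Microsoft.Storage/storageAccounts/st1", "Compliant"),
    record("storage-https-only", "Microsoft.Storage/storageAccounts/st2", "NonCompliant"),
    record("not-risk-rated", "Microsoft.Storage/storageAccounts/st2", "NonCompliant"),
]

def score_by_team(records, policy_metadata, resource_tags, tag_name="app-team"):
    # Returns {team: {layer: {"earned", "possible", "score"}}}, score being the
    # percentage of risk weight earned by compliant results in that layer.
    totals = defaultdict(lambda: defaultdict(lambda: {"earned": 0, "possible": 0}))
    for entry in records:
        meta = policy_metadata.get(entry["policyDefinitionId"])
        if meta is None:
            continue  # no risk metadata on this policy: it cannot be scored
        team = resource_tags.get(entry["resourceId"], {}).get(tag_name, "untagged")
        bucket = totals[team][meta["layer"]]
        bucket["possible"] += meta["riskWeight"]
        if entry["complianceState"] == "Compliant":
            bucket["earned"] += meta["riskWeight"]
    for layers in totals.values():
        for b in layers.values():
            b["score"] = round(100 * b["earned"] / b["possible"])
    return {team: dict(layers) for team, layers in totals.items()}
```

Resources that carry no team tag and policies that carry no risk metadata surface separately (an "untagged" bucket and a skipped record), which is exactly the tagging and metadata hygiene a scoreboard like this ends up enforcing.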

A witness to life; its patterns & flow. A discoverer of the essence of things. A creator of designs through observation. A security architect. Author.