Security, Endpoint Manager, Azure (and more security) – Virtualization review


Ignite Fall 2021 recap: Security, Endpoint Manager, Azure (and more security)

Paul details his personal and totally subjective highlights from the recent conference, which he found more substantial than some of its predecessors.

Microsoft’s recent Ignite virtual conference featured some interesting sessions and announcements this time around, unlike some earlier incarnations of the biannual event. In this article, I will cover my personal and totally subjective highlights. And don’t worry – I won’t waste words on extending the metaverse into Teams via Mesh and appearing as a cartoon avatar instead of my unshaven self on video. While this is cool, it will still be a while before it becomes reality for most of us.

Security – Security – Security
To paraphrase Steve Ballmer, a lot of security products and services are coming out of Microsoft. The recently previewed – and now Generally Available – Defender for Endpoint Plan 1 joins the original Defender for Endpoint, which is now renamed Plan 2. Plan 1 is part of Microsoft 365 E3 but does not support Linux (while covering Android, iOS, macOS, and Windows) or Threat and Vulnerability Management (listing all installed apps and prioritizing which ones you need to upgrade because of known risks). The younger sibling also doesn’t offer Endpoint Detection and Response (EDR), Automated Investigation and Response (AIR), Microsoft Threat Experts, or Advanced Hunting.

At Ignite, a third sibling was announced, Defender for Business, to be part of Microsoft 365 Business Premium (max 300 users) and also available standalone for $3 per user per month. This release also skips Linux support, but only drops Advanced Hunting and Threat Experts, making it a very attractive option for small and medium-sized businesses (SMBs), especially since it will be part of a license that many companies are already paying for.

Microsoft’s famous “let’s rename everything every year to confuse everyone and keep our marketing department busy” approach also struck this time around, as Microsoft Cloud App Security is now Defender for Cloud Apps. Additionally, Azure Defender (paid cloud workload protection) and Azure Security Center (free cloud security posture management) are now Defender for Cloud, with the paid part known as advanced security. This name change makes sense because Defender for Cloud can also handle security for AWS and GCP in multi-cloud deployments, so the name Azure Defender didn’t quite work.

Microsoft Endpoint Manager
MEM came to Ignite with quite a few new features, some focused on work-from-home / hybrid scenarios.

In news that would have given the Steve mentioned above apoplexy, Linux desktops will be manageable by MEM (preview coming “early 2022”, Ubuntu only initially), and you can use Conditional Access policies to control access. Also coming soon is the option to write your own device compliance checks in PowerShell, to verify a BIOS version, for example.
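What such a custom compliance check could look like, as an added example that is not code from the article or from Microsoft: a PowerShell discovery script that reports the BIOS version and Secure Boot state, and the rule file that turns those values into a compliance verdict. It assumes Intune’s documented custom compliance format (a discovery script returning one compressed JSON object, and a rules file with SettingName, Operator, DataType and Operand entries); the baseline version and URLs are placeholders.

```powershell
# Added example, not the article's own code. Intune/MEM custom compliance check
# for firmware: a PowerShell discovery script plus the JSON rule file. Assumes the
# documented contract (script returns one compressed JSON object; each rule's
# SettingName matches a key in it). Baseline version and URLs are placeholders.

# Companion rule file (save as bios-compliance.json and upload with the script).
# Non-compliant when the BIOS is older than the baseline or Secure Boot is off.
$rulesJson = @'
{ "Rules": [
  { "SettingName": "BiosVersion", "Operator": "GreaterEquals",
    "DataType": "Version", "Operand": "1.12.0",
    "MoreInfoUrl": "https://intranet.example.com/bios-baseline",
    "RemediationStrings": [ { "Language": "en_US", "Title": "BIOS is out of date",
      "Description": "Update the firmware to 1.12.0 or later, then re-sync." } ] },
  { "SettingName": "SecureBoot", "Operator": "IsEquals",
    "DataType": "Boolean", "Operand": true,
    "MoreInfoUrl": "https://intranet.example.com/secure-boot",
    "RemediationStrings": [ { "Language": "en_US", "Title": "Secure Boot is off",
      "Description": "Enable Secure Boot in the firmware settings." } ] }
] }
'@

# Discovery script body (runs as SYSTEM on the device).
$bios = Get-CimInstance -ClassName Win32_BIOS

# Vendor strings vary ("1.12.0", "A07", "F.23"); extract a dotted numeric part so
# the Version data type can compare it. On failure report "0.0" so the device
# shows as non-compliant rather than silently passing.
$biosVersion = '0.0'
if ($bios.SMBIOSBIOSVersion -match '(\d+(\.\d+)+)') { $biosVersion = $Matches[1] }

# Confirm-SecureBootUEFI throws on legacy BIOS firmware; treat that as "off".
try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

$discovery = @{
    BiosVendor  = [string]$bios.Manufacturer
    BiosVersion = $biosVersion
    SecureBoot  = $secureBoot
}
return ($discovery | ConvertTo-Json -Compress)
```

The rule JSON is shown inline as a here-string only so both halves sit together; in practice it is a separate file, and a device that fails either rule can then be blocked by a Conditional Access policy.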

You’ll also be able to manage security settings (public preview rolling out now) for devices that cannot be enrolled in MEM – Windows servers, for example – through Endpoint Manager.

A boon to large organizations that use on-premises Configuration Manager, Microsoft Connected Cache is now GA in version 2111. You add this cache to your distribution points and they automatically start caching updates. Organizations that previewed this have seen savings of up to 98% in downloaded bytes through this cache and native Windows 10 update bit sharing. Speaking of updates, if you want to get rid of that task completely, there is now a Microsoft Managed Desktop Plan 1 service that entrusts it to Microsoft engineers.

You can now deploy DMG apps to Macs via MEM, and a simplified setup wizard for iOS / iPadOS will arrive in the first half of 2022. Data Loss Prevention (DLP) is now in public preview on macOS, so you can block printing, copying to USB drives and other actions for sensitive documents, as you can on Windows. MEM has also been extended with more Endpoint Analytics reports for hybrid scenarios, including the new Work from anywhere report.

But by far the biggest new MEM feature for me at Ignite is the new Remote help. This has been a glaring omission for many years, a feature built into most other endpoint management solutions. Now help desk staff can connect to devices (including those of staff working at home) and view their screens. True to form, Microsoft provides strong RBAC permissions for who can connect, and admins can also control what actions can be performed during a remote help session.

[Image: Remote help permissions (source: Microsoft).]

Finally, Microsoft added support for Android Open Source Project (AOSP) to MEM (public preview). This operating system – often used in purpose-built devices – will initially work with RealWear devices, but this will expand to others. AOSP devices do not have access to Google services such as the Play Store and therefore require special attention to work well with MDM.

Azure
There was a lot of new Azure, my favorite being the new Chaos Studio. Pioneered by Netflix, Chaos Engineering is the concept of randomly turning off or “degrading” components of your infrastructure to ensure that architects and engineers really build in resiliency, and also test it in production. This public preview comes with an experiment designer where you can add multiple steps and branches and inject one or more faults. The faults include powering off individual virtual machines or virtual machine scale sets, failover of a Cosmos DB, modifying a Network Security Group (NSG) rule, eight different Azure Kubernetes Service (AKS) faults, and adding CPU / physical memory / virtual memory / disk I/O pressure, just to name a few. The designer also allows you to add delays between actions to test different scenarios.

[Image: Azure Chaos Studio experiment designer, adding a fault.]

While few companies will be ready to start turning off virtual machines (or the services inside those virtual machines) in their lift-and-shift migrated cloud infrastructure, Chaos Studio will be a great addition when you want to test an architecture under load before it goes into production. It will also be useful for cloud-native workloads to increase confidence in their resiliency.

As you can imagine, there are strict controls around Chaos Studio. For example, only resources that have been explicitly onboarded can be targeted, and only by staff with specific RBAC permissions. Chaos Studio also has a managed identity in Azure AD, and unless that identity has been granted access to the resources, experiments will not run. And you can stop an ongoing experiment if everything goes horribly wrong. Chaos Studio is free during the public preview (GA scheduled for April 2022), after which there will be a per-minute cost for a running experiment, but that would apparently only serve to cover Microsoft’s costs.

Until Ignite, if you were running a third-party Network Virtual Appliance (NVA) in high-availability mode with multiple instances, you had to configure and manage your own load balancer in front of it. The new Azure Gateway Load Balancer is a fully managed service that hides that complexity: you just define the network functionality you need and it takes care of the rest.

If you want to run apps in containers in Azure, there are a few options. On the one hand, there’s Azure Container Instances (ACI), where you get one or more managed containers and simply deploy your code, with very few configuration options. At the other end of the spectrum is AKS, with a full-fledged Kubernetes environment; while it is managed by Microsoft, there is a lot of configuration and ongoing maintenance left to you. In between is the new Azure Container Apps, an application-centric serverless hosting service where you deploy your application code in containers and rely on Kubernetes Event-driven Autoscaling (KEDA), Distributed Application Runtime (Dapr) and Envoy for autoscaling, microservices integration, and proxying.
