...

It is crucial to understand that most of the landing zone setup can be, and is, done only by the client themselves. See https://unique-ch.atlassian.net/wiki/spaces/PUB/pages/434896928436536285/Get+started+with+a+Customer+Managed+Tenant#Responsibilities for which tasks these are.

...

  • More control over incoming changes

  • Fewer if not minimal lateral movement risks

  • A tight grip on the principle of least privilege, as no human needs privileged access anymore except in escalations

  • An easily obtained audit trail

  • A modern-day approach of collaboration


Note that the more the client automates, the fewer of the roles and permissions outlined below are needed. How much of the setup is automated on the client side also has a pricing and timeline impact, as human actions always take longer than those of machines.

This degree of automation is top-notch and a dream to many 🫧 Unique nevertheless works on providing the best risk mitigations possible. The more of this automation is implemented, the more secure the solution becomes overall.

Once more, remember that depending on the https://unique-ch.atlassian.net/wiki/spaces/PUB/pages/434896928436536285/Get+started+with+a+Customer+Managed+Tenant#Responsibilities, it is up to one of the parties to mitigate this risk.

...

This separation primarily targets the https://unique-ch.atlassian.net/wiki/spaces/PUB/pages/436043790436536301/Reference+Architecture+CMT#Risk-based-approach and is not mere decoration.


Unique advises segregating resources at resource group level using the following groups:

...

The content of the main group is primarily based on https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/containers/aks-pci/aks-pci-ra-code-assets. Besides the infrastructure requirements, some more resources are recommended to be deployed in order to run (blue star).


Roles


To understand the content of this section, the Azure documentation on custom roles at https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles must be read and understood.
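As an added example that is not part of this page or of Unique's own setup, the following Python check lints an Azure custom role definition for the two properties discussed above: assignable scopes limited to single resource groups, and no wildcard or RBAC-modifying permissions that would undermine least privilege. The role names, the subscription id and the resource group `rg-main` are constructed assumptions.

```python
# Added example: lint Azure custom role definitions (JSON shape as used by
# `az role definition create`) for resource-group scoping and least privilege.
# Role names, subscription id and "rg-main" are constructed assumptions.
from fnmatch import fnmatchcase
import re
from typing import Dict, List

RG_SCOPE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$")
# Operations that let a principal widen its own permissions.
ESCALATION_ACTIONS = (
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
)

def _granted(perm: Dict, action: str) -> bool:
    """True if `action` is matched by Actions and not excluded by NotActions."""
    allowed = any(fnmatchcase(action, p) for p in perm.get("Actions", []))
    denied = any(fnmatchcase(action, p) for p in perm.get("NotActions", []))
    return allowed and not denied

def lint_custom_role(role: Dict) -> List[str]:
    """Return a list of findings; an empty list means the role passes."""
    findings: List[str] = []
    scopes = role.get("AssignableScopes", [])
    if not scopes:
        findings.append("no AssignableScopes: role cannot be assigned anywhere")
    for scope in scopes:                       # only single resource groups
        if not RG_SCOPE.match(scope):
            findings.append(f"scope broader than one resource group: {scope}")
    for perm in role.get("Permissions", []):
        for pattern in perm.get("Actions", []):  # "*/read" is the one benign wildcard
            if pattern.startswith("*") and pattern != "*/read":
                findings.append(f"global wildcard action: {pattern}")
        for action in ESCALATION_ACTIONS:        # role must not be able to change RBAC
            if _granted(perm, action):
                findings.append(f"role can modify RBAC via {action}")
    return findings

# Constructed sample roles (assumptions, not Unique's real role definitions).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
OPERATOR_ROLE = {
    "Name": "aks-operator (example)",
    "AssignableScopes": [SUB + "/resourceGroups/rg-main"],
    "Permissions": [{"Actions": ["Microsoft.ContainerService/managedClusters/read",
                                 "Microsoft.Authorization/*/read"], "NotActions": []}],
}
OVERLY_BROAD_ROLE = {
    "Name": "landing-zone-admin (example)",
    "AssignableScopes": [SUB],
    "Permissions": [{"Actions": ["*"], "NotActions": []}],
}
```

Running `lint_custom_role` on the two samples yields no findings for the operator role and four for the subscription-wide wildcard role.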


...

Governance

Owner: see parent, Dominik Meyer