Versions Compared

Old Version 14

changes.mady.by.user Daylan Araz

Saved on

compared with

New Version Current

changes.mady.by.user Daylan Araz

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

To understand all further references in this document, the Azure Hierarchy as well as the basic principles of Azure Entra ID (and its permissions) have to be understood.

...

  • Data exfiltration in general (someone or Unique extracting/stealing data of any classification but naturally mostly classified data)

  • Data exfiltration via the Kubernetes Data Plane

  • Data exfiltration via Privileged Roles

  • Misconfiguration of Cloud Resources

  • Over-Provisioning or cost escalations

  • Security vulnerabilities in third-party application applications which could also result in data exfiltration

...

Note

Unique always uses and means to advice to use PIM and does not repeat that statement in every chapter and section. PIM and PIM only!

Reference

Overall concept

Uniques Unique's reference architecture bases is based mainly on two key concepts from Microsoft:

...

  • More control over incoming changes

  • Fewer if not minimal lateral movement risks

  • A tight grip on the principle of least privilege as no human needs privileged access anymore except in escalations

  • An easy to get audit trail

  • A modern-day approach to collaboration

...

Drawio
1710338052456
mVer2
zoom1
simple0
inComment0
custContentId665813410
pageId436536301
lbox1
diagramDisplayNameUntitled Diagram-1721331319020.drawio
contentVer1
revision1
baseUrlhttps://unique-ch.atlassian.net/wiki
nameseparation Copy
pageid379781121
timestampdiagramNameUntitled Diagram-1721331319020.drawio
pCenter0
width638.8299999999999
links
tbstyle
height670

Note that the more the client automates, the less fewer of the roles and permissions outlined below are needed. How much of the setup is automated from the client side also has a pricing and timeline impact as human actions always take longer than those of machines.

...

This separation targets primarily https://unique-ch.atlassian.net/wiki/spaces/PUB/pages/445972604/Reference+Architecture+CMT#Risk-based-approach and is not only decoration.

...

Drawio
mVer2
zoom1
simple0
inComment0
custContentId666010183
pageId436536301
lbox1
diagramDisplayNameUntitled Diagram-1721331421346.drawio
contentVer2
revision2
baseUrlhttps://unique-ch.atlassian.net/wiki
nameResource Groups
diagramAttachmentIdatt476676253
containerId436536301
timestamp1712132491800

...

diagramNameUntitled Diagram-1721331421346.drawio
pCenter0
width412.48
links
tbstyle
height500

Unique advises segregating resources at a resource group level using the following groups:

Group

Content

High-level permissions

Main

Primary resources needed to run (blue star) but no resources that contain data.

The responsible party (can be Unique or the client, see Responsibilities) mostly works within this resource group if ever.

Sensitive

All customer data which mainly consists of prompts and files, all the embedding of uploaded files, and encryption keys.

Unique should have the least possible privilege (and only JIT) of to this group. Actually, no human should have too much access to this, see Automation.

Audit

CentralisedCentralized, tamper-safe audit logs of (blue star) .

Unique and their workloads can only one-way emit into this resource group, there is no way to read. Modifications to this resource group should preferably only be made by the client or via Automation.

Vnet

Networking setup, whereof where some limited internet access is needed to pull the content of https://unique-ch.atlassian.net/wiki/spaces/PUB/pages/436536544

Naturally, most clients prefer to administer this part of the infrastructure themselves as it has a colossal security impact, if Unique should take care of it, the Automation approach is recommended above all manual actions.

Terraform

Store terraform states.

Few individuals with a specific role or the Automation should have access to this group as here the state of the whole infrastructure gets saved.

...

The content of the main group, primarily based on https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/containers/aks-pci/aks-pci-ra-code-assets. Besides the Infrastructure requirements, some more resources are recommended to be deployed in order to run (blue star).

Gliffy
imageAttachmentIdatt476577970
macroId81166eb0-9ebd-4555-b065-e7197ee7323a
baseUrlhttps://unique-ch.atlassian.net/wiki
nameRGs
diagramAttachmentIdatt476250183
containerId436536301
timestamp1712135171525

...

Roles

Panel
panelIconId1f4d1
panelIcon:bookmark_tabs:
panelIconText📑
bgColor#FFF0B3

To understand the content of this section, https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles must be read and understood.

...

Drawio
mVer2
zoom1
simple0
inComment0
custContentId665879265
pageId436536301
lbox1
diagramDisplayNameUntitled Diagram-1721333282094.drawio
contentVer1
revision1
baseUrlhttps://unique-ch.atlassian.net/wiki
nameCustom Roles
diagramAttachmentIdatt476708886
containerId436536301
timestamp1712133385150

...

diagramNameUntitled Diagram-1721333282094.drawio
pCenter0
width441.60009765625
links
tbstyle
height350.280029296875
Drawio
mVer2
zoom1
simple0
inComment0
custContentId667353128
pageId436536301
lbox1
diagramDisplayNameUntitled Diagram-1721385429338.drawio
contentVer2
revision2
baseUrlhttps://unique-ch.atlassian.net/wiki

...

diagramNameUntitled Diagram-1721385429338.drawio
pCenter0
width876.6999999999999
links
tbstyle
height381

...

Author

See Parent