5th #AzureGov Meetup – How to get an App ATO, L4 certification update, P-ATO, PowerBI Embedded

July 9, 2016

The fifth #AzureGov meetup took place on June 29th at Microsoft’s K Street office.

Like the previous meetups, this meetup also began with a  networking session. A hot topic of conversation amongst the attendees was the recent announcement about AzureGov achieving high impact provisional authority  (P-ATO) – highest impact level for FedRAMP accreditation.  In other words, AzureGov can now host high-impact level data and applications. This was seen by many as a turning point in AzureGov adoption by federal and state agencies.

After the  networking session, Nate Johnson, Senior Program Manager in the Azure Security Group, presented an insightful session on how apps can achieve ATO.  He talked about the six step process for apps to achieve ATO.

 

 

image

Nate also talked about how AzureGov team can help customers in achieving an ATO for their apps including  Azure SME support, customer responsibility matrix, security documentation, blueprints and templates.

imagecontrol

The next session was presented by Aaron Barth. Principal PFE, Microsoft Services. Aaron’s session built on the FedRAMP process outlined by Nate earlier. Aaron provided a “practitioners perspective” based on his recent experience in going through ATO process for a client of his. As a developer himself,  Aaron was able to demystify, what appears to be  an onerous process  of  documenting every security control in the application. He explained that  by building on a FedRAMP compliant platform,  a large chunk of the documentation requirements were addressed by the cloud provider (AzureGov).

The following slide (also from Aaron’’s  deck) was very helpful in depicting i) how the various  security controls maps to different tiers of the application ii) how the number of ATO controls that you are responsible for (as an app owner), goes down significantly as you move from on-premises, IaaS and PaaS.

image

The next presentation was from Brett Goldsmith of AIS. Brett presented a brief  demonstration of how his team, using the  FBI UCR dataset,  built a nice looking visualizations using Power BI Embedded.

Finally, I tried to answer a question that has come up in previous meetups – “How can I leverage rich ARM templates in an AzureGov setting?”  As you know, not all services (including Azure RM providers) are available in AzureGov today.   So here is my brute force approach for working around this *temporary* limitation ( disclaimer – this is not an “official” workaround by any means, so please conduct your due diligence regarding licensing etc.)

In a nutshell – provision resources in Azure using ARM  (for example the sqlvm-always-on), glean the metadata from the provisioned resources  (AV Set, ILBs, Storage), copy the images to Azure Gov, use the metadata gleaned from the previous step to provision resources in AzureGov using ASM.

 

image

That said, hopefully we will not need to use the aforementioned workaround for long. New ARM Resources Providers are being added to AzureGov at a fairly rapid clip. In fact, I just  ran a console program to dump all resource providers. The output is pasted below.  Notice the addition of providers such as Storage V2.

Provider Namespace Microsoft.Backup
ResourceTypes:
BackupVault

Provider Namespace Microsoft.ClassicCompute
ResourceTypes:
domainNames
checkDomainNameAvailability
domainNames/slots
domainNames/slots/roles
virtualMachines
capabilities
quotas
operations
resourceTypes
moveSubscriptionResources
operationStatuses

Provider Namespace Microsoft.ClassicNetwork
ResourceTypes:
virtualNetworks
reservedIps
quotas
gatewaySupportedDevices
operations
networkSecurityGroups
securityRules
capabilities

Provider Namespace Microsoft.ClassicStorage
ResourceTypes:
storageAccounts
quotas
checkStorageAccountAvailability
capabilities
disks
images
osImages
operations

Provider Namespace Microsoft.SiteRecovery
ResourceTypes:
SiteRecoveryVault

Provider Namespace Microsoft.Web
ResourceTypes:
sites/extensions
sites/slots/extensions
sites/instances
sites/slots/instances
sites/instances/extensions
sites/slots/instances/extensions
publishingUsers
ishostnameavailable
sourceControls
availableStacks
listSitesAssignedToHostName
sites/hostNameBindings
sites/slots/hostNameBindings
operations
certificates
serverFarms
sites
sites/slots
runtimes
georegions
sites/premieraddons
hostingEnvironments
hostingEnvironments/multiRolePools
hostingEnvironments/workerPools
hostingEnvironments/multiRolePools/instances
hostingEnvironments/workerPools/instances
deploymentLocations
ishostingenvironmentnameavailable
checkNameAvailability

Provider Namespace Microsoft.Authorization
ResourceTypes:
roleAssignments
roleDefinitions
classicAdministrators
permissions
locks
operations
policyDefinitions
policyAssignments
providerOperations

Provider Namespace Microsoft.Cache
ResourceTypes:
Redis
locations
locations/operationResults
checkNameAvailability
operations

Provider Namespace Microsoft.EventHub
ResourceTypes:
namespaces
checkNamespaceAvailability
operations

Provider Namespace Microsoft.Features
ResourceTypes:
features
providers

Provider Namespace microsoft.insights
ResourceTypes:
logprofiles
alertrules
autoscalesettings
eventtypes
eventCategories
locations
locations/operationResults
operations
diagnosticSettings
metricDefinitions
logDefinitions

Provider Namespace Microsoft.KeyVault
ResourceTypes:
vaults
vaults/secrets
operations

Provider Namespace Microsoft.Resources
ResourceTypes:
tenants
providers
checkresourcename
resources
subscriptions
subscriptions/resources
subscriptions/providers
subscriptions/operationresults
resourceGroups
subscriptions/resourceGroups
subscriptions/resourcegroups/resources
subscriptions/locations
subscriptions/tagnames
subscriptions/tagNames/tagValues
deployments
deployments/operations
operations

Provider Namespace Microsoft.Scheduler
ResourceTypes:
jobcollections
operations operationResults

Provider Namespace Microsoft.ServiceBus
ResourceTypes:
namespaces
checkNamespaceAvailability
premiumMessagingRegions
operations

Provider Namespace Microsoft.Storage
ResourceTypes:
storageAccounts
operations
usages
checkNameAvailability

 

Here is the code to print all resource providers available in AzureGov

static void Main(string[] args)

  {

      var token = GetAuthorizationHeader();

      var credentials = new Microsoft.Rest.TokenCredentials(token);

      var resourceManagerClient = new Microsoft.Azure.Management.Resources.ResourceManagementClient(new Uri(AzureResourceManagerEndpoint), credentials)

      {

          SubscriptionId = SubscriptionId,

      };





      foreach (var provider in resourceManagerClient.Providers.List())




      {




          Console.WriteLine(String.Format("Provider Namespace {0}", provider.NamespaceProperty));




          Console.WriteLine("ResourceTypes:");








          foreach (var resourceType in provider.ResourceTypes)




          {




              Console.WriteLine(String.Format("\t {0}", resourceType.ResourceType));




          }








          Console.WriteLine("");




      }







			


	

	

		Posted by vishwas lele

					Filed in Azure, AzureGov, Meetup

								

	Leave a Comment »	






	
	

		
Leave a comment