Hey everyone,
I'm the main person in charge of our Azure tenant at a small organization, where we run an outsourced application for our clients. Recently, I've taken on some compliance responsibilities for SOC2, and I've realized our Azure setup has major blind spots. There's hardly any documentation on access procedures or vulnerability management related to Azure, and our app's architecture has several issues, like public SQL database endpoints and lack of Azure policy definitions for restricting access.
I'm considering proposing that we create a new subscription where we can build a compliant architecture from scratch using infrastructure as code (IaC) for better network security and identity governance, and then migrate everything over. The challenge is, I'm pretty new to this, and there isn't much support in my organization for these concerns aside from me—especially since my boss is currently focused elsewhere.
Any advice on how to tackle this?
4 Answers
You're navigating a tricky situation, for sure. One thing to do is ask your boss who has access to the contract with the outsourced development team. This will help you understand what they were supposed to document. When communicating with them, it's a good strategy to ask for their existing documentation directly—it could open up a dialogue. Instead of trying to overhaul everything all at once, consider developing a 'future state' and migrating over time to avoid getting stuck in a sprawling mess. That way you can gradually transition the more complex parts instead of facing a massive overhaul.
I totally understand where you're coming from! It's vital to get your leadership on board about the security gaps in your Azure tenant. I recommend documenting everything you find, articulating why it matters in simple terms, and what risks it poses. Once you've got that laid out, propose realistic solutions with estimated costs and timelines. Frame your findings in a way that emphasizes business impact—like potential downtime or liability—that typically resonates more with the management. Also, don't hesitate to reach out to your outsourced application team about these issues. If they’re open to communication, that might help speed up the fixes!
Your idea to implement a parallel subscription sounds good, but given that you're in a SOC2 scope, I’d prioritize fixing critical issues immediately. Auditors are more interested in seeing that you identified risks and took action rather than having a flawless architecture from the start. The public SQL endpoints are critical—lock down those access points and ensure you route traffic through private endpoints or known IPs. It’s a quick win that makes a big difference. After that, keep an eye on your access review process and document your change management procedures—these will be key areas of interest during your audit!
Creating a new subscription for a proper landing zone is a solid idea! However, if you're already preparing for a SOC2 audit, you might not have time to migrate everything before it happens. It's often better to quickly address the major issues you find in your current setup and document them. For instance, focusing on securing those public SQL database endpoints should be your highest priority—denying public access at the firewall level is a quick fix that can eliminate a major risk. When it comes to RBAC, start by tightening access to who can be Owners or Global Admins in Entra. This way, even during audits, you have tangible progress you can show, which adds credibility even if the full overhaul isn’t completed.
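The two quick wins the last two answers describe (public SQL endpoints and over-broad Owner access) can be turned into a repeatable check that produces the kind of dated evidence an auditor asks for. The script below is an added example, not code from any of the posters; it reads an exported inventory whose field names follow the JSON that `az sql server list`, `az sql server firewall-rule list` and `az role assignment list` print (those field names are an assumption here), and the records embedded in it are constructed sample data with a placeholder subscription id. It covers Azure RBAC assignments only; Global Administrator is an Entra directory role and is reviewed separately.

```python
"""Audit an exported Azure inventory for public SQL endpoints and standing
privileged RBAC. Input shapes are assumed to mirror az CLI JSON output;
all records below are constructed sample data, not a real tenant."""
from dataclasses import dataclass
from ipaddress import IPv4Address

PRIVILEGED_ROLES = {"Owner", "User Access Administrator"}
BROAD_RANGE = 256  # flag firewall rules admitting more than a /24 worth of addresses


@dataclass(frozen=True)
class Finding:
    resource: str
    issue: str
    fix: str


def audit_sql_servers(servers, firewall_rules):
    """servers: list as from `az sql server list`;
    firewall_rules: {server name: rules as from `az sql server firewall-rule list`}."""
    findings = []
    for srv in servers:
        name = srv["name"]
        # The 'deny public access at the firewall level' fix from the answers above.
        if srv.get("publicNetworkAccess", "Enabled") != "Disabled":
            findings.append(Finding(name, "public network access enabled",
                                    "set publicNetworkAccess=Disabled and reach the server via a private endpoint"))
        tls = srv.get("minimalTlsVersion")
        if tls not in ("1.2", "1.3"):
            findings.append(Finding(name, f"minimal TLS version is {tls}", "set minimalTlsVersion to 1.2"))
        for rule in firewall_rules.get(name, []):
            start, end = IPv4Address(rule["startIpAddress"]), IPv4Address(rule["endIpAddress"])
            width = int(end) - int(start) + 1
            rule_id = f"{name}/{rule['name']}"
            if start == end == IPv4Address("0.0.0.0"):
                # The 0.0.0.0-0.0.0.0 rule is Azure SQL's "allow Azure services" switch:
                # it admits traffic from any Azure tenant, not just yours.
                findings.append(Finding(rule_id, "'allow Azure services' rule admits any Azure tenant",
                                        "remove the rule; use a private endpoint or VNet rules"))
            elif width > BROAD_RANGE:
                findings.append(Finding(rule_id, f"firewall rule admits {width} addresses",
                                        "narrow the rule to known egress IPs"))
    return findings


def is_broad_scope(scope):
    """True for the root, a management group, or a whole subscription."""
    parts = scope.strip("/").split("/")
    return scope == "/" or parts[0] == "providers" or len(parts) == 2


def audit_role_assignments(assignments):
    """Flag standing privileged roles granted at broad scope to anything but a group."""
    findings = []
    for a in assignments:
        if a["roleDefinitionName"] not in PRIVILEGED_ROLES or not is_broad_scope(a["scope"]):
            continue
        if a["principalType"] != "Group":
            findings.append(Finding(a["principalName"],
                                    f"standing {a['roleDefinitionName']} at {a['scope']}",
                                    "assign through a group with PIM-eligible membership"))
    return findings


# Constructed sample inventory (placeholder subscription id).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_SERVERS = [
    {"name": "crm-sql-prod", "publicNetworkAccess": "Enabled", "minimalTlsVersion": "1.2"},
    {"name": "crm-sql-stage", "publicNetworkAccess": "Disabled", "minimalTlsVersion": "1.1"},
]
SAMPLE_FIREWALL_RULES = {
    "crm-sql-prod": [
        {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
        {"name": "office", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
        {"name": "everything", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
    ],
}
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Owner", "principalName": "alice@example.test",
     "principalType": "User", "scope": SUB},
    {"roleDefinitionName": "Owner", "principalName": "sg-platform-admins",
     "principalType": "Group", "scope": SUB},
    {"roleDefinitionName": "Contributor", "principalName": "sp-ci-pipeline",
     "principalType": "ServicePrincipal", "scope": SUB + "/resourceGroups/rg-app"},
    {"roleDefinitionName": "User Access Administrator", "principalName": "bob@example.test",
     "principalType": "User", "scope": "/providers/Microsoft.Management/managementGroups/root"},
]

if __name__ == "__main__":
    for f in audit_sql_servers(SAMPLE_SERVERS, SAMPLE_FIREWALL_RULES) + audit_role_assignments(SAMPLE_ASSIGNMENTS):
        print(f"{f.resource}: {f.issue} -> {f.fix}")
```

Run against a real export by replacing the sample lists with the parsed CLI output; re-running it after each fix and keeping the dated output is the "identified risks and took action" trail the answers mention. On the sample data it reports four SQL findings (the enabled public endpoint, the "allow Azure services" rule, the all-addresses rule, and the TLS 1.1 server) and two standing privileged assignments, while the group-held Owner and the resource-group-scoped Contributor pass.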