Enabling MSPs, MSSPs and Customers to Run Their Own Azure Management Applications, Keeping All Data in Their Tenant
Microsoft Azure provides a powerful way for #MSP, #MSSPs and direct companies to add custom Azure management automation that keeps all data in their own tenant, or, in the case of an MSP/MSSP, in the customer's tenant.
This design is the core of #Senserva and it is one of the main things that makes us unique; however, this article is general purpose, and Senserva's implementation is provided at the end of the article as a detailed case study.
The diagram below gives an overview of one good way to leverage this model for an MSSP, but it works for a direct customer as well.
In this model the MSP/MSSP or end customer creates a management application in a management tenant, shown in green in the diagram. The blue tenants are customer tenants; they can hold the management data themselves, or they can have the MSSP hold it. Beyond this, the data never leaves those tenants: if a customer holds the data, it never leaves their tenant, and if they partner with an MSSP to manage the data, it never leaves the partner's tenant. In no case does the data go to the product vendor, if there is one.
As a contrast, legacy third-party (i.e., non-Microsoft) management tools pull data into the vendor's own systems. Customers, as a rule, do not want this to happen, and with the Cloud there is no reason to do it, at least not from the customer's perspective.
The diagram also includes optional rollups so the MSSP can review non-PII items across all customers. (Personally Identifiable Information can be represented in the rollup data by a non-reversible Azure ID.)
This model uses the #LogAnalyticsWorkspace. It is a good fit as the data store because it removes data as it ages out of the configured retention period, enabling management products to provide a continual flow of information with no housekeeping effort.
The Log Analytics Workspace (LAW) is also the core of Azure security, and many products use it, including #MicrosoftSentinel, which enables a great security ecosystem. This system brings together information from any number of third-party products and from Microsoft itself. The MSSP can add their own management solution and it immediately integrates, fitting right in.
The model also breaks out the security manager service into its own Azure App Service, in this case Senserva, and keeps it separate from the user interface, in this case an MSSP-labeled private web server running as an App Service. The web service can be highly secured because it is not general purpose or multi-tenant; it is dedicated to the partners and their customers. These two services can be put into one #AzureAppService, but they should remain separate runtimes so they can each have their own security credentials: one reads and one writes. The Azure App Service is also used to support dev/beta/production builds - it does this right out of the box.
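The read/write split described above can be enforced with Azure RBAC scoped to the workspace alone. The script below is an added example, not Senserva's code; all resource names are placeholders, it assumes both App Services use system-assigned managed identities, and it assumes the engine ingests with the workspace key (hence Log Analytics Contributor) while the web UI only runs queries (Log Analytics Reader).

```powershell
# Added example: one workspace, two identities, least privilege per runtime.
# Placeholders below are assumptions, not values from the article.
param(
    [string]$ResourceGroup = 'rg-mgmt-placeholder',
    [string]$Workspace     = 'law-mgmt-placeholder',
    [string]$EngineApp     = 'app-engine-placeholder',   # writer: the management engine
    [string]$WebApp        = 'app-web-placeholder',      # reader: the private web UI
    [int]$RetentionDays    = 90
)

Connect-AzAccount | Out-Null

# 1. Set an explicit retention period so aged-out data is dropped automatically
#    by the workspace rather than by the management application.
$law = Set-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup `
        -Name $Workspace -RetentionInDays $RetentionDays

# 2. Resolve the managed identities of the two separate App Service runtimes.
$engineId = (Get-AzWebApp -ResourceGroupName $ResourceGroup -Name $EngineApp).Identity.PrincipalId
$webId    = (Get-AzWebApp -ResourceGroupName $ResourceGroup -Name $WebApp).Identity.PrincipalId

# 3. One identity writes, one reads; both assignments are scoped to the
#    workspace resource only, never to the resource group or subscription.
New-AzRoleAssignment -ObjectId $engineId -RoleDefinitionName 'Log Analytics Contributor' -Scope $law.ResourceId
New-AzRoleAssignment -ObjectId $webId    -RoleDefinitionName 'Log Analytics Reader'      -Scope $law.ResourceId

# 4. Verification: list assignments made directly on the workspace (inherited
#    ones are filtered out) so any unexpected principal stands out in review.
Get-AzRoleAssignment -Scope $law.ResourceId |
    Where-Object { $_.Scope -eq $law.ResourceId } |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

Run it once per customer workspace; re-running is safe because Azure rejects duplicate role assignments rather than creating a second copy.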
Customers can mix and match this model, moving web servers into their own tenant to further lock them down for example.
To add a new tenant, all that needs to be done is to add the tenant to the management services; no other installation is required.
Here is an alternative model where the #MSSP product is installed in every tenant, coming from the Microsoft Marketplace, with #Azure #Lighthouse and #Azure #DevOps used to manage the systems once installed. The diagram mentions Senserva but any product can be made to work like this.
In this model the MSSP, or direct customer, provides a complete end-to-end solution to their external or internal customers. The Microsoft Marketplace handles the installation and Lighthouse/DevOps take over the ongoing management.
Next, this diagram contains a definition of how the management software can be created. The management software can be any runtime; in this case Senserva is used to filter data before it goes into the Log Analytics Workspace.
These are examples of what Senserva works with, including creating solutions specific to an MSSP or customer. The big win here is that we do all the #KQL so you do not have to (!) This gets a little marketing-ish here, as promised. And please keep in mind that all our data is designed to work with #microsoftsentinel, for threat hunting, alerts or other uses.
Oh yes, the title of this article includes "in minutes" - this is achieved when we do all the work for you, by extending our core technologies to add management tasks specific to your needs. We can take all your KQL, put it into an application and extend our UI for it. We just need 15 minutes a week from you to make this happen. Even more marketing!
Visit us at the Microsoft Azure Marketplace or email us at email@example.com for more information. Thanks!