4. Security Flashcards
Who is in charge of the security in the cloud ?
Itβs a shared responsibility model:
- Microsoft handle the physical security
- Digital security is shared between customer and Microsoft. Azure has tools to mitigate security threats, consumer is responsible to use the tools.
What are the layers of cloud infrastructure for which Azure provide security ?
- Data (compliance with regulator)
- Application (security in app dev)
- Compute (implement endpoint protection)
- Networking (restrict traffic)
- Perimeter (use DDoS protection)
- Identity and access (MFA, SSO etc)
- Physical security
What is Azure Security Center ?
- Monitoring service that provides threat protection across all services both in Azure, and on-premises.
- Gives security recommendations based on your configurations, resources, and networks
- Analyzes & identifies identify potential inbound attacks
- Just-in-time access control for ports through Azure Defender
- Automatic security assessments through continuous monitoring to identify potential vulnerabilities
What is Azure Defender ?
- Provides a full suite of security-related services including
continuous monitoring, threat detection, just-in-time access control for ports - $15 per node per month, 30-day free trial available
Identity & Access (Azure AD): what is it ?
Cloud- based identity services to manage authentication and authorization through Azure Active Directory
Identity & Access (Azure AD): can Azure AD synchronize with on-prem AD ?
Yes
Identity & Access (Azure AD): what are the service provided by Azure AD ?
- Authentication
- SSO
- Application management
- Business to business (B2B) identity services
- Business-to-Customer (B2C) identity services
- Device Management (how cloud/ on-prem device access to corporate data)
Encryption (Azure Key Vault, Certificates): what are the different encryption on Azure ?
- For raw storages: Azure Storage Service Encryption
- For virtual machine disks: Azure Disk Encryption
- For databases: Transparent data encryption (TDE)
- For secrets: Azure Key Vault
Encryption (Azure Key Vault, Certificates): what is Azure Storage Service Encryption?
Automatically encrypts your data before persisting it to e.g. Azure Managed Disks, Azure Blob storage, Azure Files, or Azure Queue storage and decrypts the data before retrieval
Encryption (Azure Key Vault, Certificates): what is Azure Disk Encryption?
Helps you encrypt your Windows (with Bitlocker) and Linux (dm-crypt) IaaS virtual machine disks.
Encryption (Azure Key Vault, Certificates): what is Azure Key Vault?
π Stores & manages: Secrets (password, certificates, API keys β¦), Keys (creates & ctrl encryption keys), Certificates (manage & deploy SSL/TLS)
Network Protection: why is it important in cloud environment ?
secure your network from attacks and unauthorized access
Network Protection: what measure can you set up in your cloud environment from outside threat ?
- Firewall: Azure Firewall, Azure Application Gateway (load balancer + WAF), Network virtual appliances (NVAs, similar to hardware firewall)
- DDoS Protection: Azure DDoS Protection (network monitoring and mitigation for DDoS)
Network Protection: what measure can you set up in your cloud environment from inside threat ?
- Virtual network security: Network Security Groups (NSGs, list of allowed/denied communication), Service endpoints (limit access to your virtual network)
- Network integration: VPN, Azure ExpressRoute (dedicated & private connection between your network and Azure)
Microsoft Azure Information Protection (AIP): what is it ?
- π Helps to classify and optionally protect (encrypt) documents and emails by applying labels (data classification).
- After your content is classified, you can track and control how the content is used. E.g. you can: Analyze data flows to gain insight into your business, Detect risky behaviors and take corrective measures, Track access to documents, Prevent data leakage or misuse of confidential information
- You can purchase AIP either as a standalone solution, or through one of the following Microsoft licensing suites:
Enterprise Mobility + Security
or Microsoft 365 Enterprise
