Architecture Flashcards

1
Q

Common Attacks: Data Layer

A

Exposing an encryption key or using weak encryption can leave your data vulnerable

2
Q

Common Attacks: Application Layer

A

Malicious code injection and execution are the hallmarks of application-layer attacks

3
Q

Common Attacks: VM/compute layer

A

Malware is a common method of attacking an environment

4
Q

Common Attacks: Networking Layer

A

Attacks through open ports (e.g. SSH, RDP)

5
Q

Common Attacks: Perimeter Layer

A

Denial of Service

6
Q

Common Attacks: Policies and access layer

A

Exposed credentials

7
Q

Common Attacks: Physical layer

A

Unauthorised access to premises

8
Q

Waste can show up in several ways. Let's look at a few examples.

A
  • A virtual machine that is always 90% idle
  • Paying for a license included in a virtual machine when a license is already owned
  • Retaining infrequently accessed data on a storage medium optimized for frequent access
  • Manually repeating the build of a non-production environment
9
Q

By leveraging Azure AD for SSO you’ll also have the ability to combine multiple data sources into an

A

intelligent security graph.

10
Q

By leveraging Azure AD for SSO you’ll also have the ability to combine multiple data sources into an intelligent security graph. This security graph enables

A

the ability to provide threat analysis and real-time identity protection to all accounts in Azure AD, including accounts that are synchronized from your on-premises AD

11
Q

Management groups are an additional hierarchical level recently introduced into the RBAC model. Management groups add the ability to

A

group subscriptions together and apply policy at an even higher level.

12
Q

The ability to flow roles through an arbitrarily defined subscription hierarchy also allows administrators to

A

grant temporary access to an entire environment for authenticated users

13
Q

This is an additional paid-for offering that provides oversight of role assignments, self-service, and just-in-time role activation and Azure AD & Azure resource access reviews.

A

Azure AD Privileged Identity Management (PIM)

14
Q

What is an identity?

A

A thing that can be authenticated - username, application or server

15
Q

What is a principal?

A

An identity acting with certain roles - e.g. sudo

16
Q

What is a service principal?

A

An identity that is used by a service or application. Like other identities, it can be assigned roles.

17
Q

The creation of service principals can be a tedious process, and there are a lot of touch points that can make maintaining them difficult. What is the solution?

A

Managed identities for Azure resources

18
Q

True or false: an Azure-based VM can be given a managed identity that grants it the rights to stop and start other machines.

A

True

19
Q

There are two top-level types of encryption:

A

Symmetric and Asymmetric.

20
Q

In encryption, what does AES stand for?

A

Advanced Encryption Standard

21
Q

SSE automatically encrypts data in

A
  • All Azure Storage services including Azure Managed Disks, Azure Blob storage, Azure Files, Azure Queue storage, and Azure Table storage
  • Both performance tiers (Standard and Premium)
  • Both deployment models (Resource Manager and classic)
22
Q

Can boot disks be encrypted?

23
Q

… helps protect Azure SQL Database and Azure Data Warehouse against the threat of malicious activity. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.

A

Transparent data encryption (TDE)

24
Q

Encryption services all use keys to encrypt and decrypt data, so how do we ensure that the keys themselves are secure?

A

Azure Key Vault

25
Q

Azure Key Vault is a cloud service that works as a secure secrets store. Key Vault allows you to

A

create multiple secure containers, called vaults.

26
Q

Azure Key Vault is a cloud service that works as a secure secrets store. Key Vault allows you to create multiple secure containers, called vaults. These vaults are backed by

A

hardware security modules (HSMs).

27
Q

What is a hardware security module (HSM)?

A

A physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing.

28
Q

____ _____ _____ will identify internet-facing resources that don't have network security groups (NSG) associated with them, as well as resources that are not secured behind a firewall.

A

Azure Security Center

29
Q

What is the Azure equivalent of a Virtual Private Cloud (VPC)?

A

An Azure Virtual Network (VNet)

30
Q

Comparisons with AWS: Can an AWS subnet span multiple AZs?

A

No

31
Q

Comparisons with AWS: Communications between all subnets in the AWS VPC are through ____________ and are ________ by default

A

AWS backbone | allowed by default

32
Q

Comparisons with AWS: How many Internet Gateways are allowed per VPC in AWS?

A

Only one

33
Q

How does Azure deal with public and private subnets?

A

Azure VNet does not provide a default VNet and does not have private or public subnets as in AWS VPC. Resources connected to a VNet have access to the Internet by default.

34
Q

In AWS, the Security Group is a _____ object that is applied at the _______ level

A

stateful | EC2 instance level

35
Q

In Azure, NSGs are _______ and can be applied at the ______ or ______ level

A

stateful | subnet or NIC level

36
Q

Are AWS's NACLs stateful or stateless?

A

Stateless

37
Q

What does stateful mean in the context of Security Groups or Network Security Groups?

A

If there is an inbound rule that allows traffic on a port (e.g. port 80), a matching rule on the outbound side is not required for the return packets to flow on the same port.

38
Q

In Azure, what is an Application Gateway?

A

A Layer 7 load balancer that also includes a web application firewall (WAF)

39
Q

Application Gateway is a Layer 7 load balancer, which means

A

it works only with web traffic (HTTP, HTTPS, WebSocket, and HTTP/2)

40
Q

For protection of non-HTTP-based services or for increased customization, ______ ________ ______ (____) can be used to secure your network resources

A

Network Virtual Appliances (NVAs)

41
Q

To isolate Azure services to only allow communication from virtual networks, use

A

VNet service endpoints

42
Q

With service endpoints, Azure service resources can be secured to your virtual network. Securing service resources to a virtual network provides improved security by

A

fully removing public internet access to resources, and allowing traffic only from your virtual network.

43
Q

Which service allows for read replicas?

A

Azure SQL Database geo-replication

44
Q

... is a DNS-based load balancer that enables you to distribute traffic within and across Azure regions.

A

Traffic Manager

45
Q

What is Traffic Manager?

A

A DNS-based load balancer

46
Q

Traffic Manager can route users based upon a set of characteristics:

A
  • Priority - You specify an ordered list of front-end instances. If the one with the highest priority is unavailable, Traffic Manager routes the user to the next available instance.
  • Weighted - You set a weight against each front-end instance. Traffic Manager then distributes traffic according to those defined ratios.
  • Performance - Traffic Manager routes users to the closest front-end instance based on network latency.
  • Geographic - You set up geographical regions for front-end deployments, routing your users based upon data sovereignty mandates or localization of content.

47
Q

... is a private, dedicated connection between your network and Azure

A

Azure ExpressRoute

48
Q

Standard storage SSD - This is SSD-backed storage and has the low latency of SSD but lower levels of throughput. A ______ _____ _____ would be a good use case for this disk type.

A

A non-production web server

49
Q

Standard storage HDD - This is spindle disk storage and may fit well where

A

your application is not bound by inconsistent latency or lower levels of throughput.

50
Q

Polyglot persistence is

A

the usage of different data storage technologies to handle your storage requirements.

51
Q

__ ___ provides a single management point for infrastructure-level logs and monitoring for most of your Azure services

A

Azure Monitor

52
Q

When automating the deployment of services and infrastructure, there are two different approaches you can take:

A

Imperative and declarative

53
Q

On Azure, declarative automation is done through the use of

A

Azure Resource Manager templates