Architecture Flashcards
Common Attacks: Data Layer
Exposing an encryption key or using weak encryption can leave your data vulnerable
Common Attacks: Application Layer
Malicious code injection and execution are the hallmarks of application-layer attacks
Common Attacks: VM/compute layer
Malware is a common method of attacking an environment
Common Attacks: Networking Layer
Attacks through open ports (e.g. SSH, RDP)
Common Attacks: Perimeter Layer
Denial of Service
Common Attacks: Policies and access layer
Exposed credentials
Common Attacks: Physical layer
Unauthorised access to premises
Waste can show up in several ways. Let's look at a few examples:
- A virtual machine that is always 90% idle
- Paying for a license included in a virtual machine when a license is already owned
- Retaining infrequently accessed data on a storage medium optimized for frequent access
- Manually repeating the build of a non-production environment
By leveraging Azure AD for SSO you’ll also have the ability to combine multiple data sources into an
intelligent security graph.
By leveraging Azure AD for SSO you’ll also have the ability to combine multiple data sources into an intelligent security graph. This security graph enables
the ability to provide threat analysis and real-time identity protection to all accounts in Azure AD, including accounts that are synchronized from your on-premises AD
Management groups are an additional hierarchical level recently introduced into the RBAC model. Management groups add the ability to
group subscriptions together and apply policy at an even higher level.
The ability to flow roles through an arbitrarily defined subscription hierarchy also allows administrators to
grant temporary access to an entire environment for authenticated users
This is an additional paid-for offering that provides oversight of role assignments, self-service, and just-in-time role activation and Azure AD & Azure resource access reviews.
Azure AD Privileged Identity Management (PIM)
What is an identity?
A thing that can be authenticated - username, application or server
What is a principal?
An identity acting with certain roles, e.g. sudo
What is a service principal?
An identity that is used by a service or application. Like other identities, it can be assigned roles.
The creation of service principals can be a tedious process, and there are a lot of touch points that can make maintaining them difficult. What is the solution?
Managed identities for Azure resources
True or false: an Azure-based VM can be given a managed identity that grants it the rights to stop and start other machines
True
There are two top-level types of encryption:
Symmetric and Asymmetric.
In encryption, what does AES stand for?
Advanced Encryption Standard
SSE automatically encrypts data in
- All Azure Storage services including Azure Managed Disks, Azure Blob storage, Azure Files, Azure Queue storage, and Azure Table storage
- Both performance tiers (Standard and Premium)
- Both deployment models (Resource Manager and classic)
Can boot disks be encrypted?
Yes
… helps protect Azure SQL Database and Azure Data Warehouse against the threat of malicious activity. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.
Transparent data encryption (TDE)
Encryption services all use keys to encrypt and decrypt data, so how do we ensure that the keys themselves are secure?
Azure Key Vault
Azure Key Vault is a cloud service that works as a secure secrets store. Key Vault allows you to
create multiple secure containers, called vaults
Azure Key Vault is a cloud service that works as a secure secrets store. Key Vault allows you to create multiple secure containers, called vaults. These vaults are backed by
hardware security modules (HSMs)
What is a hardware security module (HSM)
A physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing.
____ _____ _____ will identify internet-facing resources that don’t have network security groups (NSG) associated with them, as well as resources that are not secured behind a firewall.
Azure Security Center
What is the Azure equivalent of a Virtual Private Cloud (VPC)?
An Azure Virtual Network (VNet)
Comparisons with AWS: Can an AWS subnet span multiple AZs?
No
Comparisons with AWS: Communications between all subnets in the AWS VPC
are through ____________ and are ________ by default
AWS Backbone
Allowed by default
Comparisons with AWS: How many Internet Gateways are allowed per VPC in AWS
Only one
How does Azure deal with public and private subnets?
Azure does not provide a default VNet and does not distinguish between private and public subnets as an AWS VPC does. Resources connected to a VNet have access to the Internet by default.
In AWS The Security Group is a _____ object that is applied at the _______ level
stateful
EC2 instance level
In Azure NSGs are _______ and can be applied at the ______ or ______ level
stateful
subnet or NIC level.
Are AWS's NACLs stateful or stateless?
stateless
What does stateful mean in the context of Security Groups or Network Security Groups?
It means that if there is an inbound rule that allows traffic on a port (e.g. port 80), a matching rule on the outbound side is not required for the return packets of that connection to flow on the same port.
In Azure, what is an Application Gateway?
A Layer 7 load balancer that also includes a web application firewall (WAF)
Application Gateway is a layer 7 load balancer, which means
it works only with web traffic (HTTP, HTTPS, WebSocket, and HTTP/2)
For protection of non-HTTP-based services or for increased customization, ______ ________ ______ (____) can be used to secure your network resources
Network Virtual Appliances (NVAs)
To isolate Azure services to only allow communication from virtual networks, use
VNet service endpoints
With service endpoints, Azure service resources can be secured to your virtual network. Securing service resources to a virtual network provides improved security by
fully removing public internet access to those resources and allowing traffic only from your virtual network.
Which service allows for read replicas?
Azure SQL Database geo-replication
… is a DNS-based load balancer that enables you to distribute traffic within and across Azure regions.
Traffic Manager
What is Traffic Manager?
A DNS-based load balancer
Traffic Manager can route users based upon a set of characteristics:
- Priority - You specify an ordered list of front-end instances. If the one with the highest priority is unavailable, Traffic Manager will route the user to the next available instance.
- Weighted - You set a weight against each front-end instance. Traffic Manager then distributes traffic according to those defined ratios.
- Performance - Traffic Manager routes users to the closest front-end instance based on network latency.
- Geographic - You set up geographical regions for front-end deployments, routing your users based upon data sovereignty mandates or localization of content.
… is a private, dedicated connection between your network and Azure
Azure ExpressRoute
Standard storage SSD - This is SSD-backed storage and has the low latency of SSD but lower levels of throughput. A ______ _____ _____ would be a good use case for this disk type.
A non-production web server
Standard storage HDD - This is spindle disk storage and may fit well where
your application can tolerate inconsistent latency and lower levels of throughput.
Polyglot persistence is
the usage of different data storage technologies to handle your storage requirements.
__ ___ provides a single management point for infrastructure-level logs and monitoring for most of your Azure services
Azure Monitor
When automating the deployment of services and infrastructure, there are two different approaches you can take
Imperative and Declarative
On Azure, declarative automation is done through the use of
Azure Resource Manager templates