(AZ-900 topic) Describe general security and network security features Flashcards
This AZ-900 topic assesses your ability to: show an understanding of Azure security features, as well as Azure network security features. Questions for this domain comprise 13% of the total questions for the AZ-900.
Regarding this diagram, which service might you place at 1 to protect the connection credentials from the web service to the SQL database, but also allow access to third party applications?
- Azure Sentinel
- Azure Information Protection
- A Network Security Group
- Azure Key Vault
Azure Key Vault
Azure Key Vault will store your connection credentials securely, and allow third-party applications to use it through a token. The token access can be revoked without changing the credentials.
You are in charge of an Azure database that has valuable and sensitive data stored in it. You need a third party client to access this data. How would you provide access in the most secure way?
- Use Azure Key Vault to create a single use password for the database. The client can use this to get an authentication token for further use.
- Use Azure Key Vault to protect and share the password without revealing it.
- Store the data in the secure tier data storage and provide access via a secure token only.
- Use Azure Information Protection to secure and track any piece of data accessed.
Use Azure Key Vault to protect and share the password without revealing it.
Azure Key Vault is used to protect secrets and passwords. You can share these secrets and passwords with third parties without revealing them. This allows access to your resources securely to third parties.
Which of the following components can be used to load balance traffic to web applications, such as Azure App Service web apps using layer 7 of the OSI model?
- Virtual Network
- Load Balancer
- Application Gateway
- Route table
- Virtual Network Gateway
Application Gateway
Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. It operates at the more abstract, high-level layer 7 of the OSI model, meaning the load balancer understands HTTP headers and can do things such as routing requests to different places based on the URL of a web request.
Your company wants to make use of Azure for deployment of various solutions. They want to ensure suspicious attacks and threats using compromised credentials to resources in their Azure account are prevented. Which of the following helps prevent such attacks by using in-built sensors in Azure?
- Microsoft Defender for Identity (formerly Azure Advanced Threat Protection)
- Azure DDoS Protection
- Azure Privileged Identity Management
- Azure AD Identity Protection
Microsoft Defender for Identity (formerly Azure Advanced Threat Protection)
Microsoft Defender for Identity (formerly Azure Advanced Threat Protection) is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Microsoft routinely changes the names of their services, including this one. This is something to be aware of, both on the exam, where you may encounter the new or old names, and in the real world.
Which Azure service should you use to store certificates?
- Azure Information Protection
- Azure storage account
- Azure Security Center
- Azure Key Vault
Azure Key Vault
Azure Key Vault can be used to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
Your company has a new Azure virtual network that needs to be secured. What is the best way to only allow specific kinds of outside traffic into this network?
- Using the Azure DDoS Protection Service when configured for inbound traffic.
- Use an Azure Network Security Group attached to the virtual network.
- Use a load balancer in front of the network to use rules to limit the traffic.
- Use an Azure Firewall attached to the virtual network.
(choose 1)
Use an Azure Firewall attached to the virtual network.
Azure Firewall blocks any incoming or outgoing traffic that isn’t specifically allowed on a network. A Network Security Group manages the traffic to specific services, Azure DDoS Protection Service protects against attacks and a load balancer distributes traffic to specific VMs.
You need to protect emails, documents and important data that will be shared outside your company. What Azure service should you use?
- Azure Artifacts.
- Azure Data Box.
- Azure Information Protection.
- Azure Pipelines.
(choose 1)
Azure Information Protection.
Azure Information Protection allows you to protect emails, documents and other data and define who can access the information and what they can do with it. Azure Artifacts is a developer tool for managing source code packages. Azure Pipelines is a developer tool for continuous deployment. Azure Data Box is a physical box for transferring data.
The Angry Llamas corporation has asked you to implement a solution that will monitor users in their on-premises environment and their behavior, to make sure any suspicious behavior is caught. What is a solution to do this?
- Use the alert feature in Azure Active Directory to monitor user behavior and raise alerts for anything out of the ordinary.
- Use Microsoft Defender for Identity (formerly Azure Advanced Threat Protection) to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
- Use Azure Information Protection to monitor, analyse and profile user behavior, and raise alerts if unusual behavior is detected.
- Use an Azure Firewall to monitor the traffic entering the network and the Azure services attached to it.
Use Microsoft Defender for Identity (formerly Azure Advanced Threat Protection) to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
Microsoft Defender for Identity (formerly Azure Advanced Threat Protection, also known as Azure ATP) is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
You are looking to restrict internet traffic to a Windows virtual machine - what Azure functionality would you choose to accomplish this?
- Public IP Address
- Resource Group
- Redis
- Network Security Groups
Network Security Groups
Appropriately configured Network Security Groups allow you to control all inbound and outbound traffic for your virtual machines.
You want to protect your Azure services from attacks that send large amounts of usually allowed traffic from the outside world and that might overwhelm your services. Which is the best way you can do this?
- Use an Azure Firewall attached to the virtual network that faces the Internet.
- Use the Azure DDoS Protection Service to protect against denial of service attacks.
- Use a load balancer in front of the services to mitigate the attacks and distribute the traffic to multiple machines.
- Use Advanced Threat Protection to secure the network.
Use the Azure DDoS Protection Service to protect against denial of service attacks.
Azure DDoS Protection protects against denial of service attacks, which involve large amounts of traffic directed at your service, so it is the right service to protect your services in this scenario.
What is one simple way to ensure you meet certain governance rules and regulations when setting up a new Azure environment?
- Use a support plan of Professional Direct or Premier level to get Architecture help for a new Azure environment.
- Use the Azure Template Wizard when creating a new service.
- Use Azure Blueprints.
- Use Azure Compliance Monitor to compare your infrastructure against.
Use Azure Blueprints.
Azure Blueprints are templates for creating compliant Azure infrastructure projects. You can use them to comply with standards and regulations that apply to your company. You can get architecture help using a support plan too, but it is much more laborious.
What should you use to evaluate whether your company’s Azure environment meets regulatory requirements? (choose 2)
- Knowledge Center
- Compliance Manager
- Azure Advisor
- Azure Security Center
Compliance Manager
Azure Security Center
Azure Security Center and Compliance Manager are the correct answers. Azure Security Center has a regulatory compliance dashboard, and Compliance Manager enables you to track, assign, and verify your organization’s regulatory compliance activities related to Microsoft Professional Services and Microsoft cloud services, such as Microsoft Office 365, Microsoft Dynamics 365, and Microsoft Azure. These answers are incorrect: Azure Knowledge Center is a site to get answers to common support questions; it is not used to determine regulatory compliance. Azure Advisor is a personalized cloud consultant that helps you follow best practices to optimize your Azure deployments; it recommends solutions that can help you improve the cost-effectiveness, performance, high availability, and security of your Azure resources, but it does not determine regulatory compliance.
Which of the following statements best describes a Network Security Group?
- Network Security Groups are established connections between your network and Azure.
- Network Security Groups contain inbound and outbound security rules enabling traffic to be filtered.
- Network Security Groups are groups of devices within a subnet that perform security functions.
- Network Security Groups are another name for peered virtual networks, allowing secure communication between resources.
Network Security Groups contain inbound and outbound security rules enabling traffic to be filtered.
Network Security Groups are used to filter traffic to and from resources in an Azure virtual network. They contain lists of security rules which allow or deny inbound and outbound traffic. The security rules contain properties such as priority, source or destination, protocol, direction, port range and action.
You are working with the enterprise security team. The CEO asked you to advise the most powerful tool that can detect possible volatilities in your company. You need to cover Windows Server 2012 R2 and Linux servers.
Which of the following is the best tool to recommend?
- Microsoft Defender Advanced Threat Protection
- Azure Advanced Threat Protection (ATP)
- Azure Security Center
- Azure Sentinel
Azure Sentinel
Azure Sentinel is the most powerful tool to detect abnormal behaviors, not only in the cloud environment but on-premises as well. It is based on Workspaces where logs are stored. Azure Sentinel allows you to collect data from all users, devices, and applications, on-premises or in multiple clouds. When paired with Microsoft analytics, it can find undetected threats while minimizing false positives.
At the time of this writing, Microsoft Defender Advanced Threat Protection (ATP) and Azure Advanced Threat Protection do support Linux operating systems. ATP collects usage data and can safeguard your enterprise against threats, but it is not as powerful as Azure Sentinel in finding undetected threats and volatilities.
Azure Security Center is a less powerful service than Azure Sentinel, but it does allow you to spot abnormalities.
Azure Sentinel is a security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution, while Security Center is not.
Your company needs to host multiple virtual machines that run an application your customers use in the East US region of Azure. You need to ensure that no other VMs are placed on the physical machines in the data center. All VMs need to have high availability using availability zones.
What should you use?
- Desired State Configuration
- Azure Board
- Azure Pipelines
- Azure DevTest Labs
- Dedicated Host
- Azure Advisor
Dedicated Host
Azure Dedicated Host is a service that provisions physical hardware in a data center dedicated to one or more of your company’s virtual machines and no one else’s. Dedicated hosts are physical servers in a data center that can provide hardware isolation at the physical server level. These dedicated hosts share the same network and storage as non-isolated hosts. Dedicated hosts can opt in or opt out of a maintenance window to reduce the impact on the workload running on the dedicated host. You can deploy multiple dedicated hosts for high availability using availability zones or fault domains for fault isolation.
You would not choose the Desired State Configuration (DSC) because it helps define a state for your machines. DSC does not ensure that VMs will be physically isolated on specific hardware.
You would not choose Azure Advisor. Azure Advisor examines resource configuration and usage and provides recommended solutions. Recommendations for cost, security, reliability (formerly High Availability), operational excellence, and performance are combined into a single dashboard. Azure Advisor makes recommendations but may not recommend having VMs be physically isolated on specific hardware.
Azure DevTest Labs allows you to create VMs and PaaS resources without approvals. Azure DevTest Labs enables your team to create multiple VMs or an empty resource group as a sandbox to isolate VMs. You can use reusable templates and artifacts to provision your environment using Windows VMs or Linux VMs quickly. VMs can be created from custom images that have all software applications and any tools installed. Azure DevTest Labs does not ensure VMs will be physically isolated on specific hardware.
You would not choose to use Azure Pipelines because it integrates your code repository with builds and releases in Azure DevOps.
You would not choose Azure Boards. Azure Boards uses agile methodology to track and plan projects using tools such as scrum boards, Kanban boards, and dashboards.