Azure Security and Privacy Concepts Flashcards
Authentication vs Authorization
Authentication - The act of proving who or what something is
Authorization - Granting the correct level of access to a resource or service
Azure Active Directory (Azure AD)
Sits at the heart of Authentication in the Microsoft Cloud
Azure AD Functionality
Provides:
User management
Application integration
Single sign-on
Integration with other directory services
Azure AD single sign-on
One of the key features of Azure AD
Users should be asked for their credentials once
Can integrate with Microsoft provided and 3rd party applications
Application integration includes the ability to provision users and assign levels of access
Azure AD Conditional Access
Control access to apps no matter where our users are
We create conditional access policies (if-then statements)
Signals are used to make decisions
IP location information
risk analysis
device information
Conditional Access decisions
Block Access
Grant Access
Azure Role Based Access Control (RBAC)
Tool used to provide shared access
RBAC - Roles
Roles allow you to group together sets of permissions
We can make users or groups members of roles
Members of roles inherit all the permissions assigned to the role
RBAC - Three Built-in Roles
Owner - manage everything including access to resources
Contributor - manage everything EXCEPT granting access to resources
Reader - view everything but not make changes
RBAC Custom Roles
Use Built-in roles first, if unsuitable define custom roles
Always follow the principle of least privilege
Resource Locks
Override permissions at various scopes.
subscription locks
group locks
resource locks
Locks are inherited by child resources
Types of Azure Locks
ReadOnly
authorized users that have permission to view the resource are able to view but cannot update or delete
CanNotDelete
authorized users that have permission to view and modify the resource cannot delete the resource
Azure Tags
Key Value pairs assigned to resources
Tags can be used to
enforce security requirements
control costs
deploy software
Azure Policy
is a collection of rules
each policy is assigned to a scope
Azure Initiatives
a collection of policies
initiatives are assigned to a scope (e.g., a resource group)
Built-in Policies (types)
Storage accounts
Resource types
Allowed locations
Enforce tags
Virtual machine SKUs
Azure Blueprints
A way of orchestrating the deployment of resource templates and artifacts
Blueprints include Azure Policy and Azure Initiatives
Defining a blueprint
Resource groups can be defined and created
Azure Resource Manager (ARM) templates can be included to deploy resources
Azure policy can be included to enforce compliance
Roles can be assigned to resources that blueprints have created
Azure Advisor Security Assistance
Azure Advisor integrates with Azure Security Center
Advisor security assistance helps prevent, detect and respond to threats
Azure Network Security Groups (NSGs)
NSGs filter traffic - allow/deny in/outbound traffic
NSGs contain rules - rules are processed in order based on a number 100 (processed first) to 4096 (processed last)
Properties of NSGs
Attached to subnets or network cards
can be linked to multiple resources
are stateful
Problems with NSGs
Can become complex - containing lots of rules
Can be difficult to maintain - adding more resources may result in a need to update several network security groups
Application Security Groups
Allows us to reference a group of resources
Used as a source or destination in network security groups
Can be used in NSGs
Azure Firewall
a managed stateful firewall service
protects access to virtual networks
Azure Firewall Features
out/inbound NAT support
integration with Azure Monitor
unrestricted scalability
network traffic filtering rules
Azure DDoS Protection
DDoS mitigation for networks and applications
Azure DDoS Protection - Features
Always-on monitoring
application layer protection
integration with Azure monitor
Azure DDoS Service Tiers - Basic
Active traffic monitoring and always on detection
Backed by an SLA
Free
Azure DDoS Service Tiers - Standard
Basic +
real-time metrics
post attack reports
Access to experts during active attack
Azure Information Protection
used to classify docs and emails
applies labels to docs
labeled docs can be protected
(labels stay with the docs regardless of location)
Azure Information Protection - Classification
Metadata is added to docs
Visual markings (headers, footers, watermarks)
Azure Information Protection - Protection
Azure rights management encrypts docs using rights management templates
Azure Monitor
Collects metrics and logs and analyses them for Azure and on-premises resources
Troubleshooting and performance monitoring
Azure Service Health
Notifies you about Azure service status
Reports incidents and planned maintenance
Personalised dashboards
Configurable alerts
Guidance and support
Azure Advanced Threat Protection
Monitor and analyze user activity
identify suspicious activity and events
Azure Key Vault
Centralizes the storage of application secrets
logging to monitor how and when secrets are being used
enable centralized administration of secrets
Azure Key Vault Recommendations
Separate key vault for each application or environment
Take regular backups of your key vault
Turn on logging and set up alerts
turn on soft delete and purge protection
Azure Sentinel (SIEM and SOAR)
Cloud-native security information and event management (SIEM)
Security orchestration, automation and response (SOAR) solution
Azure Sentinel
Connect to your security sources with data connectors
Analyze your data using workbooks and analytics
Security automation and orchestration using playbooks
Deep investigation and hunting
Azure Security Center - Secure Score
Azure Security Center assesses your resources, subscriptions, and organization for security issues. It then aggregates all the findings into a single score (a percentage)
Azure Security Center - Security Policy
is a rule about specific security conditions that you want controlled.
Built in definitions include things like controlling what type of resources can be deployed or enforcing the use of tags on all resources. You can also create your own custom policy definitions.
Azure Security Center
A tool for security posture management and threat
Continually assess - provides secure score for quick understanding of security strengths
Secure - customized and prioritized task suggestions to improve secure score
Defend - detects threats to Azure resources and provides alerts
Regulatory Compliance
Process of ensuring that you follow the standards of laws laid out by governing bodies
People and process monitor systems to detect and prevent violations
Compliance monitoring can be complex
Azure provides several tools to help us assess our compliance posture
Azure Service Trust Portal - Compliance Manager
Compliance Manager - workflow-based risk assessment tool
Azure Service Trust Portal - Industry and Regions
Industry and region-specific compliance information docs.
Microsoft Trust Center
Security, privacy and compliance information
Access to Microsoft product compliance information
Compliance tools
compliance score
audit reports
data protection resources
Azure Special Regions
Exist for compliance and legal reasons - not available to the public
US GOV Regions
China Regions
Germany Regions
Microsoft Privacy Statement
Explains how Microsoft collects and processes personal data and for what purposes
Includes product specific information
Microsoft Online subscription Agreement (MOSA)
Documents the acceptable and unacceptable use of Microsoft Online Services.
An agreement between Microsoft and the Subscriber
Online Services Terms (OST)
The terms under which each Microsoft product is offered
The licensing agreements for all Microsoft online services
Online Service Data Protection Addendum (DPA)
How data is protected, the responsibilities of Microsoft in data protection and the responsibilities of the customer in data protection
Dedicated Hosts
provide physical servers that host one or more VMs
your server is dedicated to your organization
helps with compliance requirements
helps meet server-based SLA
Security Posture: Confidentiality
Confidentiality-This pillar ensures that the ‘protect surface’ can be accessed only by those who have been granted direct/express permission.
Security Posture: Integrity
Integrity - A unique fingerprint of the data is created using a one-way hashing algorithm and sent to the receiver along with the data. The goal of integrity is to preserve the data unchanged throughout the transmission. After receiving the data, the recipient recalculates the hash over it and compares the result with the hash that was sent; a mismatch reveals that the data was altered. A bare hash only detects accidental corruption: if an attacker can modify the data in transit, they can replace the hash as well, so a MAC or a digital signature is needed to detect deliberate tampering.
Security Posture: Availability
Data should be made available only to authentic users.
Authentic users shouldn’t be denied access.
Defense In Depth Layers
1 Data: Data encryption in Azure Blob Storage (Integrity)
2 Application: SSL/TLS encryption (Integrity)
3 Compute: Regular application of OS and layered software patches (Availability)
4 Network: Network security rules (Confidentiality)
5 Perimeter: Distributed Denial-of-Service (DDoS) protection (Availability)
6 Identity and access: Azure Active Directory user authentication (Integrity)
7 Physical security: Azure datacenter biometric access controls (Confidentiality)