Azure Security and Privacy Concepts Flashcards

1
Q

Authentication vs Authorization

A

Authentication - The act of proving who or what something is

Authorization - Granting the correct level of access to a resource or service

2
Q

Azure Active Directory (Azure AD)

A

Sits at the heart of Authentication in the Microsoft Cloud

3
Q

Azure AD Functionality

A

Provides:
  User Management
  Application Integration
  Single Sign-on
  Integration with other directory services

4
Q

Azure AD single sign-on

A

One of the key features of Azure AD
Users should be asked for their credentials once
Can integrate with Microsoft provided and 3rd party applications
Application integration includes the ability to provision users and assign levels of access

5
Q

Azure AD Conditional Access

A

Control access to apps no matter where our users are

We create conditional access policies (if-then statements)

Signals are used to make decisions
IP location information
risk analysis
device information

6
Q

Conditional Access decisions

A

Block Access

Grant Access

7
Q

Azure Role Based Access Control (RBAC)

A

Tool used to provide shared access

8
Q

RBAC - Roles

A

Roles allow you to group together sets of permissions

We can make users or groups members of roles

Members of roles inherit all the permissions assigned to the role

9
Q

RBAC - Three Built-in Roles

A

Owner - manage everything including access to resources

Contributor - manage everything EXCEPT granting access to resources

Reader - view everything but not make changes

10
Q

RBAC Custom Roles

A

Use built-in roles first; if they are unsuitable, define custom roles

Always follow the principle of least privilege

11
Q

Resource Locks

A

Override permissions at various scopes.
subscription locks
group locks
resource locks

Locks are inherited by child resources

12
Q

Types of Azure Locks

A

ReadOnly
authorized users that have permission to view the resource are able to view but cannot update or delete

CanNotDelete
authorized users that have permission to view and modify the resource cannot delete the resource

13
Q

Azure Tags

A

Key Value pairs assigned to resources

Tags can be used to
enforce security requirements
control costs
deploy software

14
Q

Azure Policy

A

is a collection of rules

each policy is assigned to a scope

15
Q

Azure Initiatives

A

a collection of policies

initiatives are assigned to a scope (i.e., resource group)

16
Q

Built-in Policies (types)

A

Storage accounts
Resource types
Allowed locations
Enforce tags
Virtual machine SKUs

17
Q

Azure Blueprints

A

A way of orchestrating the deployment of resource templates and artifacts

Blueprints include Azure Policy and Azure Initiatives

18
Q

Defining a blueprint

A

Resource groups can be defined and created

Azure Resource Manager (ARM) templates can be included to deploy resources

Azure policy can be included to enforce compliance

Roles can be assigned to resources that blueprints have created

18
Q

Azure Advisor Security Assistance

A

Azure Advisor integrates with Azure Security Center

Advisor security assistance helps prevent, detect and respond to threats

19
Q

Azure Network Security Groups (NSGs)

A

NSGs filter traffic - allow/deny in/outbound traffic

NSGs contain rules - rules are processed in order based on a number 100 (processed first) to 4096 (processed last)

20
Q

Properties of NSGs

A

Attached to subnets or network cards

Can be linked to multiple resources

Are stateful

21
Q

Problems with NSGs

A

Can become complex - containing lots of rules

Can be difficult to maintain - adding more resources may result in a need to update several network security groups

22
Q

Application Security Groups

A

Allows us to reference a group of resources

Used as a source or destination in network security groups

Can be used in NSGs

23
Q

Azure Firewall

A

a managed stateful firewall service

protects access to virtual networks

24
Q

Azure Firewall Features

A

Out/inbound NAT support
Integration with Azure Monitor
Unrestricted scalability
Network traffic filtering rules

25
Q

Azure DDoS Protection

A

DDoS mitigation for networks and applications

26
Q

Azure DDoS Protection - Features

A

Always-on monitoring
Application layer protection
Integration with Azure Monitor

27
Q

Azure DDoS Service Tiers - Basic

A

Active traffic monitoring and always-on detection
Backed by an SLA
Free

28
Q

Azure DDoS Service Tiers - Standard

A

Basic + real-time metrics
Post-attack reports
Access to experts during an active attack

29
Q

Azure Information Protection

A

Used to classify docs and emails
Applies labels to docs
Labeled docs can be protected (labels stay with the docs regardless of location)

30
Q

Azure Information Protection - Classification

A

Metadata is added to docs
Visual markings (headers, footers, watermarks)

31
Q

Azure Information Protection - Protection

A

Azure Rights Management encrypts docs using rights management templates

32
Q

Azure Monitor

A

Collect (metrics, logs) and analyse metric information for Azure and on-premises resources
Troubleshooting and performance monitoring

33
Q

Azure Service Health

A

Notifies you about Azure service status
Reports incidents and planned maintenance
Personalised dashboards
Configurable alerts
Guidance and support

34
Q

Azure Advanced Threat Protection

A

Monitor and analyze user activity
Identify suspicious activity and events

35
Q

Azure Key Vault

A

Centralizes the storage of application secrets
Logging to monitor how and when secrets are being used
Enables centralized administration of secrets

36
Q

Azure Key Vault Recommendations

A

Separate key vault for each application or environment
Take regular backups of your key vault
Turn on logging and set up alerts
Turn on soft delete and purge protection

37
Q

Azure Sentinel (SIEM and SOAR)

A

Cloud-native security information and event management (SIEM)
Security orchestration, automation and response (SOAR) solutions

38
Q

Azure Sentinel

A

Connect to your security sources with data connectors
Analyze your data using workbooks and analytics
Security automation and orchestration using playbooks
Deep investigation and hunting

39
Q

Azure Security Center - Secure Score

A

Azure Security Center assesses your resources, subscriptions, and organization for security issues. It then aggregates all the findings into a single score (a percentage).

40
Q

Azure Security Center - Security Policy

A

A rule about specific security conditions that you want controlled. Built-in definitions include things like controlling what type of resources can be deployed or enforcing the use of tags on all resources. You can also create your own custom policy definitions.

41
Q

Azure Security Center

A

A tool for security posture management and threat protection
Continually assess - provides a secure score for a quick understanding of security strengths
Secure - customized and prioritized task suggestions to improve the secure score
Defend - detects threats to Azure resources and provides alerts

42
Q

Regulatory Compliance

A

Process of ensuring that you follow the standards and laws laid out by governing bodies
People and processes monitor systems to detect and prevent violations
Compliance monitoring can be complex
Azure provides several tools to help us assess our compliance posture

43
Q

Azure Service Trust Portal - Compliance Manager

A

Compliance Manager - workflow-based risk assessment tool

44
Q

Azure Service Trust Portal - Industry and Regions

A

Industry- and region-specific compliance information and docs

45
Q

Microsoft Trust Center

A

Security, privacy and compliance information
Access to Microsoft product compliance information
Compliance tools
Compliance score
Audit reports
Data protection resources

46
Q

Azure Special Regions

A

Exist for compliance and legal reasons - not available to the public
US Gov regions
China regions
Germany regions

47
Q

Microsoft Privacy Statement

A

Explains how Microsoft collects and processes personal data and for what purposes
Includes product-specific information

48
Q

Microsoft Online Subscription Agreement (MOSA)

A

Documents the acceptable and unacceptable use of Microsoft Online Services
An agreement between Microsoft and the subscriber

49
Q

Online Services Terms (OST)

A

The terms under which each Microsoft product is offered
The licensing agreements for all Microsoft online services

50
Q

Online Services Data Protection Addendum (DPA)

A

How data is protected, the responsibilities of Microsoft in data protection, and the responsibilities of the customer in data protection

51
Q

Dedicated Hosts

A

Provide physical servers that host one or more VMs
Your server is dedicated to your organization
Helps with compliance requirements
Helps meet server-based SLAs

52
Q

Security Posture: Confidentiality

A

Confidentiality - This pillar ensures that the 'protect surface' can be accessed only by those who have been granted direct/express permission.

53
Q

Security Posture: Integrity

A

Integrity - A unique fingerprint of the data is created by using a one-way hashing algorithm, and the hash is sent to the receiver. The goal of integrity is to preserve the data throughout the transmission. After receiving the data and the hash, the recipient can recalculate the hash and compare the two values to detect whether the data is still consistent.

54
Q

Security Posture: Availability

A

Data should be made available only to authentic users. Authentic users shouldn't be denied access.

55
Q

Defense In Depth Layers

A

1 Data: Data encryption in Azure Blob Storage (Integrity)
2 Application: SSL/TLS encryption (Integrity)
3 Compute: Regular application of OS and layered software patches (Availability)
4 Network: Network security rules (Confidentiality)
5 Perimeter: Distributed Denial-of-Service protection (Availability)
6 Identity and access: Azure Active Directory user authentication (Integrity)
7 Physical security: Azure datacenter biometric access controls (Confidentiality)