Azure Security and Privacy Concepts

Question 1

Authentication vs Authorization

Answer 1

Authentication - The act of proving who or what something is

Authorization - Granting the correct level of access to a resource or service

Question 2

Azure Active Directory (Azure AD)

Answer 2

Sits at the heart of Authentication in the Microsoft Cloud

Question 3

Azure AD Functionality

Answer 3

Provides:
  User Management
  Application Integration
  Single Sign on
  Integration with other directory services

Question 4

Azure AD single sign-on

Answer 4

One of the key features of Azure AD
Users should be asked for their credentials once
Can integrate with Microsoft provided and 3rd party applications
Application integration includes the ability to provision users and assign levels of access

Question 5

Azure AD Conditional Access

Answer 5

Control access to apps no matter where our users are

We create conditional access policies (if-then statements)

Signals are used to make decisions
IP location information
risk analysis
device information

Question 6

Conditional Access decisions

Answer 6

Block Access

Grant Access

Question 7

Azure Role Based Access Control (RBAC)

Answer 7

Tool used to provide shared access

Question 8

RBAC - Roles

Answer 8

Roles allow you to group together sets of permissions

We can make users or groups members of roles

Members of roles inherit all the permissions assigned to the role

Question 9

RBAC - Three Built-in Roles

Answer 9

Owner - manage everything including access to resources

Contributor - manage everything EXCEPT granting access to resources

Reader - view everything but not make changes

Question 10

RBAC Custom Roles

Answer 10

Use Built-in roles first, if unsuitable define custom roles

Always follow principal of least privilege

Question 11

Resource Locks

Answer 11

Override permissions at various scopes.
subscription locks
group locks
resource locks

Locks are inherited by child resources

Question 12

Types of Azure Locks

Answer 12

ReadOnly
authorized users that have permission to view the resource are able to view but cannot update or delete

CanNotDelete
authorized users that have permission to view and modify the resource cannot delete the resource

Question 13

Azure Tags

Answer 13

Key Value pairs assigned to resources

Tags can be used to
enforce security requirements
control costs
deploy software

Question 14

Azure Policy

Answer 14

is a collection of rules

each policy is assigned to a scope

Question 15

Azure Initiatives

Answer 15

a collection of policies

initiatives are assigned to a scope (i.e., resource group)

Question 16

Built-in Policies (types)

Answer 16

Storage accounts
Resource types
Allowed locations
Enforce tags
Virtual machine SKUs

Question 17

Azure Blueprints

Answer 17

A way of orchestrating the deployment of resource templates and artifacts

Blueprints include Azure Policy and Azure Initiatives

Question 18

Defining a blueprint

Answer 18

Resource groups can be defined and created

Azure Resource Manager (ARM) templates can be included to deploy resources

Azure policy can be included to enforce compliance

Roles can be assigned resources that blueprints have created

Question 18

Azure Advisor Security Assistance

Answer 18

Azure advisor integrates with Azure security center

Advisor security assistance helps prevent, detect and respond to threats

Question 19

Azure Network Security Groups (NSGs)

Answer 19

NSGs filter traffic - allow/deny in/outbound traffic

NSGs contain rules - rules are processed in order based on a number 100 (processed first) to 4096 (processed last)

Question 20

Properties of NSGs

Answer 20

Attached to subnets or network cards

can be linked to multiples resources

are stateful

Question 21

Problems with NSGs

Answer 21

Can become complex - containing lots of rules

Can be difficult to maintain - adding more resources may result in a need to update several network security groups

Question 22

Application Security Groups

Answer 22

Allows us to reference a group of resources

Used as a source or destination in network security groups

Can be used in NSGs

Question 23

Azure Firewall

Answer 23

a managed stateful firewall service

protects access to virtual networks

Question 24

Azure Firewall Features

Answer 24

out/inbound NAT support

integration with Azure Monitor

unrestricted scalability

network traffic filtering rules

Question 25

Azure DDoS Protection

Answer 25

DDoS mitigation for networks and applications

Question 26

Azure DDoS Protection - Features

Answer 26

Always-on monitoring

application layer protection

integration with Azure monitor

Question 27

Azure DDoS Service Tiers - Basic

Answer 27

Active traffic monitoring and always on detection

Backed by an SLA

Free

Question 28

Azure DDoS Service Tiers - Standard

Answer 28

Basic +

real time metric

post attack reports

Access to experts during active attack

Question 29

Azure Information Protection

Answer 29

used to classify docs and emails

applies labels to docs

labeled docs can be protected

(labels stay with the docs regardless of location)

Question 30

Azure Information Protection - Classification

Answer 30

Metadata is added to docs

Visual markings (headers, footers, watermarks)

Question 31

Azure Information Protection - Protection

Answer 31

Azure rights management encrypts docs using rights management templates

Question 32

Azure Monitor

Answer 32

Collect (metrics, logs) and analyse metric information for Azure and on-premise resources

Troubleshooting and performance monitoring

Question 33

Azure Service Health

Answer 33

Notifies you about Azure service status

Reports incidents and planned maintenance

Personalised dashboards
Configurable alerts
Guidance and support

Question 34

Azure advanced threat and protection

Answer 34

Monitor and analyze user activity

identify suspicious activity and events

Question 35

Azure Key Vault

Answer 35

Centralizes the storage of application secrets

logging to monitor how and when secrets are being used

enable centralized administration of secrets

Question 36

Azure Key Vault Recommendations

Answer 36

Separate key vault for each application or environment

Take regular backups of your key vault

Turn on logging and set up alerts

turn on soft delete and purge protection

Question 37

Azure Sentinel (SIEM and SOAR)

Answer 37

Cloud-native security information event management (SIEM)

Security orchestration automate response solutions (SOAR)

Question 38

Azure Sentinel

Answer 38

Connect to your security sources with data connectors

Analyze your data using workbooks and analytics

Security automation and orchestration using playbooks

Deep investigation and hunting

Question 39

Azure Security Center - Secure Score

Answer 39

Azure Security Center assesses your resources, subscriptions, and organization for security issues. It then aggregates all the findings into a single score (a percentage)

Question 40

Azure Security Center - Security Policy

Answer 40

is a rule about specific security conditions that you want controlled.

Built in definitions include things like controlling what type of resources can be deployed or enforcing the use of tags on all resources. You can also create your own custom policy definitions.

Question 41

Azure Security Center

Answer 41

A tool for security posture management and threat

Continually assess - provides secure score for quick understanding of security strengths

Secure - customized and prioritized task suggestions to improve secure score

Defend - detects threats to Azure resources and provides alerts

Question 42

Regulatory Compliance

Answer 42

Process of ensuring that you follow the standards of laws laid out by governing bodies

People and process monitor systems to detect and prevent violations

Compliance monitoring can be complex

Azure provides several tools to help us asses our compliance posture

Question 42

Regulatory Compliance

Answer 42

Process of ensuring that you follow the standards of laws laid out by governing bodies

People and process monitor systems to detect and prevent violations

Compliance monitoring can be complex

Azure provides several tools to help us asses our compliance posture

Question 43

Azure Service Trust Portal - Compliance Manager

Answer 43

Compliance manager - workflow based risk assessment tool

Question 44

Azure Service Trust Portal - Industry and Regions

Answer 44

Industry and region-specific compliance information docs.

Question 45

Microsoft Trust Center

Answer 45

Security, privacy and compliance information

Access to Microsoft product compliance information

Compliance tools
compliance score
audit reports
data protection resources

Question 46

Azure Special Regions

Answer 46

Exists for compliance and legal reasons - not available to public

US GOV Regions

China Regions

Germany Regions

Question 47

Microsoft Privacy Statement

Answer 47

Explains how Microsoft collects and processes personal data and for what purposes

Includes product specific information

Question 48

Microsoft Online subscription Agreement (MOSA)

Answer 48

Documents the acceptable and unacceptable use of Microsoft Online Services.

An agreement between Microsoft and the Subscriber

Question 49

Online Services Terms (OST)

Answer 49

The terms for which each Microsoft product is offered

The licensing agreements for all of Microsoft online services

Question 49

Online Services Terms (OST)

Answer 49

The terms for which each Microsoft product is offered

The licensing agreements for all of Microsoft online services

Question 50

Online Service Data Protection Addendum (DPA)

Answer 50

How data is protected, the responsibilities of Microsoft in data protection and the responsibilities of the customer in data protection

Question 51

Dedicated Hosts

Answer 51

provide physical servers that host one or more VMs

your server is dedicated to your organization

helps with compliance requirements

helps meet server-based SLA

Question 52

Security Posture: Confidentiality

Answer 52

Confidentiality-This pillar ensures that the ‘protect surface’ can be accessed only by those who have been granted direct/express permission.

Question 53

Security Posture: Integrity

Answer 53

Integrity– A unique fingerprint of the data is created by using a one-way hashing algorithm. The receiver is then sent the hash. The goal of integrity is to preserve the data throughout the transmission. Therefore, after the recipient receives the hash, he/she can recalculate the original value of the hash and compare the values to detect data consistency.

Question 54

Security Posture: Availability

Answer 54

Data should be made available only to authentic users.

Authentic users shouldn’t be denied access.

Question 55

Defense In Depth Layers

Answer 55

1 Data: Data encryption in Azure Blob Storage (Integrity)
2 Application: SSL/TLS encryptions (Integrity)
3 Compute: Regular application of OS and layered software patches (Availability)
4 Network: Network security rules (Confidentiality)
5 Perimeter: Distributed Denial-of-service (Availability)
6 Identity and access: Azure Active Directory user authentication (Integrity)
7 Physical security: Azure datacenter biometric access controls (Confidentiality)