Module 3: Security, Privacy, Compliance and Trust Flashcards
What is defense in depth?
Defense in depth is a strategy that employs a series of mechanisms to slow the advance of an attack aimed at acquiring unauthorized access to data.
What is the objective of defense in depth?
The objective of defense in depth is to protect information and prevent it from being stolen by individuals not authorized to access it.
What is CIA?
Confidentiality, Integrity and Availability
Describe Confidentiality.
Confidentiality restricts access to information to only those individuals explicitly granted access (the principle of least privilege). This covers protection of user passwords, remote access certificates, and email content.
Describe Integrity.
The prevention of unauthorized changes to information at rest or in transit.
Describe Availability (CIA).
Ensure services are available to authorized users. Denial of service attacks are a prevalent cause of loss of availability to users.
Describe the layers of defense in depth.
Physical security is the first line of defense to protect computing hardware in the datacenter.
Identity & access controls access to infrastructure and change control.
Perimeter layer uses distributed denial-of-service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for end users.
Networking layer limits communication between resources through segmentation and access controls.
Compute layer secures access to virtual machines.
Application layer ensures applications are secure and free of vulnerabilities.
What is Azure Firewall?
Azure Firewall is a managed, cloud-based, network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
What features does Azure Firewall include?
Azure Firewall provides many features, including:
- Built-in high availability.
- Unrestricted cloud scalability.
- Inbound and outbound filtering rules.
- Azure Monitor logging.
What are some common usage scenarios for Azure Firewall?
You typically deploy Azure Firewall on a central virtual network to control general network access. With Azure Firewall you can configure:
- Application rules that define fully qualified domain names (FQDNs) that can be accessed from a subnet.
- Network rules that define source address, protocol, destination port, and destination address.
What is Azure Application Gateway?
Azure Application Gateway also provides a firewall, called the Web Application Firewall (WAF). WAF provides centralized, inbound protection for your web applications against common exploits and vulnerabilities.
What is a DDoS attack?
DDoS attacks attempt to overwhelm and exhaust an application’s resources, making the application slow or unresponsive to legitimate users. DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet. Thus, any resource exposed to the internet, such as a website, is potentially at risk from a DDoS attack.
How does the Azure DDoS Protection service protect applications?
The Azure DDoS Protection service protects your Azure applications by scrubbing traffic at the Azure network edge before it can impact your service’s availability.
Describe the basic tier of Azure DDoS Protection.
The Basic service tier is automatically enabled as part of the Azure platform. Always-on traffic monitoring and real-time mitigation of common network-level attacks provide the same defenses that Microsoft’s online services use. Azure’s global network is used to distribute and mitigate attack traffic across regions.
Describe the Standard tier of Azure DDoS Protection.
The Standard service tier provides additional mitigation capabilities that are tuned specifically to Microsoft Azure Virtual Network resources. DDoS Protection Standard is simple to enable and requires no application changes. Protection policies are tuned through dedicated traffic monitoring and machine learning algorithms. Policies are applied to public IP addresses which are associated with resources deployed in virtual networks, such as Azure Load Balancer and Application Gateway.
What types of attacks can DDoS standard protection mitigate?
Volumetric attacks. The attack’s goal is to flood the network layer with a substantial amount of seemingly legitimate traffic.
Protocol attacks. These attacks render a target inaccessible, by exploiting a weakness in the layer 3 and layer 4 protocol stack.
Resource (application) layer attacks. These attacks target web application packets to disrupt the transmission of data between hosts.
What are Network Security Groups (NSGs)?
Network Security Groups allow you to filter network traffic to and from Azure resources in an Azure virtual network. An NSG can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol.
List the properties an NSG rule specifies.
- Name
- Priority
- Source and destination address (each rule specifies both)
- Protocol
- Direction
- Port Range
- Action
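The properties above only make sense together with the order in which Azure evaluates them: rules are processed by priority (lowest number first), the first rule that matches the flow decides, and the platform's built-in default rules (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500, and their outbound counterparts) sit behind any custom rules. The following model is an added example, not Microsoft code or an Azure SDK call; the service-tag prefixes, rule set and sample flows are constructed for illustration, and the "Internet" tag is simplified to 0.0.0.0/0.

```python
"""Model of how an Azure Network Security Group (NSG) evaluates a flow.

Added illustration, not Microsoft code. It encodes the documented
evaluation order: sort by priority (lower number first), first match wins,
default rules behind custom rules. Sample data is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-in for Azure service tags. The real tag contents are
# maintained by Microsoft and change over time; "Internet" is simplified.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "Internet": ["0.0.0.0/0"],
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # 100-4096 for custom rules; defaults use 65000+
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    source: str        # CIDR, single IP, service tag or "*"
    dest: str
    dest_ports: str    # "443", "80-8080", "22,3389" or "*"


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int


# The platform default rules; they cannot be removed, only overridden by
# a custom rule with a lower priority number.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]


def _addr_matches(spec: str, ip: str) -> bool:
    if spec == "*":
        return True
    prefixes = SERVICE_TAGS.get(spec, [spec])   # tag name or literal prefix
    addr = ip_address(ip)
    return any(addr in ip_network(p, strict=False) for p in prefixes)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):                 # "22,3389" or "80-8080"
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _rule_matches(rule: Rule, flow: Flow) -> bool:
    return (
        rule.direction == flow.direction
        and rule.protocol in ("*", flow.protocol)
        and _addr_matches(rule.source, flow.src_ip)
        and _addr_matches(rule.dest, flow.dst_ip)
        and _port_matches(rule.dest_ports, flow.dst_port)
    )


def evaluate(custom_rules: list[Rule], flow: Flow) -> tuple[str, str]:
    """Return (access, rule name) of the first matching rule by priority."""
    for rule in sorted(custom_rules + DEFAULT_RULES, key=lambda r: r.priority):
        if _rule_matches(rule, flow):
            return rule.access, rule.name
    raise AssertionError("unreachable: the DenyAll default rules match everything")


# Constructed example NSG for a web subnet: HTTPS from anywhere, SSH only
# from a jump host at 10.0.1.4.
WEB_NSG = [
    Rule("AllowHttpsInbound", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "443"),
    Rule("AllowSshFromJumpHost", 110, "Inbound", "Allow", "Tcp", "10.0.1.4/32", "*", "22"),
]

if __name__ == "__main__":
    for f in [
        Flow("Inbound", "Tcp", "203.0.113.7", "10.0.2.10", 443),   # allowed by rule 100
        Flow("Inbound", "Tcp", "203.0.113.7", "10.0.2.10", 22),    # falls through to DenyAllInBound
        Flow("Inbound", "Tcp", "10.0.1.4", "10.0.2.10", 22),       # allowed by rule 110
        Flow("Inbound", "Tcp", "10.0.3.9", "10.0.2.10", 3389),     # allowed by AllowVnetInBound
    ]:
        print(f"{f.src_ip}->{f.dst_ip}:{f.dst_port} => {evaluate(WEB_NSG, f)}")
```

The fourth sample flow is the caveat worth remembering: "deny by default" only holds for traffic from outside the virtual network. RDP from another VM in the same VNet is still accepted by the AllowVnetInBound default rule, so segmenting east-west traffic requires an explicit custom deny rule with a priority number below 65000.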
What are Application Security Groups (ASGs)?
Application security groups enable you to configure network security as a natural extension of an application’s structure, allowing you to group virtual machines and define network security policies based on those groups.
Describe the Perimeter Layer Azure security solution.
The network perimeter layer is about protecting organizations from network-based attacks against your resources. Identifying these attacks, alerting, and eliminating their impact is important to keep your network secure. To do this:
- Use Azure DDoS Protection to filter large-scale attacks before they can cause a denial of service for end users.
- Use perimeter firewalls with Azure Firewall to identify and alert on malicious attacks against your network.
Describe the Networking Layer Azure security solution.
At this layer, the focus is on limiting network connectivity across all your resources to only allow what is required. Segment your resources and use network-level controls to restrict communication to only what is needed. By restricting connectivity, you reduce the risk of lateral movement throughout your network from an attack. Use NSGs to create rules about inbound and outbound communication at this layer. As best practices:
- Limit communication between resources through segmenting your network and configuring access controls.
- Deny by default.
- Restrict inbound internet access and limit outbound where appropriate.
- Implement secure connectivity to on-premises networks.
Describe the Combining services Azure security solution.
You can also combine multiple Azure networking and security services to manage your network security and provide increased layered protection. The following are examples of combined services:
- Network security groups and Azure Firewall. Azure Firewall complements network security group functionality. Together, they provide better defense-in-depth network security. Network security groups provide distributed network layer traffic filtering to limit traffic to resources within virtual networks in each subscription. Azure Firewall is a fully stateful, centralized network firewall-as-a-service, which provides network and application-level protection across different subscriptions and virtual networks.
- Application Gateway WAF and Azure Firewall. WAF is a feature of Application Gateway that provides your web applications with centralized, inbound protection against common exploits and vulnerabilities. Azure Firewall provides inbound protection for non-HTTP/S protocols (for example, RDP, SSH, FTP), outbound network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S. Combining both provides additional layers of protection.
What are the two fundamental concepts when talking about identity and access?
- Authentication. Authentication is the process of establishing the identity of a person or service looking to access a resource. It involves the act of challenging a party for legitimate credentials and provides the basis for creating a security principal for identity and access control use. It establishes if they are who they say they are.
- Authorization. Authorization is the process of establishing what level of access an authenticated person or service has. It specifies what data they’re allowed to access and what they can do with it.
What is Azure Active Directory (Azure AD)?
Azure Active Directory is a Microsoft cloud-based identity and access management service. Azure AD helps employees of an organization sign in and access resources:
- External resources might include Microsoft Office 365, the Azure portal, and thousands of other software as a service (SaaS) applications.
- Internal resources might include apps on your corporate network and intranet, along with any cloud apps developed by your own organization.