Module 3: Security, Privacy, Compliance and Trust

Question 1

What is defense in depth?

Answer 1

Defense in depth is a strategy that employs a series of mechanisms to slow the advance of an attack aimed at acquiring unauthorized access to data.

Question 2

What is the objective of defense in depth?

Answer 2

The objective of defense in depth is to protect and prevent information from being stolen by individuals not authorized to access it.

Question 3

What is CIA?

Answer 3

Confidentiality, Integrity and Availability

Question 4

Describe Confidentiality.

Answer 4

The Principle of least privilege restricts access to information only to individuals explicitly granted access. This information includes protection of user passwords, remote access certificates, and email content.

Question 5

Describe Integrity.

Answer 5

The prevention of unauthorized changes to information at rest or in transit.

Question 6

Describe Availablity (CIA).

Answer 6

Ensure services are available to authorized users. Denial of service attacks are a prevalent cause of loss of availability to users.

Question 7

Describe the layers of defense in depth.

Answer 7

Physical security is the first line of defense to protect computing hardware in the datacenter.

Identity & access controls access to infrastructure and change control.

Perimeter layer uses distributed denial-of-service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for end users.

Networking layer limits communication between resources through segmentation and access controls.

Compute layer secures access to virtual machines.

Application layer ensures applications are secure and free of vulnerabilities.

Question 8

What is Azure Firewall?

Answer 8

Azure Firewall is a managed, cloud-based, network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.

Question 9

What features does Azure Firewall include?

Answer 9

Azure Firewall provides many features, including:

• Built-in high availability.
• Unrestricted cloud scalability.
• Inbound and outbound filtering rules.
• Azure Monitor logging.

Question 10

What are some common usage scenarios for Azure Firewall?

Answer 10

You typically deploy Azure Firewall on a central virtual network to control general network access. With Azure Firewall you can configure:

• Application rules that define fully qualified domain names (FQDNs) that can be accessed from a subnet.
• Network rules that define source address, protocol, destination port, and destination address.

Question 11

What is Azure Application Gateway?

Answer 11

Azure Application Gateway also provides a firewall, called the Web Application Firewall (WAF). WAF provides centralized, inbound protection for your web applications against common exploits and vulnerabilities.

Question 12

What is a DDoS attack?

Answer 12

DDoS attacks attempt to overwhelm and exhaust an application’s resources, making the application slow or unresponsive to legitimate users. DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet. Thus, any resource exposed to the internet, such as a website, is potentially at risk from a DDoS attack.

Question 13

How does Azure DDos protection service protect applications?

Answer 13

The Azure DDoS Protection service protects your Azure applications by scrubbing traffic at the Azure network edge before it can impact your service’s availability.

Question 14

Describe the basic tier of Azure DDoS Protection.

Answer 14

The Basic service tier is automatically enabled as part of the Azure platform. Always-on traffic monitoring and real-time mitigation of common network-level attacks provide the same defenses that Microsoft’s online services use. Azure’s global network is used to distribute and mitigate attack traffic across regions.

Question 15

Describe the Standard tier of Azure DDos Protection.

Answer 15

The Standard service tier provides additional mitigation capabilities that are tuned specifically to Microsoft Azure Virtual Network resources. DDoS Protection Standard is simple to enable and requires no application changes. Protection policies are tuned through dedicated traffic monitoring and machine learning algorithms. Policies are applied to public IP addresses which are associated with resources deployed in virtual networks, such as Azure Load Balancer and Application Gateway.

Question 16

What types of attacks can DDoS standard protection mitigate?

Answer 16

Volumetric attacks. The attack’s goal is to flood the network layer with a substantial amount of seemingly legitimate traffic.

Protocol attacks. These attacks render a target inaccessible, by exploiting a weakness in the layer 3 and layer 4 protocol stack.

Resource (application) layer attacks. These attacks target web application packets to disrupt the transmission of data between hosts.

Question 17

What is Network Security Groups (NSG)?

Answer 17

Network Security Groups allow you to filter network traffic to and from Azure resources in an Azure virtual network. An NSG can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol.

Question 18

List the properties an NSG rule specifies.

Answer 18

• Name
• Priority
• Source or Destination
• Protocol
• Direction
• Port Range
• Action

Question 19

What is Application Security Groups (ASG)?

Answer 19

Application security groups enable you to configure network security as a natural extension of an application’s structure, allowing you to group virtual machines and define network security policies based on those groups.

Question 20

Describe the Perimeter Layer Azure security solution.

Answer 20

The network perimeter layer is about protecting organizations from network-based attacks against your resources. Identifying these attacks, alerting, and eliminating their impact is important to keep your network secure. To do this:

• Use Azure DDoS Protection to filter large-scale attacks before they can cause a denial of service for end users.
• Use perimeter firewalls with Azure Firewall to identify and alert on malicious attacks against your network.

Question 21

Describe the Networking Layer Azure security solution.

Answer 21

At this layer, the focus is on limiting network connectivity across all your resources to only allow what is required. Segment your resources and use network-level controls to restrict communication to only what is needed. By restricting connectivity, you reduce the risk of lateral movement throughout your network from an attack. Use NSGs to create rules about inbound and outbound communication at this layer. As best practices:

• Limit communication between resources through segmenting your network and configuring access controls.
• Deny by default.
• Restrict inbound internet access and limit outbound where appropriate.
• Implement secure connectivity to on-premises networks.

Question 22

Describe the Combining services Azure security solution.

Answer 22

You can also combine multiple Azure networking and security services to manage your network security and provide increased layered protection. The following are examples of combined services:

• Network security groups and Azure Firewall. Azure Firewall complements network security group functionality. Together, they provide better defense-in-depth network security. Network security groups provide distributed network layer traffic filtering to limit traffic to resources within virtual networks in each subscription. Azure Firewall is a fully stateful, centralized network firewall-as-a-service, which provides network and application-level protection across different subscriptions and virtual networks.
• Application Gateway WAF and Azure Firewall. WAF is a feature of Application Gateway that provides your web applications with centralized, inbound protection against common exploits and vulnerabilities. Azure Firewall provides inbound protection for non-HTTP/S protocols (for example, RDP, SSH, FTP), outbound network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S. Combining both provides additional layers of protection.

Question 23

What are the two fundamental concepts when talking about identity and access?

Answer 23

• Authentication. Authentication is the process of establishing the identity of a person or service looking to access a resource. It involves the act of challenging a party for legitimate credentials and provides the basis for creating a security principal for identity and access control use. It establishes if they are who they say they are.
• Authorization. Authorization is the process of establishing what level of access an authenticated person or service has. It specifies what data they’re allowed to access and what they can do with it.

Question 24

What is Azure Active Directory (Azure AD)?

Answer 24

Azure Active Directory is a Microsoft cloud-based identity and access management service. Azure AD helps employees of an organization sign in and access resources:

• External resources might include Microsoft Office 365, the Azure portal, and thousands of other software as a service (SaaS) applications.
• Internal resources might include apps on your corporate network and intranet, along with any cloud apps developed by your own organization.

Question 25

What services does Azure AD provide?

Answer 25

Authentication. This includes verifying identity to access applications and resources, and providing functionality such as self-service password reset, multi-factor authentication (MFA), a custom banned password list, and smart lockout services.

Single-Sign-On (SSO). SSO enables users to remember only one ID and one password to access multiple applications. A single identity is tied to a user, simplifying the security model. As users change roles or leave an organization, access modifications are tied to that identity, greatly reducing the effort needed to change or disable accounts.

Application management. You can manage your cloud and on-premises apps using Azure AD Application Proxy, SSO, the My apps portal (also referred to as Access panel), and SaaS apps.

Business to business (B2B) identity services. Manage your guest users and external partners while maintaining control over your own corporate data

Business-to-Customer (B2C) identity services. Customize and control how users sign up, sign in, and manage their profiles when using your apps with services.

Device Management. Manage how your cloud or on-premises devices access your corporate data.

Question 26

What is Azure AD intended for?

Answer 26

• IT administrators. Administrators can use Azure AD to control access to apps and their resources, based on your business requirements.
• App developers. Developers can use Azure AD to provide a standards-based approach for adding functionality to applications that you build, such as adding Single-Sign-On functionality to an app, or allowing an app to work with a user’s pre-existing credentials and other functionality.
• Microsoft 365, Microsoft Office 365, Azure, or Microsoft Dynamics CRM Online subscribers. These subscribers are already using Azure AD. Each Microsoft 365, Office 365, Azure, and Dynamics CRM Online tenant is automatically an Azure AD tenant. You can immediately start to manage access to your integrated cloud apps using Azure AD.

Question 27

What is Azure Multi-Factor Authentication (MFA)?

Answer 27

Azure Multi-Factor Authentication provides additional security for your identities by requiring two or more elements for full authentication. These elements fall into three categories:

1. Something you know could be a password or the answer to a security question.
2. Something you possess might be a mobile app that receives a notification, or a token-generating device.
3. Something you are is typically some sort of biometric property, such as a fingerprint or face scan used on many mobile devices.

Question 28

Which Azure services include MFA?

Answer 28

• Azure Active Directory Premium licenses. These licenses provide full-featured use of Azure Multi-Factor Authentication Service (cloud) or Azure Multi-Factor Authentication Server (on-premises).
• Multi-Factor Authentication for Office 365. A subset of Azure Multi-Factor Authentication capabilities is available as a part of your Office 365 subscription.
• Azure Active Directory global administrators. Because global administrator accounts are highly sensitive, a subset of Azure Multi-Factor Authentication capabilities are available to protect these accounts.

Question 29

What is the Azure Security Center?

Answer 29

Azure Security Center is a monitoring service that provides threat protection across all of your services both in Azure, and on-premises. Security Center can:

• Provide security recommendations based on your configurations, resources, and networks.
• Monitor security settings across on-premises and cloud workloads, and automatically apply required security to new services as they come online.
• Continuously monitor all your services and perform automatic security assessments to identify potential vulnerabilities before they can be exploited.
• Use machine learning to detect and block malware from being installed on your virtual machines and services. You can also define a list of allowed applications to ensure that only the apps you validate can execute.
• Analyze and identify potential inbound attacks and help to investigate threats and any post-breach activity that might have occurred.
• Provide just-in-time access control for ports, reducing your attack surface by ensuring the network only allows traffic that you require.

Question 30

Describe the Azure Security Center Free tier.

Answer 30

Available as part of your Azure subscription, this tier is limited to assessments and recommendations of Azure resources only.

Question 31

Describe the Azure Security Center Standard tier.

Answer 31

This tier provides a full suite of security-related services including continuous monitoring, threat detection, just-in-time access control for ports, and more.

Question 32

Describe how to use Azure Security Center for an incident response.

Answer 32

You can use Security Center during the detect, assess, and diagnose stages. Here are examples of how Security Center can be useful during the three initial incident response stages:

• Detect. Review the first indication of an event investigation. For example, use the Security Center dashboard to review the initial verification that a high-priority security alert was raised.
• Assess. Perform the initial assessment to obtain more information about the suspicious activity. For example, obtain more information about the security alert.
• Diagnose. Conduct a technical investigation and identify containment, mitigation, and workaround strategies. For example, follow the remediation steps described by Security Center in that particular security alert.

Question 33

Describe how to use Azure Security Center to enhance security.

Answer 33

You can reduce the chances of a significant security event by configuring a security policy, and then implementing the recommendations provided by Azure Security Center.

A security policy defines the set of controls that are recommended for resources within that specified subscription or resource group. In Security Center, you define policies according to your company’s security requirements.

Security Center analyzes the security state of your Azure resources. When Security Center identifies potential security vulnerabilities, it creates recommendations based on the controls set in the security policy. The recommendations guide you through the process of configuring the needed security controls.

Question 34

What is Azure Key Vault?

Answer 34

Azure Key Vault is a centralized cloud service for storing your applications’ secrets. Key Vault helps you control your applications’ secrets by keeping them in a single, central location and by providing secure access, permissions control, and access logging capabilities.

Question 35

What are some usage scenarios for Azure Key Vault?

Answer 35

• Secrets management. You can use Key Vault to securely store and tightly control access to tokens, passwords, certificates, Application Programming Interface (API) keys, and other secrets.
• Key management. You also can use Key Vault as a key management solution. Key Vault makes it easier to create and control the encryption keys used to encrypt your data.
• Certificate management. Key Vault lets you provision, manage, and deploy your public and private Secure Sockets Layer/ Transport Layer Security (SSL/ TLS) certificates for your Azure, and internally connected, resources more easily.
• Store secrets backed by hardware security modules (HSMs). The secrets and keys can be protected either by software, or by FIPS 140-2 Level 2 validated HSMs.

Question 36

What are the benefits in using Azure Key Vault?

Answer 36

• Centralized application secrets. Centralizing storage for application secrets allows you to control their distribution and reduces the chances that secrets may be accidentally leaked.
• Securely stored secrets and keys. Azure uses industry-standard algorithms, key lengths, and HSMs, and access requires proper authentication and authorization.
• Monitor access and use. Using Key Vault, you can monitor and control access to company secrets.
• Simplified administration of application secrets. Key Vault makes it easier to enroll and renew certificates from public Certificate Authorities (CAs). You can also scale up and replicate content within regions and use standard certificate management tools.
• Integrate with other Azure services. You can integrate Key Vault with storage accounts, container registries, event hubs and many more Azure services.

Question 37

What is Azure Information Protection (AIP)?

Answer 37

Azure Information Protection is a cloud-based solution that helps organizations classify and (optionally) protect its documents and emails by applying labels. Labels can be applied automatically (by administrators who define rules and conditions), manually (by users), or with a combination of both (where users are guided by recommendations).

Question 38

What is Azure Advanced Threat Protection (ATP)?

Answer 38

Azure Advanced Threat Protection is a cloud-based security solution that identifies, detects, and helps you investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Azure ATP is capable of detecting known malicious attacks and techniques, security issues, and risks against your network.

Question 39

What are the Azure ATP components?

Answer 39

• Azure ATP portal. Azure ATP has its own portal, through which you can monitor and respond to suspicious activity. The Azure ATP portal allows you to create your Azure ATP instance, and view the data received from Azure ATP sensors. You can also use the portal to monitor, manage, and investigate threats in your network environment.
• Azure ATP sensor. Azure ATP sensors are installed directly on your domain controllers. The sensor monitors domain controller traffic without requiring a dedicated server or configuring port mirroring.
• Azure ATP cloud service. Azure ATP cloud service runs on Azure infrastructure and is currently deployed in the United States, Europe, and Asia. Azure ATP cloud service is connected to Microsoft’s intelligent security graph.

Question 40

What is the Azure Policy service?

Answer 40

Azure Policy is a service in Azure that you use to create, assign, and, manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service-level agreements (SLAs).

Question 41

What are the three steps to creating and implementing an Azure policy?

Answer 41

1. Create a policy definition
2. Assign the definition to resources.
3. Review the evaluation results.

Question 42

What are some examples of policy definitions?

Answer 42

• Allowed Storage Account SKUs. This policy definition has a set of conditions/rules that determine whether a storage account that is being deployed is within a set of SKU sizes. Its effect is to deny all storage accounts that do not adhere to the set of defined SKU sizes.
• Allowed Resource Type. This policy definition has a set of conditions/rules to specify the resource types that your organization can deploy. Its effect is to deny all resources that are not part of this defined list.
• Allowed Locations. This policy enables you to restrict the locations that your organization can specify when deploying resources. Its effect is used to enforce your geographic compliance requirements.
• Allowed Virtual Machine SKUs. This policy enables you to specify a set of VM SKUs that your organization can deploy.

Question 43

What is an initiative definition?

Answer 43

An initiative definition is a set of policy definitions to help track your compliance state for a larger goal. Initiative assignments reduce the need to make several initiative definitions for each scope.

Question 44

What is Role-Based Acess Control (RBAC)?

Answer 44

Role-based access control provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs. RBAC is provided at no additional cost to all Azure subscribers.

Question 45

What are some usage scenarios for RBACs?

Answer 45

• Allow one user to manage VMs in a subscription, and another user to manage virtual networks.
• Allow a database administrator (DBA) group to manage SQL databases in a subscription.
• Allow a user to manage all resources in a resource group, such as VMs, websites, and subnets.
• Allow an application to access all resources in a resource group.

Question 46

Describe the RBAC best practices?

Answer 46

• Using RBAC, segregate duties within your team and grant only the amount of access to users that they need to perform their jobs. Instead of giving everybody unrestricted permissions in your Azure subscription or resources, allow only certain actions at a scope level.
• When planning your access control strategy, grant users the lowest privilege level that they need to do their work.

Question 47

What is a Resource Lock?

Answer 47

Resource Locks help you prevent accidental deletion or modification of your Azure resources. You can manage these locks from within the Azure portal. To view, add, or delete locks, go to the SETTINGS section of any resource’s settings blade.

Question 48

Whar are the two lock types?

Answer 48

• CanNotDelete means authorized admins can still read and modify a resource, but they can’t delete the resource.
• ReadOnly means authorized admins can read a resource, but they can’t delete or update the resource. Applying this lock is like restricting all authorized users to the permissions granted by the Reader role.

Question 49

What are Azure Blueprints?

Answer 49

Azure Blueprints enable cloud architects to define a repeatable set of Azure resources that implement and adhere to an organization’s standards, patterns, and requirements. Azure Blueprint enables development teams to rapidly build and deploy new environments with the knowledge that they’re building within organizational compliance with a set of built-in components that speed up development and delivery.

Azure Blueprint is a declarative way to orchestrate the deployment of various resource templates and other artifacts, such as:

• Role assignments
• Policy assignments
• Azure Resource Manager templates
• Resource groups

Question 50

What is the Azure Blueprint process?

Answer 50

The process of implementing Azure Blueprint consists of the following high-level steps:

1. Create an Azure Blueprint.
2. Assign the blueprint.
3. Track the blueprint assignments.

Question 51

What are some usage scenarios for Azure Blueprints?

Answer 51

• Adhering to security or compliance requirements, whether government or industry requirements, can be difficult and time-consuming. To help you with auditing, traceability, and compliance with your deployments, use Azure Blueprint artifacts and tools. Time-consuming paperwork is no longer needed, and your path to certification is expedited.
• Azure Blueprint are also useful in Azure DevOps scenarios, where blueprints are associated with specific build artifacts and release pipelines and can be tracked more rigorously.

Question 52

What are the main three aspects to consider in relation to creating and managing subscriptions?

Answer 52

• Billing: Reports can be generated by subscriptions, if you have multiple internal departments and need to do “chargeback”, a possible scenario is to create subscriptions by department or project.
• Access Control: A subscription is a deployment boundary for Azure resources and every subscription is associated with an Azure AD tenant that provides administrators the ability to set up role-based access control (RBAC). When designing a subscription model, one should consider the deployment boundary factor, some customers have separate subscriptions for Development and Production, each one is completely isolated from each other from a resource perspective and managed using RBAC.
• Subscription Limits: Subscriptions are also bound to some hard limitations. For example, the maximum number of Express Route circuits per subscription is 10. Those limits should be considered during the design phase, if there is a need to go over those limits in particular scenarios, then additional subscriptions may be needed. If you hit a hard limit, there is no flexibility.

Question 53

What are Tags?

Answer 53

Tags are metadata that you can apply to Azure resources to organize them. Each tag consists of a name and value pair.

Question 54

What are some limitations to tags?

Answer 54

• Not all resource types support tags.
• Each resource or resource group can have a finite amount of name/value pairs. If you need to apply more tags than the maximum allowed number, use a JSON string for the tag value. The JSON string can contain many values that are applied to a single tag name.
• The tag name is limited to 512 characters, and the tag value is limited to 256 characters. For storage accounts, the tag name is limited to 128 characters, and the tag value is limited to 256 characters.
• Virtual Machines and Virtual Machine Scale Sets are limited to a total of 2048 characters for all tag names and values.
• Tags applied to the resource group are not inherited by the resources in that resource group.

Question 55

What is Azure Monitor?

Answer 55

Azure Monitor maximizes the availability and performance of your applications by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments.

Question 56

What data does Azure Monitor collect?

Answer 56

Monitor collects data from each of the following tiers:

• Application monitoring data: Data about the performance and functionality of the code you have written, regardless of its platform.
• Guest OS monitoring data: Data about the operating system on which your application is running. This could be running in Azure, another cloud, or on-premises.
• Azure resource monitoring data: Data about the operation of an Azure resource.
• Azure subscription monitoring data: Data about the operation and management of an Azure subscription, as well as data about the health and operation of Azure itself.
• Azure tenant monitoring data: Data about the operation of tenant-level Azure services, such as Azure Active Directory.

Question 57

When does Azure Monitor start collecting data?

Answer 57

As soon as you create an Azure subscription and start adding resources such as virtual machines and web apps.

Question 58

What is Azure Service Health?

Answer 58

Azure Service Health is a suite of experiences that provide personalized guidance and support when issues with Azure services affect you. It can notify you, help you understand the impact of issues, and keep you updated as the issue is resolved. Azure Service Health can also help you prepare for planned maintenance and changes that could affect the availability of your resources.

Question 59

What is Azure Service Health comprised of?

Answer 59

• Azure Status provides a global view of the health state of Azure services. With Azure Status, you can get up-to-the-minute information on service availability. Everyone has access to Azure Status and can view all services that report their health state.
• Service Health provides you with a customizable dashboard that tracks the state of your Azure services in the regions where you use them. In this dashboard, you can track active events such as ongoing service issues, upcoming planned maintenance, or relevant Health advisories. When events become inactive, they are placed in your Health history for up to 90 days. Finally, you can use the Service Health dashboard to create and manage service Health alerts, which notify you whenever there are service issues that affect you.
• Resource Health helps you diagnose and obtain support when an Azure service issue affects your resources. It provides you details with about the current and past state of your resources. It also provides technical support to help you mitigate problems.

Question 60

What is a difference between Azure Status and Resource Health?

Answer 60

Azure Status informs you about service problems that affect a broad set of Azure customers and Resource Health gives you a personalized dashboard of your resources’ health. Resource Health shows you times, in the past, when your resources were unavailable because of Azure service problems.

Question 61

What are the four categories that Azure Monitor features can be