Module 3: Security, Privacy, Compliance and Trust Flashcards

1
Q

What is defense in depth?

A

Defense in depth is a strategy that employs a series of mechanisms to slow the advance of an attack aimed at acquiring unauthorized access to data.

2
Q

What is the objective of defense in depth?

A

The objective of defense in depth is to protect and prevent information from being stolen by individuals not authorized to access it.

3
Q

What is CIA?

A

Confidentiality, Integrity and Availability

4
Q

Describe Confidentiality.

A

The Principle of least privilege restricts access to information only to individuals explicitly granted access. This information includes protection of user passwords, remote access certificates, and email content.

5
Q

Describe Integrity.

A

The prevention of unauthorized changes to information at rest or in transit.

6
Q

Describe Availability (CIA).

A

Ensure services are available to authorized users. Denial of service attacks are a prevalent cause of loss of availability to users.

7
Q

Describe the layers of defense in depth.

A

Physical security is the first line of defense to protect computing hardware in the datacenter.

Identity & access controls access to infrastructure and change control.

Perimeter layer uses distributed denial-of-service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for end users.

Networking layer limits communication between resources through segmentation and access controls.

Compute layer secures access to virtual machines.

Application layer ensures applications are secure and free of vulnerabilities.

8
Q

What is Azure Firewall?

A

Azure Firewall is a managed, cloud-based, network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.

9
Q

What features does Azure Firewall include?

A

Azure Firewall provides many features, including:

  • Built-in high availability.
  • Unrestricted cloud scalability.
  • Inbound and outbound filtering rules.
  • Azure Monitor logging.
10
Q

What are some common usage scenarios for Azure Firewall?

A

You typically deploy Azure Firewall on a central virtual network to control general network access. With Azure Firewall you can configure:

  • Application rules that define fully qualified domain names (FQDNs) that can be accessed from a subnet.
  • Network rules that define source address, protocol, destination port, and destination address.
11
Q

What is Azure Application Gateway?

A

Azure Application Gateway also provides a firewall, called the Web Application Firewall (WAF). WAF provides centralized, inbound protection for your web applications against common exploits and vulnerabilities.

12
Q

What is a DDoS attack?

A

DDoS attacks attempt to overwhelm and exhaust an application’s resources, making the application slow or unresponsive to legitimate users. DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet. Thus, any resource exposed to the internet, such as a website, is potentially at risk from a DDoS attack.

13
Q

How does the Azure DDoS Protection service protect applications?

A

The Azure DDoS Protection service protects your Azure applications by scrubbing traffic at the Azure network edge before it can impact your service’s availability.

14
Q

Describe the basic tier of Azure DDoS Protection.

A

The Basic service tier is automatically enabled as part of the Azure platform. Always-on traffic monitoring and real-time mitigation of common network-level attacks provide the same defenses that Microsoft’s online services use. Azure’s global network is used to distribute and mitigate attack traffic across regions.

15
Q

Describe the Standard tier of Azure DDoS Protection.

A

The Standard service tier provides additional mitigation capabilities that are tuned specifically to Microsoft Azure Virtual Network resources. DDoS Protection Standard is simple to enable and requires no application changes. Protection policies are tuned through dedicated traffic monitoring and machine learning algorithms. Policies are applied to public IP addresses that are associated with resources deployed in virtual networks, such as Azure Load Balancer and Application Gateway.

16
Q

What types of attacks can DDoS Protection Standard mitigate?

A

Volumetric attacks. The attack’s goal is to flood the network layer with a substantial amount of seemingly legitimate traffic.

Protocol attacks. These attacks render a target inaccessible by exploiting a weakness in the layer 3 and layer 4 protocol stack.

Resource (application) layer attacks. These attacks target web application packets to disrupt the transmission of data between hosts.

17
Q

What are Network Security Groups (NSGs)?

A

Network Security Groups allow you to filter network traffic to and from Azure resources in an Azure virtual network. An NSG can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol.

18
Q

List the properties an NSG rule specifies.

A
  • Name
  • Priority
  • Source or Destination
  • Protocol
  • Direction
  • Port Range
  • Action
19
Q

What are Application Security Groups (ASGs)?

A

Application security groups enable you to configure network security as a natural extension of an application’s structure, allowing you to group virtual machines and define network security policies based on those groups.

20
Q

Describe the Perimeter Layer Azure security solution.

A

The network perimeter layer is about protecting organizations from network-based attacks against your resources. Identifying these attacks, alerting, and eliminating their impact is important to keep your network secure. To do this:

  • Use Azure DDoS Protection to filter large-scale attacks before they can cause a denial of service for end users.
  • Use perimeter firewalls with Azure Firewall to identify and alert on malicious attacks against your network.
21
Q

Describe the Networking Layer Azure security solution.

A

At this layer, the focus is on limiting network connectivity across all your resources to only allow what is required. Segment your resources and use network-level controls to restrict communication to only what is needed. By restricting connectivity, you reduce the risk of lateral movement throughout your network from an attack. Use NSGs to create rules about inbound and outbound communication at this layer. As best practices:

  • Limit communication between resources through segmenting your network and configuring access controls.
  • Deny by default.
  • Restrict inbound internet access and limit outbound where appropriate.
  • Implement secure connectivity to on-premises networks.
22
Q

Describe the Combining services Azure security solution.

A

You can also combine multiple Azure networking and security services to manage your network security and provide increased layered protection. The following are examples of combined services:

  • Network security groups and Azure Firewall. Azure Firewall complements network security group functionality. Together, they provide better defense-in-depth network security. Network security groups provide distributed network layer traffic filtering to limit traffic to resources within virtual networks in each subscription. Azure Firewall is a fully stateful, centralized network firewall-as-a-service, which provides network and application-level protection across different subscriptions and virtual networks.
  • Application Gateway WAF and Azure Firewall. WAF is a feature of Application Gateway that provides your web applications with centralized, inbound protection against common exploits and vulnerabilities. Azure Firewall provides inbound protection for non-HTTP/S protocols (for example, RDP, SSH, FTP), outbound network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S. Combining both provides additional layers of protection.
23
Q

What are the two fundamental concepts when talking about identity and access?

A
  • Authentication. Authentication is the process of establishing the identity of a person or service looking to access a resource. It involves the act of challenging a party for legitimate credentials and provides the basis for creating a security principal for identity and access control use. It establishes if they are who they say they are.
  • Authorization. Authorization is the process of establishing what level of access an authenticated person or service has. It specifies what data they’re allowed to access and what they can do with it.
24
Q

What is Azure Active Directory (Azure AD)?

A

Azure Active Directory is a Microsoft cloud-based identity and access management service. Azure AD helps employees of an organization sign in and access resources:

  • External resources might include Microsoft Office 365, the Azure portal, and thousands of other software as a service (SaaS) applications.
  • Internal resources might include apps on your corporate network and intranet, along with any cloud apps developed by your own organization.
25
Q

What services does Azure AD provide?

A

Authentication. This includes verifying identity to access applications and resources, and providing functionality such as self-service password reset, multi-factor authentication (MFA), a custom banned password list, and smart lockout services.

Single-Sign-On (SSO). SSO enables users to remember only one ID and one password to access multiple applications. A single identity is tied to a user, simplifying the security model. As users change roles or leave an organization, access modifications are tied to that identity, greatly reducing the effort needed to change or disable accounts.

Application management. You can manage your cloud and on-premises apps using Azure AD Application Proxy, SSO, the My apps portal (also referred to as Access panel), and SaaS apps.

Business-to-business (B2B) identity services. Manage your guest users and external partners while maintaining control over your own corporate data.

Business-to-Customer (B2C) identity services. Customize and control how users sign up, sign in, and manage their profiles when using your apps with services.

Device Management. Manage how your cloud or on-premises devices access your corporate data.

26
Q

What is Azure AD intended for?

A
  • IT administrators. Administrators can use Azure AD to control access to apps and their resources, based on your business requirements.
  • App developers. Developers can use Azure AD to provide a standards-based approach for adding functionality to applications that you build, such as adding Single-Sign-On functionality to an app, or allowing an app to work with a user’s pre-existing credentials and other functionality.
  • Microsoft 365, Microsoft Office 365, Azure, or Microsoft Dynamics CRM Online subscribers. These subscribers are already using Azure AD. Each Microsoft 365, Office 365, Azure, and Dynamics CRM Online tenant is automatically an Azure AD tenant. You can immediately start to manage access to your integrated cloud apps using Azure AD.
27
Q

What is Azure Multi-Factor Authentication (MFA)?

A

Azure Multi-Factor Authentication provides additional security for your identities by requiring two or more elements for full authentication. These elements fall into three categories:

  1. Something you know could be a password or the answer to a security question.
  2. Something you possess might be a mobile app that receives a notification, or a token-generating device.
  3. Something you are is typically some sort of biometric property, such as a fingerprint or face scan used on many mobile devices.
28
Q

Which Azure services include MFA?

A
  • Azure Active Directory Premium licenses. These licenses provide full-featured use of Azure Multi-Factor Authentication Service (cloud) or Azure Multi-Factor Authentication Server (on-premises).
  • Multi-Factor Authentication for Office 365. A subset of Azure Multi-Factor Authentication capabilities is available as a part of your Office 365 subscription.
  • Azure Active Directory global administrators. Because global administrator accounts are highly sensitive, a subset of Azure Multi-Factor Authentication capabilities is available to protect these accounts.
29
Q

What is the Azure Security Center?

A

Azure Security Center is a monitoring service that provides threat protection across all of your services both in Azure, and on-premises. Security Center can:

  • Provide security recommendations based on your configurations, resources, and networks.
  • Monitor security settings across on-premises and cloud workloads, and automatically apply required security to new services as they come online.
  • Continuously monitor all your services and perform automatic security assessments to identify potential vulnerabilities before they can be exploited.
  • Use machine learning to detect and block malware from being installed on your virtual machines and services. You can also define a list of allowed applications to ensure that only the apps you validate can execute.
  • Analyze and identify potential inbound attacks and help to investigate threats and any post-breach activity that might have occurred.
  • Provide just-in-time access control for ports, reducing your attack surface by ensuring the network only allows traffic that you require.
30
Q

Describe the Azure Security Center Free tier.

A

Available as part of your Azure subscription, this tier is limited to assessments and recommendations of Azure resources only.

31
Q

Describe the Azure Security Center Standard tier.

A

This tier provides a full suite of security-related services including continuous monitoring, threat detection, just-in-time access control for ports, and more.

32
Q

Describe how to use Azure Security Center for an incident response.

A

You can use Security Center during the detect, assess, and diagnose stages. Here are examples of how Security Center can be useful during the three initial incident response stages:

  • Detect. Review the first indication of an event investigation. For example, use the Security Center dashboard to review the initial verification that a high-priority security alert was raised.
  • Assess. Perform the initial assessment to obtain more information about the suspicious activity. For example, obtain more information about the security alert.
  • Diagnose. Conduct a technical investigation and identify containment, mitigation, and workaround strategies. For example, follow the remediation steps described by Security Center in that particular security alert.
33
Q

Describe how to use Azure Security Center to enhance security.

A

You can reduce the chances of a significant security event by configuring a security policy, and then implementing the recommendations provided by Azure Security Center.

A security policy defines the set of controls that are recommended for resources within that specified subscription or resource group. In Security Center, you define policies according to your company’s security requirements.

Security Center analyzes the security state of your Azure resources. When Security Center identifies potential security vulnerabilities, it creates recommendations based on the controls set in the security policy. The recommendations guide you through the process of configuring the needed security controls.

34
Q

What is Azure Key Vault?

A

Azure Key Vault is a centralized cloud service for storing your applications’ secrets. Key Vault helps you control your applications’ secrets by keeping them in a single, central location and by providing secure access, permissions control, and access logging capabilities.

35
Q

What are some usage scenarios for Azure Key Vault?

A
  • Secrets management. You can use Key Vault to securely store and tightly control access to tokens, passwords, certificates, Application Programming Interface (API) keys, and other secrets.
  • Key management. You also can use Key Vault as a key management solution. Key Vault makes it easier to create and control the encryption keys used to encrypt your data.
  • Certificate management. Key Vault lets you provision, manage, and deploy your public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for your Azure, and internally connected, resources more easily.
  • Store secrets backed by hardware security modules (HSMs). The secrets and keys can be protected either by software, or by FIPS 140-2 Level 2 validated HSMs.
36
Q

What are the benefits in using Azure Key Vault?

A
  • Centralized application secrets. Centralizing storage for application secrets allows you to control their distribution and reduces the chances that secrets may be accidentally leaked.
  • Securely stored secrets and keys. Azure uses industry-standard algorithms, key lengths, and HSMs, and access requires proper authentication and authorization.
  • Monitor access and use. Using Key Vault, you can monitor and control access to company secrets.
  • Simplified administration of application secrets. Key Vault makes it easier to enroll and renew certificates from public Certificate Authorities (CAs). You can also scale up and replicate content within regions and use standard certificate management tools.
  • Integrate with other Azure services. You can integrate Key Vault with storage accounts, container registries, event hubs and many more Azure services.
37
Q

What is Azure Information Protection (AIP)?

A

Azure Information Protection is a cloud-based solution that helps organizations classify and (optionally) protect their documents and emails by applying labels. Labels can be applied automatically (by administrators who define rules and conditions), manually (by users), or with a combination of both (where users are guided by recommendations).

38
Q

What is Azure Advanced Threat Protection (ATP)?

A

Azure Advanced Threat Protection is a cloud-based security solution that identifies, detects, and helps you investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Azure ATP is capable of detecting known malicious attacks and techniques, security issues, and risks against your network.

39
Q

What are the Azure ATP components?

A
  • Azure ATP portal. Azure ATP has its own portal, through which you can monitor and respond to suspicious activity. The Azure ATP portal allows you to create your Azure ATP instance, and view the data received from Azure ATP sensors. You can also use the portal to monitor, manage, and investigate threats in your network environment.
  • Azure ATP sensor. Azure ATP sensors are installed directly on your domain controllers. The sensor monitors domain controller traffic without requiring a dedicated server or configuring port mirroring.
  • Azure ATP cloud service. Azure ATP cloud service runs on Azure infrastructure and is currently deployed in the United States, Europe, and Asia. Azure ATP cloud service is connected to Microsoft’s intelligent security graph.
40
Q

What is the Azure Policy service?

A

Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service-level agreements (SLAs).

41
Q

What are the three steps to creating and implementing an Azure policy?

A
  1. Create a policy definition
  2. Assign the definition to resources.
  3. Review the evaluation results.
42
Q

What are some examples of policy definitions?

A
  • Allowed Storage Account SKUs. This policy definition has a set of conditions/rules that determine whether a storage account that is being deployed is within a set of SKU sizes. Its effect is to deny all storage accounts that do not adhere to the set of defined SKU sizes.
  • Allowed Resource Type. This policy definition has a set of conditions/rules to specify the resource types that your organization can deploy. Its effect is to deny all resources that are not part of this defined list.
  • Allowed Locations. This policy enables you to restrict the locations that your organization can specify when deploying resources. Its effect is used to enforce your geographic compliance requirements.
  • Allowed Virtual Machine SKUs. This policy enables you to specify a set of VM SKUs that your organization can deploy.
43
Q

What is an initiative definition?

A

An initiative definition is a set of policy definitions to help track your compliance state for a larger goal. Initiative assignments reduce the need to make several initiative definitions for each scope.

44
Q

What is Role-Based Access Control (RBAC)?

A

Role-based access control provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs. RBAC is provided at no additional cost to all Azure subscribers.

45
Q

What are some usage scenarios for RBAC?

A
  • Allow one user to manage VMs in a subscription, and another user to manage virtual networks.
  • Allow a database administrator (DBA) group to manage SQL databases in a subscription.
  • Allow a user to manage all resources in a resource group, such as VMs, websites, and subnets.
  • Allow an application to access all resources in a resource group.
46
Q

Describe the RBAC best practices.

A
  • Using RBAC, segregate duties within your team and grant only the amount of access to users that they need to perform their jobs. Instead of giving everybody unrestricted permissions in your Azure subscription or resources, allow only certain actions at a scope level.
  • When planning your access control strategy, grant users the lowest privilege level that they need to do their work.
47
Q

What is a Resource Lock?

A

Resource Locks help you prevent accidental deletion or modification of your Azure resources. You can manage these locks from within the Azure portal. To view, add, or delete locks, go to the SETTINGS section of any resource’s settings blade.

48
Q

What are the two lock types?

A
  • CanNotDelete means authorized admins can still read and modify a resource, but they can’t delete the resource.
  • ReadOnly means authorized admins can read a resource, but they can’t delete or update the resource. Applying this lock is like restricting all authorized users to the permissions granted by the Reader role.
49
Q

What are Azure Blueprints?

A

Azure Blueprints enable cloud architects to define a repeatable set of Azure resources that implement and adhere to an organization’s standards, patterns, and requirements. Azure Blueprint enables development teams to rapidly build and deploy new environments with the knowledge that they’re building within organizational compliance with a set of built-in components that speed up development and delivery.

Azure Blueprint is a declarative way to orchestrate the deployment of various resource templates and other artifacts, such as:

  • Role assignments
  • Policy assignments
  • Azure Resource Manager templates
  • Resource groups
50
Q

What is the Azure Blueprint process?

A

The process of implementing Azure Blueprint consists of the following high-level steps:

  1. Create an Azure Blueprint.
  2. Assign the blueprint.
  3. Track the blueprint assignments.
51
Q

What are some usage scenarios for Azure Blueprints?

A
  • Adhering to security or compliance requirements, whether government or industry requirements, can be difficult and time-consuming. To help you with auditing, traceability, and compliance with your deployments, use Azure Blueprint artifacts and tools. Time-consuming paperwork is no longer needed, and your path to certification is expedited.
  • Azure Blueprints are also useful in Azure DevOps scenarios, where blueprints are associated with specific build artifacts and release pipelines and can be tracked more rigorously.
52
Q

What are the main three aspects to consider in relation to creating and managing subscriptions?

A
  • Billing: Reports can be generated by subscription. If you have multiple internal departments and need to do “chargeback”, a possible scenario is to create subscriptions by department or project.
  • Access Control: A subscription is a deployment boundary for Azure resources, and every subscription is associated with an Azure AD tenant that gives administrators the ability to set up role-based access control (RBAC). When designing a subscription model, consider the deployment boundary factor: some customers have separate subscriptions for Development and Production, each completely isolated from the other from a resource perspective and managed using RBAC.
  • Subscription Limits: Subscriptions are also bound by some hard limits. For example, the maximum number of ExpressRoute circuits per subscription is 10. Those limits should be considered during the design phase; if there is a need to exceed them in particular scenarios, additional subscriptions may be needed. If you hit a hard limit, there is no flexibility.
53
Q

What are Tags?

A

Tags are metadata that you can apply to Azure resources to organize them. Each tag consists of a name and value pair.

54
Q

What are some limitations to tags?

A
  • Not all resource types support tags.
  • Each resource or resource group can have a finite amount of name/value pairs. If you need to apply more tags than the maximum allowed number, use a JSON string for the tag value. The JSON string can contain many values that are applied to a single tag name.
  • The tag name is limited to 512 characters, and the tag value is limited to 256 characters. For storage accounts, the tag name is limited to 128 characters, and the tag value is limited to 256 characters.
  • Virtual Machines and Virtual Machine Scale Sets are limited to a total of 2048 characters for all tag names and values.
  • Tags applied to the resource group are not inherited by the resources in that resource group.
55
Q

What is Azure Monitor?

A

Azure Monitor maximizes the availability and performance of your applications by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments.

56
Q

What data does Azure Monitor collect?

A

Monitor collects data from each of the following tiers:

  • Application monitoring data: Data about the performance and functionality of the code you have written, regardless of its platform.
  • Guest OS monitoring data: Data about the operating system on which your application is running. This could be running in Azure, another cloud, or on-premises.
  • Azure resource monitoring data: Data about the operation of an Azure resource.
  • Azure subscription monitoring data: Data about the operation and management of an Azure subscription, as well as data about the health and operation of Azure itself.
  • Azure tenant monitoring data: Data about the operation of tenant-level Azure services, such as Azure Active Directory.
57
Q

When does Azure Monitor start collecting data?

A

As soon as you create an Azure subscription and start adding resources such as virtual machines and web apps.

58
Q

What is Azure Service Health?

A

Azure Service Health is a suite of experiences that provide personalized guidance and support when issues with Azure services affect you. It can notify you, help you understand the impact of issues, and keep you updated as the issue is resolved. Azure Service Health can also help you prepare for planned maintenance and changes that could affect the availability of your resources.

59
Q

What is Azure Service Health comprised of?

A
  • Azure Status provides a global view of the health state of Azure services. With Azure Status, you can get up-to-the-minute information on service availability. Everyone has access to Azure Status and can view all services that report their health state.
  • Service Health provides you with a customizable dashboard that tracks the state of your Azure services in the regions where you use them. In this dashboard, you can track active events such as ongoing service issues, upcoming planned maintenance, or relevant Health advisories. When events become inactive, they are placed in your Health history for up to 90 days. Finally, you can use the Service Health dashboard to create and manage service Health alerts, which notify you whenever there are service issues that affect you.
  • Resource Health helps you diagnose and obtain support when an Azure service issue affects your resources. It provides you with details about the current and past state of your resources. It also provides technical support to help you mitigate problems.
60
Q

What is a difference between Azure Status and Resource Health?

A

Azure Status informs you about service problems that affect a broad set of Azure customers, while Resource Health gives you a personalized dashboard of your resources’ health. Resource Health shows you times in the past when your resources were unavailable because of Azure service problems.

61
Q

What are the four categories that Azure Monitor features can be

A