Module 4ba - Security and Network Security - Defense in Depth, Security Posture Flashcards
What is The Principle of Least Privilege?
Restricting access to information to ONLY those individuals who have been explicitly granted access, and ONLY at the minimum level they need to perform their work
What’s one of the most common approaches in ensuring Integrity for in-transit data?
Hashing. Use a one-way hash algorithm to create a unique hash of the data being transferred. Send the hash separately from the data to the receiver. The receiver recalculates the hash with the same algorithm over the received data. If the resulting hash matches the sent hash, the data wasn’t tampered with in transit
Hint: there’s a service dedicated
What’s a common attack that compromises Availability?
Denial-Of-Service Attacks (DoS). Meant to degrade the availability of a system
What is Defense in Depth?
A strategy where each outer layer protects the innermost layers, the last one being Data. Microsoft offers several protection services at EACH layer
Hint: PS, IA, P, N, C, A, D
What are the seven (7) layers that comprise Defense in Depth (i.e. Dante’s Inferno 🔥)?
- Physical Security Layer
- Identity & Access Layer
- Perimeter Layer
- Network Layer
- Compute Layer
- Application Layer
- Data Layer
Describe how to secure the Physical Security Layer
Physically securing the data center buildings: guarded gates around the data center, armed guards, etc.
Also keycard access and authorized access by individuals into the data center. Most MS employees never actually get to see or get into a data center.
Describe how to secure the Identity & Access Layer
Basically all permissions and access control
- Controls access to infrastructure and change control
- Enforces SSO
- Auditing of events and other changes
Describe how to secure the Perimeter Layer
Refers to the NETWORK perimeter; protecting from network-based attacks.
Focus on protecting your org’s Resources from network-based attacks. Identify, alert and eliminate impact
- Azure DDoS Protection for filtering large-scale attacks
- Azure Firewall to identify and alert on malicious attacks against your network
Describe how to secure the Network Layer
Restricting your network connectivity to required communication only. Reduces chance of an attack spreading throughout the entire network infrastructure, thus reducing potential attack vectors
- Define NSG inbound/outbound rules
- Limit communication between Resources to “as-needed”
- “Deny” access by default
- Restrict inbound and limit outbound access appropriately
- Secure connectivity and communication with On-Prem networks
Describe how to secure the Compute Layer
Ensuring that your COMPUTE RESOURCES are not just secure, but also UP TO DATE, and that proper controls are in place:
- Securing access to VMs
- Endpoint protection on devices
- Keep systems patched and current (security patches, hotfixes, general updates, etc.)
Describe how to secure the Application Layer
Integrating security into the app development lifecycle to reduce potential attack vectors
- Ensure apps are secure/free of vulnerabilities
- Store secrets in a secure form (key vault)
- Security should be a design requirement
Describe how to secure the Data Layer
Almost all attackers are after DATA. Securing data is the responsibility of those who store and control access to it. Regulatory requirements dictate what controls/processes are put in place to secure “confidentiality, integrity and availability” - aka Security Posture
Common targets of data attacks:
- DBs (most obvious)
- VM disks (since scaling requires virtualization)
- SaaS apps (like hacking into Salesforce customer data)
- Cloud storage (how hackers got into iCloud for celebrity pictures)
Hint: C I A
What are the three (3) principles of Security Posture?
Confidentiality - protecting secrets, private content, access levels to applications and underlying infrastructure. Principle of Least Privilege
(Data) Integrity - Preventing unauthorized changes to information at rest (stored data) and in-transit (transferred from one place to another)
Availability - Ensure services and apps are functioning and can only be accessed by authorized parties
What are two (2) combinations of Azure networking and security services?
Combo 1: NSGs + Azure Firewall
- Protect Resources INSIDE the AVN with NSGs - NSGs provide distributed network-layer traffic filtering, limiting traffic to Resources within the AVN
- Protect the AVN OUTSIDE using Azure Firewall. It provides inbound protection for non-HTTPS protocols (RDP, SSH, FTP etc.) and outbound network-level protection for all ports and protocols
Basically, Azure Firewall complements NSGs for defense-in-depth network security
Combo 2: Azure Application Gateways (w/ WAFs) + Azure Firewall
- WAF comes with App Gateway, providing centralized INBOUND protection against common exploits, and app-level protection for OUTBOUND HTTP/HTTPS
- Protect the AVN OUTSIDE using Azure Firewall. It provides inbound protection for non-HTTPS protocols (RDP, SSH, FTP etc.) and outbound network-level protection for all ports and protocols