Security Flashcards
Azure Active Directory
Microsoft's identity and access management service, which helps employees sign in and access resources.
RBAC controls access to resources, e.g. O365, SaaS, Azure portal, apps in the internal network, workstations.
There are also Azure AD roles, of which the highest is Global Administrator.
Uses single sign-on (SSO).
B2B (invite guest users from other orgs; they can then be given RBAC) and B2C (selling an app; allows users to log in with Facebook etc.)
Can transfer subscriptions to a new AAD (tenant).
Hybrid identity (sign in to a local machine on prem; these credentials are extended out to the cloud) - offered by a product called Azure AD Connect (free)
4 tiers of Azure Active Directory
- Free - MFA, SSO, basic security and usage reports, self-service password change, user and group management.
- Office 365 apps: Company branding, SLA, two-way sync between on prem and cloud
- Premium 1: Hybrid architecture, Advanced Group Access, Conditional Access
- Premium 2: Identity protection, Identity Governance
Multi Factor Authentication
Additional security. Use second device to confirm it’s you logging in.
MFA Server needed for authentication when supporting users located on on-prem AD only.
Azure Security Center
Unified infrastructure security management system
Strengthens security posture of data centers
Azure Key vault
Centralized cloud service for storing application secrets.
Can store tokens, passwords, API keys and others.
Benefits:
- Centralized store: reduces chances of being leaked.
- Strong storage with Azure.
- Monitor access and use of secrets.
- Easy integration with other apps.
Hardware security modules (HSM)
Piece of hardware where keys are stored.
Keys are held in memory (not written to disk), therefore if it shuts down, the keys are gone.
Can have multiple tenants storing keys on one module (FIPS 140-2)
More secure is a single tenant on one device (FIPS 140-3)
Azure DDOS Protection
What is DDOS?
What is included by default?
What are the tiers of coverage offered (2)?
Distributed Denial of Service attack - flooding a website with requests.
Azure has this security built in by default.
Two tiers (Basic and Standard)
Standard starts at 3000 USD per month.
Guaranteed SLAs and expert support.
Azure Firewall
Cloud based network security service.
Restricts access to a server based on originating IP address (can supply a range)
Acts as the entrance for all traffic to the vNet.
Enforces policies across subscriptions and vNets.
Uses a static public IP address for the vNet
High availability built in - no additional load balancers required.
Can have additional vNet spokes; the firewall chooses how traffic is distributed.
Azure Information Protection (AIP)
Protects sensitive info such as emails, docs with encryption.
Integrated in Office apps - enables the user to select Public, Internal, Confidential, Secret, Personal etc. in Microsoft Word
Azure Application Gateway
Web traffic load balancer.
Includes web application firewall
Re-routes traffic to other places based on set of rules.
Intrusion Detection (Protection) System (IDS / IPS)
Software that monitors network or system for malicious activity/ policy violations.
Azure Advanced Threat Protection (ATP)
Identifies, detects, and helps you investigate threats and malicious actions.
Contains several components and has its own portal (portal.atp.azure.com)
Azure ATP is part of Enterprise Mobility Suite E5 and has standalone license.
Security Development Lifecycle (SDL)
Industry leading software assurance process.
Embedding security and privacy in software.
Building it throughout the development of a product.
Detailed Process:
Training - make sure developers build security into apps and services.
Define Security Requirements - Start planning this early in product dev.
Define Metrics and Compliance reporting - define minimum acceptable level of security and hold teams accountable to this. Use KPIs to track.
Perform threat modelling - what if scenarios.
Encryption - use it, but leave the implementation to the experts
Be careful with 3rd party components
Use approved tools
Create standard incident response.
Role based access control (RBAC)
3 steps to set up
Controls who can do what with resources. E.g. IT can manage settings, devs have read-only, admin can do everything.
Steps to apply: Who, Role, Scope
- Security Principal (who, e.g. User, Group, Service Principal for services requiring access, Managed Identity)
- Role Definition (collection of permissions: Read, Write, Delete). Can be high level (Owner) or specific (VM Reader).
- Scope (set of resources that the role gets access to). Can be set at various levels (Management Group, Subscription, Resource Group or Resource)
Resource locks
Can lock Subscription, RG or Resource to prevent accidental modification or deletion.
Delete - can’t delete
ReadOnly - can’t delete or update
Management Groups
Organise multiple subscriptions (accounts) into a hierarchical structure.
All subscriptions automatically roll up into the Root.
Encryption
What is it, two types, two methods?
Last line of security in securing data - this is the process of making data unreadable.
Can have encryption at rest (where data is saved) or in transit (when it is being transferred)
Symmetric
- uses the same key to encrypt and decrypt
vs
Asymmetric
- uses a public key and private key pair.
- either key can encrypt, but the same key can't decrypt what it encrypted; the other key of the pair is needed.
Transport Layer Security (TLS)
Basis for encrypting website data in transit.
Uses certificates to encrypt/decrypt.
Network Security Groups (NSG)
Control communication between resources to minimise interaction and make them more secure (based on IP addresses).
Application Security Groups (ASG)
Allow us to define fine-grained security policies based on applications rather than explicit IP addresses.
E.g. group VMs and base security on these groups.
Part of Network Security Groups
User Defined Routes (UDR)
In subnets, Azure always creates system routes defining how traffic will flow. User Defined Routes allow you to override this.
4 RBAC roles built into Azure by Default
Owner - Full access, including the right to delegate access to others.
Contributor - Can create and manage, but can’t grant access to others
Reader - Can view resources
User Access Admin - Can ONLY grant access (can’t read or edit)