Security Flashcards
Azure Active Directory
Microsoft's identity and access management service, which helps employees sign in and access resources.
RBAC controls access to resources, e.g. O365, SaaS, Azure portal, apps in the internal network, workstations.
There are also Azure AD roles, the highest of which is Global Administrator.
Uses single sign-on (SSO).
B2B (invite guest users from other orgs; can then give them RBAC) and B2C (selling an app; allows users to log in with Facebook etc.)
Can transfer subscriptions to a new AAD (tenant)
Hybrid identity (sign in to local machine on prem. These credentials are extended out to cloud) - offered by product called Azure AD connect (free)
4 tiers of Azure Active Directory
- Free - MFA, SSO, basic security and usage reports, self-service password change, user and group management.
- Office 365 apps: company branding, SLA, two-way sync between on-prem and cloud
- Premium 1: Hybrid architecture, Advanced Group Access, Conditional Access
- Premium 2: Identity protection, Identity Governance
Multi Factor Authentication
Additional security. Use a second device to confirm it's you logging in.
MFA Server is needed for authentication when supporting users located in on-prem AD only.
Azure Security Center
Unified infrastructure security management system
Strengthens security posture of data centers
Azure Key vault
Centralized cloud service for storing application secrets.
Can store tokens, passwords, API keys and others.
Benefits:
- Centralized store: reduces chances of being leaked.
- Strong storage with Azure.
- Monitor access and use of secrets.
- Easy integration with other apps.
Hardware security modules (HSM)
Piece of hardware where keys are stored.
Keys are held in memory (not written to disk), therefore if it shuts down, the keys are gone.
Can have multiple tenants storing keys on one module (FIPS 140-2).
A single tenant on one device is more secure (FIPS 140-3).
Azure DDOS Protection
What is DDOS
What is included by default
What are the tiers of coverage offered (2)
Distributed Denial of Service attack - flooding a website with requests.
Azure has this protection built in by default.
Two tiers (Basic and Standard).
Standard starts at 3000 USD per month.
Guaranteed SLAs and expert support.
Azure Firewall
Cloud based network security service.
Restricts access to a server based on the originating IP address (can supply a range).
Acts as the entrance for all traffic to a VNet.
Enforces policies across subscriptions and VNets.
Uses a static public IP address for the VNet.
High availability built in - no additional load balancers required.
Can have additional VNet spokes; the firewall decides how traffic is distributed.
Azure Information Protection (AIP)
Protects sensitive info such as emails and docs with encryption.
Integrated in Office apps - enables the user to select Public, Internal, Confidential, Secret, Personal etc. in Microsoft Word.
Azure Application Gateway
Web traffic load balancer.
Includes a web application firewall (WAF).
Re-routes traffic to other places based on a set of rules.
Intrusion Detection (Protection) System (IDS / IPS)
Software that monitors a network or system for malicious activity or policy violations.
Azure Advanced Threat Protection (ATP)
Identifies, detects, and helps you investigate threats and malicious actions.
Contains several components and has its own portal (portal.atp.azure.com).
Azure ATP is part of Enterprise Mobility Suite E5 and also has a standalone license.
Security Development Lifecycle (SDL)
Industry-leading software assurance process.
Embeds security and privacy in software.
Builds them in throughout the development of a product.
Detailed Process:
Training - make sure developers build security into apps and services.
Define security requirements - start planning this early in product development.
Define metrics and compliance reporting - define the minimum acceptable level of security and hold teams accountable to it. Use KPIs to track.
Perform threat modelling - "what if" scenarios.
Encryption - use it, but leave the details to the experts.
Be careful with 3rd-party components.
Use approved tools.
Create a standard incident response.
Role based access control (RBAC)
3 steps to set up
Controls who can do what with resources. E.g. IT can manage settings, devs have read-only, admin can do everything.
Steps to apply: Who, Rule, Scope
- Security Principal (who, e.g. User, Group, Service Principal for services requiring access, Managed Identity)
- Role Definition (collection of permissions: Read, Write, Delete). Can be high level (Owner) or specific (VM Reader).
- Scope (set of resources the role gets access to). Can be set at various levels (Management Group, Subscription, Resource Group or Resource).
Resource locks
Can lock a Subscription, RG or Resource to prevent accidental modification or deletion.
Delete - can't delete
ReadOnly - can't delete or update