Security, Privacy, Compliance, and Trust Flashcards
Describe “network security groups (NSG)”
Filters traffic inbound to and outbound from Azure resources located in an Azure Virtual Network
Associated with subnets and/or network interfaces (NICs)
Filtering by rules; an NSG can hold multiple inbound and outbound rules
Rules specify: source/destination (IP, CIDR, service tag or ASG), protocol, port range, direction, priority, and action (Allow/Deny)
Rules are evaluated in priority order (lower number first); the first match wins
Default rules (priority 65000+) allow traffic within the VNet and from the Azure load balancer and deny all other inbound traffic
Describe “application security groups (ASG)”
Feature that allows grouping of virtual machines (their NICs) located in an Azure virtual network
NSG rules can reference an ASG as source or destination instead of explicit IP addresses
Designed to reduce the maintenance effort: adding or removing a VM from the group does not require rule changes
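To see how the two cards above fit together (priority order, first match wins, ASG references, and the platform default rules), here is an added example that models NSG rule evaluation. It is illustrative code written for this page, not Azure's implementation: the VNet address space, the ASG membership map and the custom rules are constructed sample data, and the "Internet" service tag is simplified to "any address outside the VNet".

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample environment (not exported from any real subscription).
VNET = ip_network("10.0.0.0/16")            # the VNet's address space
ASG_MEMBERS = {                             # ASG name -> private IPs of member NICs
    "asg-web": {"10.0.1.4", "10.0.1.5"},
    "asg-db": {"10.0.2.4"},
}

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int       # lower number is evaluated first; custom rules use 100-4096
    direction: str      # "Inbound" | "Outbound"
    access: str         # "Allow" | "Deny"
    protocol: str       # "Tcp" | "Udp" | "Icmp" | "*"
    source: str         # CIDR, service tag, ASG name or "*"
    destination: str
    dest_ports: object  # frozenset of ints, or "*"

def _addr_matches(selector: str, addr: str) -> bool:
    ip = ip_address(addr)
    if selector == "*":
        return True
    if selector == "VirtualNetwork":      # service tag: the VNet address space
        return ip in VNET
    if selector == "Internet":            # simplification: anything outside the VNet
        return ip not in VNET
    if selector == "AzureLoadBalancer":   # service tag: the platform health-probe source
        return addr == "168.63.129.16"
    if selector in ASG_MEMBERS:           # ASG: match on group membership, not on a CIDR
        return addr in ASG_MEMBERS[selector]
    return ip in ip_network(selector, strict=False)

def _matches(rule: Rule, direction, src, dst, proto, port) -> bool:
    return (rule.direction == direction
            and rule.protocol in ("*", proto)
            and _addr_matches(rule.source, src)
            and _addr_matches(rule.destination, dst)
            and (rule.dest_ports == "*" or port in rule.dest_ports))

# The default rules Azure adds to every NSG; they cannot be removed, only overridden.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]

def evaluate(custom_rules, direction, src, dst, proto, port):
    """Return (access, rule_name): first matching rule in priority order wins."""
    for rule in sorted(custom_rules + DEFAULT_RULES, key=lambda r: r.priority):
        if _matches(rule, direction, src, dst, proto, port):
            return rule.access, rule.name
    raise AssertionError("unreachable: a DenyAll default rule always matches")

# Constructed custom rules for a two-tier app (web tier and database tier).
CUSTOM_RULES = [
    Rule("allow-https-in", 100, "Inbound", "Allow", "Tcp", "*", "asg-web", frozenset({443})),
    Rule("allow-sql-from-web", 200, "Inbound", "Allow", "Tcp", "asg-web", "asg-db", frozenset({1433})),
    # An explicit Deny at priority 300 beats the platform's AllowVnetInBound at 65000,
    # so nothing in the VNet except the web tier can reach the database tier.
    Rule("deny-vnet-to-db", 300, "Inbound", "Deny", "*", "VirtualNetwork", "asg-db", "*"),
]

if __name__ == "__main__":
    for flow in [("203.0.113.7", "10.0.1.4", "Tcp", 443),
                 ("203.0.113.7", "10.0.1.4", "Tcp", 22),
                 ("10.0.1.4", "10.0.2.4", "Tcp", 1433),
                 ("10.0.3.9", "10.0.2.4", "Tcp", 1433),
                 ("10.0.3.9", "10.0.1.4", "Tcp", 22)]:
        print(flow, "->", evaluate(CUSTOM_RULES, "Inbound", *flow))
```

The point to take from the fourth flow is that the default AllowVnetInBound rule makes every VM in the VNet reachable from every other VM unless you add a higher-priority Deny; a real NSG review should check for that rule being relied on implicitly.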
Describe “User-defined Routes (UDR)”
Custom routes
Designed to override Azure's default (system) routes or add new routes, e.g. sending 0.0.0.0/0 to a firewall's private IP
Managed via the Azure Route Table resource
Associated with zero or more Virtual Network subnets
Route selection is longest prefix match; when prefixes are equal, a UDR takes precedence over a BGP route, which takes precedence over a system route
Describe “Azure Firewall”
PaaS: managed, cloud-based firewall service
Built-in high availability
Highly scalable
Inbound and outbound filtering rules (network rules and application rules)
Support for fully qualified domain name (FQDN) filtering
Integrated with Azure Monitor for logging and analytics
Denies traffic by default; only explicitly allowed traffic passes
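The UDR card and the Azure Firewall card meet in the standard "force tunnel" pattern: a route table on the workload subnet sends 0.0.0.0/0 to the firewall's private IP so that the default system route to the Internet is overridden. The following added example (written for this page, not Azure's routing code) models how a route is selected: longest prefix first, and among equal prefixes a user route beats a BGP route beats a system route. The VNet prefix, the firewall IP 10.0.100.4 and the blackholed 10.0.5.0/24 prefix are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str     # "VirtualNetwork", "Internet", "VirtualAppliance", "None", ...
    source: str            # "Default" = system route, "User" = UDR, "VirtualNetworkGateway" = BGP
    next_hop_ip: str = ""  # only meaningful for VirtualAppliance

# Tie-break among routes with the same prefix length (lower value wins).
PRECEDENCE = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}

def select_route(routes, destination):
    """Return the route Azure would pick for `destination`, or None if nothing matches."""
    ip = ip_address(destination)
    matching = [r for r in routes if ip in ip_network(r.prefix)]
    if not matching:
        return None
    # Longest prefix first, then route-source precedence.
    return min(matching, key=lambda r: (-ip_network(r.prefix).prefixlen, PRECEDENCE[r.source]))

def next_hop(routes, destination):
    """(next_hop_type, next_hop_ip) for a destination; ("None", "") means dropped."""
    route = select_route(routes, destination)
    if route is None:
        return ("None", "")
    return (route.next_hop_type, route.next_hop_ip)

# System routes Azure creates for a VNet with address space 10.0.0.0/16 (constructed).
SYSTEM_ROUTES = [
    Route("10.0.0.0/16", "VirtualNetwork", "Default"),
    Route("0.0.0.0/0", "Internet", "Default"),
]

# A route table attached to the workload subnet (constructed):
#   - everything not matched more specifically goes to the firewall appliance
#   - a retired prefix is blackholed with next hop None
FORCE_TUNNEL_UDR = [
    Route("0.0.0.0/0", "VirtualAppliance", "User", "10.0.100.4"),
    Route("10.0.5.0/24", "None", "User"),
]

if __name__ == "__main__":
    effective = SYSTEM_ROUTES + FORCE_TUNNEL_UDR
    for dst in ("8.8.8.8", "10.0.1.4", "10.0.5.7"):
        print(dst, "->", next_hop(effective, dst))
```

Two things the model makes visible: the UDR only overrides the system Internet route because both are 0.0.0.0/0 and "User" outranks "Default", while intra-VNet traffic still follows the /16 system route because it is more specific, so a firewall in this position does not see east-west traffic unless you add UDRs for the VNet prefixes as well.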
Describe “Azure DDoS Protection”
Detects attack traffic (volumetric and protocol floods) at the Azure network edge and mitigates it before it reaches the resource
Standard includes cost protection: service credits for resources that scaled out during a documented attack
Basic: automatically enabled
Standard: additional mitigation and monitoring capabilities
Standard uses ML to analyze traffic patterns
Describe “authentication”
Authentication is the process of verification/assertion of identity
Describe “authorization”
Authorization is the process of determining what an already authenticated identity is allowed to do, so that it only reaches the resources and operations it has been granted
Describe “access management”
The process of controlling, verifying, tracking, and managing access for authorized users and applications
Describe “Azure Active Directory”
Identity and Access Management
Identities: users, groups, applications (service principals), managed identities, devices (including servers)
Access: subscriptions, resource groups, roles, role assignments, authentication and authorization, etc.
Describe “Multi-Factor Authentication (MFA)”
Uses more than one factor to prove identity
Knowledge - something you know
Possession - something you have
Physical Characteristic Factor - something you are
Location Factor - somewhere you are
Describe “Azure Security Center”
Centralized/unified infrastructure and platform security management service
Natively embedded
Integrated with Azure Advisor
Free tier: included with every subscription; provides continuous assessment, Secure Score, and actionable security recommendations
Paid tier: hybrid security (non-Azure machines), threat protection alerts, vulnerability scanning, just-in-time VM access, etc.
Describe “Azure Key Vault”
PaaS
Managed service for securing sensitive information
Secure storage service for keys (software- or HSM-protected), secrets, and certificates
Highly integrated with other services (e.g. managed identities retrieve secrets without credentials in code)
Centralization of secrets instead of scattering them across configuration
Access monitoring and logging via Azure Monitor diagnostic logs
Describe “Role-Based Access Control (RBAC)”
Authorization system built on Azure Resource Manager (ARM)
Designed for fine-grained access management of Azure resources
Role assignment is a combination of: role definition (Actions/NotActions), security principal (user, group, service principal, managed identity), and scope
Scopes are hierarchical: management group > subscription > resource group > resource; assignments are inherited downward
Additive and deny by default: a principal gets the union of its assignments and nothing without one
Built-in and custom roles are supported
Describe “Resource Locks”
Designed to prevent accidental deletion and/or modification
Used in conjunction with RBAC: a lock applies regardless of the caller's role, including Owner
Read-only (ReadOnly): only read operations are permitted; modification and deletion are blocked
Delete (CanNotDelete): deletion is blocked; modification is still permitted
Applied at subscription, resource group, or resource scope
Scopes are hierarchical (inherited by child resources)
Management groups can't be locked
Only the Owner and User Access Administrator roles can manage locks (they hold Microsoft.Authorization/locks/*; Contributor excludes it via NotActions)
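The RBAC and Resource Locks cards describe one decision: a request passes only if some inherited role assignment grants the action and no inherited lock vetoes it. The following added example, written for this page rather than taken from Azure, models that decision. The role definitions are an abbreviated subset of the built-in ones (Contributor's real NotActions list is longer), the scope paths, principals and locks are constructed, and the lock semantics are simplified to "ReadOnly blocks everything but read, CanNotDelete blocks delete".

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Abbreviated built-in role definitions: (Actions, NotActions). Azure's wildcard
# '*' matches any sequence of characters, which is also fnmatch's behaviour.
ROLE_DEFINITIONS = {
    "Owner": (["*"], []),
    "Contributor": (["*"], ["Microsoft.Authorization/*/Delete",
                            "Microsoft.Authorization/*/Write",
                            "Microsoft.Authorization/elevateAccess/Action"]),
    "Reader": (["*/read"], []),
    "User Access Administrator": (["*/read", "Microsoft.Authorization/*",
                                   "Microsoft.Support/*"], []),
}

@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    scope: str          # management group, subscription, resource group or resource path

@dataclass(frozen=True)
class Lock:
    level: str          # "CanNotDelete" or "ReadOnly"
    scope: str

def _covers(parent_scope: str, target_scope: str) -> bool:
    """Assignments and locks apply at their scope and everything beneath it."""
    p, t = parent_scope.lower().rstrip("/"), target_scope.lower().rstrip("/")
    return t == p or t.startswith(p + "/")

def _match(action: str, pattern: str) -> bool:
    return fnmatchcase(action.lower(), pattern.lower())   # actions are case-insensitive

def rbac_allows(assignments, principal, action, scope) -> bool:
    """Additive: allowed if any effective role's Actions match and its NotActions do not."""
    for a in assignments:
        if a.principal != principal or not _covers(a.scope, scope):
            continue
        actions, not_actions = ROLE_DEFINITIONS[a.role]
        if (any(_match(action, p) for p in actions)
                and not any(_match(action, p) for p in not_actions)):
            return True
    return False   # deny by default: no matching assignment, no access

def blocking_lock(locks, action, scope):
    """Return the inherited lock that vetoes this action, or None."""
    op = action.rsplit("/", 1)[-1].lower()   # read / write / delete / action
    for lock in locks:
        if not _covers(lock.scope, scope):
            continue
        if lock.level == "ReadOnly" and op != "read":
            return lock
        if lock.level == "CanNotDelete" and op == "delete":
            return lock
    return None

def authorize(assignments, locks, principal, action, scope):
    """RBAC decides first; a lock can only take access away, never grant it."""
    if not rbac_allows(assignments, principal, action, scope):
        return (False, "no role assignment grants this action at this scope")
    lock = blocking_lock(locks, action, scope)
    if lock is not None:
        return (False, f"{lock.level} lock at {lock.scope}")
    return (True, "allowed")

# Constructed scope hierarchy (placeholder subscription name, not a real ID).
SUB = "/subscriptions/sub-example"
RG = SUB + "/resourceGroups/rg-prod"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-web01"
KV = RG + "/providers/Microsoft.KeyVault/vaults/kv-prod"
OTHER_VM = SUB + "/resourceGroups/rg-dev/providers/Microsoft.Compute/virtualMachines/vm-dev01"

ASSIGNMENTS = [
    Assignment("alice", "Owner", SUB),          # inherited by every RG and resource
    Assignment("bob", "Contributor", RG),       # only rg-prod and its resources
    Assignment("carol", "Reader", RG),
]
LOCKS = [Lock("CanNotDelete", RG), Lock("ReadOnly", KV)]

if __name__ == "__main__":
    for who, action, scope in [
        ("bob", "Microsoft.Compute/virtualMachines/delete", VM),
        ("alice", "Microsoft.Compute/virtualMachines/delete", VM),
        ("bob", "Microsoft.Authorization/locks/write", RG),
        ("alice", "Microsoft.Authorization/locks/write", RG),
        ("bob", "Microsoft.Compute/virtualMachines/write", OTHER_VM),
    ]:
        print(who, action, "->", authorize(ASSIGNMENTS, LOCKS, who, action, scope))
```

The run shows the three facts the cards state: the Owner at subscription scope is still stopped by the CanNotDelete lock on the resource group, the Contributor cannot remove that lock because Microsoft.Authorization/*/Write is in its NotActions, and the Contributor's assignment at rg-prod does nothing for a VM in another resource group.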
Describe “tags”
Simple name (key) / value pairs
Designed to help with organization of Azure resources
Used for resource governance, security, operations management, cost management, automation, etc.
Typical tagging strategies use functional, classification, finance/accounting, and partnership tags
Applicable to resources, resource groups, and subscriptions
Not inherited by default (inheritance can be enforced with Azure Policy)