Security, Privacy, Compliance and Trust Flashcards

1
Q

describe Network Security Groups (NSG)

A

NETWORK SECURITY. Network Security Groups are a series of rules you can apply to allow inbound or outbound traffic. They enable you to filter traffic to and from resources by source and destination IP address, port, and protocol.
Inbound NSG rules protect a destination IP address and port by number. If you have hundreds of servers and machines, Application Security Groups are the better choice.

2
Q

describe Application Security Groups (ASG)

A

NETWORK SECURITY. Application security groups enable you to group resources by type, then apply rules to all IP addresses/ports in that type so that you don’t have to keep manually repeating your NSG configuration.

This feature allows you to reuse your security policy at scale without manual maintenance of explicit IP addresses. The platform handles the complexity of explicit IP addresses and multiple rule sets, allowing you to focus on your business logic.

3
Q

describe User Defined Routes (UDR)

A

NETWORK SECURITY. User Defined Routes allow you to define the path your traffic must take through your network.
For example, you can force traffic to go through a firewall device before reaching your VM by specifying a UDR.

4
Q

Describe Azure DDoS Protection

A

NETWORK SECURITY. Azure DDoS Protection provides “Basic” and “Standard” service tiers.
Basic tier:
- Always on monitoring
- Automatic mitigation for L3/L4 attacks
- L7 Protection with Application Gateway Web application firewall
- Globally deployed

Standard tier:

  • Protection policies tuned to your VNet
  • Logging, alerting and telemetry
  • Resource cost scale protection
5
Q

choose an appropriate Azure security solution

A

Consider all elements of defence in depth.

  1. Network Perimeter layer (DDoS protection and firewalls)
    a) All virtual network subnets should use NSG (Network Security Groups) as this is the most basic layer of allowing or denying traffic
    b) WAF Firewalls
  2. Networking layer (limit communication through segmenting your network and configuring access controls, deny by default, restrict inbound internet access and limit outbound where appropriate, implement secure connectivity to on-premise networks)
  3. Combining services, e.g. Network Security Groups and Azure Firewall, Application Gateway WAF and Azure Firewall
6
Q

describe the difference between authentication and authorization

A

Authentication - Who you are

Authorisation - what you can do

7
Q

describe Azure Active Directory

A

Azure Active Directory is a Microsoft cloud-based identity and access management service. Azure AD helps employees of an organization sign in and access internal and external resources.

Azure AD provides services such as:
Authentication, SSO, Application management, Business to business identity services, Business to customer identity services

8
Q

describe Azure Multi-Factor Authentication

A

Azure Multi-Factor Authentication provides additional security for your identities by requiring two or more elements for full authentication. These elements fall into three categories:
Something you know
Something you possess
Something you are (biometric)
Azure MFA comes with Azure AD Premium Licences, MFA authentication for O365, Azure AD global administrators

9
Q

Describe Azure Security Center

A

Azure Security Center is a monitoring service that provides threat protection across all of your services both in Azure, and on-premises.
Security Center can:
Provide security recommendations, monitor security and automatically apply required security to new services as they come online.
Identify potential vulnerabilities before they can be exploited.
Use machine learning to detect and block malware from being installed on your virtual machines and services.
You can also define a list of allowed applications to ensure that only the apps you validate can execute.
Analyze and identify potential inbound attacks and help to investigate threats and any post-breach activity that might have occurred.
Provide just-in-time access control for ports, reducing your attack surface by ensuring the network only allows traffic that you require.

Available as Free or Standard

10
Q

describe the Microsoft Privacy Statement

A

This privacy statement explains the personal data Microsoft processes, how Microsoft processes it, and for what purposes.

11
Q

describe the Trust center

A

The Trust Center is a website resource containing information and details about how Microsoft implements and supports security, privacy, compliance, and transparency in all Microsoft cloud products and services. The Trust Center is an important part of the Microsoft Trusted Cloud Initiative and provides support and resources for the legal and compliance community.

12
Q

describe the Service Trust Portal

A

The Service Trust Portal (STP) hosts the Compliance Manager service, and is the Microsoft public site for publishing audit reports and other compliance-related information relevant to Microsoft’s cloud services. STP users can download audit reports produced by external auditors and gain insight from Microsoft-authored reports that provide details on how Microsoft builds and operates its cloud services.

13
Q

describe Compliance Manager

A

Compliance Manager is a workflow-based risk assessment dashboard within the Trust Portal that enables you to track, assign, and verify your organization’s regulatory compliance activities related to Microsoft professional services and Microsoft cloud services such as Office 365, Dynamics 365, and Azure.

14
Q

describe Azure Government cloud services

A

Azure Government is a separate instance of the Microsoft Azure service. It addresses the security and compliance needs of US federal agencies, state and local governments, and their solution providers. Azure Government offers physical isolation from non-US government deployments and provides screened US personnel.

15
Q

describe Azure China cloud services

A

Azure China, operated by 21Vianet (Azure China 21Vianet), is a physically separated instance of cloud services located in China, independently operated and transacted by Shanghai Blue Cloud Technology Co., Ltd. (“21Vianet”), a wholly owned subsidiary of Beijing 21Vianet Broadband Data Center Co., Ltd.

16
Q

Describe Azure Security Center

A

SECURITY TOOL. Azure Security Center is a monitoring service that provides threat protection across all of your services both in Azure, and on-premises.
Security Center can:
Provide security recommendations, monitor security and automatically apply required security to new services as they come online.
Identify potential vulnerabilities before they can be exploited.
Use machine learning to detect and block malware from being installed on your virtual machines and services.
You can also define a list of allowed applications to ensure that only the apps you validate can execute.
Analyze and identify potential inbound attacks and help to investigate threats and any post-breach activity that might have occurred.
Provide just-in-time access control for ports, reducing your attack surface by ensuring the network only allows traffic that you require.

Available as Free or Standard

17
Q

Describe Azure Key Vault

A

Azure Key Vault is a centralized cloud service for storing your applications’ secrets. Key Vault helps you control your applications’ secrets by keeping them in a single, central location and by providing secure access, permissions control, and access logging capabilities.

18
Q

describe Azure Information Protection (AIP)

A

Azure Information Protection is a cloud-based solution that helps organizations classify and (optionally) protect their documents and emails by applying labels. Labels can be applied automatically (by administrators who define rules and conditions), manually (by users), or with a combination of both (where users are guided by recommendations).

19
Q

Describe Azure Key Vault

A

SECURITY TOOL. Azure Key Vault is a centralized cloud service for storing your applications’ secrets. Key Vault helps you control your applications’ secrets by keeping them in a single, central location and by providing secure access, permissions control, and access logging capabilities.

20
Q

describe Azure Information Protection (AIP)

A

SECURITY TOOL. Azure Information Protection is a cloud-based solution that helps organizations classify and (optionally) protect their documents and emails by applying labels. Labels can be applied automatically (by administrators who define rules and conditions), manually (by users), or with a combination of both (where users are guided by recommendations).

21
Q

Describe Azure Advanced Threat Protection (Azure ATP)

A

SECURITY TOOL. Azure Advanced Threat Protection is a cloud-based security solution that identifies, detects, and helps you investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Azure ATP is capable of detecting known malicious attacks and techniques, security issues, and risks against your network.

22
Q

What is the purpose of Azure Firewall?

A

NETWORK SECURITY. A firewall analyses traffic that is directed towards it, then either rejects traffic that doesn’t follow the permitted pattern or allows the traffic.

23
Q

describe Role-Based Access Control (RBAC)

A

Role-based access control provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs. RBAC is provided at no additional cost to all Azure subscribers.

24
Q

What is Azure Policy?

A

Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service-level agreements (SLAs).

25
Q

How do you implement an Azure policy?

A
  1. Create a policy definition
  2. Assign the definition to resources
    Assign to a specific scope, which could range from a management group to a resource group. Policy assignments are inherited by all child resources.
  3. Review the evaluation results
    Review the non-compliant policy results and take any action needed
26
Q

What is the function of Policy Initiatives?

A

Policy Initiatives work with Azure Policies.
1. Initiative definition
A set of policy definitions to help track your compliance state for a larger goal
2. Initiative assignment
Assign the definition to a specific scope, which could range from a management group to a resource group

27
Q

What are Resource Locks used for?

A

Resource Locks help you prevent accidental deletion or modification of your Azure resources. You can manage these locks from within the Azure portal. You can set lock level to Read-Only or Can not delete.

28
Q

What are Azure Blueprints?

A

Azure Blueprints enable cloud architects to define a repeatable set of Azure resources that implement and adhere to an organization’s standards, patterns, and requirements. Azure Blueprint enables development teams to rapidly build and deploy new environments with the knowledge that they’re building within organizational compliance with a set of built-in components that speed up development and delivery.

29
Q

Describe Azure Monitor

A

Azure Monitor maximizes the availability and performance of your applications by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on. Azure Monitor features can be organized into four categories: Analyze, Respond, Visualize and Integrate.

30
Q

Describe Azure Service Health

A

Azure Service Health is a suite of experiences that provide personalized guidance and support when issues with Azure services affect you. It can notify you, help you understand the impact of issues, and keep you updated as the issue is resolved. Azure Service Health can also help you prepare for planned maintenance and changes that could affect the availability of your resources.
It is composed of: Azure Status, Service Health, Resource Health. Together, the Azure Service Health components provide you with a comprehensive view of the health status of Azure, at the level of granularity that is most relevant to you.

31
Q

Which of the following could grant or deny access based on the originating IP address?

Azure Active Directory
Azure Firewall
VPN Gateway

A

Azure Firewall.
The Azure Firewall grants server access based on the originating IP address of each request. You create firewall rules that specify ranges of IP addresses. Only clients from these granted IP addresses will be allowed to access the server. Firewall rules also include specific network protocol and port information.

32
Q

Which of the following services would you use to filter internet traffic in your Azure virtual network?

Azure Firewall
Network Security Group
VPN Gateway

A

Network Security Group (NSG).
NSGs allow you to filter network traffic to and from Azure resources in an Azure virtual network. An NSG can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol.

33
Q

Which of the following provides information about planned maintenance and changes that could affect the availability of your resources?

Azure Monitor
Azure Security Center
Azure Service Health

A

Azure Service Health.
Azure Service Health is a suite of experiences that provide personalized guidance and support when issues with Azure services affect you. It can notify you, help you understand the impact of issues, and keep you updated as the issue is resolved. Azure Service Health can also help you prepare for planned maintenance and changes that could affect the availability of your resources.

34
Q

Which of the following can be used to help you enforce resource tagging so you can manage billing?

Azure Policy
Azure Service Health
Compliance Manager

A

Azure Policy.

Azure Policy can be used to enforce tagging values and rules on resources.

35
Q

Which of the following can be used to define a repeatable set of Azure resources that implement organizational requirements?

Azure Blueprint
Azure Policy
Azure Resource Groups

A

Azure Blueprints. Azure Blueprints enable cloud architects to define a repeatable set of Azure resources that implement and adhere to an organization’s standards, patterns, and requirements. Azure Blueprint enables development teams to rapidly build and deploy new environments with the knowledge that they’re building within organizational compliance with a set of built-in components that speed up development and delivery.

36
Q

Which of the following lets you grant users only the rights they need to perform their jobs?

Azure Policy
Compliance Manager
Role-Based Access Control

A

Role-Based Access Control (RBAC). RBAC lets you grant users only the rights they need to perform their jobs.

37
Q

Who is responsible for the security of your Azure Storage account access keys?

A

I am responsible, not Azure

38
Q

True or false: you can create your own policies if built-in Azure Policy is not sufficient for your needs

A

TRUE, you can create custom policies using JSON

39
Q

What types of resources are defined as “compute resources”?

A

Compute Services - a category of services in Azure that provides CPU cycles for rent. Virtual Machines are only one type of compute resource. The Marketplace contains many types of resources, not just compute.

40
Q

Which feature within Azure collects all of the logs from various resources into a central dashboard, where you can run queries, view graphs, and create alerts on certain events?

A

Azure Monitor

a centralized dashboard that collects all the logs, metrics and events from your resources

41
Q

What are Azure Availability Zones?

A

Availability Zones - Unique physical locations within an Azure region, made up of one or more datacenters; there is a minimum of three zones in each region; you can manually place your resources in an availability zone for highest availability

42
Q

Azure Services can go through several phases in a Service Lifecycle. What are the three phases called?

A

Private Preview, Public Preview, and General Availability

43
Q

Which method of deploying a virtual machine provides the highest availability SLA?

A

Two or more virtual machines in an availability zone. This offers 99.99% availability when configured correctly.
Note: availability sets = 99.95% and single VM instance = 99.9%

44
Q

Which Azure feature is most likely to deliver the most immediate savings when it comes to reducing Azure costs?

A

Reserved Instances often offer 40% or more savings off of the price of pay-as-you-go virtual machines

45
Q

What is the largest number of virtual machines that can be managed under a single Virtual Machine Scale Set?

A

1000

46
Q

What is the basic way of protecting an Azure Virtual Network subnet?

A

Network Security Group (NSG) - a fairly basic set of rules that you can apply to both inbound traffic and outbound traffic that lets you specify what sources, destinations, and ports are allowed to travel through from outside the virtual network to inside the virtual network

47
Q

Logic apps, functions, and service fabric are all examples of what model of compute within Azure?

A

Serverless model

48
Q

What is Single Sign-On?

A

Single Sign-On is the ability to use the same user ID and password to log into every application that your company has enabled by Azure Active Directory

49
Q

Which tool within Azure helps you to track your compliance with various international standards and government laws?

A

Compliance Manager will track your own compliance with various standards and laws.

50
Q

What is a DDoS attack?

A

Distributed Denial of Service (DDoS) attacks - a type of attack that originates from the Internet and attempts to overwhelm a network with millions of packets of bad traffic, aiming to prevent legitimate traffic from getting through

51
Q

What are some current capabilities of Azure Cognitive Services API?

A
  • Speak text in an extremely realistic way
  • Recognise faces in a picture
  • Translate text from one language to another
  • Recognise text in an image
  • Create text from audio