Security, Privacy, Compliance and Trust Flashcards

1
Q

What are Networks?

A

Networks give access to everything, allowing our services to connect with apps, users and other services

2
Q

How can we secure network connectivity? (4)

A

1) Firewalls
2) DDoS protection service
3) Network security groups
4) Application security groups

3
Q

What are firewalls?

A

Rules: a firewall defines rules for what traffic can and cannot reach the device or service behind it
Variations: firewalls come in hardware and software versions, and can suit any type and size of network
A critical part of any network

4
Q

What is the DDoS Protection Service?

A

The DDoS protection service detects a DDoS attack and deflects it. It offers various levels of protection depending on the scenario
No downtime: no interruption to your service, and Azure will mitigate the attack globally
Two tiers: basic (traffic monitoring and real-time mitigation) and standard (mitigation tuned to VNet resources)

5
Q

What is DDoS?

A

Distributed denial of service attack. Servers can only handle a certain number of requests per second; if there are too many requests, the server will stop. Some attacks are done on purpose, from many different sources. These attacks cause loss of business and loss of customer trust, and it costs money to recover services

Lots of computers and other connected devices target a single website to make it stop

6
Q

What is a Network Security Group (NSG)?

A

Resource firewall: a personal resource firewall attached to a virtual network, subnet or network interface
Rules: an NSG determines who can access the resources attached to it, using rules for inbound and outbound traffic
E.g. if you have a VM on a VNet, both can be behind a firewall. The VM will then have its own NSG to define its own security

7
Q

What is an Application Security Group?

A

An NSG protects and monitors traffic to a specific network/VM (IP endpoint); an application security group (ASG) protects an application
An ASG lets you configure network security as a natural extension of the application structure. Group VMs and VNets into logical application groups and apply an application security group

8
Q

What is Security Center?

A

A portal within the Azure portal that helps with consistent and manageable cloud security by integrating services into a unified view

1) Each VM has an agent installed that sends data to the portal, which analyses it
2) Alerts you to threats and helps you protect against them
3) Ready for hybrid architectures

9
Q

What are some highlights of Security Center?

A

1) Policy and compliance metrics
2) Gives you a ‘secure score’ to gamify security hygiene
3) Integrates with other cloud providers
4) Two levels: free (assess and recommend) and standard (monitor and detect)

10
Q

How do you use Security Center?

A

1) Define policies: a set of rules to evaluate a resource. Use predefined policies or your own
2) Protect resources: actively protect your resources through monitoring policies and outcomes
3) Respond to security alerts by investigating and redefining policies

11
Q

What is Azure Key Vault?

A

Stores passwords, secrets and certificates, and allows you to share them with other users/services without them knowing the value

12
Q

What are the key features of Key Vault?

A

1) Secure hardware: even the hardware is secure, so MS can’t access your data
2) Application isolation: apps can’t pass on secrets, nor access other applications’ secrets
3) Global scaling

13
Q

What is an example of using Key Vault?

A

You want to give a 3rd-party web service access to your SQL DB. You don’t want to give it your username and password, so you give it access to Key Vault, which will grant access to certain applications

Also works for secrets, to prevent sharing credentials

14
Q

What is Azure Information Protection?

A

Helps an organisation classify, and optionally protect, its documents and emails by applying labels

1) Secure documents, emails and data outside of the company network
2) Classify data: according to how sensitive it is, automatically according to policies, or manually
3) Track activities: track what is happening with sharing and revoke access if needed
4) Share data: you can control who edits, views, prints and forwards
5) Integration: controls for document access are integrated with common apps and tools (MS365)

15
Q

What is Advanced Threat Protection?

A

Attackers may target users as a weak link to access servers/apps/systems. ATP allows you to monitor user behaviour on-prem and in the cloud via a portal

1) Monitor users: analyse user activity and info, including permissions and group memberships
2) Baseline behaviour: record what a user’s normal behaviour and routine is. Any activity outside of this will be logged as suspicious
3) Suggest changes: ATP will suggest changes to conform with security best practices, to reduce risk

16
Q

What aspects of the Cyber-Attack Kill Chain will ATP monitor?

A

1) Reconnaissance: if a user is searching for info about other users, device IP addresses and more, ATP will raise alerts
2) Brute force: any attempts to guess user credentials will be identified and flagged
3) Increasing privileges: any attempt by a user to gain more privileges will be flagged. This could be through another user’s login

17
Q

What is a security policy in Security Center?

A

A set of rules that Azure can use to evaluate whether your configuration of a service complies with company/regulator requirements

18
Q

How is access to Key Vault managed?

A

Access to secrets and passwords can be granted or denied very quickly and as needed

19
Q

What is governance?

A

Without governance, you risk non-compliance, incorrect configuration, or services that cost too much because they were developed in isolation.

20
Q

What are some tools and services to implement adequate governance?

A

1) Azure Policy
2) Role based access control
3) Locks

21
Q

What is Azure Policy?

A

Azure Policy evaluates resources in Azure by comparing the properties of those resources to business rules, allowing all resources to work together even if developed individually. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to the per-resource level
Governance validates that your organisation can achieve its goals through effective and efficient use of IT

22
Q

What is Role Based Access Control (RBAC)?

A

Defines user access to individual resources and what actions they can take on the resource
Minimum access: RBAC can enforce the minimum access necessary, ensuring only users with valid access can manage resources
Target specific use cases: be very explicit about users and access. For example, allow an application access to certain resources, or allow a user to manage resources in a resource group

23
Q

How does RBAC work based on role assignment?

A

1) Security principal: an object representing an entity, such as a user, group or service, which can access the resource
2) Role definition: a collection of permissions such as read/write/delete
3) Scope: the resources the access applies to. Specify which role can access a resource or resource group

24
Q

Give a scenario where you would use RBAC

A

You have 3 VMs (admin, billing and general). You could create 3 roles:
1) Admin: read/write to all
2) Accountant: read/write to billing and read to general
3) Standard user: read to general
You can now assign each role to a number of users, and if there is a change to the role you can update it and all users with that assignment will be updated

25
Q

What are locks and their workflow?

A

Used to manage changes to and removal of resources. Locks need to be removed before such actions can be performed. Workflow:

1) Assign a lock to a subscription, RG or resource
2) Types: a lock can be of type delete (can delete a locked item) or read-only (can’t make any changes)

26
Q

How can you ensure resources are up to date for governance?

A

1) Azure Blueprints

2) Azure Advisor for security assistance

27
Q

What are Azure Blueprints?

A

Templates for creating Azure resources, removing the issue of manually creating environments that fit within governance compliance. Blueprints include:

1) Resource templates
2) Role based access control
3) Policies
4) Samples for common regulations

28
Q

What is Azure Advisor for security assistance?

A

Help prevent, detect and respond to potential threats across cloud and on-premises environments with Security Center. Get actionable insights from operational data with monitoring and diagnostic visualization. Reduce downtime without compromising compliance needs with Backup and Site Recovery.

Advisor is a separate portal within the Azure portal, but the security assistance part of it is part of Azure Security Center

29
Q

What is Azure Monitor?

A

Monitors telemetry data to determine resource health and identify resources that aren’t performing at 100%

30
Q

What is telemetry data?

A

The collection of measurements or other data at remote or inaccessible points and their automatic transmission to receiving equipment for monitoring, i.e. info about how other devices are performing, which is passed to a central point to analyse

31
Q

In what scenario would you use Azure Monitor?

A

When VMs are running, Azure Monitor ensures they are all running at optimal performance. As soon as one is underperforming you receive the information. You don’t need to know what information is on the machine; you need to know information about the machine (telemetry)

32
Q

What are the features of Azure Monitor?

A

1) Constant feed: most Azure services feed telemetry data into Azure Monitor, even on-prem
2) Fully managed and centralised, to analyse all data in one place
3) Query language: full access to an interactive query language to learn about the telemetry data
4) Machine learning: predict and recognise problems faster with built-in ML

33
Q

What are the outcomes of Azure Monitor?

A

1) Maximise performance
2) Maximise availability
3) Identify issues

34
Q

What is Azure Service Health?

A

In the Azure portal, there is the Service Health dashboard, which notifies you of planned and unplanned incidents on the platform

35
Q

What are the features of Azure Service Health?

A

1) Personalised dashboard to highlight service issues on your resources
2) Custom alerts: get notified; alerts are simple to set up and customise
3) Real-time tracking: track any alerts and issues in real time and get full reports once resolved
4) Free

36
Q

What is compliance?

A

Regulations, legislation, rules and guidelines need to be complied with. If companies in the EU don’t take compliance seriously, they can face massive fines

37
Q

What are some industry regulations?

A

1) General Data Protection Regulation (GDPR): the main objective is to protect individuals and the processing of their data. Gives control of personal data back to the individual, instead of the company owning it. Companies are required to implement a lot of tools for consumers to control their data
2) ISO standards: many categories, such as compliance with quality and customer satisfaction. Also includes food safety and environmental management
3) NIST: National Institute of Standards and Technology, focusing purely on the tech industry. Developed primarily for US federal agencies. Compliance with NIST means compliance with multiple US federal regulations

38
Q

What is Azure Compliance Manager?

A

Azure knows about compliance and your resources, so it can give recommendations through Compliance Manager. Benefits include:

1) Recommendations for ensuring compliance with GDPR, ISO and NIST
2) Assign compliance tasks to team members and track progress
3) Compliance score: chase 100% compliance!
4) Secure storage: upload compliance documents and store them securely
5) Reports: get reports of compliance data to provide to managers/auditors

39
Q

What are two specific regional offerings to meet compliance?

A

1) Azure Government cloud
Dedicated region with separate data centers
Exclusivity: guaranteed that only screened personnel have access
Compliance with required US Gov agencies and Department of Defense Level 5
Azure benefits (availability, scalability, managed resources)

2) China region
Data centers physically located in China with no outside connection
All data kept in China, meaning global services won’t work
Compliant with all Chinese regulations

40
Q

What is Azure Privacy?

A

A core part of the platform. There is not a single service for it, but it is covered in a host of other services

1) Azure Information Protection: classify, label and protect data based on level of sensitivity
2) Azure Policy: define and enforce rules to ensure privacy
3) Guides: use guides to respond to and comply with GDPR privacy requests
4) Compliance Manager: make sure you are following privacy guidelines
5) Microsoft Privacy Statement

41
Q

What is trust?

A

Governance, compliance and privacy all make up trust within an IT solution

42
Q

What are Azure’s services to ensure trust?

A

1) Trust Center

2) Service Trust portal

43
Q

What is Trust Center?

A

Learn about MS efforts on security, privacy, GDPR, data location, compliance and more. A hub for more info about trust in each product and service

44
Q

What is Service Trust Portal?

A

Review all independent reports and audits performed on MS products and services. Azure complies with more standards than any other cloud provider

45
Q

What services can feed data into Azure Monitor?

A

Both Azure services and on-prem services

46
Q

What are valid use cases for Azure Service Health?

A

1) Set up custom alerts to notify you of outages, planned or otherwise
2) Track incidents with your services in real time and get a report afterwards

47
Q

What are the types of Locks in Azure?

A

Delete

Read-only

48
Q

What are the features of RBAC?

A

1) Define which users have access to resources

2) Define which actions users can take on resources

49
Q

Which companies must comply with GDPR?

A

Companies of any country if their users are in the EU

50
Q

What is special about the China region in Azure?

A

1) All services are physically located in China
2) All customer data is geographically within China
3) Guaranteed to be compliant with all Chinese data and IT regulations

51
Q

What are 3 key characteristics of SLAs for Azure products?

A

1) Performance targets (specific to service)
2) Uptime and connectivity (ranges from 99.9% (three 9s) to five 9s)
3) Service credits (how MS responds if a service fails to perform)

52
Q

What is a composite SLA?

A

Combining SLAs across different service offerings, which affects the overall SLA (the SLA of each individual service multiplied together)

53
Q

What is an Application SLA?

A

Create your own SLA to set performance targets that suit your specific app, to evaluate how it meets business requirements, e.g. resiliency and availability. Refers to the overall time the system is functional and working

54
Q

What are the two encryption types?

A

Symmetric encryption uses the same key to encrypt and decrypt the data. Consider a desktop password manager application. You enter your passwords and they are encrypted with your own personal key (your key is often derived from your master password). When the data needs to be retrieved, the same key is used, and the data is decrypted.

Asymmetric encryption uses a public key and private key pair. Either key can encrypt but a single key can’t decrypt its own encrypted data. To decrypt, you need the paired key. Asymmetric encryption is used for things like Transport Layer Security (TLS) (used in HTTPS) and data signing.

55
Q

What are some encryption services?

A

1) Azure Storage Service Encryption
2) Azure Disk Encryption
3) Transparent data encryption (SQL and warehousing)
4) Azure Key Vault

56
Q

What is TLS?

A

Transport Layer Security (TLS) is the basis for encryption of website data in transit. TLS uses certificates to encrypt and decrypt data. However, these certificates have a lifecycle that requires administrator management. A common security problem with websites is having expired TLS certificates that open security vulnerabilities.

57
Q

What are the types of certificates?

A

1) Service certificates are used for cloud services

2) Management certificates are used for authenticating with the management API

58
Q

What is ExpressRoute?

A

To provide a dedicated, private connection between your network and Azure, you can use Azure ExpressRoute. ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider. With ExpressRoute, you can establish connections to Microsoft cloud services, such as Microsoft Azure, Microsoft 365, and Dynamics 365. ExpressRoute connections improve the security of your on-premises communication by sending this traffic over the private circuit instead of over the public internet.

59
Q

You are planning on purchasing Azure AD Premium for your Azure subscription. What is the SLA for this product?

A

Per the Azure documentation “We guarantee at least 99.9% availability of the Azure Active Directory Basic and Premium services”.

Remember: no SLA is provided for the Free tier of Azure Active Directory

60
Q

What can be recommended by Advisor?

A

Service security
Resource cost
Storage performance and reliability

61
Q

When utilizing at least two Azure virtual machines with at least two availability zones, what is the guaranteed service level agreement that can be expected?

A

When deploying at least two Azure virtual machines across two or more Availability Zones in the same Azure region, a 99.99% SLA is guaranteed.

A 99.9% SLA can be expected for any single instance virtual machine using premium storage for all operating system disks and data disks.

For all Virtual Machines that have two or more instances deployed in the same Availability Set, we guarantee you will have Virtual Machine Connectivity to at least one instance at least 99.95% of the time.

62
Q

What is the difference between a firewall and an NSG?

A

Azure Firewall blocks any incoming or outgoing traffic that isn’t specifically allowed on a network. A Network Security Group manages the traffic to specific services

63
Q

Which of the following are PaaS?

Azure Virtual Network

Azure App Service

Azure Virtual Machines

Azure SQL Database

A

Azure App Service

Azure SQL DB

64
Q

If you have a VNet in an RG and you set a policy to not allow VNets in the RG, what happens?

A

VNet continues to function normally, but no new subnets can be added.

65
Q

What is ITIL?

A

ITIL compliance refers to the level of conformance to the Information Technology Infrastructure Library (ITIL), a system of standards developed by the British Office of Government Commerce (BGC).