Security, responsibility and trust in Azure Flashcards

1
Q

Describe security concept “Defense in depth”

A

A strategy that employs a series of mechanisms to slow the advance of an attack aimed at acquiring unauthorized access to information. Each layer provides protection so that if one layer is breached, a subsequent layer is already in place to prevent further exposure.

2
Q

Layers of defense in depth strategy

A
DATA
APPLICATION
COMPUTE
NETWORKING
PERIMETER FIREWALLS
IDENTITY & ACCESS
PHYSICAL SECURITY

3
Q

Azure Security Center

A

Security Center is a monitoring service that provides threat protection across all of your services both in Azure, and on-premises.

4
Q

Azure Security Center is available in two tiers

A

Free. Available as part of your Azure subscription, this tier is limited to assessments and recommendations of Azure resources only.
Standard. This tier provides a full suite of security-related services including continuous monitoring, threat detection, just-in-time access control for ports, and more.

5
Q

Use cases

A

Use Security Center for incident response - You can use Security Center during the detect, assess, and diagnose stages.

Use Security Center recommendations to enhance security.
You can reduce the chances of a significant security event by configuring a security policy, and then implementing the recommendations provided by Azure Security Center.

6
Q

Describe the difference between authentication and authorisation

A

Authentication is the process of establishing the identity of a person or service looking to access a resource. It involves the act of challenging a party for legitimate credentials, and provides the basis for creating a security principal for identity and access control use. It establishes if they are who they say they are.

Authorization is the process of establishing what level of access an authenticated person or service has. It specifies what data they’re allowed to access and what they can do with it.

7
Q

What is Azure AD?

A

A cloud-based identity service with built-in support for synchronizing with your existing on-premises Active Directory; it can also be used stand-alone.
Services:
Authentication - to apps and resources (includes MFA, password reset, and password requirements)
SSO - one ID and password for multiple apps. Identity tied to the user.
App management - manage cloud and on-prem apps using Azure AD App Proxy, SSO and SaaS apps
B2B identity services - guest users
B2C identity services - user sign-up, sign-in, etc.
Device management - how cloud or on-prem devices access corporate data

8
Q

Describe Multi-factor authentication

A

Multi-factor authentication (MFA) provides additional security for your identities by requiring two or more elements for full authentication. These elements fall into three categories:

Something you know - password
Something you possess - authenticator app
Something you are - biometric

9
Q

Service Principal (first define Identity, then Principal)

A

Identity - thing that can be authenticated (users, apps, servers)
Principal - identity with certain roles or claims

A service principal is an identity that is used by a service or application. And like other identities, it can be assigned roles.

10
Q

Managed identity

A

A managed identity can be created instantly for any Azure service that supports it.

When you create a managed identity for a service, you are creating an account on your organization's Active Directory.

11
Q

RBAC

A

Roles are sets of permissions, like “Read-only” or “Contributor”, that users can be granted to access an Azure service instance.

Identities are mapped to roles directly or through group membership.

12
Q

Privileged Identity Management

A

Azure AD Privileged Identity Management (PIM) is an additional, paid-for offering that provides oversight of role assignments, self-service and just-in-time role activation, and access reviews for Azure AD and Azure resources.

13
Q

What is encryption?

A

Encryption is the process of making data unreadable and unusable to unauthorized viewers. To use or read the encrypted data, it must be decrypted, which requires the use of a secret key. There are two top-level types of encryption: symmetric and asymmetric.

14
Q

Symmetric encryption

A

Symmetric encryption uses the same key to encrypt and decrypt the data.

15
Q

Asymmetric encryption

A

Asymmetric encryption uses a public key and private key pair.

16
Q

Encryption at rest

A

Data is unreadable without the keys and secrets needed to decrypt it.

17
Q

Encryption in transit

A

Data can be encrypted at the application layer prior to sending it over a network. HTTPS is an example of application-layer in-transit encryption.

Alternatively, set up a secure channel, like a virtual private network (VPN), at the network layer to transmit data between two systems.

18
Q

Azure Storage Service Encryption

A

Azure storage platform automatically encrypts your data before persisting it to Azure Managed Disks, Azure Blob storage, Azure Files, or Azure Queue storage, and decrypts the data before retrieval.

19
Q

Azure Disk Encryption

A

Disk Encryption leverages the industry-standard BitLocker feature of Windows and the dm-crypt feature of Linux to provide volume encryption for the OS and data disks. The solution is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets (and you can use managed service identities for accessing Key Vault).

20
Q

Transparent data encryption

A

Transparent data encryption (TDE) helps protect Azure SQL Database and Azure Data Warehouse against the threat of malicious activity. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.

21
Q

Azure Key Vault

A

Azure Key Vault is a centralized cloud service for storing your application secrets.

22
Q

Azure Key Vault - useful scenarios

A

Secrets management. You can use Key Vault to securely store and tightly control access to tokens, passwords, certificates, Application Programming Interface (API) keys, and other secrets.
Key management. You also can use Key Vault as a key management solution. Key Vault makes it easier to create and control the encryption keys used to encrypt your data.
Certificate management. Key Vault lets you provision, manage, and deploy your public and private Secure Sockets Layer/ Transport Layer Security (SSL/ TLS) certificates for your Azure, and internally connected, resources more easily.
Store secrets backed by hardware security modules (HSMs). The secrets and keys can be protected either by software, or by FIPS 140-2 Level 2 validated HSMs.

23
Q

The benefits of using Key Vault include:

A

Centralized application secrets. Centralizing storage for application secrets allows you to control their distribution, and reduces the chances that secrets may be accidentally leaked.
Securely stored secrets and keys. Azure uses industry-standard algorithms, key lengths, and HSMs, and access requires proper authentication and authorization.
Monitor access and use. Using Key Vault, you can monitor and control access to company secrets.
Simplified administration of application secrets. Key Vault makes it easier to enroll and renew certificates from public Certificate Authorities (CAs). You can also scale up and replicate content within regions, and use standard certificate management tools.
Integrate with other Azure services. You can integrate Key Vault with storage accounts, container registries, event hubs, and many more Azure services.

24
Q

Types of certificates

A

Service certificates are used for cloud services

Management certificates are used for authenticating with the management API

25
Q

What is a Firewall?

A

A firewall is a service that grants server access based on the originating IP address of each request. You create firewall rules that specify ranges of IP addresses. Only clients from these granted IP addresses will be allowed to access the server. Firewall rules, generally speaking, also include specific network protocol and port information.

26
Q

NB: Azure Firewall

A

Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources.

It is a fully stateful (full state of active network connections) firewall as a service with built-in high availability and unrestricted cloud scalability.

27
Q

Azure Application Gateway

A

LB + WAF - Application Gateway is a load balancer that includes a Web Application Firewall (WAF) that provides protection from common, known vulnerabilities in websites.

HTTP - It is designed to protect HTTP traffic.

28
Q

NB: Azure DDoS Protection

A

DDoS Protection leverages the scale and elasticity of Microsoft’s global network to bring DDoS mitigation capacity to every Azure region. The Azure DDoS Protection service protects your Azure applications by monitoring traffic at the Azure network edge before it can impact your service’s availability.

BASIC - Always-on traffic monitoring and real-time mitigation of common network-level attacks
STANDARD - provides additional mitigation capabilities that are tuned specifically to Microsoft Azure Virtual Network resources

29
Q

Types of DDoS attacks

A

Volumetric attacks. The attacker's goal is to flood the network layer with a substantial amount of seemingly legitimate traffic.
Protocol attacks. These attacks render a target inaccessible by exploiting a weakness in the layer 3 and layer 4 protocol stack.
Resource (application) layer attacks. These attacks target web application packets to disrupt the transmission of data between hosts.

30
Q

NB: Network Security Groups (NSG’s)

A

FILTER - NSGs allow you to filter network traffic to and from Azure resources in an Azure virtual network.

An NSG can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol.

31
Q

ExpressRoute

A

ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider.

32
Q

NB: Microsoft Azure Information Protection (AIP)

A

Azure Information Protection (sometimes referred to as AIP) is a cloud-based solution that helps organizations classify and optionally protect documents and emails by applying labels.

33
Q

NB: Azure Advanced Threat Protection (ATP)

A

Azure ATP is a cloud-based security solution that identifies, detects, and helps you investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

34
Q

Azure ATP portal

A

Azure ATP has its own portal, through which you can monitor and respond to suspicious activity.

35
Q

Azure ATP sensor

A

The Azure ATP sensor is installed directly on your domain controllers.

The sensor monitors domain controller traffic without requiring a dedicated server or configuring port mirroring.

36
Q

Azure AD ID Protection

A

Enforce Azure MFA based on a condition