Understand Security, Privacy, Compliance, and Trust

Question 1

_____: if we start on the perimeter of the network, we’re focused on limiting and eliminating attacks from the internet. Azure Security Center is a great place to look for information because it will identify internet-facing resources that do not have network security groups associated with them, as well as resources that are not secured behind a firewall

Answer 1

Internet Protection

Question 2

_____: a service that grants server access based on the originating IP address of each request. You create _____ rules that specify ranges of IP addresses. Only clients from these granted IP addresses will be allowed to access the server

Answer 2

Firewall

Question 3

_____: a managed, cloud-based, network security service that protects your Azure Virtual network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. _____ provides inbound protection for non-HTTP/S protocols such as Remote Desktop Protocol (RDP), Secure Shell (SSH), and File Transfer Protocol (FTP). It also provides outbound network-level protections for all ports and protocols, and application-level protection for outbound HTTP/S

Answer 3

Azure Firewall

Question 4

_____: a load balancer that includes a Web Application Firewall (WAF) that provides protection from common, known vulnerabilities in websites. It is specifically designed to protect HTTP traffic

Answer 4

Azure Application Gateway

Question 5

_____: ideal options for non-HTTP services or advanced configurations, and are similar to hardware firewall appliances

Answer 5

Network Virtual Appliances (NVAs)

Question 6

_____: Any resource exposed on the internet is at risk of being attacked by a denial of service attack. These types of attacks attempt to overwhelm a network resource by sending so many requests that the resource becomes slow or unresponsive.When you combine _____ with application design best practices, you help provide defense against DDoS attacks. _____ leverages the scale and elasticity of Microsoft’s global network to bring DDoS mitigation capacity to every Azure region. The _____ service protects your Azure applications by scrubbing traffic at the Azure network edge before it can impact your service’s availability. Within a few minutes of attack detection, you are notified using Azure Monitor metrics

Answer 6

Azure DDoS Protection

Question 7

Azure DDoS Protection Tier: _____: automatically enabled as part of the Azure platform. Always-on traffic monitoring and real-time mitigation of common network-level attacks provide the same defenses that Microsoft’s online services use. Azure’s global network is used to distribute and mitigate attack traffic across regions

Answer 7

Basic

Question 8

Azure DDoS Protection Tier: _____: provides additional mitigation capabilities that are tuned specifically to Microsoft Azure Virtual Network resources. DDoS Protections Standard is simple to enable and requires no application changes. Protection policies are tuned through dedicated traffic monitoring and machine learning algorithms. Policies are added to public IP addresses which are associated with resources deployed in virtual networks, such as Azure Load Balancer and Azure Application Gateway. DDoS _____ protection can mitigate the following types of attacks:

• Volumetric Attacks: the attackers goal is to flood the network layer with a substantial amount of seemingly legitimate traffic
• Protocol Attacks: these attacks render a target inaccessible, by exploiting a weakness in the layer 3 and layer 4 protocol stack
• Resource (Application) Layer Attacks: these attacks target web application packets to disrupt the transmission of data between hosts

Answer 8

Standard

Question 9

_____: for communication between virtual machines, Network Security Groups (NSGs) are a critical piece to restrict unnecessary communication

Answer 9

Virtual Network Security

Question 10

_____: it is common to have existing network infrastructure that needs to be integrated to provide communication from on-premises networks or to provide improved communication between services in Azure

Answer 10

Network Integration

Question 11

_____: connections are a common way of establishing secure communication channels between networks. Connection between Azure Virtual Network and an on-premises _____ device is a great way to provide secure communication between your network and your Vnet on Azure

Answer 11

Virtual Private Network (VPN)

Question 12

_____: to provide a dedicated, private connection between your network and Azure, you can use Azure _____. _____ lets you extend your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider. With _____, you can establish connections to Microsoft cloud services, such as Microsoft Azure, Office 365, and Dynamics 365. This improves the security of your on-premises communication by sending this traffic over the private circuit instead of over the internet. You do not need to allow access to these services for your end users over the internet, and you can send this traffic through appliances for further traffic inspection

Answer 12

ExpressRoute

Question 13

_____: allow you to filter network traffic to and from Azure resources in an Azure virtual network. An _____ can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol. They provide a list of allowed and denied communication to and from network interfaces and subnets and are fully customizable

Answer 13

Network Security Groups (NSGs)

Question 14

_____: is the process of establishing the identity of a person or service looking to access a resource. It involves the act of challenging a party for legitimate credentials and provides the basis for creating a security principal for identity and access control use. It establishes if they are who they say they are. This includes verifying identity to access applications and resources, and providing functionality such as self-service password reset, multi-factor authentication (MFA), a custom banned password list, and smart lockout services

Answer 14

Authentication

Question 15

_____: is the process of establishing what level of access and authenticated person or service has. It specifies what data they are allowed to access and what they can do with it

Answer 15

Authorization

Question 16

• Access to your Azure subscriptions is performed using _____. _____ is a modern cloud-based identity service/identity provider that supports multiple authentication protocols to secure applications and services in the cloud
• _____ is not the same as Windows Active Directory. Windows Active Directory is focused on security Windows desktops and servers. In contrast, _____ is all about web-based authentication standards such as OpenID and Oauth
• When you sign up for a Microsoft cloud services such as Microsoft Azure, Microsoft Intune, or Office 365, a dedicated instance of _____ is automatically created for your organization
• Users, applications, and other entities registered in _____ are not all lumped into a single global service. Instead, _____ is partitioned into separate tenants
• When it comes to _____ tenants, there is no concrete definition of “organization.” Tenants can be owned by individuals, teams, companies, or any other group of people
• The email address you use to sign into Azure can be associated with more than one tenant. You can switch between tenants in the Switch Directory section
• _____ tenants and subscriptions have a many-to-one trust relationship. A tenant can be associated with multiple Azure subscriptions, but every subscription is associated with only one tenant
• Each tenant has an Account Owner, this is the original Azure account that is responsible for billing. You can add additional users to the tenant, and even invite guests from other _____ tenants to access resources in subscriptions

Answer 16

Azure Active Directory

Question 17

_____: a dedicated, isolated instance of the Azure Active Directory service, owned and managed by an organization

Answer 17

Tenant

Question 18

_____: enables users to remember only one ID and one password to access multiple applications. A single identity is tied to a user, simplifying the security model. As users change roles or leave an organization, access modifications are tied to that identity, greatly reducing the effort needed to change or disable accounts

Answer 18

Single Sign-On

Question 19

_____: you can manage your cloud and on-premises apps using Azure AD Application Proxy, SSO, the My Apps portal (also referred to as Access Panel), and SaaS apps

Answer 19

Application Management

Question 20

_____: manage your guest users and external partners while maintaining control over your own corporate data Business-to-Customer (B2C) identity services. Customer and control how users sign up, sign in, and manage their profiles when using your apps and services

Answer 20

Business-to-Business (B2B) Identity Services

Question 21

_____: manage how your cloud or on-premises devices access your corporate data

Answer 21

Device Management

Question 22

_____: provides additional security for your identities by requiring two or more elements for full authentication. These elements fall into three categories:

• Something You Know: would be a password or the answer to a security questions
• Something You Possess: could be a mobile app that receives a notification or token-generating device
• Something You Are: typically some sort of biometric property, such as a fingerprint or face scan used on many mobile devices

Answer 22

Multi-Factor Authentication

Question 23

_____: just a thing that can be authenticated. Obviously, this includes users with a user name and password, but it can also include applications or other servers, which might authenticate with secret keys or certificates. As a bonus definition, an account is data associated with an _____

Answer 23

Identity

Question 24

_____: an identity acting within certain roles or claims. Usually, it is not useful to consider identity and _____ separately, but think of using sudo on a Bach prompt in Linux or on Windows using “run as Administrator.” In both those cases, you are still logged in as the same identity as before , but you’ve changed the role under which you are executing. Groups are often also considered _____ because they can have rights assigned

Answer 24

Principal

Question 25

_____: an identity that is used by a service or application. And like other identities, it can be assigned roles

Answer 25

Service Principal

Question 26

_____: the creation of service principals an be a tedious process, and there are a lot of touch points that can make maintaining they difficult. _____ are much easier and will do most of the work for you. A managed identity can be instantly created for any Azure service that supports it - and the list is constantly growing. When you create a _____, you are creating an account on the Azure AD tenant. The Azure infrastructure will automatically take care of authenticating the service and managing the account. You can then use that account like any other Azure AD account, including securely letting the authenticated service access other Azure resources

Answer 26

Managed Identities for Azure Services

Question 27

Shared Security Responsibility with Azure. Who is responsible for what?Responsibility: Data Governance & Rights Management: _____

Answer 27

• On-Premises: Customer
• IaaS: Customer
• PaaS: Customer
• SaaS Customer

Question 28

Shared Security Responsibility with Azure. Who is responsible for what?Responsibility: Client Endpoint: _____

Answer 28

• On-Premises: Customer
• IaaS: Customer
• PaaS: Customer
• SaaS: Customer

Question 29

Shared Security Responsibility with Azure. Who is responsible for what?Responsibility: Account & Access Management: _____

Answer 29

• On-Premises: Customer
• IaaS: Customer
• PaaS: Customer
• SaaS: Customer

Question 30

Shared Security Responsibility with Azure. Who is responsible for what?Responsibility: Identity & Directory Infrastructure: _____

Answer 30

• On-Premises: Customer
• IaaS: Customer
• PaaS: Shared
• SaaS: Shared

Question 31

Shared Security Responsibility with Azure. Who is responsible for what?Responsibility: Application: _____

Answer 31

• On-Premises: Customer
• IaaS: Customer
• PaaS: Shared
• SaaS: Microsoft

Question 32

Shared Security Responsibility with Azure. Who is responsible for what?Responsibility: Network Controls: _____

Answer 32

• On-Premises: Customer
• IaaS: Customer
• PaaS: Shared
• SaaS: Microsoft

Question 33

Shared Security Responsibility with Azure. Who is responsible for what?Responsibility: Operating System: _____

Answer 33

• On-Premises: Customer
• IaaS: Customer
• PaaS: Microsoft
• SaaS: Microsoft

Question 34

Shared Security Responsibility with Azure. Who is responsible for what?Responsibility: Physical Hosts: _____

Answer 34

• On-Premises: Customer
• IaaS: Microsoft
• PaaS: Microsoft
• SaaS: Microsoft

Question 35

Shared Security Responsibility with Azure. Who is responsible for what?Responsibility: Physical Network: _____

Answer 35

• On-Premises: Customer
• IaaS: Microsoft
• PaaS: Microsoft
• SaaS: Microsoft

Question 36

Shared Security Responsibility with Azure. Who is responsible for what?Responsibility: Physical Datacenter: _____

Answer 36

• On-Premises: Customer
• IaaS: Microsoft
• PaaS: Microsoft
• SaaS: Microsoft

Question 37

A Layered Approach to Security: _____ is a strategy that employs a series of mechanisms to slow the advance of an attack aimed at acquiring unauthorized access to information. Each layer provides protection so that if one layer is breached, a subsequent layer is already in place to prevent further exposure. Microsoft applies a layered approach to security, both in physical data centers and across Azure services. The objective of _____ is to protect and prevent information from being stolen by individuals who are not authorized to use it. Defense in Depth can be visualized as a set of concentric rings, with data to be secured in the center. Each ring adds an additional layer of security around the data. This approach removes reliance on any single layer of protection and acts to slow down an attack and prove alert telemetry that can be acted upon, either automatically or manually

Answer 37

Defense in Depth

Question 38

_____: the process of making data unreadable and unusable to unauthorized viewers. To use or read the _____ data, it must be decrypted, which requires the use of a secret key. There are two top-level types of _____

Answer 38

Encryption

Question 39

_____: uses the same key to encrypt and decrypt the data. Consider a desktop password manager application. You enter your passwords and they are encrypted with you own personal key (your key is often derived from your master password). When the data needs to be retrieved, the same key is used, and the data is decrypted

Answer 39

Symmetric Encryption

Question 40

_____: uses a public key and private key pair. Either key can encrypt but a single key can’t decrypt its own encrypted data. To decrypt, you need the paired key. _____ is used for things like Transport Layer Security (TLS) (used in HTTPS) and data signing

Answer 40

Asymmetric Encryption

Question 41

_____: data at rest is the data that has been stored on a physical medium. This could be data stored on the disk of a server, data stored in a database, or data stored in a storage account. Regardless of the storage mechanism, encryption of data at rest ensures that the stored data is unreadable without the keys and secrets needed to decrypt it

Answer 41

Encryption at Rest

Question 42

_____: data in transit is the data actively moving from one location to another, such as across the internet or through a private network. Secure transfer can be handled by several different layers. It could be done by encrypting the data at the application layer prior to sending it over a network. HTTPS is an example of application layer in transit encryption.You can also set up a secure channel, like a virtual private network (VPN), at a network layer, to transmit data between two systems. Encrypting data in transit protects the data from outside observers and provides a mechanism to transmit data while limiting risk of exposure

Answer 42

Encryption in Transit

Question 43

Encrypt Raw Data: _____: for data at rest helps you protect your data to meet your organizational security and compliance commitments. With this feature, the Azure storage platform automatically encrypts your data before persisting it to Azure Managed Disks, Azure Blob Storage, Azure Files, or Azure Queue storage, and decrypts the data before retrieval. The handling of encryption, encryption at rest, decryption, and key management in Storage Service Encryption is transparent to applications using the services

Answer 43

Azure Storage Service Encryption

Question 44

Encrypt Virtual Machine Disks: Storage Service Encryption provides low-level encryption protection for data written to physical disk, but how do you protect the VHDs of a VM? _____: is a capability that helps you encrypt your Windows and Linus IaaS VHDs. Azure Disk Encryption leverages the industry-standard BitLocker feature of Windows and the dm-crypt feature of Linux to provide volume encryptions for the OS and data disks. The solution is integrated with Azure Key Vault to help you control and managed the disk encryption keys and secrets

Answer 44

Azure Disk Encryption

Question 45

Encrypt Databases: _____helps protect Azure SQL Database and Azure Data Warehouse against the threat of malicious activity. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application. By default, _____ is enabled for all newly deployed Azure SQL Databases instances._____ encrypts the storage of an entire database by using a symmetric key called the database encryption key. By default, Azure provides a unique encryption key per logical SQL Server instance and handles all the details. Bring your own key (BYOK) is also supported with keys stored in Azure Key Vault

Answer 45

Transparent Data Encryption (TDE)

Question 46

_____: a centralized cloud service for storing your application secrets. _____ helps you control your applications’ secrets by keeping them in a single, central location and by providing secure access, permissions control, and access logging capabilities. It is useful in a variety of scenarios:
– Secrets Management: you can use _____ to securely store and tightly control access to tokens, password, certificates, Application Programming Interface (API) keys, and other secrets
– Key Management: you can also use _____ as a key management solution. _____ makes it easier to create and control the encryption keys used to encrypt your data
– Certificate Management: _____ lets you provision, manage, and deploy your public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates in Azure, and internally connected, resources more easily
- Store Secrets Backed by Hardware Security Modules (HSMs): the secrets and keys can be protected either by software, or by FIPS 140-2 Level 2 validated HSMs

Answer 46

Azure Key Vault

Question 47

_____: a monitoring service that provides threat protection across all your services both in Azure, and on-premises. _____ can:
- Provide security recommendations based on your configurations, resources, and networks
- Monitor security settings across on-premises and cloud workloads, and automatically apply required security to new services as they come online
- Continuously monitor all your services, and perform automatic security assessments to identify potential vulnerabilities before they can be exploited
- Use machine learning to detect and block malware from being installed on your virtual machines and services. You can also define a list of allowed applications to ensure that only the apps you validate are allowed to execute
- Analyze and identify potential inbound attacks, and help to investigate threats and any post-breach activity that might have occurred
- Provide just-in-time access control for ports, reducing your attack surface by ensuring the network only allows traffic that you require.
Available in two tiers:
- Free: available as part of your Azure subscription, this tier is limited to assessments and recommendations of Azure resources only
- Standard: this tier provides a full suite of security-related services including continuous monitoring, threat detection, just-in-time access control for ports, and more

Answer 47

Azure Security Center

Question 48

_____: a cloud-based solution that helps organizations classify and optionally protect document and emails by applying labels. Labels can be applied automatically based on rules and conditions, manually, or a combination of both where users are guided by recommendations. You can purchase _____ either as a standalone solution, or through one of the following Microsoft licensing suites: Enterprise + Mobility, or Microsoft 365 Enterprise

Answer 48

Azure Information Protection (AIP)

Question 49

_____: a cloud-based security solution that identifies, detects, and helps you investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. _____ is capable of detecting known malicious attacks and techniques, security issues, and risks against your networks. _____ consists of several components:
- _____ Portal: through this portal you can monitor and response to suspicious activity. You can also use the portal to monitor, manage, and investigate threats in your network environment
- _____ Sensor: installed directly on your domain controllers. The sensor monitors domain controller traffic without requiring a dedicated server or configuration port mirroring
- _____ Cloud Service: runs on Azure infrastructure and is currently deployed in the US, Europe, and Asia. _____ Cloud Service is connected to Microsoft’s intelligent security graph.
_____ is available as part of the Enterprise Mobility + Security 5 suite (EMS E5) and as a standalone license

Answer 49

Azure Advanced Threat Protection (ATP)

Question 50

_____: a service in Azure that you use to define, assign, and manage standards for resources in your environment. It can prevent the creation of disallowed resources, ensure new resources have specific settings applied, and run evaluations of your existing resources to scan for non-compliance. _____ comes with many built-in policy and initiative definitions that you can use, under categories such as Storage, Networking, Compute, Security Center, and Monitoring

Answer 50

Azure Policy

Question 51

_____: expresses what to evaluate and what action to take. For example, you could ensure all public websites are secured with HTTPS, prevent a particular storage type from being created, or force a specific version of SQL Server to be used. The _____ itself is represented as a JSON file. You can use one of the pre-defined definitions in the portal or create your own (either modifying an existing one or starting from scratch)

Answer 51

Policy Definition

Question 52

Managing a few policies is easy, but once you have more than a few, you will want to organize them, that is where _____ come in._____ work alongside policies in Azure Policy

Answer 52

Initiatives

Question 53

_____: a set or group of policy definitions to help track your compliance state for a larger goal.

Answer 53

Initiative Definition

Question 54

_____: an initiative definition assigned to a specific scope. _____ reduce the need to make several initiative definitions for each scope

Answer 54

Initiative Assignment

Question 55

_____: gives you the control to define roles for people and grant them only the amount of access needed to do their jobs while using Azure services. Roles are sets of permissions, like “Read-Only” or “Contributor,” that users can be granted to access an Azure Service instance.Identities are mapped to roles directly or through group membership. Separating security principals, access permissions, and resources provides simple access management and fine-grained control. Administrators are able to ensure the minimum necessary permissions are granted.Roles can be granted at the individual service instance level, but they can also flow down the Azure Resource Manager hierarchy

Answer 55

Role-Based Access Control (RBAC)

Question 56

_____: a setting that can be applied to any resource to block modification or deletion. _____ can set to either delete or read-only
- Delete will allow all operations against the resources but block the ability to delete it.
- Read-Only will only allow read activities to be performed against the resource, blocking any modification or deletion of the resource.
_____ can be applied to Subscriptions, Resources Groups, and to individual resources, and they are inherited when applied at higher levels.
Use _____ to protect those key pieces of Azure that could have a large impact if they were removed or modified

Answer 56

Resource Locks

Question 57

_____: maximizes the availability and performance of your applications by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on

Answer 57

Azure Monitor

Question 58

_____: a suite of experiences that provide personalized guidance and support when issues with Azure services affect you. It can notify you, help you understand the impact of issues, and keep you updated as the issue is resolved. _____ can also help you prepare for planned maintenance and changes that could affect the availability of your resources

Answer 58

Azure Service Health

Question 59

_____ explains what personal data Microsoft processes, how Microsoft processes it, and for what purposes.
_____ applies to the interactions Microsoft has with you and Microsoft products such as Microsoft services, websites, apps, software, servers, and devices. It is intended to provide openness and honesty about how Microsoft deals with personal data in its products and services

Answer 59

Microsoft Privacy Statement

Question 60

_____: a website resource containing information and details about how Microsoft implements and supports security, privacy, compliance, and transparency in all Microsoft cloud products and services. _____ is an important part of the Microsoft Trusted Cloud Initiative and provides support and resources for the legal and compliance community including:

• In-depth information about security, privacy, compliance offerings, policies, features, and practices across Microsoft cloud products
• Recommended resources in the form of a curated list of the most applicable and widely-used resources for each topic
• Information specific to key organizational roles, including business managers, tenant admins or data security teams, risk assessment and privacy officers, and legal compliance teams
• Cross-company document search, which is coming soon and will enable existing cloud service customers to search the Service Trust Portal
• Direct guidance and support for when you can’t find what you are looking for

Answer 60

Trust Center

Question 61

_____: hosts the Compliance Manger service, and is the Microsoft public site for publishing audit reports and other compliance-related information relevant to Microsoft’s cloud services. _____ also includes information about how Microsoft online services can help your organization maintain and track compliance standards, laws, and regulations

Answer 61

Service Trust Portal (STP)

Question 62

_____: International Organization for Standardization

Answer 62

ISO

Question 63

_____: System and Organization Controls

Answer 63

SOC

Question 64

_____: National Institute for Standards and Technology

Answer 64

NIST

Question 65

_____: Federal Risk and Authorization Management Program

Answer 65

FedRAMP

Question 66

_____: General Data Protection Regulation

Answer 66

GDPR

Question 67

_____: a workflow-based risk assessment dashboard within the Trust Portal that enables you to track, assign, and verify your organization’s regulatory compliance activities related to Microsoft professional services and Microsoft cloud services such as Office 365, Dynamics 365, and Azure
_____ provides the following features:
- Combines the following three items:
◊ Detailed information provided by Microsoft to auditors and regulators, as part of various third-party audits of Microsoft’s cloud services against various standards
◊ Information that Microsoft compiles internally for its compliance with regulations (such as HIPAA and the EU GDPR)
◊ An organization’s self-assessment of their own compliance with these standards and regulations
- Enables you to assign, track, and record compliance and assessment-related activities, which can help your organization cross team barriers to achieve your organization’s compliance goals
- Provides a Compliance Score to help you track your progress and prioritize auditing controls that will help reduce your organization’s exposure to risk
- Provides a secure repository in which to upload and manage evidence and other artifacts related to compliance activities
- Produces richly detailed reports in Microsoft Excel that document the compliance activities performed by Microsoft and your organization, which can be provided by auditors, regulators, and other compliance stakeholders

Answer 67

Compliance Manager

Question 68

_____ delivers a dedicated cloud enabling government agencies and their partners to transform mission-critical workloads to the cloud. _____ handle data that is subject to certain government regulations and requirements, such as FedRAMP, NIST 800.171 (DIB), ITAR, IRS 1075, DoD L4, and CJIS. In order to provide the highest level of security and compliance, ______ uses physically isolated datacenters and networks (located in U.S. only)

Answer 68

Azure Government Services

Question 69

_____: a differentiated option from these with separate accounts and pricing. It delivers our industry-leading services from German datacenters, with data residency in Germany, and strict data access and control measures provided through a unique data trustee model governed under German law

Answer 69

Azure Germany Services