Understand Security, Privacy, Compliance, and Trust Flashcards
_____: if we start on the perimeter of the network, we’re focused on limiting and eliminating attacks from the internet. Azure Security Center is a great place to look for information because it will identify internet-facing resources that do not have network security groups associated with them, as well as resources that are not secured behind a firewall
Internet Protection
_____: a service that grants server access based on the originating IP address of each request. You create _____ rules that specify ranges of IP addresses. Only clients from these granted IP addresses will be allowed to access the server
Firewall
_____: a managed, cloud-based, network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. _____ provides inbound protection for non-HTTP/S protocols such as Remote Desktop Protocol (RDP), Secure Shell (SSH), and File Transfer Protocol (FTP). It also provides outbound network-level protections for all ports and protocols, and application-level protection for outbound HTTP/S
Azure Firewall
_____: a load balancer that includes a Web Application Firewall (WAF) that provides protection from common, known vulnerabilities in websites. It is specifically designed to protect HTTP traffic
Azure Application Gateway
_____: ideal options for non-HTTP services or advanced configurations, and are similar to hardware firewall appliances
Network Virtual Appliances (NVAs)
_____: any resource exposed on the internet is at risk of being attacked by a denial of service attack. These types of attacks attempt to overwhelm a network resource by sending so many requests that the resource becomes slow or unresponsive. When you combine _____ with application design best practices, you help provide defense against DDoS attacks. _____ leverages the scale and elasticity of Microsoft’s global network to bring DDoS mitigation capacity to every Azure region. The _____ service protects your Azure applications by scrubbing traffic at the Azure network edge before it can impact your service’s availability. Within a few minutes of attack detection, you are notified using Azure Monitor metrics
Azure DDoS Protection
Azure DDoS Protection Tier: _____: automatically enabled as part of the Azure platform. Always-on traffic monitoring and real-time mitigation of common network-level attacks provide the same defenses that Microsoft’s online services use. Azure’s global network is used to distribute and mitigate attack traffic across regions
Basic
Azure DDoS Protection Tier: _____: provides additional mitigation capabilities that are tuned specifically to Microsoft Azure Virtual Network resources. DDoS Protection _____ is simple to enable and requires no application changes. Protection policies are tuned through dedicated traffic monitoring and machine learning algorithms. Policies are added to public IP addresses which are associated with resources deployed in virtual networks, such as Azure Load Balancer and Azure Application Gateway. DDoS Protection _____ can mitigate the following types of attacks:
- Volumetric Attacks: the attacker’s goal is to flood the network layer with a substantial amount of seemingly legitimate traffic
- Protocol Attacks: these attacks render a target inaccessible by exploiting a weakness in the layer 3 and layer 4 protocol stack
- Resource (Application) Layer Attacks: these attacks target web application packets to disrupt the transmission of data between hosts
Standard
_____: for communication between virtual machines, Network Security Groups (NSGs) are a critical piece to restrict unnecessary communication
Virtual Network Security
_____: it is common to have existing network infrastructure that needs to be integrated to provide communication from on-premises networks or to provide improved communication between services in Azure
Network Integration
_____: connections are a common way of establishing secure communication channels between networks. A connection between an Azure Virtual Network and an on-premises _____ device is a great way to provide secure communication between your network and your VNet on Azure
Virtual Private Network (VPN)
_____: to provide a dedicated, private connection between your network and Azure, you can use Azure _____. _____ lets you extend your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider. With _____, you can establish connections to Microsoft cloud services, such as Microsoft Azure, Office 365, and Dynamics 365. This improves the security of your on-premises communication by sending this traffic over the private circuit instead of over the internet. You do not need to allow access to these services for your end users over the internet, and you can send this traffic through appliances for further traffic inspection
ExpressRoute
_____: allow you to filter network traffic to and from Azure resources in an Azure virtual network. An _____ can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol. They provide a list of allowed and denied communication to and from network interfaces and subnets and are fully customizable
Network Security Groups (NSGs)
_____: is the process of establishing the identity of a person or service looking to access a resource. It involves the act of challenging a party for legitimate credentials and provides the basis for creating a security principal for identity and access control use. It establishes if they are who they say they are. This includes verifying identity to access applications and resources, and providing functionality such as self-service password reset, multi-factor authentication (MFA), a custom banned password list, and smart lockout services
Authentication
_____: is the process of establishing what level of access an authenticated person or service has. It specifies what data they are allowed to access and what they can do with it
Authorization
- Access to your Azure subscriptions is performed using _____. _____ is a modern cloud-based identity service/identity provider that supports multiple authentication protocols to secure applications and services in the cloud
- _____ is not the same as Windows Active Directory. Windows Active Directory is focused on securing Windows desktops and servers. In contrast, _____ is all about web-based authentication standards such as OpenID and OAuth
- When you sign up for a Microsoft cloud service such as Microsoft Azure, Microsoft Intune, or Office 365, a dedicated instance of _____ is automatically created for your organization
- Users, applications, and other entities registered in _____ are not all lumped into a single global service. Instead, _____ is partitioned into separate tenants
- When it comes to _____ tenants, there is no concrete definition of “organization.” Tenants can be owned by individuals, teams, companies, or any other group of people
- The email address you use to sign into Azure can be associated with more than one tenant. You can switch between tenants in the Switch Directory section
- _____ tenants and subscriptions have a many-to-one trust relationship. A tenant can be associated with multiple Azure subscriptions, but every subscription is associated with only one tenant
- Each tenant has an Account Owner; this is the original Azure account that is responsible for billing. You can add additional users to the tenant, and even invite guests from other _____ tenants to access resources in subscriptions
Azure Active Directory
_____: a dedicated, isolated instance of the Azure Active Directory service, owned and managed by an organization
Tenant
_____: enables users to remember only one ID and one password to access multiple applications. A single identity is tied to a user, simplifying the security model. As users change roles or leave an organization, access modifications are tied to that identity, greatly reducing the effort needed to change or disable accounts
Single Sign-On
_____: you can manage your cloud and on-premises apps using Azure AD Application Proxy, SSO, the My Apps portal (also referred to as Access Panel), and SaaS apps
Application Management
_____: manage your guest users and external partners while maintaining control over your own corporate data. Business-to-Customer (B2C) Identity Services, by contrast, customize and control how users sign up, sign in, and manage their profiles when using your apps and services
Business-to-Business (B2B) Identity Services
_____: manage how your cloud or on-premises devices access your corporate data
Device Management
_____: provides additional security for your identities by requiring two or more elements for full authentication. These elements fall into three categories:
- Something You Know: would be a password or the answer to a security question
- Something You Possess: could be a mobile app that receives a notification or a token-generating device
- Something You Are: typically some sort of biometric property, such as a fingerprint or face scan used on many mobile devices
Multi-Factor Authentication
_____: just a thing that can be authenticated. Obviously, this includes users with a user name and password, but it can also include applications or other servers, which might authenticate with secret keys or certificates. As a bonus definition, an account is data associated with an _____
Identity
_____: an identity acting within certain roles or claims. Usually, it is not useful to consider identity and _____ separately, but think of using sudo on a Bash prompt in Linux or on Windows using “run as Administrator.” In both those cases, you are still logged in as the same identity as before, but you’ve changed the role under which you are executing. Groups are often also considered _____ because they can have rights assigned
Principal
_____: an identity that is used by a service or application. And like other identities, it can be assigned roles
Service Principal
_____: the creation of service principals can be a tedious process, and there are a lot of touch points that can make maintaining them difficult. _____ are much easier and will do most of the work for you. A managed identity can be instantly created for any Azure service that supports it - and the list is constantly growing. When you create a _____, you are creating an account on the Azure AD tenant. The Azure infrastructure will automatically take care of authenticating the service and managing the account. You can then use that account like any other Azure AD account, including securely letting the authenticated service access other Azure resources
Managed Identities for Azure Services
Shared Security Responsibility with Azure. Who is responsible for what? Responsibility: Data Governance & Rights Management: _____
- On-Premises: Customer
- IaaS: Customer
- PaaS: Customer
- SaaS: Customer
Shared Security Responsibility with Azure. Who is responsible for what? Responsibility: Client Endpoint: _____
- On-Premises: Customer
- IaaS: Customer
- PaaS: Customer
- SaaS: Customer
Shared Security Responsibility with Azure. Who is responsible for what? Responsibility: Account & Access Management: _____
- On-Premises: Customer
- IaaS: Customer
- PaaS: Customer
- SaaS: Customer
Shared Security Responsibility with Azure. Who is responsible for what? Responsibility: Identity & Directory Infrastructure: _____
- On-Premises: Customer
- IaaS: Customer
- PaaS: Shared
- SaaS: Shared
Shared Security Responsibility with Azure. Who is responsible for what? Responsibility: Application: _____
- On-Premises: Customer
- IaaS: Customer
- PaaS: Shared
- SaaS: Microsoft
Shared Security Responsibility with Azure. Who is responsible for what? Responsibility: Network Controls: _____
- On-Premises: Customer
- IaaS: Customer
- PaaS: Shared
- SaaS: Microsoft
Shared Security Responsibility with Azure. Who is responsible for what? Responsibility: Operating System: _____
- On-Premises: Customer
- IaaS: Customer
- PaaS: Microsoft
- SaaS: Microsoft
Shared Security Responsibility with Azure. Who is responsible for what? Responsibility: Physical Hosts: _____
- On-Premises: Customer
- IaaS: Microsoft
- PaaS: Microsoft
- SaaS: Microsoft
Shared Security Responsibility with Azure. Who is responsible for what? Responsibility: Physical Network: _____
- On-Premises: Customer
- IaaS: Microsoft
- PaaS: Microsoft
- SaaS: Microsoft
Shared Security Responsibility with Azure. Who is responsible for what? Responsibility: Physical Datacenter: _____
- On-Premises: Customer
- IaaS: Microsoft
- PaaS: Microsoft
- SaaS: Microsoft
A Layered Approach to Security: _____ is a strategy that employs a series of mechanisms to slow the advance of an attack aimed at acquiring unauthorized access to information. Each layer provides protection so that if one layer is breached, a subsequent layer is already in place to prevent further exposure. Microsoft applies a layered approach to security, both in physical data centers and across Azure services. The objective of _____ is to protect and prevent information from being stolen by individuals who are not authorized to use it. _____ can be visualized as a set of concentric rings, with the data to be secured in the center. Each ring adds an additional layer of security around the data. This approach removes reliance on any single layer of protection and acts to slow down an attack and provide alert telemetry that can be acted upon, either automatically or manually
Defense in Depth
_____: the process of making data unreadable and unusable to unauthorized viewers. To use or read the _____ data, it must be decrypted, which requires the use of a secret key. There are two top-level types of _____
Encryption
_____: uses the same key to encrypt and decrypt the data. Consider a desktop password manager application. You enter your passwords and they are encrypted with your own personal key (your key is often derived from your master password). When the data needs to be retrieved, the same key is used, and the data is decrypted
Symmetric Encryption
_____: uses a public key and private key pair. Either key can encrypt but a single key can’t decrypt its own encrypted data. To decrypt, you need the paired key. _____ is used for things like Transport Layer Security (TLS) (used in HTTPS) and data signing
Asymmetric Encryption
_____: data at rest is the data that has been stored on a physical medium. This could be data stored on the disk of a server, data stored in a database, or data stored in a storage account. Regardless of the storage mechanism, encryption of data at rest ensures that the stored data is unreadable without the keys and secrets needed to decrypt it
Encryption at Rest
_____: data in transit is the data actively moving from one location to another, such as across the internet or through a private network. Secure transfer can be handled by several different layers. It could be done by encrypting the data at the application layer prior to sending it over a network. HTTPS is an example of application-layer encryption in transit. You can also set up a secure channel, like a virtual private network (VPN), at the network layer, to transmit data between two systems. Encrypting data in transit protects the data from outside observers and provides a mechanism to transmit data while limiting the risk of exposure
Encryption in Transit
Encrypt Raw Data: _____: for data at rest helps you protect your data to meet your organizational security and compliance commitments. With this feature, the Azure storage platform automatically encrypts your data before persisting it to Azure Managed Disks, Azure Blob Storage, Azure Files, or Azure Queue storage, and decrypts the data before retrieval. The handling of encryption, encryption at rest, decryption, and key management in Storage Service Encryption is transparent to applications using the services
Azure Storage Service Encryption
Encrypt Virtual Machine Disks: Storage Service Encryption provides low-level encryption protection for data written to physical disk, but how do you protect the VHDs of a VM? _____: is a capability that helps you encrypt your Windows and Linux IaaS VHDs. Azure Disk Encryption leverages the industry-standard BitLocker feature of Windows and the dm-crypt feature of Linux to provide volume encryption for the OS and data disks. The solution is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets
Azure Disk Encryption
Encrypt Databases: _____ helps protect Azure SQL Database and Azure Data Warehouse against the threat of malicious activity. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application. By default, _____ is enabled for all newly deployed Azure SQL Database instances. _____ encrypts the storage of an entire database by using a symmetric key called the database encryption key. By default, Azure provides a unique encryption key per logical SQL Server instance and handles all the details. Bring your own key (BYOK) is also supported with keys stored in Azure Key Vault
Transparent Data Encryption (TDE)
_____: a centralized cloud service for storing your application secrets. _____ helps you control your applications’ secrets by keeping them in a single, central location and by providing secure access, permissions control, and access logging capabilities. It is useful in a variety of scenarios:
- Secrets Management: you can use _____ to securely store and tightly control access to tokens, passwords, certificates, Application Programming Interface (API) keys, and other secrets
- Key Management: you can also use _____ as a key management solution. _____ makes it easier to create and control the encryption keys used to encrypt your data
- Certificate Management: _____ lets you provision, manage, and deploy your public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with Azure and internally connected resources more easily
- Store Secrets Backed by Hardware Security Modules (HSMs): the secrets and keys can be protected either by software or by FIPS 140-2 Level 2 validated HSMs
Azure Key Vault
_____: a monitoring service that provides threat protection across all your services both in Azure, and on-premises. _____ can:
- Provide security recommendations based on your configurations, resources, and networks
- Monitor security settings across on-premises and cloud workloads, and automatically apply required security to new services as they come online
- Continuously monitor all your services, and perform automatic security assessments to identify potential vulnerabilities before they can be exploited
- Use machine learning to detect and block malware from being installed on your virtual machines and services. You can also define a list of allowed applications to ensure that only the apps you validate are allowed to execute
- Analyze and identify potential inbound attacks, and help to investigate threats and any post-breach activity that might have occurred
- Provide just-in-time access control for ports, reducing your attack surface by ensuring the network only allows traffic that you require.
Available in two tiers:
- Free: available as part of your Azure subscription, this tier is limited to assessments and recommendations of Azure resources only
- Standard: this tier provides a full suite of security-related services including continuous monitoring, threat detection, just-in-time access control for ports, and more
Azure Security Center
_____: a cloud-based solution that helps organizations classify and optionally protect documents and emails by applying labels. Labels can be applied automatically based on rules and conditions, manually, or a combination of both where users are guided by recommendations. You can purchase _____ either as a standalone solution, or through one of the following Microsoft licensing suites: Enterprise + Mobility, or Microsoft 365 Enterprise
Azure Information Protection (AIP)
_____: a cloud-based security solution that identifies, detects, and helps you investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. _____ is capable of detecting known malicious attacks and techniques, security issues, and risks against your networks. _____ consists of several components:
- _____ Portal: through this portal you can monitor and respond to suspicious activity. You can also use the portal to monitor, manage, and investigate threats in your network environment
- _____ Sensor: installed directly on your domain controllers. The sensor monitors domain controller traffic without requiring a dedicated server or configuration port mirroring
- _____ Cloud Service: runs on Azure infrastructure and is currently deployed in the US, Europe, and Asia. _____ Cloud Service is connected to Microsoft’s intelligent security graph.
_____ is available as part of the Enterprise Mobility + Security 5 suite (EMS E5) and as a standalone license
Azure Advanced Threat Protection (ATP)
_____: a service in Azure that you use to define, assign, and manage standards for resources in your environment. It can prevent the creation of disallowed resources, ensure new resources have specific settings applied, and run evaluations of your existing resources to scan for non-compliance. _____ comes with many built-in policy and initiative definitions that you can use, under categories such as Storage, Networking, Compute, Security Center, and Monitoring
Azure Policy
_____: expresses what to evaluate and what action to take. For example, you could ensure all public websites are secured with HTTPS, prevent a particular storage type from being created, or force a specific version of SQL Server to be used. The _____ itself is represented as a JSON file. You can use one of the pre-defined definitions in the portal or create your own (either modifying an existing one or starting from scratch)
Policy Definition
Managing a few policies is easy, but once you have more than a few, you will want to organize them; that is where _____ come in. _____ work alongside policies in Azure Policy
Initiatives
_____: a set or group of policy definitions to help track your compliance state for a larger goal.
Initiative Definition
_____: an initiative definition assigned to a specific scope. _____ reduce the need to make several initiative definitions for each scope
Initiative Assignment
_____: gives you the control to define roles for people and grant them only the amount of access needed to do their jobs while using Azure services. Roles are sets of permissions, like “Read-Only” or “Contributor,” that users can be granted to access an Azure Service instance. Identities are mapped to roles directly or through group membership. Separating security principals, access permissions, and resources provides simple access management and fine-grained control. Administrators are able to ensure the minimum necessary permissions are granted. Roles can be granted at the individual service instance level, but they can also flow down the Azure Resource Manager hierarchy
Role-Based Access Control (RBAC)
_____: a setting that can be applied to any resource to block modification or deletion. _____ can be set to either delete or read-only
- Delete will allow all operations against the resources but block the ability to delete it.
- Read-Only will only allow read activities to be performed against the resource, blocking any modification or deletion of the resource.
_____ can be applied to Subscriptions, Resource Groups, and individual resources, and they are inherited when applied at higher levels.
Use _____ to protect those key pieces of Azure that could have a large impact if they were removed or modified
Resource Locks
_____: maximizes the availability and performance of your applications by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on
Azure Monitor
_____: a suite of experiences that provide personalized guidance and support when issues with Azure services affect you. It can notify you, help you understand the impact of issues, and keep you updated as the issue is resolved. _____ can also help you prepare for planned maintenance and changes that could affect the availability of your resources
Azure Service Health
_____ explains what personal data Microsoft processes, how Microsoft processes it, and for what purposes.
_____ applies to the interactions Microsoft has with you and Microsoft products such as Microsoft services, websites, apps, software, servers, and devices. It is intended to provide openness and honesty about how Microsoft deals with personal data in its products and services
Microsoft Privacy Statement
_____: a website resource containing information and details about how Microsoft implements and supports security, privacy, compliance, and transparency in all Microsoft cloud products and services. _____ is an important part of the Microsoft Trusted Cloud Initiative and provides support and resources for the legal and compliance community including:
- In-depth information about security, privacy, compliance offerings, policies, features, and practices across Microsoft cloud products
- Recommended resources in the form of a curated list of the most applicable and widely-used resources for each topic
- Information specific to key organizational roles, including business managers, tenant admins or data security teams, risk assessment and privacy officers, and legal compliance teams
- Cross-company document search, which is coming soon and will enable existing cloud service customers to search the Service Trust Portal
- Direct guidance and support for when you can’t find what you are looking for
Trust Center
_____: hosts the Compliance Manager service, and is the Microsoft public site for publishing audit reports and other compliance-related information relevant to Microsoft’s cloud services. _____ also includes information about how Microsoft online services can help your organization maintain and track compliance standards, laws, and regulations
Service Trust Portal (STP)
_____: International Organization for Standardization
ISO
_____: System and Organization Controls
SOC
_____: National Institute of Standards and Technology
NIST
_____: Federal Risk and Authorization Management Program
FedRAMP
_____: General Data Protection Regulation
GDPR
_____: a workflow-based risk assessment dashboard within the Trust Portal that enables you to track, assign, and verify your organization’s regulatory compliance activities related to Microsoft professional services and Microsoft cloud services such as Office 365, Dynamics 365, and Azure
_____ provides the following features:
- Combines the following three items:
  - Detailed information provided by Microsoft to auditors and regulators, as part of various third-party audits of Microsoft’s cloud services against various standards
  - Information that Microsoft compiles internally for its compliance with regulations (such as HIPAA and the EU GDPR)
  - An organization’s self-assessment of their own compliance with these standards and regulations
- Enables you to assign, track, and record compliance and assessment-related activities, which can help your organization cross team barriers to achieve your organization’s compliance goals
- Provides a Compliance Score to help you track your progress and prioritize auditing controls that will help reduce your organization’s exposure to risk
- Provides a secure repository in which to upload and manage evidence and other artifacts related to compliance activities
- Produces richly detailed reports in Microsoft Excel that document the compliance activities performed by Microsoft and your organization, which can be provided to auditors, regulators, and other compliance stakeholders
Compliance Manager
_____ delivers a dedicated cloud enabling government agencies and their partners to transform mission-critical workloads to the cloud. _____ handles data that is subject to certain government regulations and requirements, such as FedRAMP, NIST 800.171 (DIB), ITAR, IRS 1075, DoD L4, and CJIS. In order to provide the highest level of security and compliance, _____ uses physically isolated datacenters and networks (located in the U.S. only)
Azure Government Services
_____: a differentiated option from these with separate accounts and pricing. It delivers our industry-leading services from German datacenters, with data residency in Germany, and strict data access and control measures provided through a unique data trustee model governed under German law
Azure Germany Services