Understand Security, Privacy, Compliance, and Trust Flashcards
_____: if we start on the perimeter of the network, we’re focused on limiting and eliminating attacks from the internet. Azure Security Center is a great place to look for information because it will identify internet-facing resources that do not have network security groups associated with them, as well as resources that are not secured behind a firewall
Internet Protection
_____: a service that grants server access based on the originating IP address of each request. You create _____ rules that specify ranges of IP addresses. Only clients from these granted IP addresses will be allowed to access the server
Firewall
_____: a managed, cloud-based, network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. _____ provides inbound protection for non-HTTP/S protocols such as Remote Desktop Protocol (RDP), Secure Shell (SSH), and File Transfer Protocol (FTP). It also provides outbound network-level protections for all ports and protocols, and application-level protection for outbound HTTP/S
Azure Firewall
_____: a load balancer that includes a Web Application Firewall (WAF) that provides protection from common, known vulnerabilities in websites. It is specifically designed to protect HTTP traffic
Azure Application Gateway
_____: ideal options for non-HTTP services or advanced configurations, and are similar to hardware firewall appliances
Network Virtual Appliances (NVAs)
_____: Any resource exposed on the internet is at risk of being attacked by a denial of service attack. These types of attacks attempt to overwhelm a network resource by sending so many requests that the resource becomes slow or unresponsive. When you combine _____ with application design best practices, you help provide defense against DDoS attacks. _____ leverages the scale and elasticity of Microsoft’s global network to bring DDoS mitigation capacity to every Azure region. The _____ service protects your Azure applications by scrubbing traffic at the Azure network edge before it can impact your service’s availability. Within a few minutes of attack detection, you are notified using Azure Monitor metrics
Azure DDoS Protection
Azure DDoS Protection Tier: _____: automatically enabled as part of the Azure platform. Always-on traffic monitoring and real-time mitigation of common network-level attacks provide the same defenses that Microsoft’s online services use. Azure’s global network is used to distribute and mitigate attack traffic across regions
Basic
Azure DDoS Protection Tier: _____: provides additional mitigation capabilities that are tuned specifically to Microsoft Azure Virtual Network resources. DDoS Protection Standard is simple to enable and requires no application changes. Protection policies are tuned through dedicated traffic monitoring and machine learning algorithms. Policies are added to public IP addresses that are associated with resources deployed in virtual networks, such as Azure Load Balancer and Azure Application Gateway. DDoS _____ protection can mitigate the following types of attacks:
- Volumetric Attacks: the attacker’s goal is to flood the network layer with a substantial amount of seemingly legitimate traffic
- Protocol Attacks: these attacks render a target inaccessible by exploiting a weakness in the layer 3 and layer 4 protocol stack
- Resource (Application) Layer Attacks: these attacks target web application packets to disrupt the transmission of data between hosts
Standard
_____: for communication between virtual machines, Network Security Groups (NSGs) are a critical piece to restrict unnecessary communication
Virtual Network Security
_____: it is common to have existing network infrastructure that needs to be integrated to provide communication from on-premises networks or to provide improved communication between services in Azure
Network Integration
_____: connections are a common way of establishing secure communication channels between networks. A connection between an Azure Virtual Network and an on-premises _____ device is a great way to provide secure communication between your network and your VNet on Azure
Virtual Private Network (VPN)
_____: to provide a dedicated, private connection between your network and Azure, you can use Azure _____. _____ lets you extend your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider. With _____, you can establish connections to Microsoft cloud services, such as Microsoft Azure, Office 365, and Dynamics 365. This improves the security of your on-premises communication by sending this traffic over the private circuit instead of over the internet. You do not need to allow access to these services for your end users over the internet, and you can send this traffic through appliances for further traffic inspection
ExpressRoute
_____: allow you to filter network traffic to and from Azure resources in an Azure virtual network. An _____ can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol. They provide a list of allowed and denied communication to and from network interfaces and subnets and are fully customizable
Network Security Groups (NSGs)
_____: is the process of establishing the identity of a person or service looking to access a resource. It involves the act of challenging a party for legitimate credentials and provides the basis for creating a security principal for identity and access control use. It establishes if they are who they say they are. This includes verifying identity to access applications and resources, and providing functionality such as self-service password reset, multi-factor authentication (MFA), a custom banned password list, and smart lockout services
Authentication
_____: is the process of establishing what level of access an authenticated person or service has. It specifies what data they are allowed to access and what they can do with it
Authorization
- Access to your Azure subscriptions is performed using _____. _____ is a modern cloud-based identity service/identity provider that supports multiple authentication protocols to secure applications and services in the cloud
- _____ is not the same as Windows Active Directory. Windows Active Directory is focused on securing Windows desktops and servers. In contrast, _____ is all about web-based authentication standards such as OpenID and OAuth
- When you sign up for a Microsoft cloud service such as Microsoft Azure, Microsoft Intune, or Office 365, a dedicated instance of _____ is automatically created for your organization
- Users, applications, and other entities registered in _____ are not all lumped into a single global service. Instead, _____ is partitioned into separate tenants
- When it comes to _____ tenants, there is no concrete definition of “organization.” Tenants can be owned by individuals, teams, companies, or any other group of people
- The email address you use to sign into Azure can be associated with more than one tenant. You can switch between tenants in the Switch Directory section
- _____ tenants and subscriptions have a many-to-one trust relationship. A tenant can be associated with multiple Azure subscriptions, but every subscription is associated with only one tenant
- Each tenant has an Account Owner; this is the original Azure account that is responsible for billing. You can add additional users to the tenant, and even invite guests from other _____ tenants to access resources in subscriptions
Azure Active Directory
_____: a dedicated, isolated instance of the Azure Active Directory service, owned and managed by an organization
Tenant
_____: enables users to remember only one ID and one password to access multiple applications. A single identity is tied to a user, simplifying the security model. As users change roles or leave an organization, access modifications are tied to that identity, greatly reducing the effort needed to change or disable accounts
Single Sign-On
_____: you can manage your cloud and on-premises apps using Azure AD Application Proxy, SSO, the My Apps portal (also referred to as Access Panel), and SaaS apps
Application Management
_____: manage your guest users and external partners while maintaining control over your own corporate data. By contrast, Business-to-Customer (B2C) identity services customize and control how users sign up, sign in, and manage their profiles when using your apps and services
Business-to-Business (B2B) Identity Services
_____: manage how your cloud or on-premises devices access your corporate data
Device Management
_____: provides additional security for your identities by requiring two or more elements for full authentication. These elements fall into three categories:
- Something You Know: would be a password or the answer to a security question
- Something You Possess: could be a mobile app that receives a notification or a token-generating device
- Something You Are: typically some sort of biometric property, such as a fingerprint or face scan used on many mobile devices
Multi-Factor Authentication
_____: just a thing that can be authenticated. Obviously, this includes users with a user name and password, but it can also include applications or other servers, which might authenticate with secret keys or certificates. As a bonus definition, an account is data associated with an _____
Identity
_____: an identity acting within certain roles or claims. Usually, it is not useful to consider identity and _____ separately, but think of using sudo on a Bash prompt in Linux or on Windows using “run as Administrator.” In both those cases, you are still logged in as the same identity as before, but you’ve changed the role under which you are executing. Groups are often also considered _____ because they can have rights assigned
Principal
_____: an identity that is used by a service or application. And like other identities, it can be assigned roles
Service Principal
_____: the creation of service principals can be a tedious process, and there are a lot of touch points that can make maintaining them difficult. _____ are much easier and will do most of the work for you. A managed identity can be instantly created for any Azure service that supports it - and the list is constantly growing. When you create a _____, you are creating an account on the Azure AD tenant. The Azure infrastructure will automatically take care of authenticating the service and managing the account. You can then use that account like any other Azure AD account, including securely letting the authenticated service access other Azure resources
Managed Identities for Azure Services
Shared Security Responsibility with Azure. Who is responsible for what? Responsibility: Data Governance & Rights Management: _____
- On-Premises: Customer
- IaaS: Customer
- PaaS: Customer
- SaaS: Customer