AZ-300/103/900. Security, responsibility and trust
Data Security
It's the responsibility of those storing and controlling access to data to ensure that it's properly secured. Often, there are regulatory requirements that dictate the controls and processes that must be in place to ensure the confidentiality, integrity, and availability of the data.
Network virtual appliances (NVAs)
Ideal options for non-HTTP services or advanced configurations; they are similar to hardware firewall appliances.
Azure ATP sensor
Installed directly on your domain controllers and monitors domain controller traffic without requiring a dedicated server or configuring port mirroring.
Microsoft Security Development Lifecycle (SDL)
Security and privacy considerations throughout all phases of the development process
Main concept in case of identity and access control
1. Authentication 2. Authorization
Azure ATP components
1. Azure ATP portal 2. Azure ATP sensor 3. Azure ATP cloud service
Azure Firewall Service choices
1. Azure Firewall 2. Web Application Firewall (WAF) 3. Network virtual appliances (NVAs)
Identity and Access Security
1. Control access to infrastructure and change control. 2. Use single sign-on and multi-factor authentication. 3. Audit events and changes. The identity & access layer is all about ensuring identities are secure, and that access granted is only what is needed, and changes are logged.
Azure Security Layers (defense in depth rings)
1. Data 2. Application 3. Compute 4. Network 5. Perimeter 6. Identity & Access 7. Physical Security
What is always customer responsibility to secure?
1. Data 2. Endpoints 3. Accounts 4. Access management
Two ways to encrypt your data
1. Encryption at rest 2. Encryption in transit
Application Security
1. Ensure applications are secure and free of vulnerabilities. 2. Store sensitive application secrets in a secure storage medium. 3. Make security a design requirement for all application development. Integrating security into the application development life cycle will help reduce the number of vulnerabilities introduced in code. Encourage all development teams to ensure their applications are secure by default. Make security requirements non-negotiable.
Azure Security Center Service tiers
1. Free. Available as part of your Azure subscription, this tier is limited to assessments and recommendations of Azure resources only. 2. Standard. This tier provides a full suite of security-related services including continuous monitoring, threat detection, just-in-time access control for ports, and more.
Networking Security
1. Limit communication between resources. 2. Deny by default. 3. Restrict inbound internet access and limit outbound, where appropriate. 4. Implement secure connectivity to on-premises networks. At this layer, the focus is on limiting the network connectivity across all your resources to only allow what is required.
Main parts of SDL
1. Provide training - security is everyone's job
2. Define security requirements
3. Define metrics and compliance reporting
4. Perform threat modeling
5. Establish design requirements
6. Define and use cryptography standards
7. Manage security risks from using third-party components
8. Use approved tools
9. Perform Static Analysis Security Testing
10. Perform Dynamic Analysis Security Testing
11. Perform penetration testing
12. Establish a standard incident response process
Compute Security
1. Secure access to virtual machines. 2. Implement endpoint protection and keep systems patched and current. Malware, unpatched systems, and improperly secured systems open your environment to attacks. The focus in this layer is on making sure your compute resources are secure, and that you have the proper controls in place to minimize security issues.
Azure AD methods of providing identities to services
1. Service Principals 2. Managed Identities
Azure Certificates Types
1. Service certificates are used for cloud services 2. Management certificates are used for authenticating with the management API
Top level types of Encryption
1. Symmetric Encryption 2. Asymmetric Encryption
Perimeter Security
1. Use distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for end-users. 2. Use perimeter firewalls to identify and alert on malicious attacks against your network. At the network perimeter, it's about protecting from network-based attacks against your resources. Identifying these attacks, eliminating their impact, and alerting on them is important to keep your network secure.
Azure Key Vault
A centralized cloud service for storing your application secrets. It helps you control your applications' secrets by keeping them in a single, central location and by providing secure access, permissions control, and access logging capabilities.
Azure Advanced Threat Protection (Azure ATP)
A cloud-based security solution that identifies, detects, and helps you investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. It is capable of detecting known malicious attacks and techniques, security issues, and risks against your network.
Azure Information Protection (AIP)
A cloud-based solution that helps organizations classify and optionally protect documents and emails by applying labels.
Web Application Firewall (WAF)
A firewall that operates at the application level, specifically designed to protect web applications by examining requests at the application stack level. It is a part of Azure Application Gateway.
Azure Firewall
A managed, cloud-based, network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
Azure Security Center
A monitoring service that provides threat protection across all of your services, both in Azure and on-premises. It is part of the Center for Internet Security (CIS) recommendations.
Firewall
A service that grants server access based on the originating IP address of each request.
Azure security is ...
A shared responsibility between Microsoft and the Azure customer.
Identity
A thing that can be authenticated. Obviously, this includes users with a user name and password, but it can also include applications or other servers, which might authenticate with secret keys or certificates.
Network Security Group (NSG)
Allows you to use multiple inbound and outbound security rules to filter network traffic to and from Azure resources in an Azure virtual network by source and destination IP address, port, and protocol. An NSG provides a list of allowed and denied communication to and from network interfaces and subnets and is fully customizable.
Azure ATP portal
Allows you to create your Azure ATP instance, and view the data received from Azure ATP sensors. You can also use the portal (https://portal.atp.azure.com) to monitor, manage, and investigate threats in your network environment. Your user accounts must be assigned to an Azure AD security group that has access to the Azure ATP portal to be able to sign in.
Role-Based Access Control (RBAC)
An access control model that bases the access control authorizations on the roles (or functions) that the user is assigned within an organization. Roles can be granted at the individual service instance level, but they also flow down the Azure Resource Manager hierarchy. Roles assigned at a higher scope, like an entire subscription, are inherited by child scopes, like service instances.
Azure AD Privileged Identity Management (PIM)
An additional, paid-for offering that provides oversight of role assignments, self-service, and just-in-time role activation and Azure AD and Azure resource access reviews. A comprehensive approach to infrastructure protection should consider including the ongoing auditing of role members as their organization changes and evolves.
Symmetric Encryption
An encryption method in which the same key is used to encode and to decode the message.
Asymmetric Encryption
An encryption method in which two keys are used: one of which is secret (or private) and one of which is public (freely known to others). Either key can encrypt, but a single key can't decrypt its own encrypted data; to decrypt, you need the paired key. This type of encryption is used for things like Transport Layer Security (TLS) (used in HTTPS) and data signing.
Principal
An identity acting with certain roles or claims. Example: use of 'sudo' on a Bash prompt in Linux or on Windows using "run as Administrator." In both those cases, you are still logged in as the same identity as before, but you've changed the role under which you are executing. Groups are often also considered principals because they can have rights assigned.
Service Principal
An identity that is used by a service or application. And like other identities, it can be assigned roles. It unifies the meaning of identity and principal.
Azure AD provides services such as:
Authentication. This includes verifying identity to access applications and resources, and providing functionality such as self-service password reset, multi-factor authentication (MFA), a custom banned password list, and smart lockout services.
Single Sign-On (SSO). SSO enables users to remember only one ID and one password to access multiple applications. A single identity is tied to a user, simplifying the security model. As users change roles or leave an organization, access modifications are tied to that identity, greatly reducing the effort needed to change or disable accounts.
Application management. You can manage your cloud and on-premises apps using Azure AD Application Proxy, SSO, the My apps portal (also referred to as Access panel), and SaaS apps.
Business-to-business (B2B) identity services. Manage your guest users and external partners while maintaining control over your own corporate data.
Business-to-customer (B2C) identity services. Customize and control how users sign up, sign in, and manage their profiles when using your apps with services.
Device management. Manage how your cloud or on-premises devices access your corporate data.
Azure provides services to manage both authentication and authorization through:
Azure Active Directory (Azure AD)
Azure DDoS Protection Service tiers
Basic - The Basic service tier is automatically enabled as part of the Azure platform. Always-on traffic monitoring and real-time mitigation of common network-level attacks provide the same defenses that Microsoft's online services use. Azure's global network is used to distribute and mitigate attack traffic across regions.
Standard - The Standard service tier provides additional mitigation capabilities that are tuned specifically to Microsoft Azure Virtual Network resources. DDoS Protection Standard is simple to enable and requires no application changes. Protection policies are tuned through dedicated traffic monitoring and machine learning algorithms. Policies are applied to public IP addresses associated with resources deployed in virtual networks, such as Azure Load Balancer and Application Gateway.
Azure Disk Encryption
Encrypts the Windows and Linux IaaS virtual hard disks (VHDs) of the VMs. It leverages the industry-standard BitLocker feature of Windows and the dm-crypt feature of Linux to provide volume encryption for the OS and data disks. The solution is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets (and you can use managed service identities for accessing Key Vault).
Transparent Data Encryption (TDE)
Encrypts contents of individual databases for Azure SQL and Azure Data Warehouse. Encrypts the storage of an entire database (data at rest) by using a symmetric key called the database encryption key. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application. By default, TDE is enabled for all newly deployed Azure SQL Database instances.
Azure ExpressRoute
Extends your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider. It improves the security of your on-premises communication by sending this traffic over the private circuit instead of over the public internet.
Physical Security
Physical building security and controlling access to computing hardware within the data center is the first line of defense. With physical security, the intent is to provide physical safeguards against access to assets. This ensures that other layers can't be bypassed, and loss or theft is handled appropriately.
Encryption
Process of converting readable data into unreadable characters to prevent unauthorized access.
Encryption of data in transit
Protects the data from outside observers and provides a mechanism to transmit data while limiting risk of exposure.
Azure DDoS Protection Service
Protects your Azure applications by monitoring traffic at the Azure network edge before it can impact your service's availability. Within a few minutes of attack detection, you are notified using Azure Monitor metrics.
Encryption of data at rest
Refers to data that is stored on digital media while it is not being transferred between devices. The stored data is unreadable without the keys and secrets needed to decrypt it. If an attacker were to obtain a hard drive with encrypted data and did not have access to the encryption keys, the attacker could not compromise the data without great difficulty.
Azure ATP cloud service
Runs on Azure infrastructure and is currently deployed in the United States, Europe, and Asia. It is connected to Microsoft's intelligent security graph.
Azure Storage Service Encryption
The Azure storage platform automatically encrypts your data before persisting it to Azure Managed Disks, Azure Blob storage, Azure Files, or Azure Queue storage, and decrypts the data before retrieval. The handling of encryption, encryption at rest, decryption, and key management in Storage Service Encryption is transparent to applications using the services.
Azure DDoS Standard tier protection can mitigate the following types of attacks:
Volumetric attacks. The attackers' goal is to flood the network layer with a substantial amount of seemingly legitimate traffic.
Protocol attacks. These attacks render a target inaccessible by exploiting a weakness in the layer 3 and layer 4 protocol stack.
Resource (application) layer attacks. These attacks target web application packets to disrupt the transmission of data between hosts.
Transport Layer Security (TLS)
The basis for encryption of website data in transit. Uses certificates to encrypt and decrypt data. A common security problem with websites is having expired TLS certificates that open security vulnerabilities.
Authentication (AuthN)
The process of establishing the identity of a person or service looking to access a resource. It involves the act of challenging a party for legitimate credentials and provides the basis for creating a security principal for identity and access control use. It establishes if they are who they say they are.
Authorization (AuthZ)
The process of establishing what level of access an authenticated person or service has. It specifies what data they're allowed to access and what they can do with it.
Security Policy
The set of controls that are recommended for resources within a specified subscription or resource group.
Managed Identities for Azure Services
When you create a managed identity for a service, you are creating an account on your organization's Active Directory (a specific organization's Active Directory instance is known as an "Active Directory Tenant"). The Azure infrastructure will automatically take care of authenticating the service and managing the account. You can then use that account like any other Azure AD account, including securely letting the authenticated service access other Azure resources.