SC-900: Microsoft Security, Compliance, and Identity Fundamentals
Sensitivity label uses
* Encrypt email and/or documents
* Mark content via watermark, header, footer, etc.
* Label automatically
* Protect content in containers via sites or groups
* Extend sensitivity labels to third-party apps and services
* Classify content without using any protection settings, just for awareness
Microsoft's six key privacy principles
1) Control - put the customer in control of their data
2) Transparency
3) Security
4) Strong legal protections - respect local privacy law and advocate for privacy as a human right
5) No content-based targeting - not using email, chat, files, or other personal content to target advertising
6) Benefits to you - if data is collected about the customer, it benefits the customer (i.e. makes their experience better)
Microsoft 365 Defender suite protects..
1) Endpoints with Microsoft Defender for Endpoint
2) Email and collaboration with Microsoft Defender for Office 365
3) Identities with Microsoft Defender for Identity and Azure AD Identity Protection
4) Cloud applications with Microsoft Cloud App Security
Authentication methods
1) Password hash synchronization 2) Pass-through authentication (PTA) 3) Federated authentication
Insider risk management principles
1) Transparency - balance user privacy vs. org risk with a privacy-by-design architecture
2) Configurable - policies configurable based on industry, geography, and business group
3) Integrated - integrated workflow across M365 compliance solutions
4) Actionable - insights to enable user notifications and data/user investigations
Configurations for Windows Hello
1) Windows Hello convenience PIN - configured by a user; no asymmetric or cert-based authentication
2) Windows Hello for Business - configured by Group Policy or MDM (mobile device management) policy such as Microsoft Intune; backed by key-based or cert-based authentication, so safer than a convenience PIN
Zero trust guiding principles
1. Verify explicitly - authenticate/authorize based on all data points (e.g. identity, location, device, service, data classification, anomalies, etc.)
2. Least privileged access - limit with JIT/JEA, risk-based adaptive policies, and data protection
3. Assume breach - segment networks, users, devices, and apps; encrypt data; use analytics to improve security
Microsoft Cloud App Security (MCAS)
A Cloud Access Security Broker (CASB): a cross-SaaS solution that acts as an intermediary between a cloud user and the cloud provider, including control over data travel (e.g. can't download Red data). Helps discover/control use of Shadow IT (cloud apps being used). Office 365 Cloud App Security is a subset of MCAS.
Microsoft Intune
A mobile device management (MDM) solution to manage devices
Azure Sentinel
A scalable, cloud-native SIEM/SOAR single solution for alert detection, threat visibility, proactive hunting, and threat response. Spans all users, devices, apps, and infrastructure (on-prem and in the cloud). Leverages artificial intelligence.
Microsoft 365 Compliance Center
Available to customers with an M365 SKU, with the roles GA, Compliance Admin, or Compliance Data Admin. Gives an overview of how the company is meeting compliance requirements; maps regulatory controls against recommended improvement actions in prioritized order. Includes:
* Compliance Manager and a Compliance Score
* Solution catalog - compliance solutions & actions
* Active alerts
Azure Defender plan options
Azure Defender for:
* Servers - Windows and Linux machines
* App Services
* Azure Storage containers
* SQL
* Kubernetes
* Container registries (Azure Resource Manager based registries)
* Key Vault
Azure Logic Apps
Can be used to automate and orchestrate tasks. Integrated with Azure Sentinel in the SOC to automate workflows and playbooks in response to security events.
Azure Monitor Workbooks
Canvas for data analysis, with built-in and custom reports, integrated with Azure Sentinel and drawing on several data sources
Azure Key Vault
Centralized cloud service for storing app secrets, including:
1) Secrets management (tokens, passwords, API keys, etc.)
2) Key management (private encryption keys)
3) Certificate management (provision/manage public and private SSL/TLS certs)
4) Secrets backed by HSMs (Hardware Security Modules)
CASB
Cloud Access Security Broker - gatekeeper that brokers real-time access between users and the cloud resources they use, on any device in any location. Provides:
1) Visibility into all cloud services (helps identify Shadow IT)
2) Data security - data classified as Red
3) Threat protection
4) Compliance for cloud apps - meet regulatory standards (e.g. HIPAA)
MCAS tools/architecture
* Cloud Discovery - map and identify the cloud environment
* Sanctioning/unsanctioning apps in the Cloud App Catalog
* App connectors using provider APIs
* Conditional Access App Control protection
* Continuous control via policies to control/detect risky user behavior
Microsoft Defender for Identity
Cloud-based security tool that uses ON-PREM AD data/signals to identify, detect, and investigate threats from compromised identities and malicious insider actions. Monitors user profiles and behaviors to identify suspicious accounts. FKA Azure ATP (Advanced Threat Protection).
Microsoft Intune
Cloud-based service that focuses on MDM (mobile device management) and MAM (mobile application management) to control how an org's devices (phones, tablets, laptops) are used. Allows people to use personal devices and ensures company data stays protected and isolated from personal data. Devices are controlled via security baselines, compliance policies, and Conditional Access. Integrates with Microsoft Defender for Endpoint as a Mobile Threat Defense solution for Android, iOS/iPadOS, and Windows 10 or later.
Azure Sentinel Security Operation Areas
Collect, Detect, Investigate, Respond
Data Loss Prevention Policies
Consist of:
* Conditions - content must match before a rule is enforced
* Actions - what the admin wants to happen if the conditions are met
* Locations - where the policy will be applied (e.g. Exchange, SharePoint, OneDrive, MSFT Teams, etc.)
Policies are applied/enforced in prioritized order
Security token
Cryptographically signed document issued to an identity after authenticating with the IdP. Used as proof of identity with servers. Contains 'claims' associated with the identity.
B2C Access Management
Customer Identity and Access Management (CIAM) solution that allows users to sign in with their preferred social, enterprise, or local account identities to get SSO to your apps. Managed in the Azure AD B2C directory, separately from the organization's employee and partner directory. SSO to customer-owned apps within the B2C tenant is supported.
On-prem datacenter
Customer responsible for EVERYTHING from physical security to encrypting sensitive data
Azure Sentinel costs
Data for security analytics is stored in an Azure Monitor Log Analytics workspace. Billing is based on the volume of data ingested and stored, in two models:
1) Capacity reservations - fixed fee based on the selected tier
2) Pay-As-You-Go - billed per GB for the volume of data ingested and stored
EDRM
Electronic Discovery Reference Model
Microsoft 365 Defender
Enterprise defense suite that protects against sophisticated cyberattacks. Covers threat detection through response across all service domains, including applications, email, endpoints, identities, and data. NOT domain-specific: threat detection and response across all domains. Default workflows and custom workflows are available.
Microsoft Defender for Office 365 Plan 2
Everything in Plan 1, plus:
* Threat Trackers - latest intelligence on cybersecurity issues; allows the org to take action BEFORE a threat
* Threat Explorer - real-time report that allows you to identify and analyze recent threats
* AIR (Automated Investigation and Response) - set of security playbooks and recommended actions
* Attack Simulator - run realistic attack scenarios in your org
XDR
Extended Detection and Response - system that delivers intelligent, automated, and integrated security across an org's domains. Prevents, detects, and responds to threats across identities, endpoints, applications, email, IoT, infrastructure, and cloud platforms. Provided via Microsoft 365 Defender and Azure Defender, integrated with Azure Sentinel.
FERPA
Family Educational Rights and Privacy Act - rules to protect student information
HIPAA
Health Insurance Portability and Accountability Act - rules on how health-related info should be protected
Microsoft Defender for Endpoint
Helps protect endpoints via technology embedded into Windows 10 and MSFT cloud services, including endpoint behavioral sensors from the OS. Uses AI. FKA Microsoft Defender ATP (Advanced Threat Protection).
Communication compliance
Helps minimize communication risks by enabling orgs to detect, capture, and take remediation actions on inappropriate messages. Scans internal and external communications for policy matches to be reviewed. Uses this workflow:
1) Configure - identify compliance requirements and configure applicable comms policies
2) Investigate - admins look deeper into issues detected when a communication matches a policy
3) Remediate - options include an alert, tagging a message, notifying a user, escalating to another reviewer, marking as a false positive, removing a message in Teams, and escalating for investigation
4) Monitor - keep track of and manage compliance issues identified by comms compliance policies through the entire workflow process
Cloud-only model
Identities are created and wholly managed in Azure AD. Both cloud-only and hybrid identities can access both cloud and on-prem resources.
Azure Active Directory Premium P1
Includes all features in Free + O365 features + advanced admin (including dynamic groups), self-service group management, Microsoft Identity Manager (on-prem IAM suite), and cloud write-back capabilities (allow self-service password reset for on-prem users)
Microsoft 365 Defender Endpoint reports
Includes:
* Threat protection report - high-level info about threat trends and alerts generated in your org
* Device health and compliance report
* Vulnerable devices report - includes their exposure to vulnerabilities, severity, etc.
Rootkits
Intercept and change standard OS processes. A rootkit can then report that the device is healthy and not infected, so the device's own reporting can't be trusted.
Content search actions
MSFT created several Security and Compliance Center PowerShell scripts to complete content search-related tasks, including:
* Search a specific mailbox or site
* Search for a list of users
* Manage multiple searches
* Clone a search
Microsoft's XDR tools
Microsoft 365 Defender & Azure Defender; both integrate with Azure Sentinel
MAM
Mobile Application Management - gives admins the ability to protect corporate data at the app level (let users use their personal devices, but protect the org's data). Supports BYOD.
Azure Security Center
Network security monitoring service that provides infrastructure-level security management to strengthen your security posture. Includes:
* Continuous assessment of environments and prioritized recommendations for hardening tasks
* Network maps - look at the topology of workloads to ensure nodes are properly configured and see how they are connected, to block unwanted/unnecessary connections
* Threat protection - detect and prevent threats on IaaS, non-Azure servers, & PaaS; integrates with MSFT Defender for Endpoint
Azure Defender Off mode is free; Defender On costs
Microsoft Intune security baselines
ONLY for Windows devices and MSFT applications
Microsoft Defender for Office 365 Plan 1
Offers configuration, protection, and detection tools for your Office 365 suite, including:
* Safe Attachments (checks for malicious content)
* Safe Links (links scanned for malicious sites)
* Safe Attachments for SharePoint, OneDrive, and MSFT Teams
* Anti-phishing protection
* Real-time detection of threats
Crucial events
Part of Advanced Audit. Includes:
* MailItemsAccessed - when mail was accessed
* Send - when a user sends/replies to/forwards an email (does not include content, just header/metadata)
* SearchQueryInitiatedExchange - when a user searches for something in the search bar in Outlook on the web (OWA) to search for items in a mailbox
* SearchQueryInitiatedSharePoint - when a person searches for something on the SharePoint home site for your org
Compliance Manager
Part of the Service Trust Portal; measures your progress in completing actions to reduce risk around data protection and regulatory standards
Identity Protection reports
Risky users, Risky sign-ins, Risk detections
Microsoft Intune: RBAC
Role-based Access Control - assign roles to Intune users to limit what they can see/edit/download
Microsoft Defender for Office 365
Safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools including MSFT Teams, SharePoint Online, OneDrive for Business, and other Office clients. FKA Office 365 ATP (Advanced Threat Protection). Available in two plans: Microsoft Defender for Office 365 Plan 1 and Plan 2. Included in certain subscriptions or available as a standalone add-on.
Azure Secure Score
Score given by Azure Security Center based on an aggregate assessment of resources, subscriptions, and the org for security issues. The higher the score, the lower the risk (e.g. 90% secure is very secure). Improve your score by following the provided security recommendations, via manual changes or by using the Quick Fix! option.
SIEM
Security Information and Event Management - tool used to collect data from across the whole estate, including infrastructure, software, and resources. Performs analysis, looks for correlations/anomalies, and generates alerts and incidents.
SOAR
Security Orchestration Automated Response - takes alerts from many sources, including SIEMs, and then triggers action-driven automated workflows and processes to run security tasks to mitigate the risk
PTA (Pass-through authentication)
Simple password validation for Azure AD authentication services, using a software agent that runs on on-premises servers. The server validates users directly against on-prem AD, so validation doesn't happen in the cloud.
SSO
Single Sign-On - user logs in once and that credential is used across multiple apps/resources
The security admin wants to protect Azure resources from DDoS attacks, which Azure DDoS Protection tier will the admin use to target Azure Virtual Network resources?
Standard (not Basic) - The Standard service tier provides additional mitigation capabilities that are tuned specifically to Microsoft Azure Virtual Network resources
Office 365 Cloud App Security
Subset of MCAS that provides enhanced visibility and control for Office 365
An organization needs to continuously monitor the security status of its network. What Security Center tool would they use?
The network map provides a map of the topology of your network workloads, which lets you block unwanted connections.
Cloud Security Posture Management (CSPM)
Tools designed to improve your cloud security management and disrupt attackers' ROI. Assesses systems and automatically alerts security staff in your IT department when a vulnerability is found. Tools include:
1) Zero Trust-based access control
2) Real-time risk scoring
3) Threat and Vulnerability Management (TVM)
4) Discover sharing risks - data exposure of company IP
5) Technical policy - apply technical controls to audit/enforce policies
6) Threat modeling systems and architecture
Resource locks
Used to prevent critical resources from being accidentally deleted or changed. Options: CanNotDelete (can still modify) or ReadOnly (cannot modify). Resources can have both locks at once.
Types of Azure AD Identities
User, Service Principal, Managed Identity, Devices
User risk vs sign-in risk
User risk - probability that a given identity or account is compromised (i.e. leaked credentials on the web)
Sign-in risk - probability that a given authentication request isn't authorized by the identity owner (i.e. likelihood the sign-in was not performed by the user, based on location)
User administrator
Users with this role can create and manage all aspects of users and groups. Also have the ability to manage support tickets and monitor service health.
Global admin (GA)
Users with this role have access to all admin features in Azure AD
Billing administrator
Users with this role make purchases, manage subscriptions & support tickets, and monitor service health
Trainable classifiers
Uses AI and machine learning to classify data based on what the item/document is (e.g. contract, invoice, customer records, etc.), not elements in the item (e.g. pattern matching an SSN). Once trained/ready, can sort through items in locations like SharePoint Online, Exchange, and OneDrive and classify the content. Two types:
1) Pre-trained classifiers - provided by MSFT and ready to go with no training (e.g. resumes, source code, harassment, profanity, and threat)
2) Custom trainable classifiers - classify data unique to an org, like contracts and customer records; provide many samples to "train"
Asymmetric encryption
Uses a public key and private key pair. Examples: TLS (Transport Layer Security) for the HTTPS protocol, and data signing.
Hashing
Uses an algorithm to convert original text into a unique fixed-length hash value. Used to store passwords. Best practice: salt passwords.
Password write-back
When a password is changed via SSPR, it is written back to on-prem AD in real time
Azure AD Connect
When updates to user accounts, groups, and contacts are made in your on-prem DS, all are synchronized to Azure AD via Azure AD Connect
An organization uses different types of devices, including Windows, iOS, and Android devices. Admins for that organization have created a security baseline profile in Intune that they want to apply across the devices. To which devices can the security baseline profile be applied?
Windows devices NOT Android or iOS devices
Core eDiscovery workflow
a basic tool that orgs can use to search and export content in M365. Starts from the M365 Compliance Center.
1) Create a case and add members to it
2) Create an eDiscovery hold - may take up to 24 hours to take effect; infinite or a specified date range
3) Search for content via queries
4) Export content - to a results.csv file
5) Close, reopen, and delete a Core eDiscovery case - 30-day grace period when holds are turned off
Azure Defender
a built-in threat protection tool in Azure Security Center that protects workloads running in Azure, on-prem, hybrid, and other clouds. Uses policies, including those built in by default, custom policies, and regulatory standards such as NIST and Azure CIS, and the Azure Security Benchmark.
Content explorer
a tab in the data classification pane of the MSFT Compliance Center to gain visibility into content that has been scanned. Access is strictly limited to two roles:
1) Content explorer list viewer
2) Content explorer content viewer
Endpoint Security Manager
admin role in Microsoft Intune that grants access to the Microsoft Endpoint Manager admin center
Privileged ACCESS management (PAM)
allows granular access control over privileged admin TASKS in M365. Differs from PIM because it is scoped at the TASK level, with the ability to execute multiple tasks; PIM is at the AD roles and role group level.
unified audit log
allows orgs to view user and admin activity in one place across several services (MSFT 365 services, Dynamics 365, MSFT Power Apps, MSFT Power Automate, PowerBI, AAD, etc.)
zero standing access
any user who needs privileged access must request permissions for access and will only receive the level they need when they need it (JEA/JIT)
Advanced eDiscovery workflow
builds on the Core eDiscovery solution; aligns with the EDRM (Electronic Discovery Reference Model)
1. Add custodians to a case - someone who has admin control of a document or file
2. Search custodial data sources for data relevant to the case - search custodian locations
3. Add data to a review set - add search results to a review set; data is copied, indexed, & moved to a secure location in Azure Storage
4. Review and analyze data in a review set
5. Export and download case data - copy to a different Azure Storage location
Microsoft 365 Defender incidents queue
central location to prioritize cross-domain attacks, grouping alerts into single incidents with a severity. Shows the number of alerts, type, impact, and how the incident maps to the MITRE ATT&CK framework.
Web App Firewall (WAF)
centralized protection of web apps from common exploits. Can be deployed via Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN) services from MSFT.
Shared controls
controls both your organization and Microsoft share responsibility for implementing
audit log record retention
dependent on the O365 or M365 Enterprise subscription and the type of license assigned to specific users. With the core audit capability, an audit record is kept for 90 days. It can take 30 min-24 hours after an event occurs for the audit log record to be returned in a search.
Azure Policy
designed to help enforce standards and assess compliance across the org via an aggregate view of all resources. Can remediate in bulk if an issue is identified. Evaluates whether properties of resources match policy definitions (outlined in JSON format).
Microsoft Information Protection (MIP)
discovers, classifies, and protects sensitive and business-critical content/data throughout its lifecycle. Manages your content lifecycle using solutions to import, store, and classify business-critical data so you can keep what you need and delete what you don't, for on-prem, cloud, and hybrid environments.
eDiscovery tools
eDiscovery tools can be used to search for content in Exchange Online mailboxes, Microsoft 365 Groups, MSFT Teams, SharePoint Online, OneDrive for Business conversations, and Yammer teams. Search via the Content search tool. Used if the company is involved in litigation.
Content Search eDiscovery tool
enables search for in-place items such as email, documents, and IM conversations. Must be a member of the eDiscovery Manager role group. Accessible via the Compliance Center in O365 or M365.
Compliance Manager
end-to-end solution in the M365 Compliance Center that helps admins manage the org's compliance requirements more easily. Includes prebuilt assessments and customizable templates with common industry and location regulations/standards.
Customer Lockbox
ensures MSFT can't access an org's content, even to resolve a case requiring assistance from MSFT, without explicit customer approval
Sensitive information types
figures with set patterns that can be used to identify them (e.g. SSN = XXX-XX-XXXX) and that can be identified by the MSFT Compliance Center. Custom patterns can also be set for org-specific requirements. Examples include: credit card numbers, passport or ID numbers, bank account numbers, health service numbers.
Advanced Audit
helps orgs conduct forensic and compliance investigations by increasing the audit log retention required to complete an investigation. Requires one of the following:
* M365 E5 or E3 license
* O365 E3 license with MSFT E5 Compliance
* M365 E5 eDiscovery and Audit add-on license
Includes crucial events. Retains all Exchange, SharePoint, and AAD audit records for one year; the max available is 10 years with an additional license.
Microsoft 365 Defender portal
helps security admins and SOC teams manage and protect their org by showing the common security cards in the navigation panel, with the ability to customize by individual. A specialized workspace designed to meet the needs of security teams; provides actionable insights to help reduce risks and safeguard your digital estate. Includes a Microsoft Secure Score (broader than Azure Secure Score). Combines MCAS, Defender for O365/Identity/Endpoint, and AAD.
Azure Disk Encryption
helps you encrypt Windows and Linux IaaS virtual machine disks via BitLocker
Endpoint data loss prevention
how the protection/monitoring capabilities of DLP for sensitive content can be extended to Windows 10 devices. Can also be extended to MSFT Teams chats and channels. Admins can audit and manage activities that users complete on sensitive content, including:
* Creating an item
* Renaming an item
* Copying items to removable media
* Copying items to network shares
* Printing documents
* Accessing items using unallowed apps and browsers
Label policies
how sensitivity labels are applied to users or groups. Admins can:
* Choose who can see the labels
* Apply a default label
* Require justification for a label change
* Make labeling mandatory (require users to apply a label)
* Link users to help pages describing the meaning of labels
Cloud App Security portal
lets you see the security posture of your cloud-based apps
Solution catalog (compliance)
links to collections of integrated compliance solutions across 3 areas:
1) Information protection & governance
2) Insider risk management - identify & act before an incident
3) Discover & respond - find and respond to compliance issues
Records management
management solution to manage regulatory, legal, and business-critical records across corporate data. When content is labeled as a record, the following happens:
1) Restrictions are put on it to block certain activities (e.g. deletion)
2) Activities are logged
3) Proof of disposition is kept at the end of the retention period (proof of deletion?)
Rules for 'records':
1) A regulatory label can't be removed when content is marked as a regulatory record, not even by a GA (irreversible)
2) Retention periods cannot be made shorter after the label has been applied
Microsoft Secure Score
measure of the organization's security posture across your apps, devices, and identities. Higher score = better protection. Provides benchmarks and KPIs, and recommendations/actions to improve the score for M365, AAD, Microsoft Defender for Identity/Endpoint, and MCAS.
Compliance Score & types
measures the progress in completing recommended improvement actions within controls related to compliance. Improvement action types:
1) Your improvement actions (responsibility of the org/company)
2) Microsoft actions (responsibility of Microsoft to manage)
Or:
1) Mandatory - should/can NOT be bypassed (e.g. password requirement)
2) Discretionary - depends on user adherence (e.g. lock laptop when leaving it)
Subcategories: Preventative, Detective, Corrective
Sensitivity labels
orgs decide on the sensitivity labels applied to content such as emails and documents. Each item can only have one sensitivity label on it at a time. They are:
* Customizable (e.g. Red, Orange, Yellow, Green)
* Clear text - stored in clear text so TPO can read and apply their own protection actions
* Persistent - becomes part of the metadata for that content and moves with it
Advanced eDiscovery
part of M365 and provides the ability for: Content Search, Core eDiscovery, Advanced eDiscovery
Transparent Data Encryption (TDE)
protects Azure SQL Database and Azure Data warehouse
Azure Storage Service Encryption
protects data at rest by automatically encrypting BEFORE persisting it to Azure Storage; decrypts before retrieval
Azure Blueprints
provides a way to define a repeatable set of Azure resources; can be replicated to multiple Azure regions. Enables dev teams to rapidly provision and run new environments that are known to be in compliance with the org's requirements. Examples include:
* Role Assignments
* Policy Assignments
* Azure Resource Manager (ARM) templates
* Resource Groups
Service Trust Portal
provides info, tools, and other resources about Microsoft security, privacy, and compliance practices. Includes:
* Compliance Manager - measures the company's progress
* Trust Documents - links to docs
* Industries & Regions - compliance info in different areas
* Trust Center - security, compliance, and privacy in the Microsoft Cloud
Azure Resource Manager (ARM)
provides a management layer that enables admins to create, update, and delete resources in an Azure account. Admins can use RESOURCE LOCKS to secure resources after deployment.
Azure Security Benchmark (ASB)
provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure. Spans network security, IAM, data protection/recovery, incident response, and more.
Activity explorer
provides visibility into what content has been discovered and LABELED/CLASSIFIED and where it is; includes label downgrades (e.g. Red --> Green data classification). Admins have 30+ filter options.
Trust relationship
relationship between the server and the IdP that is used to validate the security token granted to the client
Information Barriers
restrict communication/searching for a user between groups to avoid a conflict of interest from occurring in an org. Supports only TWO-way restrictions, not one-way. Examples:
* Students can't look up other students' info or chat with them
* Legal - lawyers keep client info separate from other clients
* Professional services
ISO 27701
rules and guidance to manage personal information and demonstrate compliance
Retention labels
used to assign settings at an ITEM level, such as a folder, document, or email; the label travels with the content. An item can only have one retention label assigned to it at a time. Can be applied manually, or automatically if the item matches conditions. A default label can be applied for SharePoint documents. Takes priority over a retention policy (e.g. site has a retention policy of 5 years, you need a document for 10 - apply a retention label to that document only).
Retention policies
used to assign the same retention settings to content at a (WEB)SITE level or MAILBOX level. 1 policy can be assigned to multiple locations. Items inherit retention settings from their container as specified in the retention policy; if content moves out of a container, a copy is stored but the retention settings don't travel with the content to its new location.
Microsoft 365 Defender portal security report
view info about security trends by CATEGORY or GROUP.
Group by CATEGORY:
* Identities - users
* Data - emails and document contents
* Devices - computers, mobile phones, and other devices
* Apps - programs and attached online services
Group by TOPIC:
* Risk - entities that are at highest risk
* Detection trends - new threats
* Configuration and health - configuration and deployment of security controls
Microsoft Intune Endpoint security node
where admins go to configure and manage/enforce security tasks for at-risk devices
Windows Hello lets users authenticate to
1) A Microsoft account
2) An AD account
3) An AAD account
4) Identity provider or Relying Party services that support FIDO v2.0
Key features of Azure Firewall
1) High availability and ability to span multiple availability zones
2) Network and app-level filtering
3) Outbound SNAT (Source Network Address Translation)
4) Inbound DNAT (Destination Network Address Translation)
5) Multiple public IP addresses
6) Threat intelligence filtering
7) Integration with Azure Monitor to analyze logs
Types of DDoS attacks
1) Volume-based attacks - flood the network with seemingly legit traffic so that legit traffic can't get through
2) Protocol attacks - overwhelm with false protocol requests at layer 3 (network) and layer 4 (transport)
3) Resource (application) layer attacks - target web application packets to disrupt transmission of data between hosts
Pillars of Identity
1. Administration - creation and management (LCM) of identities
2. Authentication (AuthN) - proving identity; how much evidence is needed
3. Authorization (AuthZ) - determine the level of access an authenticated identity has
4. Auditing - tracking via logs who does what, when, where, & how, via reporting, alerts, and governance
Azure AD editions
1. Azure Active Directory Free 2. Office 365 Apps 3. Azure Active Directory Premium P1 4. Azure Active Directory Premium P2
What security tasks are ALWAYS the responsibility of the customer?
1. Data 2. Devices 3. Accounts/Identities
Zero trust foundational pillars
1. Identities - can be users, services, or devices
2. Devices - monitor for health/compliance
3. Apps - manage permissions/access
4. Data - should be classified, labeled, and encrypted where appropriate
5. Infrastructure - understand the baseline to detect anomalies and flag risky behavior to take action
6. Networks - should be segmented and include real-time threat monitoring and protection
Cloud Adoption Framework for Azure Lifecycle
1. Strategy: define business justification and expected outcomes of adoption. 2. Plan: align actionable adoption plans to business outcomes. 3. Ready: prepare the cloud environment for the planned changes. 4. Adopt: Migrate (migrate and modernize existing apps) AND/OR Innovate (develop new cloud-native or hybrid apps). 5. Govern: govern the environment and workloads. 6. Manage: operations management for cloud and hybrid solutions.
Azure Firewall
A managed, cloud-based network security service that protects your Azure VNet resources. The advantage of this model is the ability to scale up and centrally exert control over multiple VNets across different subscriptions.
NSG priority
A number between 100 and 4096; security rules are processed in order of priority (lower numbers before higher numbers). Once traffic matches a rule, processing stops.
Zero Trust
A security model that assumes everything is on an open and untrusted network, even resources behind firewalls: "Trust no one, verify everything."
FIDO2
Abbreviation for Fast Identity Online - an alliance that promotes open authentication standards and aims to reduce reliance on passwords. FIDO2 allows users to sign in with an external security key such as USB, Lightning connector, Bluetooth, or NFC. Azure AD supports FIDO2.
AD
Active Directory - set of directory services developed by Microsoft as part of Windows 2000 for on-premises domain-based networks
AD DS
Active Directory Domain Services - stores information about members of the domain, including devices and users, verifies their credentials, and defines their access rights. A server running AD DS is a domain controller (DC). Supports on-premises IT infrastructure for multiple domains using a single identity per user. Does not natively support mobile devices, SaaS applications, or apps that require MODERN authentication.
Azure Active Directory Premium P2
All P1 features + Azure AD Identity Protection to provide risk-based Conditional Access to apps and data. PIM - Privileged Identity Management to help discover, restrict, and monitor admins and access to resources, and provide just-in-time (JIT) access when needed.
Modern authentication
All services and information are managed by a central identity provider. The client authenticates with the IdP. Once authenticated, the IdP sends the client a security token. The token is used as proof of identity and is sent to the server. The server has a trust relationship with the IdP, so it verifies with the IdP and trusts the security token.
Azure Network Security Group (NSG)
Allows you to allow or deny inbound/outbound network traffic to/from Azure resources that exist in your VNet (e.g. a VM) based on rules.
Access packages
Allows users (including external users) to request/receive access to groups of resources (e.g. IAM access) bundled together to improve efficiency.
Azure Active Directory Free Edition
Allows you to administer users and groups. Synchronize with AD (on-prem). Configure self-service password change for cloud users. Enable SSO across Azure, M365, and other SaaS apps. Included with subscriptions to O365, Azure, Dynamics 365, and Power Platform.
B2B Collaboration
Allows you to share your org's apps and services with guest users from other orgs while maintaining control over your data. Uses an invitation and redemption process; guests are managed in Azure AD. Allows external users to access your resources with their own credentials. Supports SSO for guests to all Azure AD-connected apps.
NSG information points
Allows/denies traffic to Azure resources by rule priority using 5 evaluation points: 1/2) Source/Destination (IP address range, service tag, or app security group) 3/4) Source/Destination port (range) 5) Protocol (TCP, UDP, ICMP, or Any)
CA access controls
At the time of an auth request, can: 1) Block access 2) Grant access 3) Require one or more conditions to be met before granting access (MFA, compliant device, hybrid joined, password change, etc.) 4) Control user access based on session controls (e.g. don't allow the ability to download sensitive data)
Password spray attack
Attempts to match a username against a list of weak passwords
Dictionary attack
Attempts to steal an identity by trying a large number of known passwords. AKA brute force attack.
Windows Hello for Business
Authentication feature built into Windows 10 that replaces passwords with strong 2FA on PCs and mobile devices using a biometric or PIN. Stores PIN and biometric data locally on the device (never sent to external devices or servers) = safer b/c there is no collection point for attackers to compromise.
Federated authentication
Azure AD redirects the client requesting authentication to a separate trusted identity provider such as AD FS (AD Federation Services) to validate the user's password.
Azure AD External identity types
B2B: allows you to share apps and resources with external users. B2C: identity management solution for consumer and customer-facing apps. Both are included in the Premium P1 and Premium P2 Azure AD editions.
Defaults for admins using SSPR
By default, admin accounts: are enabled for SSPR; are required to use 2FA; cannot use security questions (weak).
Azure AD registered devices
Can be Windows 10, iOS, Android, or macOS devices. Typically a personal device that is signed in with a personal Microsoft account or another local account.
Hybrid Azure AD joined devices
Can be Windows 7, 8.1, or 10, OR Windows Server 2008 or newer. Owned by the org and signed in with an AD Domain Services (on-prem) account. Exists in the cloud and on-prem.
Microsoft Identity Manager
Can import records from on-prem HR systems such as SAP HCM, Oracle eBusiness, and Oracle PeopleSoft
Windows Hello for Business
Configured by Group Policy or MDM (mobile device management) policy such as Microsoft Intune; backed by key-based or cert-based authentication = safer than convenience PIN
Microsoft Cloud Adoption Framework for Azure
Consists of documentation, implementation guidance, best practices, and tools designed to help businesses adopt cloud
Azure Role-Based Access Control (RBAC)
Control permissions to manage Azure AD resources. Supports built-in and custom roles (requires Premium P1 or P2 license). Built-in examples: Global Administrator, User Administrator, Billing Administrator.
DNAT
Destination Network Address Translation - inbound internet traffic to the firewall public IP address is translated and filtered to the private IP address of resources on the virtual network
Azure AD joined devices
Devices that exist only in the cloud; can be configured for all Win10 devices. Owned by the organization and signed in with an Azure AD or synced AD work or school account.
DC
Domain Controller - server running Active Directory Domain Services
Office 365 Apps (Azure AD) Edition
Free features + self-service password RESET for cloud users. Device write-back (two-way synchronization between on-prem and Azure AD). Included with subscriptions to O365 E1, E3, E5, F1, and F3.
Azure AD identity governance tasks
Govern identity LCM. Govern access LCM. Secure privileged access for admins, employees, business partners and vendors, and across services and applications on-prem and in the cloud.
Azure DDoS Protection
Identifies an attacker's attempt to overwhelm the network and blocks the traffic from the attacker. Tiers: 1) Basic - enabled for every property in Azure at no additional cost and includes real-time mitigation of common network-level attacks using MSFT's global network to distribute attacks 2) Standard - provides extra mitigation capabilities including dedicated traffic monitoring and machine learning algorithms
Shared responsibility model
Identifies which security tasks are handled by the cloud provider vs the customer. Types: SaaS (Software as a Service), PaaS (Platform as a Service), IaaS (Infrastructure as a Service), On-premises data center (On-prem)
Hybrid Identity model
Identities are created/managed in AD DS or another on-premises identity provider and then synchronized to Azure AD. Both cloud-only and hybrid identities can access both cloud and on-prem resources. When updates to user accounts, groups, and contacts are made in your on-prem DS, all are synchronized to Azure AD via Azure AD Connect. Identities can be authenticated by Azure AD (managed authentication), or Azure AD redirects the client requesting the authentication to another identity provider (federated authentication).
Managed Identities
Identities automatically managed in Azure AD and typically used to manage credentials for authenticating a cloud application with an Azure service
What is the new security perimeter?
Identity - how a user, app, device, etc. can be verified and authenticated to be who they say they are
Managed authentication
In the hybrid model, authentication is done by Azure AD
PIM characteristics
JIT/JEA access. Time-bound (assign start and end dates) - can be helpful for guests leaving by x date. Approval-based activation of privileges. Visible/transparent by sending notifications when privileged roles are activated. Auditable.
Azure Active Directory
Microsoft's cloud-based identity provider that provides organizations with an IDaaS (Identity as a Service) solution for all apps across cloud and on-premises. Enables employees, guests, and others to sign in and access internal services (apps developed internally) and external services (SaaS apps like O365, Azure portal, etc.). Can enable orgs to securely allow use of personal devices and collaboration with business partners and customers.
Microsoft Authenticator app
Mobile app (available for Android and iOS) for MFA and can be configured to use biometrics such as fingerprint or facial scan
OATH
OATH (Open Authentication) - open standard that specifies how time-based one-time password (TOTP) codes are generated to authenticate a user. Can be software tokens (e.g. MSFT Authenticator app) or hardware tokens; the code refreshes every 30-60 seconds.
An organization has recently conducted a security audit and found that four people who have left were still active and assigned global admin roles. The users have now been deleted but the IT organization has been asked to recommend a solution to prevent a similar security lapse happening in future. Which solution should they recommend?
PIM - Privileged Identity Management mitigates the risks of excessive, unnecessary, or misused access permissions.
Why is Windows Hello safer than a password?
PIN is tied to the device and useless w/o the hardware. PIN is never transmitted anywhere, so there is no central location for attackers. Windows Hello PIN is backed by a TPM (Trusted Platform Module) chip with built-in physical security that is tamper resistant.
Conditional Access
Premium feature of Azure AD that provides an extra layer of security before allowing authenticated users to access data or other assets, managed through CA policies created and managed in Azure AD. Policies analyze signals including user/group membership, location via IP address range, device compliance, application, cloud apps, real-time sign-in risk detection (via Azure AD Identity Protection), or user risk (via Identity Protection).
PIM
Privileged Identity Management is a service in Azure Active Directory that enables you to manage, control, and monitor access to important Microsoft resources in your org (Azure AD, Azure, M365, Microsoft Intune). Part of Premium P2 only. Helps you minimize the number of people who have access to resources across Azure AD.
Sign-in risk
Probability that a given auth request isn't authorized by the identity owner. Can be calculated in real time or offline using MSFT threat intelligence sources (Identity Protection). Examples: anonymous or malware IP address, atypical travel, password spray, AAD threat intelligence (meets an attack pattern)
Platform as a Service (PaaS)
Provides an environment to build, test, and deploy software applications by providing underlying infrastructure including the hardware and OS
User
Representation of something managed by Azure AD such as employees and guests (B2B). Use groups to provide access to several members at once vs assigning individually.
Service Principal
Security identity used by apps or services to access specific Azure resources (i.e. an identity for an application). The app must first be registered with Azure AD, which creates a globally unique app object that is stored in the Azure AD tenant.
SSPR
Self Service Password Reset - feature of Azure AD that allows users to change or reset their password, or unlock their account, without an admin or help desk. Auth methods available include: mobile app notification, mobile app code, email, mobile phone, office phone, security questions. User must be assigned an Azure AD license and registered with at least 1 authentication method.
Azure AD External Identities
Set of capabilities that enable organizations to allow external users, such as customers or partners, to "bring their own identities" to sign in. Enabled through Azure AD support of external identities like other Azure AD tenants, Facebook, Google, or enterprise identity providers if admins set up federation with them.
Federation
Single Sign-On between multiple identity providers. Enables access to services across organizational boundaries by establishing trust relationships between the domains'/entities' identity providers. Trust is not always bidirectional.
Software as a Service (SaaS)
Software hosted and managed by the cloud provider for the customer. Cloud provider manages everything aside from data, devices, accounts, and identities. Examples include: Microsoft 365, Skype, and Dynamics CRM
SNAT
Source Network Address Translation - translates the private IP address of network resources in Azure to a public IP address to identify and allow traffic originating from the virtual network to internet destinations
Directory Services
Stores directory data (hierarchical structure of info on the network) and makes it available to users, admins, services, apps, etc.
Types of managed identities
System-assigned - created as part of an Azure service/resource, usable only by that resource, and tied to the LCM of that service (i.e. if the service is deleted, so is the identity). User-assigned - a standalone Azure resource that is assigned to one or more instances of an Azure service and is shared as a single identity across multiple Azure services.
Azure Identity Protection
Tool that allows orgs to: automate detection and remediation of identity-based risks based on Microsoft learnings from trillions of data points with its customers; investigate risks using data in the portal; export risk detection data to third-party utilities for further analysis. Categorizes risk into three tiers: low, medium, and high. Risk detections can trigger actions such as requiring users to provide MFA, reset their password, or blocking access until an admin takes action. Requires Premium P2.
Password hash synchronization
Used to authenticate on-prem directory objects in Azure AD. Users have same username and password that they use on-prem
Symmetric encryption
Uses the same secret key to encrypt and decrypt
Entitlement management
automates access request workflows, access assignments, reviews, and expiration to allow orgs to manage IAM at scale via access packages. Feature of Azure AD Premium P2 (along with access reviews).
Dynamic groups
enable admins to create attribute-based rules to determine membership of groups. When attributes of a user or device change, the system evaluates all dynamic group rules in a directory to see if the change would trigger any users to be added or removed from a group. If yes, they are added; if they no longer match, they are removed from the group.
Azure virtual network (VNet)
enables different Azure resources (e.g. Azure virtual machines) to securely communicate with other VNets, the internet, or your on-prem network. Can be divided into multiple subnetworks (subnets) secured by network security groups (NSGs).
Password Protection
feature of Azure AD that reduces the risk of users setting weak passwords vulnerable to password spray attacks. Detects and blocks known weak passwords automatically via a default global banned password list AND can block weak terms specific to your org. Can be integrated with an on-prem AD environment.
Infrastructure as a Service (IaaS)
leveraging the cloud provider's cloud infrastructure (physical) including computers, network, and physical security of the datacenter. Customer still manages software components.
Device
piece of equipment such as a mobile device, laptop, printer, server, etc. Device identities can be set up in 3 different ways in Azure AD: 1) Registered devices 2) Joined devices 3) Hybrid joined devices
User risk
probability that a given identity or account is compromised. Calculated offline via threat intelligence sources. Examples: leaked credentials found on the dark web, AAD threat intelligence (meets attack patterns or is not consistent with typical user behavior)
Azure Bastion
provides secure and seamless RDP (Remote Desktop Protocol)/SSH (Secure Shell) connectivity to your virtual machines directly from the Azure portal using TLS (Transport Layer Security). Does not require a public IP address, agent, or special client software. More secure because it does not expose RDP/SSH ports to the public (protects against port scanning). Protects against zero-day exploits. 1 Azure Bastion is deployed per VNet. Does not require management of NSGs.
Security defaults
set of basic identity security mechanisms recommended by Microsoft. Includes: required MFA registration for all users; forcing admins to use MFA; requiring standard users to complete MFA when needed.
Common claims of security tokens
subject - unique, unchanging identifier of the client. issued at - when the security token was issued. expiration - when the security token should expire. audience - describes the recipient of the token so the token cannot be forwarded to others; if the audience does not list the recipient, the token is dropped.