SC900
shared responsibility model
- Identifies which security tasks are handled by the cloud provider and which are handled by you, the customer.
- The split varies depending on where the workload is hosted:
  - Software as a Service (SaaS)
  - Platform as a Service (PaaS)
  - Infrastructure as a Service (IaaS)
  - On-premises datacenter
- Whatever the model, data, endpoints, accounts, and identities always remain the customer's responsibility.
Controls
- A control is a requirement of a regulation, standard, or policy. It defines how to assess and manage the system configuration, organizational process, and people responsible for meeting that requirement.
- Compliance Manager tracks three types of controls:
  - Microsoft-managed controls: controls for Microsoft cloud services, which Microsoft is responsible for implementing.
  - Your controls (also called customer-managed controls): implemented and managed by your organization.
  - Shared controls: responsibility for implementation is shared between your organization and Microsoft.
Device identity
- A device identity gives administrators information they can use when making access or configuration decisions.
- Device identities can be set up in Azure AD in three ways:
  - Azure AD registered: typically personally owned or bring-your-own devices, signed in with a local or personal account and registered with Azure AD.
  - Azure AD joined: a device joined to Azure AD through an organizational account, which is then used to sign in to the device. Azure AD joined devices are generally owned by the organization.
  - Hybrid Azure AD joined: joined to your on-premises Active Directory and to Azure AD, requiring an organizational account to sign in to the device.
Service principal
- A service principal is, essentially, an identity for an application.
- For an application to delegate its identity and access functions to Azure AD, it must first be registered with Azure AD; registration creates the application object and the service principal in your tenant.
- The service principal enables core features such as authentication and authorization of the application to resources secured by the Azure AD tenant.
exact data match (EDM) classification
-EDM-based classification enables you to create custom sensitive information types that refer to exact values in a database of sensitive information.
user identity
- Employees and guests are represented as users in Azure AD.
- If several users have the same access needs, you can create a group.
- Groups let you grant access permissions to all members at once, instead of assigning rights to each user individually.
Identity
An identity may be associated with a user, an application, a device, or something else.
Four pillars of an identity infrastructure
- Administration: the creation and management/governance of identities for users, devices, and services. As an administrator, you manage how and under what circumstances the characteristics of identities can change (be created, updated, deleted).
- Authentication: how much an IT system needs to know about an identity to have sufficient proof that it really is who it says it is. It involves the act of challenging a party for legitimate credentials.
- Authorization: processing the incoming identity data to determine the level of access an authenticated person or service has within the application or service it wants to access.
- Auditing: tracking who does what, when, where, and how. Auditing includes in-depth reporting, alerts, and governance of identities.
Assessments
- An assessment is a grouping of controls from a specific regulation, standard, or policy.
- Completing the actions within an assessment helps meet the requirements of that standard, regulation, or law.
- For example, an organization may have an assessment that, when completed, brings its Microsoft 365 settings in line with ISO 27001 requirements.
Microsoft Authenticator app
-As a passwordless authentication method, the Microsoft Authenticator app can be used as a primary form of authentication to sign in to any Azure AD account or as an additional verification option during self-service password reset (SSPR) or Azure AD Multi-Factor Authentication events.
Authentication
- Authentication is the process of proving that a person (or service) is who they say they are.
- The username states who you are, but by itself isn't enough to grant access. Combined with the password, which only that user should know, it allows access to your systems. Username and password together are one form of authentication.
- Authentication is often shortened to AuthN.
Identity Protection
- Azure AD Identity Protection lets you:
  - Automate the detection and remediation of identity-based risks.
  - Investigate risks using data in the portal.
  - Export risk detection data to third-party utilities (for example, a SIEM) for further analysis.
Privileged access lifecycle
- Azure AD Privileged Identity Management (PIM) provides extra controls tailored to securing access rights.
- PIM helps you minimize the number of people who have standing access to resources across Azure AD, Azure, and other Microsoft online services.
Difference between Azure AD RBAC and Azure RBAC
- Azure AD built-in and custom roles are a form of RBAC: Azure AD roles control access to Azure AD resources. This is referred to as Azure AD RBAC.
- In the same way, Azure roles control access to Azure resources. This is referred to as Azure RBAC.
- The concept is the same, but what they control is different:
  - Azure AD RBAC: Azure AD roles control access to Azure AD resources such as users, groups, and applications.
  - Azure RBAC: Azure roles control access to Azure resources such as virtual machines or storage, through Azure Resource Manager.
- The two are separate but not independent: a Global Administrator can elevate their own access to User Access Administrator at the root management group and thereby take control of every Azure subscription in the tenant, so Global Administrator must be treated as a privileged Azure role too.
Federated authentication
- Azure AD hands the authentication process off to a separate trusted authentication system, such as on-premises Active Directory Federation Services (AD FS), to validate the user's password.
- This sign-in method ensures that all user authentication occurs on-premises.
Azure AD pass-through authentication
- Azure AD pass-through authentication lets users sign in to both on-premises and cloud-based applications with the same passwords, like password hash synchronization.
- The key difference: when users sign in through Azure AD, pass-through authentication validates the password directly against your on-premises Active Directory (via on-premises authentication agents), so no password hash is stored in the cloud.
Categories of Azure AD roles
- Azure AD-specific roles: grant permissions to manage resources within Azure AD only. For example, User Administrator, Application Administrator, and Groups Administrator all manage resources that live in Azure AD.
- Service-specific roles: for the major Microsoft 365 services, Azure AD includes built-in roles that grant permissions to manage features within that service. For example, Exchange Administrator, Intune Administrator, SharePoint Administrator, and Teams Administrator each manage features within their respective service.
- Cross-service roles: some roles span services. For example, security-related roles like Security Administrator grant access across multiple security services within Microsoft 365. Similarly, the Compliance Administrator role can manage compliance-related settings in the Microsoft Purview compliance portal, Exchange, and so on.
Encryption on Azure
- Azure Storage Service Encryption protects data at rest by automatically encrypting it before persisting to Azure managed disks, Blob Storage, Files, or Queue Storage, and decrypting it on retrieval. This is server-side encryption with platform-managed keys unless you configure customer-managed keys.
- Azure Disk Encryption encrypts the disks of Windows and Linux IaaS virtual machines from inside the guest. It uses the industry-standard BitLocker feature of Windows and the dm-crypt feature of Linux to provide volume encryption for the OS and data disks, with the keys and secrets held in Azure Key Vault.
- Transparent data encryption (TDE) protects Azure SQL Database and Azure Synapse Analytics (formerly Azure SQL Data Warehouse) data at rest. It performs real-time encryption and decryption of the database, associated backups, and transaction log files without requiring application changes. Like the other two, it guards against offline access to the storage, not against a principal who can already query the database.
Compliance Manager
- Compliance Manager helps simplify the way you manage compliance.
- It calculates a risk-based compliance score that measures progress toward completing recommended actions to reduce risks associated with data protection and regulatory standards.
- It also provides workflow capabilities and built-in control mapping to help you carry out improvement actions efficiently.
Templates
- Compliance Manager provides templates to help admins quickly create assessments.
- Admins can modify these templates to create an assessment optimized for their needs.
- Admins can also build a custom assessment by creating a template with their own controls and actions; for example, to cover an internal business process control, or a regional data protection standard that isn't covered by one of Microsoft's 150-plus prebuilt assessment templates.
Microsoft's Privacy Principles
- Control
- Transparency
- Security
- Strong legal protections
- No content-based targeting
- Benefits to you
Federation
- Enables access to services across organizational or domain boundaries by establishing trust relationships between the respective domains' identity providers.
- With federation, a user doesn't need to maintain a different username and password when accessing resources in other domains.
- The trust relationship is what makes this work: the relying domain accepts identity assertions issued by the trusted identity provider instead of authenticating the user itself.
FIDO2
- Fast Identity Online (FIDO) is an open standard for passwordless authentication; FIDO2 is the current version and the one Azure AD supports for security-key sign-in.
- FIDO lets users and organizations sign in to their resources using an external security key or a platform key built into a device, eliminating the need for a username and password.
Built-in roles
- Global Administrator: has access to all administrative features in Azure Active Directory. The person who signs up for the Azure AD tenant automatically becomes a Global Administrator. Keep this role to a handful of accounts and require MFA on all of them.
- User Administrator: can create and manage all aspects of users and groups. This role also includes the ability to manage support tickets and monitor service health.
- Billing Administrator: makes purchases, manages subscriptions and support tickets, and monitors service health.
Improvement actions
- Improvement actions help centralize compliance activities.
- Each improvement action provides recommended guidance intended to help organizations align with data protection regulations and standards.
- Improvement actions can be assigned to users in the organization to do the implementation and testing work.
Managed identity
- Managed identities are a type of service principal that is automatically managed in Azure AD, eliminating the need for developers to manage credentials.
- They provide an identity for applications to use when connecting to Azure resources that support Azure AD authentication, and can be used at no extra cost.
- They come in two forms: system-assigned (tied to the lifecycle of one Azure resource) and user-assigned (a standalone resource that can be shared across several).
hybrid identity
- Many organizations run a mixture of cloud and on-premises applications.
- Microsoft's identity solutions span on-premises and cloud-based capabilities.
- These solutions create a common user identity for authentication and authorization to all resources, regardless of location.
Microsoft Priva
- Microsoft Priva helps you understand the data your organization stores by automating discovery of personal data assets and providing visualizations of essential information.
- Priva evaluates data stored in the following Microsoft 365 services within your tenant:
  - Exchange Online
  - SharePoint Online
  - OneDrive for Business
  - Microsoft Teams
Data Estate Insights
- With Microsoft Purview Data Estate Insights, data officers and security officers get a bird's-eye view: at a glance they can see what data is actively scanned, where sensitive data is, and how it moves.
Data Map
- Microsoft Purview Data Map provides the foundation for data discovery and data governance.
- By scanning registered data sources, the Data Map captures metadata about enterprise data, to identify and classify sensitive data.
Data Sharing and Data Policy
- Microsoft Purview Data Sharing enables organizations to securely share data within the organization and across organizations with business partners and customers.
- Access policies in Microsoft Purview let you manage access to different data systems across your entire data estate.
Service Trust Portal
- Microsoft's public site for publishing audit reports and other compliance-related information associated with Microsoft's cloud services.
- STP users can download audit reports produced by external auditors and gain insight from Microsoft-authored whitepapers that describe how Microsoft cloud services protect your data, and how you can manage cloud data security and compliance for your organization.
Azure Network Security groups
- Network security groups (NSGs) let you filter network traffic to and from Azure resources in an Azure virtual network; for example, a virtual machine.
- An NSG consists of inbound and outbound security rules that define how traffic is filtered.
- You can associate only one NSG to each virtual network subnet and to each network interface of a virtual machine. The same NSG can, however, be associated to as many subnets and network interfaces as you choose.
- Rules are evaluated in priority order (lower number first) on a five-tuple: source, source port, destination, destination port, and protocol. The first matching rule allows or denies the traffic and evaluation stops there, so a broad Allow with a lower priority number silently overrides a narrower Deny with a higher one.
- When an NSG is associated to both the subnet and the NIC, inbound traffic must pass the subnet NSG first and then the NIC NSG; outbound traffic is evaluated at the NIC first, then the subnet. A Deny at either level is final.
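The priority-ordered, first-match evaluation described above, as an added example that is not Azure's code and not part of the original notes. Assumptions not taken from the page: service tags are reduced to plain CIDRs or "*", only the closing DenyAll default rule at priority 65500 is modelled, and all rules and packets are constructed. It also models the subnet-then-NIC ordering and shows the misordering pitfall where a broad Allow at a lower number makes a later Deny unreachable.

```python
"""Simplified model of Azure NSG rule evaluation (added example, not Azure code).
Assumptions: service tags collapsed to CIDRs or "*"; only the DenyAll default rule
at priority 65500 is modelled; rules and packets below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int            # custom rules use 100-4096; the lowest number is evaluated first
    direction: str           # "Inbound" or "Outbound"
    access: str              # "Allow" or "Deny"
    protocol: str            # "Tcp", "Udp", "Icmp" or "*"
    source: str              # CIDR or "*"
    source_port: str         # "*", "443" or a range such as "1024-65535"
    destination: str         # CIDR or "*"
    destination_port: str


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src: str
    src_port: int
    dst: str
    dst_port: int


DEFAULT_RULES = [
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]


def _port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "*" or ip_address(addr) in ip_network(spec, strict=False)


def _matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.protocol in ("*", pkt.protocol)
            and _addr_match(rule.source, pkt.src)
            and _port_match(rule.source_port, pkt.src_port)
            and _addr_match(rule.destination, pkt.dst)
            and _port_match(rule.destination_port, pkt.dst_port))


def evaluate_nsg(rules: Iterable[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the rules in ascending priority; the first match decides, nothing later is consulted."""
    for rule in sorted(list(rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if _matches(rule, pkt):
            return rule.access, rule.name
    raise AssertionError("unreachable: DenyAll matches every packet")


def evaluate_path(subnet_rules: Optional[Iterable[Rule]], nic_rules: Optional[Iterable[Rule]],
                  pkt: Packet) -> Tuple[str, str]:
    """Inbound: subnet NSG first, then NIC NSG. Outbound: NIC first, then subnet.
    None means no NSG is associated at that level. A Deny at either level is final."""
    stages = (subnet_rules, nic_rules) if pkt.direction == "Inbound" else (nic_rules, subnet_rules)
    verdict = ("Allow", "no NSG associated")
    for stage in stages:
        if stage is None:
            continue
        verdict = evaluate_nsg(stage, pkt)
        if verdict[0] == "Deny":
            return verdict
    return verdict


# Constructed rule sets: a correct "allow SSH from the management range, deny the rest" pair,
# and the misordering where a broad Allow sits at a lower number than a narrower Deny.
ALLOW_SSH_MGMT = Rule("AllowSshFromMgmt", 100, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "*", "*", "22")
DENY_SSH_ALL = Rule("DenySshFromAll", 200, "Inbound", "Deny", "Tcp", "*", "*", "*", "22")
ALLOW_ALL = Rule("AllowAllInbound", 100, "Inbound", "Allow", "*", "*", "*", "*", "*")
DENY_SSH_LATER = Rule("DenySshFromInternet", 110, "Inbound", "Deny", "Tcp", "*", "*", "*", "22")
GOOD_NSG = [ALLOW_SSH_MGMT, DENY_SSH_ALL]
BAD_NSG = [ALLOW_ALL, DENY_SSH_LATER]


def ssh_from(src: str) -> Packet:
    return Packet("Inbound", "Tcp", src, 51515, "10.0.1.4", 22)


def demo() -> dict:
    return {
        "mgmt_host": evaluate_nsg(GOOD_NSG, ssh_from("203.0.113.10")),
        "internet_host": evaluate_nsg(GOOD_NSG, ssh_from("198.51.100.7")),
        "dns_udp": evaluate_nsg(GOOD_NSG, Packet("Inbound", "Udp", "198.51.100.7", 40000, "10.0.1.4", 53)),
        "misordered": evaluate_nsg(BAD_NSG, ssh_from("198.51.100.7")),
        "subnet_allows_nic_denies": evaluate_path(GOOD_NSG, [DENY_SSH_LATER], ssh_from("203.0.113.10")),
    }


if __name__ == "__main__":
    for case, (access, rule) in demo().items():
        print(f"{case:26} -> {access:5} by {rule}")
```

The "misordered" case is the one to look for in reviews: DenySshFromInternet at 110 can never fire because AllowAllInbound at 100 already matched, and the portal will not warn you about it.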
network segmentation
- Network segmentation can secure interactions between perimeters.
- This approach strengthens an organization's security posture, contains risk in a breach, and stops attackers from gaining access to an entire workload.
- The main reasons for network segmentation are:
  - The ability to group related assets that are part of (or support) workload operations.
  - Isolation of resources.
  - Governance policies set by the organization.
- Virtual networks are the core component for network segmentation.
OATH
- OATH (Initiative for Open Authentication) is an industry body whose open standards specify how one-time passwords are generated, including time-based one-time passwords (TOTP, RFC 6238).
- One-time password codes can be used to authenticate a user.
- OATH TOTP is implemented in either software or hardware to generate the codes.
- Software OATH tokens are typically apps. Azure AD generates the secret key, or seed, that's entered into the app and used to generate each OTP.
- OATH TOTP hardware tokens (supported in public preview) are small key-fob devices that display a code that refreshes every 30 or 60 seconds.
- OATH software and hardware tokens are supported only as secondary forms of authentication in Azure AD, to verify an identity during self-service password reset (SSPR) or Azure AD Multi-Factor Authentication.
Authorization
- Once you've authenticated a user, you need to decide where they can go, and what they're allowed to see and touch. This process is called authorization.
- In cybersecurity terms, authorization determines the level of access, or the permissions, an authenticated person has to your data and resources.
- Authorization is often shortened to AuthZ.
Platform as a Service (PaaS)
- PaaS provides an environment for building, testing, and deploying software applications.
- The goal of PaaS is to help you create an application quickly without managing the underlying infrastructure.
- With PaaS, the cloud provider manages the hardware and operating systems, and the customer is responsible for applications and data.
Passwords
- Passwords are the most common form of authentication, but they have many problems, especially in single-factor authentication, where only one form of authentication is used.
- Passwords should be supplemented or replaced with the more secure authentication methods available in Azure AD.
Data privacy
- Providing notice and being transparent about the collection, processing, use, and sharing of personal data are fundamental principles of privacy laws and regulations.
- Privacy laws previously referred to "PII" (personally identifiable information), but the definition has expanded to any data that is directly linked or indirectly linkable to a person.
- Organizations are subject to, and must operate consistently with, a multitude of laws, regulations, codes of conduct, industry-specific standards, and compliance standards governing data privacy.
Phone Authentication
- SMS-based authentication: short message service (SMS) text messages to a mobile device can be used as a primary form of authentication.
- Voice call verification: users can use voice calls as a secondary form of authentication, to verify their identity during self-service password reset (SSPR) or Azure AD Multi-Factor Authentication.
- Both phone methods are the weakest options on this page (SIM swapping and call interception are practical attacks), and Microsoft steers users toward the Authenticator app or FIDO2 keys instead.
Software as a Service (SaaS)
- SaaS is hosted and managed by the cloud provider, for the customer.
- It's usually licensed through a monthly or annual subscription. Microsoft 365, Skype, and Dynamics CRM Online are all examples of SaaS software.
- SaaS requires the least amount of management by the cloud customer.
- The cloud provider is responsible for managing everything except data, devices, accounts, and identities.
Azure DDoS Protection
- Azure DDoS Protection helps protect your applications and servers by analyzing network traffic and discarding anything that looks like a DDoS attack.
- It identifies an attacker's attempt to overwhelm the network and blocks the attacker's traffic, ensuring that it doesn't reach Azure resources.
- Legitimate traffic from customers still flows into Azure without interruption of service.
What is the difference between Network Security Groups (NSGs) and Azure Firewall?
- The Azure Firewall service complements network security group functionality; together they provide better defense-in-depth network security.
- Network security groups provide distributed, network-layer traffic filtering to limit traffic to resources within virtual networks in each subscription.
- Azure Firewall is a fully stateful, centralized network firewall as a service, which provides network- and application-level protection across different subscriptions and virtual networks.
Zero Trust
- The Zero Trust model operates on the principle of "trust no one, verify everything."
- It rests on three principles:
  - Verify explicitly: always authenticate and authorize based on all available data points, including user identity, location, device, service or workload, data classification, and anomalies.
  - Least privileged access: limit user access with just-in-time and just-enough access (JIT/JEA), risk-based adaptive policies, and data protection, to protect both data and productivity.
  - Assume breach: segment access by network, user, device, and application. Use encryption to protect data, and use analytics to get visibility, detect threats, and improve your security.
Distributed Denial of Service attacks
- The aim of a Distributed Denial of Service (DDoS) attack is to overwhelm the resources of your applications and servers, making them unresponsive or slow for genuine users.
- A DDoS attack will usually target any public-facing device that can be accessed through the internet.
Cloud workload protection (CWP)
- Through its cloud workload protection capabilities, Microsoft Defender for Cloud can detect and resolve threats to resources, workloads, and services.
- Cloud workload protections are delivered through integrated Microsoft Defender plans, specific to the types of resources in your subscriptions, and provide enhanced security features for your workloads.
Azure AD Password hash synchronization
- Users can sign in to Azure AD services using the same username and password they use for their on-premises Active Directory instance. Azure AD handles the sign-in process itself.
- Active Directory Domain Services (AD DS) stores passwords as a hash value representation of the actual user password, never in cleartext.
- With password hash synchronization, Azure AD Connect extracts that password hash from the on-premises Active Directory instance. Before it leaves the network, the hash is salted per user and re-hashed with PBKDF2-HMAC-SHA256, so the value stored in Azure AD cannot be used to recover the on-premises password hash or to authenticate against on-premises AD.
Web Application Firewall
- Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities.
- A centralized WAF makes security management simpler, improves the response time to a security threat, and allows patching a known vulnerability in one place instead of securing each individual web application.
Infrastructure as a Service (IaaS)
- With IaaS, you're using the cloud provider's computing infrastructure.
- The cloud customer isn't responsible for the physical components, such as computers, the network, or the physical security of the datacenter.
- However, the cloud customer is still responsible for the software running on that infrastructure: operating systems, network controls, applications, and protecting data.
Data Catalog
-With the Microsoft Purview Data Catalog, business and technical users can quickly and easily find relevant data using a search experience with filters based on various lenses like glossary terms, classifications, sensitivity labels and more.
What's the difference between Azure Policy and Azure role-based access control (RBAC)?
- You use Azure Policy to ensure that resource state is compliant with your organization's business rules, no matter who made the change or who has permission to make changes.
- Azure Policy evaluates the state of a resource and acts to keep the resource compliant.
- Azure RBAC focuses instead on managing user actions at different scopes.
- Azure RBAC manages who has access to Azure resources, what they can do with those resources, and what areas they can access.
Azure AD access reviews
- Enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments.
- Regular access reviews ensure that only the right people retain access to resources.
Azure Key Vault
- A centralized cloud service for storing your application secrets.
- Key Vault helps you control your applications' secrets by keeping them in a single, central location and by providing secure access, permissions control, and access logging.
- It's useful for several kinds of scenario:
  - Secrets management: store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
  - Key management: create and control the encryption keys used to encrypt your data.
  - Certificate management: provision, manage, and deploy your public and private SSL/TLS certificates for Azure and internally connected resources.
Conditional Access
- A feature of Azure AD that provides an extra layer of security before allowing authenticated users to access data or other assets.
- Conditional Access is implemented through policies that are created and managed in Azure AD.
- A policy analyses signals including user, location, device, application, and risk to automate decisions about authorizing access to resources (apps and data).
- For example, a policy might state that if a user belongs to a certain group, they're required to complete multi-factor authentication to sign in to an application.
- Policies are enforced after the first factor completes, so they are not a substitute for strong primary authentication; when several policies apply, all are enforced and a Block control takes precedence over any Grant.
Password Protection
- A feature of Azure AD that reduces the risk of users setting weak passwords.
- Azure AD Password Protection detects and blocks known weak passwords and their variants, and can also block other weak terms that are specific to your organization.
- It helps defend against password spray attacks, which rely on exactly those common passwords.
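What "weak passwords and their variants" means in practice, as an added example that is not Microsoft's code and not part of the original notes. It follows the three steps Microsoft documents for evaluating a password (normalize, match banned terms, score at least five points) but omits the global banned list and the edit-distance-one fuzzy matching of the real service; the custom banned list and the candidate passwords are constructed.

```python
"""Simplified model of Azure AD Password Protection scoring (added example, not Microsoft's code).
Follows the documented normalize / match / score steps; the global banned list and the
edit-distance-one fuzzy matching are omitted. CUSTOM_BANNED and the candidates are constructed."""
from typing import Iterable, List, Tuple

# Documented normalization: lowercase, then undo the common leetspeak substitutions.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})
MIN_SCORE = 5   # documented threshold: fewer than five points and the password is rejected


def normalize(password: str) -> str:
    return password.lower().translate(SUBSTITUTIONS)


def score(password: str, banned_terms: Iterable[str], username: str = "") -> Tuple[int, List[str]]:
    """Each banned-term occurrence scores one point; each character left over scores one point."""
    remaining = normalize(password)
    terms = {normalize(t) for t in banned_terms if t}
    if username:                       # the user's own name is treated as a banned term
        terms.add(normalize(username))
    hits: List[str] = []
    # Longest terms first, so "contoso" is consumed whole before a shorter term could split it.
    for term in sorted(terms, key=len, reverse=True):
        count = remaining.count(term)
        if count:
            hits.extend([term] * count)
            remaining = remaining.replace(term, "")
    return len(hits) + len(remaining), hits


def is_allowed(password: str, banned_terms: Iterable[str], username: str = "") -> bool:
    points, _ = score(password, banned_terms, username)
    return points >= MIN_SCORE


# Constructed custom banned list for a fictional tenant.
CUSTOM_BANNED = ["Contoso", "Blank", "password"]

if __name__ == "__main__":
    for candidate in ("C0ntos0Blank12", "P@$$w0rd", "correct-horse-battery-staple"):
        print(candidate, score(candidate, CUSTOM_BANNED), is_allowed(candidate, CUSTOM_BANNED))
```

The point the scoring makes is that "C0ntos0Blank12" is not fourteen characters of entropy: after normalization it is two banned words plus two digits, four points, and is rejected, while a long passphrase built from words that are not on the list passes easily.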
Microsoft Sentinel
- A scalable, cloud-native SIEM/SOAR solution that delivers intelligent security analytics and threat intelligence across the enterprise.
- It provides a single solution for alert detection, threat visibility, proactive hunting, and threat response:
  - Collect data at cloud scale across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds.
  - Detect previously undetected threats and minimize false positives using analytics and threat intelligence.
  - Investigate threats with artificial intelligence (AI) and hunt suspicious activities at scale.
  - Respond to incidents rapidly with built-in orchestration and automation of common security tasks.
Privileged Identity Management (PIM)
- A service in Azure Active Directory (Azure AD) that lets you manage, control, and monitor access to important resources in your organization.
- PIM is:
  - Just in time: privileged access is granted only when needed, and not before.
  - Time-bound: assignments have start and end dates that indicate when a user can access resources.
  - Approval-based: specific approval is required to activate privileges.
  - Visible: notifications are sent when privileged roles are activated.
  - Auditable: a full access history can be downloaded.
Azure Bastion
- A service you deploy that lets you connect to a virtual machine using your browser and the Azure portal.
- Azure Bastion is a fully platform-managed PaaS service that you provision inside your virtual network.
- It provides secure and seamless Remote Desktop Protocol (RDP) and Secure Shell (SSH) connectivity to your virtual machines directly from the Azure portal over Transport Layer Security (TLS).
- When you connect via Azure Bastion, your virtual machines don't need a public IP address, an agent, or special client software.
- Azure Bastion therefore lets you keep RDP/SSH ports closed to the outside world, while still providing secure RDP/SSH access.
Active Directory (AD)
- A set of directory services developed by Microsoft as part of Windows 2000 for on-premises, domain-based networks.
- It stores information about members of the domain, including devices and users, verifies their credentials, and defines their access rights.
Microsoft Purview Insider Risk Management
- A solution that helps minimize internal risks by enabling an organization to detect, investigate, and act on risky and malicious activities. Insider risk management is available in the Microsoft Purview compliance portal.
- It is centered on the following principles:
  - Transparency: balance user privacy against organizational risk with privacy-by-design architecture.
  - Configurable: policies can be configured based on industry, geography, and business group.
  - Integrated: an integrated workflow across Microsoft Purview solutions.
  - Actionable: provides insights to enable user notifications, data investigations, and user investigations.
Microsoft Purview Data Loss Prevention (DLP)
- A way to protect sensitive information and prevent its inadvertent disclosure.
- With DLP policies, admins can:
  - Identify, monitor, and automatically protect sensitive information across Microsoft 365.
  - Help users learn how compliance works.
  - View DLP reports showing content that matches the organization's DLP policies.
- Administrators can also define policies that prevent users from sharing sensitive information in a Microsoft Teams chat session or Teams channel, whether that information is in a message or in a file.
Entitlement management
- An identity governance feature that enables organizations to manage the identity and access lifecycle at scale.
- Entitlement management automates access request workflows, access assignments, reviews, and expiration.
- It includes the following capabilities:
  - Delegating the creation of access packages to non-administrators.
  - Managing external users: when a user who isn't yet in your directory requests access and is approved, they're automatically invited into your directory and assigned access.
Microsoft Purview compliance portal
- Brings together all of the tools and data needed to help understand and manage an organization's compliance needs.
- The compliance portal is available to customers with a Microsoft 365 SKU who hold one of the following roles:
  - Global administrator
  - Compliance administrator
  - Compliance data administrator
- When an admin signs in to the Microsoft Purview compliance portal, the card section on the home page shows, at a glance, how the organization is doing with data compliance, which solutions are available, and a summary of any active alerts.
Data residency
-data residency regulations govern the physical locations where data can be stored and how and when it can be transferred, processed, or accessed internationally.
Microsoft Purview Information Protection
- Discovers, classifies, and protects sensitive and business-critical content throughout its lifecycle across your organization.
- It provides the tools to know your data, protect your data, and prevent data loss.
Sensitivity labels
- Enable the labeling and protection of content without affecting productivity and collaboration.
- With sensitivity labels, organizations decide which labels to apply to content such as emails and documents, much like different stamps are applied to physical documents.
Endpoint data loss prevention (Endpoint DLP)
- Extends the activity monitoring and protection capabilities of DLP to sensitive items physically stored on Windows 10, Windows 11, and macOS (Catalina 10.15 and higher) devices.
- Endpoint DLP enables admins to audit and manage activities that users perform on sensitive content, for example:
  - Creating an item
  - Renaming an item
  - Copying items to removable media
  - Copying items to network shares
  - Printing documents
  - Accessing items using unallowed apps and browsers
Azure Virtual Network
- The fundamental building block for your organization's private network in Azure.
- A VNet is similar to a traditional network that you'd operate in your own datacenter, but brings the additional benefits of Azure's infrastructure such as scale, availability, and isolation.
- Azure VNet enables organizations to segment their network.
- Organizations can create multiple VNets per region per subscription, and multiple smaller networks (subnets) within each VNet.
Azure Policy
- Helps enforce standards and assess compliance across your organization.
- Through its compliance dashboard, you get an aggregated view to help evaluate the overall state of the environment.
- You can also use capabilities like bulk remediation for existing resources and automatic remediation for new resources to resolve issues rapidly and effectively.
- Common use cases include implementing governance for resource consistency, regulatory compliance, security, cost, and management.
Auditing solutions in Microsoft Purview
- Help organizations respond effectively to security events, forensic investigations, internal investigations, and compliance obligations.
- Thousands of user and admin operations performed across dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log.
- Audit (Standard): lets you log and search audited activities to power your forensic, IT, compliance, and legal investigations. This is the default tier.
- Audit (Premium): adds audit log retention policies and longer retention of audit records, plus audit records for high-value events (for example, mailbox item access) that help your organization investigate possible security or compliance breaches and determine the scope of compromise.
Retention labels and policies
- Help organizations to manage and govern information by ensuring content is kept only for a required time, and then permanently deleted.
- Applying retention labels and assigning retention policies helps organizations:
  - Comply proactively with industry regulations and internal policies that require content to be kept for a minimum time.
  - Reduce risk when there's litigation or a security breach by permanently deleting old content that the organization is no longer required to keep.
  - Ensure users work only with content that's current and relevant to them.
Microsoft Purview Records Management
- Helps an organization look after its legal obligations.
- It also helps to demonstrate compliance with regulations, and increases efficiency with regular disposition of items that are no longer required to be kept, no longer of value, or no longer required for business purposes.
Communication compliance
- Helps minimize communication risks by enabling organizations to detect, capture, and take remediation actions for inappropriate messages.
- Predefined and custom policies in communication compliance make it possible to scan internal and external communications for policy matches so they can be examined by chosen reviewers.
- Enables reviewers to investigate scanned emails and messages across Microsoft Teams, Exchange Online, Yammer, or third-party communications in an organization, taking appropriate remediation actions to make sure they're compliant with the organization's message standards.
Solution catalog
- Links to collections of integrated solutions to help you manage end-to-end compliance scenarios.
- Solution areas included:
  - Information protection & governance. These solutions help organizations classify, protect, and retain data where it lives and wherever it goes. Included are data lifecycle management, data loss prevention, information protection, and records management.
  - Privacy. Build a more privacy-resilient workplace. Privacy management gives actionable insights on your organization's personal data to help you spot issues and reduce risks.
  - Insider risk management. These solutions help organizations identify, analyze, and remediate internal risks before they cause harm. Included are communication compliance, information barriers, and insider risk management.
  - Discovery & response. These solutions help organizations quickly find, investigate, and respond with relevant data. Included are Audit, data subject requests, and eDiscovery.
Azure Firewall
- Managed, cloud-based network security service that protects your Azure virtual network (VNet) resources from attackers.
- You can deploy Azure Firewall on any virtual network, but the best approach is to use it on a centralized virtual network.
Microsoft Purview Data Lifecycle Management
- Manages your content lifecycle using solutions to import, store, and classify business-critical data so you can keep what you need and delete what you don't.
- It gives organizations the capabilities to govern their data for compliance or regulatory requirements.
Compliance score
- Measures progress in completing recommended improvement actions within controls.
- The score can help an organization understand its current compliance posture.
- It also helps organizations prioritize actions based on their potential to reduce risk.
Microsoft Purview Information Barriers
- Policies that admins can configure to prevent individuals or groups from communicating with each other.
- When information barrier policies are in place, people who shouldn't communicate with other specific users can't find, select, chat, or call those users.
- With information barriers, checks are in place to prevent unauthorized communication.
Azure Blueprints
- Provide a way to define a repeatable set of Azure resources.
- Azure Blueprints enable development teams to rapidly provision and run new environments, with the knowledge that they're in line with the organization's compliance requirements.
- Azure Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as:
  - Role Assignments
  - Policy Assignments
  - Azure Resource Manager templates (ARM templates)
  - Resource Groups
Microsoft Purview governance portal
- Provides a unified data governance service that helps you manage your on-premises, multicloud, and software-as-a-service (SaaS) data.
- The Microsoft Purview governance portal allows you to:
  - Create a holistic, up-to-date map of your data landscape with automated data discovery, sensitive data classification, and end-to-end data lineage.
  - Enable data curators to manage and secure your data estate.
  - Empower data consumers to find valuable, trustworthy data.
Microsoft cloud security benchmark (MCSB)
- Provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure and your multicloud environment.
Multi-factor authentication
- Requires more than one form of verification, such as a trusted device or a fingerprint scan, to prove that an identity is legitimate.
- Azure Active Directory Multi-Factor Authentication works by requiring a combination of:
  - Something you know: typically a password or PIN.
  - Something you have: a trusted device that's not easily duplicated, like a phone or hardware key.
  - Something you are: biometrics like a fingerprint or face scan.
Security baselines
- Standardized documents for Azure product offerings, describing the available security capabilities and the optimal security configurations to help you strengthen security through improved tooling, tracking, and security features.
- Service baselines are currently only available for Azure.
- Microsoft cloud security benchmark v1 baselines apply guidance from the Microsoft cloud security benchmark to the specific Azure service for which it's defined.
Data sovereignty
- The concept that data, particularly personal data, is subject to the laws and regulations of the country/region in which it's physically collected, held, or processed.
- This can add a layer of complexity when it comes to compliance, because the same piece of data can be collected in one location, stored in another, and processed in still another, making it subject to laws from different countries/regions.
Electronic discovery (eDiscovery)
- The process of identifying and delivering electronic information that can be used as evidence in legal cases.
- Microsoft Purview provides three eDiscovery solutions: Content search, eDiscovery (Standard), and eDiscovery (Premium).
  - Content Search.
  - eDiscovery (Standard). Builds on the basic search and export functionality of Content search by enabling you to create eDiscovery cases and assign eDiscovery managers to specific cases.
  - eDiscovery (Premium). Builds on the existing capabilities in eDiscovery (Standard). In addition, eDiscovery (Premium) provides an end-to-end workflow to identify, preserve, collect, review, analyze, and export content that's responsive to your organization's internal and external investigations.
Microsoft Defender for Cloud
- Tool for security posture management and threat protection.
- It strengthens the security posture of your cloud resources, and with its integrated Microsoft Defender plans, Defender for Cloud protects workloads running in Azure, hybrid, and other cloud platforms.
- Microsoft Defender for Cloud fills three vital needs as you manage the security of your resources and workloads in the cloud and on-premises:
  - Continuously assess: know your security posture, identify and track vulnerabilities.
  - Secure: harden all connected resources and services.
  - Defend: detect and resolve threats to resources, workloads, and services.
Cloud security posture management (CSPM)
- Tools designed to improve your cloud security management. CSPM assesses your systems and automatically alerts security staff in your IT department when a vulnerability is found.
- CSPM uses tools and services in your cloud environment to monitor and prioritize security enhancements and features.
- CSPM uses a combination of tools and services:
  - Zero Trust-based access control: considers the active threat level during access control decisions.
  - Real-time risk scoring: provides visibility into top risks.
  - Threat and vulnerability management (TVM): establishes a holistic view of the organization's attack surface and risk and integrates it into operations and engineering decision-making.
  - Discover risks: understand the data exposure of enterprise intellectual property on sanctioned and unsanctioned cloud services.
  - Technical policy: apply guardrails to audit and enforce the organization's standards and policies on technical systems.
  - Threat modeling systems and architectures: used alongside other specific applications.
Trainable classifiers
- Use artificial intelligence and machine learning to intelligently classify your data.
- They're most useful for classifying data unique to an organization, like specific kinds of contracts, invoices, or customer records.
- This method of classification is about training a classifier to identify an item based on what the item is, not by elements that are in the item (pattern matching).
Defense in depth
- Uses a layered approach to security, rather than relying on a single perimeter.
- A defense-in-depth strategy uses a series of mechanisms to slow the advance of an attack.
- Each layer provides protection so that, if one layer is breached, a subsequent layer will prevent an attacker from getting unauthorized access to data.
Hashing
- Uses an algorithm to convert text to a unique fixed-length value called a hash.
- Each time the same text is hashed using the same algorithm, the same hash value is produced.
- That hash can then be used as a unique identifier of its associated data.
- Hashing is used to store passwords.
Security information and event management (SIEM)
A SIEM system is a tool that an organization uses to collect data from across the whole estate, including infrastructure, software, and resources. It does analysis, looks for correlations or anomalies, and generates alerts and incidents.
Security orchestration, automation, and response (SOAR)
A SOAR system takes alerts from many sources, such as a SIEM system. The SOAR system then triggers action-driven automated workflows and processes to run security tasks that mitigate the issue.
Identity governance
Azure AD identity governance gives organizations the ability to do the following tasks:
- Govern the identity lifecycle.
- Govern the access lifecycle.
- Secure privileged access for administration.
Azure AD identity types
Azure AD manages different types of identities: users, service principals, managed identities, and devices.
On-premises datacenters
In an on-premises datacenter, you have responsibility for everything from physical security to encrypting sensitive data.
Azure AD RBAC
Managing access using roles is known as role-based access control (RBAC). Azure AD built-in and custom roles are a form of RBAC in that Azure AD roles control access to Azure AD resources.
Symmetric encryption
Uses the same key to encrypt and decrypt the data.
Passwordless authentication
When a user signs in with a passwordless method, credentials are provided by using methods like biometrics with Windows Hello for Business, or a FIDO2 security key.
Windows Hello for Business
Windows Hello for Business replaces passwords with strong two-factor authentication on devices. This two-factor authentication is a combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (biometrics).
Asymmetric encryption
Uses a public key and private key pair.