Please enable JavaScript.

Coggle requires JavaScript to display documents.

Examine Microsoft Azure security, privacy, compliance, and trust (AZ-900) …

- - - - Confidentiality - The Principle of least privilege restricts access to information only to individuals explicitly granted access. This information includes protection of user passwords, remote access certificates, and email content.
      - Integrity - The prevention of unauthorized changes to information at rest or in transit. A common approach used in data transmission is for the sender to create a unique fingerprint of the data using a one-way hashing algorithm. The hash is sent to the receiver along with the data. The data's hash is recalculated and compared to the original by the receiver to ensure the data wasn't lost or modified in transit.
      - Availability - Ensure services are available to authorized users. Denial of service attacks are a prevalent cause of loss of availability to users.
    - - Physical security is the first line of defense to protect computing hardware in the datacenter.
      - Identity & access controls access to infrastructure and change control.
      - Perimeter layer uses distributed denial-of-service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for end users.
      - Networking layer limits communication between resources through segmentation and access controls.
      - Compute layer secures access to virtual machines.
      - Application layer ensures applications are secure and free of vulnerabilities.
    - - Stored in a database
        
        Stored on disk inside virtual machines
        
        Stored on a SaaS application such as Microsoft 365
        
        Stored in cloud storage
    - - Ensure applications are secure and free of vulnerabilities.
        
        Store sensitive application secrets in a secure storage medium.
        
        Make security a design requirement for all application development.
    - - Secure access to virtual machines.
        Implement endpoint protection and keep systems patched and current.
    - - Limit communication between resources.
        
        Deny by default.
        
        Restrict inbound internet access and limit outbound, where appropriate.
        
        Implement secure connectivity to on-premises networks.
    - - Use distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for end users.
        Use perimeter firewalls to identify and alert on malicious attacks against your network.
    - - Control access to infrastructure and change control.
        
        Use single sign-on and multi-factor authentication.
        
        Audit events and changes.
    - - Physical building security and controlling access to computing hardware within the data center is the first line of defense.
  - - - Application rules that define fully qualified domain names (FQDNs) that can be accessed from a subnet.
        Network rules that define source address, protocol, destination port, and destination address.
  - - - The Basic service tier is automatically enabled as part of the Azure platform. Always-on traffic monitoring and real-time mitigation of common network-level attacks provide the same defenses that Microsoft’s online services use.
    - - Protection policies are tuned through dedicated traffic monitoring and machine learning algorithms. Policies are applied to public IP addresses which are associated with resources deployed in virtual networks, such as Azure Load Balancer and Application Gateway.
      - Tipos de ataques
        
        Volumetric attacks: Volumetrico: inundar la capa de red con multiples llamadas
        
        Protocol attacks:Ataques de protocolo :explotando la debilidad en las capas 3 y 4
        
        Resource applicaiton layer attacks: Ataques de la capa de recursos: interrumpir la transmision a traves de paquedes de apps web
  - - - The network perimeter layer is about protecting organizations from network-based attacks against your resources. Identifying these attacks, alerting, and eliminating their impact is important to keep your network secure. To do this:
        
        Use Azure DDoS Protection to filter large-scale attacks before they can cause a denial of service for end users.
        
        Use perimeter firewalls with Azure Firewall to identify and alert on malicious attacks against your network.
    - - Limit communication between resources through segmenting your network and configuring access controls.
        
        Deny by default.
        
        Restrict inbound internet access and limit outbound where appropriate.
        
        Implement secure connectivity to on-premises networks.
    - - Network security groups and Azure Firewall.
      - Application Gateway WAF and Azure Firewall.
        
        WAF is a feature of Application Gateway that provides your web applications with centralized, inbound protection against common exploits and vulnerabilities. Azure Firewall provides inbound protection for non-HTTP/S protocols (for example, RDP, SSH, FTP), outbound network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S. Combining both provides additional layers of protection.
- - - - aUTHENTICATION
      - Single sign on
      - Application management
        
        using Azure AD App proxy
      - b2b
        
        manage guest user and partners
      - b2c
      - device management
    - - Something you know could be a password or the answer to a security question.
        
        Something you possess might be a mobile app that receives a notification, or a token-generating device.
        
        Something you are is typically some sort of biometric property, such as a fingerprint or face scan used on many mobile devices.
- - - - Detect - Review the first indication of an event investigation. For example, use the Security Center dashboard to review the initial verification that a high-priority security alert was raised.
      - Assess - Perform the initial assessment to obtain more information about the suspicious activity. For example, obtain more information about the security alert.
      - Diagnose - Conduct a technical investigation and identify containment, mitigation, and workaround strategies. For example, follow the remediation steps described by Security Center in that particular security alert.
  - - - Secrets management. You can use Key Vault to securely store and tightly control access to tokens, passwords, certificates, Application Programming Interface (API) keys, and other secrets.
      - Key management. You also can use Key Vault as a key management solution. Key Vault makes it easier to create and control the encryption keys used to encrypt your data.
      - Certificate management. Key Vault lets you provision, manage, and deploy your public and private Secure Sockets Layer/ Transport Layer Security (SSL/ TLS) certificates for your Azure, and internally connected, resources more easily.
      - Store secrets backed by hardware security modules (HSMs). The secrets and keys can be protected either by software, or by FIPS 140-2 Level 2 validated HSMs.
    - - Centralized application secrets. Centralizing storage for application secrets allows you to control their distribution and reduces the chances that secrets may be accidentally leaked.
        
        Securely stored secrets and keys. Azure uses industry-standard algorithms, key lengths, and HSMs, and access requires proper authentication and authorization.
        
        Monitor access and use. Using Key Vault, you can monitor and control access to company secrets.
        
        Simplified administration of application secrets. Key Vault makes it easier to enroll and renew certificates from public Certificate Authorities (CAs). You can also scale up and replicate content within regions and use standard certificate management tools.
        
        Integrate with other Azure services. You can integrate Key Vault with storage accounts, container registries, event hubs and many more Azure services.
  - - - Allowed storage account SKUs. This policy definition has a set of conditions/rules that determine whether a storage account that is being deployed is within a set of SKU sizes. Its effect is to deny all storage accounts that do not adhere to the set of defined SKU sizes.
      - Allowed resource type. This policy definition has a set of conditions/rules to specify the resource types that your organization can deploy. Its effect is to deny all resources that are not part of the defined list.
      - Allowed locations. This policy enables you to restrict the locations that your organization can specify when deploying resources. Its effect is used to enforce your geographic compliance requirements.
      - Allowed Virtual Machine SKUs. This policy enables you to specify a set of VM SKUs that your organization can deploy.
    - - An initiative definition is a set of policy definitions to help track your compliance state for a larger goal
  - - - Allow one user to manage VMs in a subscription, and another user to manage virtual networks.
        
        Allow a database administrator (DBA) group to manage SQL databases in a subscription.
        
        Allow a user to manage all resources in a resource group, such as VMs, websites, and subnets.
        
        Allow an application to access all resources in a resource group.
  - - - Role assignments
        
        Policy assignments
        
        Azure Resource Manager templates
        
        Resource groups
  - - - When designing a subscription model, one should consider the deployment boundary factor, some customers have separate subscriptions for Development and Production, each one is isolated from each other from a resource perspective and managed using RBAC.
- - - - Application monitoring data: Data about the performance and functionality of the code you have written, regardless of its platform.
      - Guest OS monitoring data: Data about the operating system on which your application is running. This could be running in Azure, another cloud, or on-premises.
      - Azure resource monitoring data: Data about the operation of an Azure resource.
      - Azure subscription monitoring data: Data about the operation and management of an Azure subscription, as well as data about the health and operation of Azure itself.
      - Azure tenant monitoring data: Data about the operation of tenant-level Azure services, such as Azure Active Directory.
  - - - Applications Insights
      - Monitor for containers
      - Monitor for vms
    - - Alerts
      - Autoscale
    - - Dashboards
      - Views
      - Power BI