Secure network connectivity on Azure (2) - Coggle Diagram
What is defense in depth?
The objective of defense in depth is to protect information and prevent it from being stolen by those who aren't authorized to access it.
Layers of defense in depth
Layers
The physical security layer is the first line of defense to protect computing hardware in the datacenter.
Physically securing access to buildings and controlling access to computing hardware within the datacenter are the first line of defense.
The identity and access layer controls access to infrastructure and change control.
Control access to infrastructure and change control.
Use single sign-on (SSO) and multifactor authentication.
Audit events and changes.
The perimeter layer uses distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for users.
Use DDoS protection to filter large-scale attacks before they can affect the availability of a system for users.
Use perimeter firewalls to identify and alert on malicious attacks against your network.
The network layer limits communication between resources through segmentation and access controls.
Limit communication between resources.
Deny by default.
Restrict inbound internet access and limit outbound access where appropriate.
Implement secure connectivity to on-premises networks.
The compute layer secures access to virtual machines.
Secure access to virtual machines.
Implement endpoint protection on devices and keep systems patched and current.
The application layer helps ensure that applications are secure and free of security vulnerabilities.
Ensure that applications are secure and free of vulnerabilities.
Store sensitive application secrets in a secure storage medium.
Make security a design requirement for all application development.
The data layer controls access to business and customer data that you need to protect.
Stored in a database.
Stored on disk inside virtual machines.
Stored in software as a service (SaaS) applications, such as Office 365.
Managed through cloud storage.
Security posture
Confidentiality
The principle of least privilege means restricting access to information only to individuals explicitly granted access, and only at the level they need to perform their work.
Integrity
Prevent unauthorized changes to information:
At rest: when it's stored.
In transit: when it's being transferred from one place to another, including from a local computer to the cloud.
Availability
Ensure that services are functioning and can be accessed only by authorized users. Denial-of-service attacks are designed to degrade the availability of a system, affecting its users.
Firewall
A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.
Protect from DDoS attacks by using Azure DDoS Protection
Basic
Free by default
Standard
What kinds of attacks can DDoS Protection help prevent?
Volumetric attacks
Protocol attacks
Resource-layer (application-layer) attacks (only with web application firewall)
What are network security groups?
A network security group enables you to filter network traffic to and from Azure resources within an Azure virtual network.
You can think of NSGs like an internal firewall. An NSG can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol.
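The following is an added example, not part of the original diagram or Azure's own code: a simplified model of how an NSG rule set is evaluated (rules processed in ascending priority order, first match wins, deny when nothing matches). The rule names, priorities and address ranges are constructed for illustration.

```python
# Simplified NSG rule evaluation (added example; assumptions: ascending priority
# order, first match wins, implicit deny when no rule matches). This is a model
# for learning, not Azure's real rule engine.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # lower number = evaluated first
    direction: str       # "Inbound" or "Outbound"
    protocol: str        # "Tcp", "Udp" or "*" (any)
    source: str          # source CIDR, or "*" for any address
    dest_ports: tuple    # (low, high) inclusive destination port range
    access: str          # "Allow" or "Deny"


def _matches(rule, direction, protocol, src_ip, dst_port):
    """True if the packet described by the arguments falls under this rule."""
    if rule.direction != direction:
        return False
    if rule.protocol != "*" and rule.protocol != protocol:
        return False
    if rule.source != "*" and ip_address(src_ip) not in ip_network(rule.source):
        return False
    low, high = rule.dest_ports
    return low <= dst_port <= high


def evaluate(rules, direction, protocol, src_ip, dst_port):
    """Return (access, rule_name) of the first matching rule; deny by default."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _matches(rule, direction, protocol, src_ip, dst_port):
            return rule.access, rule.name
    return "Deny", "DefaultDeny"   # no explicit match: traffic is dropped


# Constructed sample rule set: HTTPS from anywhere, SSH only from a corporate
# range (hypothetical 10.0.0.0/8), and an explicit lowest-priority catch-all deny.
SAMPLE_RULES = [
    Rule("AllowHttps", 100, "Inbound", "Tcp", "*", (443, 443), "Allow"),
    Rule("AllowSshCorp", 110, "Inbound", "Tcp", "10.0.0.0/8", (22, 22), "Allow"),
    Rule("DenyAllInbound", 4096, "Inbound", "*", "*", (0, 65535), "Deny"),
]

if __name__ == "__main__":
    for pkt in (("Inbound", "Tcp", "203.0.113.7", 443),   # public HTTPS: allowed
                ("Inbound", "Tcp", "203.0.113.7", 22),    # public SSH: denied
                ("Inbound", "Tcp", "10.1.2.3", 22)):      # corporate SSH: allowed
        print(pkt, "->", evaluate(SAMPLE_RULES, *pkt))
```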
Combine Azure services to create a complete network security solution
Secure the perimeter layer
Azure DDoS Protection
perimeter firewalls with Azure Firewall
Secure the network layer
Network security groups
Combine services
Network security groups and Azure Firewall
Azure Application Gateway web application firewall and Azure Firewall