Azure Secure Framework
Defense in depth
Perimeter
DDoS
Firewall
Network
within applications
NSG
outside internet
deny by default
user to app
managed / AD B2C
Identity Access
AD
SSO
MFA
compute
Endpoint access NSG
patch management
application
vulnerabilities
sensitive app secrets
security requirements
data
stored in db
transit
SAAS app
cloud storage
physical
Biometric
Identity management
Managed Identities
Azure AD Application Proxy
Azure AD B2C
MFA outside company's network
are
possess
know
SSO
AD connect
Pass-through authentication
Auto sign-in for domain joined PC
Infrastructure Protection
Management groups
group subscription
Privileged Identity Management
JIT privileged access to auditors
RBAC
service identities
Encryption
In transit
identify and classify data
At rest
TDE
DB
ADE
Virtual disks
SSE
Raw storage
Key vault
Backups
Network Security
app to app
NSG
Network service endpoints
users and app
app to internet
ELB/WAF
On-prem to Azure
VPN gateway
Express Route
Application security
SDLC
Prolaunch
Data security
encrypt blob storage
Operational security
DevSecOps
Secure data and apps
Database Security
Database authentication
SQL
Azure AD
Database Firewalls
Deny by default
Auditing
Retain
Report
Analyze
Data discovery and classification
protection
transit
ExpressRoute
P2S
S2S
Azure portal (HTTPS)
rest
disk encryption to mitigate risks
disk encryption
classification
classification
structured
databases
excel sheet
unstructured
code
email
states
in process
in transit
rest
Vulnerability assessment
Advanced data security
Dynamic data masking (e.g. show only the last 4 digits of a credit card number)
Advanced Threat protection
detects anomaly
Transparent data encryption
CMK
service managed
Always encrypted
randomized
deterministic
Azure key vault
Example
Certificates
Creation
lifecycle
storage
lifecycle events notification
renewals
Access
Data plane
Key vault access policy
Management plane
RBAC
Keys
key Operations
create
import
update
delete
Cryptographic operations
Sign and verify
Key wrapping
Encrypt and decrypt
Keys
Soft
hard (HSM)
Secrets
Encryption
manual or certificate
CMK
Secret rotation
Storage Security
Data sovereignty
storage access
Azure AD DS
Shared access signatures
Azure AD
Shared key
anonymous read access
Shared Access signatures
service-level
account level
user delegation
Design to use SAS
Front-end proxy
lightweight SAS provider service
Azure AD storage authentication
authentication
authorization
Encryption
Security
SSE for data
Azure AD and RBAC
Encrypted in transit
set up "Secure transfer required"
delegated access using SAS
Data at rest
SSE
Azure disk encryption
Blob data retention policies
legal hold
Time-based
Azure Files Authentication
share
directory
Application security
Microsoft Identity platform
App registration
getting an access token
register with Microsoft Identity platform
App scenarios of using AD
graph permissions
application
delegated
managed identities
system assigned
user assigned
Security operations
Azure Monitor
monitor
Monitors
security center
Sentinel
Event hubs
Streaming platform to stream log data to Sentinel or a SIEM
Event ingestion
Metrics and logs
metrics
use
alert
automate
visualize
export
analyze
retrieve
archive
logs
analyze
visualize
alert
retrieve
Log analytics
write query
test query
Alerts
monitor condition
action group
target resource
Azure resource
logic test
signal
logic
diagnostic logging
resource
tenant
Azure Sentinel
SIEM as a service
SOAR
Data connection
Azure security center
Active Directory
Active Directory
Overview
SSO
AD join
join
register
devices
Azure AD joined
Hybrid Azure AD joined
Azure AD registered
Multi tenant
Users
directory synced
guests
Cloud identities
Groups
types
security groups
O365 groups
Adding
Assigned
Dynamic User
Dynamic device