AZ900 security + privacy concepts - Coggle Diagram
AZ900
security + privacy concepts
Cost Management
Accounting
Capex - capital expenditures
Up-front spend on an asset you own (e.g. buying servers); depreciated over the useful life of the asset
Cannot fully deduct the asset cost in the same year it is purchased
Opex - operating expenditures
Pay-as-you-go spend with no asset to own; cloud consumption is typically charged as Opex
Reliability
high availability (HA)
keeps a service up through local, short-lived failures, e.g. a power failure or a host crash; measured as an uptime percentage (SLA), so some brief downtime is still expected
disaster recovery (DR)
restores service after a regional catastrophe, e.g. flood or earthquake, usually by failing over to another region; measured by RPO (how much data may be lost) and RTO (how long recovery may take)
fault tolerance
stronger than HA: redundant components absorb a failure with zero downtime and no data loss, instead of recovering from it quickly
The difference: HA minimises downtime, fault tolerance eliminates it; fault tolerance costs more because every component is duplicated and kept in sync
cloud computing services
IaaS
PaaS
SaaS
deployment models
(cloud types)
public
private*
hybrid
community
e.g. Azure Government
Security + Privacy
Azure AD (now Microsoft Entra ID)
identity services
Azure AD vs AD Domain Services: Azure AD is a cloud identity provider (authentication and SSO over OAuth 2.0/OpenID Connect/SAML); it is not a domain controller, so no domain join, Group Policy, LDAP or Kerberos/NTLM. Azure AD is required for Azure and Microsoft 365 services.
Azure AD Domain Services - PaaS: a managed domain (domain join, Group Policy, LDAP, Kerberos/NTLM) for legacy apps that need those protocols in the cloud
Azure AD Connect
Azure AD Domain Services can't replace on-prem AD or Azure AD. Azure AD is still required for cloud services.
--> use Azure AD Connect to synchronise users and groups (and optionally password hashes) from on-prem AD to Azure AD, so one identity works in both
Multi-factor authentication (MFA): requires two or more independent factors from different categories:
something you know
something you have
something you are
Role Based Access Control (RBAC)
Roles
purpose - group together sets of permissions (allowed management actions such as Microsoft.Compute/virtualMachines/read)
a role assignment binds a security principal (user, group, service principal or managed identity) to a role at a scope
common built-in roles:
Owner (full access, including assigning roles), Contributor (full access except managing access), Reader (view only); User Access Administrator manages access only
can be applied at levels (scopes):
management group, subscription, resource group, individual resource; an assignment is inherited by every child scope, and permissions are additive across assignments
Adding role assignment to resource group:
[in res group] > access control (IAM) > Add role assignment
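Added example (not from the original notes or from Microsoft): a small model of how a role assignment made at one scope is inherited by everything beneath it, and how Contributor's NotActions keep it from managing access. The three role definitions are trimmed to the actions used here, and the subscription ID, resource names, users and group are constructed.

```python
# Added example (not Azure's code): a minimal model of Azure RBAC scope inheritance.
# Role definitions are trimmed to the actions used here; the real built-in definitions
# are longer. Subscription ID, resource names, principals and the group are constructed.
from dataclasses import dataclass
from fnmatch import fnmatchcase

ROLE_DEFINITIONS = {
    # Owner: every action, including writing role assignments
    "Owner":       {"actions": ["*"], "not_actions": []},
    # Contributor: every action except managing access (NotActions subtract from Actions)
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete"]},
    # Reader: read actions only
    "Reader":      {"actions": ["*/read"], "not_actions": []},
}

@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # user, group, service principal or managed identity
    role: str       # key into ROLE_DEFINITIONS
    scope: str      # ARM resource ID of the scope the assignment was made at

def role_allows(role: str, action: str) -> bool:
    """Actions grant, NotActions subtract; wildcards and case-insensitivity as in Azure."""
    defn = ROLE_DEFINITIONS[role]
    granted = any(fnmatchcase(action.lower(), p.lower()) for p in defn["actions"])
    excluded = any(fnmatchcase(action.lower(), p.lower()) for p in defn["not_actions"])
    return granted and not excluded

def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """An assignment applies to its own scope and to every child scope below it."""
    return target_scope == assignment_scope or target_scope.startswith(assignment_scope + "/")

def is_allowed(principal, action, target_scope, assignments, group_members) -> bool:
    """Azure RBAC is additive: one covering assignment whose role allows the action is enough."""
    identities = {principal} | {g for g, members in group_members.items() if principal in members}
    return any(
        a.principal in identities
        and scope_covers(a.scope, target_scope)
        and role_allows(a.role, action)
        for a in assignments
    )

# Constructed hierarchy: subscription > resource groups > virtual machines
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG_WEB = SUB + "/resourceGroups/rg-web"
RG_DATA = SUB + "/resourceGroups/rg-data"
VM_WEB = RG_WEB + "/providers/Microsoft.Compute/virtualMachines/vm-web-01"
VM_DB = RG_DATA + "/providers/Microsoft.Compute/virtualMachines/vm-db-01"

GROUP_MEMBERS = {"sg-devs": {"alice"}}
ASSIGNMENTS = [
    RoleAssignment("alice", "Reader", SUB),             # inherited by every RG and resource
    RoleAssignment("sg-devs", "Contributor", RG_WEB),   # alice gets this via group membership
    RoleAssignment("bob", "Owner", VM_WEB),             # resource-level assignment only
]

def check(principal, action, scope) -> bool:
    return is_allowed(principal, action, scope, ASSIGNMENTS, GROUP_MEMBERS)

if __name__ == "__main__":
    for who, action, scope in [
        ("alice", "Microsoft.Compute/virtualMachines/read", VM_DB),
        ("alice", "Microsoft.Compute/virtualMachines/write", VM_WEB),
        ("alice", "Microsoft.Compute/virtualMachines/write", VM_DB),
        ("alice", "Microsoft.Authorization/roleAssignments/write", RG_WEB),
        ("bob", "Microsoft.Authorization/roleAssignments/write", VM_WEB),
        ("bob", "Microsoft.Compute/virtualMachines/read", RG_WEB),
    ]:
        print(f"{who:6} {action:50} {scope.rsplit('/', 1)[-1]:10} -> {check(who, action, scope)}")
```

The last case shows why resource-level assignments are safe to hand out: bob owns one VM but cannot even list the resource group it sits in, because inheritance only flows downward.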
Governance
policies and blueprints
Why needed
Enforce security requirements
Enforce tech requirements
Enforcing standard sizes, builds, configurations
Tools
Azure Policy
What is it?
A policy definition is a rule: an "if" condition over resource properties (type, location, SKU, tags...) plus a "then" effect (Deny, Audit, Append, Modify, DeployIfNotExists...)
Assigned to a scope
e.g. a management group, subscription or resource group
Evaluates resources for compliance with company standards: Deny blocks a non-compliant deployment at request time; Audit and the other effects report existing non-compliant resources on the compliance dashboard (nothing is fixed automatically unless a DeployIfNotExists/Modify remediation task is run)
Using: define the policy, assign it to a scope, set parameters on the assignment (e.g. the list of allowed locations)
Some built-in policies: allowed storage SKUs, allowed resource types, allowed locations, require a tag (and its value), allowed VM SKUs
Adding in portal: Policy > Definitions
Can add initiative/policy definitions
Initiatives
What is it?
A collection of policies, grouped together to achieve a larger goal (e.g. a regulatory compliance standard)
Assigned to a scope
e.g. subscription or resource group
Using: define, assign, parameters (one set of parameter values for the whole initiative)
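Added example (not from the original notes or from Microsoft): two policy definitions written in the real Azure Policy rule schema (the same if/then shape the "Allowed locations" and "Require a tag" built-ins use), an initiative that groups them with one set of parameter values, and a small evaluator that applies the "if" condition to constructed resources so the difference between the Deny and Audit effects is visible. The evaluator only implements the operators used here; the resources, tag name and location list are constructed.

```python
# Added example (not Azure's code): policy definitions in the Azure Policy rule schema
# plus a minimal evaluator. Supports only allOf/anyOf/not and equals/notEquals/in/notIn/exists.
# Resources, tag name and parameter values below are constructed.
import re

ALLOWED_LOCATIONS = {
    "displayName": "Allowed locations",
    "parameters": {"listOfAllowedLocations": {"type": "Array"}},
    "policyRule": {
        "if": {"allOf": [
            {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
            {"field": "location", "notEquals": "global"},
        ]},
        "then": {"effect": "deny"},     # rejected at request time
    },
}

REQUIRE_TAG = {
    "displayName": "Require costCenter tag",
    "parameters": {},
    "policyRule": {
        "if": {"field": "tags['costCenter']", "exists": "false"},
        "then": {"effect": "audit"},    # deploys, but is flagged non-compliant
    },
}

# An initiative: policies plus one set of parameter values, assigned together
INITIATIVE = [
    (ALLOWED_LOCATIONS, {"listOfAllowedLocations": ["westeurope", "northeurope"]}),
    (REQUIRE_TAG, {}),
]

PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")
TAG_FIELD = re.compile(r"^tags\['([^']+)'\]$")

def _norm(v):
    """Azure Policy string comparisons are case-insensitive."""
    if isinstance(v, str):
        return v.lower()
    if isinstance(v, list):
        return [_norm(x) for x in v]
    return v

def resolve(value, params):
    """Replace an ARM-style [parameters('name')] reference with the assigned value."""
    if isinstance(value, str) and (m := PARAM_REF.match(value)):
        return params[m.group(1)]
    return value

def field_value(resource, field):
    """Look up a policy field alias: 'location', 'type', "tags['key']"."""
    if m := TAG_FIELD.match(field):
        return resource.get("tags", {}).get(m.group(1))
    return resource.get(field)

def matches(cond, resource, params) -> bool:
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    actual = _norm(field_value(resource, cond["field"]))
    if "equals" in cond:
        return actual == _norm(resolve(cond["equals"], params))
    if "notEquals" in cond:
        return actual != _norm(resolve(cond["notEquals"], params))
    if "in" in cond:
        return actual in _norm(resolve(cond["in"], params))
    if "notIn" in cond:
        return actual not in _norm(resolve(cond["notIn"], params))
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")

def evaluate_initiative(initiative, resource):
    """Per policy: 'compliant', or 'non-compliant (<effect>)' when the if-condition matches."""
    results = {}
    for policy, params in initiative:
        rule = policy["policyRule"]
        hit = matches(rule["if"], resource, params)
        results[policy["displayName"]] = f"non-compliant ({rule['then']['effect']})" if hit else "compliant"
    return results

def would_deploy(initiative, resource) -> bool:
    """Deny rejects the request; Audit lets it through and only records non-compliance."""
    return not any(r == "non-compliant (deny)" for r in evaluate_initiative(initiative, resource).values())

# Constructed resources, shaped as Resource Manager presents them to Policy
VM_OK = {"type": "Microsoft.Compute/virtualMachines", "location": "westeurope", "tags": {"costCenter": "1234"}}
STORAGE_BAD = {"type": "Microsoft.Storage/storageAccounts", "location": "eastus", "tags": {}}

if __name__ == "__main__":
    for res in (VM_OK, STORAGE_BAD):
        print(res["type"], evaluate_initiative(INITIATIVE, res), "deploys:", would_deploy(INITIATIVE, res))
```

The storage account fails both policies, but only the location policy stops the deployment; the missing tag is merely reported, which is the practical difference between choosing Deny and Audit when you assign a policy.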
Azure Blueprints
What is it?
A way of orchestrating the deployment of resource templates + artifacts as one repeatable package (e.g. a standard landing zone)
What artifacts can it deploy?
Policies and initiatives (assigned to the target scope)
Role assignments on the resources and resource groups the blueprint creates
Azure Resource Manager templates
Using: define it, publish it, assign (deploy) it to a subscription
Blueprints are versioned; you decide which version is assigned to each deployment, and the blueprint keeps a relationship to the resources it deployed
Caveat: Azure Blueprints is deprecated and scheduled for retirement in July 2026; Microsoft's recommended replacement is Template Specs plus Deployment Stacks
Azure Advisor Security Assistance
Azure Advisor's Security recommendations are sourced from Azure Security Center (now Microsoft Defender for Cloud); the underlying configuration is managed in Security Center
What is it?
Helps prevent, detect, and respond to threats
Alerts, recommendations (e.g. enable MFA, restrict exposed management ports, apply system updates)
Securing networks
network security groups (NSGs)
What are they?
Allow/deny inbound/outbound traffic to a subnet or NIC (layer 3/4 filtering on IP, port and protocol)
Contain rules
with a priority number (100 to 4096 for custom rules; lower number = evaluated first, first match wins); default rules at 65000+ allow VNet and Azure load balancer traffic and deny everything else inbound
Attached to subnets or network interfaces (NICs); one NSG can be associated with multiple subnets/NICs; if both the subnet and the NIC have an NSG, inbound traffic must be allowed by both
Are stateful - once a flow is allowed in one direction, its return traffic is allowed automatically; no rule for the return direction is needed
Properties: name, priority, source/destination (IP/CIDR, service tag or application security group), source/destination port range, protocol (TCP, UDP, ICMP, Any), direction (inbound/outbound), action (allow/deny)
Sample NSG Rules
NSG must be in the same region (and subscription) as the resource it is associated with
Problems with
can be complex - lots of rules
Difficult to maintain - if you add resources, you may need to update several NSGs
Solutions
Use service tags (Microsoft-maintained address groups such as Internet, VirtualNetwork, AzureLoadBalancer, Storage) instead of hand-maintained IP lists
Use the default security rules where they already express the intent (they can't be deleted, but a higher-priority custom rule overrides them)
Use application security groups (ASGs): group NICs by workload role so rules reference the group, not individual IPs
examples - based on tier (web, app, data), DMZ, automation
application security groups can be source or destination for NSG rule
1) create app security group
2) for individual resource > networking > application security groups (add the NIC to the group)
3) for NSG > create a rule > use app security group as a source/destination
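Added example (not from the original notes or from Microsoft): an evaluator that processes constructed NSG rules the way the platform does for a new flow: sort by priority, first match wins, and the default rules catch whatever the custom rules did not. It uses the real default inbound rules and the real Azure load balancer probe address, but the VNet prefix, the two application security groups (asg-web, asg-data), the rules and the sample flows are constructed, and the Internet service tag is simplified to "not in the VNet". The last case shows a common mistake: without an explicit deny, the 65000 AllowVnetInBound default lets any VNet host reach the data tier.

```python
# Added example (not Azure's code): NSG rule evaluation for new flows. Because NSGs are
# stateful only the first packet of a flow is evaluated; return traffic is never checked
# against the rules in the other direction. VNet prefix, ASG names, rules and flows are
# constructed; service tags are approximated (Internet = outside the constructed VNet).
import ipaddress
from dataclasses import dataclass

VNET_PREFIXES = [ipaddress.ip_network("10.0.0.0/16")]   # constructed VNet address space
AZURE_LB_PROBE = ipaddress.ip_address("168.63.129.16")  # real Azure load balancer probe IP

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "TCP", "UDP", "ICMP" or "*"
    source: str        # CIDR, service tag, ASG name (asg-*) or "*"
    destination: str
    dest_port: str     # "443", "1000-2000" or "*"

@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int
    src_asgs: frozenset = frozenset()  # ASGs the source NIC belongs to
    dst_asgs: frozenset = frozenset()  # ASGs the destination NIC belongs to

DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
]

def in_vnet(ip) -> bool:
    return any(ip in net for net in VNET_PREFIXES)

def address_matches(spec, ip_str, asgs) -> bool:
    ip = ipaddress.ip_address(ip_str)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return in_vnet(ip)
    if spec == "Internet":
        return not in_vnet(ip)          # simplification of the real service tag
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE
    if spec.startswith("asg-"):        # application security group (naming convention here)
        return spec in asgs
    return ip in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def validate_custom(rule):
    """Custom rule priorities must be within 100-4096 (platform constraint)."""
    if not 100 <= rule.priority <= 4096:
        raise ValueError(f"{rule.name}: priority {rule.priority} outside 100-4096")

def evaluate(rules, flow):
    """Return (access, rule name) of the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != flow.direction:
            continue
        if rule.protocol != "*" and rule.protocol.upper() != flow.protocol.upper():
            continue
        if not address_matches(rule.source, flow.src_ip, flow.src_asgs):
            continue
        if not address_matches(rule.destination, flow.dst_ip, flow.dst_asgs):
            continue
        if not port_matches(rule.dest_port, flow.dst_port):
            continue
        return rule.access, rule.name
    raise RuntimeError("no rule matched; DenyAllInBound should always match")

# Constructed rule set for a web tier (asg-web) and a data tier (asg-data)
CUSTOM = [
    Rule("AllowHttpsFromInternet", 100, "Inbound", "Allow", "TCP", "Internet", "asg-web", "443"),
    Rule("AllowSqlFromWebTier", 110, "Inbound", "Allow", "TCP", "asg-web", "asg-data", "1433"),
    # Without this, AllowVnetInBound (65000) lets every VNet host reach the data tier
    Rule("DenyVnetToDataTier", 4000, "Inbound", "Deny", "*", "VirtualNetwork", "asg-data", "*"),
]
for r in CUSTOM:
    validate_custom(r)
RULES = CUSTOM + DEFAULT_INBOUND

WEB, DATA = frozenset({"asg-web"}), frozenset({"asg-data"})
FLOWS = {
    "internet->web:443": Flow("Inbound", "TCP", "203.0.113.7", "10.0.1.4", 443, dst_asgs=WEB),
    "internet->web:22":  Flow("Inbound", "TCP", "203.0.113.7", "10.0.1.4", 22, dst_asgs=WEB),
    "web->data:1433":    Flow("Inbound", "TCP", "10.0.1.4", "10.0.2.5", 1433, src_asgs=WEB, dst_asgs=DATA),
    "other->data:1433":  Flow("Inbound", "TCP", "10.0.3.9", "10.0.2.5", 1433, dst_asgs=DATA),
}

def without_tier_deny():
    return [r for r in RULES if r.name != "DenyVnetToDataTier"]

if __name__ == "__main__":
    for label, flow in FLOWS.items():
        print(f"{label:20} {evaluate(RULES, flow)}")
    print("other->data without the explicit deny:", evaluate(without_tier_deny(), FLOWS["other->data:1433"]))
```

Note the ordering trap: the tier deny sits at 4000 so that the specific allow at 110 wins for the web tier, but it must still be below 65000 or the default VNet allow would fire first.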
Azure Firewalls and User Defined Routes
user defined routes (UDRs)
What are they: Azure creates system routes for every subnet by default (the VNet address space -> VirtualNetwork, 0.0.0.0/0 -> Internet); user defined routes in a route table associated with the subnet override them. The longest matching prefix wins; for equal prefixes a user route beats a BGP route, which beats a system route
Often used when we want to filter traffic through a network virtual appliance (next hop type VirtualAppliance with the appliance's private IP) or Azure Firewall
[Before] and [After]
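Added example (not from the original notes or from Microsoft) for the "[Before] and [After]" comparison above and for the forced tunnelling entry under "Other security options": route selection over a subnet's effective routes, using longest-prefix match with the user > BGP > system tie-break. The VNet prefix, the appliance address 10.0.2.4 and the destination IPs are constructed.

```python
# Added example (not Azure's code): effective route selection for a subnet. Azure picks the
# longest matching prefix; on a tie, a user-defined route beats BGP, which beats a system
# route. VNet prefix, appliance IP and destinations are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

ORIGIN_RANK = {"User": 3, "BGP": 2, "System": 1}   # higher wins when prefix lengths tie

@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str           # VirtualNetwork, Internet, VirtualAppliance, VirtualNetworkGateway
    next_hop_ip: Optional[str]   # only VirtualAppliance needs an explicit IP
    origin: str                  # "System", "BGP" or "User"

# [Before]: only the system routes Azure creates for the subnet
SYSTEM_ROUTES = [
    Route("10.0.0.0/16", "VirtualNetwork", None, "System"),   # VNet address space
    Route("0.0.0.0/0", "Internet", None, "System"),           # everything else straight out
]
# [After]: route table on the subnet sends internet-bound traffic through the NVA
NVA_ROUTES = [Route("0.0.0.0/0", "VirtualAppliance", "10.0.2.4", "User")]
# Forced tunnelling variant: internet-bound traffic goes back on-prem via the VPN/ExpressRoute gateway
FORCED_TUNNEL_ROUTES = [Route("0.0.0.0/0", "VirtualNetworkGateway", None, "User")]

def select_route(routes, dst_ip) -> Optional[Route]:
    ip = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if ip in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, ORIGIN_RANK[r.origin]))

def effective_next_hop(routes, dst_ip) -> str:
    r = select_route(routes, dst_ip)
    if r is None:
        return "None"
    return f"{r.next_hop_type}({r.next_hop_ip})" if r.next_hop_ip else r.next_hop_type

if __name__ == "__main__":
    for label, table in [("before", SYSTEM_ROUTES),
                         ("after (NVA)", SYSTEM_ROUTES + NVA_ROUTES),
                         ("after (forced tunnel)", SYSTEM_ROUTES + FORCED_TUNNEL_ROUTES)]:
        print(f"{label:22} 8.8.8.8 -> {effective_next_hop(table, '8.8.8.8'):25} "
              f"10.0.1.5 -> {effective_next_hop(table, '10.0.1.5')}")
```

Intra-VNet traffic keeps using the /16 system route in every table because it is the longer prefix; the user route only wins the 0.0.0.0/0 tie, which is exactly the behaviour that lets a single default route redirect internet-bound traffic without breaking east-west connectivity.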
What are features of Azure firewall?
stateful, fully managed firewall-as-a-service with built-in high availability and scaling
threat intelligence - alerts on or blocks traffic to/from IPs and domains on Microsoft's threat feed
modes: off, alert only, alert and deny
inbound DNAT + outbound SNAT support
integration with Azure Monitor (logs and metrics)
network traffic filtering rules: application rules (by FQDN), network rules (IP/port/protocol), NAT rules
Azure DDoS service tiers
Basic (now called DDoS infrastructure protection)
always-on traffic monitoring and automatic mitigation at the Azure platform level, not tuned to your application
free, enabled for every Azure customer
Standard (now DDoS Network Protection; a per-address DDoS IP Protection SKU also exists)
mitigation policies tuned to your own VNet and public IPs
real time metrics (useful during an attack in progress)
post attack reports
access to the DDoS Rapid Response team during an active attack
integrates with Security information and event management (SIEM) through Azure Monitor logs
backed by an SLA and cost protection (service credits for scale-out caused by a documented attack)
Cost: monthly fee
Can also use virtual appliances (e.g. Palo Alto)
Other security options
Azure web application firewall (WAF): protects web apps at layer 7 against common exploits (OWASP Top 10 such as SQL injection and cross-site scripting); deployed with Application Gateway or Azure Front Door; rule sets run in detection or prevention mode
forced tunnelling: control the flow of internet-bound traffic. e.g. a user defined route for 0.0.0.0/0 with next hop VirtualNetworkGateway sends internet-bound traffic back to on-prem over VPN/ExpressRoute so on-prem tools can inspect it
Network virtual appliances from the Azure Marketplace (third-party firewalls, IDS/IPS, WAN optimisers)
Compliance and Data Protection Standards
Microsoft Trust Center
security, privacy, + compliance info
MS product compliance info
compliance tools
compliance score (Compliance Manager)
audit reports (e.g. SOC, ISO, PCI DSS)
data protection resources
url: servicetrust.microsoft.com (this is the Service Trust Portal, where the audit reports and Compliance Manager live; the Trust Center itself is at microsoft.com/trust-center)
Azure special regions (sovereign clouds, physically and logically isolated from global Azure):
US gov: Virginia, Iowa, Arizona, Texas (Azure Government, for US government agencies and their partners)
China: East, North (operated by 21Vianet, not by Microsoft)
Germany: Central, Northeast (the Microsoft Cloud Germany "data trustee" regions; closed in 2021 and replaced by Germany West Central and Germany North in global Azure)
securing resource groups/resources - locks
Read-only: no changes at all on the locked scope (no create, update or delete)
Delete (CanNotDelete): can still add or modify resources in the resource group, but can't delete any
locks apply to everyone, including Owners, and are inherited by child resources; remove the lock before a deliberate delete
Security and reporting tools
Azure information protection (AIP)
What is it?
Classify and label documents and emails (manually, or automatically from content rules)
Classification (label metadata that travels with the file) and protection
protection: Azure Rights Management encrypts documents and applies usage rights from rights management templates, so the policy follows the file even outside the organisation
• on-prem data stores: use the Azure Information Protection scanner
• cloud app stores: Microsoft Cloud App Security
Azure monitor
metrics and logs for Azure and on-prem resources
troubleshooting and performance monitoring
Azure key vault: stores secrets (passwords, connection strings), encryption keys and certificates; Premium tier keys are HSM-protected; access is controlled per vault and every access is logged
Azure security center (now Microsoft Defender for Cloud)
use cases and setup
protect PaaS: no deployment needed (Azure resources are assessed automatically)
non-Azure services: deploy the monitoring agent on the servers
compliance: reports your compliance posture against standards (e.g. Azure Security Benchmark, PCI DSS)
assessment: continuous assessment of existing + new resources
threat protection: detects threats to IaaS and PaaS
tiers
free
continuous assessment + security recommendations
Azure secure score
standard
just-in-time VM access, adaptive network hardening, threat protection for VMs
Azure service health
notifies you about Azure service issues and planned maintenance that affect your resources
personalized dashboards
configurable alerts
support guiding you through issue
Azure advanced threat protection (now Microsoft Defender for Identity)
detect and investigate attacks in Azure and on-prem
monitor and analyze user activity
identifies suspicious activity and events
works with the on-prem AD forest (sensors installed on domain controllers)
identifies the stages of an identity attack:
reconnaissance attacks
compromised credentials
lateral movement
domain dominance