Pass Microsoft Azure Security AZ-500 Exam in First Attempt Easily

Introduction and Study Resources

1. Azure Quick Overview

In particular. We're going to cover the following cloud models that you need to be aware of that you may have heard about already in the industry: Azure's core infrastructure. Included are Azure regions and what you need to know about resource groups, which you'll use throughout the networking course. Virtual machines. And then we'll talk about app and DB services. as well as some of the other services available to you in Azure. Finally, we're ending off with the Azure Portal itself and how you can get around the portal and access Azure. Let's begin by taking a look at the cloud service models. And if we look at the traditional way, this is what we would deploy in our data center, and this is the stack that we basically have to manage. So from networking through storage servers, we often have a virtualization layer, an operating system we might deploy, and then we have to run some middleware on top of it, runtime data applications, et cetera. But all of us—you get the point—would manage and maintain the data center. Cloud came after Virtualization and expanded on it, introducing new models, the first of which was Infrastructure as a Service, also known as IaaS in the industry. The big difference is that we no longer manage those bottom four pieces of the stack. So that takes away networking, storage, servers, and virtualization in the Azure world.

Azure will manage all of those for us. We don't have to go and physically plug any cables in, we don't have to rack storage arrays and servers, and we don't even have to maintain our own virtualization layer like you often would previously with VMware or HyperV. However, in this model, you still need to manage the operating system itself. But then there were other options that came along, notably Platform as a Service. This is a common one that's gaining traction in the industry. You hear the term "paths" when people talk about this one, and this takes away things like the operating system middleware and run time from it. You still have to manage your applications and data that run on top of that. However, in many cases, all platforms as services now offer slightly different services. But perhaps you don't need the OS anymore and can use web apps, which you'll hear about a little bit later on, or perhaps you've got a database service that's readily available to you, so you don't need to manage the SQL engine or anything else anymore. That's all managed for you by database services. And finally, we have software as a service.

This is fully managed. These are SAS-based services. Typically, things like ServiceNow or other hosted services Think of things like Dropbox and things like that as well. This is a completely hosted service for you. In some cases, you're still going to manage your application that runs on top of those, but you're not really supporting any of the plumbing at all, really. You're just kind of working and configuring the application. Then we've got things like Azure Regions. This is very important. Think of that traditional model when wewanted to build a data center. It's a lot of work, right? We would have to typically put it in one location. It is frequently the building in which your company is housed. And when you want to expand, it's very difficult because you'd have to go and build another entire data center, maybe somewhere else in the world. Well, Azure gives us over 50 regions worldwide. It's available in over 140 countries. And as you can see, there's a mixture of available regions, announced regions, and some regions now have what they call "availability zones." So this is a region, say, for example, in the central US. There are availability zones present for the region, but there are also individual data centres within that region where you can place your workloads. So you can get additional availability, but you can just see the global coverage. So if you want to deploy your application and have it closer to your customers, you can do that.

If you've got data sovereignty rules that you need to adhere to That also allows you to keep data, perhaps, in the country of origin much more easily. There's another concept as well that goes with this, which is region pairs. So when Microsoft Azure built the regions, they paired them up. So that way, when they patch them and do their maintenance, you can know that only one region in the region pair will be susceptible to maintenance at a particular time. So that's just a good thing to know if you're choosing a second region. Often, a lot of customers have a primary region and a second region. For failover, knowing which one is paired is very important. One of the fundamental concepts you do need to know about our Azure Resource Groups is that these are where you put all of your different objects. They're essentially a container that you can put your web apps, virtual machines, and databases in.

Any service you see us deploy in the course will almost always be deployed in a resource group. The good thing is it's very easy to manage, but just be aware of this too. When you delete the resource group, every single thing in there is destroyed. It's helpful because it allows us to just take away all the components and associated components of applications that share the same lifecycle very easily. but you just need to be careful with it. And you'll see things like resource locks and other things throughout the course so you know how to use them wisely. Now let's take a look at some of the fundamental networking features you need to be aware of. Well, first of all, there's this fundamental concept of a VNet that you can see on screen right now.

And within our VNET, we have subnets. This is the network that we can ultimately connect our virtual machines to. So virtual machines will connect to a subnet that has a subnet range. That's what gives it its IP address. It's an IP address from a subnet that you've defined in your home router, just like your home machine on your home network. Same thing: you can define multiple subnets in Azure within the same VNet, essentially connecting it to the VNet and selecting a range from that subnet. One thing to note is that VNETS are isolated, so there's complete isolation between them unless you choose to connect them using some of the other things we'll talk about a little bit later on. In addition, you do have Internet access available to you by default. Unless you add additional rules and things on top of that, all of the machines in the subnet can communicate with the Internet. And you can talk in; you just need a public IP address to be able to do that as well.

In addition, you can put pretty much any of the Azure resources that you want into a VNet. As a result, when you connect, whether it's Web apps, VMs, or other services, you'll have specific options for connecting them to the network that you want. So you can mix and match services in those virtual networks, and they can be a mixture of PAS or IR services as well. In addition, you can connect VNet to other Venets. There's a concept known as VNet peering, as well as connectivity on premises using a variety of VPN, gateway, ExpressRoute, and other technologies that are available. Finally, you have something on there called a traffic filter.

That's what the NSG is. There are certainly ways to do things like IDs and IPS, which stands for intrusion detection and intrusion prevention, for anyone not familiar with those terms. You can route traffic through devices like Palo Alto and Checkpoint, or you can use this built-in traffic filter, which is an NSG, also known as a Network Security Group, to restrict traffic. But as I said, you can also do routing as well. So there's a default routing behavior. So by default, all those machines and subnet A and subnet B can all talk to each other. If we pair a VNet with another VNet, the VMs or services in that VNet can talk to the other one. But that's the default routing behaviour if we want to change it and redirect the route, like I said, through places like Palo Alto, checkpoints, or one of the other services out there that are available to you as well. The other big thing is to have a fundamental knowledge of our virtual machines, and we start off with our hardware platform on the screen and think of our hardware just like we would in the traditional way.

We would have a CPU; we would have memory; we would have a disk. And often, when we're doing this on premises, we would have an operating system Windows or Linux), and then we would install our application. And that's the old way we do things. That's still the way when we have a machine at home: we have a physical machine with our hardware (CPU, memory, disk), we put our Windows machine or our MacOS on top of it, and then we load all our applications on top of that. Well, virtual machines changed the game when I came along, because what happened was that you still have a CPU and memory disc that go into a set of hardware, but another layer was added in between called a hypervisor. So things on premises like VMware or HyperV were the common ones that were out there. And then on top of that, you would couple up your apps and OS together into what is ultimately known as a virtual machine.

These are your VMs, and they allowed us to basically oversubscribe those hosts because often what would happen was you weren't using all of that CPU and memory on those machines. Every time an enterprise would stand up in your application, they'd buy a whole host of new hardware, but a lot of it went away. So, by putting a large number of operating systems and applications on the same set of CPU, memory, and disk, you can achieve much better consolidation, value for money, and a return on your investment. Now, in addition to the virtual machines and networking, which are really some of the core infrastructure things you need to know about, there are a number of app and DB services. These are the PAS services we talked about earlier. And in particular, under App Services, we've got something called Web Apps.

This is a PaaS service that allows us to take applications that traditionally we might deploy on IIS (Internet Information Services), like ASP Net applications, and run them directly on the Power service known as WebApps without us having to manage that OS and install the IRS server, et cetera. In addition, there are mobile apps for mobile device back ends. That's another service that can also run in the same app service environment as well as serverless functions such as functions and logic apps. So both these are a little bit different. Azure functions are really serverless pieces of code that you would write, and then they will execute on a compute node that Azure has available for you. So instead of you writing your code and then kind of deploying it all on a single virtual machine or operating system, this time you write the code and it just places it on a machine to run for you in addition to your logic apps. Very similar. But these are not really code heavy.These are more about connecting different services on the Internet or between different Azure services, and you'll hear more about those. like I said, throughout the course.

The other big one, though, is containers, and more specifically, Azure Container Service, also known as AKS. Often people call it Azure Kubernetes Service because it's predominately Kubernetes now, which is the main standard that people are going for in the container world, and you'll hear more about this as well. But this allows us to couple up and deploy and essentially containerize applications with this concept of build, ship, and run. So an app developer can build the application, build it into a container, ship it off to a container repository, and then run it on a container host when the time comes. In addition, we've got those database services, so we've got things like SQL in particular. We've got AzureSQL in there as well as SQL managed instances. These are currently in preview, so they're not covered specifically in the course. One other is Azure SQL, but it's good to know that those are out there as well. If you're going to be using Azure because you don't necessarily have to spin up a VM and then deploy SQL on top of it, you've got this PaaS service available to you in addition to the Azure database for PostgresSQL and the Azure database for My SQL or other hosted database services that are available as well.

Finally, there's another one, which is Cosmos DB, and this is a pretty interesting one because it's globalscale, and if you're trying to use things like MongoDB, you can run that on top of Cosmos and it can kind of scale out geographically. So again, it's not specifically covered in the course, but just know that it's out there as well. From a storage perspective, there are some other services that we need to talk about there.So if we look at storage, we've got Blob storage. This is covered in detail in the course itself, and you just really need to know that a lot of people are used to traditional file systems, whether it's on premises or Windows file shares, etc. And Blob Story is essentially just a storage container in which we can store large binary objects. So these could be images, videos, or things like that that we just want to keep out there. In addition, there are tables, there are files that are your typical kind of file share, and there are messages as well that you can put up in Azure as part of their storage services.

There are also a plethora of other services available, such as machine learning and AI, as well as cognitive services. So things like facial recognition, translationfor speech, you can automatically doclosed caption and things like that. and we'll hopefully circle back and do a video on that sometime soon. Because that's something we like to do for the course. is to actually record the course, and then when we want to add the closed captioning in, We can put it through something called a Video Indexer. Takes these videos. takes the audio and turns it into English closed captioning. And then I can choose to translate that. Results vary by language and how it translates.

But pretty interesting services that are out there,as well as things like IoT as well. So the Internet of Things is around. Okay, devices that I might run, things like you mighthave your fridge might be connected to the Internet. You might have cars connected to the Internet in the manufacturing community; this is very big right now, as well as things like farming and other things like that where you can have devices out there that need to check in and send messages. And IoT, also known as the Internet of Things, is very powerful there. There are also services that are key, and these are covered predominantly in the course. things like identity. So that's Azure Active Directory. You've probably already seen that by now.

Even if you use an Amazon Web Service, a lot of people use Azure AD as their single identity source. It's a fully managed identity platform for you, and it has a whole host of security features in there. which brings me on to operations and security as well. And a lot of these are covered in the course. So these are things like using Log Analytics to search across all of the different services that you've connected to. For detecting threats in your environment, use the log analytics security center. There's a whole host of services there, as well as monitoring and alerting—all the usual things that come with that as well. The big thing, though, from an access point of view, predominantly throughout the course, is that we will be in the Azure Portal, and we will also do a lot of demos in Azure PowerShell as well. But if we just go to the portal very quickly, it's this link, which is Portal Azure.com.And if we select it, this will take us to the portal where you log in again. Just make sure you have that trial account already set up, and you'll typically get a dashboard when you log in. And I'll have a bunch of stuff on there, such as services you've deployed: there are Help and Support tabs; there are virtual machines that I built earlier, Skylines VM. But just get used to the Portal for a little bit. So you'll notice that we frequently go into this on the left hand side, creating a resource section on the top left. If you just want to see all services, we can click this, and then this will bring up all the services available in Azure. We can also filter them and search for them. ‘

You can search right here in the filter. You can also search in this box at the top. This is actually where I go a lot of the time. I simply go straight up here. And if I'm looking for virtual machines, I'll type in virtual machines. Click that, and that will take me to the Virtual Machine section, where I've got my virtual machine running there right now. There is currently only one for this demo, but these favourites can be found on the left side. So you've got things like, if you want to go back to your dashboard, you can click here. If you want to just see all of the resources running in your Azure subscription, you can click this and you'll see we've got a whole bunch of resources there. If I want to go to those resource groups I mentioned, I can click this, and I can see all the different resource groups that I've got in my environment.

And then if I want to delete something, I can go into that resource group, delete it, and it will delete all of those objects inside there. So if I go to "Skylines Intro" as an example, I can click this one. This is where I deployed that virtual machine. This is the resource group. And as you can see, it contains a whole bunch of things that got deployed along with the virtual machine. And if I want to delete that resource group, I would simply click Delete Resource Group, and it would ask me to type in the resource group name, and then I would click Delete. And now it will delete that resource group and everything inside of it. Now there is no turning back from that. So make sure you've got backups if this is something critical that you might need to get back later on. But for the purposes of the demos and things you go through, we typically create a new resource group for every single module, and then we just delete that resource group when we're done, and then that cleans everything up. In addition, we've got things like the app services I mentioned.

So if you want to go in there and deploy those web app services, those are there. I'll show you virtual machines from the top, but you can also get to them on the left side. The same is true of things like virtual networks. They're already there, along with storage accounts for you. and you can change this around. You can put your own things in there, but it just helps to get used to the portal itself and make sure you're familiar. In addition, you'll need to know about PowerShell. Now there are a couple of things you can do—and you'll see a few examples throughout the course. In some cases, we will open up PowerShell on our machine, and you can do PowerShell on the Mac or you can do PowerShell on Windows. Just make sure you've installed the Azure commands that you need as well.

But the easiest way to do it now is actually using Cloud Shell, which is on the top of the screen. There's this icon right here. If we click it, it actually opens up a cloud shell for us. And if we go to the lefthand side, we'll find Bash. We can change that to PowerShell. I'm going to click Restart. I'm going to restart my cloud shell with PowerShell, and it's going to restart that. And this will actually open up a PowerShell client inside the Azure Portal for you. already logged in. So it's much easier to get in there and actually run your scripts just by using the built-in cloud shell. It's a new feature they added recently, and you're definitely expected to know about it for the exam. and you can see it's come up there. Now I can select PowerShell windows. It will ask you to create a storage account. This is where it will keep any persistent file shares throughout. But if I go ahead and click Create Storage, it will go ahead and now provision that cloud shell, okay? And after a few moments, probably three or four minutes if this is the first time you load a PowerShell, it will connect and prepare everything for you. And then you can simply go ahead and start running your PowerShell commands, just like you would normally in your PowerShell client. Now, that brings us to the end of this module, and hopefully you got a good overview of Azure.

And it should definitely give you the fundamentals you need to get going, particularly for the certification. And just as your knowledge as a whole In particular, you learned about the different cloud delivery models. So remember those IAS models, PaaS models, and SaaS models and the differences there as one of the core infrastructures for Azure. So those are the regions, the VNET, virtual machines, and resource groups.

Those are the key things to know. In addition, you learn about these other service offerings that are available to you in the Azure environment. And finally, we explore the Azure Portal. As you get going with the course, make sure that you check out the Azure Portal, get familiar with it, and make sure you can open up a PowerShell client, whether that's via the cloud shell or just your own one on your laptop. That's fine. But with that, this is the end. And if you have any questions at all, just let us know. Send us a Tweet at Skyline's Academy. Leave a comment on the YouTube channel or on the module page if you have any questions on this module because we do want to make sure you have the fundamental knowledge to get going with Azure. And we want to arm you with as much as possible.

2. Azure Free Trial Account Creation

One of the key items you'll need to get going with Azure is an Azure account. And as you can probably tell by now from some of the previous lectures, there are a number of account options available to you. In this demonstration, we're going to focus on creating a simple trial account to get you going. will start off in our Web browser. Okay, and here we are in the Web browser. And as you can see, I'm at Azure.Microsoftcom enusfree.You can also just Google that Azure free account, and it will take you to this page. And the first thing you'll see is that it says, "Create your Azure free account today." Get started with twelve months of free services.

And if you scroll down, you'll see what you get with the free account, which is twelve months of services but $200 of credit. So all the services that we use throughout the course, and if you're exploring with Azure, will cost a certain amount of money that will be taken away from your $200 of credit. But some services are always free, and they will always be available. So if you haven't already used the trial account, I encourage you to get one because it will save you a bit of money through the course. If you've already used one, then I'm afraid you're just going to have to swipe the credit card and pay the small fees when you provision services in Azure. But hopefully this will get you underway if you haven't had a trial account yet.

Now if you go ahead and click "Start Free," it will then prompt you to sign in with a Microsoft account. And at this point, simply login with your Microsoft account. If you already have one, or if you don't have one, go ahead and click "Create one." Type in your email address, type in a password, and you'll get a code sent to your email address, which you'll need to type in here. So simply refresh your email account, grab that code from there and punch it in here, and then decide if you want to receive the Microsoft promotional emails or not. Go ahead and click Next, and it will ask you to just type in this prompt to make sure you are a person actually doing it and not a bot as you've probably seen from other websites, and click Next again. At this point, I also ask you if you want to stay signed in. So this will reduce the number of times you're asked to sign in. This is very useful, otherwise you'll get prompted repeatedly as you sign into different Microsoft services. If you click yes, you will be able to sign up for a free account. Start with your $200 in credit at this point. If you already had a free account with that email address, it will redirect you to a screen where you can sign up for a pay-as-you-go account and enter your credit card information.

But at this point, I'm just going to go ahead and continue typing in my information. And after you type in your phone number, you'll hit text me or call me, and it will send a verification code to you, which you also need to punch in here. That's just verifying your phone number. Okay. And then you'll need to enter a credit card for the account as well. So I'm just going to skim through this and, after you've entered the credit card information and clicked Next, it will then prompt you to accept the agreement. This is the subscription agreement, the offer details that surround the free offer that you're being given, and the privacy statement. So either read through all those and then, when you're done, go ahead and click the box here and then click Sign Up. Okay, when all that's completed, you'll see you're ready to start with Azure, and you can go ahead and go to the Portal. Okay, here we are. Welcome to Microsoft Azure. You can start the tour that will give you a tour of everything here. We can choose maybe later if we don't want to do that now.

And then on the top right, you can see this is the account that you've signed into, and it also prompts you to say, Hey, you've got $200 of credit remaining. In fact, if we go to All Services as well and choose Subscriptions, we can type in Subscriptions or you can just select it on the right here from the general menu. I would favourite this as well as the menu on the left hand side.So you click on the star that favourites it for you because you'll go to "Subscriptions" a lot throughout the course. Click Subscriptions, and you will see in there the free trial that is available. You can click the "free trial" link, and here you can see the subscription. It'll break down all of the different costs, et cetera. Your free credit expires in 30 days, which we currently have here. If I click on Manage, this will then take you to the Account page, which is a little bit different from the Portal.

So what you'll notice if we click back to the free trial portal that we have here is that this is Portal Azure.com, and this other page it takes you to is Account Azure.com. So the account section is where you'll do things like add payments, set up billing alerts, and things like that. And you can see here the subscription status onthis, 130 days left, $200 in credits remaining, which basically aligns with that free trial as mentioned before. But then when we want to go ahead and execute on anything, we just go back to the free trial at this point over here.Now if we want to give other people access to it as well, simply go down to Azure Active Directory, and you'll also see that you have different users available to you, and there's only going to be one currently. So if I click Users in the default directory, you'll see this is the default user that gets created when we create the subscription.

I can create new users at this point. I can also create new guest users. I can invite people with just their personal email address as well and give them access to our Active Directory that's created in there. You will see more of Azure Active Directory in future modules. But just know, if you're looking to share this account with somebody else that you're studying with, this is where you would go to do that. And then, if you go back to Subscriptions again, I'm going to scroll down. You'll see it's in the Favorites now because we added it. If I go to Subscriptions and then to this free trial, Subscription: If I want to give somebody access to this, you'll see the Access Control section here. So I click Access Control, and while I do have Azure Active Directory to create users, etc. I do need to assign rights to the subscription if I want somebody to be able to access it and have full administrative rights over it. So I can click "Add Role Assignment," and at this point I would select the role, and if I wanted them to be the complete owner of the subscription, same as you have by default, you'd click the Owner role.

If I want them to have a lot of rights but not be able to give access to other people, I would choose the contributor role. And if I only wanted to grant them readAccess, I would select the reader role. Now there are a whole bunch of other role assignments as well. Those are also covered later on in the course. But for now, just know about these three. And if I click Owner, what I would do then is assign access to either an Azure AD user group or service principal. And if I created that user from the Azure Active Directory section I just showed you, that user would appear here, and then I could basically assign them the access. But for right now, it's an empty account, so there's nothing to assign. It's only my email address that's essentially in there right now. And so with that, this concludes the Stemillustration, and hopefully we'll get you up and running and get your trial account set up so you can continue on with the course.

Hide

Azure Security Overview

1. Lecture: Defense in Depth

relayered approach, which begins with confidentiality, integrity, and availability And you can remember it quickly with CIA. Not to be confused with the American CIA, but a good way to remember that. But let's break these down in a little bit more detail. With confidentiality, this is the principle of least privilege. Essentially, restrict access to information only to individuals who are explicitly granted access to that information. Information includes protection of user passwords, remote access certificates, and things like email content. Again, the goal being only give out the informationto people that should have access to that information. Next, we need to think about integrity. This is all about the prevention of unauthorised changes to information at rest or while it's in transit. Think about data transmission. A sender can create a unique fingerprint of the data with a one-way hashing algorithm. This makes sure that when the data is received on the other side, it can be verified that it's intact, correct, and hasn't been tampered with in any way. Finally, we have availability. This is all about ensuring services are available to authorised users in particular and preventing denial of service attacks. This could also include things like natural disasters that we need to be aware of, as well as high availability and disaster recovery. So think about it. There we've got the confidentiality and integrity of our data, but we have to make sure all of our data and services are available, because people might just create a tax on your business to basically prevent service from being available to your applications and ultimately to your users. And that's it in a nutshell. Again, remember CIA confidentiality, integrity, and availability as you think about securing all of your resources in Azure.

2. Lecture: Security Layers

Look at the layers as a whole; you know, looking at the bottom, ultimately everybody is after data. So there are things we can do to secure that data, which will go into the applications themselves that get access. Maybe there are vulnerabilities we need to deal with. Looking up further, we've got compute, all the operating system infrastructure, network security, so that's the network inside of our data centre or in our cloud that we control, and then there's the perimeter of that network as people try to penetrate into our network infrastructure. On top of that, we have identity and access. Identity is becoming one of the major barriers that we need to protect now because if people compromise their identities, that means they get access to a lot of the data. Having a good, solid, robust strategy for identity security is key. And finally, in a data center—in Microsoft's case, they are hosting the data centres for you.

Physical security is still important, right? This is stuff like badged access, etc., but let's go into each one of these in a little bit more detail. The point here is that we are doing security at multiple layers. Even if one layer is attacked and broken into, that doesn't mean they can get all the way down to accessing that data. Let's begin, then, with physical security. This is all about physical building security. So controlling access to data centre hardware and access to the building could be done in that data center. Think about somebody coming into a data centre and being able to say, "Plug something into a USB port and get data off," or other different mechanisms that they have to sort of pull hard drives out, etc. The intent here is to provide physical safeguards to ensure other layers are not bypassed. Then we move on to identity and access.

Think about identity in two ways. first, authenticate yourself and demonstrate who you are. Authorization: this is what you are allowed to do. So prove who you are, and then this is what you can basically access. Again, it's all about controlling access to your infrastructure and auditing events and changes to know who did what. So we have an audit trail. Even if somebody is authorised to do something, maybe they have some malevolent intent. Well, we can audit that event to find out who it was, what they did, and take action against them at that point. Next we'll look at the perimeter itself. Things here could be DDoS attacks, which you'll learn more about. These are distributed denial of service attacks where people are trying to attack your perimeter to prevent your applications from being serviced.

They might be trying to crash your firewall, crash your application services, et cetera. And you can use Distributed Denial of Service Protection to filter large-scale attacks. Other common things firewalls at the perimeter. A very common process that we've implemented for a long time now is to put firewalls at the perimeter to prevent intrusion, and the goal here is to protect your network from attacks against your resources. Identify the attacks, minimise their impact, and alert people about them. because we know they're going to happen. We need to be able to take action. When that does occur, then we have the network itself. So think about your network. What you really want to do here is limit communication via micro-segmentation and access controls. The approach generally is to deny by default, restrict inbound internet access, and limit outbound access. And you can get the sense that we really want to only allow what is required. And again, going back to that first bullet, we can create software-defined networks very easily. Now we can micro-segment them with things like network security groups and other firewall technologies.

But there are options now for segmenting out different applications. We don't have to have everything in one giant VLAN. We do have options now to prevent traffic that just doesn't need to happen. Moving on, we go to compute and think about these as your virtual machines, your operating systems. How do we harden them? How do we implement endpoint protection? How do we control access to operating systems? There's a point where a lot of vulnerabilities can occur. When people get access to an OS, they might have access to other machines in the environment just by getting access to that operating system. So ultimately, here, it's good housekeeping. It's also essential to patch systems to make sure you aren't exposed to the environment or to additional risks that are out there. So this is all about hardening your compute infrastructure and making sure it's secure.

Then we move on to our application itself. And think about how this ensures applications are secure. Store sensitive application secrets appropriately. This is one of the areas where people run into a lot of trouble. Passwords are stored in plaintext and other such things. These are things that we need to really take care of. But ultimately, if you just make security design a requirement for all new application development, things like security reviews and security design reviews are basically what you go through. If you're doing CI, CD, and DevOps processes, then making sure that security is baked into those processes as well is definitely essential. Now, last but not least, let's come back to data. Again, almost all attackers are trying to gather data that can be stored in databases, on disks, inside virtual machines, SAS apps such as 365, or in cloud storage.

You are responsible for ensuring that data is properly secured while at rest and in transit. So this is like encryption on disk. This is stuff like the one-way hash we talked about earlier on. All of this is important to making sure that the data is ultimately protected, because this is whatever everybody is trying to get at and going back to. If you think through these layers and go through them, you definitely understand them. If we are doing security at every single layer, right from the physical billing security to the identity, the perimeter, the network, the compute infrastructure, the app infrastructure, and the data, Even if they get through one layer, it doesn't mean they're going to get access to the data as a whole. And with that, this concludes the approach to security layers. something you definitely need to be aware of for the exam.

3. Lecture: Compliance and Security Requirements

Now let's shift tocompliance and security requirements. And first of all, you need to understand the shared responsibility model and how that shifts between on-premises IAS, PaaS, and SaaS services. So if you look at our first priority, security is a joint responsibility. Cloud computing clearly provides manybenefits over on premises. And you can see that because if you look at the section in blue on premises, everything is basically responsible for the customer to take care of physical security, host security network controls, application level controls, identity endpoint protection, and data classification because you own the entire stack. As you move from IAS to PAS to Assassin, you can offload more of those controls to Microsoft.

So first of all, just take IAS to begin with. Well, physical security is completely taken away because you don't need a manager. Microsoft is managing and meeting all requirements as part of the security they have for their data centers. In fact, it is very difficult for even partner vendors to get that Tier 1 status, so they can even go into the data center. different vendors like NetApp, etc. sort of racking NetApp files in Microsoft data centers. They want the first-tier vendors that were approved, and they have to go through rigorous security screening and process and control methodology to make that happen. In addition, as you move up, we look at host infrastructure that's like your VMware hosts, but these are now running in Azure, as well as your network control as well.You still see that some of that is your responsibility and some of that is the cloud provider's responsibility. But as we continue to move up from iOS to Pairs to SAS, more and more of that is being offloaded to Microsoft themselves. in the case of Azure. But there is one catch: you are always responsible for data. So even if you're using a pair of services or a SAS service, you're going to put data on there; you've got to classify the data; you're responsible for it. You need to know whose data that is, what it's being used for, and how it's going in and out of that system.

You're always responsible for that. You're responsible for endpoints. So those could be VMs, desktops, or anything else that will communicate with the service, and you're in charge of those specific endpoints, as well as the accounts, so you're in charge of the keys, passwords, and all of that. And you're responsible for access management as well. and that includes making sure things like multifactor authentication and things like that are implemented. Because again, you're responsible for anyone who logs into these systems. It doesn't matter if they're SaaS; you're still responsible for the fact that somebody gained access to that system. In addition, there's a Shared Responsibility PDF file you can download from Microsoft. If you click this link and go in here, you'll see the shared responsibilities for cloud computing. There's a whole PDF that kind of explains that and what Microsoft's responsibility is, as well as what your responsibility is as well. If we move on a little bit, there's also the Microsoft Trust Center. So this is in-depth information that you have access to.

So this is FedRAMP Sock, audit reports, data protection, white papers, and security assessments that Microsoft does. They have two teams that essentially do the attacking and the defending to continually harden Microsoft services, and they make all of that publicly available as well as some powerful assessment tools as well. So you may get asked a question around where to get information, and the Trust Center is the main place there. You won't be expected to know any of the assessments in detail, but you will need to know that they exist and where to get that information. In addition, that also leads you to compliance managers. You may get a question on what tools can potentially help you with compliance. Compliance Manager is a place where you can manage compliance at a central location. It does proactive risk assessment; it will also provide insights and recommend actions; and it prepares compliance reports for audits as well. So that's the kind of thing, again, when you're thinking, Hey, I've got to design an audit in strategy, which is one of the things in the curriculum.

You could say I'm going to use Compliance Manager to provide auditing reports on specific technologies that Compliance Manager can hit. Similar to how Azure Security Center will provide you with certain elements of data—perhaps your antivirus product has logged in and is reporting—you'll also have Azure Monitor, Loganalytics, and other tools that will come into play later. But think about it in the context of what I am required to provide for an audit. In addition, there are some other data protection resources. So if you go to servicetrust.microsoft.com and head over to trust documents, which I'll just click here as well, you'll get this page that comes up, and if we scroll down, you can see here all the audited controls. So you can see the AzureGDPR mapping, which is very popular on here. The compliance guides are all here. And, once again, I encourage you to look through a few of these because they will be useful to you. There are some white papers, assessment reports, and here's that pen test and security assessment report that I mentioned as well.

And again, Microsoft routinely makes these available. They have to do that to ensure that their services are certified because, again, because Microsoft is taking on some of that responsibility, we need to know that those systems have been tested and that there aren't vulnerabilities that they are exposing even though you're responsible for your areas. Specifically, we also have blueprints. So if we go to the Blueprints page, also under ServiceTrust.Microsoft.com, here are the Security and Compliance Blueprints for Azure themselves. If we go down, you can see some HIPAA high trust healthcare blueprints. As an example, some government blueprints around FedRAMP We've got PCI DSS blueprints there. These are all there to help you.

And in fact, if I just go over to one here, I've got the PCI DSS Customer Responsibility Matrix, which lists all the PCI DSS requirements that you're expected to account for. And if you scroll to the right, you can see it lists different ownership levels. So is the customer responsible for this? Is it a shared responsibility? And in case one four, which is a PCR requirement, establish and implement firewall and other router configuration standards that include the following requirements for a firewall at each Internet connection and between any DMZ zones and the internal network: and actually have an example of that later on around networking design examples for you to look at. But if we look just at the requirement for the moment, we can see it's a shared responsibility. So Microsoft Azure employees use boundary protection devices such as gateways, network ACLs, and application firewalls to control communications at external and internal boundaries at the platform level. However, the customer then configures these to their specifications and requirements. When communication enters the platform, it is filtered by Microsoft Azure.

So what does that mean? Well, Microsoft is essentially giving you the tools to say, Hey, I want to put a network security group between these two zones. Does that then meet the requirement? Do I need to put a specific type of firewall, maybe beyond this one, like a Palo Alto? Microsoft also allows network virtual appliances to be put in place, and you can do user-defined routes to redirect traffic through those appliances as well.

It says the application supports firewalls too. Well, a good example is that you can put an application gateway with a web application firewall in front of your application as well, and that would also help you meet the requirements. So it's very important. Take a look at the ones below; perhaps you're in one of these particular sectors. Take a look at the blueprint that applies to your sector because it will give you a lot of data across iOS and across paths, and we'll tell you anything. That is where Microsoft has already covered it, and where you must go specifically to address that control. With that, this concludes this section on security and compliance. And again, keep this in mind as you're learning about the different technologies; know the ways to secure and harden your workloads as you go through them.

Hide