SC-900: Microsoft Security, Compliance, and Identity Fundamentals Certification Video Training Course Outline
Module 1 Describe the concepts of security, compliance, and identity
8. Describe Encryption, Hashing and Signing - I
All the threats I just described tell us what kind of a world we are living in right now. There must be a way to secure it as well, to protect against malicious users who have their hands on all the tools, including John the Ripper, as previously mentioned. Now we're talking about protection. How do you protect your data? We discussed the CIA triad previously, but we need to go further: how do you encrypt data, hash it and sign it? One way to mitigate common cybersecurity threats is to encrypt sensitive or valuable data. What is encryption? Encryption is the process of making data unreadable and unusable to unauthorised viewers. To use or read encrypted data, one must decrypt it, and both encryption and decryption require a key. Just like the person who holds the key to your home can enter it, you can use that as a simplified analogy for encryption and decryption. Now, there are two top-level types of encryption: symmetric encryption and asymmetric encryption. Symmetric encryption uses the same key to encrypt and decrypt the data, just like you use the same key to lock your door and to unlock it. Asymmetric encryption uses a different methodology. It uses two mathematically related keys, what we call a public key and a private key; hence they are called a "key pair". Either key can be used to encrypt, but data encrypted with one key of the pair can only be decrypted with the other key, never with the same key that encrypted it. In practice the public key is shared freely and used to encrypt, and only the holder of the private key can decrypt. Asymmetric encryption is used in things like TLS, transport layer security, which is what the HTTPS protocol uses to authenticate the server and agree on a session key when you log in to a sensitive site such as your bank; the bulk of the traffic is then protected with symmetric encryption under that session key. Encryption can protect data at rest and data in transit.
That means the data sitting on your disk as well as the data moving from point A to point B over the Internet or the intranet. Data at rest is data stored on a physical device such as a server. It may be stored in a database or in a storage account in the cloud. Regardless of where it is stored, encryption of data at rest ensures that the data is unreadable without the keys and secrets needed to decrypt it. So if an attacker obtained an encrypted hard drive but did not have access to the encryption keys, they would not be able to read the data from it. What is encryption in transit? Data in transit is data moving from one location to another across the Internet or even through a private network. The secure transfer can be handled at several different layers; for example, the data can be encrypted at the application layer before it is sent over the network. HTTPS is the example of encryption in transit I explained earlier. Encrypting data in transit protects it from outside observers, for example a man in the middle, and provides a mechanism to transmit data while limiting the risk of exposure. Let's talk about hashing and signing in the next lesson. Thanks for watching so far. Hopefully this module has been informative to you so far. Thank you.
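To make the data-at-rest point concrete, here is an added example (not code from the SC-900 course) of symmetric encryption: one shared key both locks and unlocks a record, an attacker who copies the disk gets only ciphertext, and a wrong key or a flipped bit is rejected. It uses only the Python standard library, so the cipher itself is a teaching construction (an HMAC-SHA256 keystream XORed over the plaintext, plus an HMAC tag); the record, the field names and the key handling are constructed for illustration. Real systems should use AES-GCM from a vetted library; the lesson here is about who holds the key, not the primitive.

```python
"""Symmetric encryption: one shared key both locks and unlocks the data.

Added teaching example; not code from the SC-900 course and not a production
cipher. Everything is Python standard library: the keystream is HMAC-SHA256 in
counter mode XORed over the plaintext, and an HMAC tag over nonce+ciphertext
(encrypt-then-MAC) detects tampering or a wrong key. Use AES-GCM from a vetted
library for real systems.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def derive_subkeys(key: bytes):
    """Split one shared secret into an encryption key and a MAC key."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudo-random bytes from HMAC(enc_key, nonce || counter), block by block."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. A fresh random nonce keeps every keystream unique."""
    enc_key, mac_key = derive_subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag first (constant-time compare), then undo the XOR with the same key."""
    enc_key, mac_key = derive_subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered ciphertext")
    ks = keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo() -> dict:
    """Data-at-rest scenario: an attacker who copies the disk gets `stored`, not `key`."""
    key = secrets.token_bytes(32)                 # lives in a key vault / HSM, not on the disk
    record = b"account=12345;balance=900;ssn=REDACTED"  # constructed sample record
    stored = encrypt(key, record)

    def rejected(k: bytes, blob: bytes) -> bool:
        try:
            decrypt(k, blob)
            return False
        except ValueError:
            return True

    tampered = bytearray(stored)
    tampered[NONCE_LEN] ^= 0x01                   # flip one bit of the ciphertext
    return {
        "ciphertext_leaks_plaintext": record in stored,
        "same_key_recovers": decrypt(key, stored) == record,
        "wrong_key_rejected": rejected(secrets.token_bytes(32), stored),
        "tamper_rejected": rejected(key, bytes(tampered)),
    }


if __name__ == "__main__":
    print(demo())
```

Note the split into an encryption key and a separate MAC key, and that the tag is checked before any decryption is attempted: an attacker holding the drive can flip bits, but cannot produce a valid tag without the key.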
9. Describe Encryption, Hashing and Signing - II
We are in the second part of this section, Describe encryption, hashing and signing. Let's start with hashing. Hashing uses an algorithm to convert the original text into a fixed-length hash value. Each time the same text is hashed with the same algorithm, the same hash value is produced, so the hash can be used as an identifier for its associated data. Hashing is different from encryption in that it does not use keys, and the hash value is not subsequently decrypted back to the original; it is a one-way function. Let's talk about some use cases. Hashing is used to store passwords. When you enter your password on the Ctrl+Alt+Delete sign-in screen, an algorithm creates a hash of the password you typed, and this is compared with the stored hash of the password. If the hashes match, the user has entered the password correctly. This is more secure than storing passwords as plain text. But hashing algorithms are also known to attackers, and because hash functions are deterministic, attackers can run brute-force and dictionary attacks by hashing candidate passwords themselves: for every hash that matches a stored one, they know the actual password, and every user who chose the same password gets the same hash. How do you mitigate this? With a method called salting, which is commonly employed. This means adding a random value, the salt, to the input of the hash function, so that the same password produces a different hash for every user. The salt is stored alongside the hash and is not a secret; what it buys you is that an attacker cannot reuse a precomputed table of hashes and has to attack each stored hash separately. Combined with a deliberately slow password-hashing algorithm, that makes dictionary attacks far more expensive, although a genuinely weak password can still be guessed. So we spoke about what hashing is and how salting is used to blunt brute-force and dictionary attacks on password hashes. So, what is "signing"? We're talking about digital signatures. Digital signatures verify that a message has been sent by the claimed sender and that its contents have not been tampered with.
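Before moving on to signatures, here is the password-hashing discussion above worked in code, as an added example rather than anything from the course. It stores three constructed users' passwords first with a plain deterministic hash and then with a random per-user salt and a slow key-derivation function, then runs a small constructed dictionary attack against both stores. The user names, passwords, dictionary and iteration count are all assumptions for the demo.

```python
"""Password hashing: why deterministic hashes are a problem and what a salt fixes.

Added teaching example, not code from the SC-900 course; standard library only.
The users, their passwords and the attacker's dictionary are constructed.
"""
import hashlib
import hmac
import secrets

# Constructed: two users picked the same weak password.
USERS = {
    "alice": "Summer2023!",
    "bob": "Summer2023!",
    "carol": "correct horse battery staple",
}
# Constructed: the attacker's (tiny) dictionary of common passwords.
DICTIONARY = ["password", "123456", "Summer2023!", "Welcome1"]

ITERATIONS = 100_000  # kept small for the demo; OWASP recommends 600,000 for PBKDF2-HMAC-SHA256
SALT_LEN = 16


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: deterministic, so equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(stored: dict):
    """One hash per dictionary word cracks every user at once: a precomputed lookup table."""
    table = {unsalted_hash(word): word for word in DICTIONARY}
    cracked = {user: table[h] for user, h in stored.items() if h in table}
    return cracked, len(DICTIONARY)            # (who fell, hash operations spent)


def salted_hash(password: str, salt: bytes = None):
    """Random per-user salt + slow KDF. The salt is stored with the hash; it is not a secret."""
    salt = salt if salt is not None else secrets.token_bytes(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Login check: re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def crack_salted(stored: dict):
    """No shared table is possible: every (user, word) pair costs a fresh slow hash."""
    cracked, work = {}, 0
    for user, (salt, digest) in stored.items():
        for word in DICTIONARY:
            work += 1
            if hmac.compare_digest(salted_hash(word, salt)[1], digest):
                cracked[user] = word
                break
    return cracked, work


def demo() -> dict:
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted = {u: salted_hash(p) for u, p in USERS.items()}
    cracked_plain, work_plain = crack_unsalted(unsalted)
    cracked_salt, work_salt = crack_salted(salted)
    alice_salt, alice_digest = salted["alice"]
    return {
        "unsalted_hashes_collide": unsalted["alice"] == unsalted["bob"],
        "salted_hashes_collide": salted["alice"][1] == salted["bob"][1],
        "cracked_unsalted": cracked_plain,
        "cracked_salted": cracked_salt,
        "hash_ops_unsalted": work_plain,
        "hash_ops_salted": work_salt,
        "login_correct": verify_password("Summer2023!", alice_salt, alice_digest),
        "login_wrong_case": verify_password("summer2023!", alice_salt, alice_digest),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things to notice in the result: salting stops alice and bob from having identical stored hashes and forces the attacker to pay one slow hash per user per guess instead of one per guess, but the weak "Summer2023!" still falls to a four-word dictionary. The salt is a multiplier on attacker cost, not a substitute for strong passwords or multi-factor authentication.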
If you look closely, you'll notice that this falls under the CIA triad, specifically the integrity section, and it also gives you authenticity of origin. Signing a message does not encrypt or alter the message. Signing works by creating a digital signature string that can either be sent with the message or transmitted separately. The digital signature is generated by the owner of the private key and attached to the message. The receiver can then verify that it was created by the key owner, and they do that using the corresponding public key. There are two steps involved in creating a digital signature from a message. First, you create a hash value of the message. Second, the hash value is signed using the signer's private key. At the receiving end, as you see in the picture, the message is hashed again and checked against the digital signature, which is verified using the public key. If they match, you can be confident that the message is the same one the signer originally signed and that it has not been tampered with; if even one bit of the message changed, its hash changes and the verification fails.
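The asymmetric key-pair property from the previous lesson and the hash-then-sign procedure above are both shown in this added example (not code from the course). It builds a textbook RSA key pair from primes generated here with Miller-Rabin, shows that what the public key encrypts only the private key can decrypt, and then signs the SHA-256 hash of a message with the private key and verifies it with the public key, including a tampered message and a signature checked against the wrong signer's key. There is no padding, so this illustrates the relationship between the keys only; the messages, names and key size are assumptions for the demo, and real systems should use RSA-OAEP/RSA-PSS or Ed25519 from a vetted library.

```python
"""Asymmetric key pairs: encrypt with one key, decrypt with the other, and
hash-then-sign digital signatures.

Added teaching example, not code from the SC-900 course. Textbook RSA with no
padding, built from Miller-Rabin primes, purely to show the key-pair
relationship. Real systems use RSA-OAEP / RSA-PSS or Ed25519 from a vetted
library.
"""
import hashlib
import math
import secrets


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin with random bases (good enough for a demo key pair)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random odd candidate with the top bit set, retried until it passes Miller-Rabin."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 1024):
    """Return ((n, e), (n, d)): public key and private key sharing the modulus n."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    n = p * q
    d = pow(e, -1, phi)          # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)


def rsa_apply(key, value: int) -> int:
    """The same modular exponentiation serves both keys; only the exponent differs."""
    n, exp = key
    return pow(value, exp, n)


def encrypt_int(public_key, m: int) -> int:
    return rsa_apply(public_key, m)


def decrypt_int(private_key, c: int) -> int:
    return rsa_apply(private_key, c)


def message_digest_int(message: bytes) -> int:
    """Step 1 of signing: hash the message (SHA-256) and treat the digest as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key, message: bytes) -> int:
    """Step 2 of signing: apply the private key to the hash, not to the message itself."""
    return rsa_apply(private_key, message_digest_int(message))


def verify(public_key, message: bytes, signature: int) -> bool:
    """Receiver re-hashes the message and compares with what the public key recovers."""
    return rsa_apply(public_key, signature) == message_digest_int(message)


def demo() -> dict:
    alice_public, alice_private = generate_keypair()
    mallory_public, mallory_private = generate_keypair()   # an attacker's own key pair

    secret = int.from_bytes(b"wire 900 to account 12345", "big")   # constructed message
    ciphertext = encrypt_int(alice_public, secret)

    message = b"Pay Bob 100"                                       # constructed message
    signature = sign(alice_private, message)

    return {
        "private_key_decrypts": decrypt_int(alice_private, ciphertext) == secret,
        "public_key_cannot_decrypt": rsa_apply(alice_public, ciphertext) == secret,
        "other_private_key_cannot_decrypt": decrypt_int(mallory_private, ciphertext) == secret,
        "signature_valid": verify(alice_public, message, signature),
        "tampered_message_rejected": verify(alice_public, b"Pay Bob 1000", signature),
        "forged_signer_rejected": verify(mallory_public, message, signature),
    }


if __name__ == "__main__":
    print(demo())
```

The message itself is never encrypted by signing; it travels in the clear alongside the signature. Anyone with Alice's public key can check it, but only Alice's private key could have produced a value that "opens" to the right hash, and changing a single character of "Pay Bob 100" changes the hash and breaks the check.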
10. Lesson Conclusion
Now, this brings us to the end of this module. Let's go ahead and recap what we learned. You learned about important security concepts and methodologies. You learned about the Zero Trust methodology and how its guiding principles, verify explicitly, use least-privilege access and assume breach, strengthen security. You learned about the six foundational elements of the Zero Trust model: identities, devices, applications, data, infrastructure and networks. We also looked at the shared responsibility model, which considers who is responsible for what as organisations migrate their workloads to the cloud. You also learned about defence in depth and how the security principles of confidentiality, integrity and availability help guide security decisions. Finally, we learned about certain common cyber security threats, including threats to business and personal data. Thanks for watching so far. I hope Module One has been informative and interesting to you. I hope to see you in the next module as well.
11. Microsoft security and compliance principles - Lesson Introduction
Here we are at the next lesson: Microsoft security and compliance principles. It is a daunting task to keep up with security legislation and regulatory requirements. Microsoft helps you keep abreast of the relevant guidelines by providing the information you need. In the next couple of videos you'll learn about the Microsoft privacy principles and the Service Trust Portal. You'll learn where to find compliance documentation that is relevant to your geographic location and industry. So let's get started without any further delay. The first one to start with is Microsoft's privacy principles.
12. Microsoft's Privacy Principles
Microsoft has an array of products and services, and they all run on trust. Microsoft focuses on six key privacy principles when making decisions about data. Privacy is about making meaningful choices about how and why data is collected and used. It is about ensuring that you have the information you need in order to make the choices that are right for you across all Microsoft products and services. Let's take a look at the six privacy principles: control, transparency, security, strong legal protections, no content-based targeting, and benefits to you as a customer. The first is control, which is putting you, the customer, in control of your privacy with easy-to-use tools and clear choices. Transparency is about being transparent about data collection and use so that everyone can make informed decisions. Security: it is paramount to protect the data entrusted to Microsoft with strong security and encryption. Strong legal protections means respecting local privacy laws and fighting for legal protection of privacy as a fundamental human right. The next one is no content-based targeting, which means Microsoft will not use your emails, chats, files or other personal content to target advertising. And finally, when Microsoft does collect data, it is used to benefit you, the customer, and to make your experiences better. These principles guide Microsoft's approach to privacy and shape the way its products and services are designed. Let's also understand the Service Trust Portal and its various components in the next lesson.
13. What is Service Trust Portal
The Service Trust Portal is a repository of information, tools and other resources about Microsoft's security, privacy and compliance practices. To access all the documentation relevant to your regulations and compliance obligations, you need to sign in with your Microsoft cloud services account. Once you are in the Service Trust Portal, you get access to volumes of information. This is where you can measure your progress in completing actions that help reduce risks around data protection and regulatory standards. You can also get links to security, implementation and design information, and compliance information about Microsoft cloud services organised by industry and region. You'll find information about compliance in regions such as Austria, Canada, the Czech Republic, Denmark, Germany, Poland, Romania, Spain and the United Kingdom. It also links to the Trust Center, where you can get more information about security, compliance and privacy in the Microsoft Cloud. Under the Resources section you get information about the features and tools available for data governance and protection in Office 365. You can also create your own library, where you add the documents and resources relevant to your organisation, everything under one umbrella, and you can opt to have email notifications sent when a document is updated, choosing how often you want to receive them.
14. Azure Compliance Documentation
Organisations have different kinds of requirements they must comply with, whether legal, regulatory or industry standards. When you are using Azure, as well as Microsoft 365, Dynamics 365 or the Power Platform, you will find the legal and regulatory standards information in the Azure compliance documentation. You will find links to documents and articles that explain the regulations, as well as links to audit reports, certificates, FAQs and much more. To make things easier, the compliance documentation is grouped geographically and by industry. That means you can find the documentation relevant to everyone globally, relevant to the USA, or relevant to other regions, and documentation grouped by industry, for example financial services, healthcare, media and manufacturing. There are also templates for audits that you can tailor to your needs. Anyone can review and use the documentation as a reference to help them understand and keep up to date with the regulations. For the complete and current list of compliance documentation, go to docs.microsoft.com and look for Azure compliance. Thanks for watching so far, and I'll see you in the next module.
15. Module 1 : Chapter Summary
This lesson taught us about Microsoft's six privacy principles and how they guide its approach to data. You also learned about the Service Trust Portal and where to find the Azure compliance and regulatory documentation. Hopefully this module has been informative to you. Thanks for watching so far, and I'll see you in the next module.
Module 2 Describe the concepts & capabilities of Microsoft identity and access
1. Describe Identity Concepts – Introduction
Everyone and every device has an identity that can be used to gain access to resources. Identity is the way in which people and things are identified on your corporate network and in the cloud. Being certain about who or what is accessing your organisation's data and other resources is a fundamental part of securing your environment, and this is known as identity and access management. It is made up of two key steps: authentication and authorization of identities. In the subsequent lessons we'll learn about the concept of identity as a security perimeter. You'll also learn the distinction between authentication and authorization, and you'll be introduced to the various identity services. Let's get started with the common identity attacks we see in the world today.
2. Common Identity Attacks
Some of the most common types of security threats that organisations face today are identity attacks. Identity attacks are designed to steal the credentials used to validate or authenticate the claim that someone or something is who they say they are. The result is identity theft. We need to know about the different kinds of attacks that are employed for identity theft. These include, but are not limited to, password-based attacks and phishing. Most organisations today spend a lot of time dealing with phishing attacks, specifically spear phishing. So if terms like "password-based attack" and "phishing" are new to you, let's get into it and try to understand what they actually mean. Password-based attacks include password spray attacks and brute-force attacks. A password spray attack takes a short list of commonly used weak passwords and tries each one against many usernames, so that no single account sees enough failures to be locked out. A brute-force attack tries many passwords against one account, or a small set of accounts, often using dictionaries of commonly used passwords. When a user has set a weak password on their account, the attacker finds a match and gains access to that account. What is phishing? A phishing attack is when an attacker sends an email that appears to be from a reputable source. The email contains a credible story, such as a security breach, or instructs the user to sign in and change their password. Instead of going to the legitimate website, the user is directed to the scammer's website, where they enter their username and password, and that's the end of it: the attacker has now captured the user's identity and password. Although many phishing emails are badly written and easy to identify, when users are busy or tired they make mistakes and are more easily deceived. As attackers' techniques become more sophisticated, their phishing emails become harder and harder to identify.
That means attackers are able to craft an email that looks like it came from a legitimate company. Spear phishing is a variant of phishing where attackers build up a database of information about their targets. That information is then used to create highly credible emails. The email may appear to come from someone within your organisation who is requesting information. Although careful scrutiny might uncover the fraud, users might not read it carefully enough and send the requested information, or even log on to the fake website, before they realise it is fraudulent. It is called spear phishing because it is highly targeted at specific individuals. Now, to protect against all types of identity attacks, what you need are robust identity security and monitoring techniques. Azure Active Directory has a feature called Identity Protection that detects risk, and through its policies you can have suspicious activity on user accounts automatically challenged, for example by requiring multi-factor authentication or a password change, or blocked outright. There are two types of risk in Azure AD Identity Protection: user risk and sign-in risk. User risk represents the probability that a given identity or account has been compromised. Sign-in risk represents the probability that a given authentication request was not authorised by the identity owner. So these concepts should now be clear to you: password-based, phishing and spear phishing attacks, and what Azure AD can do to help, specifically with user risk and sign-in risk. OK, so that's all for now. In the next lesson, let's go ahead and chat about identity as the primary security perimeter. Thanks for watching so far, and I'll see you in the next lesson.
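The difference between a password spray and a brute-force attack shows up clearly in sign-in logs, which is what risk detection in a product like Identity Protection is built on. As an added example (not code from the course and not Azure AD's actual detection logic), the block below aggregates failed sign-ins per source IP over a constructed log and classifies each IP: many distinct users with one or two failures each is a spray, one user with many failures is brute force, and a success from an IP already flagged as attacking is reported as a likely compromise. The log format (`ip=`, `user=`, `result=`), the addresses and the thresholds are all assumptions for the demo, not a real sign-in schema.

```python
"""Password spray vs. brute force: what each looks like in sign-in logs.

Added example, not from the SC-900 course. The log lines, the key=value
format and the thresholds are constructed for illustration; they are not a
real Azure AD sign-in schema or Identity Protection's actual logic.
"""
from collections import defaultdict

# Constructed sign-in log: one spraying IP, one brute-forcing IP, one ordinary user typo.
SIGNIN_LOG = """\
2024-05-01T08:00:01Z ip=198.51.100.7 user=u01@contoso.example result=failure
2024-05-01T08:00:02Z ip=198.51.100.7 user=u02@contoso.example result=failure
2024-05-01T08:00:03Z ip=198.51.100.7 user=u03@contoso.example result=failure
2024-05-01T08:00:04Z ip=198.51.100.7 user=u04@contoso.example result=failure
2024-05-01T08:00:05Z ip=198.51.100.7 user=u05@contoso.example result=failure
2024-05-01T08:00:06Z ip=198.51.100.7 user=u06@contoso.example result=success
2024-05-01T08:10:00Z ip=203.0.113.9 user=bob@contoso.example result=failure
2024-05-01T08:10:01Z ip=203.0.113.9 user=bob@contoso.example result=failure
2024-05-01T08:10:02Z ip=203.0.113.9 user=bob@contoso.example result=failure
2024-05-01T08:10:03Z ip=203.0.113.9 user=bob@contoso.example result=failure
2024-05-01T08:10:04Z ip=203.0.113.9 user=bob@contoso.example result=failure
2024-05-01T08:10:05Z ip=203.0.113.9 user=bob@contoso.example result=success
2024-05-01T09:00:00Z ip=192.0.2.5 user=carol@contoso.example result=failure
2024-05-01T09:00:09Z ip=192.0.2.5 user=carol@contoso.example result=success
"""

# Illustrative thresholds; tune to your tenant's baseline.
SPRAY_MIN_USERS = 5       # spray: many accounts ...
SPRAY_MAX_PER_USER = 2    # ... each tried only once or twice (stays under lockout)
BRUTE_MIN_FAILURES = 5    # brute force: one account hammered with many guesses


def parse_line(line: str) -> dict:
    """'ts k=v k=v ...' -> {'ts': ..., 'k': 'v', ...}"""
    ts, *fields = line.split()
    event = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def analyze(log: str) -> dict:
    """Group by source IP, count failures per target user, classify the pattern."""
    per_ip = defaultdict(lambda: {"failures_by_user": defaultdict(int), "successes": []})
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        bucket = per_ip[ev["ip"]]
        if ev["result"] == "failure":
            bucket["failures_by_user"][ev["user"]] += 1
        else:
            bucket["successes"].append(ev["user"])

    findings = {}
    for ip, bucket in per_ip.items():
        fails = bucket["failures_by_user"]
        distinct_users = len(fails)
        worst_single_user = max(fails.values(), default=0)
        if worst_single_user >= BRUTE_MIN_FAILURES:
            verdict = "brute_force"
        elif distinct_users >= SPRAY_MIN_USERS and worst_single_user <= SPRAY_MAX_PER_USER:
            verdict = "password_spray"
        else:
            verdict = "normal"
        findings[ip] = {
            "verdict": verdict,
            "failed_attempts": sum(fails.values()),
            "distinct_users_failed": distinct_users,
            "max_failures_one_user": worst_single_user,
            # A success from an IP already classified as attacking is a likely compromise.
            "likely_compromised": sorted(set(bucket["successes"])) if verdict != "normal" else [],
        }
    return findings


if __name__ == "__main__":
    for ip, f in analyze(SIGNIN_LOG).items():
        print(ip, f)
```

A per-account lockout policy only ever sees one or two failures from the spray and never fires; the spray is visible only when you aggregate across accounts, here by source IP. Real sprays also rotate source addresses, so in practice the same aggregation is done tenant-wide over a time window, which is the kind of signal Identity Protection turns into a sign-in risk or user risk score.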
3. Identity As a Security perimeter
If we believe we are secure just because we have a network perimeter, we are living in an illusion. Many attacks today are network-less, in the sense that they are not stopped by a network perimeter at all. Securing identities is not an easy task. The best IT organisations collect lots of logs and can use that information for threat hunting, looking for anomalous activity. In a modern IT environment there are remote workers, third-party vendors, distributed offices, and deployments on mobile devices as well as in the cloud. The classic perimeter no longer exists. Instead, the fundamental unit of access is identity. In the cloud, and specifically when accessing SaaS-based services, identity is everything. With an identity, essentially your username and password or other access credentials, a user or device can get access to a service; and if those same credentials are in the hands of an attacker, the same identity grants the same level of access, time and again, breach after breach. The modern attack cycle, particularly in the cloud, starts with identities. Attackers seek to get hold of an identity and then pave their way through the resources, discovering credentials, discovering other identities, and granting themselves more and more access until they get what they want. Identity in the cloud-native era is not just about a Microsoft Active Directory implementation. In the cloud era it is about APIs, which are the gatekeepers of access, and because the perimeter is network-less, identity is what stands between an attacker and your data. I'm just trying to stress the point that digital collaboration has changed. Employees and partners now expect to be able to collaborate and access organisational resources from anywhere, on any device, without sacrificing productivity. In addition, there has been an acceleration in the number of people working from home. Enterprise security needs to adapt to this new reality.
The security perimeter can no longer be viewed as just the on-premises network. It extends to several other things: SaaS applications, which are critical for business workloads and may be hosted outside the corporate network; bring your own device, meaning the personal devices employees use to access corporate resources while working from home; unmanaged devices used by your partners or customers when they interact with corporate data or collaborate with employees, which must also be kept within your security boundaries; and IoT devices installed throughout your corporate network and at your customers' locations, which must also be within the security team's field of view. All of this tells us that the traditional perimeter-based security model is no longer enough. Identity has become the new security perimeter, and that is what enables organisations to secure their assets. But what do we mean by an identity? An identity is how someone or something can be verified and authenticated to be who they say they are. An identity may be associated with a user, an application, a device, or something else. To understand identities further, we need to think about the four pillars of identity: administration, authentication, authorization and auditing. Covering that in this section would be overkill, so let's talk about it in the next lesson. Thanks for watching so far, and I'll see you in the next lesson.