SC-900

Tags: Computer Science, Cloud, Software Development, Cybersecurity
Published: August 5, 2022
Author: Aniruddha Ghosh

Describe the concepts of security, compliance, and identity

Examples of layers of security might include:
  • Physical security, such as limiting access to a datacenter to only authorized personnel.
  • Identity and access security controls, such as multifactor authentication or condition-based access, to control access to infrastructure and change control.
  • Perimeter security of your corporate network includes distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for users.
  • Network security, such as network segmentation and network access controls, to limit communication between resources.
  • Compute layer security such as securing access to virtual machines either on-premises or in the cloud by closing certain ports.
  • Application layer security to ensure applications are secure and free of security vulnerabilities.
  • Data-layer security includes controls to manage access to business and customer data and encryption to protect data.

CIA

  • Confidentiality refers to the need to keep confidential sensitive data such as customer information, passwords, or financial data. You can encrypt data to keep it confidential, but then you also need to keep the encryption keys confidential. Confidentiality is the most visible part of security; we can clearly see the need for sensitive data, keys, passwords, and other secrets to be kept confidential.
  • Integrity refers to keeping data or messages correct. When you send an email message, you want to be sure that the message received is the same as the message you sent. When you store data in a database, you want to be sure that the data you retrieve is the same as the data you stored. Encrypting data keeps it confidential, but you must then be able to decrypt it so that it's the same as before it was encrypted. Integrity is about having confidence that data hasn't been tampered with or altered.
  • Availability refers to making data available to those who need it when they need it. It's important for the organization to keep customer data secure, but at the same time, it must also be available to employees who deal with customers. While it might be more secure to store the data in an encrypted format, employees need access to decrypted data.
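The integrity point above (being sure that what you retrieve is what you stored) is usually enforced with a keyed message authentication code rather than with encryption alone. The following is an added example, not part of the original notes: it tags a message with HMAC-SHA256 from the Python standard library and shows that any change to the message, or a verifier holding a different key, fails the check. The shared key and the messages are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample: in practice the key is a secret shared only by sender and receiver.
SECRET_KEY = b"example-shared-key-not-for-production"


def tag_message(message: bytes, key: bytes = SECRET_KEY) -> bytes:
    """Return an HMAC-SHA256 tag that binds the message content to the key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(message: bytes, tag: bytes, key: bytes = SECRET_KEY) -> bool:
    """Recompute the tag for the received message and compare in constant time,
    so that a forged tag cannot be guessed byte by byte from timing differences."""
    return hmac.compare_digest(tag_message(message, key), tag)


def demo() -> dict:
    """Show the three outcomes a receiver can see: intact, tampered, wrong key."""
    original = b"Transfer 100 to account 42"
    tag = tag_message(original)
    tampered = b"Transfer 900 to account 42"   # one digit changed in transit
    return {
        "original_ok": verify_message(original, tag),
        "tampered_ok": verify_message(tampered, tag),
        "wrong_key_ok": verify_message(original, tag, b"some-other-key"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Confidentiality would additionally require encrypting the message; the tag on its own only proves that the bytes were not altered by anyone who lacks the key.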
 
These six elements are the foundational pillars of the Zero Trust model:
  • Identities may be users, services, or devices. When an identity attempts to access a resource, it must be verified with strong authentication and follow least privilege access principles.
  • Devices create a large attack surface as data flows from devices to on-premises workloads and the cloud. Monitoring devices for health and compliance is an important aspect of security.
  • Applications are the way that data is consumed. This includes discovering all applications being used, sometimes called Shadow IT because not all applications are managed centrally. This pillar also includes managing permissions and access.
  • Data should be classified, labeled, and encrypted based on its attributes. Security efforts are ultimately about protecting data and ensuring it remains safe when it leaves devices, applications, infrastructure, and networks that the organization controls.
  • Infrastructure, whether on-premises or cloud-based, represents a threat vector. To improve security, you assess for version, configuration, and JIT access, and use telemetry to detect attacks and anomalies. This allows you to automatically block or flag risky behavior and take protective actions.
  • Networks should be segmented, including deeper in-network micro-segmentation. Also, real-time threat protection, end-to-end encryption, monitoring, and analytics should be employed.
 
Listed below are some important concepts and terms that relate to data compliance.
  • Data residency: Data residency regulations govern the physical locations where data can be stored and how and when it can be transferred, processed, or accessed internationally.
  • Data sovereignty: Data, particularly personal data, is subject to the laws and regulations of the country or region in which it's physically collected, held, or processed.
  • Data privacy: Providing notice and being transparent about the collection, processing, use, and sharing of personal data are fundamental principles of privacy laws and regulations.
Modern authentication: When the identity (which can be a user or an application) has been verified, the identity provider issues a security token that the client sends to the server. An identity provider creates, maintains, and manages identity information while offering authentication, authorization, and auditing services.
Federation enables the access of services across organizational or domain boundaries by establishing trust relationships between the respective domain’s identity providers. With federation, there's no need for a user to maintain a different username and password when accessing resources in other domains.

Describe the capabilities of Microsoft's identity and access management solutions

Azure AD business-to-business (B2B) collaboration, a feature within External Identities, includes the capability to add guest users. With B2B collaboration, an organization can securely share applications and services with guest users from another organization.
  • B2B collaboration allows you to share your apps and resources with external users, who sign in and access those resources using their own credentials.
  • B2C is an identity management solution for consumers and customer-facing apps. Azure AD B2C is a customer identity access management (CIAM) solution; consumers sign in using social, enterprise, or local account identities.
Azure AD External Identities are a feature of Premium P1 and P2 Azure AD editions.
Hybrid authentication options:
  • Azure AD password hash synchronization
  • Azure AD pass-through authentication
  • Federated authentication
Fast Identity Online (FIDO) is an open standard for passwordless authentication. FIDO allows users and organizations to leverage the standard to sign in to their resources using an external security key or a platform key built into a device, eliminating the need for a username and password.
Windows Hello for Business replaces passwords with strong two-factor authentication on devices, using biometrics.
Azure AD Multi-Factor Authentication:
  • Microsoft Authenticator app
  • Windows Hello for Business
  • FIDO2 security key
  • OATH hardware token (preview)
  • OATH software token
  • SMS
  • Voice call
Self-service password reset (SSPR) is a feature of Azure AD that allows users to change or reset their password, without administrator or help desk involvement.
Password Protection is a feature of Azure AD that reduces the risk of users setting weak passwords. Azure AD Password Protection detects and blocks known weak passwords and their variants, and can also block other weak terms that are specific to your organization.
Conditional Access is a feature of Azure AD that provides an extra layer of security before allowing authenticated users to access data or other assets. Conditional Access is implemented through policies that are created and managed in Azure AD. A Conditional Access policy analyses signals including user, location, device, application, and risk to automate decisions for authorizing access to resources (apps and data).
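To make the policy evaluation concrete, here is an added example that is not part of the original notes and not Microsoft's implementation: a small Python model of how several Conditional Access policies combine. Each policy has assignment conditions (groups, apps, excluded named locations, minimum sign-in or user risk) and grant controls; any matching block policy wins outright, otherwise every matching policy's controls are required. The policy names, users, apps, locations and risk values are all constructed, and the device compliance signal is treated as already satisfying a compliant-device control.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Risk tiers as Identity Protection reports them, ordered from lowest to highest.
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class SignIn:
    """Signals available once a user has authenticated (constructed sample fields)."""
    user: str
    groups: Set[str]
    app: str
    location: str              # named location such as "corp-hq", or "unknown"
    device_compliant: bool
    sign_in_risk: str = "none"
    user_risk: str = "none"


@dataclass
class Policy:
    """One Conditional Access policy: assignment conditions plus grant controls."""
    name: str
    groups: Set[str] = field(default_factory=set)              # empty = all users
    apps: Set[str] = field(default_factory=set)                # empty = all apps
    excluded_locations: Set[str] = field(default_factory=set)
    min_sign_in_risk: Optional[str] = None
    min_user_risk: Optional[str] = None
    controls: Set[str] = field(default_factory=set)            # e.g. {"block"}, {"mfa"}, {"mfa", "compliant_device"}


def applies(policy: Policy, s: SignIn) -> bool:
    """True only when every assignment condition of the policy matches the sign-in."""
    if policy.groups and not (policy.groups & s.groups):
        return False
    if policy.apps and s.app not in policy.apps:
        return False
    if s.location in policy.excluded_locations:
        return False
    if policy.min_sign_in_risk and RISK_ORDER[s.sign_in_risk] < RISK_ORDER[policy.min_sign_in_risk]:
        return False
    if policy.min_user_risk and RISK_ORDER[s.user_risk] < RISK_ORDER[policy.min_user_risk]:
        return False
    return True


def evaluate(policies: List[Policy], s: SignIn) -> Tuple[str, List[str]]:
    """Combine all matching policies: a block wins; otherwise all grant controls are required."""
    required: Set[str] = set()
    matched: List[str] = []
    for p in policies:
        if not applies(p, s):
            continue
        matched.append(p.name)
        if "block" in p.controls:
            return "block", matched
        required |= p.controls
    if s.device_compliant:
        required.discard("compliant_device")   # already satisfied by the device signal
    if not required:
        return "allow", matched
    return "require:" + ",".join(sorted(required)), matched


# Constructed policy set, roughly in the order an admin might layer them.
POLICIES = [
    Policy("Block high-risk users", min_user_risk="high", controls={"block"}),
    Policy("Require MFA outside trusted locations", excluded_locations={"corp-hq"}, controls={"mfa"}),
    Policy("Admins: MFA and compliant device", groups={"admins"}, controls={"mfa", "compliant_device"}),
    Policy("Finance app: MFA on medium+ sign-in risk", apps={"finance"}, min_sign_in_risk="medium", controls={"mfa"}),
]


def run_samples() -> Dict[str, str]:
    """Evaluate a few constructed sign-ins and return the decision for each."""
    samples = {
        "staff_from_hq": SignIn("alice", {"staff"}, "mail", "corp-hq", True),
        "staff_from_unknown": SignIn("alice", {"staff"}, "mail", "unknown", True),
        "admin_uncompliant_hq": SignIn("bob", {"admins"}, "portal", "corp-hq", False),
        "finance_medium_risk_hq": SignIn("dave", {"staff"}, "finance", "corp-hq", True, sign_in_risk="medium"),
        "compromised_user": SignIn("carol", {"staff"}, "mail", "corp-hq", True, user_risk="high"),
    }
    return {name: evaluate(POLICIES, s)[0] for name, s in samples.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name}: {decision}")
```

The trusted-location exclusion is why the same user gets "allow" from the office and "require:mfa" from an unknown network, and the block policy short-circuits everything else, which is the behaviour you want for a high user-risk signal.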
Azure AD roles control permissions to manage Azure AD resources, for example allowing user accounts to be created or billing information to be viewed. Azure AD supports built-in and custom roles.
Managing access using roles is known as role-based access control (RBAC). Azure AD built-in and custom roles are a form of RBAC in that Azure AD roles control access to Azure AD resources. This is referred to as Azure AD RBAC.
  • Azure AD RBAC: Azure AD roles control access to Azure AD resources such as users, groups, and applications.
  • Azure RBAC: Azure roles control access to Azure resources such as virtual machines or storage using Azure Resource Management.
Entitlement management is an identity governance feature that enables organizations to manage the identity and access lifecycle at scale. Entitlement management automates access request workflows, access assignments, reviews, and expiration.
Azure Active Directory (AD) access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignment. Regular access reviews ensure that only the right people have access to the resources. Excessive access rights are a known security risk. However, when people move between teams, or take on or relinquish responsibilities, access rights can be difficult to control.
Azure AD terms of use allow information to be presented to users before they access data or an application. Terms of use ensure users read relevant disclaimers for legal or compliance requirements.
Privileged Identity Management (PIM): PIM reduces the chance of a malicious actor getting access by minimizing the number of people who have access to secure information or resources. By time-limiting authorized users, it reduces the risk of an authorized user inadvertently affecting sensitive resources. PIM also provides oversight of what users are doing with their administrator privileges.
Identity Protection: The signals generated by Azure services are fed to Identity Protection. It categorizes risk into three tiers: low, medium, and high. It can also calculate the sign-in risk and user identity risk. A sign-in risk represents the probability that a given authentication request isn't authorized by the identity owner. It only generates risk detection when the correct credentials are used in the authentication request. It provides organizations with three reports that they can use to investigate identity risks in their environment. These reports are for risky users, risky sign-ins, and risk detections. Investigation of events is key to understanding and identifying any weak points in your security strategy.

Describe the capabilities of Microsoft security solutions

Azure Firewall is a managed, cloud-based network security service that protects your Azure virtual network (VNet) resources from attackers. The Azure Firewall is a fully stateful, centralized network firewall-as-a-service that provides network and application-level protection across different subscriptions and virtual networks.
The Azure DDoS Protection service is designed to help protect your applications and servers by analyzing network traffic and discarding anything that looks like a DDoS attack. The goal of a distributed denial of service (DDoS) attack is to overwhelm the resources on your applications and servers, making them unresponsive or slow for genuine users.
Azure DDoS Protection comes in two tiers:
  • Basic: The Basic service tier is automatically enabled for every property in Azure, at no extra cost, as part of the Azure platform. Always-on traffic monitoring and real-time mitigation of common network-level attacks provide the same defenses that Microsoft’s online services use. Azure’s global network is used to distribute and mitigate attack traffic across regions.
  • Standard: The Standard service tier provides extra mitigation capabilities that are tuned specifically to Microsoft Azure Virtual Network resources. The DDoS Protection Standard is simple to enable and requires no application changes. Protection policies are tuned through dedicated traffic monitoring and machine learning algorithms. Policies are applied to public IP addresses, which are associated with resources deployed in virtual networks, such as Azure Load Balancer and Application Gateway.
Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities.
Azure Virtual Network (VNet) is the fundamental building block for your organization's private network in Azure. It enables organizations to segment their networks (segmentation means dividing a network into smaller, isolated pieces).
Network security groups (NSGs) let you filter network traffic to and from Azure resources in an Azure virtual network. NSG security rules are evaluated by priority using five information points: source, source port, destination, destination port, and protocol to either allow or deny the traffic.
Azure Bastion is a service you can deploy that lets you connect to a virtual machine using your browser and the Azure portal.
Just-in-time (JIT) access allows you to lock down inbound traffic to your VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed. When a user requests access to a VM, Defender for Cloud checks that the user has Azure role-based access control (Azure RBAC) permissions for that VM. If the request is approved, Defender for Cloud configures the NSGs and Azure Firewall to allow inbound traffic to the selected ports from the relevant IP address (or range) for the amount of time that was specified. After the time has expired, Defender for Cloud restores the NSGs to their previous states. Connections that are already established are not interrupted.
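The NSG rule evaluation described two paragraphs up and the JIT flow described here fit together in one worked example. What follows is added here and is not Microsoft's code: a Python model of an NSG that walks rules in priority order (lower number first) and matches on the five fields source, source port, destination, destination port and protocol, plus a JIT controller that checks a constructed RBAC table, inserts a time-limited Allow rule for the requesting IP, and removes it once the window closes. The rule names, VM and user names, IP addresses, the RBAC table and the VNet address range are all constructed; the DenyAllInBound rule at priority 65500 mirrors the default that every Azure NSG ends with.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """One inbound NSG security rule (fields match the five points NSGs evaluate)."""
    name: str
    priority: int             # lower number is evaluated first
    access: str               # "Allow" or "Deny"
    protocol: str             # "Tcp", "Udp" or "*"
    source: str               # CIDR or "*"
    source_port: str          # single port, "lo-hi" range or "*"
    destination: str          # CIDR or "*"
    dest_port: str            # single port, "lo-hi" range or "*"
    expires_at: Optional[int] = None   # only set on JIT rules (epoch seconds, constructed)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(rules: List[Rule], protocol: str, src: str, sport: int, dst: str, dport: int) -> Tuple[str, str]:
    """Walk rules in priority order; the first rule whose five fields all match decides."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.protocol in ("*", protocol)
                and _addr_matches(r.source, src)
                and _port_matches(r.source_port, sport)
                and _addr_matches(r.destination, dst)
                and _port_matches(r.dest_port, dport)):
            return r.access, r.name
    return "Deny", "implicit"   # unreachable when the default DenyAllInBound rule is present


# Constructed baseline: HTTPS open, SSH denied, VNet-internal traffic allowed, then deny all.
BASE_RULES = [
    Rule("allow-https", 200, "Allow", "Tcp", "*", "*", "*", "443"),
    Rule("deny-ssh-internet", 300, "Deny", "Tcp", "*", "*", "*", "22"),
    Rule("AllowVNetInBound", 65000, "Allow", "*", "10.0.0.0/16", "*", "10.0.0.0/16", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", "*", "*"),
]

# Constructed RBAC table: which users hold the JIT-initiate permission on which VM.
JIT_PERMISSIONS = {"alice": {"vm-web-01"}, "bob": set()}


class JitController:
    """Stand-in for the Defender for Cloud JIT workflow over a single NSG."""

    def __init__(self, nsg_rules: List[Rule]):
        self.rules = list(nsg_rules)

    def request_access(self, user: str, vm: str, source_ip: str, port: int, now: int, duration_s: int) -> bool:
        """Grant a time-boxed Allow rule for one source IP and port if RBAC permits it."""
        if vm not in JIT_PERMISSIONS.get(user, set()):
            return False
        self.rules.append(Rule(f"jit-{user}-{port}", 100, "Allow", "Tcp",
                               f"{source_ip}/32", "*", "*", str(port), expires_at=now + duration_s))
        return True

    def expire(self, now: int) -> None:
        """Drop JIT rules whose window has closed, which restores the baseline rule set."""
        self.rules = [r for r in self.rules if r.expires_at is None or r.expires_at > now]


def demo() -> dict:
    """Trace SSH access to a VM before, during and after a JIT window."""
    jit = JitController(BASE_RULES)
    vm_ip, admin_ip, other_ip = "10.0.1.4", "203.0.113.10", "198.51.100.7"
    out = {}
    out["https_public"] = evaluate(jit.rules, "Tcp", other_ip, 40000, vm_ip, 443)[0]
    out["ssh_before"] = evaluate(jit.rules, "Tcp", admin_ip, 40000, vm_ip, 22)[0]
    out["bob_granted"] = jit.request_access("bob", "vm-web-01", admin_ip, 22, now=1000, duration_s=3600)
    out["alice_granted"] = jit.request_access("alice", "vm-web-01", admin_ip, 22, now=1000, duration_s=3600)
    out["ssh_during"] = evaluate(jit.rules, "Tcp", admin_ip, 40000, vm_ip, 22)[0]
    out["ssh_other_ip"] = evaluate(jit.rules, "Tcp", other_ip, 40000, vm_ip, 22)[0]
    jit.expire(now=1000 + 3600)
    out["ssh_after"] = evaluate(jit.rules, "Tcp", admin_ip, 40000, vm_ip, 22)[0]
    out["rules_restored"] = len(jit.rules) == len(BASE_RULES)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The JIT rule sits at priority 100, ahead of the standing deny at 300, so it wins only for the requesting address; every other source still hits deny-ssh-internet, and once the window expires the rule set is back to the baseline.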
Azure Key Vault is a centralized cloud service for storing your application secrets.
Cloud security posture management (CSPM) is a relatively new class of tools designed to improve your cloud security management. It assesses your systems and automatically alerts security staff in your IT department when a vulnerability is found. CSPM uses tools and services in your cloud environment to monitor and prioritize security enhancements and features.
Microsoft Defender for Cloud is a tool for security posture management and threat protection. It strengthens the security posture of your cloud resources and, with its integrated Microsoft Defender plans, Defender for Cloud protects workloads running on Azure, hybrid, and other cloud platforms.
The Azure Security Benchmark (ASB) and security baselines for Azure, which are closely related, help organizations secure their cloud solutions on Azure.
Cloud workload protection (CWP): The second pillar of cloud security is cloud workload protection. Through cloud workload protection capabilities, Microsoft Defender for Cloud is able to detect and resolve threats to resources, workloads, and services. Cloud workload protection is delivered through integrated Microsoft Defender plans specific to the types of resources in your subscriptions and provides enhanced security features for your workloads.
Security information and event management (SIEM) is a tool that an organization uses to collect data from across the whole estate, including infrastructure, software, and resources. It does analysis, looks for correlations or anomalies, and generates alerts and incidents.
A security orchestration, automation, and response (SOAR) system takes alerts from many sources, such as a SIEM system. The SOAR system then triggers action-driven automated workflows and processes to run security tasks that mitigate the issue.
Microsoft Sentinel is a scalable, cloud-native SIEM/SOAR solution that delivers intelligent security analytics and threat intelligence across the enterprise. It provides a single solution for alert detection, threat visibility, proactive hunting, and threat response. After you connect data sources to Microsoft Sentinel, you can monitor the data using the Microsoft Sentinel integration with Azure Monitor Workbooks. Use Microsoft Sentinel's powerful hunting search-and-query tools, based on the MITRE framework (a global database of adversary tactics and techniques), to proactively hunt for security threats across your organization’s data sources, before an alert is triggered.
Microsoft 365 Defender allows admins to assess threat signals from endpoints, applications, email, and identities to determine an attack's scope and impact. It gives greater insight into how the threat occurred, and what systems have been affected. Microsoft 365 Defender can then take automated action to prevent or stop the attack.
Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB). Office 365 Cloud App Security is a subset of Microsoft Defender for Cloud Apps. Azure Active Directory Premium P1 includes Azure Active Directory Cloud App Discovery at no extra cost.
Microsoft Defender for Identity is a cloud-based security solution. It uses your on-premises Active Directory data (called signals) to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
The Microsoft 365 Defender portal home page shows many of the common cards that security teams need. The composition of cards and data depends on the user role. Because the Microsoft 365 Defender portal uses role-based access control, different roles will see cards that are more meaningful to their day-to-day jobs.

Describe the capabilities of Microsoft compliance solutions

The Service Trust Portal provides information, tools, and other resources about Microsoft security, privacy, and compliance practices. Sign in with your Microsoft cloud services account to access all the available documentation.
Microsoft Priva helps organizations meet privacy challenges and achieve their privacy goals. Priva's capabilities are available through two solutions: Priva Privacy Risk Management, which provides visibility into your organization's data and policy templates for reducing risks; and Priva Subject Rights Requests, which provides automation and workflow tools for fulfilling data requests.
Microsoft's approach to privacy is built on the following six principles:
  1. Control
  2. Transparency
  3. Security
  4. Strong legal protection
  5. No content-based targeting
  6. Benefits to you
Microsoft Purview Compliance Manager is a feature in the Microsoft Purview compliance portal that helps admins to manage an organization’s compliance requirements with greater ease and convenience. It can help organizations throughout their compliance journey, from taking inventory of data protection risks, to managing the complexities of implementing controls, staying current with regulations and certifications, and reporting to auditors.
Compliance Manager tracks the following types of controls:
  • Microsoft-managed controls: controls for Microsoft cloud services, which Microsoft is responsible for implementing.
  • Your controls: sometimes referred to as customer-managed controls, these are implemented and managed by the organization.
  • Shared controls: responsibility for implementing these controls is shared by the organization and Microsoft.
The compliance portal is available to customers with a Microsoft 365 SKU with one of the following roles:
  • Global administrator
  • Compliance administrator
  • Compliance data administrator
Microsoft Purview Information Protection discovers, classifies, and protects sensitive and business-critical content throughout its lifecycle across your organization. It provides the tools to know your data, protect your data, and prevent data loss.
Microsoft Purview Data Lifecycle Management manages your content lifecycle using solutions to import, store, and classify business-critical data so you can keep what you need and delete what you don't.
Trainable classifiers use artificial intelligence and machine learning to intelligently classify your data. They're most useful classifying data unique to an organization like specific kinds of contracts, invoices, or customer records.
The content explorer is available as a tab in the data classification pane of the compliance portal. It enables administrators to gain visibility into the content that has been summarized in the overview pane.
There are two roles that grant access to content explorer:
  • Content explorer list viewer.
  • Content explorer content viewer.
Activity explorer provides visibility into what content has been discovered and labeled, and where that content is. It makes it possible to monitor what's being done with labeled content across the organization.
Sensitivity labels, available as part of information protection in the Microsoft Purview compliance portal, enable the labeling and protection of content, without affecting productivity and collaboration.
After sensitivity labels are created, they need to be published to make them available to people and services in the organization. Sensitivity labels are published to users or groups through label policies.
Microsoft Purview Data Loss Prevention (DLP) is a way to protect sensitive information and prevent its inadvertent disclosure.
Endpoint data loss prevention (Endpoint DLP) extends the activity monitoring and protection capabilities of DLP to sensitive items that are physically stored on Windows 10, Windows 11, and macOS (Catalina 10.15 and higher) devices.
Retention labels and policies help organizations to manage and govern information by ensuring content is kept only for a required time, and then permanently deleted.
Organizations of all types require a management solution to manage regulatory, legal, and business-critical records across their corporate data. Microsoft Purview Records Management helps an organization look after its legal obligations.
Microsoft Purview Insider Risk Management is a solution that helps minimize internal risks by enabling an organization to detect, investigate, and act on risky and malicious activities. Insider risk management is available in the Microsoft Purview compliance portal.
Insider risk management is centered around the following principles:
  • Transparency: Balance user privacy versus organization risk with privacy-by-design architecture.
  • Configurable: Configurable policies based on industry, geographical, and business groups.
  • Integrated: Integrated workflow across Microsoft Purview solutions.
  • Actionable: Provides insights to enable user notifications, data investigations, and user investigations.
Communication compliance in the Microsoft Purview compliance portal helps minimize communication risks by enabling organizations to detect, capture, and take remediation actions for inappropriate messages.
Microsoft Purview Information Barriers: An organization might want to restrict communications between some groups to avoid a conflict of interest from occurring in the organization, or to restrict communications between certain people to safeguard internal information. With information barriers, the organization can restrict communications among specific groups of users.
Electronic discovery, or eDiscovery, is the process of identifying and delivering electronic information that can be used as evidence in legal cases (eDiscovery Manager role).
Auditing solutions in Microsoft Purview help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations.
Azure Policy evaluates all resources in Azure and Azure Arc-enabled resources (specific resource types hosted outside of Azure). It evaluates whether the properties of resources match with business rules.
Azure Blueprints provide a way to define a repeatable set of Azure resources. Azure Blueprints enable development teams to rapidly provision and run new environments with the knowledge that they're in line with the organization’s compliance requirements.
Azure Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as:
  • Role Assignments
  • Policy Assignments
  • Azure Resource Manager templates (ARM templates)
  • Resource Groups
Microsoft Purview is designed to address the challenges associated with the rapid growth of data and to help enterprises get the most value from their information assets.
The Microsoft Purview governance portal provides a unified data governance service that helps you manage your on-premises, multi-cloud, and software-as-a-service (SaaS) data.
Azure Purview Data Map is able to capture metadata about enterprise data, to identify and classify sensitive data.
Device identities can be set up in different ways in Azure AD:
  • Azure AD registered devices. The goal of Azure AD registered devices is to provide users with support for bring your own device (BYOD) or mobile device scenarios. In these scenarios, a user can access your organization’s resources using a personal device. Azure AD registered devices register to Azure AD without requiring an organizational account to sign in to the device. Supported operating systems for Azure AD registered devices include Windows 10 and above, iOS, Android, and macOS.
  • Azure AD joined. An Azure AD joined device is a device joined to Azure AD through an organizational account, which is then used to sign in to the device. Azure AD joined devices are generally owned by the organization. Supported operating systems for Azure AD joined devices include Windows 10 or greater (except Home edition) and Windows Server 2019 Virtual Machines running in Azure.
  • Hybrid Azure AD joined devices. Organizations with existing on-premises Active Directory implementations can benefit from the functionality provided by Azure AD by implementing hybrid Azure AD joined devices. These devices are joined to your on-premises Active Directory and Azure AD, requiring an organizational account to sign in to the device.
Azure AD is available in four editions: Free, Office 365 Apps, Premium P1, and Premium P2:
Azure Active Directory Free. The free version allows you to administer users and create groups, synchronize with on-premises Active Directory, create basic reports, configure self-service password change for cloud users, and enable single sign-on across Azure, Microsoft 365, and many popular SaaS apps. The free edition is included with subscriptions to Office 365, Azure, Dynamics 365, Intune, and Power Platform.
Office 365 Apps. The Office 365 Apps edition allows you to do everything included in the free version, plus self-service password reset for cloud users, and device write-back, which offers two-way synchronization between on-premises directories and Azure AD. The Office 365 Apps edition of Azure Active Directory is included in subscriptions to Office 365 E1, E3, E5, F1, and F3.
Azure Active Directory Premium P1. The Premium P1 edition includes all the features in the free and Office 365 apps editions. It also supports advanced administration, such as dynamic groups, self-service group management, Microsoft Identity Manager (an on-premises identity and access management suite) and cloud write-back capabilities, which allow self-service password reset for your on-premises users.
Azure Active Directory Premium P2. P2 offers all the Premium P1 features, and Azure Active Directory Identity Protection to help provide risk-based Conditional Access to your apps and critical company data. P2 also gives you Privileged Identity Management to help discover, restrict, and monitor administrators and their access to resources, and to provide just-in-time access when needed.

Keywords to Remember

Defence-in-Depth: Physical, Identity and Access, Perimeter, Network, Application, Data Security, Encryption.
Shared Responsibility: SaaS, PaaS, IaaS. Customer organization responsibilities in shared responsibility: Information and Data, Mobiles and PCs, Accounts and Identities.
Zero-Trust: Always Assume Breach, Principle of Least Privilege (POLP), Never Trust Anything, JIT (Just-in-Time), JEA (Just-Enough-Access).
Federation: Trust is one-directional, needs a single identity for different domains, and uses trust relationships to allow access to resources across different domains.
Conditional Access Policy: sign-in risk, user risk, used after first authentication.