Security, responsibility and trust in Azure Flashcards
Describe security concept “Defense in depth”
A strategy that employs a series of mechanisms to slow the advance of an attack aimed at acquiring unauthorized access to information. Each layer provides protection, so that if one layer is breached, a subsequent layer is already in place to prevent further exposure.
Layers of defense in depth strategy
Data, Application, Compute, Networking, Perimeter (firewalls), Identity & Access, Physical Security
Azure Security Center
Security Center is a monitoring service that provides threat protection across all of your services, both in Azure and on-premises.
Azure Security Center is available in two tiers
Free. Available as part of your Azure subscription, this tier is limited to assessments and recommendations of Azure resources only.
Standard. This tier provides a full suite of security-related services including continuous monitoring, threat detection, just-in-time access control for ports, and more.
Use cases
Use Security Center for incident response - you can use Security Center during the detect, assess, and diagnose stages.
Use Security Center recommendations to enhance security.
You can reduce the chances of a significant security event by configuring a security policy, and then implementing the recommendations provided by Azure Security Center.
Describe the difference between authentication and authorization
Authentication is the process of establishing the identity of a person or service looking to access a resource. It involves the act of challenging a party for legitimate credentials, and provides the basis for creating a security principal for identity and access control use. It establishes whether they are who they say they are.
Authorization is the process of establishing what level of access an authenticated person or service has. It specifies what data they’re allowed to access and what they can do with it.
What is Azure AD?
A cloud-based identity service.
Built-in support for synchronizing with your existing on-premises Active Directory; it can also be used stand-alone.
Services:
Authentication - to apps and resources (includes MFA, password reset, password requirements)
SSO - one identity and password for multiple apps. The identity is tied to the user.
App management - manage cloud and on-premises apps using Azure AD App Proxy, SSO and SaaS apps
B2B identity services - guest users
B2C identity services - user sign-up, sign-in, etc.
Device management - how cloud or on-premises devices access corporate data
Describe Multi-factor authentication
Multi-factor authentication (MFA) provides additional security for your identities by requiring two or more elements for full authentication. These elements fall into three categories:
Something you know - a password
Something you possess - an authenticator app
Something you are - a biometric
Service Principal
First > Identity
Second > Principal
Identity - thing that can be authenticated (users, apps, servers)
Principal - identity with certain roles or claims
A service principal is an identity that is used by a service or application. And like other identities, it can be assigned roles.
Managed identity
A managed identity can be instantly created for any Azure service that supports it.
When you create a managed identity for a service, you are creating an account in your organization's Active Directory.
RBAC
Roles are sets of permissions, like “Read-only” or “Contributor”, that users can be granted to access an Azure service instance.
Identities are mapped to roles directly or through group membership.
Privileged Identity Management
Azure AD Privileged Identity Management (PIM) is an additional, paid-for offering that provides oversight of role assignments, self-service, just-in-time role activation, and access reviews for Azure AD and Azure resources.
What is encryption?
Encryption is the process of making data unreadable and unusable to unauthorized viewers. To use or read the encrypted data, it must be decrypted, which requires the use of a secret key. There are two top-level types of encryption: symmetric and asymmetric.
Symmetric encryption
Symmetric encryption uses the same key to encrypt and decrypt the data.
Asymmetric encryption
Asymmetric encryption uses a public key and private key pair.
Encryption at rest
Data is unreadable without the keys and secrets needed to decrypt it.
Encryption in transit
Encrypt the data at the application layer prior to sending it over a network. HTTPS is an example of application-layer in-transit encryption.
Set up a secure channel, like a virtual private network (VPN), at the network layer to transmit data between two systems.
Azure Storage Service Encryption
Azure storage platform automatically encrypts your data before persisting it to Azure Managed Disks, Azure Blob storage, Azure Files, or Azure Queue storage, and decrypts the data before retrieval.
Azure Disk Encryption
Disk Encryption leverages the industry-standard BitLocker feature of Windows and the dm-crypt feature of Linux to provide volume encryption for the OS and data disks. The solution is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets (and you can use managed service identities for accessing Key Vault).
Transparent data encryption
Transparent data encryption (TDE) helps protect Azure SQL Database and Azure Data Warehouse against the threat of malicious activity. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.
Azure Key Vault
Azure Key Vault is a centralized cloud service for storing your application secrets.
Azure Key Vault - useful scenarios
Secrets management. You can use Key Vault to securely store and tightly control access to tokens, passwords, certificates, Application Programming Interface (API) keys, and other secrets.
Key management. You also can use Key Vault as a key management solution. Key Vault makes it easier to create and control the encryption keys used to encrypt your data.
Certificate management. Key Vault lets you provision, manage, and deploy your public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for your Azure and internally connected resources more easily.
Store secrets backed by hardware security modules (HSMs). The secrets and keys can be protected either by software, or by FIPS 140-2 Level 2 validated HSMs.
The benefits of using Key Vault include:
Centralized application secrets. Centralizing storage for application secrets allows you to control their distribution, and reduces the chances that secrets may be accidentally leaked.
Securely stored secrets and keys. Azure uses industry-standard algorithms, key lengths, and HSMs, and access requires proper authentication and authorization.
Monitor access and use. Using Key Vault, you can monitor and control access to company secrets.
Simplified administration of application secrets. Key Vault makes it easier to enroll and renew certificates from public Certificate Authorities (CAs). You can also scale up and replicate content within regions, and use standard certificate management tools.
Integrate with other Azure services. You can integrate Key Vault with storage accounts, container registries, event hubs, and many more Azure services.
Types of certificates
Service certificates are used for cloud services.
Management certificates are used for authenticating with the management API.