MCA Microsoft Certified Associate Azure Security Engineer Study Guide - Shimon Brathwaite - E-Book


Shimon Brathwaite

Description

Prepare for the MCA Azure Security Engineer certification exam faster and smarter with help from Sybex. In the MCA Microsoft Certified Associate Azure Security Engineer Study Guide: Exam AZ-500, cybersecurity veteran Shimon Brathwaite walks you through every step you need to take to prepare for the MCA Azure Security Engineer certification exam and a career in Azure cybersecurity. You'll find coverage of every domain competency tested by the exam, including identity and access management, platform protection, security operations management, and data and application security. You'll learn to maintain the security posture of an Azure environment, implement threat protection, and respond to security incident escalations. Readers will also find:

* Efficient and accurate coverage of every topic necessary to succeed on the MCA Azure Security Engineer exam
* Robust discussions of all the skills you need to hit the ground running at your first, or next, Azure cybersecurity job
* Complimentary access to online study tools, including hundreds of bonus practice exam questions, electronic flashcards, and a searchable glossary

The MCA Azure Security Engineer AZ-500 exam is a challenging barrier to certification, but you can prepare confidently and quickly with this latest expert resource from Sybex. It's ideal for anyone preparing for the AZ-500 exam or seeking to step into their next role as an Azure security engineer.


Page count: 552

Publication year: 2022




Table of Contents

Cover

Title Page

Copyright

Acknowledgments

About the Author

About the Technical Editor

Introduction

What Does This Book Cover?

Who Should Read This Book

Study Guide Features

Interactive Online Learning Environment and Test Bank

Additional Resources

MCA Azure Security Engineer Study Guide Exam Objectives

Objective Map

How to Contact Wiley or the Author

Assessment Test

Answers to Assessment Test

Chapter 1: Introduction to Microsoft Azure

What Is Microsoft Azure?

Cloud Environment Security Objectives

Common Security Issues

The AAAs of Access Management

Encryption

Network Segmentation

Cybersecurity Considerations for the Cloud Environment

Major Cybersecurity Threats

Summary

Exam Essentials

Review Questions

Chapter 2: Managing Identity and Access in Microsoft Azure

Identity and Access Management

IAM in the Microsoft Azure Platform

Managing Application Access

Managing Access Control

Summary

Exam Essentials

Review Questions

Chapter 3: Implementing Platform Protections

Implementing Advanced Network Security

Configuring Enhanced Security for Compute

Exam Essentials

Review Questions

Chapter 4: Managing Security Operations

Configure Centralized Policy Management

Configuring and Managing Threat Protection

Configuring and Managing Security Monitoring Solutions

Summary

Exam Essentials

Review Questions

Chapter 5: Securing Data and Applications

Configuring Security for Storage in Azure

Summary

Exam Essentials

Review Questions

Appendix A: An Azure Security Tools Overview

Chapter 2, “Managing Identity and Access on Microsoft Azure”

Chapter 3, “Implementing Platform Protections”

Chapter 4, “Managing Security Operations”

Chapter 5, “Securing Data and Applications”

Appendix B: Answers to Review Questions

Chapter 1: Introduction to Microsoft Azure

Chapter 2: Managing Identity and Access in Microsoft Azure

Chapter 3: Implementing Platform Protections

Chapter 4: Managing Security Operations

Chapter 5: Securing Data and Applications

Index

End User License Agreement

List of Tables

Chapter 2

TABLE 2.1 Differences between system-assigned and user-assigned managed iden...

TABLE 2.2 PIM terminology

TABLE 2.3 Breakdown of identity access roles

TABLE 2.4 Examples of built-in Azure roles

TABLE 2.5 Breakdown of the custom role properties

Chapter 3

TABLE 3.1 Setting options for your Front Door application

TABLE 3.2 Setting options for your backend pools

TABLE 3.3 Settings for creating a WAF

TABLE 3.4 Basic settings for creating a private link service

TABLE 3.5 Outbound settings for a private link service

TABLE 3.6 Settings for linking to a private endpoint

TABLE 3.7 Settings for the Resource values in a private endpoint

TABLE 3.8 Configuration settings for a private endpoint

TABLE 3.9 Steps to configure Microsoft Endpoint Protection

TABLE 3.10 Microsoft Defender for Cloud features

TABLE 3.11 Features that handle inbound and outbound requests to your applic...

TABLE 3.12 Microsoft inbound use case recommendations

TABLE 3.13 Microsoft outbound use case recommendations

Chapter 4

TABLE 4.1 Threat modeling tools

TABLE 4.2 Activity log alert severity levels

TABLE 4.3 Various platform log types and descriptions

TABLE 4.4 Various log destinations and descriptions

TABLE 4.5 Features of Azure Monitor Logs

TABLE 4.6 Azure Monitor Metrics features and descriptions

TABLE 4.7 The built-in Microsoft Sentinel rules and their descriptions

Chapter 5

TABLE 5.1 Various storage accounts and their usage

TABLE 5.2 Migration scenario breakdown

TABLE 5.3 Built-in share-level permissions (https://docs.microsoft.com/en-us ...

TABLE 5.4 Users and their definitions

TABLE 5.5 Calling the Get User Delegation Key operation

TABLE 5.6 Specifying the local hostname and blob service port

TABLE 5.7 Request headers

TABLE 5.8 Supported fields when creating a user delegation SAS token (https: ...

TABLE 5.9 DDM rule descriptions

TABLE 5.10 Settings for creating a network security group in Azure

TABLE 5.11 Benefits of Cosmos DB

TABLE 5.12 Benefits of Azure Synapse Link

TABLE 5.13 Roles supported by Azure Key Vault

Appendix A

TABLE A.1 Rule collection groups

TABLE A.2 Various Azure-supported storage accounts and their breakdown

TABLE A.3 Summary of Azure Cosmos DB's benefits and features

TABLE A.4 Azure Synapse Analytics Features

TABLE A.5 Key benefits of using Azure Synapse Links

List of Illustrations

Chapter 1

FIGURE 1.1 The CIA triad

FIGURE 1.2 Defense in depth

FIGURE 1.3 Symmetric encryption

FIGURE 1.4 Asymmetric encryption

FIGURE 1.5 A DMZ setup

FIGURE 1.6 Sample phishing email

FIGURE 1.7 How botnets work

Chapter 2

FIGURE 2.1 Enabling a system-assigned managed identity on a VM

FIGURE 2.2 Adding a user-assigned managed identity

FIGURE 2.3 Guest Invite Settings

FIGURE 2.4 How conditional access policies work

FIGURE 2.5 Benefits of passwordless authentication

FIGURE 2.6 Naming your access review

FIGURE 2.7 Selecting an end for your access review

FIGURE 2.8 Enabling notification

FIGURE 2.9 Additional Content for Reviewer Email

FIGURE 2.10 Security principals

FIGURE 2.11 Levels of scope

FIGURE 2.12 Custom roles

Chapter 3

FIGURE 3.1 How VPN tunneling works

FIGURE 3.2 How an Azure firewall works

FIGURE 3.3 Creating an application gateway

FIGURE 3.4 Adding a public IP address

FIGURE 3.5 The contoso-frontend

FIGURE 3.6 Adding a backend

FIGURE 3.7 Click Add to complete the configuration.

FIGURE 3.8 Specify the domain to route requests to

FIGURE 3.9 Create the backend pool.

FIGURE 3.10 Azure backbone explained

FIGURE 3.11 Adding a service endpoint to your subnet

FIGURE 3.12 How service endpoints control information flow

FIGURE 3.13 How Update Management works in Azure

FIGURE 3.14 Results from the latest update assessment

FIGURE 3.15 Choosing update deployments

FIGURE 3.16 Azure's shared responsibility matrix

FIGURE 3.17 How app-assigned addressing works

FIGURE 3.18 Inbound access restrictions

FIGURE 3.19 Gateway-required VNet integration

FIGURE 3.20 Azure ExpressRoute

Chapter 4

FIGURE 4.1 Vulnerability Assessment findings

FIGURE 4.2 Clicking Scan in the Vulnerability Assessment tool

FIGURE 4.3 Vulnerability Scan report findings

FIGURE 4.4 Threat modeling tool preview

FIGURE 4.5 Data visualization

FIGURE 4.6 Creating alert rules

FIGURE 4.7 Choosing advanced options

FIGURE 4.8 Selecting a resource

FIGURE 4.9 Destination Details

FIGURE 4.10 Custom metrics

FIGURE 4.11 Metric database data chart

FIGURE 4.12 Changing the time range

FIGURE 4.13 SOAR and SIEM elements in Azure

FIGURE 4.14 Creating incident alerts

Chapter 5

FIGURE 5.1 Granting access to Azure file resources with Azure AD credentials...

FIGURE 5.2 Audit log info

FIGURE 5.3 Security Insights

FIGURE 5.4 Data masking

FIGURE 5.5 Various category controls

FIGURE 5.6 Azure Firewall

FIGURE 5.7 Network isolation through ACLs

FIGURE 5.8 Azure Synapse Link for Cosmos

FIGURE 5.9 RBAC in Azure Key Vault

FIGURE 5.10 Creating a key rotation policy

FIGURE 5.11 Configuring a rotation policy

Appendix A

FIGURE A.1 Components of a firewall policy

FIGURE A.2 Secure hubs configuration

FIGURE A.3 Web Application Firewall

FIGURE A.4 Preventing data leakage

FIGURE A.5 Azure Synapse



MCA Microsoft Certified Associate Azure Security Engineer Study Guide

Exam AZ-500

 

Shimon Brathwaite

 

 

 

Copyright © 2023 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada and the United Kingdom.

ISBN: 978-1-119-87037-1
ISBN: 978-1-119-87039-5 (ebk.)
ISBN: 978-1-119-87038-8 (ebk.)

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permission.

Trademarks: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. Microsoft and Azure are registered trademarks of Microsoft Corporation. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book. Microsoft Certified Associate Azure Security Engineer Study Guide is an independent publication and is neither affiliated with, nor authorized, sponsored, or approved by, Microsoft Corporation.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Control Number: 2022945256

Cover image: © Jeremy Woodhouse/Getty Images
Cover design: Wiley

Acknowledgments

I have had the pleasure of working with professionals from Wiley to create this study guide.

I would like to thank Kenyon Brown, senior acquisitions editor, for recruiting me and working with me to get my proposal approved for production. He was very helpful in helping me to understand the requirements and getting started with writing the book.

I would like to thank Christine O'Connor and Janette Neal, who oversaw the edits for my book. They were extremely helpful in making sure that my book was up to Wiley's production standards and helped to coordinate my interactions with everyone else on the team.

I am very grateful to Magesh Elangovan, who worked as the content refinement specialist. He helped me to ensure that the quality of the images and overall content of the book was appropriate for all readers and that the ideas of the book would be conveyed clearly to all readers.

Lastly, I would like to thank Mahalingam, the technical editor who helped me refine the book's content. He was extremely knowledgeable on Microsoft Azure and provided excellent feedback on technical concepts that helped me to improve the overall quality of the book.

About the Author

Shimon Brathwaite is author and editor-in-chief of securitymadesimple.org, a website dedicated to teaching business owners how to secure their businesses and helping cybersecurity professionals start and advance their careers.

Before starting his career in cybersecurity, Shimon was a co-op student at Toronto Metropolitan University in Toronto, Canada, where he received a degree in their Business Technology Management program before deciding to specialize in cybersecurity. Through his work at Toronto Metropolitan University and post-graduation, he accumulated over five years of work experience in cybersecurity across financial institutions, startups, and consulting companies. His work was primarily focused on incident response, where he helped companies resolve security incidents and perform digital investigations.

About the Technical Editor

Mahalingam is an Azure Consultant and works with enterprises to design and implement their solutions in Azure. He also assesses large-scale applications hosted on Azure and provides recommendations to optimize them. He started his Azure journey five years ago and is a certified Azure Solutions Architect Expert, Azure Security Engineer Associate, and Azure Administrator Associate. In addition, he is a Microsoft Certified Trainer and delivers workshops on Azure IaaS and PaaS.

Introduction

The Microsoft Azure Platform is one of the most popular and diverse cloud-computing platforms in existence. It includes a wide range of security features designed to help clients protect their cloud environments. The Microsoft Azure Security Technologies exam, AZ-500, focuses on testing a candidate's ability to be a subject matter expert on implementing Azure security controls. The exam focuses on four main areas:

Managing identity and access

Implementing platform protections

Managing security operations

Securing data and applications

What Does This Book Cover?

This book covers the topics outlined in the Microsoft Certified Associate Azure Security Engineer exam guide available at https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3VC70.

Exam policies can change from time to time. We highly recommend that you check the Microsoft site for the most up-to-date information when you begin preparing, when you register, and again a few days before your scheduled exam date.

The book's outline is as follows:

Chapter 1: Introduction to Microsoft Azure

Chapter 1 outlines cloud computing security best practices. The exam focuses on how to implement security controls that achieve specific goals in the Azure environment; in this chapter, you learn what those goals are for your cloud environment. Each of the following chapters corresponds to one or more of these best practices. Before beginning this chapter, you may want to complete the assessment test to obtain a baseline of your current understanding of security and the Azure platform.

Chapter 2: Managing Identity and Access on Microsoft Azure

Chapter 2 focuses on how to implement good identity and access management practices on Azure. Topics include managing Azure Active Directory (Azure AD) identities, securing access to resources and applications, and implementing role-based access control (RBAC).

Chapter 3: Implementing Platform Protections

Chapter 3 discusses how to implement good network security on the Azure platform. Topics include firewall configuration, endpoint protection, network monitoring, and the Azure-specific security tools used to accomplish these tasks. It begins with network security, exploring topics such as network security groups; the Web Application Firewall (WAF); endpoint protection; DDoS protection; operational security, such as vulnerability management; disk encryption; and Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates.

Chapter 4: Managing Security Operations

Chapter 4 focuses on how to use Azure tools like Microsoft Sentinel (formerly Azure Sentinel) and Microsoft Defender for Cloud (formerly Azure Security Center) to manage security operations. It covers creating custom alerts, policy management, vulnerability scans, and security configurations for the platform. It then shows how to configure monitoring using Azure Monitor, Microsoft Defender for Cloud, Azure Policy, Azure Blueprints, and Microsoft Sentinel.

Chapter 5: Securing Data and Applications

Chapter 5 focuses on how to secure data and applications on the Azure platform. Topics include secure data storage, seamless data backups, database security, and Azure tools like Microsoft Defender for Cloud (formerly Azure Defender) and Key Vault. It also covers protecting application backend databases with database encryption, database authentication, and database auditing.

Appendix A: Azure Security Tools Overview

This appendix reviews the Microsoft Azure security tools used to build a secure platform: what each tool does and how the tools can be combined for security operations, compliance, network monitoring, automated alerting, and proper logging. The tools covered include Microsoft Sentinel, Azure Key Vault, Microsoft Defender for Cloud, Azure Firewall, Azure Policy, and Azure Monitor.

Who Should Read This Book

As the title implies, this book is intended for people who have an interest in understanding and implementing security features in Azure. These people probably fall into two basic groups:

Security Professionals in an Azure Environment

IT administrators or security professionals who are responsible for securing their organization's Azure cloud environment.

Candidates for the AZ-500 Exam

Anyone interested in taking the AZ-500 exam. This book gives readers a clear understanding of the topics needed to pass the exam, and it comes with hundreds of practice questions and tests to help readers prepare for the type of questions they can expect on the exam.

This book is designed for people who have some experience in cybersecurity. While it gives a breakdown of the key foundational concepts relevant to the exam, it cannot cover all the background a reader might need. For those with a cybersecurity or IT background this will be no issue, but for others the learning curve may be steep, so do your own research whenever you need more context for a cybersecurity concept found in this book.

You can use this book in two ways. The most straightforward (and time consuming) is to start at the beginning and follow all the steps to gain a good overall understanding of security controls in Azure. Alternatively, you can skip around from chapter to chapter and only look at the areas of interest to you. For example, if you are having trouble understanding how to implement access management in your environment, then you may want to skip to Chapter 2 and just focus on that. Each chapter includes step-by-step instructions on how to implement the controls that we talk about in that chapter.

Study Guide Features

This study guide uses several common elements to help you prepare. These include the following:

Summaries

The summary section of each chapter briefly recaps what the chapter covers.

Exam Essentials

The exam essentials highlight the major exam topics and critical knowledge you should take into the test, mapped to the exam objectives published by Microsoft.

Chapter Review Questions

A set of questions at the end of each chapter helps you assess your knowledge of that chapter's topics and whether you are ready for the exam.

 The review questions, assessment test, and other testing elements included in this book are not derived from the actual exam questions, so don't memorize the answers to these questions and assume that doing so will enable you to pass the exam. You should learn the underlying topic, as described in the text of the book. This will let you answer the questions provided with this book and pass the exam. Learning the underlying topic is also the approach that will serve you best in the workplace—the ultimate goal of a certification.

Interactive Online Learning Environment and Test Bank

Studying the material in the Microsoft Certified Associate Azure Security Engineer Study Guide is an important part of preparing for the Azure Security Engineer Associate certification exam, but we also provide additional tools to help you prepare. The online tools will help you understand the types of questions that will appear on the certification exam:

The practice tests include all the questions in each chapter as well as the questions from the assessment test.

In addition, there are two practice exams with 50 questions each. You can use these tests to evaluate your understanding and identify areas that may require additional study.

The flashcards will push the limits of what you should know for the certification exam. There are 100 questions, which are provided in digital format. Each flashcard has one question and one correct answer.

The online glossary is a searchable list of key terms introduced in this exam guide that you should know for the exam.

To start using these tools to study for the exam, go to www.wiley.com/go/sybextestprep and register your book to receive your unique PIN. Once you have the PIN, return to www.wiley.com/go/sybextestprep, find your book, and click Register to register a new account or add this book to an existing account.

 Like all exams, the Microsoft Certified Associate Azure Security Engineer certification is updated periodically and may eventually be retired or replaced. At some point after Microsoft is no longer offering this exam, the old editions of our books and online tools will be retired. If you have purchased this book after the exam was retired, or you are attempting to register in the Sybex online learning environment after the exam was retired, please know that we make no guarantees that this exam's online Sybex tools will be available once the exam is no longer available.

Additional Resources

People learn in different ways. For some, a book is an ideal way to study, whereas others may find practice-test sites more efficient. Some of these sites offer pass guarantees and regularly update their question banks to track the official exam. They include www.udemy.com, www.exam-labs.com, https://acloudguru.com, and www.whizlabs.com.

MCA Azure Security Engineer Study Guide Exam Objectives

This table shows the percentage of the exam devoted to each section.

Section 1: Manage Identity and Access (30–35%)
Section 2: Implement Platform Protection (15–20%)
Section 3: Manage Security Operations (25–30%)
Section 4: Secure Data and Applications (25–30%)

 Exam objectives are subject to change at any time without prior notice and at Microsoft's sole discretion. Please visit the Exam AZ-500: Microsoft Azure Security Technologies website (https://docs.microsoft.com/en-us/certifications/exams/az-500) for the most current listing of exam objectives.

Objective Map

The following objective map shows which chapter of this book covers each exam objective.

Section 1: Manage Identity and Access (Chapter 2)
1.1 Manage Azure Active Directory (Azure AD) identities (Chapter 2)
1.2 Manage secure access by using Azure AD (Chapter 2)
1.3 Manage application access (Chapter 2)
1.4 Manage access control (Chapter 2)

Section 2: Implement Platform Protection (Chapter 3)
2.1 Implement advanced network security (Chapter 3)
2.2 Configure advanced security for compute (Chapter 3)

Section 3: Manage Security Operations (Chapter 4)
3.1 Configure centralized policy management (Chapter 4)
3.2 Configure and manage threat protection (Chapter 4)
3.3 Configure and manage security monitoring solutions (Chapter 4)

Section 4: Secure Data and Applications (Chapter 5)
4.1 Configure security for storage (Chapter 5)
4.2 Configure security for data (Chapter 5)
4.3 Configure and manage Azure Key Vault (Chapter 5)

How to Contact Wiley or the Author

If you believe you have found a mistake in this book, please bring it to our attention. At John Wiley & Sons, we understand how important it is to provide our customers with accurate content, but even with our best efforts an error may occur.

In order to submit your possible errata, please email it to our Customer Service Team at [email protected] with the subject line “Possible Book Errata Submission.”

Assessment Test

1. What is Azure AD?
A. It's a cloud version of Windows Active Directory (AD).
B. It is a cloud-based identity management service.
C. It is used for enabling multifactor authentication (MFA).
D. It protects accounts from authentication-based attacks.

2. What is a managed identity?
A. A shared user account
B. A user account managed by another user
C. An identity that your Azure services can use for authentication
D. A tool for controlling access to a user account

3. What is Privileged Identity Management (PIM)?
A. Protection for highly valuable Azure resources
B. Protection of your organization's most privileged accounts
C. Protection for admin-level Azure accounts
D. A type of role-based access control (RBAC)

4. What is role-based access control (RBAC)?
A. Assigning individual permissions based on a user's jobs
B. Controlling access based solely on an individual's job title
C. An Azure tool for controlling access to resources in Azure
D. A method where you assign permissions to a job role/identity as needed, rather than assigning permissions to an individual

5. What is not a feature of Azure Firewall Manager?
A. DDoS protection
B. Azure Firewall deployment and configuration
C. Creation of global and local firewall policies
D. Integration with third-party security features

6. What is the function of an Azure Application Gateway?
A. It's a tool for building and operating scalable applications.
B. It's an application load balancer.
C. It filters web traffic to applications.
D. It's Azure's native web application firewall.

7. What is the function of Azure Front Door?
A. DDoS protection
B. Protection against web-based attacks on applications
C. Filtering of web application attacks
D. Launching and operating of scalable applications

8. Where can you configure basic Azure DDoS Protection?
A. The Azure portal
B. Under Target Resources settings
C. It doesn't require configuration.
D. The Azure command line

9. What is the purpose of an Azure policy?
A. To enforce the standards of your organization and ensure compliance of your Azure resources
B. To set parameters on what resources can be created
C. To set parameters on who can access the resources
D. To act as a documentation tool

10. What is not a feature of Microsoft Defender for Cloud?
A. Real-time protection
B. Automatic and manual scanning
C. Detection and remediation
D. Capture of logs

11. What is the purpose of threat modeling?
A. Identifying threats currently on your network
B. Mapping out potential threats and their mitigation
C. Identifying vulnerabilities in upcoming applications
D. Mapping out the secure architecture of a software product

12. What is the function of Microsoft Sentinel?
A. It provides logging and monitoring for your Azure environment.
B. It is an endpoint security tool for protecting network resources.
C. It is the cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) platform that performs threat detection and analytics.
D. It allows you to manage Azure firewalls from a central location.

13. What is the purpose of an Azure storage account?
A. It contains a list of usernames and passwords for authentication.
B. It's a container for grouping databases.
C. It's a type of user account.
D. It stores data.

14. What is the function of Azure Cosmos Database (DB)?
A. To store secrets in Azure
B. To act as a fully managed NoSQL database designed for modern application development
C. To manage databases
D. To manage virtual endpoints

15. What is Azure Key Vault used for?
A. It's a cloud service for securely storing and accessing secrets.
B. It's a cloud password manager.
C. It provides physical protection for Azure servers.
D. It stores data objects in Azure.

16. What is a threat vector?
A. A nation-state threat actor
B. A group or individual with malicious intent
C. A type of malware
D. A path or means for exploiting a vulnerability

17. Which of the following is a type of administrative security control?
A. The separation of duties
B. Security guards
C. Security group policies
D. Computer logging

18. Which of the following is a NoSQL store for structured data?
A. Azure files
B. Azure blobs
C. Azure tables
D. Azure disks

19. What are threat actors?
A. A type of hacker group
B. A group or individual with malicious intent
C. A group with knowledge of company vulnerabilities
D. Insider threats

20. What tool is best used for threat hunting?
A. Microsoft's Threat Modeling Tool
B. Azure Storage
C. Microsoft Sentinel
D. Azure Active Directory (AD)

Answers to Assessment Test

B. Azure AD allows employees (or anyone on an on-premises network) to access external resources with proper authentication.

C. Managed identities allow your Azure Services to authenticate.

B. Azure PIM has special features for managing, controlling, and monitoring access to your organization's most privileged accounts.

D. In RBAC, you assign permissions to a job role/identity, and then assign that role/identity to users as needed.

A. Azure has a dedicated tool for DDoS protection.

B. Azure Application Gateway is an application load balancer for managing traffic to backend resources.

D. Azure Front Door is a tool for launching web applications.

C. Azure DDoS protection is enabled by default.

A. An Azure policy allows you to check whether resources meet the standards you set and to correct those resources automatically.

D. Microsoft Defender for Cloud does log analytics but it doesn't capture logs.

B. Threat modeling is the process of identifying potential threats and mitigation of such threats.

C. Microsoft Sentinel provides SIEM and SOAR functionality in Azure.

D. Storage accounts contain all the different types of data objects in Azure.

B. Azure Cosmos DB is a service for creating NoSQL databases for application development.

A. Azure Key Vault is a service for securely storing secrets in Azure.

D. A threat vector is the path or means that a threat actor takes for exploiting a vulnerability.

A. The separation of duties is an admin security control where a company requires more than one person to complete a given task in order to prevent fraud.

C. Azure tables are a NoSQL store for the storage of structured data.

B. Threat actors are any group with a malicious intent that hacks into a company.

C. Microsoft Sentinel is Azure's premier threat-hunting solution as well as a SOAR and SIEM platform.

Chapter 1 Introduction to Microsoft Azure

THE MCA MICROSOFT CERTIFIED ASSOCIATE AZURE SECURITY ENGINEER ASSESSMENT TEST TOPICS COVERED IN THIS CHAPTER INCLUDE:

What Is Microsoft Azure?

Cloud Environment Security Objectives

Confidentiality

Integrity

Availability

Nonrepudiation

Common Security Issues

Principle of Least Privilege

Zero-Trust Model

Defense in Depth

Avoid Security through Obscurity

The AAAs of Access Management

Encryption

End-to-End Encryption

Symmetric Key Encryption

Asymmetric Key Encryption

Network Segmentation

Basic Network Configuration

Unsegmented Network Example

Internal and External Compliance

PCI-DSS

CCPA

GDPR

HIPAA

PIPEDA

Cybersecurity Considerations for the Cloud Environment

Configuration Management

Unauthorized Access

Insecure Interfaces/APIs

Hijacking of Accounts

Compliance

Lack of Visibility

Accurate Logging

Cloud Storage

Vendor Contracts

Link Sharing

Major Cybersecurity Threats

DDOS

Social Engineering

Password Attacks

Malware

Adware

Ransomware

Spyware

Backdoors

Bots/Botnets

Cryptojacker

Keylogger

RAM Scraper

Browser Hijacking

In this chapter, I discuss Microsoft Azure as a platform and the common security issues for cloud computing. Security issues include common vulnerabilities, types of security threats, and their potential impact on a company. My goal is to outline the problems that the Azure Security Engineer certification is trying to teach you to solve.

What Is Microsoft Azure?

Microsoft Azure is a cloud platform consisting of more than 200 products and cloud services. It allows you to have your own contained IT infrastructure, which is entirely physically hosted at one or more of Microsoft's data centers. Azure allows you to develop and scale new applications or to run existing applications in the cloud. Its cloud services include the following:

Compute

  These services allow you to deploy and manage virtual machines (VMs), Azure containers, and batch jobs. Compute resources created in Azure can be configured to use public IP addresses or private addresses, depending on whether or not they need to be accessible to the outside world.

Mobile

  These products and services allow developers to build cloud applications for mobile devices and notification services, as well as support for backend tasks and tools for building application programming interfaces (APIs).

Analytics

  These services provide analytics and storage for services across your Azure environment. They include features for real-time analytics, big data analytics, machine learning, and business intelligence.

Storage

  Azure supports scalable cloud storage for structured and unstructured data. It also supports persistent storage and archival storage.

Security

  These specialized products and services help identify, prevent, and respond to different cloud security threats. They include data security features such as encryption keys and data loss prevention solutions.

Networking

  Azure allows you to create virtual networks, dedicated connections, and gateways, as well as services for traffic management and diagnostics, load balancing, DNS hosting, and security features.

Cloud Environment Security Objectives

When studying for the MCA Azure Security Engineer certification, you must first know the overall objectives of security and the common challenges involved in securing a cloud environment. Knowing the objectives and the challenges is important for understanding the practical implications of the concepts taught in this book and for directly answering many exam questions. So, the first thing we must review is the CIA triad (see Figure 1.1).

FIGURE 1.1 The CIA triad

CIA stands for confidentiality, integrity, and availability, the three goals you are trying to accomplish.

Confidentiality

Confidentiality means that only people with the right access should be able to access any piece of information. In this section of the CIA triad, the focus is on implementing proper security controls that prevent unauthorized access to your company's resources. A common example of a control used to maintain confidentiality is requiring a login username and password, the idea being that only an authorized person will be able to provide the credentials and gain access to your resource.

Integrity

Integrity means that only people with the correct access are able to change or edit any piece of information within a company. It ensures that information is always accurate and can be trusted to be free of manipulation. A common example of a security control used to ensure integrity is the digital signature: an encrypted hash value used to prove that a message has not been altered and to prove the identity of the sender. In a communication between two people, the digital signature leverages hashing algorithms and public key encryption to create a unique hash value of the original message or document, which can only be decrypted and read by the receiver. The message or document is then digitally signed and sent to the receiver. Once the receiver gets the message or document, they generate their own hash value for it; if it matches the hash value that the sender shared along with the message, they know the message has not been changed in transit (i.e., while moving from the sender to the receiver over the Internet).

Availability

Availability means that you want to ensure that your information and services are always available for use by the right user. Think about a company website, for example. As a business, you want to ensure that your company's website is always working and available for customer interactions. However, cyberattacks like distributed denial-of-service (DDoS) attacks make these services unavailable and can cost businesses thousands or even millions of dollars. Common examples of security controls that help maintain website availability are next-generation firewalls and specialized DDoS protection software.

Nonrepudiation

A fourth term, nonrepudiation, isn't included in the triad, but it is associated with the first three. Nonrepudiation simply means that no one should be able to perform an action online and then deny that they performed that action. For example, if I send an email or delete a file, there must be proof that I performed this action so that I can't deny it at a later date. One way that we prove it is by using the previously discussed digital signature.

Pretty much everything that you do within your cybersecurity operations is related to one or multiple elements of this triad; it's the most commonly used framework for understanding what you are trying to achieve as a cybersecurity professional.

Common Security Issues

Now that you have a basic understanding of what cybersecurity generally is trying to achieve, let's look at some of the common issues that cloud security professionals must deal with. Many of Azure's tools are built to address these issues, and it's very likely you have come across some of them in your daily work.

Principle of Least Privilege

The principle of least privilege simply means that you should only give users the amount of privilege they need to do their job and nothing more. Giving users anything more than what is necessary creates risk for the company without providing any benefit. For example, giving users more privilege than needed can be detrimental in a situation where an employee is being fired. Disgruntled employees are one of the biggest threats to a company because they have access to the internal network and have a motive to damage or steal information from it. Roughly 59 percent of employees steal information when they quit or are fired from their company. The amount of information that they have access to steal can be limited if you implement the principle of least privilege. Even if it's not a situation where the employee is leaving, if an employee's account has a high level of privilege and that account is misused or hacked by a cybercriminal, they will be able to access more information and perform more harmful actions using that account than with an account that has limited privileges. Think of what an admin-level account would be capable of accessing compared to a normal user account. The amount of damage a cybercriminal could do is staggering in such cases.

Zero-Trust Model

A zero-trust model is a security concept stating that an organization shouldn't implicitly trust any device or entity inside or outside its perimeter, and instead should verify everything before granting the device or entity access to anything. This model may contradict what some people assume: that a device inside the company network can be trusted and is not harmful. However, this is certainly not the case. Insider threats, advanced persistent threats (i.e., threat actors that sit on the network for extended periods of time), and legitimate accounts that have been compromised are all examples of cyberthreats that sit inside the company perimeter but shouldn't be trusted. Keep in mind the words of Charlie Gero, CTO of Enterprise and Advanced Projects Group at Akamai Technologies in Cambridge, Massachusetts:

The strategy around Zero Trust boils down to don't trust anyone. We're talking about, “Let's cut off all access until the network knows who you are. Don't allow access to IP addresses, machines, etc. until you know who that user is and whether they're authorized…”

www.csoonline.com/article/3247848/what-is-zero-trust-a-model-for-more-effective-security.html

Defense in Depth

Defense in depth is the idea that any important network resource should be protected by multiple layers of security (see Figure 1.2). This means that you should not have a single point of failure when it comes to the security controls that you use. It requires that you implement a variety of controls covering different aspects of security. The layers include the following:

Policies, Procedures, and Awareness Training

  While not technical controls, these documents and actions are part of overall security governance. They outline how the organization should approach their cybersecurity operations and mandate that certain actions must be taken to ensure the overall security of the company.

Physical Security

  Even in a cloud environment, you should take time to audit how the cloud provider physically secures its servers and physical infrastructure. If someone is able to gain physical access to a machine, they can often bypass whatever security controls are in place on the machine itself. A physical control can be as simple as disabling the USB ports on a machine to prevent someone from plugging in a USB device and uploading a virus. Also, in the event of a natural disaster, a building fire, or other unforeseen circumstances, you must ensure that your systems are well protected.

Perimeter Security

  Perimeter security is the first layer of security that sits between your digital network and outside attackers. It includes controls like perimeter firewalls, honeypots, and demilitarized zones (DMZs). Perimeter security separates your internal network from the outside world (the Internet) and partitions your network so that only the resources that need to be exposed to the Internet are exposed. For example, a DMZ is a separate part of the network, usually hosting only things like a web server that needs to be accessed by people outside the company network.

Network Security

  Network security controls are located on the company network and are responsible for monitoring and controlling the company's internal network. These controls are not located on any one particular machine, but rather are attached to things such as a router, where they can monitor communications between different network devices and filter and block traffic accordingly. A common example of this is the network intrusion detection and prevention system (IDPS), which monitors all of the traffic on a network for signs of malicious activity. Once the IDPS locates such activity, it can provide alerts as well as take action to block that malicious activity from occurring.

Endpoint Security

  Endpoint security controls are located on the actual endpoints on the network. An easy example to discuss is the antivirus software that you download to your computer. This antivirus software doesn't help to protect the network itself; it only scans files on your computer. The advantage is that it can do file-level detection, which software operating at the network level cannot, because that software cannot see the files or processes on the individual machines on the network. Endpoint security controls therefore allow for more detailed detection and remediation.

Application Security

  Application security is focused on securing the software applications that your business hosts. In the context of the cloud, many applications are hosted on cloud servers and are publicly available to anyone on the Internet. You need to know how to secure your applications so that people who visit the application and use it won't be able to exploit it. Application security begins during the creation of the application with source code reviews or dynamic application testing, where you try to find security bugs in the application. Once the application is completed, you need security like web application firewalls (WAFs) to protect the application from exploitation.

Data Security

  The last element of defense in depth is data security—implementing controls that help you protect the data within your organization from being accessed by unauthorized people. A common security control is data encryption, which ensures that anyone who is eavesdropping will be unable to obtain information in a usable format. In a cloud environment, one of the biggest challenges is to control the access that people have so that only those who are supposed to have access to view information are able to.

FIGURE 1.2 Defense in depth

Avoid Security through Obscurity

Security through obscurity is the idea that you can keep a system secure by keeping it a secret, which isn't a good idea. Although keeping the system hidden does reduce the number of threats that might target it, it's typically only a matter of time before an attacker finds out about it. If you didn't take time to protect it, then it's relatively easy for the attacker to discover and exploit. A lot of interconnectivity exists among the systems in a cloud environment, so even if that system isn't connected to the Internet directly, it may be connected through numerous other systems to a device exposed to the Internet, and it can be discovered that way.

The AAAs of Access Management

Another part of cloud environment security that's heavily focused on throughout the exam is identity and access management (IAM). IAM is about ensuring that only authorized people have access to resources within a company. If people are able to gain unauthorized access, they may be able to plant malware on company systems, steal company information, or perform other damaging actions on company devices. There are three main components to IAM that you must understand: authentication, authorization, and accounting (AAA).

Authentication pertains to confirming that a user is who they claim to be. Each user has unique identification information that sets them apart from all other users, and that information can be used to prove their identity when needed. For example, when you log into a website, you provide a username and a password. That combination of information should only be known by you, the owner of the account, and it provides the website with a somewhat reliable method of authenticating their users.

There are three primary categories of authentication:

Something you know (for example, a password)

Something you have (for example, an access card)

Something you are (for example, your fingerprint)

When you require a user to have at least two authentication methods across two categories, it's called multifactor authentication, which makes it much harder for attackers to authenticate themselves as someone else because they must steal two different sets of information.

The second A in AAA is authorization, which is the process of granting or denying a user access to system resources once the user is authenticated. Authorization determines the amount of information or services that a user can gain access to. If you've ever watched a military movie or worked in the military, you may have heard the phrase “classified information.” Classified information means that only people who have a certain authorization level can access it. While your environment's resources may not be as important as classified military information, you should apply the same principle and work to limit user access to the least amount they need in order to do their job (refer back to the principle of least privilege from earlier). On the system side, it means figuring out the privileges the user's account needs in order to work. For example, you must decide whether you are provisioning an account with guest access, regular user access, or administration-level privileges.

The final A in AAA stands for accounting, which is the ability to track a user's activity while accessing the company's resources and includes the amount of time spent on the network, the services accessed while there, and the amount of data transferred during their session. While this might seem invasive, it's an essential part of your organization's security policy. Accounting data is used for many things. First, this information enables you to perform a trends analysis and identify failed login attempts, which could indicate an attack. This information can also aid in detecting data breaches, forensics and computer investigations, billing, cost allocation, audits, and much more. It's important to be able to trace events back to specific user accounts during an investigation. For example, if you have a malware outbreak in the company, you want to know what account the malware originated from, how it could have spread, and if the situation has been contained. By tracing the events back to a specific user account, you can identify where it started from, whom it may have spread to, and therefore, if it has been contained based on the actions of that user account.

Properly enforcing the AAAs is your only reliable defense against insider threats. As stated previously, insider threats include disgruntled employees: people who feel they've been mistreated by the company or perhaps are about to be fired. Having this accounting data can help you identify these bad actors ahead of time and prevent them from doing something malicious. Insider threats also can include employees who are committing fraud. By collecting this information on a regular basis, you will detect clues about those who are committing fraud and using their company position to hide it. Keep in mind that for IAM accounting to be effective, you should eliminate the use of generic or shared accounts. If an action on your system can't be traced back to a single person, that information is not going to be very useful for singling out the bad actor in most cases.

Encryption

Encryption is an essential part of security in a cloud environment. Encryption is the process of encoding information so that it cannot be read by anyone other than the intended recipient. This process begins with the original message (plaintext), which is encoded and converted into ciphertext, sent to the recipient, and then converted back into plaintext, where it can be read. Because a cloud environment can only be accessed over the Internet, a larger than normal opportunity exists for users to “eavesdrop” or gain unauthorized access to network resources. Therefore, you must encrypt your communications (e.g., email) whenever you are going to be sending sensitive data over the Internet.

Several types of encryption exist:

End-to-end encryption

Symmetric key encryption

Asymmetric key encryption (public key cryptography)

End-to-End Encryption

End-to-end encryption is a system of communication where only the communicating users can read the messages. When the information is not being read by one of the users, it is always encrypted. As you read through this study guide, an emphasis is placed on trying to obtain end-to-end encryption wherever possible. This is important for preventing third parties from eavesdropping on your communications. You should have encryption through the entire communicating process with any sensitive information to avoid data leaks. The only time when sensitive information should be in plaintext, or unencrypted, is when it is in use.

Symmetric Key Encryption

In this form of encryption, the same key is used to both encrypt and decrypt information (see Figure 1.3). An encryption key is a string of characters that is used to encode or decode data. Symmetric key encryption is divided into stream ciphers and block ciphers. A stream cipher encrypts the message one bit at a time in a continuous flow, hence its name: a constant stream of bits is being encrypted. A block cipher breaks the message up into blocks of a predetermined number of bits and encrypts each block as a unit, one block at a time, until the entire message is encrypted. Symmetric encryption is typically less secure than asymmetric because it requires you to share the encryption key with everyone that you want to communicate with. However, it is much faster and is best used in situations where you value speed over security.

Asymmetric Key Encryption

In asymmetric key encryption (see Figure 1.4), different keys are used to encrypt and decrypt a message. First, the message is encrypted using a public key, which is shared between both users. Then the message is decrypted using a private key, which only the recipient of the message has. Asymmetric key encryption is arguably more secure than symmetric key encryption because you never have to send the decryption key over an insecure channel: your private key is kept on your personal workstation and is never emailed, which reduces the risk of it being read by attackers. Also known as public key encryption, this type of encryption is best suited for situations where you are processing smaller datasets and where speed isn't a huge concern.

FIGURE 1.3 Symmetric encryption

FIGURE 1.4 Asymmetric encryption
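As an added example (not code from the book), the Go program below uses only the standard library to put the three ideas from this chapter side by side: AES-GCM as the symmetric case of Figure 1.3, RSA-OAEP as the asymmetric case of Figure 1.4, and an RSA-PSS signature over a SHA-256 hash as the digital signature described under Integrity and Nonrepudiation. The sample message, key sizes, and function names are my own choices.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// newGCM wraps AES in GCM mode: a block cipher with an authentication tag.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewSymmetricKey returns a random 256-bit AES key. In the symmetric model
// (Figure 1.3) this one key must be shared with every party you talk to.
func NewSymmetricKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// SymmetricEncrypt seals plaintext under key; the nonce is not secret and
// is prepended so the receiver can use it for decryption.
func SymmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// SymmetricDecrypt uses the same key; a wrong key or altered ciphertext fails.
func SymmetricDecrypt(key, ciphertext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(ciphertext) < n {
		return nil, fmt.Errorf("ciphertext shorter than nonce")
	}
	return gcm.Open(nil, ciphertext[:n], ciphertext[n:], nil)
}

// NewKeyPair generates the asymmetric pair of Figure 1.4: the public half
// is shared with everyone, the private half never leaves its owner.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// AsymmetricEncrypt: anyone with the public key can encrypt for its owner.
func AsymmetricEncrypt(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// AsymmetricDecrypt: only the private key holder can read it.
func AsymmetricDecrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// Sign is the digital signature of the Integrity section: hash the message,
// then sign the hash with the sender's private key.
func Sign(priv *rsa.PrivateKey, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify recomputes the hash and checks the signature with the sender's
// public key: a changed message or another sender's key fails.
func Verify(pub *rsa.PublicKey, message, signature []byte) bool {
	digest := sha256.Sum256(message)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], signature, nil) == nil
}

func main() {
	msg := []byte("Approve payment of 1,000 to vendor 4711") // constructed sample
	sender, _ := NewKeyPair()
	sig, _ := Sign(sender, msg)
	fmt.Println("original verifies:", Verify(&sender.PublicKey, msg, sig))
	altered := []byte("Approve payment of 9,000 to vendor 4711")
	fmt.Println("altered verifies:", Verify(&sender.PublicKey, altered, sig))
}
```

Because the signature is made with the sender's private key, a valid signature also shows who sent the message, which is the nonrepudiation property the chapter mentions.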

Network Segmentation

The next element of cybersecurity we are going to discuss is network segmentation, which is all about dividing your computer network into smaller physical, or logical, components. Two devices on the same network segment can talk to each other directly, while separating a network into segments enables you to create some boundaries. Typically, each network segment will have data filtered by a router and a firewall (which is usually one device). Requiring data traffic to pass through a device allows for traffic to be inspected and security policies to be applied.

Network segmentation is a great way to limit the damage of data breaches. For example, the ability of ransomware or any other malware to spread is greatly reduced when a network is segmented properly; the infection is usually limited to the network segment where it began. Segmentation also helps to enforce the principle of least privilege by limiting an individual's access to only the network segments they need. And if you need to provide access to a third party, you can isolate the resource that they need on its own subnet and keep the third party isolated from the rest of your resources. Network segmentation can also boost the performance of a network, because with fewer hosts on a subnet, local traffic is reduced. With less overall traffic on each subnet, it's also easier for you to identify potentially suspicious behavior, because there is less noise to go through.

Basic Network Configuration

You always want to ensure that a firewall is located between you and the Internet to filter traffic that comes through to your internal network. In Figure 1.5, you see an example of simple but effective network segmentation for your organization. Called a demilitarized zone (DMZ), this is where you want to put your Internet-facing servers. You don't want application servers sitting on the same subnet as your internal servers. You also shouldn't have all of your Internet-facing servers on the same DMZ; only those that must communicate with one another regularly should be placed on the same DMZ. This way, if a hacker is able to compromise one of these Internet-facing servers, they'll be confined to that restricted zone.

Servers and workstations in the internal zone are allowed to send traffic into DMZ1, but DMZ1 cannot send information into the internal zone. Only traffic from DMZ2 is allowed to flow both ways. Because traffic from the Internet is routed to DMZ1, you'll want to prevent DMZ1 from sending traffic directly to the internal servers. Therefore, any traffic that needs to reach the internal servers must be routed to DMZ2, through the firewall, and then passed on to the internal zone. No traffic should go directly between the Internet and your internal zone, inbound or outbound.

Another important aspect is that Internet access for users should typically be routed through an HTTP proxy server, which in Figure 1.5 is located on DMZ1. Again, you need to place a buffer between your internal network and the Internet, because this is where most of your threats will be located.

FIGURE 1.5 A DMZ setup

Finally, traffic for every subnet should be restricted to certain ports that are necessary for their job function and everything else should be closed. This restriction limits the number of attack options that a hacker has, because each open port on your machine represents a potential entry point to the machines on that subnet.
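As an added example (not from the book), the Go program below models the Figure 1.5 traffic rules as a default-deny policy with per-port allow rules, and checks a candidate policy against the invariants the text states (no direct Internet-to-internal traffic either way, no DMZ1-to-internal traffic). The zone names are the book's; the specific ports, services, and rule comments are constructed for illustration.

```go
package main

import "fmt"

// Zone names follow Figure 1.5; the rule set further down is a constructed
// example of the policy the chapter describes, not taken from the page.
type Zone string

const (
	Internet Zone = "Internet"
	DMZ1     Zone = "DMZ1"
	DMZ2     Zone = "DMZ2"
	Internal Zone = "Internal"
)

// Rule permits traffic from Src to Dst on the listed destination ports;
// a nil Ports slice means any port.
type Rule struct {
	Src, Dst Zone
	Ports    []int
	Comment  string
}

// Flow is one connection attempt to evaluate against the policy.
type Flow struct {
	Src, Dst Zone
	Port     int
}

func (r Rule) matches(f Flow) bool {
	if r.Src != f.Src || r.Dst != f.Dst {
		return false
	}
	if r.Ports == nil {
		return true
	}
	for _, p := range r.Ports {
		if p == f.Port {
			return true
		}
	}
	return false
}

// Evaluate applies "everything else should be closed": the first rule
// that matches allows the flow, and a flow with no matching rule is denied.
func Evaluate(policy []Rule, f Flow) (bool, string) {
	for _, r := range policy {
		if r.matches(f) {
			return true, r.Comment
		}
	}
	return false, "no matching rule: default deny"
}

// Validate checks a policy against the invariants the chapter states: no
// direct traffic between the Internet and the internal zone in either
// direction, and no traffic from DMZ1 into the internal zone.
func Validate(policy []Rule) []string {
	forbidden := map[[2]Zone]string{
		{Internet, Internal}: "Internet must not reach the internal zone directly",
		{Internal, Internet}: "internal zone must not reach the Internet directly",
		{DMZ1, Internal}:     "DMZ1 must not send traffic into the internal zone",
	}
	var problems []string
	for _, r := range policy {
		if why, bad := forbidden[[2]Zone{r.Src, r.Dst}]; bad {
			problems = append(problems, fmt.Sprintf("%q: %s", r.Comment, why))
		}
	}
	return problems
}

// ExamplePolicy is a constructed rule set for the layout of Figure 1.5.
var ExamplePolicy = []Rule{
	{Internet, DMZ1, []int{443}, "public web server in DMZ1"},
	{Internal, DMZ1, []int{8080}, "users browse via the HTTP proxy in DMZ1"},
	{DMZ1, Internet, []int{80, 443}, "the proxy fetches pages for users"},
	{DMZ1, DMZ2, []int{5432}, "web tier reaches the database relay in DMZ2"},
	{DMZ2, Internal, []int{5432}, "DMZ2 relays to the internal database"},
	{Internal, DMZ2, nil, "internal zone manages DMZ2 on any port"},
}

func main() {
	flows := []Flow{
		{Internet, DMZ1, 443}, {Internet, DMZ1, 22}, {DMZ1, Internal, 5432},
		{DMZ2, Internal, 5432}, {Internal, Internet, 443},
	}
	for _, f := range flows {
		ok, why := Evaluate(ExamplePolicy, f)
		fmt.Printf("%-8s -> %-8s port %-5d allowed=%-5t %s\n", f.Src, f.Dst, f.Port, ok, why)
	}
	fmt.Println("policy violations:", Validate(ExamplePolicy))
}
```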

Unsegmented Network Example

To illustrate how important this is, let's use an example of a famous data breach that only occurred because the company's network was not segmented properly. In 2013, the department store Target had a data breach. This data breach began with a phishing email that was opened by an employee of a small HVAC company that did business with Target. The malware from this breach remained on the network of the HVAC company for two months before spreading to Target's network. Once inside Target's network, it was able to move laterally through the network and eventually installed itself on the point-of-sale (POS) terminals at many of the company's stores. The result: Over 110 million customers' data was compromised, resulting in over 100 lawsuits being filed and banks handing over $200 million to customers as a result. If Target had used proper network segmentation, this attack probably would have never happened, because the third party's network access would have been restricted to its own subnet. The cost of this data breach to Target itself was an estimated $61 million.

Internal and External Compliance