MCE Microsoft Certified Expert Cybersecurity Architect Study Guide - Kathiravan Udayakumar - E-Book


Kathiravan Udayakumar

Description

Prep for the SC-100 exam like a pro with Sybex' latest Study Guide

In the MCE Microsoft Certified Expert Cybersecurity Architect Study Guide: Exam SC-100, a team of dedicated software architects delivers an authoritative and easy-to-follow guide to preparing for the SC-100 Cybersecurity Architect certification exam offered by Microsoft. In the book, you'll find comprehensive coverage of the objectives tested by the exam, covering the evaluation of Governance Risk Compliance technical and security operations strategies, the design of Zero Trust strategies and architectures, and data and application strategy design. With the information provided by the authors, you'll be prepared for your first day in a new role as a cybersecurity architect, gaining practical, hands-on skills with modern Azure deployments. You'll also find:

* In-depth discussions of every single objective covered by the SC-100 exam and, by extension, the skills necessary to succeed as a Microsoft cybersecurity architect
* Critical information to help you obtain a widely sought-after credential that is increasingly popular across the industry (especially in government roles)
* Valuable online study tools, including hundreds of bonus practice exam questions, electronic flashcards, and a searchable glossary of crucial technical terms

An essential roadmap to the SC-100 exam and a new career in cybersecurity architecture on the Microsoft Azure cloud platform, MCE Microsoft Certified Expert Cybersecurity Architect Study Guide: Exam SC-100 is also ideal for anyone seeking to improve their knowledge and understanding of cloud-based management and security.


Page count: 791

Year of publication: 2023




Table of Contents

Cover

Title Page

Copyright

Dedication

Acknowledgments

About the Authors

About the Technical Editor

Introduction

What Is Azure?

About the SC-100 Certification Exam

Why Become a Certified Microsoft Azure Cybersecurity Architect?

Preparing to Become a Certified Microsoft Cybersecurity Architect

How to Become a Certified Microsoft Cybersecurity Architect

Who Should Buy This Book

How This Book Is Organized

Bonus Digital Contents

Conventions Used in This Book

Using This Book

SC-100 Exam Objectives

How to Contact the Publisher

Assessment Test

Answers to Assessment Test

Chapter 1: Define and Implement an Overall Security Strategy and Architecture

Basics of Cloud Computing

Introduction to Cybersecurity

Cybersecurity Domains

Getting Started with Zero Trust

Design Integration Points in an Architecture

Design Security Needs to Be Based on Business Goals

Decode Security Requirements to Technical Abilities

Design Security for a Resiliency Approach

Identify the Security Risks Associated with Hybrid and Multi-Tenant Environments

Plan Traffic Filtering and Segmentation Technical and Governance Strategies

Summary

Exam Essentials

Review Questions

Chapter 2: Define a Security Operations Strategy

Foundation of Security Operations and Strategy

Design a Logging and Auditing Strategy to Support Security Operations

Develop Security Operations to Support a Hybrid or Multi-Cloud Environment

Design a Strategy for SIEM and SOAR

Evaluate Security Workflows

Evaluate a Security Operations Strategy for the Incident Management Life Cycle

Evaluate a Security Operations Strategy for Sharing Technical Threat Intelligence

Summary

Exam Essentials

Review Questions

Chapter 3: Define an Identity Security Strategy

Design a Strategy for Access to Cloud Resources

Recommend an Identity Store (Tenants, B2B, B2C, Hybrid)

Recommend an Authentication and Authorization Strategy

Design a Strategy for Conditional Access

Design a Strategy for Role Assignment and Delegation

Design a Security Strategy for Privileged Role Access to Infrastructure Including Identity-Based Firewall Rules and Azure PIM

Design a Security Strategy for Privileged Activities Including PAM, Entitlement Management, and Cloud Tenant Administration

Summary

Exam Essentials

Review Questions

Chapter 4: Identify a Regulatory Compliance Strategy

Interpret Compliance Requirements and Translate into Specific Technical Capabilities

Evaluate Infrastructure Compliance by Using Microsoft Defender for Cloud

Interpret Compliance Scores and Recommend Actions to Resolve Issues or Improve Security

Design and Validate Implementation of Azure Policy

Design for Data Residency Requirements

Translate Privacy Requirements into Requirements for Security Solutions

Summary

Exam Essentials

Review Questions

Chapter 5: Identify Security Posture and Recommend Technical Strategies to Manage Risk

Analyze Security Posture by Using Azure Security Benchmark

Analyze Security Posture by Using Microsoft Defender for Cloud

Assess the Security Hygiene of Cloud Workloads

Evaluate the Security Posture of Cloud Workloads

Design Security for an Azure Landing Zone

Evaluate Security Postures by Using Secure Scores

Identify Technical Threats and Recommend Mitigation Measures

Recommend Security Capabilities or Controls to Mitigate Identified Risks

Summary

Exam Essentials

Review Questions

Chapter 6: Define a Strategy for Securing Infrastructure

Plan and Deploy a Security Strategy Across Teams

Deploy a Process for Proactive and Continuous Evolution of a Security Strategy

Specify Security Baselines for Server and Client Endpoints

Specify Security Baselines for the Server, Including Multiple Platforms and Operating Systems

Specify Security Requirements for Mobile Devices and Clients, Including Endpoint Protection, Hardening, and Configuration

Specify Requirements for Securing Active Directory Domain Services

Design a Strategy to Manage Secrets, Keys, and Certificates

Design a Strategy for Secure Remote Access

Design a Strategy for Securing Privileged Access

Summary

Exam Essentials

Review Questions

Chapter 7: Define a Strategy and Requirements for Securing PaaS, IaaS, and SaaS Services

Establish Security Baselines for SaaS, PaaS, and IaaS Services

Establish Security Requirements for IoT Workloads

Establish Security Requirements for Data Workloads, Including SQL Server, Azure SQL, Azure Synapse, and Azure Cosmos DB

Define the Security Requirements for Web Workloads

Determine the Security Requirements for Storage Workloads

Define Container Security Requirements

Define Container Orchestration Security Requirements

Summary

Exam Essentials

Review Questions

Chapter 8: Define a Strategy and Requirements for Applications and Data

Knowing the Application Threat Intelligence Model

Specify Priorities for Mitigating Threats to Applications

Specify a Security Standard for Onboarding a New Application

Specify a Security Strategy for Applications and APIs

Specify Priorities for Mitigating Threats to Data

Design a Strategy to Identify and Protect Sensitive Data

Specify an Encryption Standard for Data at Rest and in Motion

Summary

Exam Essentials

Review Questions

Chapter 9: Recommend Security Best Practices and Priorities

Recommend Best Practices for Cybersecurity Capabilities and Controls

Recommend Best Practices for Protecting from Insider and External Attacks

Recommend Best Practices for Zero Trust Security

Recommend Best Practices for Zero Trust Rapid Modernization Plan

Recommend a DevSecOps Process

Recommend a Methodology for Asset Protection

Recommend Strategies for Managing and Minimizing Risk

Plan for Ransomware Protection and Extortion-Based Attacks

Protect Assets from Ransomware Attacks

Recommend Microsoft Ransomware Best Practices

Summary

Exam Essentials

Review Questions

Appendix: Answers to Review Questions

Chapter 1: Define and Implement an Overall Security Strategy and Architecture

Chapter 2: Define a Security Operations Strategy

Chapter 3: Define an Identity Security Strategy

Chapter 4: Identify a Regulatory Compliance Strategy

Chapter 5: Identify Security Posture and Recommend Technical Strategies to Manage Risk

Chapter 6: Define a Strategy for Securing Infrastructure

Chapter 7: Define a Strategy and Requirements for Securing PaaS, IaaS, and SaaS Services

Chapter 8: Define a Strategy and Requirements for Applications and Data

Chapter 9: Recommend Security Best Practices and Priorities

Index

End User License Agreement

List of Tables

Chapter 2

TABLE 2.1 Azure Logs

TABLE 2.2 Security Logs

Chapter 3

TABLE 3.1 Authentication Methods

TABLE 3.2 Personas

Chapter 4

TABLE 4.1 Azure Compliance

TABLE 4.2 Operational compliance problems and solutions

TABLE 4.3 Azure Policy Glossary

TABLE 4.4 Azure Policy's configuration maximum

Chapter 6

TABLE 6.1 Sample Metrics

TABLE 6.2 Best Practices

TABLE 6.3 Benefits

Chapter 7

TABLE 7.1 Azure Cloud Services and Azure Security Benchmark

TABLE 7.2 App Service Mapping to the Microsoft Cloud Security Benchmark

TABLE 7.3 Microsoft Windows Virtual Machine Mapping

TABLE 7.4 Roles and Security Requirements

TABLE 7.5 Steps to Identify Data

Chapter 8

TABLE 8.1 Questions to Ask

TABLE 8.2 Microsoft Threat Modeling Tool Mitigations

TABLE 8.3 Risky Applications

TABLE 8.4 DevOps Phases and Tasks

TABLE 8.5 Security Strategy Components

TABLE 8.6 Method to Protect Data

TABLE 8.7 Data Classification

TABLE 8.8 Purview Capabilities

TABLE 8.9 Data Protection Capabilities

TABLE 8.10 Purview Data Life-Cycle Management Capabilities

TABLE 8.11 Records Management

Chapter 9

TABLE 9.1 Microsoft Azure Security Benchmark Key best practices across various...

TABLE 9.2 Microsoft Security benchmark for Incident response and logging per...

TABLE 9.3 Best Practices for Identity Management, Privileged Access, and Net...

TABLE 9.4 Protecting Against Ransomware

TABLE 9.5 Securing Your Backup Infrastructure

TABLE 9.6 Protecting from Ransomware

TABLE 9.7 Protecting Organization Data

TABLE 9.8 Privileged Access Perspective

TABLE 9.9 Deployment Checklist

TABLE 9.10 Detection and Response Time Perspective

TABLE 9.11 Deployment Checklist

TABLE 9.12 Remote Access Perspective

TABLE 9.13 Deployment Checklist

TABLE 9.14 Email and Collaboration Perspective

TABLE 9.15 Deployment Checklist

TABLE 9.16 Endpoints Perspective

TABLE 9.17 Deployment Checklist

TABLE 9.18 Accounts Perspective

TABLE 9.19 Deployment Checklist

List of Illustrations

Chapter 1

FIGURE 1.1 Microsoft Zero Trust architecture

FIGURE 1.2 High-level Microsoft Cybersecurity Reference Architecture

FIGURE 1.3 High-level Microsoft Cybersecurity Reference Architecture SOC bui...

FIGURE 1.4 High-level Microsoft Cybersecurity Reference Architecture SaaS bu...

FIGURE 1.5 High-level Microsoft Cybersecurity Reference Architecture Hybrid ...

FIGURE 1.6 High-level Microsoft Cybersecurity Reference Architecture Endpoin...

FIGURE 1.7 High-level Microsoft Cybersecurity Reference Architecture Informa...

FIGURE 1.8 High-level Microsoft Cybersecurity Reference Architecture Identit...

FIGURE 1.9 High-level Microsoft Cybersecurity Reference Architecture People ...

FIGURE 1.10 High-level Microsoft Cybersecurity Reference Architecture IOT an...

FIGURE 1.11 Microsoft Cloud Adoption Framework

FIGURE 1.12 Cybersecurity business alignment and disciplines

FIGURE 1.13 Security resiliency managing risk

FIGURE 1.14 Hybrid security identity environment

FIGURE 1.15 Deploying a secure hybrid network

Chapter 2

FIGURE 2.1 SOC operating model

FIGURE 2.2 Microsoft unified operations

FIGURE 2.3 References architecture for Microsoft Sentinel and Defender for C...

Chapter 3

FIGURE 3.1 Enterprise access solution based on Zero Trust

FIGURE 3.2 Microsoft identity governance method to manage identities and acc...

FIGURE 3.3 Microsoft Azure AD password hash synchronization reference archit...

FIGURE 3.4 Microsoft Azure AD pass-through authentication reference architec...

FIGURE 3.5 Microsoft federated authentication reference architecture

FIGURE 3.6 Microsoft authentication method decision tree

FIGURE 3.7 Microsoft recommends end-to-end security.

Chapter 4

FIGURE 4.1 Microsoft's five cybersecurity disciplines of cloud governance

FIGURE 4.2 Microsoft Defender for Cloud

FIGURE 4.3 Azure policy logical view

Chapter 5

FIGURE 5.1 Overall security governance

FIGURE 5.2 Security posture management rapid modernization plan

FIGURE 5.3 Security posture management pillars

FIGURE 5.4 Microsoft Defender for Cloud regulatory compliance

FIGURE 5.5 Microsoft Defender for Cloud Dashboard

FIGURE 5.6 Security hygiene recommendation remediation

FIGURE 5.7 Security hygiene remediation workflow

FIGURE 5.8 Microsoft Defender for Cloud—security hygiene of workloads

FIGURE 5.9 Microsoft Defender for Cloud Score dashboard

FIGURE 5.10 Microsoft Defender for Cloud recommendation dashboard

FIGURE 5.11 Building block CTI in SIEM

FIGURE 5.12 Azure AD Identity Protection risk detection

FIGURE 5.13 Risk management framework

FIGURE 5.14 Security control secure management dashboard

FIGURE 5.15 Security encrypt data in transit dashboard

Chapter 6

FIGURE 6.1 Microsoft-defined security roles and responsibilities

FIGURE 6.2 Microsoft approach to continuous assessment

FIGURE 6.3 Microsoft Defender for Cloud ASB OSB baseline for Windows and Lin...

FIGURE 6.4 Detailed view about remediation

FIGURE 6.5 Microsoft approach to continuous assessment

FIGURE 6.6 Microsoft Defender for Identity with AD FS

FIGURE 6.7 Microsoft Certified Authority integrated

FIGURE 6.8 Microsoft Certified Authority and Key Vault integrated

FIGURE 6.9 Site-to-site VPN

FIGURE 6.10 Microsoft Azure multisite S2S VPN

FIGURE 6.11 Point-to-site VPN

FIGURE 6.12 Microsoft Azure connectivity

FIGURE 6.13 Microsoft Azure Remote connectivity

FIGURE 6.14 Microsoft Azure privileged access security strategy guideline

Chapter 7

FIGURE 7.1 Microsoft Defender for IoT

FIGURE 7.2 Security best practices

FIGURE 7.3 Security posture management for data

FIGURE 7.4 Microsoft Defender for Azure SQL database servers

FIGURE 7.5 Security recommendations for SQL databases

FIGURE 7.6 Defender for Storage two-action view

FIGURE 7.7 Microsoft Defender for Containers

FIGURE 7.8 Azure Kubernetes Service clusters

Chapter 9

FIGURE 9.1 Microsoft Cybersecurity Reference Architecture

FIGURE 9.2 Prepare-enter-traverse-execute

FIGURE 9.3 Technical-oriented program


MCE Microsoft® Certified Expert Cybersecurity Architect Study Guide

Exam SC-100

 

Kathiravan Udayakumar

Puthiyavan Udayakumar

 

Copyright © 2023 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada and the United Kingdom.

ISBN: 978-1-394-18021-9
ISBN: 978-1-394-18022-6 (ebk.)
ISBN: 978-1-394-18023-3 (ebk.)

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permission.

Trademarks: WILEY, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. Microsoft is a registered trademark of Microsoft Corporation. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book. MCE Microsoft Certified Expert Cybersecurity Architect Study Guide is an independent publication and is neither affiliated with, nor authorized, sponsored, or approved by, Microsoft Corporation.

Limit of Liability/Disclaimer of Warranty: While the publisher and authors have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Control Number: 2022950346

Cover image: © Jeremy Woodhouse/Getty Images
Cover design: Wiley

 

To the Wiley team for this opportunity and all their support to complete this book.

—Kathiravan Udayakumar

 

I am grateful to my mother and father for all you have done for me.

I am deeply thankful to my better half for helping me thrive in our life journey.

To my dearest brother and mentor, my sincere gratitude.

To the Wiley team, thanks for creating this opportunity.

—Puthiyavan Udayakumar

Acknowledgments

We want to express our sincere thanks to Sybex for continuing to support this project.

Although this book bears our name as authors, numerous people contributed to its design and development of the content. They helped make this book possible, or at best, it would be in a lesser form without them. Kenyon Brown was the acquisitions editor and so helped get the book started. Pete Gaughan, the managing editor, oversaw the book as it progressed through all its stages. Jon Buhagiar was the technical editor who checked the text for technical errors and omissions—but any remaining mistakes are our own. Patrick Walsh, the project editor, helped keep the text grammatical and understandable. Archana Pragash, content refinement specialist, and others from her team helped check the text for typos and shaped the content.

About the Authors

Kathiravan Udayakumar is Head of Delivery and Chief Architect for Oracle Technologies & Analytics (Europe Practice) at Cognizant covering various elements of technology services in on-prem and cloud. He has more than 19 years of experience in architecture, design, implementation, administration, and integration with greenfield IT systems, ERP, and cloud platforms and solutions across various business domains and industries. He is passionate about networking from his undergraduate studies and is a Cisco Certified Network Associate (CCNA). He has also proposed, in his undergraduate thesis, protocols for optimal routings in complex networks, using the Differential Routing Information Protocol (DRIP) to avoid pinhole congestion.

Puthiyavan Udayakumar is an infrastructure architect with more than 14 years of experience in modernizing and securing IT infrastructure, including the cloud. He has been writing technical books for more than 10 years on various infrastructure and security domains. He has designed, deployed, and secured IT infrastructure out of and on-premises and on the cloud, including virtual servers, networks, storage, and desktops for various industries such as pharmaceutical, banking, healthcare, aviation, federal entities, and so on. He is an Open Group Certified Master Certified Architect.

About the Technical Editor

Jon Buhagiar (Network+, A+, CCNA, MCSA, MCSE, BS/ITM) is an information technology professional with two decades of experience in higher education. During the past 23 years he has been responsible for network operations at Pittsburgh Technical College and has led several projects, such as virtualization (server and desktop), VoIP, Microsoft 365, and many other projects supporting the quality of education at the college. He has achieved several certifications from Cisco, CompTIA, and Microsoft, and has taught many of the certification paths. He is the author of several books, including Sybex's CompTIA Network+ Review Guide: Exam N10-008 (Sybex, 2021) and CCNA Certification Practice Tests: Exam 200-301 (Sybex, 2020).

Introduction

Welcome to MCE Microsoft® Certified Expert Cybersecurity Architect Study Guide: Exam SC-100. This book offers a firm grounding for Microsoft's Exam SC-100. This introduction provides a basic overview of this book and the Microsoft Certified Architect SC-100 exam.

What Is Azure?

The Microsoft Azure cloud platform consists of more than 200 IT products and services designed to help you bring new IT solutions to life to solve today's challenges and create the future. You can build, run, and manage applications across multiple clouds, on-premises, and at the edge, with the tools and frameworks of your choice.

Organizations worldwide can become more digitally connected with Microsoft Azure, and cybersecurity strategy can transform their security. In a cloud environment, security as a service provides security strategies for data, applications, identity, and infrastructure to customers. The Cybersecurity Architect role continues to evolve in the cloud landscape as professionals secure the workloads to the cloud, manage hybrid security, secure remote workers, and support strategic scenario-led digital transformations.

About the SC-100 Certification Exam

The SC-100 certification exam tests your knowledge and understanding of the Microsoft Azure Cybersecurity Architect role. Specifically, the certification aims to validate your expertise in securing Azure workloads, including data, applications, access management, identity, infrastructure compliance, governance risk compliance, and privacy access to Azure services.

You will be tested on your capabilities to translate requirements into secure, scalable, and reliable cybersecurity design and deployment of cybersecurity solutions.

The exam tests your deep understanding of all aspects of enterprise architecture and the Microsoft Cybersecurity Architect's role to design and evolve a cybersecurity strategy that protects a company's mission and business processes. In addition to GRC technical strategies, your skills as a Cybersecurity Architect in creating Zero Trust security strategies for data, applications, access management, identity, and infrastructure, as well as designing Zero Trust architectures and evaluating security operations strategies, will be validated in this SC-100 exam.

Why Become a Certified Microsoft Azure Cybersecurity Architect?

Would you like to demonstrate your Microsoft Azure cybersecurity skills and experience to your company or clients by planning, designing, deploying, and managing their Azure cybersecurity solutions?

Because Microsoft certification is a globally recognized and industry-endorsed proof of mastering real-world skills, those with such a certification are known to be more productive and efficient. Microsoft certifications differentiate you by proving your broad skills and experience with current Microsoft network solutions.

A Microsoft certification exam is a great way to demonstrate your expertise and build your résumé. You can validate your product knowledge and experience by taking Microsoft certification SC-100 exams.

During and following the COVID-19 pandemic that began in 2020, many testing organizations changed their on-site testing procedures, some even offering remote exam proctoring. In light of this, be sure you check with Microsoft's website and the provider where you plan to take the exam prior to registration and again prior to exam day for the latest, up-to-the-minute changes in exam site procedures.

Preparing to Become a Certified Microsoft Cybersecurity Architect

To plan and implement an organization's cybersecurity strategy, a Cybersecurity Architect collaborates continuously with IT security, privacy, and other organizational roles.

This exam requires advanced knowledge and experience in several security engineering areas, including identity and access, platform protection, security operations, and data and application security. Additionally, you should be familiar with hybrid and cloud implementations.

To earn the Microsoft Cybersecurity Architect Expert certification, candidates must pass one of the following exams: SC-200, SC-300, AZ-500, or MS-500. Microsoft strongly recommends that you do this before taking the SC-100 exam.

The best preparation for the exam is through studying and hands-on practice. Studying this book will give you the necessary information and skills to prepare for the Microsoft Cybersecurity Architect Certification SC-100.

We recommend spending 10 weeks or so of intensive study for the MCE SC-100 exam. The following are some recommendations to maximize your learning time. You can modify this list as necessary based on your own learning experiences.

Get hands-on experience with the Azure Portal daily, read articles about Azure, and learn Azure cybersecurity terminology.

Take one or two evenings to read each chapter in this book and work through its review materials.

Answer all the review questions and take the practice exam provided on the book's website.

Review the Microsoft Azure SC-100 skills measured on Microsoft's page for this exam: learn.microsoft.com/en-us/certifications/exams/sc-100

You'll find a “skills measured” section on every exam and Microsoft certification page. The following are the primary skills that will be assessed for the SC-100 exam. A detailed outline can be downloaded from the Microsoft site for this exam.

Design a Zero Trust strategy and architecture.

Evaluate governance risk compliance technical strategies and security operations strategies.

Design security for infrastructure.

Design a strategy for data and applications.

Recommend security best practices and priorities.

Use the flashcards included with the online study tools for this book to reinforce your understanding of concepts.

Take free hands-on learning courses on Microsoft Learn: learn.microsoft.com/en-gb/certifications/exams/sc-100

Read the Microsoft Azure documentation: docs.microsoft.com/en-us/azure/?product=popular

How to Become a Certified Microsoft Cybersecurity Architect

You can register for your exam from the Microsoft certification Exam SC-100 details page once you are ready: learn.microsoft.com/en-gb/certifications/exams/sc-100

On the certification detail pages, you'll find the choice to register in the “Schedule Exam” section.

Azure security engineers with previous Azure certifications in security, compliance, and identity will be tested for this exam. Security engineers should have advanced expertise and knowledge in various security engineering fields, including identity and access, platform protection, security operations, data security, and applications. A hybrid or cloud-based implementation should also be familiar to them. Those just starting should take SC-900: Microsoft Security, Compliance, and Identity Fundamentals instead.

You can take the exam online or at a local testing center, so you need to choose a test center or use online proctoring. There are advantages to each. Local test centers provide a secure environment. By taking your exam online, you can take it almost anywhere at any time. However, a reliable connection and a secure browser are required. When you take your test online, your system will first be checked to be sure it meets the requirements.

Who Should Buy This Book

Anybody who wants to pass the Microsoft SC-100 exam will benefit from reading this book. If you're new to Azure cybersecurity, this book covers the material you will need to learn, starting from the basics. It continues by providing the knowledge you need to be proficient enough to pass the SC-100 exams. If you're already familiar with Azure cybersecurity, this book can serve as a review and a refresher course for the information you might not be entirely aware of. Reading this book will help you pass the Microsoft SC-100 exams in either case.

This book is written assuming that you know at least a little about Azure and have essential cybersecurity experience and knowledge in a wide range of security engineering areas, including identity and access, platform protection, security operations, securing data, and securing applications. If you have experience with hybrid and cloud implementations, it will be a great value to add to kick-start your journey with SC-100.

How This Book Is Organized

This book covers four areas: Zero Trust, governance risk compliance (GRC), security operations (SecOps), and data and applications. In addition, students will be able to design and architect solutions using Zero Trust principles and specify security requirements for cloud infrastructure in multiple service models (SaaS, PaaS, IaaS).

This book consists of nine chapters plus supplementary information. The chapters are organized as follows:

Chapter 1: Define and Implement an Overall Security Strategy and Architecture

   This chapter covers the basics of cloud and cybersecurity, getting started with Zero Trust, designing integration points in an architecture, designing security needs based on business goals, decoding security needs' technical abilities, designing security for a resiliency approach, identifying the security risks associated with hybrid and multi-tenant environments, and planning traffic filtering and segmentation of technical and governance strategies.

Chapter 2: Define a Security Operations Strategy

   Chapter 2 covers designing a logging and auditing security strategy, developing security operations for hybrid and multi-cloud environments, designing a strategy for security information and event management (SIEM) and security orchestration, automation, and response (SOAR), evaluating security workflows, reviewing security strategies for incident management, evaluating security operations for technical threat intelligence, monitoring sources for insights on threats and mitigations, and developing integration points in an architecture.

Chapter 3: Define an Identity Security Strategy

   This chapter covers the design of a strategy for access to cloud resources, recommending an identity store (tenants, B2B, B2C, hybrid), recommending an authentication strategy, recommending an authorization strategy, designing a system for conditional access, designing a strategy for role assignment and delegation, designing a security strategy for privileged role access to infrastructure including identity-based firewall rules, using Azure PIM, and designing a security strategy for privileged activities including PAM, entitlement management, cloud tenant administration.

Chapter 4: Identify a Regulatory Compliance Strategy

   Chapter 4 covers getting started with a regulatory compliance strategy, assessing the technical capabilities of compliance requirements, assessing infrastructure compliance with Microsoft Defender for Cloud, identifying compliance issues and recommending actions to resolve them, developing and validating Azure policies, designing data residency requirements, and converting privacy requirements into security requirements.

Chapter 5: Identify Security Posture and Recommend Technical Strategies to Manage Risk

   This chapter covers analyzing security postures using benchmarks, analyzing security postures using Microsoft Defender for Cloud, assessing security postures using Secure Scores, evaluating cloud workload security, planning and design security for an Azure landing zone, identifying technical threats, recommending mitigation measures, and providing recommendations for reducing identified risks through the use of security controls.

Chapter 6: Define a Strategy for Securing Infrastructure

   Chapter 6 covers planning and deploying a security strategy across teams, establishing a process for proactive and continuous evolution of a security strategy, specifying security baselines for server and client endpoints, specifying security baselines for servers, and specifying security requirements for mobile devices and clients, including endpoint protection, hardening, and configuration. It also includes specifying requirements for securing Active Directory Domain Services; designing a strategy to manage secrets, keys, and certificates; designing a strategy for secure remote access; and designing a strategy for securing privileged access.

Chapter 7: Define a Strategy and Requirements for Securing PaaS, IaaS, and SaaS Services

   This chapter covers establishing PaaS security baselines, establishing security baselines for IaaS services, establishing SaaS security baselines, establishing security requirements for IoT workloads, establishing data security requirements, defining the security requirements for web workloads, determining the security requirements for storage workloads, defining container security requirements, and providing a security specification for container orchestration.

Chapter 8: Define a Strategy and Requirements for Applications and Data

   Chapter 8 covers specifying priorities for mitigating threats to applications, defining a security standard for onboarding a new application, defining a security strategy for applications and APIs, identifying sensitive data and protecting it, designing a strategy to mitigate threats to data, and defining the encryption standard for data at rest and in motion.

Chapter 9: Recommend Security Best Practices and Priorities

   This chapter covers best practices for several areas, including cybersecurity capabilities and controls, insider and external attacks, Zero Trust security, Zero Trust rapid modernization plans, DevSecOps processes, and asset protection. It also covers strategies for managing and minimizing risk, planning for ransomware protection and extortion-based attacks, protecting assets from ransomware attacks, and recommending Microsoft ransomware best practices.

Chapter Features

Each chapter begins with a list of the Microsoft Cybersecurity Architect SC-100 exam objectives covered in that chapter. Note that the book doesn't cover the goals in order. Thus, you shouldn't be alarmed at some of the odd ordering of the objectives within the book.

The examples within each chapter are intended to reinforce the content just learned. We have listed a few elements you can use to prepare for the exam for each chapter:

Exam Essentials

   This section in each chapter provides an overview of the critical information presented in the chapter. It should be possible for you to complete each task or convey the information requested.

Review Questions

   There are 20 review questions at the end of each chapter. The answers to these questions are provided in the appendix at the back of the book; you can check your answers there. You should review the chapter or the sections you are having trouble understanding if you can't answer at least 80 percent of these questions correctly.

The review questions, assessment test, and other testing elements included in this book are not derived from the SC-100 exam questions, so don't memorize the answers to these questions and assume that doing so will enable you to pass the exam. You should learn the underlying topic, as described in the text of the book. This will let you answer the questions provided with this book and pass the exam. Learning the underlying topic is also the approach that will serve you best in the workplace—the goal of a certification like SC-100.

To get the most out of this book, you should read each chapter from start to finish and then check your memory and understanding with the chapter-end elements. Even if you're already familiar with a topic, you should skim the chapter; Azure cybersecurity is complex enough that there are often multiple ways to accomplish a task, so you may learn something even if you're already competent in an area.

Bonus Digital Contents

We've put together some great online tools to help you pass the SC-100 exam. The interactive online learning environment that accompanies MCE Microsoft® Certified Expert Cybersecurity Architect Study Guide: Exam SC-100 provides a test bank and study tools to help you prepare for the exam.

Items available among these companion files include the following:

Practice Tests

   All of the questions in this book appear in our proprietary digital test engine—including the 30-question assessment test at the end of this introduction, a 65-question practice exam, and the 180 questions that make up the review question sections at the end of each chapter. In addition, there is a 30-question bonus exam.

Electronic Flashcards

   The digital companion files include 100 questions in flashcard format (a question followed by a single correct answer). You can use these to review your knowledge of the SC-100 exam objectives.

Glossary

   The key terms from this book, and their definitions, are available as a fully searchable PDF.

Interactive Online Learning Environment and Test Bank

You can access all these resources at www.wiley.com/go/sybextestprep. Once there, select your book from the list, complete the registration including the question to show you own the book, and you will be emailed your personal PIN code. When you receive the PIN code, follow the directions in the email or go to www.wiley.com/go/sybextestprep where you will activate the PIN code and sign up for an account or add your new book to an existing account.

Like all exams, the Exam SC-100: Microsoft Cybersecurity Architect is updated periodically and may eventually be retired or replaced. At some point after Microsoft is no longer offering this exam, the old editions of our books and online tools will be retired. If you have purchased this book after the exam was retired or are attempting to register in the Sybex online learning environment after the exam was retired, please know that we make no guarantees that this exam's online Sybex tools will be available once the exam is no longer available.

Conventions Used in This Book

This book uses certain typographic styles to help you quickly identify important information and to avoid confusion over the meaning of words such as on-screen prompts. In particular, look for the following styles:

A monospaced font indicates the contents of configuration files, messages displayed at a text-mode Linux shell prompt, filenames, text-mode command names, and Internet URLs.

In addition to these text conventions, which can apply to individual words or entire paragraphs, a few conventions highlight segments of text.

A tip provides information that can save you time or frustration and that may not be entirely obvious. A tip might describe how to get around a limitation or how to use a feature to perform an unusual task.

A note indicates information that's useful or interesting or provides additional relevant information that's somewhat peripheral to the main text.

Sidebars

A sidebar is like a note but longer. The information in a sidebar is useful, but it doesn't fit into the main flow of the text.

Using This Book

To get the most out of this book, all you need are an Azure subscription (paid) and a connection to the Internet, which is required to use and practice the online exercises for this book.

In addition to its web-based console, the Azure Portal is available for desktop, tablet, and mobile devices. JavaScript must be enabled on your browser to use the Azure Portal. Make sure you use the latest browser for your operating system.

There are detailed explanations of real-world examples and scenarios included in this book covering all SC-100 Cybersecurity Architect exam objectives. With this exam reference, IT security professionals will learn the critical thinking and decision-making skills they need to succeed at the Microsoft Certified Expert level.

While we have made every effort to ensure this book is as accurate as possible, Azure is constantly changing. In this book, some screenshots referring to the Azure Portal may look different from what you see on your monitor because the Azure Portal is different now than it was when the book was published. Additionally, minor interface changes, a name change, and so on, might have taken place as well.

As a Cybersecurity Architect, your responsibilities include designing and deploying Azure cybersecurity solutions. You're expected to maintain security, privacy, and compliance with cybersecurity solutions. This book will help you design, deploy and manage cybersecurity solutions using the Azure References Framework, architecture, security baselines, and best practices.

While this book covers all the topics found on the exam, you won't find every question that might appear in the real exam. We cannot cover specific questions because only Microsoft examination team members have access to exam questions, and Microsoft continuously adds new exam questions. So view this book as a complement to your related real-world experience and other study materials.

Technology Requirements

In addition to a paid Azure subscription and a connection to the Internet, the following are good to have for going through the book easily:

An Azure subscription (must have): You can sign up by visiting azure.microsoft.com.

PowerShell: Run $PSVersionTable.PSVersion to check which version of PowerShell you have installed. You must have PowerShell 7.0.6 LTS or PowerShell 7.1.3 or higher.

Azure PowerShell module: Download the latest PowerShell module for Azure Security modules. You will not have it all by default.

Azure PowerShell: To run PowerShell, a Windows 10 or 11 machine with 4 GB of RAM is sufficient.

SC-100 Exam Objectives

The structure of this book is based on Microsoft's published “Exam SC-100: Microsoft Cybersecurity Architect–Skills Measured” document (available at query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWVbXN).

SC-100 covers the following five major topic areas:

Subject Area | % of Exam
Design a Zero Trust strategy and architecture | 30%–35%
Evaluate Governance Risk Compliance (GRC) technical strategies and security operations strategies | 10%–15%
Design security for infrastructure | 10%–15%
Design a strategy for data and applications | 15%–20%
Recommend security best practices and priorities | 20%–15%

The book's nine chapters are mapped to each Azure skill measured. The following tables indicate where in the book the topics are covered.

Skill Measured: Design a Zero Trust Strategy and Architecture

Exam Objective | Chapter
Define and implement an overall security strategy and architecture | 1
Define a security operations strategy | 2
Define an identity security strategy | 3

Skill Measured: Evaluate Governance Risk Compliance (GRC) Technical Strategies and Security Operations Strategies

Exam Objective | Chapter
Design a regulatory compliance strategy | 4
Evaluate security posture and recommend technical strategies to manage risk | 5

Skill Measured: Design Security for Infrastructure

Exam Objective | Chapter
Define a strategy for securing server and client endpoints | 6
Define a strategy and requirements for securing PaaS, IaaS, and SaaS services | 7

Skill Measured: Design a Strategy for Data and Applications

Exam Objective | Chapter
Define a strategy and requirements for applications | 8
Define a strategy and requirements for securing data | 8

Skill Measured: Recommend Security Best Practices and Priorities

Exam Objective | Chapter
Recommend security best practices by using the Microsoft Cybersecurity Reference Architecture (MCRA) and Azure Security Benchmarks | 9
Recommend a secure methodology by using the Cloud Adoption Framework (CAF) | 9
Recommend a ransomware strategy by using Microsoft Security Best Practices | 9

Microsoft reserves the right to change exam domains and objectives without prior notice. The most up-to-date information can be found on the Microsoft website at query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWVbXN.

How to Contact the Publisher

If you believe you've found a mistake in this book, please bring it to our attention. At John Wiley & Sons, we understand how important it is to provide our customers with accurate content, but even with our best efforts an error may occur.

To submit your possible errata, please email it to our Customer Service Team at [email protected] with the subject line “Possible Book Errata Submission.”

Assessment Test

1. Who is responsible for designing, building, and maintaining the security functions of an organization's IT environment?

   A. Infrastructure architect
   B. Application architect
   C. Security analyst
   D. Cybersecurity Architect

2. Sybex wants a new security model that effectively adapts to the complexity of the modern environment; embraces the mobile workforce; and protects people, devices, applications, and data wherever they're located. Which of the following meets these requirements?

   A. Zero Trust
   B. DMZ firewall
   C. Internal firewall
   D. None of the above

3. The company wants to establish a secure communication tunnel between its remote offices. Which of the following technologies CANNOT be used?

   A. Site-to-site VPN
   B. Point-to-site VPN
   C. ExpressRoute
   D. Implicit FTP over SSL

4. Azure resource logs provide insight into operations that your resource performed using which integrated Azure service?

   A. Azure Monitor
   B. Graph API
   C. Network Watcher
   D. All of the above

5. True or False: The Azure Active Directory (Azure AD) activity logs do not include audit logs, which provide an overview of every logged event.

   A. True
   B. False

6. True or False: The Microsoft 365 admin center does not provide access to activity logs for Microsoft 365.

   A. True
   B. False

7. What measures might be implemented as part of a company's in-depth security methodology?

   A. Multifactor authentication for all users
   B. Domain username and password
   C. Anonymous login
   D. None of the above

8. A company is launching a new app for its end users. End users will use a sign-in screen customized with the company's brand identity. Which Azure external identity solution should the organization use?

   A. Azure AD B2B
   B. Azure AD B2C
   C. Azure AD hybrid identities
   D. None of the above

9. Your company has finished a full migration to the cloud and has purchased devices for all its end users. End users log into the device through a company account configured in Azure AD. Select the option that best describes how these devices are configured in Azure AD.

   A. Devices are connected to Azure AD.
   B. Devices are connected to On-Premises AD joined.
   C. Devices are connected to external cloud joined.
   D. None of the above.

10. A Sybex developer wants an application to connect Azure resources that support Azure AD authentication without incurring additional costs. What is the best way to describe the identity type of the application?

   A. Third-party identity
   B. Managed identity
   C. Hybrid identity
   D. None of the above

11. True or False: With single sign-on, a user logs in only once and can then access a wide array of applications or resources.

   A. True
   B. False

12. True or False: By enabling admins to understand and improve their compliance score, Microsoft Purview Compliance Manager helps organizations improve their compliance posture, stay compliant, mitigate data protection risks, implement controls, and stay current with regulations and certifications.

   A. True
   B. False

13. True or False: You can enforce your privacy requirements with Azure Policy, deeply integrated into Azure Resource Manager, which allows your organization to enforce policies across resources.

   A. True
   B. False

14. Customers can utilize various Microsoft options to secure data in transit internally within the Azure network and externally across the Internet; which of the following is valid?

   A. VPNs (encrypted with IPsec/IKE)
   B. TLS 1.2 or later (via Azure components such as Azure Front Door or Application Gateway)
   C. Using Windows IPsec or SMB directly on the Azure virtual machines and other protocols
   D. All of the above

15. True or False: Every customer should consider security when designing and implementing an Azure landing zone.

   A. True
   B. False

16. True or False: Through Microsoft Defender for Cloud, the Azure Security Benchmark OS baseline is available as Windows or Linux security recommendations.

   A. True
   B. False

17. Providing remote access to VMs, Azure offers different technologies. Which of the following are they? (Choose three.)

   A. Just in Time
   B. Azure Bastion
   C. VPN and Express Route
   D. Azure Resource Manager

18. Your company has deployed Microsoft 365 applications to all employees. Based on the shared responsibility model, who is responsible for these employees' accounts and identities?

   A. You
   B. Microsoft
   C. Another cloud service provider
   D. None of the above

19. True or False: Credentials do not need to access APIs, because container clusters cannot span several Azure regions.

   A. True
   B. False

20. Which Azure service is a cloud-native solution that improves, monitors, and maintains the security of clusters, containers, and their applications?

   A. Azure Monitor
   B. Azure Insights
   C. Microsoft Defender for Cloud
   D. Microsoft Defender for Containers

21. Defender for Containers protects your Kubernetes clusters while they are running in which of the following environments? (Choose three.)

   A. Azure Kubernetes Service
   B. Kubernetes on-premises/IaaS
   C. Amazon EKS
   D. Azure Insights

22. True or False: When you assign permissions through Azure RBAC to an Azure AD security principal, keep the principle of least privilege in mind.

   A. True
   B. False

23. Which tool allows software architects to identify and mitigate potential security issues early when they're relatively easy and cost-effective to resolve?

   A. OWASP
   B. STRIDE
   C. Microsoft Threat Modeling Tool
   D. All of the above

24. True or False: Consistently authenticate with identity services, preferably with cryptographic keys when available.

   A. True
   B. False

25. Which security mechanism would you use to ensure that employee data is encrypted?

   A. Data at rest
   B. Data in transit
   C. Data in motion
   D. All of the above

26. What is the best way to describe the concept of data sovereignty?

   A. Trust no one, verify everything.
   B. All data, especially personal data, must adhere to the laws and regulations of the country or region where they are stored, processed, or collected.
   C. Regulations governing data storage locations.
   D. None of the above.

27. True or False: As per Microsoft's recommendation for web applications, ensure that sensitive content is cached on the browser.

   A. True
   B. False

28. True or False: The Zero Trust rapid modernization plan (RaMP) is not included in the Microsoft Cybersecurity Reference Architecture (MCRA).

   A. True
   B. False

29. Your company has moved to the cloud. Which of the following responsibilities can transfer to the cloud provider?

   A. Physical hardware firmware updates
   B. Host virtualization solution
   C. Storage virtualization solution
   D. A and B

30. Your company needs responsive detection and remediation of common attacks on endpoints, emails, and identities; needs high-quality alerts; and wants to minimize friction and manual steps during response. Which of the Azure services should you adopt?

   A. Extended Detection and Response (XDR) tools like Microsoft 365 Defender
   B. Azure Monitor
   C. Azure Sentinel
   D. None of the above

Answers to Assessment Test

1. D. Cybersecurity Architects are responsible for designing, building, and maintaining the security functions of an organization's IT environment.

2. A. Today, organizations need a new security model that effectively adapts to the complexity of the modern environment, embraces the mobile workforce, and protects people, devices, applications, and data wherever they're located. This is offered by Zero Trust.

3. D. FTP over SSL can't be used to deploy a secure communication tunnel.

4. A. Azure resource logs provide insight into operations that your resource itself performed using integration with Azure Monitor.

5. B. Changes to applications, groups, users, and licenses are all reflected in the Azure Active Directory audit logs, which comprehensively report the logged events in Azure AD.

6. B. Microsoft 365 activity logs can be viewed only in the Microsoft 365 admin center, even though Microsoft 365 activity logs and Azure AD activity logs share many directory resources.

7. A. Multifactor authentication is an example of defense in depth at the identity and access layer.

8. B. Azure AD B2C is a customer authentication solution that you can customize with your brand identity.

9. A. An Azure AD joined device is joined to Azure AD through an organizational account, which is then used to sign into the device. Devices are generally owned by Azure AD, which joined the organization.

10. A. Managed identities are a kind of service principal instantly collected in Azure AD and eradicate the demand for developers to manage credentials.

11. A. Using single sign-on (SSO), users can access multiple applications using only one set of login credentials, such as a username and password.

12. A. A feature within the Microsoft Purview compliance portal, Microsoft Purview Compliance Manager enables your organization to manage its multi-cloud compliance requirements more conveniently and quickly. Using Compliance Manager, you can take inventory of your data protection risks, implement controls, stay current with regulations and certifications, and report to auditors throughout your compliance journey.

13. A. You can enforce your privacy requirements using Azure Policy. Azure Policy is deeply integrated into Azure Resource Manager, so your organization can enforce policies across all resources. By defining Azure Policy at the organizational level, you can prevent developers from allocating resources violating those policies.

14. D. Customers can utilize various Microsoft options such as VPN, TLS 1.2 or later, Windows IPsec, or SMB Azure VM (and much more) to secure data in transit internally within the Azure network and externally across the Internet.

15. True. Designing and deploying security controls and processes to protect your cloud environments is an essential factor.

16. A. Microsoft Defender for Cloud provides security recommendations for Linux and Windows servers based on the Azure Security Benchmark (ASB) OS baseline.

17. A, B, C. For remote access to VMs, Azure offers the following technologies: Azure Bastion, hybrid connectivity options including Azure ExpressRoute and VPNs, and just in time (JIT).

18. A. Using a shared responsibility model, the customer organization is responsible for their data, including employee, device, account, and identity information.

19. B. Credentials needed to access APIs and logins must be secured, such as passwords and tokens, because container clusters may span several Azure regions.

20. D. The Microsoft Defender for Containers cloud-native solution improves, monitors, and maintains the security of clusters, containers, and their applications.

21. A, B, C. Azure Kubernetes Service, Kubernetes on-premises/IaaS, and Amazon EKS protect your Kubernetes clusters.

22. True. In configuring your Azure Storage Account, Microsoft recommends considering the principle of least privilege when assigning permissions to an Azure AD security principal through Azure RBAC.

23. C. The Microsoft Threat Modeling Tool is critical to the Microsoft Security Development Lifecycle (SDL). It allows software architects to identify and mitigate potential security issues early in development.

24. A. Rather than starting from zero, organizations should use guidance and automation to secure cloud applications; one of the key recommendations is to always authenticate with identity services preferably with cryptographic keys when available.

25. A. An employee data security strategy could include encryption at rest.

26. B. Data sovereignty is closely related to data security, cloud computing, network, and technological sovereignty. Data sovereignty is the principle that data is subject to the laws and governance structures of the nation where they are collected.

27. B. Microsoft does not recommend caching sensitive content on the browser.

28. B. The Zero Trust rapid modernization plan is included in the Microsoft Cybersecurity Reference Architecture and outlines best practices that aid you to prioritize security modernization.

29. D. Cloud computing allows many responsibilities to be transferred to the cloud provider, including updating firmware and virtualization solutions.

30. A. Microsoft 365 Defender delivers comprehensive alerts and minimizes variance and manual steps during responsive detection and remediation of common attacks on endpoints, emails, and identities.

Chapter 1: Define and Implement an Overall Security Strategy and Architecture

 

THE MICROSOFT AZ-700 EXAM OBJECTIVES COVERED IN THIS CHAPTER INCLUDE:

Introduction to Cybersecurity

Getting started with Zero Trust

Identify the integration points in an architecture by using Microsoft Cybersecurity Reference Architecture (MCRA)

Translate business goals into security requirements

Translate security requirements into technical capabilities, including security services, security products, and security processes

Design security for a resiliency strategy

Integrate a hybrid or multi-tenant environment into a security strategy

Develop a technical governance strategy for security

 

In Chapter 1, we will focus on prerequisites for SC-100 preparation. You will read about the basics of cloud and cybersecurity. You will learn how to design and deploy an overall security strategy and architecture.

Microsoft Azure provides infrastructure as a service, platform as a service, and software as a service through its cloud computing service. Azure's cloud computing services include the ability to add virtual networks, storage, compute resources, database services, analytics reporting, security services, and many more. With Azure, you can access various operating systems, programming languages, frameworks, tools, databases, and devices. JavaScript, Python, .NET, PHP, Java, and Node.js apps can be built, along with back ends for iOS, Android, and Windows devices.

Microsoft Azure public cloud services support the same solutions that millions of developers and IT professionals already count on. Organizations rely on a public cloud service provider to protect their applications and data with the services and controls needed to manage the security of cloud-based assets when organizations build on or migrate IT assets to the cloud service. Organizations can meet their security requirements using Azure's secure infrastructure, designed to host millions of customers simultaneously.

By the end of this chapter, you will have read about the basics of cloud and cybersecurity and getting started with Zero Trust. You will learn about designing integration points in an architecture, designing security needs based on business goals, decoding security requirements against available Azure technical capabilities, designing security for a resiliency approach, identifying the security risks associated with hybrid and multi-tenant environments, and planning traffic filtering and segmentation of technical and governance strategies.

Basics of Cloud Computing

Let's get started with the basics of cloud computing and cybersecurity. Cloud computing delivers information technology (IT) resources over the Internet, on demand and on a pay-per-use basis. Rather than building and maintaining physical data centers, an organization can rent IT resources from a cloud service provider like Microsoft Azure and access technology services in real time as needed.

Despite cloud computing's profound impact on IT, real transformational opportunities are still to come. Cloud-first cultures have emerged in companies of all sizes in recent years, as more resources are dedicated to following a cloud-first strategy.

Compared with traditional on-premises IT, and depending on the cloud services an organization chooses, cloud computing helps lower IT costs, increases agility and time-to-value, and scales more efficiently and cheaply.

Cloud computing is defined by the National Institute of Standards and Technology (NIST) as follows:

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (for example, networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. (nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf)