Microsoft Cybersecurity Architect Exam Ref SC-100 - Dwayne Natwick - E-Book


Dwayne Natwick

Description

Microsoft Cybersecurity Architect Exam Ref SC-100 is a comprehensive guide that will help cybersecurity professionals design and evaluate the cybersecurity architecture of Microsoft cloud services. Complete with hands-on tutorials, projects, and self-assessment questions, you’ll have everything you need to pass the SC-100 exam.
This book will take you through designing a strategy for a cybersecurity architecture and evaluating the governance, risk, and compliance (GRC) of the architecture. This will include cloud-only and hybrid infrastructures, where you’ll learn how to protect using the principles of zero trust, along with evaluating security operations and the overall security posture. To make sure that you are able to take the SC-100 exam with confidence, the last chapter of this book will let you test your knowledge with a mock exam and practice questions.
By the end of this book, you’ll have the knowledge you need to plan, design, and evaluate cybersecurity for Microsoft cloud and hybrid infrastructures, and pass the SC-100 exam with flying colors.

The e-book can be read in the Legimi apps or in any app that supports the following formats:

EPUB
MOBI

Pages: 336

Year of publication: 2023




Microsoft Cybersecurity Architect Exam Ref SC-100

Get certified with ease while learning how to develop highly effective cybersecurity strategies

Dwayne Natwick

BIRMINGHAM—MUMBAI

Microsoft Cybersecurity Architect Exam Ref SC-100

Copyright © 2023 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Associate Group Product Manager: Mohd Riyan Khan

Publishing Product Manager: Mohd Riyan Khan

Senior Editor: Divya Vijayan

Technical Editor: Rajat Sharma

Copy Editor: Safis Editing

Project Coordinator: Ashwin Kharwa

Proofreader: Safis Editing

Indexer: Tejal Daruwale Soni

Production Designer: Shankar Kalbhor

Marketing Coordinator: Marylou De Mello and Ankita Bhonsle

First published: January 2023

Production reference: 1091222

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

ISBN 978-1-80324-239-2

www.packt.com

To my wife, Kristy; thank you for always being there and supporting me. You are the love of my life and my best friend. To my children, Austin, Jenna, and Aidan; even with my career accomplishments, you are what makes me the proudest. You are all growing up to be such amazing people with kind hearts.

All four of you are my world and I could not make this journey without you. All my love and support for everything that you do.

– Dwayne Natwick

Foreword

OK. Here’s the deal.

Security is probably the most important topic of the last 5 years. Not only has a multi-billion-dollar industry been birthed from it, but more and more industry professionals have all but forsaken their first love to take part in it. Those stalwarts of IT that swore they would retire doing that thing they did for 30 years and gave everything else the stink-eye, they’re now participating in security. And many of them have given over completely to the life of a security professional.

Why? Security is that important.

And, even beyond that, ensuring that users, their computing habits, and their devices are maintained and secure is the lifeblood of business. Business ceases to function during an outage. In the old days, that outage was considered a stoppage in the internet or a facility failure of some fashion. But today that outage can also relate to the inability to do business during an active cyber threat due to quarantine until the successful intrusion is remediated.

As soon as we put our first foot on the floor every morning, as we prepare for the day ahead, we are continually reminded of what that day will look like. Security is a moving target. So, while the day’s activities and responses may change, we can be sure that it will contain at least a modicum of reaction to the head-shaking habits and patterns of users under our purview. But we know that we can, through due diligence and active adherence to proper policies, minimize our reactive response to surprise.

SC-100 is a role-based exam for the Microsoft Cybersecurity Architect. This book is a testament to preparation. Not only will it allow a deeper understanding of common risks, but it will also provide a better approach to governing business assets, including architecture, data, applications, access management, identity, and infrastructure.

I’ve known Dwayne long enough to know he is the perfect author for this book, and I know you will thoroughly enjoy it. Not only will you get the information needed to pass the SC-100 exam, but if you take the time to retain and employ the learning, you are on your way to minimizing those daily headaches that can sometimes turn into multi-day migraines. And frankly, there’s no better security path today than one that is focused on the Microsoft platform.

Rod Trent

Security Cloud Advocate

Microsoft

Contributors

About the author

Dwayne Natwick is the Global Principal Cloud Security Lead at Atos, a multi-cloud GSI. He has been working in IT, security design, and architecture for over 30 years. His love of teaching led him to become a Microsoft Certified Trainer (MCT) Regional Lead and a Microsoft Most Valuable Professional (MVP).

Dwayne has a master’s degree in Business IT from Walsh College, the CISSP and CCSP certifications from ISC2, and 18 Microsoft certifications, including Identity and Access Administrator, Azure Security Engineer, and Microsoft 365 Security Administrator. Dwayne can be found providing and sharing information on social media, at industry conferences, on his blog site, and on his YouTube channel.

Originally from Maryland, Dwayne currently resides in Michigan with his wife and three children.

About the reviewers

Dan Gora is currently a Lead Cloud Security Architect at Cloudreach, an Atos company. He has over a decade of experience in cybersecurity consulting. He has a broad set of experience in guiding highly regulated industries in securing their cloud transformation journey, adopting approaches such as DevSecOps and Zero Trust.

Dan is also involved in open source communities, where he is an OWASP City Chapter Lead and contributor to the Cloud Security Alliance. Dan has a master’s degree in Secure Software Engineering and certifications including CISSP and CSSLP from ISC2, CCSK from CSA, as well as multiple Microsoft and AWS certifications.

Originally from Germany, Dan currently resides in Edinburgh, Scotland, with his partner.

Frank Grimberg has over 35 years of experience in delivering information systems solutions. His expertise spans cybersecurity, Azure, and web application development. His current focus is on providing CISO, cybersecurity architect, and Digital Forensics Incident Response (DFIR) services. He is the author of the Microsoft Official Technical curriculum for the SC-200 Microsoft Security Operations Analyst Learn content. His industry certifications include GIAC Certified Forensic Analyst (GCFA) and Offensive Security Certified Professional (OSCP). His Microsoft certifications include Cybersecurity Architect, Azure Solutions Architect, Azure Security Engineer, Security Operations Analyst, Identity and Access Administrator, and Microsoft Certified Trainer.

Table of Contents

Preface

Part 1: The Evolution of Cybersecurity in the Cloud

1

Cybersecurity in the Cloud

What is cybersecurity?

Evolution of cybersecurity from on-premises to the cloud

Defense-in-depth security strategy

Building a defense-in-depth security posture

Shared responsibility in cloud security

Cybersecurity architecture use cases

Security operations

Understanding the stages of a cyber attack

Understanding the scope of cybersecurity in the cloud

Shared responsibility scope

Principles of the zero-trust methodology

Common threats and attacks

Internal threats

External threats

Summary

Part 2: Designing a Zero-Trust Strategy and Architecture

2

Building an Overall Security Strategy and Architecture

Identifying the integration points in an architecture by using the Microsoft Cybersecurity Reference Architecture

How are the MCRA used?

What are the components of the MCRA?

Translating business goals into security requirements

Threat analysis

Translating security requirements into technical capabilities

Physical

Identity and access

Perimeter security

Network security

Compute

Applications

Data

Designing security for a resiliency strategy

Integrating a hybrid or multi-tenant environment into a security strategy

Developing a technical and governance strategy for traffic filtering and segmentation

Summary

3

Designing a Security Operations Strategy

Designing a logging and auditing strategy to support security operations

Security operations overview

Microsoft security operations tools

Logging and auditing for threat and vulnerability detection

Developing security operations to support a hybrid or multi-cloud environment

Designing a strategy for SIEM and SOAR

Evaluating security workflows

Security strategies for incident management and response

Security workflows

Evaluating a security operations strategy for the incident management life cycle

Evaluating a security operations strategy for sharing technical threat intelligence

Summary

4

Designing an Identity Security Strategy

Zero Trust for identity and access management

Designing a strategy for access to cloud resources

Recommending an identity store

Azure AD tenant synchronization with SCIM

B2B

B2C

Recommending an authentication and authorization strategy

Hybrid identity infrastructure

Secure authorization methods

Designing a strategy for CA

Designing a strategy for role assignment and delegation

Designing a security strategy for privileged role access

Azure AD PIM

Designing a security strategy for privileged activities

Privileged access reviews

Entitlement management (aka permission management)

Cloud tenant administration

Case study – designing a Zero Trust architecture

Summary

Part 3: Evaluating Governance, Risk, and Compliance (GRC) Technical Strategies and Security Operations Strategies

5

Designing a Regulatory Compliance Strategy

Interpreting compliance requirements and translating them into specific technical capabilities

Evaluating infrastructure compliance by using Microsoft Defender for Cloud

Interpreting compliance scores and recommending actions to resolve issues or improve security

Designing the implementation of Azure Policy

Designing for data residency requirements

Translating privacy requirements into requirements for security solutions

Case study – designing for regulatory compliance

Summary

6

Evaluating the Security Posture and Recommending Technical Strategies to Manage Risk

Evaluating the security posture by using benchmarks

Evaluating the security posture by using Microsoft Defender for Cloud

Evaluating the security posture by using Secure Scores

Evaluating the security posture of cloud workloads

Designing security for an Azure Landing Zone

Interpreting technical threat intelligence and recommending risk mitigations

Recommending security capabilities or controls to mitigate identified risks

Case study – evaluating the security posture

Summary

Part 4: Designing Security for Infrastructure

7

Designing a Strategy for Securing Server and Client Endpoints

Planning and implementing a security strategy across teams

Specifying security baselines for server and client endpoints

Specifying security requirements for servers, including multiple platforms and operating systems

Specifying security requirements for mobile devices and clients, including endpoint protection, hardening, and configuration

Specifying requirements to secure AD DS

Designing a strategy to manage secrets, keys, and certificates

Designing a strategy for secure remote access

Understanding security operations frameworks, processes, and procedures

Case study – designing a secure architecture for endpoints

Summary

8

Designing a Strategy for Securing SaaS, PaaS, and IaaS

Specifying security baselines for SaaS, PaaS, and IaaS services

Security baselines for SaaS

Security baselines for IaaS

Security baselines for PaaS

Specifying security requirements for IoT workloads

Specifying security requirements for data workloads, including SQL, Azure SQL Database, Azure Synapse, and Azure Cosmos DB

Specifying security requirements for storage workloads, including Azure Storage

Specifying security requirements for web workloads, including Azure App Service

Specifying security requirements for containers

Specifying security requirements for container orchestration

Case study – security requirements for IaaS, PaaS, and SaaS

Summary

Part 5: Designing a Strategy for Data and Applications

9

Specifying Security Requirements for Applications

Specifying priorities for mitigating threats to applications

Identity and secrets handling and use

Segmentation and configuration

Static and dynamic testing

Data handling and access

Security posture management and workload protection

Specifying a security standard for onboarding a new application

Specifying a security strategy for applications and APIs

Case study – security requirements for applications

Summary

10

Designing a Strategy for Securing Data

Specifying priorities for mitigating threats to data

Managing the risk to data

Ransomware protection and recovery

Designing a strategy to identify and protect sensitive data

Specifying an encryption standard for data at rest and in motion

Encryption at rest

Encryption in transit

Identity and secrets handling and use

Case study – designing a strategy to secure data

Summary

11

Case Study Responses and Final Assessment/Mock Exam

Case study sample responses

Chapter 4 – designing a zero-trust architecture

Chapter 5 – designing for regulatory compliance

Chapter 6 – evaluating the security posture

Chapter 7 – designing a secure architecture for endpoints

Chapter 8 – security requirements for IaaS, PaaS, and SaaS

Chapter 9 – security requirements for applications

Chapter 10 – designing a strategy to secure data

Mock exam practice questions

Questions

Mock exam answers and chapter reference

Summary

Appendix: Preparing for Your Microsoft Exam

Technical requirements

Preparing for a Microsoft exam

Resources to prepare for the exam

Access to a subscription

Where to take the exam

Exam format

Resources available and accessing Microsoft Learn

Accessing Microsoft Learn

Finding content on Microsoft Learn

Exam pages on Microsoft Learn

Creating a Microsoft 365 trial subscription

Office 365 or Microsoft 365 trial subscription

Enterprise Mobility + Security subscription

Setting up a free month of Azure services

Exam objectives

Who should take the SC-100 exam?

Summary

Index

Other Books You May Enjoy

Preface

This book will prepare cybersecurity professionals for the SC-100 exam while also giving them a strong foundation that will help them put their knowledge to work and implement the strategies they learn. A mixture of theoretical and practical knowledge, as well as practice questions and a mock exam, will ensure that you will breeze through the exam.

Who this book is for

This book is for a wide variety of cybersecurity professionals – from security engineers and cybersecurity architects to Microsoft 365 administrators, user and identity administrators, infrastructure administrators, cloud security engineers, and other IT professionals preparing to take the SC-100. It’s also a good resource for those designing cybersecurity architecture without preparing for the exam. To get started, you’ll need a solid understanding of the fundamental services within Microsoft 365 and Azure, along with security, compliance, and identity capabilities in Microsoft and hybrid architectures.

What this book covers

Chapter 1, Cybersecurity in the Cloud, provides an overview of what cybersecurity is and why it is important. This chapter also discusses the evolution of cybersecurity and cyber attacks as cloud technologies have become more prevalent.

Chapter 2, Building an Overall Security Strategy and Architecture, focuses on the design and architecture of an overall security strategy. This includes the utilization of the Microsoft Cybersecurity Reference Architectures (MCRA) and how to align security requirements with business goals and objectives.

Chapter 3, Designing a Security Operations Strategy, discusses how to design and architect a security operations strategy.

Chapter 4, Designing an Identity Security Strategy, discusses how to design an identity security strategy for cloud-native, hybrid, and multi-cloud identity and access management infrastructures.

Chapter 5, Designing a Regulatory Compliance Strategy, discusses the planning and design of a regulatory compliance strategy.

Chapter 6, Evaluating the Security Posture and Recommending Technical Strategies to Manage Risk, discusses how to evaluate security posture and recommends technical strategies to manage and reduce risk.

Chapter 7, Designing a Strategy for Securing Server and Client Endpoints, focuses on designing a strategy for securing servers and client endpoints.

Chapter 8, Designing a Strategy for Securing SaaS, PaaS, and IaaS, discusses how to design security strategies for SaaS, PaaS, and IaaS infrastructures.

Chapter 9, Specifying Security Requirements for Applications, discusses specifying security requirements for applications.

Chapter 10, Designing a Strategy for Securing Data, discusses designing a strategy for securing data and mitigating threats.

Chapter 11, Case Study Responses and Final Assessment/Mock Exam, provides possible responses to the case studies and sample questions that can be used to test your knowledge and understanding of the content from this book.

Appendix: Preparing for Your Microsoft Exam, provides guidance on getting prepared for a Microsoft exam along with resources that can assist in your learning plan. This includes helpful links along with steps on how to gain access to a trial Microsoft 365 subscription for hands-on practice.

To get the most out of this book

Before you start, please review the Appendix, Preparing for Your Microsoft Exam.

Download the color images

We also provide a PDF file that has color images of the screenshots and diagrams used in this book. You can download it here: https://packt.link/U8ZhW.

Conventions used

There are a number of text conventions used throughout this book.

Bold: Indicates a new term, an important word, or words that you see onscreen. For instance, words in menus or dialog boxes appear in bold. Here is an example: “Select System info from the Administration panel.”

Tips or important notes

Appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Share Your Thoughts

Once you’ve read Microsoft Cybersecurity Architect Exam Ref SC-100, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.

Download a free PDF copy of this book

Thanks for purchasing this book!

Do you like to read on the go but are unable to carry your print books everywhere?
Is your eBook purchase not compatible with the device of your choice?

Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.

Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.

The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily.

Follow these simple steps to get the benefits:

Scan the QR code or visit the link below

https://packt.link/free-ebook/9781803242392

Submit your proof of purchase

That’s it! We’ll send your free PDF and other benefits to your email directly.

Part 1: The Evolution of Cybersecurity in the Cloud

This part gives an overview of the evolution of cybersecurity in the cloud, including what cybersecurity is and why it is important.

This part has the following chapter:

Chapter 1, Cybersecurity in the Cloud

1

Cybersecurity in the Cloud

This chapter will provide an overview of what cybersecurity is and why it is important. This chapter will also discuss the evolution of cybersecurity and cyber attacks as cloud technologies have become more prevalent. Once you have completed this chapter, you will have an understanding of what is meant by cybersecurity and how it has changed as we have moved our workloads from on-premises data centers to the cloud.

In this chapter, we are going to cover the following main topics:

What is cybersecurity?

The evolution of cybersecurity from on-premises to the cloud

Cybersecurity architecture use cases

Understanding the scope of cybersecurity in the cloud

What is cybersecurity?

To be able to understand the role of the cybersecurity architect, you should first understand what is meant by the term cybersecurity. The term is used in many different contexts within security, compliance, and identity. To set a base level of understanding for this book, we will use the definitions provided by NIST, the National Institute of Standards and Technology.

According to NIST, there are multiple definitions for the term cybersecurity; the first part of the NIST definition is “the prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.”

The next part of the NIST definition is “the process of protecting information by preventing, detecting, and responding to attacks.”

They also define cybersecurity for the protection of federal agencies as the ability to protect or defend the use of cyberspace from cyber attacks.

Finally, cybersecurity is also defined as “the prevention of damage to, unauthorized use of, exploitation of, and – if needed – the restoration of electronic information and communications systems and the information they contain, in order to strengthen the confidentiality, integrity, and availability of these systems.”

These are just four areas and approaches that can be taken when it comes to cybersecurity. Overall, the underlying factor is that you must take the steps to provide assurance for maintaining the confidentiality, integrity, and availability of your data and systems. One example of this is a cybersecurity architect exercising proper due care and due diligence when analyzing and assessing the risks and the controls that are in place. Relevant systems consist of the infrastructure, applications, databases and storage, and solutions that your company uses for processing and delivering information to users.

Further information can be found at this link: https://csrc.nist.gov/glossary/term/cybersecurity

At this link, you will find the definition of cybersecurity and the various approaches that can be taken toward it. In the next section, you will learn more about how the role of cybersecurity has changed from an on-premises to a cloud network and infrastructure.

Evolution of cybersecurity from on-premises to the cloud

When protecting an on-premises data center and infrastructure, a cybersecurity architect designs many of the controls to protect physical assets and keep bad actors from entering at either physical data center entry points or internet service provider (ISP) network entry points. Traditionally, these protections would have been a combination of physical security appliances, such as firewalls for packet inspection, and protection against attacks through endpoint devices by only allowing access to the data center over SSL VPN-encrypted connections. These devices were managed by the company and given antivirus and anti-malware software to mitigate potential attacks.

As companies move to more cloud-native applications, such as Microsoft 365, and build infrastructure on cloud providers, such as Microsoft Azure, their security responsibility shifts away from physical to virtual environments. This creates new vulnerabilities that the company must identify, and new threats for which it must plan mitigations. The following sections will discuss how a cybersecurity architect should begin to plan for protection and controls within a cloud and hybrid infrastructure.

Defense-in-depth security strategy

When protecting the cloud and hybrid infrastructure, there are many aspects that need to be considered. As you go through the various solutions offered within Microsoft 365 and Azure, these methodologies and principles play a key role in the process of protecting resources, identity, and data. One of the primary strategies for protecting your company is through defense in depth. Having a strong defense-in-depth security posture addresses the areas of the cybersecurity kill chain. The next section will discuss the concept of building a defense-in-depth security posture.

Building a defense-in-depth security posture

In order to protect your company from cyber attacks, you should have controls in place that address the stages of cyber attacks and that maintain a defense-in-depth security posture. When planning for the security of information technology resources, protecting one aspect is not enough; every aspect of the infrastructure should have security controls in place to protect at all levels. Controls are the services or solutions that we have in place to properly secure and protect the resources at that level of defense.

Each of these levels of defense is important since attackers look for various entry points into a company network. The levels of defense in depth are shown in Figure 1.1.

Figure 1.1 – Defense-in-depth security

Now that you know why defense in depth is important, let’s discuss each of these areas and provide an example of a control that can be used for protecting resources.

Physical

The physical level of defense includes the actual hardware technology and spans the entire data center facility. This includes the compute, storage, and networking components, rack spaces, power, internet, and cooling. It also includes the room that the equipment is housed in, the building location and its surroundings, and the processes that are in place for the guards, physical security staff, or guests that access these locations.

Protecting the physical level of defense in depth encompasses how we create redundancy and resiliency in the previously mentioned systems, and how we record and audit who accesses the building and systems. This could include gated fences, guard stations, video surveillance, logging visitors, and background checks. These physical controls should be in place for any company that utilizes its own private data center.

When utilizing Microsoft cloud services, the physical controls are Microsoft’s responsibility. We will discuss shared responsibility for cloud security in the next section.

Identity and access

Since the provider is responsible for the physical controls within cloud services, identity and access become the first line of defense that a customer can configure and protect against threats. This is why statements such as “Identity is the new control plane” or “Identity is the new perimeter” have become popular when discussing cloud security. Even if your company maintains a private data center for the primary business applications, there is still a good chance that you are consuming a cloud application that uses your company identity. For this reason, having the proper controls in place, such as multi-factor authentication (MFA), conditional access policies, and Azure AD Identity Protection, will help to decrease vulnerabilities and recognize potential threats before a widespread attack can take place.

Perimeter security

Within a private data center, where the company controls the internet provider connection terminations and has their firewall appliances, intrusion detection and protection solutions, and DDoS protection in place and fully configured, the protection of the perimeter is a straightforward architecture.

When working within cloud providers, perimeter security takes on a different focus. The cloud providers have agreements with the internet providers that provide services to their data centers and these providers terminate these connections with their hardware. The company perimeter security then becomes more of a virtual perimeter to their tenant, rather than a physical perimeter to the data center network facilities. The company now relies on the provider’s ability to protect against DDoS attacks at the internet perimeter.

Within Microsoft, DDoS protection is a free service, since Microsoft wants to avoid a DDoS attack that would bring down a large number of their customers in a data center. For additional perimeter protection, the company can implement virtual firewall appliances to protect the tenant perimeter, to block port and packet level attacks, and additional solutions, such as Application Gateway, with a web application firewall (WAF) to protect from application layer attacks.

Network security

The perimeter and network security layers work closely together. Both focus on the network traffic aspect of the company infrastructure. Where perimeter security handles the internet traffic that is entering the tenant, or data center, network security solutions protect how and where that traffic can be routed once it passes through the perimeter. Once an attacker can gain access to a system on the network, they will want to find ways to move laterally within the network infrastructure. Having proper IP address and network segmentation on the network can protect against this lateral movement taking place.

On a private data center network, this can be accomplished at the switch ports with virtual local area networks (VLANs) configured to block traffic between network segments. In a cloud provider infrastructure, virtual networks (VNets) can accomplish similar network segmentation. In an Azure infrastructure, network security groups and application security groups can also be configured on network interfaces with additional port, IP address, or application layer rules for how traffic can be routed within the network.

Compute

After network security, we begin to get into the resources that hold our data. The first of these is our compute resources. In order to maintain clarity, we will generalize the compute layer as the devices with an operating system, such as Linux or Windows. Compute resources also include platform-based services where the compute layer is managed by the cloud provider, such as Azure App Service, Azure Functions, or containers. Within your own private data center with equipment that you own, protecting the host equipment and avoiding exposure by hardening the hypervisor is necessary. In the public cloud, Microsoft or another cloud provider will be responsible for this. Our responsibility for virtual machines is to keep the operating system properly patched with security updates, so that known vulnerabilities in the operating system cannot be exploited. In addition, encrypting virtual machine operating systems and disks with Azure Disk Encryption will protect the image from being exposed.

A common attack at the compute layer is scanning for and gaining access to management ports on devices. Not exposing these ports, 3389 for Windows Remote Desktop Protocol (RDP) and 22 for Linux Secure Shell (SSH), to the internet will provide a layer of protection against these attacks. Within Microsoft Azure, this can be accomplished with network security group rules, removing public IP addresses from virtual machines, bastion hosts, and/or utilizing just-in-time virtual machine access. Many of these security options will be discussed in Chapter 7, Designing a Strategy for Securing Server and Client Endpoints.
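As an added example (not code from the book or from Microsoft), the following check evaluates a set of network security group rules the way Azure does, lowest priority number first with the first match winning, and reports whether RDP or SSH is reachable from the internet. The rule dictionaries use the property names of Azure NSG security rules as returned by the ARM API and `az network nsg rule list`; the rules themselves are constructed for this example and do not come from any real tenant.

```python
"""Posture check for internet-exposed management ports in NSG rules.

Rule dictionaries use Azure NSG securityRules property names (name, priority,
direction, access, protocol, sourceAddressPrefix/sourceAddressPrefixes,
destinationPortRange/destinationPortRanges). SAMPLE_RULES is constructed for
this example and is not taken from a real tenant.
"""
from typing import Iterable

MANAGEMENT_PORTS = {3389: "RDP", 22: "SSH"}
# Source prefixes that admit traffic from anywhere on the internet. A rule scoped
# to a specific CIDR is deliberately not treated as internet exposure here.
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0", "any"}


def _values(rule: dict, single: str, plural: str) -> list[str]:
    """Azure stores one value under `single` and lists under `plural`; merge both."""
    vals = list(rule.get(plural) or [])
    if rule.get(single):
        vals.append(rule[single])
    return vals


def _port_in_range(spec: str, port: int) -> bool:
    """Match a destination port spec ('*', '22', '3000-4000') against one port."""
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return low <= port <= high
    return int(spec) == port


def effective_inbound_access(rules: Iterable[dict], port: int) -> tuple[str, str]:
    """Decide whether TCP traffic from the internet to `port` is allowed.

    Mirrors NSG evaluation: inbound rules are checked in ascending priority and
    the first matching rule wins. If nothing matches, Azure's built-in
    DenyAllInBound rule applies. Returns (access, matching rule name).
    """
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule.get("direction", "Inbound").lower() != "inbound":
            continue
        if rule.get("protocol", "*").lower() not in ("*", "tcp"):
            continue
        sources = {s.lower() for s in _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")}
        if not sources & INTERNET_SOURCES:
            continue
        ports = _values(rule, "destinationPortRange", "destinationPortRanges")
        if not any(_port_in_range(p, port) for p in ports):
            continue
        return rule["access"], rule["name"]
    return "Deny", "DenyAllInBound"


def exposed_management_ports(rules: Iterable[dict]) -> dict[int, str]:
    """Return {port: rule name} for management ports reachable from the internet."""
    rules = list(rules)
    exposed = {}
    for port in MANAGEMENT_PORTS:
        access, name = effective_inbound_access(rules, port)
        if access.lower() == "allow":
            exposed[port] = name
    return exposed


# Constructed sample rule set (hypothetical names and addresses).
SAMPLE_RULES = [
    {"name": "AllowRDPFromCorp", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "3389"},
    {"name": "AllowSSHAnywhere", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "DenyRDPInternet", "priority": 300, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    {"name": "AllowHTTPS", "priority": 400, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    # Broad range that would cover 3389, but the lower-priority deny above wins.
    {"name": "AllowMgmtRange", "priority": 500, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRanges": ["3000-4000"]},
]

if __name__ == "__main__":
    for port, name in exposed_management_ports(SAMPLE_RULES).items():
        print(f"{MANAGEMENT_PORTS[port]} ({port}) is open to the internet via rule {name}")
```

With the sample rules, only SSH is reported: the RDP deny at priority 300 shadows the broad port range at priority 500, which is exactly the ordering question a reviewer has to answer before trusting a rule set. In a real tenant the same function can be fed the JSON that `az network nsg rule list -o json` returns.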

Applications

The layer of defense that is closest to our data is our applications. Applications present data to users through our internet websites, intranet sites, and the line-of-business applications that are used to perform our day-to-day business. A cybersecurity architect will determine how to protect applications against common threats, such as cross-site scripting on our websites. To protect against these common threats, a WAF can be used to properly evaluate the traffic accessing our applications. Using Transport Layer Security (TLS) to encrypt traffic can also help to avoid the exposure of sensitive data to unauthorized individuals.

Prior to an application being moved to production, it should be properly tested to make sure that there are no open management ports and that all API connections are also secured.

If the application references connections to databases and storage accounts, the secrets and keys should not be exposed and a key management solution, such as Azure Key Vault, should be in place for the proper rotation of secrets, keys, and certificates. Properly securing these areas of our applications will assist in avoiding exposure of sensitive data to those that are not authorized.

Data

Always at the center of our defense-in-depth security posture is our data. Data is the primary asset of our company. This includes the business and financial data that is necessary for the company’s survival and the personal information of our employees and customers. Exposure or theft of this information would have potentially catastrophic effects on the company’s ability to continue. These effects could be reputational and involve financial loss.

As a security professional, one must protect data from intentional and accidental exposure to those that are not authorized to view it. Data resides in various areas within our technology infrastructure. Data can be found primarily in different storage accounts, such as blob containers or file shares, and within relational and non-relational databases. The common practice for protecting data in these locations is encryption.

Encryption makes data unreadable to those that are not properly authenticated and authorized to view it. Encryption can be used in different ways with data. First, there is encrypting data at rest, which is when it is stored and not being accessed. Next, there is encryption in transit, or while it is being delivered from where it is stored to the person requesting access. Finally, there is encryption in use, which maintains the encryption of the data within the application throughout the time that it is being viewed. This is the most complex of the three types of data encryption since it requires the application to have the capability of presenting the encrypted data. Microsoft provides options for these encryption types that will be discussed later in this book.

Encrypting our data in our storage accounts and databases decreases the potential of this data being exposed to those that are not authorized. Additionally, requiring verification through authentication and authorization maintains the protection of data. This includes avoiding anonymous access to storage accounts and masking sensitive data within our databases. The most important aspect of protecting our data is knowing where our sensitive data is located and planning proper steps to avoid it being exposed to the unauthorized. Bringing together the protection of data within the entire defense-in-depth strategy provides us with an effective way to protect against vulnerabilities and threats.
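As an added example (not code from the book or from Microsoft), the audit below checks an Azure Storage account definition for the data-layer controls just described: encryption at rest, TLS for encryption in transit, and no anonymous access, alongside a function that returns the corrected settings. The property names are those of the ARM resource type `Microsoft.Storage/storageAccounts` (`allowBlobPublicAccess`, `supportsHttpsTrafficOnly`, `minimumTlsVersion`, `allowSharedKeyAccess`, `networkAcls.defaultAction`, `encryption.services`); the weak account document is constructed for this example.

```python
"""Posture audit for an Azure Storage account resource document.

Property names follow the ARM resource Microsoft.Storage/storageAccounts.
WEAK_ACCOUNT is a constructed example, not a real account. Unspecified
properties are treated as their permissive value so that omissions surface.
"""
import copy

# Azure Storage accepts these minimumTlsVersion values; higher is stronger.
TLS_ORDER = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2}


def audit_storage_account(props: dict) -> list[str]:
    """Return a list of findings, each prefixed with the control area it belongs to."""
    findings = []

    # Encryption at rest: Azure reports service encryption as enabled by default,
    # so only an explicit false is worth flagging here.
    services = props.get("encryption", {}).get("services", {})
    for svc in ("blob", "file"):
        if services.get(svc, {}).get("enabled") is False:
            findings.append(f"at-rest: encryption reported disabled for {svc}")

    # Encryption in transit: require HTTPS and a modern TLS floor.
    if not props.get("supportsHttpsTrafficOnly", False):
        findings.append("in-transit: plain HTTP accepted (supportsHttpsTrafficOnly=false)")
    tls = props.get("minimumTlsVersion", "TLS1_0")
    if TLS_ORDER.get(tls, 0) < TLS_ORDER["TLS1_2"]:
        findings.append(f"in-transit: minimumTlsVersion={tls} is below TLS1_2")

    # Authentication and authorization: no anonymous reads, prefer identity over keys.
    if props.get("allowBlobPublicAccess", True):
        findings.append("access: anonymous blob access permitted (allowBlobPublicAccess=true)")
    if props.get("allowSharedKeyAccess", True):
        findings.append("access: account-key authentication permitted (allowSharedKeyAccess=true)")

    # Network reachability of the storage endpoint itself.
    if props.get("networkAcls", {}).get("defaultAction", "Allow") != "Deny":
        findings.append("network: networkAcls.defaultAction=Allow exposes the endpoint to all networks")
    return findings


def harden(props: dict) -> dict:
    """Return a copy of the document with every weak setting above corrected."""
    fixed = copy.deepcopy(props)
    fixed["supportsHttpsTrafficOnly"] = True
    fixed["minimumTlsVersion"] = "TLS1_2"
    fixed["allowBlobPublicAccess"] = False
    fixed["allowSharedKeyAccess"] = False
    fixed.setdefault("networkAcls", {})["defaultAction"] = "Deny"
    services = fixed.setdefault("encryption", {}).setdefault("services", {})
    for svc in ("blob", "file"):
        services.setdefault(svc, {})["enabled"] = True
    return fixed


# Constructed weak configuration (hypothetical account name).
WEAK_ACCOUNT = {
    "name": "stexampleweak",
    "allowBlobPublicAccess": True,
    "supportsHttpsTrafficOnly": False,
    "minimumTlsVersion": "TLS1_0",
    "allowSharedKeyAccess": True,
    "networkAcls": {"defaultAction": "Allow"},
    "encryption": {
        "keySource": "Microsoft.Storage",
        "services": {"blob": {"enabled": True}, "file": {"enabled": True}},
    },
}

if __name__ == "__main__":
    for finding in audit_storage_account(WEAK_ACCOUNT):
        print("FINDING:", finding)
    print("after hardening:", audit_storage_account(harden(WEAK_ACCOUNT)))
```

The audit reports the five weak settings in the constructed account and nothing for the hardened copy. Treating a missing property as permissive is a deliberate choice: an exported template that omits `minimumTlsVersion` should be questioned, not silently passed.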

Maintaining a proper security posture across all of the defense-in-depth layers is the best way to protect our company from loss or exposure across the stages of a cyber attack. These stages will be further discussed later in this chapter. As security professionals, it is important that we take ownership of the planning, execution, monitoring, and management of all of these layers and work with other stakeholders at each of these layers to maintain the overall security posture for the company.

Special considerations need to be accounted for within this security posture when utilizing public cloud services. In the next section, we will discuss how this shared responsibility for cloud services requires possible adjustments to our defense-in-depth security approach.

Shared responsibility in cloud security

As technology has evolved and more resources have a level of exposure to external internet connections, the attack surface that is potentially vulnerable also increases. We must understand this and know where our responsibilities lie for each of the areas within our defense-in-depth security approach.

Shared responsibility is the relationship between the customer and the cloud provider at each of the layers of defense in depth. This relationship differs depending on the technology that is being consumed.

Shared responsibility focuses on who has the ownership to interact at a specific level of protection. This may be physical ownership of equipment or administrative ownership for enabling various controls. The level of ownership between the company using the service and the cloud provider changes depending on the type of service that is being consumed by the company.

Table 1.1 shows shared responsibility for customers and Microsoft within the various cloud and on-premises services.

| Responsibility | On-Premises | IaaS | PaaS | SaaS |
| --- | --- | --- | --- | --- |
| Data governance and rights management | Customer | Customer | Customer | Customer |
| Client endpoints | Customer | Customer | Customer | Customer |
| Account and access management | Customer | Customer | Customer | Customer |
| Identity and directory infrastructure | Customer | Customer | Microsoft/Customer | Microsoft/Customer |
| Application | Customer | Customer | Microsoft/Customer | Microsoft |
| Network controls | Customer | Customer | Microsoft/Customer | Microsoft |
| Operating system | Customer | Customer | Microsoft | Microsoft |
| Physical hosts | Customer | Microsoft | Microsoft | Microsoft |
| Physical network | Customer | Microsoft | Microsoft | Microsoft |
| Physical data center | Customer | Microsoft | Microsoft | Microsoft |

Table 1.1 – Shared responsibility in the cloud

As you look at the customer’s and Microsoft’s responsibilities for security, the cybersecurity architect should determine the levels of controls that the company should have in place for each of the areas of potential vulnerabilities and exposure to attacks.

The next section will build upon the areas of controls and security posture, and we will discuss the various components of cybersecurity operations.

Cybersecurity architecture use cases

Now that we understand security posture, defense in depth, and shared responsibility as we begin to architect cybersecurity for the cloud, we will discuss the makeup of a security operations team and the levels of a cybersecurity attack.

Security operations

In discussing security operations, you will hear terms such as red team, blue team, yellow team, purple team, white hat, and black hat. Let’s define each of these:

Red team – This is a team within the cybersecurity operation of the company that will conduct simulated attacks and penetration testing on the company infrastructure.

Blue team – This team focuses on the defenses and the response to attacks. These are the incident responders within cybersecurity operations.

Yellow team – These are developers and possibly third-party developers that the blue team should be working with on defenses within the development of controls.

Purple team – This team focuses on the methodology around the security architecture and protection. The purple team works closely with the red and blue teams to maximize the cybersecurity capabilities of the company. The purple team relies on the continuous feedback and lessons learned from the red and blue teams to improve the effectiveness of controls that are in place for vulnerability assessment, threat hunting and detection, and network monitoring.

White hat – These are considered ethical hackers. Ethical hackers use the tools of a bad or malicious hacker to attack a company’s systems, but with their permission.

Black hat – These are malicious hackers that are attempting to gain some level of control and do harm to the company that they are attacking.

Understanding the stages of a cyber attack

There are many ways that an attacker can attempt to access resources within the company. How they gain this access and what they attempt to accomplish once they gain access is the foundation of a cyber attack. Figure 1.2 shows the stages of a cyber attack in a linear format:

Figure 1.2 – Stages of a cyber attack

In many cases, an attacker is attempting to enter and do some level of damage at one of these stages. Sophisticated attackers may go through every one of these stages in order to gain full access to resources and increase the amount of damage that they can do to a company. Let’s define each of these stages for further understanding:

Reconnaissance: This is the planning stage of the attack. The attacker is gathering information that they can find about the company or companies that they will be targeting. This may be through social media, websites, phishing, or social engineering of personnel within the company. Another aspect of this stage is port scanning known management ports, such as RDP port 3389 or SSH port 22. The goal at this stage is to attempt to find ways to access systems.

Intrusion: Once the reconnaissance is successful, the attacker has found a way to access a system or systems within the company network. Now, they will use that knowledge to get into those systems. One type of intrusion is a brute-force attack.

Exploitation: The attacker has gained access to a system on the company network and now they want to exploit that system. This is where the attacker begins to show malicious intent. They will begin to use this access to deliver malware across the network.

Privilege Escalation: Once the attacker has gained access to a system, they will want to gain administrator-level access to the current resource, as well as additional resources on the network. If they have gained access to a virtual machine on the network, they could have administrative login privileges to other virtual machines and resources on the network.

Lateral Movement: Companies that use the same administrator username and password could allow the attacker to gain access to other systems across the network. This lateral movement could lead the attacker from a system without sensitive information to one that has extremely sensitive information.

Obfuscation/Anti-forensics: As is the case with any attack or crime, the person or people involved do not want to be found or traced. Therefore, they attempt to keep their access anonymous. If they have gained access through someone’s credentials within the company, this could help to decrease their traceability.

Denial of Service: When an attacker cuts off access to resources, this is a denial of service. This may be through an attack such as a SYN flood, where they send a large number of requests to a company’s public IP address that cannot be processed fast enough. This flood of requests blocks legitimate requests from being able to access resources. Another means of denial of service could be a ransomware attack. This is not a typical blocking of information but more the withholding of information through encryption so that a company and its users can no longer access that information. The attacker then extorts the company for payment to make the information accessible.

Exfiltration: The final aspect of the cyber attack is exfiltration. This is where the attacker has gained access to sensitive information and they are able to take that information to do harm in some way. This could be banking information, personally identifiable information (PII) about personnel or customers, and other valuable data.
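As an added example from the defender's side (not code from the book), the detection logic below runs over constructed sign-in records and looks for two of the stages listed above: the brute-force pattern of the Intrusion stage (a burst of failed logons for one account from one source, with a note of whether a success followed) and the Lateral Movement stage (one account succeeding on several distinct hosts in a short window). The record format is an assumption for this example, a comma-separated line of timestamp, account, source IP, target host and result; the sample lines are constructed and do not come from any real system.

```python
"""Detection over constructed sign-in events for two cyber attack stages.

Record format (assumed for this example): ISO timestamp, account, source IP,
target host, result ("Success" or "Failure"), comma-separated. The events in
SAMPLE_LOG are constructed and are not taken from a real environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2023-03-01T08:00:01,alice,10.1.0.5,fileserver01,Success
2023-03-01T08:00:05,admin,198.51.100.7,vm-web01,Failure
2023-03-01T08:00:06,admin,198.51.100.7,vm-web01,Failure
2023-03-01T08:00:07,admin,198.51.100.7,vm-web01,Failure
2023-03-01T08:00:08,admin,198.51.100.7,vm-web01,Failure
2023-03-01T08:00:09,admin,198.51.100.7,vm-web01,Failure
2023-03-01T08:00:10,admin,198.51.100.7,vm-web01,Failure
2023-03-01T08:00:12,admin,198.51.100.7,vm-web01,Success
2023-03-01T08:01:00,bob,10.1.0.9,vm-web01,Failure
2023-03-01T08:02:00,bob,10.1.0.9,vm-web01,Success
2023-03-01T08:05:00,admin,10.2.0.4,vm-web01,Success
2023-03-01T08:06:00,admin,10.2.0.4,vm-db01,Success
2023-03-01T08:07:30,admin,10.2.0.4,vm-app02,Success
2023-03-01T08:09:00,admin,10.2.0.4,dc01,Success
"""


def parse(text: str) -> list[dict]:
    """Parse the constructed record format into event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, host, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "src": src, "host": host, "ok": result == "Success"})
    return sorted(events, key=lambda e: e["ts"])


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)) -> dict:
    """Flag (source, account) pairs with >= threshold failures inside a sliding window.

    A success that arrives while the failure window is still full is recorded as
    'succeeded', which is the case that needs the fastest response.
    """
    findings = {}
    recent = defaultdict(list)  # (src, account) -> failure timestamps within window
    for e in events:
        key = (e["src"], e["account"])
        q = recent[key]
        while q and e["ts"] - q[0] > window:
            q.pop(0)
        if e["ok"]:
            if len(q) >= threshold:
                findings[key] = {"failures": len(q), "succeeded": True}
            continue
        q.append(e["ts"])
        if len(q) >= threshold:
            f = findings.setdefault(key, {"failures": 0, "succeeded": False})
            f["failures"] = max(f["failures"], len(q))
    return findings


def detect_lateral_movement(events, min_hosts=3, window=timedelta(minutes=10)) -> dict:
    """Flag accounts that log on successfully to >= min_hosts distinct hosts in a window."""
    findings = {}
    recent = defaultdict(list)  # account -> (timestamp, host) successes within window
    for e in events:
        if not e["ok"]:
            continue
        q = recent[e["account"]]
        q.append((e["ts"], e["host"]))
        while q and e["ts"] - q[0][0] > window:
            q.pop(0)
        hosts = {h for _, h in q}
        if len(hosts) >= min_hosts:
            findings[e["account"]] = sorted(hosts)
    return findings


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("brute force:", detect_brute_force(evs))
    print("lateral movement:", detect_lateral_movement(evs))
```

On the sample data the shared `admin` account is flagged twice: six failures and then a success from one external address, and successful logons to four hosts within ten minutes shortly afterwards. That chain is the reason the text warns against reusing one administrator credential across systems, and both detections are cheap enough to run continuously over sign-in logs.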