{"id":1179,"date":"2024-01-19T14:00:15","date_gmt":"2024-01-19T14:00:15","guid":{"rendered":"https:\/\/bogdanburuiana.com\/?p=1179"},"modified":"2024-01-22T12:59:34","modified_gmt":"2024-01-22T12:59:34","slug":"az-900-module-4","status":"publish","type":"post","link":"https:\/\/bogdanburuiana.com\/index.php\/2024\/01\/19\/az-900-module-4\/","title":{"rendered":"AZ-900 \u2013 Module 4 \u2013 General security and network security"},"content":{"rendered":"\n<p><strong>Microsoft Defender for Cloud<\/strong><\/p>\n\n\n\n<p><strong>Microsoft Defender for Cloud<\/strong> is a unified infrastructure security management system that strengthens the security posture of your data centers and provides advanced threat protection across your hybrid workloads in the cloud &#8211; whether they&#8217;re in Azure or not &#8211; as well as on premises.<\/p>\n\n\n\n<ul>\n<li><strong>Strengthen security posture:<\/strong> Defender for Cloud assesses your environment and enables you to understand the status of your resources, and whether they are secure.<\/li>\n\n\n\n<li><strong>Protect against threats:<\/strong> Defender for Cloud assesses your workloads and raises threat prevention recommendations and security alerts.<\/li>\n\n\n\n<li><strong>Get secure faster:<\/strong> In Defender for Cloud, everything is done at cloud speed. Because it is natively integrated, deployment is easy, providing you with auto-provisioning and protection with Azure services.<\/li>\n\n\n\n<li><strong>Policy compliance<\/strong><br>Defender for Cloud is built on top of Azure Policy controls so you can set and monitor your policies to run on management groups, across subscriptions, and even for a whole tenant.<\/li>\n\n\n\n<li><strong>Security alerts<\/strong><br>Defender for Cloud automatically collects, analyzes, and integrates log data from your Azure resources like firewall and endpoint protection to detect real threats. 
Then a list of prioritized security alerts is shown in Microsoft Defender for Cloud along with the information you need to quickly investigate and remediate an attack.<\/li>\n\n\n\n<li><strong>Secure score<\/strong><br>Defender for Cloud continually assesses your resources for security issues; then aggregates all the findings into a single score so that you can tell your current security situation.<\/li>\n<\/ul>\n\n\n\n<p><em>Learn and SkillPipe content:<\/em><\/p>\n\n\n\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/learn\/modules\/protect-against-security-threats-azure\/2-protect-threats-security-center\">https:\/\/docs.microsoft.com\/en-us\/learn\/modules\/protect-against-security-threats-azure\/2-protect-threats-security-center<\/a><\/p>\n\n\n\n<p><strong>Defender for Cloud &#8211; capabilities<\/strong><\/p>\n\n\n\n<p><strong>Policy Compliance<\/strong> &#8211; Run policies across management groups, subscriptions, or tenants.<\/p>\n\n\n\n<p><strong>Continuous Assessments<\/strong> &#8211; Assess new and deployed resources to ensure that they are configured properly.<\/p>\n\n\n\n<p><strong>Tailored Recommendations<\/strong> &#8211; Recommendations based on existing workload with instructions on how to implement them.<\/p>\n\n\n\n<p><strong>Threat Protection<\/strong> &#8211; Analyze attempted threats through alerts and impacted resource reports.<\/p>\n\n\n\n<p><em>Learn and SkillPipe content:<\/em><\/p>\n\n\n\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/learn\/modules\/protect-against-security-threats-azure\/2-protect-threats-security-center\">https:\/\/docs.microsoft.com\/en-us\/learn\/modules\/protect-against-security-threats-azure\/2-protect-threats-security-center<\/a><\/p>\n\n\n\n<p><strong>Microsoft Sentinel<\/strong><\/p>\n\n\n\n<p><strong>Microsoft Sentinel <\/strong>is a security information and event management (SIEM) solution that provides security analytics and threat intelligence across an enterprise.<\/p>\n\n\n\n<figure 
class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"451\" height=\"463\" src=\"https:\/\/bogdanburuiana.com\/wp-content\/uploads\/2024\/01\/image-12.png\" alt=\"\" class=\"wp-image-1181\" srcset=\"\/wp-content\/uploads\/2024\/01\/image-12.png 451w, \/wp-content\/uploads\/2024\/01\/image-12-292x300.png 292w\" sizes=\"(max-width: 451px) 100vw, 451px\" \/><\/figure>\n\n\n\n<ul>\n<li><strong>Collect<\/strong> &#8211; data across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds.<\/li>\n\n\n\n<li><strong>Detect<\/strong> threats and minimize false positives using analytics.<\/li>\n\n\n\n<li><strong>Investigate<\/strong> threats with AI and hunt suspicious activities at scale.<\/li>\n\n\n\n<li><strong>Respond<\/strong> to incidents with built-in orchestration and automation of common tasks.<\/li>\n<\/ul>\n\n\n\n<p><em>Learn and SkillPipe content:<\/em><\/p>\n\n\n\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/learn\/modules\/protect-against-security-threats-azure\/3-detect-respond-threats-sentinel\">https:\/\/docs.microsoft.com\/en-us\/learn\/modules\/protect-against-security-threats-azure\/3-detect-respond-threats-sentinel<\/a><\/p>\n\n\n\n<p><strong>Azure Key Vault<\/strong><\/p>\n\n\n\n<p><strong>Azure Key Vault<\/strong> is a centralized cloud service for storing an application&#8217;s secrets in a single, central<br>location. It provides secure access to sensitive information by providing access control and logging<br>capabilities.<\/p>\n\n\n\n<ul>\n<li><strong>Manage secrets<\/strong> You can use Key Vault to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.<\/li>\n\n\n\n<li><strong>Manage encryption keys<\/strong> You can use Key Vault as a key management solution. 
Key Vault makes it easier to create and control the encryption keys that are used to encrypt your data.<\/li>\n\n\n\n<li><strong>Manage SSL\/TLS certificates<\/strong> Key Vault enables you to provision, manage, and deploy your public and private Secure Sockets Layer\/Transport Layer Security (SSL\/TLS) certificates for both your Azure resources and your internal resources.<\/li>\n\n\n\n<li><strong>Store secrets backed by hardware security modules (HSMs)<\/strong> These secrets and keys can be protected either by software or by FIPS 140-2 Level 2 validated HSMs.<\/li>\n<\/ul>\n\n\n\n<p><em>Learn and SkillPipe content:<\/em><\/p>\n\n\n\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/learn\/modules\/protect-against-security-threats-azure\/4-manage-secrets-key-vault\">https:\/\/docs.microsoft.com\/en-us\/learn\/modules\/protect-against-security-threats-azure\/4-manage-secrets-key-vault<\/a><\/p>\n\n\n\n<p><strong>Azure Dedicated Host<\/strong><\/p>\n\n\n\n<p><strong>Azure Dedicated Host<\/strong> is a service that provides physical servers &#8211; able to host one or more virtual machines &#8211; dedicated to one Azure subscription. Dedicated hosts are the same physical servers used in Microsoft&#8217;s data centers, provided as a resource. You can provision dedicated hosts within a region, availability zone, and fault domain. Then, you can place VMs directly into your provisioned hosts, in whatever configuration best meets your needs.<br><strong>Limitations<\/strong><br>&#8211; Virtual machine scale sets are not currently supported on dedicated hosts.<br><strong>Benefits<\/strong><br>Reserving the entire host provides the following benefits:<br>&#8211; Hardware isolation at the physical server level. No other VMs will be placed on your hosts. Dedicated hosts are deployed in the same data centers and share the same network and underlying storage infrastructure as other, non-isolated hosts.<br>&#8211; Control over maintenance events initiated by the Azure platform. 
While the majority of maintenance events have little to no impact on your virtual machines, there are some sensitive workloads where each second of pause can have an impact. With dedicated hosts, you can opt in to a maintenance window to reduce the impact to your service.<br>&#8211; With the Azure hybrid benefit, you can bring your own licenses for Windows and SQL to Azure. Using the Azure hybrid benefit provides you with additional benefits. For more information, see&nbsp;Azure Hybrid Benefit.<\/p>\n\n\n\n<p><em>Learn and SkillPipe content:<\/em><\/p>\n\n\n\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/learn\/modules\/protect-against-security-threats-azure\/6-host-virtual-machines-dedicated-hosts\">https:\/\/docs.microsoft.com\/en-us\/learn\/modules\/protect-against-security-threats-azure\/6-host-virtual-machines-dedicated-hosts<\/a><\/p>\n\n\n\n<p><strong>Secure Network Connectivity<\/strong><\/p>\n\n\n\n<p><strong>Defense in depth<\/strong><\/p>\n\n\n\n<p>A defense-in-depth strategy uses a series of mechanisms to slow the advance of an attack that aims at<br>acquiring unauthorized access to data.<\/p>\n\n\n\n<p>You can visualize defense in depth as a set of layers, with the data to be secured at the center.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"609\" height=\"528\" src=\"https:\/\/bogdanburuiana.com\/wp-content\/uploads\/2024\/01\/image-13.png\" alt=\"\" class=\"wp-image-1184\" style=\"aspect-ratio:1.1534090909090908;width:223px;height:auto\" srcset=\"\/wp-content\/uploads\/2024\/01\/image-13.png 609w, \/wp-content\/uploads\/2024\/01\/image-13-300x260.png 300w\" sizes=\"(max-width: 609px) 100vw, 609px\" \/><\/figure>\n\n\n\n<p>Here&#8217;s a brief overview of the role of each layer:<\/p>\n\n\n\n<ul>\n<li>The <strong>physical security<\/strong> layer is the first line of defense to protect computing hardware in the datacenter.<\/li>\n\n\n\n<li>The <strong>identity and access<\/strong> 
layer controls access to infrastructure and change control.<\/li>\n\n\n\n<li>The <strong>perimeter <\/strong>layer uses distributed denial of service (DDoS) protection to filter large-scale attacks<br>before they can cause a denial of service for users.<\/li>\n\n\n\n<li>The <strong>network<\/strong> layer limits communication between resources through segmentation and access controls.<\/li>\n\n\n\n<li>The <strong>compute<\/strong> layer secures access to virtual machines.<\/li>\n\n\n\n<li>The <strong>application<\/strong> layer helps ensure that applications are secure and free of security vulnerabilities.<\/li>\n\n\n\n<li>The <strong>data<\/strong> layer controls access to business and customer data that you need to protect.<\/li>\n<\/ul>\n\n\n\n<p><em>Learn and SkillPipe content:<\/em><\/p>\n\n\n\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/learn\/modules\/secure-network-connectivity-azure\/2-what-is-defense-in-depth\">https:\/\/docs.microsoft.com\/en-us\/learn\/modules\/secure-network-connectivity-azure\/2-what-is-defense-in-depth<\/a><\/p>\n\n\n\n<p><strong>Shared Security<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"877\" height=\"639\" src=\"https:\/\/bogdanburuiana.com\/wp-content\/uploads\/2024\/01\/image-14.png\" alt=\"\" class=\"wp-image-1186\" srcset=\"\/wp-content\/uploads\/2024\/01\/image-14.png 877w, \/wp-content\/uploads\/2024\/01\/image-14-300x219.png 300w, \/wp-content\/uploads\/2024\/01\/image-14-768x560.png 768w\" sizes=\"(max-width: 877px) 100vw, 877px\" \/><\/figure>\n\n\n\n<ul>\n<li>Migrating from customer-controlled to cloud-based datacenters shifts the responsibility for security.<\/li>\n<\/ul>\n\n\n\n<ul>\n<li>Security becomes a shared concern between cloud providers and customers.<\/li>\n<\/ul>\n\n\n\n<p><strong>Network Security Groups (NSGs)<\/strong><\/p>\n\n\n\n<p><strong>Network Security Groups (NSGs)<\/strong> filter network traffic to and from Azure resources 
on Azure Virtual Networks.<\/p>\n\n\n\n<ul>\n<li>Filters network traffic to, and from, Azure resources on Azure Virtual Networks.<\/li>\n\n\n\n<li>Set inbound and outbound rules to filter by source and destination IP address, port, and protocol.<\/li>\n\n\n\n<li>Add multiple rules, as needed, within subscription limits.<\/li>\n\n\n\n<li>Azure applies default, baseline, security rules to new NSGs.<\/li>\n\n\n\n<li>Override default rules with new, higher priority, rules.<\/li>\n<\/ul>\n\n\n\n<p><em>Learn and SkillPipe content:<\/em><\/p>\n\n\n\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/learn\/modules\/secure-network-connectivity-azure\/5-filter-traffic-network-security-groups\">https:\/\/docs.microsoft.com\/en-us\/learn\/modules\/secure-network-connectivity-azure\/5-filter-traffic-network-security-groups<\/a><\/p>\n\n\n\n<p><strong>Azure Firewall<\/strong><\/p>\n\n\n\n<p><strong>Azure Firewall<\/strong> is a managed, cloud-based network security service that helps protect resources in your<br>Azure virtual networks. A virtual network is similar to a traditional network that you&#8217;d operate in your own datacenter. 
It&#8217;s a fundamental building block for your private network that enables virtual machines and<br>other compute resources to securely communicate with each other, the internet, and on-premises<br>networks.<\/p>\n\n\n\n<ul>\n<li>Applies inbound and outbound traffic filtering rules<\/li>\n\n\n\n<li>Built-in high availability<\/li>\n\n\n\n<li>Unrestricted cloud scalability<\/li>\n\n\n\n<li>Uses Azure Monitor logging<\/li>\n<\/ul>\n\n\n\n<p><em>Learn and SkillPipe content:<\/em><\/p>\n\n\n\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/learn\/modules\/secure-network-connectivity-azure\/3-protect-network-azure-firewall\">https:\/\/docs.microsoft.com\/en-us\/learn\/modules\/secure-network-connectivity-azure\/3-protect-network-azure-firewall<\/a><\/p>\n\n\n\n<p><strong>Azure Distributed Denial of Service (DDoS) protection<\/strong><\/p>\n\n\n\n<p>DDoS Protection identifies the attacker&#8217;s attempt to overwhelm the network and blocks further traffic<br>from them, ensuring that traffic never reaches Azure resources. 
Legitimate traffic from customers still<br>flows into Azure without any interruption of service.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"953\" height=\"192\" src=\"https:\/\/bogdanburuiana.com\/wp-content\/uploads\/2024\/01\/image-15.png\" alt=\"\" class=\"wp-image-1187\" srcset=\"\/wp-content\/uploads\/2024\/01\/image-15.png 953w, \/wp-content\/uploads\/2024\/01\/image-15-300x60.png 300w, \/wp-content\/uploads\/2024\/01\/image-15-768x155.png 768w\" sizes=\"(max-width: 953px) 100vw, 953px\" \/><\/figure>\n\n\n\n<ul>\n<li>Sanitizes unwanted network traffic before it impacts service availability.<\/li>\n\n\n\n<li>Basic service tier is automatically enabled in Azure.<\/li>\n\n\n\n<li>Standard service tier adds mitigation capabilities that are tuned to protect Azure Virtual Network resources.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft Defender for Cloud Microsoft Defender for Cloud is a unified infrastructure security management system that strengthens the security posture of your data centers and provides advanced threat protection across your hybrid workloads in the cloud &#8211; whether they&#8217;re in Azure or not &#8211; as well as on premises. 
Learn and SkillPipe content: https:\/\/docs.microsoft.com\/en-us\/learn\/modules\/protect-against-security-threats-azure\/2-protect-threats-security-center Defender [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"_links":{"self":[{"href":"https:\/\/bogdanburuiana.com\/index.php\/wp-json\/wp\/v2\/posts\/1179"}],"collection":[{"href":"https:\/\/bogdanburuiana.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bogdanburuiana.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bogdanburuiana.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bogdanburuiana.com\/index.php\/wp-json\/wp\/v2\/comments?post=1179"}],"version-history":[{"count":6,"href":"https:\/\/bogdanburuiana.com\/index.php\/wp-json\/wp\/v2\/posts\/1179\/revisions"}],"predecessor-version":[{"id":1201,"href":"https:\/\/bogdanburuiana.com\/index.php\/wp-json\/wp\/v2\/posts\/1179\/revisions\/1201"}],"wp:attachment":[{"href":"https:\/\/bogdanburuiana.com\/index.php\/wp-json\/wp\/v2\/media?parent=1179"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bogdanburuiana.com\/index.php\/wp-json\/wp\/v2\/categories?post=1179"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bogdanburuiana.com\/index.php\/wp-json\/wp\/v2\/tags?post=1179"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}