Security is a way of life.

We continue the AZ-900 notes with module 3. If you have not read modules 1 and 2 yet, you can read module 1 by clicking here and module 2 by clicking here. The core content of Module 3 is Security, Privacy, Compliance and Trust.

In this module, we will first take a look at Securing Network Connectivity. Next, we will cover Core Azure Identity Services and then the Security Tools and Features topic. Finally, we will finish the module with Azure Governance Methodologies, Monitoring and Reporting in Azure, and Privacy, Compliance and Data Protection Standards.

Securing Network Connectivity

Defense in Depth

Defense in Depth is a strategy that uses a set of mechanisms established to slow the progress of an attack attempting to access data. The main purpose is to prevent people who are not authorized to access data from stealing it. For this, an approach known as CIA is used: Confidentiality, Integrity, Availability.

Confidentiality: Its main purpose is to provide information security. In addition, it aims to prevent unauthorized access, unauthorized changes and unauthorized service disruption. Information such as user passwords, remote access certificates and e-mail contents is also included in the information intended to be protected.

Integrity: Its main purpose is to ensure the integrity of information. It aims to prevent unauthorized alteration of information while in transit or at rest. The most basic approach used in data transmission is that the sender creates a unique fingerprint for the data using a one-way hashing algorithm. The receiver checks the hash to see whether the data has changed.

Availability: Its main purpose is to make information available and accessible. It aims to prevent unauthorized access and denial of service (DoS) attacks.
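
The fingerprint check described under Integrity, as an added Python example that is not part of the original article. It goes one step beyond the text: a plain hash only detects a change when the digest itself arrives untouched, so the example contrasts it with a keyed HMAC. The key and messages are constructed sample values.

```python
import hashlib
import hmac


def fingerprint(data: bytes) -> str:
    """Unkeyed one-way hash of the data (SHA-256, hex encoded)."""
    return hashlib.sha256(data).hexdigest()


def keyed_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag: only holders of the shared key can compute it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def accepts_hash(data: bytes, received_digest: str) -> bool:
    """Receiver side: recompute the hash and compare in constant time."""
    return hmac.compare_digest(fingerprint(data), received_digest)


def accepts_tag(key: bytes, data: bytes, received_tag: str) -> bool:
    """Receiver side: recompute the HMAC with the shared key and compare."""
    return hmac.compare_digest(keyed_tag(key, data), received_tag)


def integrity_cases() -> dict:
    key = b"constructed-shared-key"          # constructed sample key
    original = b"amount=100;account=12345"   # constructed sample message
    altered = b"amount=900;account=12345"    # same message after alteration
    return {
        # Data changed in transit, digest delivered intact: detected.
        "hash_rejects_changed_data":
            not accepts_hash(altered, fingerprint(original)),
        # Data and digest replaced together on the same channel:
        # the unkeyed hash still matches, so the change goes unnoticed.
        "hash_rejects_replaced_pair":
            not accepts_hash(altered, fingerprint(altered)),
        # Same replacement against an HMAC: without the key, the value
        # sent alongside the altered data does not verify.
        "hmac_rejects_replaced_pair":
            not accepts_tag(key, altered, fingerprint(altered)),
        # Untouched data with its genuine tag is accepted.
        "hmac_accepts_untouched":
            accepts_tag(key, original, keyed_tag(key, original)),
    }
```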

Defense in Depth can be thought of as a series of layers with data to be secured in the center. Each layer provides protection to prevent further breaches from occurring as a result of a violation in a layer preceding it.

Defense in Depth layers

Physical security is the data center's first line of defense. It includes physical security measures.

Identity & access is the data center's second line of defense. It includes measures that control access to infrastructure and changes.

Perimeter is the data center's third line of defense. It includes filtering measures to prevent large scale attacks from causing denial of service for end users. (DDoS protection etc.)

Networking is the data center's fourth line of defense. It includes network communication measures through segmentation and access controls.

Compute is the data center's fifth line of defense. It includes the necessary measures to protect VMs.

Application is the data center's sixth line of defense. It includes the necessary precautions to ensure that the applications are safe and protected from security vulnerabilities.

Shared Security

Working with a cloud provider does not mean you can say "security is not my responsibility". We need to know both our own responsibilities and Azure's responsibilities. We can examine this in a table.

Customer's responsibility = You managed

Cloud provider's responsibility = Cloud Provider managed

Azure Firewall

A firewall is a system that allows each request to be filtered according to its source IP address or other specific conditions. Azure Firewall is a cloud-based network security service. With Azure Firewall, you can protect your Azure Virtual Network resources.

The advantage of Azure Firewall over on-premises firewalls is that it is fully stateful and offers built-in high availability and unrestricted cloud scalability.

With Azure Firewall, we can centrally create policies for application and network connectivity across subscriptions and virtual networks. At the same time, we can log them and monitor them with Azure Monitor.

Azure Firewall works with a static IP address. Many inbound and outbound filtering rules can be written.

In addition, thanks to Azure Application Gateway, we have the opportunity to use WAF - Web Application Firewall.

Azure DDoS Protection

DDoS attacks are usually carried out against public endpoints that are accessible on the internet. For this reason, we can say that the endpoints you open to your customers and to everyone else are potentially vulnerable to DDoS attacks. If you combine Azure DDoS Protection with application design best practices, you can have one of the best DDoS protections.

Azure DDoS Protection consists of 2 tiers:

Basic: This plan is auto-activated for free on all subscriptions as part of the Azure platform. Using the Azure global network and region power, it distributes and mitigates incoming attacks across regions.

Standard: This plan is activated by the user. It provides additional protection especially for Azure Virtual Network resources. No extra application changes are required to activate this plan. Protection policies are implemented with special traffic monitoring methods and ML algorithms. If you wish, you can run it in combination with Azure Load Balancer and Application Gateway.

In the standard plan, you can get protection for the following attacks:

Volumetric Attacks: The purpose of this attack is to cause service disruption by filling the network layer with a high amount of seemingly legitimate traffic.

Protocol Attacks: The purpose of this attack is to cause service disruption by taking advantage of the weaknesses of the L3 and L4 level protocols.

Resource (Application) Layer Attacks: The purpose of this attack is to cause service disruption by targeting web application packets to disrupt data transmission between hosts.

You can be protected from these with Azure Standard DDoS Protection. (Mitigation)

Those who want to have more detailed information about DDoS can reach my article published in the 10th issue of Arka Kapı magazine by clicking this link.

Network Security Groups (NSG)

Network Security Groups enable us to filter inbound and outbound traffic to our Azure Virtual Network resources. In short, NSG allows you to create many security rules according to the source and destination IP address, port and protocol for incoming and outgoing traffic to resources.

NSG can contain as many rules as you want, within the limits of your subscription. The rules you can use are listed in the table below.

Source: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#network-security-groups

You should note that when you create an NSG, Azure deploys some rules by default. You cannot remove these rules, but you can override these rules by creating higher priority rules.
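
How priority decides which NSG rule applies, and how a higher-priority custom rule overrides a default one, as an added Python example that is not part of the original article. It is a simplified inbound-only model (source, destination port, protocol); the custom rules, the 10.0.0.0/16 virtual network range and the sample addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Service tags resolved to prefixes. The VirtualNetwork range is a
# constructed address space; 168.63.129.16 is the Azure platform's virtual IP.
TAGS = {"VirtualNetwork": "10.0.0.0/16", "AzureLoadBalancer": "168.63.129.16/32"}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # lower number = higher priority
    access: str          # "Allow" or "Deny"
    source: str          # CIDR prefix, service tag or "*"
    port: str            # destination port: "443", "8000-8080" or "*"
    protocol: str = "*"


# Default inbound rules that Azure adds to every NSG.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*"),
]

# Constructed custom rules for the example.
CUSTOM = [
    Rule("Allow-HTTPS-Any", 200, "Allow", "*", "443", "Tcp"),
    Rule("Deny-VNet-SSH", 300, "Deny", "VirtualNetwork", "22", "Tcp"),
]


def _source_matches(rule_source: str, ip: str) -> bool:
    if rule_source == "*":
        return True
    prefix = TAGS.get(rule_source, rule_source)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)


def _port_matches(rule_port: str, port: int) -> bool:
    if rule_port == "*":
        return True
    low, _, high = rule_port.partition("-")
    return int(low) <= port <= int(high or low)


def evaluate(custom_rules, src_ip, dst_port, protocol="Tcp"):
    """Return (access, rule name) of the first rule that matches."""
    for rule in custom_rules:
        if not 100 <= rule.priority <= 4096:
            raise ValueError(f"{rule.name}: custom priority must be 100-4096")
    ordered = sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority)
    for rule in ordered:
        if (rule.protocol in ("*", protocol)
                and _source_matches(rule.source, src_ip)
                and _port_matches(rule.port, dst_port)):
            return rule.access, rule.name   # processing stops at first match
    raise RuntimeError("unreachable: DenyAllInBound matches everything")
```

Because custom priorities are limited to 100-4096, a custom rule always sorts ahead of the defaults at 65000 and above, which is why the defaults can be overridden but never removed.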

Application Security Groups (ASG)

In short, ASG allows you to group VMs and specify Network Security policies connected to these groups, allowing you to configure them as a natural extension of an application.

Let's say you have multiple groups of resources such as WebServers, AppServers and DbServers that you filter through similar ports. ASG allows you to manage them from a single point by grouping them together.

Source: https://azure.microsoft.com/en-gb/blog/applicationsecuritygroups/

Core Azure Identity Services

Authentication and Authorization

Identity management rests on two important concepts. The better these concepts are understood, the more successful identity management can be. The two steps described below take place one after the other, that is, sequentially.

Authentication is the process of establishing the identity of a person or service that wants to access a resource. It determines whether we really are who we claim to be.

Authorization determines the level of access granted to the person or service whose identity was authenticated in the step above. Which data they are allowed to access and what they can do with that data is decided in this step.

In addition, Authentication can be referred to as AuthN, and Authorization as AuthZ.

Azure Active Directory

Azure Active Directory, Azure AD for short, is Microsoft's cloud-based Identity and Access Management service. Azure AD allows the staff in your organization to log in and access specified resources.

Here we will split resources into two: External Resources and Internal Resources.

When we say External Resources, you can think of MS Office 365, Azure Portal or any SaaS application.

When we say Internal Resources, you can think of all cloud apps you have developed or apps in your company network.

Azure AD provides us:

  • Authentication: It covers verifying identity in order to access applications and resources, along with services such as self-service password reset, MFA (Multi-Factor Authentication), a custom banned password list and smart lockout.
  • Single-Sign-On (SSO): SSO allows users to use only one ID and one password to access multiple applications. In this way, the attack surface area is reduced. Let's say a highly privileged staff member is leaving the company. With SSO, you can easily freeze one account and stop all access.
  • Application Management: You can manage your applications in the cloud or on-premises with Azure AD Application Proxy, SSO and My Apps Portal (Access Panel).
  • B2B and B2C Identity Services: If you wish, you can have control over your own corporate data, while also providing various access to your guest users.

Azure Multi-Factor Authentication

Azure Multi-Factor Authentication provides extra security for your identities by requiring two or more elements for full authentication. These elements fall into three basic categories:

  • Something you know: For example, it could be a password or the answer to a security question.
  • Something you possess: It is something you have. It can be a mobile application that can receive notifications or a token-generating device.
  • Something you are: For example, it could be a fingerprint or a face.

MFA increases identity security with extra steps in order to keep the access secure in case the username and password are stolen. For example, consider a scenario where everyone in your organization logs in by entering a six-digit code via an Authenticator app in addition to their username and password. Even if your staff's usernames and passwords are stolen, access will not be possible without the six-digit code generated by the authenticator.

Azure MFA is available through the following offerings:

  • Azure Active Directory Premium license
  • Multi-Factor Authentication for Office 365
  • Azure Active Directory Global Administrators

Security Tools and Features

Azure Security Center

Azure Security Center is a monitoring service that provides threat protection for both Azure and on-premises systems.

With Azure Security Center, you can:

  • Receive security recommendations for configuration, resources, and networks.
  • Monitor security settings for both cloud and on-premises workloads, and apply the security configuration you set to new services as soon as they are online.
  • Continuously monitor all your services and take precautions against potential vulnerabilities by knowing about them in advance.
  • Use machine learning to detect and prevent malware from being installed on your VMs and services.
  • Review what happened after a possible violation.
  • Reduce the attack surface with just-in-time access control for ports, allowing only the traffic you need into your network.

Azure Security Center consists of two tiers:

  • Free: Available for free as part of an Azure subscription, you can only see evaluations and recommendations of Azure resources.
  • Standard: In this optional version, you can fully benefit from all the features of Azure Security Center.

Key Vault

Azure Key Vault is a cloud-based service to keep the secrets of your applications securely.

With Azure Key Vault, you can control access to secrets, keep access logs and revoke that access whenever you want.

So where should the Key Vault be used?

  • Secret Management: With Key Vault, you can keep all your secrets or API keys securely.
  • Key Management: You can use Key Vault to keep your encryption keys securely.
  • Certificate Management: If you wish, you can safely store and manage all your public and private SSL/TLS (Secure Sockets Layer / Transport Layer Security) certificates.
  • HSM Management: If you wish, you can safely keep secrets backed by HSMs (Hardware Security Modules).

Azure Information Protection (Azure AIP)

Azure Information Protection is a cloud-based solution that enables employees and companies to tag and categorize their documents and emails and optionally protect them.

Tags can be created and used automatically by administrators, as well as manually created and used by users.

Azure Advanced Threat Protection (Azure ATP)

Azure ATP is a cloud-based security product that detects threats against your company, from compromised identities and malicious software to malicious actions, and supports your investigations. Azure ATP can detect known malware, attacks, techniques, and security issues and notify you.

Azure ATP consists of 3 components:

Azure ATP Portal: The portal is where you can monitor and respond to suspicious activities. With Azure ATP Portal, you can view data received from ATP Sensor, and monitor and manage threats in your network environment.

Azure ATP Sensor: It is installed directly on your domain controller. Azure ATP Sensor can monitor your domain controller traffic without needing a dedicated server or creating a mirror port.

Azure ATP Cloud Service: Runs on Azure infrastructure and can be used in the USA, Europe and Asia. Azure ATP Cloud Service runs on Microsoft's Intelligent Security Graph.

Azure Governance Methodologies

Azure Policy

Azure Policy is a service used to create, assign and manage policies in Azure. The policies you create allow you to apply different rules to your resources, so that each resource or resource group stays within the standards and SLAs you set.

Azure Policy comes with a number of built-in policies that you can use under categories such as Storage, Networking, Compute, Security Center, and Monitoring. It can also be integrated with Azure DevOps.

Azure Policy also has the ability to automatically fix resources and configurations that it finds to be non-compliant.

Implementing Azure Policy

There are three steps to implementing Policy in Azure.

Create a Policy Definition > Assign the Definition to Resources > Review the Evaluation Result

Create a Policy Definition

A policy definition expresses what will be evaluated and what action will be taken. With a policy you define, you can save costs by preventing the use of hard disks when deploying VMs, or prevent VMs from being exposed through a public IP address.

Each policy has some conditions that must be met according to the area it is applied to. Unless these are met, that policy cannot be defined. We can list these conditions under the following items:

  • Allowed Storage Account SKUs
  • Allowed Resource Type
  • Allowed Locations
  • Allowed Virtual Machine SKUs

Assign the Definition to Resources

At this stage, we need to assign the policy to resources. If you wish, you can assign a policy you have created to a single resource, or you can assign it to the resources you want collectively.

Review the Evaluation Result

When a state or action occurs, it is marked as non-compliant if it is incompatible with a policy you created, and as compliant if it is compatible. You can review the results marked as non-compliant, and if this review shows that you need to change the policies, you can do so.

Policy Evaluation takes place on average once every hour. For this reason, it would be more useful to review the results of a policy you have applied at least an hour later.
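
The three steps above (definition, assignment, evaluation) carried through on one rule, as an added Python example that is not part of the original article and not Azure's own evaluation engine. The definition is a constructed "allowed locations for VMs" rule in the Azure Policy JSON shape; the subscription ID is a placeholder, the resources are constructed samples, and the small evaluator supports only the condition keywords used here.

```python
import re

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID

# Step 1, definition: constructed rule in the Azure Policy JSON shape.
DEFINITION = {
    "parameters": {"allowedLocations": {"type": "Array"}},
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"not": {"field": "location",
                     "in": "[parameters('allowedLocations')]"}},
        ]},
        "then": {"effect": "deny"},
    },
}

# Step 2, assignment: bind the definition to a scope and set its parameters.
ASSIGNMENT = {
    "scope": SUB + "/resourceGroups/rg-prod",
    "parameters": {"allowedLocations": ["westeurope", "northeurope"]},
}


def _res(rg, rtype, name, location):
    """Build one constructed sample resource record."""
    rid = f"{SUB}/resourceGroups/{rg}/providers/{rtype}/{name}"
    return {"id": rid, "name": name, "type": rtype, "location": location}


RESOURCES = [
    _res("rg-prod", "Microsoft.Compute/virtualMachines", "vm-web", "westeurope"),
    _res("rg-prod", "Microsoft.Compute/virtualMachines", "vm-test", "eastus"),
    _res("rg-prod", "Microsoft.Storage/storageAccounts", "stlogs", "eastus"),
    _res("rg-dev", "Microsoft.Compute/virtualMachines", "vm-dev", "eastus"),
]


def _resolve(value, params):
    """Replace a "[parameters('x')]" reference with the assigned value."""
    is_str = isinstance(value, str)
    m = re.fullmatch(r"\[parameters\('(\w+)'\)\]", value) if is_str else None
    return params[m.group(1)] if m else value


def _matches(cond, resource, params):
    """True when the resource satisfies the 'if' condition of the rule."""
    if "allOf" in cond:
        return all(_matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not _matches(cond["not"], resource, params)
    actual = str(resource.get(cond["field"], "")).lower()
    if "equals" in cond:
        return actual == str(_resolve(cond["equals"], params)).lower()
    if "in" in cond:
        return actual in [str(v).lower() for v in _resolve(cond["in"], params)]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(definition, assignment, resources):
    """Step 3, evaluation: compliance state for every in-scope resource."""
    report = {}
    for res in resources:
        if not res["id"].lower().startswith(assignment["scope"].lower() + "/"):
            continue  # outside the assigned scope: not evaluated
        hit = _matches(definition["policyRule"]["if"], res, assignment["parameters"])
        report[res["name"]] = "NonCompliant" if hit else "Compliant"
    return report
```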

Policy Initiatives

An initiative definition is a set of policy definitions that helps you track your compliance state for a larger goal.

Let's make them concrete with a few examples:

  • It can be used to monitor unencrypted SQL Database on the Security Center. Likewise, it can be used to monitor unencrypted servers.
  • It can be configured to monitor OS vulnerabilities on the Security Center.

Initiative Assignments

Just like policy assignment, initiative assignments are initiatives assigned to specific scopes.

Role-based Access Control (RBAC)

RBAC provides us with fine-grained access management. So what does that mean? For Azure resources, it means we can grant the users we choose only as much access as is needed. RBAC is provided free of charge for all Azure subscribers.

Let's give a few examples of what we can do with RBAC:

  • We may allow one user to manage only the VMs in our subscription, and another user to manage only Virtual Networks.
  • We may allow a Database Administrator to manage the SQL databases in our subscription.
  • We can allow a developer to manage VMs, websites and all subnets within their resource group.
  • We can allow an application to access all resources in the resource group where it is located.

RBAC works with an "allow" model: a person has a permission only when you grant it. When a role is assigned to you, RBAC allows you to perform the actions that role includes, such as read, write, and delete. Therefore, when assigning a role, we must be careful about which permissions we grant to whom. You can give a user only read authorization for one resource while granting the same user read & write authorization on another resource.

Resource Locks

Resource Locks, as the name suggests, help us lock resources against certain actions. This way you can prevent a resource from being accidentally deleted or changed.

You can set a resource as CanNotDelete or ReadOnly from the Resource Lock tab.

When you set it as CanNotDelete, you will see a scenario where the people you authorize will have read and write authority on the resource but cannot delete the resource.

When you set it as ReadOnly, you will see that the people you authorize can only view the resource and cannot use write & delete rights.
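
How the RBAC "allow" model and resource locks combine into one access decision, as an added Python example that is not part of the original article and is a simplified model, not Azure's authorization engine. The role definitions, users, locks and the placeholder subscription ID are constructed; the operation names follow the Azure resource provider naming.

```python
from fnmatch import fnmatchcase

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID
RG = SUB + "/resourceGroups/rg-app"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-web"
VNET = RG + "/providers/Microsoft.Network/virtualNetworks/vnet-app"

# Constructed role definitions: what each role allows and carves out.
ROLES = {
    "vm-manager": {"actions": ["Microsoft.Compute/virtualMachines/*"],
                   "not_actions": []},
    "reader": {"actions": ["*/read"], "not_actions": []},
}
# Constructed role assignments: (principal, role, scope).
ASSIGNMENTS = [("alice", "vm-manager", RG), ("bob", "reader", SUB)]
# Constructed locks: (scope, level).
LOCKS = [(VM, "CanNotDelete")]


def _in_scope(resource_id: str, scope: str) -> bool:
    """Assignments and locks apply to the scope and everything below it."""
    r, s = resource_id.lower(), scope.lower()
    return r == s or r.startswith(s + "/")


def _any_match(patterns, operation: str) -> bool:
    return any(fnmatchcase(operation.lower(), p.lower()) for p in patterns)


def rbac_allows(principal, operation, resource_id) -> bool:
    """Allow model: access exists only if some assigned role grants it."""
    for who, role, scope in ASSIGNMENTS:
        if who == principal and _in_scope(resource_id, scope):
            definition = ROLES[role]
            if (_any_match(definition["actions"], operation)
                    and not _any_match(definition["not_actions"], operation)):
                return True
    return False


def lock_blocking(operation, resource_id, locks):
    """Return the lock level that blocks the operation, or None."""
    op = operation.lower()
    for scope, level in locks:
        if not _in_scope(resource_id, scope):
            continue
        if level == "CanNotDelete" and op.endswith("/delete"):
            return level
        if level == "ReadOnly" and not op.endswith("/read"):
            return level
    return None


def decide(principal, operation, resource_id, locks=LOCKS) -> str:
    if not rbac_allows(principal, operation, resource_id):
        return "denied: no role grants it"
    level = lock_blocking(operation, resource_id, locks)
    return f"denied: {level} lock" if level else "allowed"
```

A lock applies regardless of the caller's role, so in this model alice keeps write access to the VM but cannot delete it until the CanNotDelete lock is removed.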

Azure Blueprints

Azure Blueprints enables your staff working as cloud architects to create a repeatable set of Azure resources that meet your organization's standards and requirements. In this way, you can use these prepared blueprints instead of dealing with making the same setups over and over.

Monitoring and Reporting in Azure

Tags

Thanks to Azure Tags, we can tag our resources with various tags. Tags provide us with ease of management and are free of charge.

Each tag consists of a name and value.

Knowing the limits of the tags will be more useful at this stage.

  • Certain resource types support tags, but some resource types do not support tags.
  • Each resource or resource group can have a maximum of 50 tags. (As of June 2020, Storage Accounts only support 15 tags, but with the next update this limit will be 50.) If you need more tags than allowed, it is possible to use a JSON string.
  • Tag name is limited to a maximum of 512 characters and value is limited to 256 characters. For storage accounts the limits are: name = 128, value = 256.
  • For VMs and VM scale sets, the total number of characters in tag names and values must not exceed 2048.
  • When you apply a tag to a resource group, the resources in that group do not inherit that tag.
  • If you wish, you can make tags mandatory by using Azure Policy.

Azure Monitor

Azure Monitor is a monitoring service created to collect, analyze and act on telemetry from cloud or on-premises systems. It helps you understand the performance of your applications and identifies the conditions that affect them.

So what data does Azure Monitor collect?

Azure Monitor can collect data from many layers, from your applications, operating systems and their services to the platform itself.

  • Application Monitoring Data
  • Guest OS Monitoring Data
  • Azure Resource Monitoring Data
  • Azure Subscription Monitoring Data
  • Azure Tenant Monitoring Data

Azure Health Service

Azure Health Service checks whether there is a problem with the services in Azure and provides you with various notifications. It can also help you prepare for planned maintenance or changes that could affect the availability of your resources.

We can examine Azure Health Service in three categories:

Azure Status gives you information about the health status of Azure services.

Service Health provides a custom dashboard that monitors the conditions in the regions where you use Azure services. You can also see the health history for up to 90 days.

Resource Health helps you diagnose cases where a problem in one of your Azure services affects your resources. You can also check here whether an SLA has been breached.

Monitoring Applications and Services

Analyze:

Application Insights is a service where you can monitor the availability, usage and performance of web applications you host both in the cloud and on-premises. It also has integration with Microsoft Visual Studio.

Azure Monitor for Containers is a service designed to monitor the workloads and performance of containers hosted on AKS, i.e. Azure Kubernetes Service. In Kubernetes, CPU and memory data are collected from controllers, nodes and containers through the metrics API, ensuring that the performance is visible. Container logs are also collected.

Azure Monitor for VM is a service developed entirely for your VMs. It analyzes the performance and health of your Windows and Linux VMs and offers you a dashboard. If you wish, you can also link the applications that you run on-premises here.

Respond:

Alerts are the alarms you create on Azure Monitor. By creating alerts so that you can intervene in critical situations, you can intervene before a problem occurs or when you are approaching the exit. We could say it works almost in real time.

Autoscale is a service that Azure Monitor uses to effectively manage the load on your application and make sure you have the right amount of resources. Thanks to the collected metrics, you can reduce your Azure costs to a minimum by removing unused resources, and prevent disruption of your system's uptime by automatically creating resources when you need more.

Visualize:

This service exists to allow you to create more efficient reporting modules using tracking data graphs and tables. Azure Monitor has its own features for visualizing monitoring data, but if you want to make specific adjustments, you can use the following tools:

  • Dashboards
  • Views
  • Power BI

You can view the details of Privacy, Compliance and Data Protection Standards on Microsoft's official document by clicking here.

We have come to the end of chapter 3. See you in chapter 4.
