In early 2019, Microsoft created the AZ-900 Microsoft Azure Fundamentals certification. This is a certification for all individuals, IT or non IT background, who want to further their careers and learn how to navigate the Azure cloud platform. Learn about AZ-900 exam concepts and how to prepare and pass the exam

1. FUNDAMENTALS OF AZURE
SECURITY, PRIVACY, COMPLIANCE, AND TRUST

2. HOUSEKEEPING
Contact Information:
Phillip Scanlon - CCG
Email:
pscanlon@ccganalytics.com

3. AGENDA
Security, Privacy, Compliance, and Trust:
1. Understand Security Threats
2. Identity Management
3. Resource Manager
4. Potential Exam Questions

4. AZ-900 EXAM LAYOUT
1. Understand cloud concepts (15-20%)
2. Understand core Azure services (30-35%)
3. Understand security, privacy, compliance, and trust (25-30%)
4. Understand Azure pricing and support (20-25%)

5. EXAM PREP - STUDY MATERIALS
Microsoft Learn
Platform
Whizlabs

6. BIGGEST DATA BREACHES OF THE 21ST CENTURY

7. UNDERSTAND SECURITY THREATS

8. COMPLIANCE OFFERINGS

9. SECURITY ADVANTAGES OF CLOUD ERA

10. RESPONSIBILITY OF SERVICES
IaaS (Infrastructure as a Service):
• Azure creates virtual machines (VMs) and virtual networks.
PaaS (Platform as a Service):
• Azure is taking care of the operating system and of most
foundational software like database management systems.
SaaS (Software as a Service):
• Organization outsources almost everything.

11. DEFENSE IN DEPTH
Defense in depth is a strategy that employs a
series of mechanisms to slow the advance of an
attack aimed at acquiring unauthorized access
to information.

12. DATA
In almost all cases, attackers are after data:
• Stored in a database
• Stored on disk inside virtual machines
• Stored on a SaaS application such as
Office 365
• Stored in cloud storage

13. APPLICATION
Integrating security into the application development life cycle
will help reduce the number of vulnerabilities introduced in
code.
• Ensure applications are secure and free of vulnerabilities.
• Store sensitive application secrets in a secure storage
medium.
• Make security a design requirement for all application
development.

14. COMPUTE
The focus in this layer is on making sure compute
resources are secure, and that the proper controls are
in place to minimize security issues.
• Secure access to virtual machines.
• Implement endpoint protection and keep systems
patched and current.

15. NETWORKING
The focus is on limiting the network connectivity across all
resources to allow only what is required.
• Limit communication between resources.
• Deny by default.
• Restrict inbound internet access and limit outbound, where
appropriate.
• Implement secure connectivity to on-premises networks.

16. PERIMETER
At the network perimeter, it's about protecting from network-
based attacks against resources.
• Use distributed denial of service (DDoS) protection to
filter large-scale attacks before they can cause a denial of
service for end users.
• Use perimeter firewalls to identify and alert on malicious
attacks against your network.

17. DDOS PROTECTION OPTIONS

18. IDENTITY AND ACCESS
The identity and access layer is all about ensuring identities are secure, access
granted is only what is needed, and changes are logged.
Two fundamental concepts when talking about identity and access control:
1. Authentication:
 establishing the identity of a person or service looking to access a
resource.
 establishes if they are who they say they are.
2. Authorization:
 establishing what level of access an authenticated person or service has.
 specifies what data they're allowed to access and what they can do with
it.

19. PHYSICAL SECURITY
Physical building security and controlling access to computing
hardware within the data center is the first line of defense.
• Intent is to provide physical safeguards against access to
assets, these safeguards ensure that other layers can't be
bypassed, and loss or theft is handled appropriately.

20. IDENTITY MANAGEMENT

21. AZURE ACTIVE DIRECTORY
Azure Active Directory (Azure AD)
• Cloud-based identity service
• Backbone/core of identity
management in Azure, built in
support for synchronizing with
your existing on-premises Active
Directory or can be used stand-
alone
• All applications (on-premises,
cloud (including Office 365), or
mobile) can share the same
credentials

22. AZURE ACTIVE DIRECTORY SERVICES
Authentication - verifying identity to access applications and resources, and
providing functionality such as self-service password reset, multi-factor
authentication (MFA), a custom banned password list, and smart lockout
services.
• Self-service password reset: According to Forrester Research, the average
password reset is $70, and the Gartner Group states 20 to 50 percent of
all Help Desk calls are for password resets.
• Multi-factor: Detecting logins from locations that are
physically impossible to reach within a certain time frame.

23. AZURE ACTIVE DIRECTORY SERVICES CONTINUED
• Single-Sign-On (SSO) - enables users to remember only one ID and one password to
access multiple applications.
• Application management - manage cloud and on-premises apps using Azure AD
Application Proxy, SSO, the My apps portal (also referred to as Access panel), and SaaS
apps.
• Business to business (B2B) identity services - manage guest users and external
partners while maintaining control over your own corporate data Business-to-
Customer (B2C) identity services.
• Device Management - Manage how your cloud or on-premises devices access your
corporate data.

24. ENCRYPTION
What is encryption?
Encryption is the process of making data unreadable and unusable to unauthorized viewers.
To use or read the encrypted data, it must be decrypted, which requires the use of a secret
key.
Two top-level types of encryption: symmetric and asymmetric.
• Symmetric encryption uses the same key to encrypt and decrypt the data.
• Asymmetric encryption uses a public key and private key pair. Either key can encrypt
but a single key can't decrypt its own encrypted data. To decrypt, you need the paired
key.

25. ENCRYPTION AT REST
Encryption of data at rest ensures that the stored data is unreadable without the
keys and secrets needed to decrypt it.

26. ENCRYPTION IN TRANSIT
Encrypting data in transit protects the data from
outside observers and provides a mechanism to
transmit data while limiting risk of exposure.
Data in transit is the data actively moving from one
location to another, such as across the internet or
through a private network.

27. AZURE ENCRYPTION ACROSS SERVICES
Azure Storage Service Encryption for data at rest helps protect data to meet
organizational security and compliance commitments. Raw storage encryption.
Azure Disk Encryption is a capability that helps encrypt Windows and Linux IaaS
virtual machine disks.
Transparent data encryption (TDE) helps protect Azure SQL Database and
Azure Data Warehouse against the threat of malicious activity. Database
encryption.
Encrypt secrets
Azure Key Vault is a centralized cloud service for storing your application secrets.

28. HOW TO PROTECT YOUR NETWORK
Azure has a layered approach to network security.
• Reduces risk of exposure through network-based attacks.
• Combine multiple Azure networking and security services to manage network security and
provide increased layered protection.

29. NETWORK SECURITY GROUPS
Contains security rules that allow or deny inbound network traffic to, or outbound network traffic from,
several types of Azure resources.
For each rule, you can specify:
 Source
 Destination
 Port
 Protocol

30. DEFAULT SECURITY RULES

31. PROTECT YOUR SHARED DOCUMENTS
Microsoft Azure Information Protection (sometimes referred to as AIP) is a cloud-
based solution that helps organizations classify and optionally protect documents and
emails by applying labels.

32. AZURE ATP
Azure Advanced Threat Protection (Azure ATP) is a cloud-based security solution that identifies,
detects, and helps you investigate advanced threats, compromised identities, and malicious insider
actions directed at your organization.
Components include:
• Azure ATP portal
o Monitor and respond to suspicious activity.
• Azure ATP sensor
o Monitors domain controller traffic without requiring a dedicated server or configuring port
mirroring.
• Azure ATP cloud service
o Azure ATP cloud service runs on Azure infrastructure and is currently deployed in the United
States, Europe, and Asia.

33. MICROSOFT SECURITY DEVELOPMENT LIFECYCLE (SDL)
• Define security requirements
• Define metrics and compliance reporting
• Perform threat modeling
• Establish design requirements
• Define and use cryptography standards
• Manage security risks from using third-party components
• Use approved tools
• Perform Static Analysis Security Testing
• Perform Dynamic Analysis Security
Testing
• Perform penetration testing
• Establish a standard incident response
process
The Microsoft Security Development Lifecycle (SDL) introduces security and privacy considerations,
guidance, best practices, tools, and processes throughout all phases of the development process and helps
developers build highly secure software, address security compliance requirements, and reduce
development costs.

34. SECURITY SUMMARY
Azure Security Center centralizes much of the help Azure has to offer.
• Provides a single dashboard, with a view into many of your services, and helps make
sure organizations are following best practices.
• Continuously updated machine learning algorithms help identify whether the latest
threats are aimed at users resources and helps mitigate threats.

35. AZURE RESOURCE MANAGER

36. UNDERSTAND SCOPE

37. AZURE MANAGEMENT GROUPS
Azure Management groups are containers for managing access, policies, and compliance across
multiple Azure subscriptions.

38. GOVERNANCE FOR THE CLOUD
Management Group
Define
organizational
hierarchy
Hierarchy
Policy
Real-time
enforcement,
compliance
assessment and
remediation
Control
Cost Management
Monitor cloud
spend and
optimize resources
Consumption
NEWNEW
Blueprints
Deploy and update
cloud environments
in a repeatable
manner using
composable artifacts
Environment
NEW
Resource Graph
Query, explore &
analyze cloud
resources at scale
Visibility

39. WHAT IS AZURE POLICY?
Azure Policy is a service you can use to create, assign, and manage policies.
• Policies apply and enforce rules that your resources need to follow.
• Policies can enforce these rules when resources are created, and can be evaluated against
existing resources to give visibility into compliance.
Policies can enforce things such as only allowing specific types of resources to be created, or
only allowing resources in specific Azure regions.
• Enforce naming conventions across your Azure environment.
• Enforce that specific tags are applied to resources.

40. AZURE SUBSCRIPTIONS
Azure subscription provides you with authenticated and authorized access to Azure products
and services and allows you to provision resources on Azure.
It is a logical unit of Azure services that links to an Azure account.

41. WHAT IS A RESOURCE GROUP?
A resource group is a container that
holds related resources for an Azure
solution.
Each resource in Azure must
belong to a resource group.

42. RESOURCE GROUP BEST PRACTICES
Logical grouping
• Resource groups exist to help manage and organize your Azure resources. By placing resources of
similar usage, type, or location, you can provide some order and organization to resources you create
in Azure.
Life cycle
• If you delete a resource group, all resources contained within are also deleted. Resource groups make
it easy to remove a set of resources at once.
Authorization
• Resource groups are also a scope for applying role-based access control (RBAC) permissions. By
applying RBAC permissions to a resource group, you can ease administration and limit access to
allow only what is needed.

43. WHAT ARE TAGS?
Tags allow organizations to associate custom details about their resource, in addition to the standard Azure
properties a resource has:
• Department (like finance, marketing, and more)
• Environment (prod, test, dev),
• Cost center
• Life cycle and automation (like shutdown and startup of virtual machines)
Tags are name/value pairs of text data that you can apply to resources and resource groups.
• Can have up to 50 tags.
• Name is limited to 512 characters for all types of resources except storage accounts, which have a
limit of 128 characters.
• Value is limited to 256 characters for all types of resources.

44. RESOURCES
A manageable item that is available through Azure.
Examples:
 Virtual machines
 Storage accounts
 Web apps
 Databases
 Virtual networks
 Resource groups, subscriptions, management groups, and tags

45. HOW DO WE PROTECT THOSE RESOURCES ONCE THEY ARE
DEPLOYED?
Answer:
Role-based access control (core service and is included with all subscription levels at no
cost)
 Allow one user to manage VMs in a subscription, and another user to manage
virtual networks.
 Allow a database administrator (DBA) group to manage SQL databases in a
subscription.
 Allow a user to manage all resources in a resource group, such as VMs, websites,
and virtual subnets.
 Allow an application to access all resources in a resource group.

46. WHAT ARE RESOURCE LOCKS?
Resource locks are a setting that can be applied to any resource to block modification or
deletion.
Resource locks can set to either Delete or Read-only:
• Delete will allow all operations against the resource but block the ability to delete it.
• Read-only will only allow read activities to be performed against it, blocking any
modification or deletion of the resource.
Resource locks can be applied to subscriptions, resource groups, and to individual
resources, and are inherited when applied at higher levels.

47. QUESTION 1

48. QUESTION 2

49. QUESTION 3

50. QUESTION 4

51. THANK YOU