Azure Active Directory
Role Based Access Control
Azure Security and Compliance
Azure Security Monitoring

Azure identity services
Azure AD

Access control
Role based access control

Azure Governance
Azure policies and blueprints

Security Networks
Network security groups, firewalls and routing

Reporting and compliance
Standards, data protection and monitoring

Authentication or Authorization?
A user logs in with a password
A user can create virtual machines
A user proves she is a member of your staff

A user uses the thumb print scanner on her laptop
A user is given access to some files
A user is allowed access to a building

Comparing Active directory versions:
Azure AD:
User and computer registration
Does not provide group policies
No trust relationships
Application management
Active Directory Domain Services:
User and computer registration
Provides group policies
Can create trusts
Application and device management and deployment
Kerberos and NTLM support
Schema management
Hierarchical directory service

Azure AD Domain Services is a PaaS offering provided by Microsoft Azure

Role:
Owner
Contributor
Reader

Azure Tags:
Key/Value pairs assigned to resources
Organizations should have a tagging policy enforced by Azure Policy

Tags can be used:

  • To enforce security requirements
  • To control costs
  • To deploy software

Azure Policy?
Azure policy is a collection of rules
Each policy is assigned to a scope such as an Azure subscription
Using Azure Policy means that resources will remain compliant with corporate standards

Using Azure Policy

  • Policy definition
  • Policy assignment
  • Policy parameters

Home->Policy - Definitions->Definitions
Home->Policy - Definitions->Allowed virtual machine SKUs
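Added example (not from these notes): a policy definition in Azure Policy's JSON rule format that enforces the tagging policy above by refusing any taggable resource that lacks a required tag. The tag name and the effect are parameters, so the definition is written once and the values are supplied when it is assigned to a scope such as a subscription; the display name and the costCenter tag are constructed for this example.

```json
{
  "properties": {
    "displayName": "Require a tag on resources (constructed example)",
    "mode": "Indexed",
    "description": "Indexed mode limits the rule to resource types that support tags, so untaggable types are not blocked.",
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag name",
          "description": "Tag every resource must carry, e.g. costCenter (value supplied at assignment time)"
        }
      },
      "effect": {
        "type": "String",
        "allowedValues": [ "Audit", "Deny" ],
        "defaultValue": "Audit",
        "metadata": {
          "displayName": "Effect",
          "description": "Audit reports non-compliant resources; Deny blocks their creation or update"
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "[concat('tags[', parameters('tagName'), ']')]",
        "exists": "false"
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Assign it first with the default Audit effect to see which existing resources would fail, then switch the assignment parameter to Deny; Deny only blocks new create and update requests, existing untagged resources are reported as non-compliant rather than removed.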

Azure Blueprints:
Blueprints are a way of orchestrating the deployment of resource templates and artifacts
Blueprints maintain a relationship with the deployed resources
Blueprints include Azure Policy definitions and initiatives as well as artifacts such as role assignments
Using Blueprints

  • Blueprint definition
  • Blueprint publishing
  • Blueprint assignment

Home->Blueprints - Getting started

Network Security Groups:
Attached to subnets or network interfaces (NICs)
Each NSG can be linked to multiple resources
NSGs are stateful
NSG rule properties include

  • Name
  • Priority
  • Source or destination
  • Protocol
  • Direction

Application Security Groups:
Allows us to reference a group of resources
Used as a source or destination in network security groups
Network security groups are still required
Working with application security groups

  • Create the application security group
  • Link the group to resources
  • Use the group when working with network security groups

N-Tier applications:
Each tier would have its own application security group

DMZ:
Resources in your DMZ would be added to their own application security groups

Automation:
When automating deployments include application security groups
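Added example (not from these notes): the ASG workflow above expressed as an ARM template fragment for an N-tier deployment. It assumes two application security groups, asg-web-tier and asg-app-tier, already exist in the same deployment; the first rule lets only the web tier reach the app tier on 443, and the second overrides the default AllowVnetInBound rule (priority 65000), which would otherwise let every VNet member reach the app tier.

```json
{
  "type": "Microsoft.Network/networkSecurityGroups",
  "apiVersion": "2022-07-01",
  "name": "nsg-app-tier",
  "location": "[resourceGroup().location]",
  "properties": {
    "securityRules": [
      {
        "name": "allow-web-to-app-https",
        "properties": {
          "description": "Constructed example: web tier ASG to app tier ASG, HTTPS only",
          "priority": 100,
          "direction": "Inbound",
          "access": "Allow",
          "protocol": "Tcp",
          "sourcePortRange": "*",
          "destinationPortRange": "443",
          "sourceApplicationSecurityGroups": [
            { "id": "[resourceId('Microsoft.Network/applicationSecurityGroups', 'asg-web-tier')]" }
          ],
          "destinationApplicationSecurityGroups": [
            { "id": "[resourceId('Microsoft.Network/applicationSecurityGroups', 'asg-app-tier')]" }
          ]
        }
      },
      {
        "name": "deny-other-vnet-to-app",
        "properties": {
          "description": "Explicit deny below 65000 so the default AllowVnetInBound rule does not apply to the app tier",
          "priority": 4000,
          "direction": "Inbound",
          "access": "Deny",
          "protocol": "*",
          "sourcePortRange": "*",
          "destinationPortRange": "*",
          "sourceAddressPrefix": "VirtualNetwork",
          "destinationApplicationSecurityGroups": [
            { "id": "[resourceId('Microsoft.Network/applicationSecurityGroups', 'asg-app-tier')]" }
          ]
        }
      }
    ]
  }
}
```

A VM joins a tier by listing the ASG under applicationSecurityGroups in its NIC's IP configuration, not on the VM resource itself, so new instances inherit the rules without editing the NSG.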

Azure Firewall:
Azure managed stateful firewall service
Protects access to virtual networks
Highly available
Features include

  • Threat intelligence
  • Outbound and inbound NAT support
  • Integration with Azure Monitor
  • Network traffic filtering rules
  • Unrestricted scalability

Azure DDoS Protection:
DDoS mitigation for network and applications
Always-on monitoring
Application layer protection
Integration with Azure monitor
Feature offered:

  • Multi-layered protection
  • Attack analytics
  • Scale and elasticity
  • Protection against unplanned costs

Azure DDoS service Tiers:
Basic:
Active traffic monitoring and always-on detection
Availability Guarantee
Backed by an SLA
Free
Standard:
Everything offered by the basic tier
Real-time metrics
Post attack reports
Access to DDoS experts during an active attack
Security information and event management (SIEM) integration
Monthly fee and usage based

Azure Security Options:

  1. Azure firewall
  2. Azure DDoS Protection
  3. Azure Web application firewall
  4. Network security groups
  5. Forced tunneling
  6. Marketplace devices

Azure Monitor:
Collect, analyze and act on telemetry
Azure or on-premises
Troubleshooting and performance monitoring
Data collected by Azure monitor

  • Metrics
  • Logs

Azure Service Health:
Notifies you about service status
Reports incidents and planned maintenance
Azure service health offers

  • Personalized dashboards
  • Configurable alerts
  • Guidance and support

Azure Advanced Threat Protection:
Monitor and analyze user activity
Identifies suspicious activity and events
Works with your on-premises Active Directory

Azure Key Vault:
Centralize the storage of application secrets
Uses FIPS 140-2 validated HSMs
Enable logging to monitor how and when secrets are being used
Enables centralized administration of secrets

Azure Key Vault Recommendations:
Use a separate key vault for each application or environment
Take regular backups of your key vault
Turn on logging and set up alerts

Compliance Standards:
HIPAA
PCI
GDPR
FedRAMP
ISO 27001

Azure Compliance:
Global Compliance:
More than 90 compliance offerings
Industry compliance:
Over 35 industry specific offerings
Blueprints:
Deploy compliant environments
Proof:
Access to 3rd party reports
Azure security center:
Unify security management