READING TIME – 1 HOUR
Module 3 – Security, Privacy, Compliance and Trust
- Lesson 1 – Securing network connectivity in Azure
- Lesson 2 – Core Azure Identity services
- Lesson 3 – Security tools and features
- Lesson 4 – Azure governance methodologies
- Lesson 5 – Monitoring and Reporting in Azure
- Lesson 6 – Privacy, Compliance and Data Protection standards in Azure
In this module you’ve learned about securing network connectivity in Azure, core identity services, security tools and features, Azure governance methodologies, monitoring and reporting in Azure, and privacy, compliance, and data protection standards in Azure.
Securing network connectivity in Azure
In this lesson you learned about Azure Firewall, Azure DDoS Protection, NSGs, and choosing Azure network security solutions.
Core Azure identity services
In this lesson you learned about authentication and authorization, Azure AD, and MFA.
Security tools and features
In this lesson you learned about Azure Security Center and some usage scenarios for it, Key Vault, MSIP, and Azure ATP.
Azure governance methodologies
In this lesson you learned about Azure Policy, policies, initiatives, RBAC, locks, Azure Advisor, security assistance, and Azure Blueprint.
Monitoring and reporting in Azure
In this lesson you learned about Azure Monitor and Azure Service Health.
Privacy, compliance and data protection standards in Azure
In this lesson you learned about compliance terms and requirements, the Microsoft Privacy statement, Trust Center, the Service Trust Portal, Compliance Manager, Azure Government, Azure Germany, and Azure China.
Lesson 1 – Securing network connectivity in Azure
- A firewall is a service that grants or denies access to a server based on the originating IP address of each request.
- You create firewall rules that specify ranges of IP addresses.
- Only clients from these granted IP addresses will be allowed to access the server. Firewall rules, generally speaking, also include specific network protocol and port information.
- Azure Firewall is a managed, cloud-based, network security service that protects your Azure Virtual Network resources.
- It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
- You can create, enforce, and log, application and network connectivity policies across subscriptions, and virtual networks, centrally.
- Azure Firewall uses a static public IP address for your virtual network resources, which allows outside firewalls to identify traffic originating from your virtual network.
- The service is fully integrated with Azure Monitor for logging and analytics.
Azure Firewall provides many features, including:
- Built-in high availability.
- Unrestricted cloud scalability.
- Inbound and outbound filtering rules.
- Azure Monitor logging.
Common Usage Scenarios
You typically deploy Azure Firewall on a central virtual network to control general network access. With Azure Firewall you can configure:
- Application rules that define fully qualified domain names (FQDNs) that can be accessed from a subnet.
- Network rules that define source address, protocol, destination port, and destination address.
- Azure Application Gateway also provides a firewall, called the Web Application Firewall (WAF).
- However, WAF is different from Azure Firewall.
- WAF provides centralized, inbound protection for your web applications against common exploits and vulnerabilities.
- In contrast, Azure Firewall provides outbound, network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S.
- In addition, Azure Firewall provides inbound protection for non-HTTP/S protocols. Examples of non-HTTP/S protocols include: Remote Desktop Protocol (RDP), Secure Shell (SSH), and File Transfer Protocol (FTP).
- Azure Firewall’s extended functionality makes it suitable for different uses.
Azure DDoS Protection
Distributed Denial of Service (DDoS) attacks attempt to overwhelm and exhaust an application’s resources, making the application slow or unresponsive to legitimate users. DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet. Thus, any resource exposed to the internet, such as a website, is potentially at risk from a DDoS attack.
When you combine Azure DDoS Protection with application design best practices, you help provide defense against DDoS attacks. DDoS Protection leverages the scale and elasticity of Microsoft’s global network to bring DDoS mitigation capacity to every Azure region. The Azure DDoS Protection service protects your Azure applications by scrubbing traffic at the Azure network edge before it can impact your service’s availability.
Azure DDoS protection service tiers
Azure DDoS Protection provides the following service tiers:
- The Basic service tier is automatically enabled as part of the Azure platform.
- Always-on traffic monitoring and real-time mitigation of common network-level attacks provide the same defenses that Microsoft’s online services use.
- Azure’s global network is used to distribute and mitigate attack traffic across regions.
- The Standard service tier provides additional mitigation capabilities that are tuned specifically to Microsoft Azure Virtual Network resources.
- DDoS Protection Standard is simple to enable and requires no application changes.
- Protection policies are tuned through dedicated traffic monitoring and machine learning algorithms.
- Policies are applied to public IP addresses which are associated with resources deployed in virtual networks, such as Azure Load Balancer and Application Gateway.
DDoS Protection Standard
DDoS Protection Standard can mitigate the following types of attacks:
- Volumetric attacks.
- The attack’s goal is to flood the network layer with a substantial amount of seemingly legitimate traffic.
- Protocol attacks.
- These attacks render a target inaccessible, by exploiting a weakness in the layer 3 and layer 4 protocol stack.
- Resource (application) layer attacks.
- These attacks target web application packets to disrupt the transmission of data between hosts.
- Note: You can read more about Azure DDoS Protection from the page Azure DDoS Protection.
Network Security Groups (NSG)
- Network Security Groups (NSGs) allow you to filter network traffic to and from Azure resources in an Azure virtual network.
- An NSG can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol.
Network security rule properties
A network security group can contain as many rules as you need, within Azure subscription limits. Each rule specifies the following properties:
|Property|Description|
|---|---|
|Name|Unique name of the rule within the NSG.|
|Priority|A number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers.|
|Source or Destination|Individual IP address or IP address range, service tag, or application security group.|
|Protocol|TCP, UDP, or Any.|
|Direction|Whether the rule applies to inbound or outbound traffic.|
|Port Range|An individual port or range of ports.|
|Action|Allow or Deny.|
- When you create a network security group, Azure creates a series of default rules to provide a baseline level of security.
- You cannot remove the default rules, but you can override them by creating new rules with a higher priority, that is, a lower priority number than the default rules (which use 65000 and above).
Note: You can read more about NSGs on the Security groups page.
Application Security Groups (ASG)
- Application security groups (ASGs) enable you to configure network security as a natural extension of an application’s structure, allowing you to group virtual machines and define network security policies based on those groups.
- This feature allows you to reuse your security policy at scale without manual maintenance of explicit IP addresses.
- The platform handles the complexity of explicit IP addresses and multiple rule sets, allowing you to focus on your business logic.
- An ASG enables you to group servers with similar port filtering requirements, and group together servers with similar functions, such as web servers.
- In the below example we have ASGs defined for WebServers, AppServers and DbServers and green and red arrows indicating which network traffic paths are allowable and which are not.
- In the below example, multiple applications are deployed into the same virtual network.
- Based on the security rules described, workloads are isolated from each other.
- If a VM from one of the applications is compromised, lateral exploration is limited, minimizing the potential impact of an attacker.
- In this example, assume one of the web server VMs from application1 is compromised: the rest of the application remains protected, and critical workloads such as the database servers stay unreachable from the compromised host.
- This implementation adds multiple extra layers of security to your network, making an intrusion less harmful and easier to detect and respond to.
- ASGs help simplify how you can filter and control network traffic coming into your organization and how that network traffic is allowed to move.
- They allow you to isolate multiple workloads and provide additional levels of protection for your virtual network in a more easily manageable way.
See Application security groups for more details.
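The rule-processing semantics described above (priority order, first match wins, the default rules that cannot be removed, ASG names in place of explicit IP addresses) as a small Python model. This is an added example, not code from the course or from any Azure API: the service-tag ranges, ASG memberships, three-tier rule set and sample flows are constructed for illustration, and real rules would be created through the portal, Azure CLI or ARM templates.

```python
"""Model of how an Azure NSG evaluates a flow against its security rules.

Added example, not code from the course or from Azure. It reproduces the
documented semantics on constructed data: rules are processed in priority
order (lower number first), the first match wins, custom priorities lie in
100-4096, and Azure's default rules (65000 and above) cannot be removed but
can be overridden by a custom rule with a lower number.
"""
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str          # "Inbound" or "Outbound"
    action: str             # "Allow" or "Deny"
    protocol: str = "*"     # "Tcp", "Udp" or "*"
    source: str = "*"       # CIDR, "*", service tag or application security group name
    destination: str = "*"
    dest_ports: str = "*"   # "22", "80-443" or "*"

@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int

# Constructed lookups. In Azure the platform resolves service tags and ASG
# membership; here they are plain dictionaries so the example runs offline.
SERVICE_TAGS = {"VirtualNetwork": ["10.0.0.0/16"], "AzureLoadBalancer": ["168.63.129.16/32"]}
ASG_MEMBERS = {
    "WebServers": {"10.0.1.4", "10.0.1.5"},
    "AppServers": {"10.0.2.4"},
    "DbServers": {"10.0.3.4"},
}

# The default rules Azure adds to every NSG (priorities 65000-65500).
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", source="VirtualNetwork", destination="VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", source="AzureLoadBalancer"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", source="VirtualNetwork", destination="VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", destination="Internet"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny"),
]

def _addr_matches(spec, ip):
    if spec == "*":
        return True
    if spec == "Internet":            # everything that is not inside the virtual network
        return not _addr_matches("VirtualNetwork", ip)
    if spec in ASG_MEMBERS:
        return ip in ASG_MEMBERS[spec]
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in SERVICE_TAGS.get(spec, [spec]))

def _port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def validate(rules):
    """Return a list of problems: priorities outside 100-4096 or reused within a direction."""
    problems, seen = [], set()
    for r in rules:
        if not 100 <= r.priority <= 4096:
            problems.append(f"{r.name}: priority {r.priority} outside 100-4096")
        if (r.direction, r.priority) in seen:
            problems.append(f"{r.name}: priority {r.priority} already used for {r.direction}")
        seen.add((r.direction, r.priority))
    return problems

def evaluate(rules, flow):
    """Return (action, matching rule name) for a flow; the first match by priority wins."""
    for r in sorted(list(rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if (r.direction == flow.direction
                and r.protocol in ("*", flow.protocol)
                and _addr_matches(r.source, flow.src_ip)
                and _addr_matches(r.destination, flow.dst_ip)
                and _port_matches(r.dest_ports, flow.dst_port)):
            return r.action, r.name
    return "Deny", "implicit"  # not reached: a DenyAll* default rule always matches

# Constructed three-tier rule set using ASGs instead of explicit IP addresses.
# The explicit Deny at 4000 is what actually stops web -> database traffic:
# without it, AllowVnetInBound (65000) would permit any intra-VNet flow.
TIER_RULES = [
    Rule("AllowInternetToWeb", 100, "Inbound", "Allow", "Tcp", "Internet", "WebServers", "443"),
    Rule("AllowWebToApp", 110, "Inbound", "Allow", "Tcp", "WebServers", "AppServers", "8080"),
    Rule("AllowAppToDb", 120, "Inbound", "Allow", "Tcp", "AppServers", "DbServers", "1433"),
    Rule("DenyVnetToDb", 4000, "Inbound", "Deny", "*", "VirtualNetwork", "DbServers", "*"),
]

if __name__ == "__main__":
    assert validate(TIER_RULES) == []
    for f in (Flow("Inbound", "Tcp", "203.0.113.10", "10.0.1.4", 443),
              Flow("Inbound", "Tcp", "10.0.1.4", "10.0.3.4", 1433)):
        print(f.src_ip, "->", f.dst_ip, f.dst_port, evaluate(TIER_RULES, f))
```

The rule to notice is DenyVnetToDb at priority 4000: the isolation described in the ASG example only holds because that explicit deny sorts before the default AllowVnetInBound rule at 65000. Remove it and a compromised web server reaches the database servers on every port, allowed by a rule you cannot delete.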
Choosing Azure network security solutions
- It’s not enough to simply focus on securing the network perimeter, or on network security between services inside a network.
- A layered approach provides multiple levels of protection so that if an attacker gets through one layer there are further protections in place.
- A common security concept that is applied to computing systems is defense in depth, which is essentially a layered approach to providing security.
- As the image illustrates, there are many layers that you need to consider.
- However, a broader security discussion of each layer is beyond the scope of this course.
- Therefore, we will primarily focus on the Perimeter layer and the Networking layer.
- The network perimeter layer is about protecting organizations from network-based attacks against your resources.
- Identifying these attacks, alerting, and eliminating their impact is important to keep your network secure. To do this:
- Use Azure DDoS Protection to filter large-scale attacks before they can cause a denial of service for end users.
- Use perimeter firewalls with Azure Firewall to identify and alert on malicious attacks against your network.
- At the networking layer, the focus is on limiting network connectivity across all your resources to only allow what is required.
- Segment your resources and use network-level controls to restrict communication to only what is needed.
- By restricting connectivity, you reduce the risk of lateral movement throughout your network from an attack.
- Use NSGs to create rules about inbound and outbound communication at this layer. As best practices:
- Limit communication between resources through segmenting your network and configuring access controls.
- Deny by default.
- Restrict inbound internet access and limit outbound where appropriate.
- Implement secure connectivity to on-premises networks.
You can also combine multiple Azure networking and security services to manage your network security and provide increased layered protection. The following are examples of combined services:
- Network security groups and Azure Firewall.
- Azure Firewall complements network security group functionality.
- Together, they provide better defense-in-depth network security.
- Network security groups provide distributed network layer traffic filtering to limit traffic to resources within virtual networks in each subscription.
- Azure Firewall is a fully stateful, centralized network firewall-as-a-service, which provides network and application-level protection across different subscriptions and virtual networks.
- Application Gateway WAF and Azure Firewall.
- WAF is a feature of Application Gateway that provides your web applications with centralized, inbound protection against common exploits and vulnerabilities.
- Azure Firewall provides inbound protection for non-HTTP/S protocols (for example, RDP, SSH, FTP), outbound network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S.
- Combining both provides additional layers of protection.
As computing environments move from customer-controlled datacenters to cloud datacenters, the responsibility for security also shifts. Security is now a concern shared by both cloud providers and customers.
Lesson 2 – Core Azure Identity services
Authentication and Authorization
Two fundamental concepts that need to be understood when talking about identity and access are authentication and authorization. They underpin everything else that happens and occur sequentially in any identity and access process:
- Authentication is the process of establishing the identity of a person or service looking to access a resource.
- It involves the act of challenging a party for legitimate credentials, and provides the basis for creating a security principal for identity and access control use.
- It establishes if they are who they say they are.
- Authorization is the process of establishing what level of access an authenticated person or service has.
- It specifies what data they’re allowed to access and what they can do with it.
- Note: Authentication is sometimes shortened to AuthN, and authorization is sometimes shortened to AuthZ.
Azure Active Directory
Azure Active Directory (Azure AD) is a Microsoft cloud-based identity and access management service.
Azure AD helps employees of an organization sign in and access resources:
- External resources might include Microsoft Office 365, the Azure portal, and thousands of other software as a service (SaaS) applications.
- Internal resources might include apps on your corporate network and intranet, along with any cloud apps developed by your own organization.
Azure AD provides services such as:
- Authentication. This includes verifying identity to access applications and resources, and providing functionality such as self-service password reset, multi-factor authentication (MFA), a custom banned password list, and smart lockout services.
- Single-Sign-On (SSO). SSO enables users to remember only one ID and one password to access multiple applications. A single identity is tied to a user, simplifying the security model. As users change roles or leave an organization, access modifications are tied to that identity, greatly reducing the effort needed to change or disable accounts.
- Application management. You can manage your cloud and on-premises apps using Azure AD Application Proxy, SSO, the My apps portal (also referred to as Access panel), and SaaS apps.
- Business-to-business (B2B) identity services. Manage your guest users and external partners while maintaining control over your own corporate data.
- Business-to-consumer (B2C) identity services. Customize and control how users sign up, sign in, and manage their profiles when using your apps.
- Device Management. Manage how your cloud or on-premises devices access your corporate data.
Azure AD is intended for:
- IT administrators. Administrators can use Azure AD to control access to apps and their resources, based on your business requirements.
- App developers. Developers can use Azure AD to provide a standards-based approach for adding functionality to applications that you build, such as adding Single-Sign-On functionality to an app, or allowing an app to work with a user’s pre-existing credentials and other functionality.
- Microsoft 365, Microsoft Office 365, Azure, or Microsoft Dynamics CRM Online subscribers. These subscribers are already using Azure AD. Each Microsoft 365, Office 365, Azure, and Dynamics CRM Online tenant is automatically an Azure AD tenant. You can immediately start to manage access to your integrated cloud apps using Azure AD.
- Note: You can read more about Azure Active Directory on the Azure Active Directory webpage.
Azure Multi-Factor Authentication
Azure Multi-Factor Authentication (MFA) provides additional security for your identities by requiring two or more elements for full authentication. These elements fall into three categories:
- Something you know could be a password or the answer to a security question.
- Something you possess might be a mobile app that receives a notification, or a token-generating device.
- Something you are is typically some sort of biometric property, such as a fingerprint or face scan used on many mobile devices.
- Using MFA increases identity security by limiting the impact of credential exposure.
- To fully authenticate, an attacker who has a user’s password would also need to have possession of their phone or their fingerprint, for example.
- With MFA enforced, a single factor is insufficient, so an attacker who holds only the password cannot use those credentials to authenticate.
- MFA should be enabled wherever possible as MFA adds enormous benefits to security.
MFA comes as part of the following Azure service offerings:
- Azure Active Directory Premium licenses. These licenses provide full-featured use of Azure Multi-Factor Authentication Service (cloud) or Azure Multi-Factor Authentication Server (on-premises).
- Multi-Factor Authentication for Office 365. A subset of Azure Multi-Factor Authentication capabilities are available as a part of your Office 365 subscription.
- Azure Active Directory global administrators. Because global administrator accounts are highly sensitive, a subset of Azure Multi-Factor Authentication capabilities are available as a means to protect these accounts.
- Note: You can read more about MFA at How it works: Azure Multi-Factor Authentication .
Lesson 3 – Security tools and features
Azure Security Center
Azure Security Center is a monitoring service that provides threat protection across all of your services both in Azure, and on-premises. Security Center can:
- Provide security recommendations based on your configurations, resources, and networks.
- Monitor security settings across on-premises and cloud workloads, and automatically apply required security to new services as they come online.
- Continuously monitor all your services, and perform automatic security assessments to identify potential vulnerabilities before they can be exploited.
- Use machine learning to detect and block malware from being installed on your virtual machines and services. You can also define a list of allowed applications to ensure that only the apps you validate are allowed to execute.
- Analyze and identify potential inbound attacks, and help to investigate threats and any post-breach activity that might have occurred.
- Provide just-in-time access control for ports, reducing your attack surface by ensuring the network only allows traffic that you require.
Azure Security Center is part of the Center for Internet Security (CIS) recommendations.
Azure Security Center Versions
Azure Security Center is available in two tiers:
- Free. Available as part of your Azure subscription, this tier is limited to assessments and recommendations of Azure resources only.
- Standard. This tier provides a full suite of security-related services including continuous monitoring, threat detection, just-in-time access control for ports, and more.
To access the full suite of Azure Security Center services you will need to upgrade to a Standard tier subscription. You can access the 30-day free trial from within the Azure Security Center dashboard in the Azure Portal.
- To upgrade a subscription to the Standard tier, you must be assigned the role of Subscription Owner, Subscription Contributor, or Security Admin.
- After the 30-day trial period is over, Azure Security Center is priced as per details on the Security Center pricing page.
- Note: You can read more about Azure Security Center at Azure Security Center.
Azure Security Center usage scenarios
You can integrate Security Center into your workflows and use it in many ways. Here are two examples.
1. Use Security Center for incident response. Many organizations learn how to respond to security incidents only after suffering an attack. To reduce costs and damage, it’s important to have an incident response plan in place before an attack occurs. You can use Azure Security Center in different stages of an incident response.
- You can use Security Center during the detect, assess, and diagnose stages. Here are examples of how Security Center can be useful during the three initial incident response stages:
- Detect. Review the first indication of an event investigation. Example: Use the Security Center dashboard to review the initial verification that a high-priority security alert was raised.
- Assess. Perform the initial assessment to obtain more information about the suspicious activity. Example: Obtain more information about the security alert.
- Diagnose. Conduct a technical investigation and identify containment, mitigation, and workaround strategies. Example: Follow the remediation steps described by Security Center in that particular security alert.
2. Use Security Center recommendations to enhance security.
- You can reduce the chances of a significant security event by configuring a security policy, and then implementing the recommendations provided by Azure Security Center.
- A security policy defines the set of controls that are recommended for resources within that specified subscription or resource group.
- In Security Center, you define policies according to your company’s security requirements.
- Security Center analyzes the security state of your Azure resources. When Security Center identifies potential security vulnerabilities, it creates recommendations based on the controls set in the security policy.
- The recommendations guide you through the process of configuring the needed security controls.
- For example, if you have workloads that do not require the Azure SQL Database Transparent Data Encryption (TDE) policy, turn off the policy at the subscription level and enable it only in the resources groups where SQL TDE is required.
Note: You can read more about Azure Security Center at Azure Security Center. More implementation and scenario detail is also available in the Azure Security Center planning and operations guide
Azure Key Vault
- Azure Key Vault is a centralized cloud service for storing your applications’ secrets.
- Key Vault helps you control your applications’ secrets by keeping them in a single, central location and by providing secure access, permissions control, and access logging capabilities.
- Secrets management. You can use Key Vault to securely store and tightly control access to tokens, passwords, certificates, Application Programming Interface (API) keys, and other secrets.
- Key management. You also can use Key Vault as a key management solution. Key Vault makes it easier to create and control the encryption keys used to encrypt your data.
- Certificate management. Key Vault lets you provision, manage, and deploy your public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for your Azure, and internally connected, resources more easily.
- Store secrets backed by hardware security modules (HSMs). The secrets and keys can be protected either by software, or by FIPS 140-2 Level 2 validated HSMs.
Key Vault benefits
The benefits of using Key Vault include:
- Centralized application secrets. Centralizing storage for application secrets allows you to control their distribution, and reduces the chances that secrets may be accidentally leaked.
- Securely stored secrets and keys. Azure uses industry-standard algorithms, key lengths, and HSMs, and access requires proper authentication and authorization.
- Monitor access and use. Using Key Vault, you can monitor and control access to company secrets.
- Simplified administration of application secrets. Key Vault makes it easier to enroll and renew certificates from public Certificate Authorities (CAs). You can also scale up and replicate content within regions, and use standard certificate management tools.
- Integrate with other Azure services. You can integrate Key Vault with storage accounts, container registries, event hubs and many more Azure services.
- Note: You can read more about Key Vault on the Key Vault webpage.
Azure Information Protection (AIP)
- Microsoft Azure Information Protection (MSIP) is a cloud-based solution that helps organizations classify and (optionally) protect their documents and emails by applying labels.
- Labels can be applied automatically (by administrators who define rules and conditions), manually (by users), or with a combination of both (where users are guided by recommendations).
- The following screen capture is an example of MSIP in action on a user’s computer.
- In this example, the administrator has configured a label with rules that detect sensitive data.
- When a user saves a Microsoft Word document containing a credit card number, a custom tooltip is displayed.
- The tooltip recommends labeling the file as Confidential/ All Employees, which is a label that the administrator has configured.
- This label classifies the document and protects it.
- After your content is classified (and optionally protected), you can then track and control how the content is used.
- For example, you can analyze data flows to gain insight into your business; detect risky behaviors and take corrective measures; track access to documents; and prevent data leakage or misuse.
Note: You can purchase MSIP either as a standalone solution, or through one of the following Microsoft licensing suites: Enterprise Mobility + Security, or Microsoft 365 Enterprise. Purchasing details are available on the Azure Information Protection pricing webpage.
Note: You can read more about MSIP on the What is Azure Information Protection? webpage.
Azure Advanced Threat Protection (ATP)
- Azure Advanced Threat Protection (Azure ATP) is a cloud-based security solution that identifies, detects, and helps you investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
- Azure ATP is capable of detecting known malicious attacks and techniques, security issues, and risks against your network.
Azure ATP components
Azure ATP consists of the following components:
- Azure ATP portal.
- Azure ATP has its own portal, through which you can monitor and respond to suspicious activity.
- The Azure ATP portal allows you to create your Azure ATP instance, and view the data received from Azure ATP sensors.
- You can also use the portal to monitor, manage, and investigate threats in your network environment.
- You can sign in to the Azure ATP portal at https://portal.atp.azure.com. You must sign in with a user account that is assigned to an Azure AD security group which has access to the Azure ATP portal.
- Azure ATP sensor.
- Azure ATP sensors are installed directly on your domain controllers.
- The sensor monitors domain controller traffic without requiring a dedicated server, or configuring port mirroring.
- Azure ATP cloud service.
- Azure ATP cloud service runs on Azure infrastructure and is currently deployed in the United States, Europe, and Asia.
- Azure ATP cloud service is connected to Microsoft’s intelligent security graph.
Azure ATP is available as part of the Enterprise Mobility + Security 5 suite (EMS E5), and as a standalone license. You can acquire a license directly from the Enterprise Mobility + Security Pricing Options page, or through the Cloud Solution Provider (CSP) licensing model. It is not available to purchase via the Azure portal.
Note: You can read more about Azure Advanced Threat Protection on the Azure Advanced Threat Protection webpage.
Lesson 4 – Azure governance methodologies
Azure Policy
- Azure Policy is a service in Azure that you use to create, assign, and manage policies.
- These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service-level agreements (SLAs).
- Azure Policy does this by using policies and initiatives.
- It runs evaluations of your resources and scans for those not compliant with the policies you have created.
- For example, you can have a policy to allow only a certain stock keeping unit (SKU) size of virtual machines (VMs) in your environment.
- Once you implement this policy, it will evaluate resources when you create new ones or update existing ones.
- It will also evaluate your existing resources.
- Azure Policy comes with a number of built-in policy and initiative definitions that you can use, under categories such as Storage, Networking, Compute, Security Center, and Monitoring.
- Azure Policy can also integrate with Azure DevOps, applying policies to the pre-deployment and post-deployment phases of your continuous integration and delivery pipelines.
- Azure Policy also has the ability to automatically remediate resources and configurations that are deemed non-compliant, thus ensuring the integrity of the state of the resources.
- Note: You can read more about Azure Policy on the Azure Policy webpage.
- The journey of creating and implementing a policy in Azure Policy begins with creating a policy definition.
- Every policy definition has conditions under which it is enforced.
- And, it has an accompanying effect that takes place if the conditions are met.
The process of applying a policy to your resources consists of the following steps:
- Create a policy definition.
- Assign a definition to a scope of resources.
- View policy evaluation results.
- A policy definition expresses what to evaluate and what action to take.
- For example, you could prevent VMs from being deployed if they are exposed to a public IP address.
- You also could prevent a particular hard disk from being used when deploying VMs to control costs.
The following list contains example policy definitions:
- Allowed Storage Account SKUs.
- This policy definition has a set of conditions/rules that determine whether a storage account that is being deployed is within a set of SKU sizes. Its effect is to deny all storage accounts that do not adhere to the set of defined SKU sizes.
- Allowed Resource Type.
- This policy definition has a set of conditions/rules to specify the resource types that your organization can deploy. Its effect is to deny all resources that are not part of this defined list.
- Allowed Locations.
- This policy enables you to restrict the locations that your organization can specify when deploying resources. Its effect is used to enforce your geographic compliance requirements.
- Allowed Virtual Machine SKUs.
- This policy enables you to specify a set of VM SKUs that your organization can deploy.
A list of sample policies is available on the Azure Policy Samples page.
- To implement these policy definitions, whether custom or built-in, you will need to assign them.
- A policy assignment is a policy definition that has been assigned to take place within a specific scope.
- This scope could range from a management group to a resource group.
- Policy assignments are inherited by all child resources.
- This means that if a policy is applied to a resource group, it is applied to all the resources within that resource group.
- However, you can exclude a subscope from the policy assignment.
- Initiatives work alongside policies in Azure Policy.
- An initiative definition is a set of policy definitions to help track your compliance state for a larger goal.
- Even if you have a single policy, we recommend using initiatives if you anticipate increasing the number of policies over time.
- Like a policy assignment, an initiative assignment is an initiative definition assigned to a specific scope.
- Initiative assignments reduce the need to make several initiative definitions for each scope.
- This scope could also range from a management group to a resource group.
Initiatives can be assigned just as policies can.
- Initiative definitions simplify the process of managing and assigning policy definitions by grouping a set of policies as one single item.
- For example, you could create an initiative named Enable Monitoring in Azure Security Center, with a goal to monitor all the available security recommendations in your Azure Security Center.
Under this initiative, you would have the following policy definitions:
- Monitor unencrypted SQL Database in Security Center – For monitoring unencrypted SQL databases and servers.
- Monitor OS vulnerabilities in Security Center – For monitoring servers that do not satisfy the configured baseline.
- Monitor missing Endpoint Protection in Security Center – For monitoring servers without an installed endpoint protection agent.
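To make the policy and initiative concepts above concrete, here is an added example (not Microsoft's code, and not an Azure SDK) that evaluates three definitions of the kinds listed earlier (Allowed Locations, Allowed Storage Account SKUs, and a required-tag rule) against constructed resources, grouped as one initiative. The definitions use the real Azure Policy JSON shape (`properties.policyRule` with `if`/`then`, `field`, `in`, `equals`, `exists`, `effect`); the evaluator itself is a simplification that supports only `not`, `allOf`, `anyOf` and those field conditions, and it resolves a property alias such as `Microsoft.Storage/storageAccounts/sku.name` by walking the resource body. The allowed locations, SKUs and resource records are constructed sample values.

```python
"""Minimal evaluator for Azure Policy definitions (added example, not Microsoft code).

Real Azure Policy JSON shape for the definitions; simplified evaluation logic
(see the lead-in). Resources, locations and SKUs are constructed samples.
"""

ALLOWED_LOCATIONS = {"name": "allowed-locations", "properties": {"policyRule": {
    "if": {"not": {"field": "location", "in": ["westeurope", "northeurope"]}},
    "then": {"effect": "deny"}}}}

ALLOWED_STORAGE_SKUS = {"name": "allowed-storage-skus", "properties": {"policyRule": {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"not": {"field": "Microsoft.Storage/storageAccounts/sku.name",
                 "in": ["Standard_LRS", "Standard_GRS"]}}]},
    "then": {"effect": "deny"}}}}

REQUIRE_ENVIRONMENT_TAG = {"name": "require-environment-tag", "properties": {"policyRule": {
    "if": {"field": "tags['Environment']", "exists": "false"},
    "then": {"effect": "deny"}}}}

# An initiative groups policy definitions so they are assigned and tracked as one item.
GOVERNANCE_INITIATIVE = [ALLOWED_LOCATIONS, ALLOWED_STORAGE_SKUS, REQUIRE_ENVIRONMENT_TAG]

# Constructed resources as they might look at deployment time.
SAMPLE_RESOURCES = [
    {"name": "stprodweu", "type": "Microsoft.Storage/storageAccounts",
     "location": "westeurope", "sku": {"name": "Standard_LRS"},
     "tags": {"Environment": "Production"}},
    {"name": "stdevus", "type": "Microsoft.Storage/storageAccounts",
     "location": "eastus", "sku": {"name": "Premium_LRS"}, "tags": {}},
    {"name": "vm-web-01", "type": "Microsoft.Compute/virtualMachines",
     "location": "northeurope", "tags": {"Environment": "Dev"}},
]


def _norm(value):
    """Azure Policy compares strings case-insensitively; mimic that."""
    return value.lower() if isinstance(value, str) else value


def get_field(resource, field):
    """Resolve a policy 'field' against a resource body (simplified alias handling)."""
    if field.startswith("tags["):                       # tags['Environment']
        key = field[len("tags['"):-len("']")]
        return resource.get("tags", {}).get(key)
    if field in ("name", "type", "location"):
        return resource.get(field)
    rtype = resource.get("type", "")                    # alias: <type>/<dotted.path>
    if not field.lower().startswith(rtype.lower() + "/"):
        return None
    node = resource
    for part in field[len(rtype) + 1:].split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def evaluate_condition(cond, resource):
    """Evaluate one 'if' block: logical operators first, then field conditions."""
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    value = _norm(get_field(resource, cond["field"]))
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return value == _norm(cond["equals"])
    if "in" in cond:
        return value in [_norm(v) for v in cond["in"]]
    if "notIn" in cond:
        return value not in [_norm(v) for v in cond["notIn"]]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate_policy(policy, resource):
    """Return the policy's effect (e.g. 'deny') when its rule matches, else None."""
    rule = policy["properties"]["policyRule"]
    return rule["then"]["effect"].lower() if evaluate_condition(rule["if"], resource) else None


def evaluate_initiative(initiative, resource):
    """Per-policy compliance report for one resource."""
    return {p["name"]: evaluate_policy(p, resource) or "compliant" for p in initiative}


def is_deployment_allowed(initiative, resource):
    """A deployment is rejected if any assigned policy with effect 'deny' matches."""
    return "deny" not in evaluate_initiative(initiative, resource).values()
```

Running `evaluate_initiative(GOVERNANCE_INITIATIVE, r)` for each sample resource shows the first storage account and the VM as compliant with every policy, while `stdevus` is denied three times over: wrong region, disallowed SKU, and no Environment tag. Because the initiative is evaluated as one unit, a single compliance report covers the larger goal rather than three separate assignments.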
Role-Based Access Control (RBAC)
A security principal is an object that represents a user, group, service principal, or managed identity that is requesting access to Azure resources.
- User – An individual who has a profile in Azure Active Directory. You can also assign roles to users in other tenants. For information about users in other organizations, see Azure Active Directory B2B.
- Group – A set of users created in Azure Active Directory. When you assign a role to a group, all users within that group have that role.
- Service principal – A security identity used by applications or services to access specific Azure resources. You can think of it as a user identity (username and password or certificate) for an application.
- Managed identity – An identity in Azure Active Directory that is automatically managed by Azure. You typically use managed identities when developing cloud applications to manage the credentials for authenticating to Azure services.
A role definition is a collection of permissions. It’s sometimes just called a role. A role definition lists the operations that can be performed, such as read, write, and delete. Roles can be high-level, like owner, or specific, like virtual machine reader.
Scope is the set of resources that the access applies to. When you assign a role, you can further limit the actions allowed by defining a scope.
A role assignment is the process of attaching a role definition to a user, group, service principal, or managed identity at a particular scope for the purpose of granting access. Access is granted by creating a role assignment, and access is revoked by removing a role assignment.
Role-based access control (RBAC) provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs. RBAC is provided at no additional cost to all Azure subscribers.
Examples of when you might use RBAC include when you want to:
- Allow one user to manage VMs in a subscription, and another user to manage virtual networks.
- Allow a database administrator (DBA) group to manage SQL databases in a subscription.
- Allow a user to manage all resources in a resource group, such as VMs, websites, and subnets.
- Allow an application to access all resources in a resource group.
- To view access permissions, access the Access Control (IAM) blade in the Azure portal.
- On this blade, you can see who has access to an area and their role.
- Using this same blade, you can also grant or remove access.
- In an example Access Control (IAM) blade for a resource group, Alain Charon has been assigned the Backup Operator role for that resource group.
RBAC uses an allow model.
This means that when you are assigned a role, RBAC allows you to perform certain actions, such as read, write, or delete.
Therefore, if one role assignment grants you read permissions to a resource group, and a different role assignment grants you write permissions to the same resource group, you will have write permissions on that resource group.
The following list details RBAC best practices:
- Using RBAC, segregate duties within your team and grant only the amount of access to users that they need to perform their jobs.
- Instead of giving everybody unrestricted permissions in your Azure subscription or resources, allow only certain actions at a particular scope.
- When planning your access control strategy, grant users the lowest privilege level that they need to do their work.
- Note: You can read more about RBAC at What is role-based access control (RBAC)?
- Locks help you prevent accidental deletion or modification of your Azure resources.
- You can manage these locks from within the Azure portal.
- To view, add, or delete locks, go to the SETTINGS section of any resource’s settings blade.
- You may need to lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources.
You can set the lock level to CanNotDelete or ReadOnly:
- CanNotDelete means authorized users can still read and modify a resource, but they can’t delete the resource.
- ReadOnly means authorized users can read a resource, but they can’t delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.
In the Azure portal, the locks are called Delete and Read-only respectively.
Note: You can read more about Locks at Lock resources to prevent unexpected changes.
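The following added example (not Azure's authorization code) models the two points made above: the RBAC allow model, in which permissions from several role assignments are additive and an assignment at a parent scope applies to every child scope, and resource locks, which restrict even principals whose role would otherwise allow the action. Role definitions use the shape of Azure's built-in roles (`Actions` and `NotActions` with `*` wildcards); scopes are hierarchical resource IDs; the `CanNotDelete` and `ReadOnly` levels follow the lock semantics described in the notes, and, as in Azure, a lock on a parent scope also covers the resources under it. The subscription ID, principals, assignments and lock placement are constructed samples.

```python
"""RBAC allow model plus resource locks (added example, not Azure's authorization code).

Built-in role shapes, hierarchical scope IDs, additive assignments and
CanNotDelete / ReadOnly locks, with all identifiers constructed for the example.
"""
from fnmatch import fnmatchcase

ROLES = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Contributor": {"Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/*/Write"]},
    "Virtual Machine Contributor": {
        "Actions": ["Microsoft.Compute/virtualMachines/*",
                    "Microsoft.Resources/subscriptions/resourceGroups/read"],
        "NotActions": []},
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # constructed
RG = f"{SUB}/resourceGroups/rg-prod"
VM = f"{RG}/providers/Microsoft.Compute/virtualMachines/vm-web-01"
VNET = f"{RG}/providers/Microsoft.Network/virtualNetworks/vnet-prod"

ASSIGNMENTS = [                       # (principal, role, scope)
    ("alice", "Reader", SUB),
    ("alice", "Virtual Machine Contributor", RG),
    ("bob", "Contributor", RG),
]
LOCKS = [("CanNotDelete", VM)]        # (level, scope)


def scope_covers(assigned_scope, target_scope):
    """A scope covers itself and every descendant in the resource-ID hierarchy."""
    a, t = assigned_scope.lower(), target_scope.lower()
    return t == a or t.startswith(a + "/")


def _matches(patterns, operation):
    return any(fnmatchcase(operation.lower(), p.lower()) for p in patterns)


def role_allows(role_name, operation):
    """An operation is granted by a role when Actions match it and NotActions do not."""
    role = ROLES[role_name]
    return _matches(role["Actions"], operation) and not _matches(role["NotActions"], operation)


def rbac_allows(principal, operation, scope, assignments=ASSIGNMENTS):
    """Allow model: permissions are additive, so one matching assignment is enough."""
    return any(p == principal and scope_covers(s, scope) and role_allows(r, operation)
               for p, r, s in assignments)


def lock_blocks(operation, scope, locks=LOCKS):
    """Locks restrict even principals whose role allows the operation."""
    op = operation.lower()
    for level, lock_scope in locks:
        if not scope_covers(lock_scope, scope):
            continue
        if level == "ReadOnly" and not op.endswith("/read"):
            return True
        if level == "CanNotDelete" and op.endswith("/delete"):
            return True
    return False


def is_allowed(principal, operation, scope):
    """Final decision: RBAC must grant the operation and no lock may block it."""
    return rbac_allows(principal, operation, scope) and not lock_blocks(operation, scope)
```

With these samples, `alice` can write to the VM (through the resource-group assignment) and read the virtual network (through the subscription-level Reader assignment), but not write to the network: nothing grants it, and RBAC has no deny to combine. `bob` is a Contributor on the resource group, so RBAC grants the delete on the VM, yet `is_allowed` returns False because the `CanNotDelete` lock on that VM takes precedence; his Contributor role also cannot create role assignments, which is what the `NotActions` entries exclude.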
Azure Advisor security assistance
- As discussed earlier in the course, Azure Advisor is a free service built into Azure that provides recommendations on high availability, security, performance, and cost.
- Advisor analyzes your deployed services and looks for ways to improve your environment across those four areas.
Azure Advisor and Azure Security Center
- Azure Advisor provides security recommendations by integrating with Azure Security Center.
- You can view the security recommendations on the Security tab of the Advisor dashboard.
- You can then click deeper into the Security Center recommendations.
- Azure Blueprints enable cloud architects to define a repeatable set of Azure resources that implement and adhere to an organization’s standards, patterns, and requirements.
- Azure Blueprint enables development teams to rapidly build and deploy new environments with the knowledge that they’re building within organizational compliance with a set of built-in components that speed up development and delivery.
- Azure Blueprint is a declarative way to orchestrate the deployment of various resource templates and other artifacts, such as:
- Role assignments
- Policy assignments
- Azure Resource Manager templates
- Resource groups
The process of implementing Azure Blueprint consists of the following high-level steps:
- Create an Azure Blueprint.
- Assign the blueprint.
- Track the blueprint assignments.
- With Azure Blueprint, the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved.
- This connection supports improved deployment tracking and auditing.
- Azure Blueprints are different from Azure Resource Manager Templates.
- When Azure Resource Manager Templates deploy resources, they have no active relationship with the deployed resources (they exist in a local environment or in source control).
- By contrast, with Azure Blueprint, each deployment is tied to an Azure Blueprint package.
- This means that the relationship with resources will be maintained, even after deployment.
- Maintaining relationships, in this way, improves auditing and tracking capabilities.
- Adhering to security or compliance requirements, whether government or industry requirements, can be difficult and time-consuming.
- To help you with auditing, traceability, and compliance with your deployments, use Azure Blueprint artifacts and tools.
- Time-consuming paperwork is no longer needed, and your path to certification is expedited.
- Azure Blueprints are also useful in Azure DevOps scenarios, where blueprints are associated with specific build artifacts and release pipelines and can be tracked more rigorously.
NOTE: At the time of writing, Azure Blueprint is in preview and has not been released generally.
Note: You can read more about Azure Blueprints at Azure Blueprints.
We will discuss and define subscriptions in more detail later in the course; however, we briefly mention them here in the context of governance.
There are three main aspects to consider when creating and managing subscriptions: billing, access control, and subscription limits.
- Billing:
- Reports can be generated per subscription. If you have multiple internal departments and need to do “chargeback”, one option is to create subscriptions by department or project.
- Access Control:
- A subscription is a deployment boundary for Azure resources. Every subscription is associated with an Azure AD tenant, which gives administrators the ability to set up role-based access control (RBAC).
- When designing a subscription model, consider this deployment-boundary factor: some customers have separate subscriptions for development and production, each completely isolated from the other from a resource perspective and managed using RBAC.
- Subscription Limits:
- Subscriptions are also bound to some hard limitations.
- For example, the maximum number of Express Route circuits per subscription is 10.
- Those limits should be considered during the design phase; if a particular scenario needs to exceed them, additional subscriptions may be required.
- If you hit a hard limit, there is no flexibility.
Also available to assist with managing subscriptions are management groups, which manage access, policies, and compliance across multiple Azure subscriptions.
Note: For more information about subscription limits, refer to Azure subscription and service limits, quotas, and constraints.
Lesson 5 – Monitoring and Reporting in Azure
- You apply tags to your Azure resources to give them metadata that logically organizes them into a taxonomy.
- Each tag consists of a name and a value pair.
- For example, you can apply the name Environment and the value Production to all the resources in production, or tag by company department, such as the name Department and the value IT.
- After you apply tags, you can retrieve all the resources in your subscription with that tag name and value.
- Tags enable you to retrieve related resources from different resource groups.
- This approach is helpful when you need to organize resources for billing or management.
There are some limitations with using Tags, such as:
- Not all resource types support tags. To determine if you can apply a tag to a resource type, see Tag support for Azure resources.
- Each resource or resource group can have a maximum of 15 tag name/value pairs. This limitation applies only to tags directly applied to the resource group or resource.
- A resource group can contain many resources that each have 15 tag name/value pairs.
- If you have more than 15 values that you need to associate with a resource, use a JSON string for the tag value.
- The JSON string can contain many values that are applied to a single tag name.
- The tag name is limited to 512 characters, and the tag value is limited to 256 characters.
- For storage accounts, the tag name is limited to 128 characters, and the tag value is limited to 256 characters.
- Virtual Machines and Virtual Machine Scale Sets are limited to a total of 2048 characters for all tag names and values.
- Tags applied to the resource group are not inherited by the resources in that resource group.
- Tags can’t be applied to classic resources such as Cloud Services.
Note: You can use Azure Policy to enforce tagging values and rules on resources.
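The tag limits and the JSON-string workaround above are easy to get wrong, so here is an added example (not Azure code) that checks a tag set against the limits the notes state (15 name/value pairs per resource or resource group, 512-character names, 128 on storage accounts, 256-character values), packs many values into one JSON-valued tag as the notes suggest, and retrieves resources by tag across resource groups without assuming inheritance from the resource group. The function names, the subscription ID and the resource inventory are constructed for the example.

```python
"""Tag validation, JSON-packed values and tag lookup (added example, not Azure code).

Limits are the ones stated in the notes; resource IDs and tag values are
constructed samples.
"""
import json

MAX_TAGS_PER_RESOURCE = 15
MAX_NAME_LEN = 512
MAX_NAME_LEN_STORAGE = 128
MAX_VALUE_LEN = 256
STORAGE_ACCOUNT_TYPE = "Microsoft.Storage/storageAccounts"


def validate_tags(resource_type, tags):
    """Return a list of limit violations; an empty list means the tag set is valid."""
    problems = []
    if len(tags) > MAX_TAGS_PER_RESOURCE:
        problems.append(f"{len(tags)} tags exceed the limit of {MAX_TAGS_PER_RESOURCE}")
    name_limit = (MAX_NAME_LEN_STORAGE if resource_type.lower() == STORAGE_ACCOUNT_TYPE.lower()
                  else MAX_NAME_LEN)
    for name, value in tags.items():
        if len(name) > name_limit:
            problems.append(f"tag name {name[:16]!r}... exceeds {name_limit} characters")
        if len(value) > MAX_VALUE_LEN:
            problems.append(f"value of tag {name!r} exceeds {MAX_VALUE_LEN} characters")
    return problems


def pack_tag_values(name, values):
    """Fold many values into one tag whose value is a JSON array string."""
    packed = json.dumps(sorted(values), separators=(",", ":"))
    if len(packed) > MAX_VALUE_LEN:
        raise ValueError("packed value exceeds 256 characters; split across several tags")
    return {name: packed}


def tag_values(tags, name):
    """Values carried by a tag, decoding a JSON-array value when present."""
    raw = tags.get(name)
    if raw is None:
        return set()
    try:
        decoded = json.loads(raw)
    except ValueError:              # plain string value, not JSON
        decoded = None
    return {str(v) for v in decoded} if isinstance(decoded, list) else {raw}


def find_by_tag(resources, name, value):
    """IDs of resources (in any resource group) whose own tags carry name=value."""
    return [r["id"] for r in resources if value in tag_values(r.get("tags", {}), name)]


# Constructed inventory: a tagged resource group, a tagged and an untagged VM in it,
# and a storage account in another group with a JSON-packed tag value.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RESOURCES = [
    {"id": f"{SUB}/resourceGroups/rg-a", "type": "Microsoft.Resources/resourceGroups",
     "tags": {"Environment": "Production"}},
    {"id": f"{SUB}/resourceGroups/rg-a/providers/Microsoft.Compute/virtualMachines/vm-1",
     "type": "Microsoft.Compute/virtualMachines",
     "tags": {"Environment": "Production", "Department": "IT"}},
    {"id": f"{SUB}/resourceGroups/rg-a/providers/Microsoft.Compute/virtualMachines/vm-2",
     "type": "Microsoft.Compute/virtualMachines", "tags": {}},
    {"id": f"{SUB}/resourceGroups/rg-b/providers/{STORAGE_ACCOUNT_TYPE}/stshared",
     "type": STORAGE_ACCOUNT_TYPE,
     "tags": pack_tag_values("Departments", ["IT", "Finance", "HR"])},
]
```

Querying `find_by_tag(RESOURCES, "Environment", "Production")` returns the resource group and `vm-1` but not `vm-2`: the group's tag is not inherited by the resources inside it, which is why tagging policies are usually enforced at the resource level. Querying `Departments` for `Finance` finds the storage account through the packed JSON value.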
Azure Monitor maximizes the availability and performance of your applications by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on.
What data does Azure Monitor collect?
Azure Monitor can collect data from a variety of sources.
You can think of monitoring data for your applications in tiers ranging from your application, any operating system and services it relies on, down to the platform itself. Azure Monitor collects data from each of the following tiers:
- Application monitoring data:
- Data about the performance and functionality of the code you have written, regardless of its platform.
- Guest OS monitoring data:
- Data about the operating system on which your application is running. This could be running in Azure, another cloud, or on-premises.
- Azure resource monitoring data:
- Data about the operation of an Azure resource.
- Azure subscription monitoring data:
- Data about the operation and management of an Azure subscription, as well as data about the health and operation of Azure itself.
- Azure tenant monitoring data:
- Data about the operation of tenant-level Azure services, such as Azure Active Directory.
As soon as you create an Azure subscription and start adding resources such as virtual machines and web apps, Azure Monitor starts collecting data.
- Activity Logs record when resources are created or modified.
- Metrics tell you how the resource is performing and the resources that it’s consuming.
You can extend the data you’re collecting into the actual operation of the resources by enabling diagnostics and adding an agent to compute resources. Under the resource settings you can enable Diagnostics:
- Enable guest-level monitoring
- Performance counters: collect performance data
- Event Logs: enable various event logs
- Crash Dumps: enable or disable
- Sinks: send your diagnostic data to other services for more analysis
- Agent: configure agent settings
- Note: You can read more about Azure Monitor on the Azure Monitor page.
Azure Service Health
Azure Service Health is a suite of experiences that provide personalized guidance and support when issues with Azure services affect you.
It can notify you, help you understand the impact of issues, and keep you updated as the issue is resolved.
Azure Service Health can also help you prepare for planned maintenance and changes that could affect the availability of your resources.
Azure Service Health is composed of the following:
- Azure Status
- provides a global view of the health state of Azure services.
- With Azure Status, you can get up-to-the-minute information on service availability.
- Everyone has access to Azure Status and can view all services that report their health state.
- Service Health
- provides you with a customizable dashboard that tracks the state of your Azure services in the regions where you use them.
- In this dashboard, you can track active events such as ongoing service issues, upcoming planned maintenance, or relevant Health advisories.
- When events become inactive, they are placed in your Health history for up to 90 days.
- Finally, you can use the Service Health dashboard to create and manage service Health alerts, which notify you whenever there are service issues that affect you.
- Resource Health
- helps you diagnose and obtain support when an Azure service issue affects your resources.
- It provides you with details about the current and past state of your resources.
- It also provides technical support to help you mitigate problems.
- In contrast to Azure Status, which informs you about service problems that affect a broad set of Azure customers, Resource Health gives you a personalized dashboard of your resources’ health.
- Resource Health shows you times, in the past, when your resources were unavailable because of Azure service problems.
- It’s then easier for you to understand if an SLA was violated.
Together, the Azure Service Health components provide you with a comprehensive view of the health status of Azure, at the level of granularity that is most relevant to you.
Note: You can read more about Azure Service Health on the Azure Service Health webpage.
Monitoring Applications and Services
- Data monitoring is only useful if it improves your visibility of the operations in your computing environment.
- Azure Monitor includes several features and tools that provide valuable insights into your applications, and the other resources they may depend on.
- Monitoring solutions and features, such as Application Insights and Container Insights, provide you with a deeper look into different aspects of your application and Azure services.
- Azure Monitor features can be organized into four categories: Analyze, Respond, Visualize, and Integrate.
- Application Insights
- is a service that monitors the availability, performance, and usage of your web applications, whether they’re hosted in the cloud or on-premises.
- It leverages the powerful data analysis platform in Log Analytics to provide you with deeper insights into your application’s operations.
- Application Insights can diagnose errors, without waiting for a user to report them.
- Application Insights includes connection points to a variety of development tools, and integrates with Microsoft Visual Studio to support your DevOps processes.
- Azure Monitor for containers
- is a service that is designed to monitor the performance of container workloads, which are deployed to managed Kubernetes clusters hosted on Azure Kubernetes Service (AKS).
- It gives you performance visibility by collecting memory and processor metrics from controllers, nodes, and containers, which are available in Kubernetes through the metrics API.
- Container logs are also collected.
- Azure Monitor for VMs
- is a service that monitors your Azure VMs at scale, by analyzing the performance and health of your Windows and Linux VMs (including their different processes and interconnected dependencies on other resources, and external processes).
- Azure Monitor for VMs includes support for monitoring performance and application dependencies for VMs hosted on-premises, and for VMs hosted with other cloud providers.
- Integrating any, or all, of these monitoring services with Azure Service Health has additional benefits.
- Staying informed of the health status of Azure services will help you understand if, and when, an issue affecting an Azure service is impacting your environment.
- What may seem like a localized problem could be the result of a more widespread issue, and Azure Service Health provides this kind of insight.
- Azure Service Health identifies any issues with Azure services that might affect your application. Azure Service Health also helps you to plan for scheduled maintenance.
- In addition to allowing you to analyze your monitoring data interactively, an effective monitoring solution must respond proactively to any critical conditions that are identified within the data it collects.
- This might involve, for example, sending a text or email to an administrator who is responsible for investigating an issue, or launching an automated process that attempts to correct an error condition.
- Azure Monitor proactively notifies you of critical conditions using Alerts, and can potentially attempt to take corrective actions.
- Alert rules based on metrics can provide alerts in almost real-time, based on numeric values.
- Alert rules based on logs allow for complex logic across data, from multiple sources.
- Azure Monitor uses Autoscale to ensure that you have the right amount of resources running to manage the load on your application effectively.
- Autoscale enables you to create rules that use metrics, collected by Azure Monitor, to determine when to automatically add resources to handle increases in load.
- Autoscale can also help reduce your Azure costs by removing resources that are not being used.
- You can specify a minimum and maximum number of instances, and provide the logic that determines when Autoscale should increase or decrease resources.
- Visualizations, such as charts and tables, are effective tools for summarizing monitoring data and for presenting data to different audiences.
- Azure Monitor has its own features for visualizing monitoring data, and it leverages other Azure services for publishing data for different audiences.
- Other tools you may use for visualizing data, for particular audiences and scenarios, include:
- Power BI
- You’ll often need to integrate Azure Monitor with other systems, and build customized solutions that use your monitoring data.
- Other Azure services can work with Azure Monitor to provide this integration.
Lesson 6 – Privacy, Compliance and Data Protection standards in Azure
Compliance Terms and requirements
- When selecting a cloud provider to host your solutions, you should understand how that provider can help you comply with regulations and standards.
- Some questions to ask about a potential provider include:
- How compliant is the cloud provider when it comes to handling sensitive data?
- How compliant are the services offered by the cloud provider?
- How can I deploy my own cloud-based solutions to scenarios that have accreditation or compliance requirements?
- Microsoft invests heavily in the development of robust and innovative compliance processes.
- The Microsoft compliance framework for online services maps controls to multiple regulatory standards.
- This enables Microsoft to design and build services using a common set of controls, streamlining compliance across a range of regulations today and as they evolve in the future.
- Note: Microsoft provides the most comprehensive set of compliance offerings (including certifications and attestations) of any cloud service provider.
The following list provides details about some (but most definitely not all) of the compliance offerings available on Azure; it is not a full list, but it gives you an idea of the level of compliance offerings available with Azure:
- CSA STAR Certification.
- General Data Protection Regulation (GDPR).
- EU Model Clauses.
- ISO/IEC 27018.
- Multi-Tier Cloud Security (MTCS) Singapore.
- Service Organization Controls (SOC) 1, 2, and 3.
- National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
- UK Government G-Cloud.
- Note: You can view all the Microsoft compliance offerings on the Compliance Offerings webpage.
Microsoft Privacy Statement
- The Microsoft privacy statement explains what personal data Microsoft processes, how Microsoft processes it, and for what purposes.
- The statement applies to the interactions Microsoft has with you and Microsoft products such as Microsoft services, websites, apps, software, servers, and devices.
- It is intended to provide openness and honesty about how Microsoft deals with personal data in its products and services.
- Trust Center is a website resource containing information and details about how Microsoft implements and supports security, privacy, compliance, and transparency in all Microsoft cloud products and services.
- The Trust Center is an important part of the Microsoft Trusted Cloud Initiative, and provides support and resources for the legal and compliance community.
The Trust Center site provides:
- In-depth information about
- compliance offerings,
- features, and
- practices across Microsoft cloud products.
- Recommended resources in the form of a curated list of the most applicable and widely-used resources for each topic.
- Information specific to
- key organizational roles,
- including business managers,
- tenant admins or
- data security teams,
- risk assessment and privacy officers, and
- legal compliance teams.
- Cross-company document search, which is coming soon and will enable existing cloud service customers to search the Service Trust Portal.
- Direct guidance and support for when you can’t find what you’re looking for.
Service Trust Portal
- The Service Trust Portal (STP) hosts the Compliance Manager service, and is the Microsoft public site for publishing audit reports and other compliance-related information relevant to Microsoft’s cloud services.
- STP users can download audit reports produced by external auditors and gain insight from Microsoft-authored reports that provide details on how Microsoft builds and operates its cloud services.
- STP also includes information about how Microsoft online services can help your organization maintain and track compliance with standards, laws, and regulations, such as:
STP is a companion feature to the Trust Center, and allows you to:
- Access audit reports across Microsoft cloud services on a single page.
- Access compliance guides to help you understand how can you use Microsoft cloud service features to manage compliance with various regulations.
- Access trust documents to help you understand how Microsoft cloud services help protect your data.
Accessing the STP
To access some STP materials, you must sign in as an authenticated user with your Microsoft cloud services account (either an Azure AD organization account or a Microsoft account), and then review and accept the Microsoft Non-Disclosure Agreement for Compliance Materials.
Existing customers can access the STP at the Service Trust Portal webpage, with one of the following online subscriptions (trial or paid):
- Office 365
- Dynamics 365
Compliance Manager is a workflow-based risk assessment dashboard within the Trust Portal that enables you to track, assign, and verify your organization’s regulatory compliance activities related to Microsoft professional services and Microsoft cloud services such as Office 365, Dynamics 365, and Azure.
Compliance Manager provides the following features:
- Combines the following three items:
- Detailed information provided by Microsoft to auditors and regulators, as part of various third-party audits of Microsoft’s cloud services against various standards (for example, ISO 27001, ISO 27018, and NIST).
- Information that Microsoft compiles internally for its compliance with regulations (such as HIPAA and the EU GDPR).
- An organization’s self-assessment of their own compliance with these standards and regulations.
- Enables you to assign, track, and record compliance and assessment-related activities, which can help your organization cross team barriers to achieve your organization’s compliance goals.
- Provides a Compliance Score to help you track your progress and prioritize auditing controls that will help reduce your organization’s exposure to risk.
- Provides a secure repository in which to upload and manage evidence and other artifacts related to compliance activities.
- Produces richly detailed reports in Microsoft Excel that document the compliance activities performed by Microsoft and your organization, which can be provided to auditors, regulators, and other compliance stakeholders.
- Compliance Manager provides ongoing risk assessments, with a risk-based score reference displayed in a dashboard view for regulations and standards.
- Alternatively, you can create assessments for the regulations or standards that matter more to your organization.
- As part of the risk assessment, Compliance Manager also provides recommended actions you can take to improve your regulatory compliance.
- You can view all action items, or select the action items that correspond with a specific certification.
- Compliance Manager is a dashboard that provides a summary of your data protection and compliance stature, and recommendations to improve data protection and compliance.
- The Customer Actions provided in Compliance Manager are recommendations only; it is up to each organization to evaluate the effectiveness of these recommendations in their respective regulatory environment prior to implementation.
- Recommendations found in Compliance Manager should not be interpreted as a guarantee of compliance.
Azure Germany services
- Microsoft Azure Germany is built on the Microsoft trusted cloud principles of security, privacy, compliance, and transparency.
- It brings data residency in transit and at rest in Germany, and data replication across German datacenters for business continuity.
Azure China 21Vianet
- Microsoft Azure operated by 21Vianet (Azure China 21Vianet) is a physically separated instance of cloud services located in China, independently operated and transacted by Shanghai Blue Cloud Technology Co., Ltd. (“21Vianet”), a wholly owned subsidiary of Beijing 21Vianet Broadband Data Center Co., Ltd.