CCG, profile picture
Uploaded byCCG
PPTX, PDF533 views

Azure Fundamentals Part 3

The document outlines the fundamentals of Azure security, privacy, compliance, and trust, including key concepts such as identity management, resource management, and defense strategies against security threats. It details various Azure services and features like Azure Active Directory, encryption methods, network security, and resource management best practices. Additionally, it highlights the importance of a layered security approach and provides guidelines for implementing security measures within the Azure environment.

Embed presentation

Downloaded 71 times
FUNDAMENTALS OF AZURE SECURITY, PRIVACY, COMPLIANCE, AND TRUST
HOUSEKEEPING Contact Information: Phillip Scanlon - CCG Email: pscanlon@ccganalytics.com
AGENDA Security, Privacy, Compliance, and Trust: 1. Understand Security Threats 2. Identity Management 3. Resource Manager 4. Potential Exam Questions
AZ-900 EXAM LAYOUT 1. Understand cloud concepts (15-20%) 2. Understand core Azure services (30-35%) 3. Understand security, privacy, compliance, and trust (25-30%) 4. Understand Azure pricing and support (20-25%)
EXAM PREP - STUDY MATERIALS Microsoft Learn Platform Whizlabs
BIGGEST DATA BREACHES OF THE 21ST CENTURY
UNDERSTAND SECURITY THREATS
COMPLIANCE OFFERINGS
SECURITY ADVANTAGES OF CLOUD ERA
RESPONSIBILITY OF SERVICES IaaS (Infrastructure as a Service): • Azure creates virtual machines (VMs) and virtual networks. PaaS (Platform as a Service): • Azure is taking care of the operating system and of most foundational software like database management systems. SaaS (Software as a Service): • Organization outsources almost everything.
DEFENSE IN DEPTH Defense in depth is a strategy that employs a series of mechanisms to slow the advance of an attack aimed at acquiring unauthorized access to information.
DATA In almost all cases, attackers are after data: • Stored in a database • Stored on disk inside virtual machines • Stored on a SaaS application such as Office 365 • Stored in cloud storage
APPLICATION Integrating security into the application development life cycle will help reduce the number of vulnerabilities introduced in code. • Ensure applications are secure and free of vulnerabilities. • Store sensitive application secrets in a secure storage medium. • Make security a design requirement for all application development.
COMPUTE The focus in this layer is on making sure compute resources are secure, and that the proper controls are in place to minimize security issues. • Secure access to virtual machines. • Implement endpoint protection and keep systems patched and current.
NETWORKING The focus is on limiting the network connectivity across all resources to allow only what is required. • Limit communication between resources. • Deny by default. • Restrict inbound internet access and limit outbound, where appropriate. • Implement secure connectivity to on-premises networks.
PERIMETER At the network perimeter, it's about protecting from network- based attacks against resources. • Use distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for end users. • Use perimeter firewalls to identify and alert on malicious attacks against your network.
DDOS PROTECTION OPTIONS
IDENTITY AND ACCESS The identity and access layer is all about ensuring identities are secure, access granted is only what is needed, and changes are logged. Two fundamental concepts when talking about identity and access control: 1. Authentication:  establishing the identity of a person or service looking to access a resource.  establishes if they are who they say they are. 2. Authorization:  establishing what level of access an authenticated person or service has.  specifies what data they're allowed to access and what they can do with it.
PHYSICAL SECURITY Physical building security and controlling access to computing hardware within the data center is the first line of defense. • Intent is to provide physical safeguards against access to assets, these safeguards ensure that other layers can't be bypassed, and loss or theft is handled appropriately.
IDENTITY MANAGEMENT
AZURE ACTIVE DIRECTORY Azure Active Directory (Azure AD) • Cloud-based identity service • Backbone/core of identity management in Azure, built in support for synchronizing with your existing on-premises Active Directory or can be used stand- alone • All applications (on-premises, cloud (including Office 365), or mobile) can share the same credentials
AZURE ACTIVE DIRECTORY SERVICES Authentication - verifying identity to access applications and resources, and providing functionality such as self-service password reset, multi-factor authentication (MFA), a custom banned password list, and smart lockout services. • Self-service password reset: According to Forrester Research, the average password reset is $70, and the Gartner Group states 20 to 50 percent of all Help Desk calls are for password resets. • Multi-factor: Detecting logins from locations that are physically impossible to reach within a certain time frame.
AZURE ACTIVE DIRECTORY SERVICES CONTINUED • Single-Sign-On (SSO) - enables users to remember only one ID and one password to access multiple applications. • Application management - manage cloud and on-premises apps using Azure AD Application Proxy, SSO, the My apps portal (also referred to as Access panel), and SaaS apps. • Business to business (B2B) identity services - manage guest users and external partners while maintaining control over your own corporate data Business-to- Customer (B2C) identity services. • Device Management - Manage how your cloud or on-premises devices access your corporate data.
ENCRYPTION What is encryption? Encryption is the process of making data unreadable and unusable to unauthorized viewers. To use or read the encrypted data, it must be decrypted, which requires the use of a secret key. Two top-level types of encryption: symmetric and asymmetric. • Symmetric encryption uses the same key to encrypt and decrypt the data. • Asymmetric encryption uses a public key and private key pair. Either key can encrypt but a single key can't decrypt its own encrypted data. To decrypt, you need the paired key.
ENCRYPTION AT REST Encryption of data at rest ensures that the stored data is unreadable without the keys and secrets needed to decrypt it.
ENCRYPTION IN TRANSIT Encrypting data in transit protects the data from outside observers and provides a mechanism to transmit data while limiting risk of exposure. Data in transit is the data actively moving from one location to another, such as across the internet or through a private network.
AZURE ENCRYPTION ACROSS SERVICES Azure Storage Service Encryption for data at rest helps protect data to meet organizational security and compliance commitments. Raw storage encryption. Azure Disk Encryption is a capability that helps encrypt Windows and Linux IaaS virtual machine disks. Transparent data encryption (TDE) helps protect Azure SQL Database and Azure Data Warehouse against the threat of malicious activity. Database encryption. Encrypt secrets Azure Key Vault is a centralized cloud service for storing your application secrets.
HOW TO PROTECT YOUR NETWORK Azure has a layered approach to network security. • Reduces risk of exposure through network-based attacks. • Combine multiple Azure networking and security services to manage network security and provide increased layered protection.
NETWORK SECURITY GROUPS Contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify:  Source  Destination  Port  Protocol
DEFAULT SECURITY RULES
PROTECT YOUR SHARED DOCUMENTS Microsoft Azure Information Protection (sometimes referred to as AIP) is a cloud- based solution that helps organizations classify and optionally protect documents and emails by applying labels.
AZURE ATP Azure Advanced Threat Protection (Azure ATP) is a cloud-based security solution that identifies, detects, and helps you investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Components include: • Azure ATP portal o Monitor and respond to suspicious activity. • Azure ATP sensor o Monitors domain controller traffic without requiring a dedicated server or configuring port mirroring. • Azure ATP cloud service o Azure ATP cloud service runs on Azure infrastructure and is currently deployed in the United States, Europe, and Asia.
MICROSOFT SECURITY DEVELOPMENT LIFECYCLE (SDL) • Define security requirements • Define metrics and compliance reporting • Perform threat modeling • Establish design requirements • Define and use cryptography standards • Manage security risks from using third-party components • Use approved tools • Perform Static Analysis Security Testing • Perform Dynamic Analysis Security Testing • Perform penetration testing • Establish a standard incident response process The Microsoft Security Development Lifecycle (SDL) introduces security and privacy considerations, guidance, best practices, tools, and processes throughout all phases of the development process and helps developers build highly secure software, address security compliance requirements, and reduce development costs.
SECURITY SUMMARY Azure Security Center centralizes much of the help Azure has to offer. • Provides a single dashboard, with a view into many of your services, and helps make sure organizations are following best practices. • Continuously updated machine learning algorithms help identify whether the latest threats are aimed at users resources and helps mitigate threats.
AZURE RESOURCE MANAGER
UNDERSTAND SCOPE
AZURE MANAGEMENT GROUPS Azure Management groups are containers for managing access, policies, and compliance across multiple Azure subscriptions.
GOVERNANCE FOR THE CLOUD Management Group Define organizational hierarchy Hierarchy Policy Real-time enforcement, compliance assessment and remediation Control Cost Management Monitor cloud spend and optimize resources Consumption NEWNEW Blueprints Deploy and update cloud environments in a repeatable manner using composable artifacts Environment NEW Resource Graph Query, explore & analyze cloud resources at scale Visibility
WHAT IS AZURE POLICY? Azure Policy is a service you can use to create, assign, and manage policies. • Policies apply and enforce rules that your resources need to follow. • Policies can enforce these rules when resources are created, and can be evaluated against existing resources to give visibility into compliance. Policies can enforce things such as only allowing specific types of resources to be created, or only allowing resources in specific Azure regions. • Enforce naming conventions across your Azure environment. • Enforce that specific tags are applied to resources.
AZURE SUBSCRIPTIONS Azure subscription provides you with authenticated and authorized access to Azure products and services and allows you to provision resources on Azure. It is a logical unit of Azure services that links to an Azure account.
WHAT IS A RESOURCE GROUP? A resource group is a container that holds related resources for an Azure solution. Each resource in Azure must belong to a resource group.
RESOURCE GROUP BEST PRACTICES Logical grouping • Resource groups exist to help manage and organize your Azure resources. By placing resources of similar usage, type, or location, you can provide some order and organization to resources you create in Azure. Life cycle • If you delete a resource group, all resources contained within are also deleted. Resource groups make it easy to remove a set of resources at once. Authorization • Resource groups are also a scope for applying role-based access control (RBAC) permissions. By applying RBAC permissions to a resource group, you can ease administration and limit access to allow only what is needed.
WHAT ARE TAGS? Tags allow organizations to associate custom details about their resource, in addition to the standard Azure properties a resource has: • Department (like finance, marketing, and more) • Environment (prod, test, dev), • Cost center • Life cycle and automation (like shutdown and startup of virtual machines) Tags are name/value pairs of text data that you can apply to resources and resource groups. • Can have up to 50 tags. • Name is limited to 512 characters for all types of resources except storage accounts, which have a limit of 128 characters. • Value is limited to 256 characters for all types of resources.
RESOURCES A manageable item that is available through Azure. Examples:  Virtual machines  Storage accounts  Web apps  Databases  Virtual networks  Resource groups, subscriptions, management groups, and tags
HOW DO WE PROTECT THOSE RESOURCES ONCE THEY ARE DEPLOYED? Answer: Role-based access control (core service and is included with all subscription levels at no cost)  Allow one user to manage VMs in a subscription, and another user to manage virtual networks.  Allow a database administrator (DBA) group to manage SQL databases in a subscription.  Allow a user to manage all resources in a resource group, such as VMs, websites, and virtual subnets.  Allow an application to access all resources in a resource group.
WHAT ARE RESOURCE LOCKS? Resource locks are a setting that can be applied to any resource to block modification or deletion. Resource locks can set to either Delete or Read-only: • Delete will allow all operations against the resource but block the ability to delete it. • Read-only will only allow read activities to be performed against it, blocking any modification or deletion of the resource. Resource locks can be applied to subscriptions, resource groups, and to individual resources, and are inherited when applied at higher levels.
QUESTION 1
QUESTION 2
QUESTION 3
QUESTION 4
THANK YOU

More Related Content

PPTX
Azure Fundamentals Part 1
byCCG
 
PPTX
Azure Fundamentals Part 2
byCCG
 
PPTX
Azure Compute, Networking and Storage Overview
byAzure Riyadh User Group
 
PPTX
AZ-900 Microsoft Azure Fundamentals.pptx
byKARMANJAYVERMA1
 
PDF
Microsoft Azure Overview | Cloud Computing Tutorial with Azure | Azure Traini...
byEdureka!
 
PPTX
Azure Fundamentals || AZ-900
bythisiswali
 
PPTX
Azure Storage
byMustafa
 
PDF
Microsoft Azure Fundamentals AZ 900 ####
byMohanArumugam24
 
Azure Fundamentals Part 1
byCCG
 
Azure Fundamentals Part 2
byCCG
 
Azure Compute, Networking and Storage Overview
byAzure Riyadh User Group
 
AZ-900 Microsoft Azure Fundamentals.pptx
byKARMANJAYVERMA1
 
Microsoft Azure Overview | Cloud Computing Tutorial with Azure | Azure Traini...
byEdureka!
 
Azure Fundamentals || AZ-900
bythisiswali
 
Azure Storage
byMustafa
 
Microsoft Azure Fundamentals AZ 900 ####
byMohanArumugam24
 

What's hot

PDF
AZ-900 Azure Fundamentals.pdf
byssuser5813861
 
PDF
Azure governance v4.0
byMarcos Oikawa
 
PDF
Introduction to Azure
byRobert Crane
 
PDF
Microsoft Azure Fundamentals
byAdwait Ullal
 
PDF
Azure fundamentals
byAlexandre BERGERE
 
PDF
Azure Arc by K.Narisorn // Azure Multi-Cloud
byKumton Suttiraksiri
 
PPTX
What is AWS?
byMartin Yan
 
PDF
Introduction to Azure IaaS
byRobert Crane
 
PPTX
Microsoft Azure - Introduction
byPranav Ainavolu
 
PPTX
Introduction to Microsoft Azure 101
byR M Shahidul Islam Shahed
 
PPTX
Microsoft azure
byCharith Suriyakula
 
PPTX
Azure Migrate
byMustafa
 
PDF
Microsoft AZ-900 Dumps Questions
byBraindumps4IT
 
PPTX
Azure Site Recovery Bootcamp
byAsaf Nakash
 
PPTX
Azure virtual network
byLalit Rawat
 
PDF
Cloud Migration: Cloud Readiness Assessment Case Study
byCAST
 
PPTX
Cloud computing
byhari krishnan.n
 
PPTX
Microsoft azure backup overview
bySumantro Mukherjee
 
PPTX
Azure vnet
byzekeLabs Technologies
 
PPTX
Azure governance
bygirish goudar
 
AZ-900 Azure Fundamentals.pdf
byssuser5813861
 
Azure governance v4.0
byMarcos Oikawa
 
Introduction to Azure
byRobert Crane
 
Microsoft Azure Fundamentals
byAdwait Ullal
 
Azure fundamentals
byAlexandre BERGERE
 
Azure Arc by K.Narisorn // Azure Multi-Cloud
byKumton Suttiraksiri
 
What is AWS?
byMartin Yan
 
Introduction to Azure IaaS
byRobert Crane
 
Microsoft Azure - Introduction
byPranav Ainavolu
 
Introduction to Microsoft Azure 101
byR M Shahidul Islam Shahed
 
Microsoft azure
byCharith Suriyakula
 
Azure Migrate
byMustafa
 
Microsoft AZ-900 Dumps Questions
byBraindumps4IT
 
Azure Site Recovery Bootcamp
byAsaf Nakash
 
Azure virtual network
byLalit Rawat
 
Cloud Migration: Cloud Readiness Assessment Case Study
byCAST
 
Cloud computing
byhari krishnan.n
 
Microsoft azure backup overview
bySumantro Mukherjee
 
Azure vnet
byzekeLabs Technologies
 
Azure governance
bygirish goudar
 

Similar to Azure Fundamentals Part 3

PDF
Azure Security Overview
byDavid J Rosenthal
 
PDF
Microsoft Azure Security Overview
byAlert Logic
 
PPTX
Azure security and Compliance
byKarina Matos
 
PPTX
SC-900 Capabilities of Microsoft Security Solutions
byFredBrandonAuthorMCP
 
PPTX
ciso-workshop-1-cybersecurity-briefing.pptx
bypravinsp141
 
PDF
AZ-900 Summary with all information that
byFadiAlkanani1
 
PPTX
Azure Data Course | Best Microsoft Azure Data Engineering.pptx
bykalyanvisualpath
 
PDF
366864108 azure-security
byober64
 
PDF
Microsoft security compass presentation latest
byKali860857
 
PPTX
Enter The Matrix Securing Azure’s Assets
byBizTalk360
 
PPTX
Azure security basics
byStas Lebedenko
 
PDF
Microsoft Azure Security Infographic
byMicrosoft Azure
 
PDF
CSS17: Houston - Azure Shared Security Model Overview
byAlert Logic
 
PPTX
Azure security
byLalit Rawat
 
PDF
Cortana Analytics Workshop: Cortana Analytics -- Security, Privacy & Compliance
byMSAdvAnalytics
 
PPTX
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud
byEuropean Collaboration Summit
 
PDF
Azure security infographic 2014 sec
byKesavan Munuswamy
 
PDF
O365Con18 - Red Team vs Blue Team - Sasha Kranjac & Mustafa Toroman
byNCCOMMS
 
PDF
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
byAlert Logic
 
PPTX
NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Micro...
byMorgan Simonsen
 
Azure Security Overview
byDavid J Rosenthal
 
Microsoft Azure Security Overview
byAlert Logic
 
Azure security and Compliance
byKarina Matos
 
SC-900 Capabilities of Microsoft Security Solutions
byFredBrandonAuthorMCP
 
ciso-workshop-1-cybersecurity-briefing.pptx
bypravinsp141
 
AZ-900 Summary with all information that
byFadiAlkanani1
 
Azure Data Course | Best Microsoft Azure Data Engineering.pptx
bykalyanvisualpath
 
366864108 azure-security
byober64
 
Microsoft security compass presentation latest
byKali860857
 
Enter The Matrix Securing Azure’s Assets
byBizTalk360
 
Azure security basics
byStas Lebedenko
 
Microsoft Azure Security Infographic
byMicrosoft Azure
 
CSS17: Houston - Azure Shared Security Model Overview
byAlert Logic
 
Azure security
byLalit Rawat
 
Cortana Analytics Workshop: Cortana Analytics -- Security, Privacy & Compliance
byMSAdvAnalytics
 
[Toroman/Kranjac] Red Team vs. Blue Team in Microsoft Cloud
byEuropean Collaboration Summit
 
Azure security infographic 2014 sec
byKesavan Munuswamy
 
O365Con18 - Red Team vs Blue Team - Sasha Kranjac & Mustafa Toroman
byNCCOMMS
 
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
byAlert Logic
 
NIC 2017 Azure AD Identity Protection and Conditional Access: Using the Micro...
byMorgan Simonsen
 

More from CCG

PPTX
Data Governance Workshop
byCCG
 
PDF
Introduction to Machine Learning with Azure & Databricks
byCCG
 
PPTX
Power BI Advance Modeling
byCCG
 
PPTX
Introduction to Microsoft Power BI
byCCG
 
PPTX
Data Governance and MDM | Profisse, Microsoft, and CCG
byCCG
 
PPTX
Machine Learning with Azure and Databricks Virtual Workshop
byCCG
 
PDF
How to Create a Data Analytics Roadmap
byCCG
 
PPTX
Power BI Advanced Data Modeling Virtual Workshop
byCCG
 
PPTX
Advance Data Visualization and Storytelling Virtual Workshop
byCCG
 
PDF
How to Monetize Your Data Assets and Gain a Competitive Advantage
byCCG
 
PDF
Analytics in a Day Ft. Synapse Virtual Workshop
byCCG
 
PPTX
Artificial Intelligence Executive Brief
byCCG
 
PDF
Analytics in a Day Ft. Synapse Virtual Workshop
byCCG
 
PDF
Analytics in a Day Ft. Synapse Virtual Workshop
byCCG
 
PDF
Analytics in a Day Virtual Workshop
byCCG
 
PDF
Analytics in a Day Virtual Workshop
byCCG
 
PDF
Analytics in a Day Ft. Synapse Virtual Workshop
byCCG
 
PDF
Enable Better Decision Making with Power BI Visualizations & Modern Data Estate
byCCG
 
PPTX
Virtual Governance in a Time of Crisis Workshop
byCCG
 
PPTX
Shape Your Data into a Data Model with M
byCCG
 
Data Governance Workshop
byCCG
 
Introduction to Machine Learning with Azure & Databricks
byCCG
 
Power BI Advance Modeling
byCCG
 
Introduction to Microsoft Power BI
byCCG
 
Data Governance and MDM | Profisse, Microsoft, and CCG
byCCG
 
Machine Learning with Azure and Databricks Virtual Workshop
byCCG
 
How to Create a Data Analytics Roadmap
byCCG
 
Power BI Advanced Data Modeling Virtual Workshop
byCCG
 
Advance Data Visualization and Storytelling Virtual Workshop
byCCG
 
How to Monetize Your Data Assets and Gain a Competitive Advantage
byCCG
 
Analytics in a Day Ft. Synapse Virtual Workshop
byCCG
 
Artificial Intelligence Executive Brief
byCCG
 
Analytics in a Day Ft. Synapse Virtual Workshop
byCCG
 
Analytics in a Day Ft. Synapse Virtual Workshop
byCCG
 
Analytics in a Day Virtual Workshop
byCCG
 
Analytics in a Day Virtual Workshop
byCCG
 
Analytics in a Day Ft. Synapse Virtual Workshop
byCCG
 
Enable Better Decision Making with Power BI Visualizations & Modern Data Estate
byCCG
 
Virtual Governance in a Time of Crisis Workshop
byCCG
 
Shape Your Data into a Data Model with M
byCCG
 

Recently uploaded

PDF
Security and confidentiality in big data.pdf
byrayessafa21
 
PPTX
[DSC Europe 25] Marcos Heidemann - Beyond the Hype: Making AI Coding Assistan...
byDataScienceConferenc1
 
PDF
Applied_Data_Science_Unit_One_Notes_for_reference
bysanguleumeshit
 
PDF
SIH2025-IDEA-Presentation-Innogenix320250929144422.pdf
bydevichokkakulacse1
 
PDF
Machine learning genrative AI and agents
bysakingul
 
PPTX
[DSC Europe 25] Egor Krasheninnikov - The Control Stack: Building Guardrails ...
byDataScienceConferenc1
 
PPTX
[DSC Europe 25] Jovan Sumarac - Real-World Applications of Computer Vision in...
byDataScienceConferenc1
 
PDF
MedGard - OBGYN for SMLE Exam presentation
bydrpreehaaslam
 
PDF
Presentation - 5 Essential Steps for Successful Data Migration
byalexmartincaneda
 
PPTX
[DSC Europe 25] Dubravko Culibrk - Deep Learning for Mammography.pptx
byDataScienceConferenc1
 
PPTX
[DSC Europe 25] Paula Garcia Esteban -Building the Future: The Role of Data S...
byDataScienceConferenc1
 
PDF
Trends and Predictions 2026_Reuters Institute
bydominikamizerska1
 
PDF
[DSC Europe 25] Srdj Stanisic - Local and Private AI in UX.pdf
byDataScienceConferenc1
 
PPTX
Week1_Introduction_to_Machine_Learning.pptx
byssuser211a6f
 
PDF
Semantic Technology
byRathachai Chawuthai
 
PDF
[DSC Europe 25] Bojan Djuricic - Predictive Design Process.pdf
byDataScienceConferenc1
 
PDF
The-Authoritarian-Gaze.pdfThe-Authoritarian-Gaze.pdf
by中 央社
 
PDF
Comprehensive Power BI Dashboard for Data-Driven Business Insights and Perfor...
byNusrat Gulbarga
 
PPTX
normal labor normal labor normal labor normal labor normal labor normal labor...
bymeksbaba1
 
PDF
(UPDATE) JADWAL GEREJA OPS LILIN 2025.pdf
byMinlantasSumber
 
Security and confidentiality in big data.pdf
byrayessafa21
 
[DSC Europe 25] Marcos Heidemann - Beyond the Hype: Making AI Coding Assistan...
byDataScienceConferenc1
 
Applied_Data_Science_Unit_One_Notes_for_reference
bysanguleumeshit
 
SIH2025-IDEA-Presentation-Innogenix320250929144422.pdf
bydevichokkakulacse1
 
Machine learning genrative AI and agents
bysakingul
 
[DSC Europe 25] Egor Krasheninnikov - The Control Stack: Building Guardrails ...
byDataScienceConferenc1
 
[DSC Europe 25] Jovan Sumarac - Real-World Applications of Computer Vision in...
byDataScienceConferenc1
 
MedGard - OBGYN for SMLE Exam presentation
bydrpreehaaslam
 
Presentation - 5 Essential Steps for Successful Data Migration
byalexmartincaneda
 
[DSC Europe 25] Dubravko Culibrk - Deep Learning for Mammography.pptx
byDataScienceConferenc1
 
[DSC Europe 25] Paula Garcia Esteban -Building the Future: The Role of Data S...
byDataScienceConferenc1
 
Trends and Predictions 2026_Reuters Institute
bydominikamizerska1
 
[DSC Europe 25] Srdj Stanisic - Local and Private AI in UX.pdf
byDataScienceConferenc1
 
Week1_Introduction_to_Machine_Learning.pptx
byssuser211a6f
 
Semantic Technology
byRathachai Chawuthai
 
[DSC Europe 25] Bojan Djuricic - Predictive Design Process.pdf
byDataScienceConferenc1
 
The-Authoritarian-Gaze.pdfThe-Authoritarian-Gaze.pdf
by中 央社
 
Comprehensive Power BI Dashboard for Data-Driven Business Insights and Perfor...
byNusrat Gulbarga
 
normal labor normal labor normal labor normal labor normal labor normal labor...
bymeksbaba1
 
(UPDATE) JADWAL GEREJA OPS LILIN 2025.pdf
byMinlantasSumber
 

Azure Fundamentals Part 3

  • 1.
    FUNDAMENTALS OF AZURE SECURITY,PRIVACY, COMPLIANCE, AND TRUST
  • 2.
    HOUSEKEEPING Contact Information: Phillip Scanlon- CCG Email: pscanlon@ccganalytics.com
  • 3.
    AGENDA Security, Privacy, Compliance,and Trust: 1. Understand Security Threats 2. Identity Management 3. Resource Manager 4. Potential Exam Questions
  • 4.
    AZ-900 EXAM LAYOUT 1.Understand cloud concepts (15-20%) 2. Understand core Azure services (30-35%) 3. Understand security, privacy, compliance, and trust (25-30%) 4. Understand Azure pricing and support (20-25%)
  • 5.
    EXAM PREP -STUDY MATERIALS Microsoft Learn Platform Whizlabs
  • 6.
    BIGGEST DATA BREACHESOF THE 21ST CENTURY
  • 7.
  • 8.
  • 9.
  • 10.
    RESPONSIBILITY OF SERVICES IaaS(Infrastructure as a Service): • Azure creates virtual machines (VMs) and virtual networks. PaaS (Platform as a Service): • Azure is taking care of the operating system and of most foundational software like database management systems. SaaS (Software as a Service): • Organization outsources almost everything.
  • 11.
    DEFENSE IN DEPTH Defensein depth is a strategy that employs a series of mechanisms to slow the advance of an attack aimed at acquiring unauthorized access to information.
  • 12.
    DATA In almost allcases, attackers are after data: • Stored in a database • Stored on disk inside virtual machines • Stored on a SaaS application such as Office 365 • Stored in cloud storage
  • 13.
    APPLICATION Integrating security intothe application development life cycle will help reduce the number of vulnerabilities introduced in code. • Ensure applications are secure and free of vulnerabilities. • Store sensitive application secrets in a secure storage medium. • Make security a design requirement for all application development.
  • 14.
    COMPUTE The focus inthis layer is on making sure compute resources are secure, and that the proper controls are in place to minimize security issues. • Secure access to virtual machines. • Implement endpoint protection and keep systems patched and current.
  • 15.
    NETWORKING The focus ison limiting the network connectivity across all resources to allow only what is required. • Limit communication between resources. • Deny by default. • Restrict inbound internet access and limit outbound, where appropriate. • Implement secure connectivity to on-premises networks.
  • 16.
    PERIMETER At the networkperimeter, it's about protecting from network- based attacks against resources. • Use distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for end users. • Use perimeter firewalls to identify and alert on malicious attacks against your network.
  • 17.
  • 18.
    IDENTITY AND ACCESS Theidentity and access layer is all about ensuring identities are secure, access granted is only what is needed, and changes are logged. Two fundamental concepts when talking about identity and access control: 1. Authentication:  establishing the identity of a person or service looking to access a resource.  establishes if they are who they say they are. 2. Authorization:  establishing what level of access an authenticated person or service has.  specifies what data they're allowed to access and what they can do with it.
  • 19.
    PHYSICAL SECURITY Physical buildingsecurity and controlling access to computing hardware within the data center is the first line of defense. • Intent is to provide physical safeguards against access to assets, these safeguards ensure that other layers can't be bypassed, and loss or theft is handled appropriately.
  • 20.
  • 21.
    AZURE ACTIVE DIRECTORY AzureActive Directory (Azure AD) • Cloud-based identity service • Backbone/core of identity management in Azure, built in support for synchronizing with your existing on-premises Active Directory or can be used stand- alone • All applications (on-premises, cloud (including Office 365), or mobile) can share the same credentials
  • 22.
    AZURE ACTIVE DIRECTORYSERVICES Authentication - verifying identity to access applications and resources, and providing functionality such as self-service password reset, multi-factor authentication (MFA), a custom banned password list, and smart lockout services. • Self-service password reset: According to Forrester Research, the average password reset is $70, and the Gartner Group states 20 to 50 percent of all Help Desk calls are for password resets. • Multi-factor: Detecting logins from locations that are physically impossible to reach within a certain time frame.
  • 23.
    AZURE ACTIVE DIRECTORYSERVICES CONTINUED • Single-Sign-On (SSO) - enables users to remember only one ID and one password to access multiple applications. • Application management - manage cloud and on-premises apps using Azure AD Application Proxy, SSO, the My apps portal (also referred to as Access panel), and SaaS apps. • Business to business (B2B) identity services - manage guest users and external partners while maintaining control over your own corporate data Business-to- Customer (B2C) identity services. • Device Management - Manage how your cloud or on-premises devices access your corporate data.
  • 24.
    ENCRYPTION What is encryption? Encryptionis the process of making data unreadable and unusable to unauthorized viewers. To use or read the encrypted data, it must be decrypted, which requires the use of a secret key. Two top-level types of encryption: symmetric and asymmetric. • Symmetric encryption uses the same key to encrypt and decrypt the data. • Asymmetric encryption uses a public key and private key pair. Either key can encrypt but a single key can't decrypt its own encrypted data. To decrypt, you need the paired key.
  • 25.
    ENCRYPTION AT REST Encryptionof data at rest ensures that the stored data is unreadable without the keys and secrets needed to decrypt it.
  • 26.
    ENCRYPTION IN TRANSIT Encryptingdata in transit protects the data from outside observers and provides a mechanism to transmit data while limiting risk of exposure. Data in transit is the data actively moving from one location to another, such as across the internet or through a private network.
  • 27.
    AZURE ENCRYPTION ACROSSSERVICES Azure Storage Service Encryption for data at rest helps protect data to meet organizational security and compliance commitments. Raw storage encryption. Azure Disk Encryption is a capability that helps encrypt Windows and Linux IaaS virtual machine disks. Transparent data encryption (TDE) helps protect Azure SQL Database and Azure Data Warehouse against the threat of malicious activity. Database encryption. Encrypt secrets Azure Key Vault is a centralized cloud service for storing your application secrets.
  • 28.
    HOW TO PROTECTYOUR NETWORK Azure has a layered approach to network security. • Reduces risk of exposure through network-based attacks. • Combine multiple Azure networking and security services to manage network security and provide increased layered protection.
  • 29.
    NETWORK SECURITY GROUPS Containssecurity rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify:  Source  Destination  Port  Protocol
  • 30.
  • 31.
    PROTECT YOUR SHAREDDOCUMENTS Microsoft Azure Information Protection (sometimes referred to as AIP) is a cloud- based solution that helps organizations classify and optionally protect documents and emails by applying labels.
  • 32.
    AZURE ATP Azure AdvancedThreat Protection (Azure ATP) is a cloud-based security solution that identifies, detects, and helps you investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Components include: • Azure ATP portal o Monitor and respond to suspicious activity. • Azure ATP sensor o Monitors domain controller traffic without requiring a dedicated server or configuring port mirroring. • Azure ATP cloud service o Azure ATP cloud service runs on Azure infrastructure and is currently deployed in the United States, Europe, and Asia.
  • 33.
    MICROSOFT SECURITY DEVELOPMENTLIFECYCLE (SDL) • Define security requirements • Define metrics and compliance reporting • Perform threat modeling • Establish design requirements • Define and use cryptography standards • Manage security risks from using third-party components • Use approved tools • Perform Static Analysis Security Testing • Perform Dynamic Analysis Security Testing • Perform penetration testing • Establish a standard incident response process The Microsoft Security Development Lifecycle (SDL) introduces security and privacy considerations, guidance, best practices, tools, and processes throughout all phases of the development process and helps developers build highly secure software, address security compliance requirements, and reduce development costs.
  • 34.
    SECURITY SUMMARY Azure SecurityCenter centralizes much of the help Azure has to offer. • Provides a single dashboard, with a view into many of your services, and helps make sure organizations are following best practices. • Continuously updated machine learning algorithms help identify whether the latest threats are aimed at users resources and helps mitigate threats.
  • 35.
  • 36.
  • 37.
    AZURE MANAGEMENT GROUPS AzureManagement groups are containers for managing access, policies, and compliance across multiple Azure subscriptions.
  • 38.
    GOVERNANCE FOR THECLOUD Management Group Define organizational hierarchy Hierarchy Policy Real-time enforcement, compliance assessment and remediation Control Cost Management Monitor cloud spend and optimize resources Consumption NEWNEW Blueprints Deploy and update cloud environments in a repeatable manner using composable artifacts Environment NEW Resource Graph Query, explore & analyze cloud resources at scale Visibility
  • 39.
    WHAT IS AZUREPOLICY? Azure Policy is a service you can use to create, assign, and manage policies. • Policies apply and enforce rules that your resources need to follow. • Policies can enforce these rules when resources are created, and can be evaluated against existing resources to give visibility into compliance. Policies can enforce things such as only allowing specific types of resources to be created, or only allowing resources in specific Azure regions. • Enforce naming conventions across your Azure environment. • Enforce that specific tags are applied to resources.
  • 40.
    AZURE SUBSCRIPTIONS Azure subscriptionprovides you with authenticated and authorized access to Azure products and services and allows you to provision resources on Azure. It is a logical unit of Azure services that links to an Azure account.
  • 41.
    WHAT IS ARESOURCE GROUP? A resource group is a container that holds related resources for an Azure solution. Each resource in Azure must belong to a resource group.
  • 42.
    RESOURCE GROUP BESTPRACTICES Logical grouping • Resource groups exist to help manage and organize your Azure resources. By placing resources of similar usage, type, or location, you can provide some order and organization to resources you create in Azure. Life cycle • If you delete a resource group, all resources contained within are also deleted. Resource groups make it easy to remove a set of resources at once. Authorization • Resource groups are also a scope for applying role-based access control (RBAC) permissions. By applying RBAC permissions to a resource group, you can ease administration and limit access to allow only what is needed.
  • 43.
    WHAT ARE TAGS? Tagsallow organizations to associate custom details about their resource, in addition to the standard Azure properties a resource has: • Department (like finance, marketing, and more) • Environment (prod, test, dev), • Cost center • Life cycle and automation (like shutdown and startup of virtual machines) Tags are name/value pairs of text data that you can apply to resources and resource groups. • Can have up to 50 tags. • Name is limited to 512 characters for all types of resources except storage accounts, which have a limit of 128 characters. • Value is limited to 256 characters for all types of resources.
  • 44.
    RESOURCES A manageable itemthat is available through Azure. Examples:  Virtual machines  Storage accounts  Web apps  Databases  Virtual networks  Resource groups, subscriptions, management groups, and tags
  • 45.
    HOW DO WEPROTECT THOSE RESOURCES ONCE THEY ARE DEPLOYED? Answer: Role-based access control (core service and is included with all subscription levels at no cost)  Allow one user to manage VMs in a subscription, and another user to manage virtual networks.  Allow a database administrator (DBA) group to manage SQL databases in a subscription.  Allow a user to manage all resources in a resource group, such as VMs, websites, and virtual subnets.  Allow an application to access all resources in a resource group.
  • 46.
    WHAT ARE RESOURCELOCKS? Resource locks are a setting that can be applied to any resource to block modification or deletion. Resource locks can set to either Delete or Read-only: • Delete will allow all operations against the resource but block the ability to delete it. • Read-only will only allow read activities to be performed against it, blocking any modification or deletion of the resource. Resource locks can be applied to subscriptions, resource groups, and to individual resources, and are inherited when applied at higher levels.
  • 47.
  • 48.
  • 49.
  • 50.
  • 51.

Editor's Notes

  • #3 We have a lot to cover and may not get to live questions at the end. Please send your questions to Sami, and I will get back to you after the webinar. Provided is my contact information and reach out any time. I do provide half day and full day workshops for this course. The workshops are more hands on and we do more live demos within the product. Something to note if interested.
  • #5 Once again, here is the exam layout. In part three of our three part series, we will be focusing on understanding security, privacy, compliance, and, trust which is 25-30% of the exam.
  • #6 As mentioned in part 1, I used 2 resources and spent around $16 combined for those resources. The exam itself is $99. This is the same study plan I used for the AZ-900 exam: Microsoft Learn Platform Whizlabs If you want to learn more about these and how I leveraged them for the exam, request part 1 of the webinar series from Sami.
  • #7 Every system, architecture, and application needs to be designed with security in mind. Before we begin better understanding Azure Security, let’s look back at some of the biggest data breaches of the 21st century. From 2014-2018, a data breach impacted over 500 million Marriott customers. The breach actually occurred on systems supporting Starwood hotel brands starting in 2014. The attackers remained in the system after Marriott acquired Starwood in 2016 and were not discovered until September 2018. From 2013 to 2014, 3 billion user Yahoo accounts were breached. In September 2016, while in negotiations to sell itself to Verizon, it announced it had been the victim of the biggest data breach in history, likely by “a state-sponsored actor,” in 2014. The attack compromised the real names, email addresses, dates of birth and telephone numbers of 3 billion users. The breaches knocked an estimated $350 million off Yahoo’s sale price. Verizon eventually paid $4.48 billion for Yahoo’s core Internet business.
  • #8 Let’s first discuss how we secure our data center. Physical security – who can access the building and touch server racks. Microsoft invests heavily in protecting Azure’s infrastructure with walls and security cameras, security personnel, and strict procedures for employees. Should be noted, Microsoft has the most cloud certifications from outside vendors among all cloud vendors to date. Digital Security – who can connect to your systems and data over the network Azure is a network of large data center throughout the world. There are real security threats when companies deploy compute resources like VMs that run company applications and services in the cloud as well as data stored in the cloud and data traveling outside of Azure and across the public internet. There are security threats at each endpoint, for example user devices or computers, that consume data or services. It is very important to note, Microsoft provides the tools that help mitigate the threats, but the user must use these tools to protect the resources they use. To assist with security, Microsoft provides two-factor authentication and role-based access control to authorized users. Data encryption is avaible, which provides a second layer of security in case of a breach. Users can monitor login failures, login attempts from suspicious locations, etc. Microsoft provides automatic denial of service protection, real-time telemetry to see where requests are coming from, firewalls to block malicious traffic.
  • #9 As previously mentioned, Azure has over 90 compliance offerings and some are displayed here. Now you do not need to know all these, but there will be a few exam questions around compliance offerings. For example, I had four matching questions where I needed to properly match NIST, ISO, GDPR, and SOC to their appropriate groupings. Let’s start with: ISO - The International Organization for Standardization is an international standard-setting body composed of representatives from various national standards organizations NIST - The National Institute of Standards and Technology is a physical sciences laboratory and a non-regulatory agency of the United States Department of Commerce.  GDPR - The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. 
  • #10 I found this image very impactful. The important thing to note here is the shift in commodity responsibilities to the provider. The question becomes, how will you allocate your employees, time, resources to other challenges now that the commodity responsibilities have been shifted to the provider?
  • #11 Before we begin responsibility of services, you should note that regardless of the deployment type, you always retain responsibility for the following items: Data Endpoints Accounts Access management IaaS (Infrastructure as a Service): Organization responsibility to patch and secure operating systems and software, as well as configure network to be secure. Security advantage of having outsourced concern over protecting the physical parts of the network. PaaS (Platform as a Service): Azure is taking care of the operating system and of most foundational software like database management systems. Everything is updated with the latest security patches and can be integrated with Azure Active Directory for access controls. “Point and click" within the Azure portal or run automated scripts to bring complex, secured systems up and down, and scale them as needed. SaaS (Software as a Service): Organization outsources almost everything. The code is controlled by the Microsoft Azure but configured to be used by the organization. Well I am a visual learner, what does this look like: Show chart.
  • #12 Lets discuss defending our information. Defense in Depth: If one layer is breached, a subsequent layer is already in place to prevent further exposure. Microsoft applies a layered approach to security, both in physical data centers and across Azure services. The objective is to protect and prevent information from being stolen by individuals who are not authorized to access it. Now we will discuss these layers in more detail.
  • #13 It's the responsibility of those storing and controlling access to data to ensure that it's properly secured.
  • #15 Before bullets: Malware, unpatched systems, and improperly secured systems open environment to attacks. So you want to Secure access to virtual machines. Implement endpoint protection and keep systems patched and current.
  • #16 Before bullets: By limiting this communication, the organization reduces the risk of lateral movement throughout the network. Limit communication between resources. Deny by default. Restrict inbound internet access and limit outbound, where appropriate. Implement secure connectivity to on-premises networks.
  • #17 Before bullets: Identifying these attacks, eliminating their impact, and alerting the org when they happen are important ways to keep the organizations network secure. Use distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for end users. Use perimeter firewalls to identify and alert on malicious attacks against your network. If you remember from Part 2 of our Azure series, a distributed denial-of-service (DDoS) attack is one of the most powerful weapons on the internet. When you hear about a website being “brought down by hackers,” it generally means it has become a victim of a DDoS attack. In short, this means that hackers have attempted to make a website or computer unavailable by flooding or crashing the website with too much traffic.
  • #20 There are motion sensors, 24x7 protected access, biometric access systems, video surveillance, security breach alarms, and I am sure some other pretty formidable things unknown to most.
  • #21 Identity management provides authentication, privileges, authorization, and roles of the enterprise boundaries. The main purpose is to upgrade security and productivity by decreasing the total cost, repetitive tasks, and system downtime.
  • #22 If you have O365, you have Azure AD. Administrators and developers can control access to internal and external data and applications using centralized rules and policies. The Azure Active Directory (Azure AD) enterprise identity service provides single sign-on and multi-factor authentication to help protect your users from 99.9 percent of cybersecurity attacks.
  • #23 Multi-factor example: You have a user who logs in from Los Angeles. 20 minutes later that same user logs in from Tokyo. Using this method, the second login attempt would be forced to provide a secondary means of authentication. Something you know Something you possess Something you are
  • #24 Application Management: Access Panel is a web based portal that allows users to reset their own passwords, and it provides a list of all the groups users can join within the organization. B2B identity services: Customize and control how users sign up, sign in, and manage their profiles when using your apps with services.
  • #25 Symmetric Example: Consider a desktop password manager application. You enter your passwords and they are encrypted with your own personal key (your key is often derived from your master password). When the data needs to be retrieved, the same key is used, and the data is decrypted. Asymmetric Example: Used for things like Transport Layer Security (TLS) (used in HTTPS) and data signing. Both symmetric and asymmetric encryption play a role in properly securing data and Encryption is typically approached in two ways: Encryption at rest and Encryption in transit. Lets discuss those a little more.
  • #26 The actual data that is encrypted could vary in its content, usage, and importance to the organization. 2. Data at rest is the data that has been stored on a physical medium, stored on the disk of a server, data stored in a database, or data stored in a storage account. Encryption of Data Example: If an attacker was to obtain a hard drive with encrypted data and did not have access to the encryption keys, the attacker would not compromise the data without great difficulty. In the Graphic: This financial information could be critical to the business, intellectual property that has been developed by the business, personal data about customers or employees that the business stores, and even the keys and secrets used for the encryption of the data itself.
  • #27 Encrypting the Data Example: HTTPS = application layer in transit encryption. In the graphic, Customer data is encrypted as it's sent over the network. Only the receiver has the secret key that can decrypt the data to a usable form.
  • #28 Key Vault helps control applications' secrets by keeping them in a single, central location and by providing secure access, permissions control, and access logging capabilities.
  • #29 Azure has a layered approach to network security. Reduces risk of exposure through network-based attacks. Several available services and capabilities to secure your internet-facing resource, internal resources, and communication between on-premises networks. Combine multiple Azure networking and security services to manage network security and provide increased layered protection. Example: use Azure Firewall to protect inbound and outbound traffic to the Internet, and Network Security Groups to limit traffic to resources inside virtual networks.
  • #31 Azure creates the following default rules in each network security group that you create: You cannot remove the default rules, but you can override them by creating rules with higher priorities. Name: A unique name within the network security group. Priority: A number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops. Source or destination: Any, or an individual IP address, (CIDR) block (10.0.0.0/24, for example), service tag, or application security group. If you specify an address for an Azure resource, specify the private IP address assigned to the resource. Protocol: TCP, UDP, ICMP or Any. Direction: Whether the rule applies to inbound, or outbound traffic. Port range: You can specify an individual or range of ports. For example, you could specify 80 or 10000-10005. Specifying ranges enables you to create fewer security rules. Action: Allow or deny Highlighting port further, you will likely see port 80 or port 443 on the exam within examples. A little background information, port 80 was chosen as the default HTTP port and 443 as the default HTTPS port. HTTPS (443) is HTTP with encryption. The only difference between the two protocols is that HTTPS (443) uses TLS (SSL) to encrypt normal HTTP (80) requests and responses. As a result, HTTPS is far more secure than HTTP. A website that uses HTTP has http:// in its URL, while a website that uses HTTPS has https://
  • #32 Microsoft Azure Information Protection (sometimes referred to as AIP) is a cloud-based solution that helps organizations classify and optionally protect documents and emails by applying labels. Labels can be applied automatically based on rules and conditions. Labels can also be applied manually. Guide users to choose recommended labels with a combination of automatic and manual steps. Here is an example of AIP in action on a user's computer. The administrator has configured a label with rules that detect sensitive data. When a user saves a Microsoft Word document containing a credit card number, a custom tooltip is displayed. This label is configured by the administrator. Using this label classifies the document and protects it. Analyze data flows to gain insight into your business Detect risky behaviors and take corrective measures Track access to documents Prevent data leakage or misuse of confidential information
  • #33 Last image: Installed directly on your domain controllers, the Azure ATP sensor accesses the event logs it requires directly from the domain controller. After the logs and network traffic are parsed by the sensor, Azure ATP sends only the parsed information to the Azure ATP cloud service (only a percentage of the logs are sent).
  • #34 The Microsoft SDL became an integral part of the software development process at Microsoft in 2004. The development, implementation, and constant improvement of the SDL represents a strategic investment to the security effort. This is an evolution in the way that software is designed, developed, and tested, and has now matured into a well-defined methodology. Now, over a decade later, the Microsoft SDL continues to be fundamental to how Microsoft develops products and services. With the rise of mobile, cloud computing, Internet of Things, artificial intelligence, and other new technologies, Microsoft continues to evolve the practices.
  • #35 Note: This is highly introductory. Security is a deep and complex topic, so whatever your cloud approach, an ongoing security education is necessary.
  • #36 he Azure Resource Manager service is designed for resiliency and continuous availability.  Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in your Azure account. You use management features, like access control, locks, and tags, to secure and organize your resources after deployment. We are going to drill down into these further. Graphic: When a user sends a request from any of the Azure tools, APIs, or SDKs, Resource Manager receives the request. It authenticates and authorizes the request. Resource Manager sends the request to the Azure service, which takes the requested action. Because all requests are handled through the same API, you see consistent results and capabilities in all the different tools. The following image shows the role Azure Resource Manager plays in handling Azure requests.
  • #37 Graphic: You apply management settings at any of these levels of scope. The level you select determines how widely the setting is applied. Lower levels inherit settings from higher levels. For example, when you apply a policy to the subscription, the policy is applied to all resource groups and resources in your subscription. When you apply a policy on the resource group, that policy is applied the resource group and all its resources. However, another resource group doesn't have that policy assignment. Lets discuss these levels in more detail.
  • #38 In the early days, subscriptions had limits and those limits helped decide whether your subscriptions needed to sprawl.  This was mostly based on whether or not you were supporting customer or breaking up your subscriptions across different departments.  The biggest issue with this sprawl was how to manage it, both from a security and policies standpoint.  Then Azure management groups entered the picture. When I say sprawl or Data sprawl, it refers to the overwhelming amount and variety of data produced by enterprises every day. With the growing number of operating systems, data warehouses, various BYOD (Bring Your Own Device) devices, and enterprise and mobile applications, it’s no wonder that the proliferation of data is becoming a problem. Azure management groups provide a way for an organization to control and manage access, compliance, and policies for their subscription within their tenant. Management groups allow you to order your Azure resources hierarchically into collections, which provide a further level of classification beyond subscriptions.
  • #39 Azure governance consists of 5 capabilities (Policy, Blueprints, Resource Graph, Management Group, Cost Management) to ensure you will have the right tools for your applications or workload teams, so they can use cloud resources in an accountable & responsible fashion.
  • #41 It serves as a single billing unit for Azure resources in that services used in Azure are billed to a subscription. An Azure subscription is linked to a single account, the one that was used to create the subscription and is used for billing purposes. ... Free Azure accounts can be converted to pay-as-you-go accounts. Azure offers free and paid subscription options to suit different needs and requirements. An account can have one subscription or multiple subscriptions that have different billing models, and to which you apply different access-management policies.
  • #42 The resource group can include all the resources for the solution, or only those resources that you want to manage as a group. You decide how you want to allocate resources to resource groups based on what makes the most sense for your organization. Generally, add resources that share the same lifecycle to the same resource group so you can easily deploy, update, and delete them as a group. The resource group stores metadata about the resources. Therefore, when you specify a location for the resource group, you are specifying where that metadata is stored. For compliance reasons, you may need to ensure that your data is stored in a particular region. Resource groups are a logical container for resources deployed on Azure and are anything created in a Azure subscription like Virtual machines, Application Gateways, CosmosDB.
  • #44 And here is what the tags look like in the portal.
  • #46 RBAC provides fine-grained access management for Azure resources, enabling organizations to grant users the specific rights they need to perform their jobs. Using RBAC, you can:
  • #47 Further protection, how can we protect or how can administrators protect themselves from doing something they may not have intended to do. And important to note, even if you are an owner of the resource, you must still remove the lock before you'll actually be able to perform the blocked activity.
  • #48 A. User Defined Routes. You can create custom, or user defined routes in Azure to override Azures default system routes or add additional routes to a subnets route tables.
  • #49 A. Yes. Authentication methods of both multi factor and self service password reset are the usage, SMS (short message service) is the authentication method.
  • #50 B. No. Support also for components like Azure SQL and Storage services.
  • #51 A. Azure key vault. You can import or generate keys.
  • #52 That concludes part three of our three part series. Thank you for all those who attended todays session and the previous sessions. I wish you the best of luck on your pursuit of AZ-900 and other Azure certs. Over to Sami.