Module 4ba - Security and Network Security - Defense in Depth, Security Posture

Question 1

What is The Principle of Least Privilege?

Answer 1

Restricting access to information to ONLY those individuals who have been explicitly granted access, and ONLY at the minimum level they need to perform their work

Question 2

What’s one of the most common approaches in ensuring Integrity for in-transit data?

Answer 2

Hashing. Use a one-way hash algorithm to create a unique hash using the data being transferred. Send the hash separately from the data to the receiver. The receiver recalculates the hash with the same algo and received data. If the resulting hash matches the sent hash, then the data wasn’t tampered in transit

Question 3

Hint: there’s a service dedicated

What’s a common attack that compromises Availability?

Answer 3

Denial-Of-Service Attacks (DoS). Meant to degrade the availability of a system

Question 4

What is Defense in Depth?

Answer 4

A strategy where each outer layer protects the inner most layers, the last one finally being Data. Microsoft offers several protection services at EACH layer

Question 5

Hint: PS, IA, P, N, C, A, D

What are seven (7) layers that comprise Defense in Depth (i.e. Dante’s Inferno 🔥)?

Answer 5

1. Physical Security Layer
2. Identity & Access Layer
3. Perimeter Layer
4. Network Layer
5. Compute Layer
6. Application Layer
7. Data Layer

Question 6

Describe how to secure the Physical Security Layer

Answer 6

This is things like guarded gates around the data center, armed guards, etc. Physically securing the buildings in the data center

Also keycard access and authorized access by individuals into the data center. Most MS employees never actually get to see or get into a data center.

Question 7

Describe how to secure the Identity & Access Layer

Answer 7

Basically all permissions and access control

• Controls access to infrastructure and change control
• Enforces SSO
• Auditing on Events and other changes

Question 8

Describe how to secure the Perimeter Layer

Answer 8

Refers to the NETWORK perimeter; protecting from network-based attacks.

Focus on protecting your org’s Resources from network-based attacks. Identify, alert and eliminate impact

• Azure DDoS Protection for filtering large-scale attacks
• Azure Firewall to identify and alert on malicious attacks against your network

Question 9

Describe how to secure the Network Layer

Answer 9

Restricting your network connectivity to required communication only. Reduces chance of an attack spreading throughout the entire network infrastructure, thus reducing potential attack vectors

• Define NSG inbound/outbound rules
• Limited communication between Resources to “as-needed”
• “Deny” access by default
• Restrict inbound and limit outbound access appropriately
• Secure connectivity and communication with On-Prem networks

Question 10

Describe how to secure the Compute Layer

Answer 10

Ensuring that your COMPUTE RESOURCES are not just secure, but also UP TO DATE, and that proper controls are in place:

• Securing access to VMs
• Endpoint protection on devices
• Keep systems patched and current (security patches, hotfixes, general updates, etc.)

Question 11

Describe how to secure the Application Layer

Answer 11

Integrating security into the app development lifecycle to reduce potential attack vectors

• Ensure apps are secure/free of vulnerabilities
• Store secrets in a secure form (key vault)
• Security should be a design requirement

Question 12

Describe how to secure the Data Layer

Answer 12

Almost all attackers are after DATA. Securing data is the responsibility of those who store and control access to it. Regulatory requirements dictate what controls/processes are put in place to secure “confidentiality, integrity and availability” - aka Security Posture~

Data attack sources:

• DBs (most obvious)
• VM disks (since scaling requires virtualization)
• SaaS apps (like hacking into Salesforce customer data)
• Cloud storage (how hackers got into iCloud for celebrity pictures)

Question 13

Hint: C I A

What are the three (3) principles of Security Posture?

Answer 13

Confidentiality - protecting secrets, private content, access levels to applications and underlying infrastructure. Principle of Least Privilege

(Data) Integrity - Preventing unauthorized changes to information at rest (stored data) and in-transit (transferred from one place to another)

Availability - Ensure services and apps are functioning and can only be accessed by authorized parties

Question 14

How do you best secure your Perimeter Layer?

Answer 14

Focus on protecting your org’s Resources from network-based attacks. Identify, alert and eliminate impact

• Azure DDoS Protection for filtering large-scale attacks
• Azure Firewall to identify and alert on malicious attacks against your network

Question 15

Give two (2) combinations of Azure networking and security services?

Answer 15

Combo 1: NSGs + Azure Firewall

• Protect Resources INSIDE the AVN with NSGs - NSGs provide distributed network-layer traffic filtering, limiting traffic to Resources within the AVN
• Protect the AVN OUTSIDE using Azure Firewall. It provides inbound protection for non-HTTPS protocols (RDP, SSH, FTP etc.) and outbound network-level protection for all ports and protocols

Basically, Firewall compliments NSGs for defense-in-depth network security

Combo 2: Azure Application Gateways (w/ WAFs) + Azure Firewall

• WAF comes with App Gateway, providing centralized INBOUND protection against common exploits, and app-level protection for OUTBOUND HTTP/HTTPS
• Protect the AVN OUTSIDE using Azure Firewall. It provides inbound protection for non-HTTPS protocols (RDP, SSH, FTP etc.) and outbound network-level protection for all ports and protocols