Design and Deploy
a Secure Azure
Environment
Mapping the NIST Cybersecurity
Framework to Azure Services
—
Puthiyavan Udayakumar
Abu Dhabi, Abu Dhabi, United Arab Emirates
ISBN-13 (pbk): 978-1-4842-9677-6 ISBN-13 (electronic): 978-1-4842-9678-3
Copyright © 2023 by Puthiyavan Udayakumar
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now
known or hereafter developed.
Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with
every occurrence of a trademarked name, logo, or image we use the names, logos, and images only in an
editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the
trademark.
The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not
identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to
proprietary rights.
While the advice and information in this book are believed to be true and accurate at the date of publication,
neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or
omissions that may be made. The publisher makes no warranty, express or implied, with respect to the
material contained herein.
Managing Director, Apress Media LLC: Welmoed Spahr
Acquisitions Editor: Smriti Srivastava
Development Editor: Laura Berendson
Editorial Project Manager: Mark Powers
Copyeditor: Kim Wimpsett
Cover designed by eStudioCalamar
Cover image by Steve Buissinne on Pixabay ([Link])
Distributed to the book trade worldwide by Apress Media, LLC, 1 New York Plaza, New York, NY 10004,
U.S.A. Phone 1-800-SPRINGER, fax (201) 348-4505, e-mail orders-ny@[Link], or visit
[Link]. Apress Media, LLC is a California LLC and the sole member (owner) is Springer
Science + Business Media Finance Inc (SSBM Finance Inc). SSBM Finance Inc is a Delaware corporation.
For information on translations, please e-mail booktranslations@[Link]; for reprint,
paperback, or audio rights, please e-mail bookpermissions@[Link].
Apress titles may be purchased in bulk for academic, corporate, or promotional use. eBook versions and
licenses are also available for most titles. For more information, reference our Print and eBook Bulk Sales
web page at [Link]/bulk-sales.
Any source code or other supplementary material referenced by the author in this book is available
to readers on GitHub ([Link] For more detailed information, please visit
[Link]
Paper in this product is recyclable
To the Apress team for supporting the publication of this book
Table of Contents
About the Author ... xvii
About the Technical Reviewer ... xix
Acknowledgments ... xxi
Introduction ... xxiii

Chapter 1: Get Started with Azure Security ... 1
  Introduction to Cybersecurity ... 2
    What Is a Cybersecurity Attack? ... 3
    Why Are Cyberattacks Executed? ... 5
    A Closer Look at Cybersecurity ... 5
    Cybersecurity Risk Analysis ... 6
    Threat Landscape ... 8
    Attack Vectors ... 8
    Security Breaches ... 10
    Data Breaches ... 11
    Malware ... 12
    Known Mitigation Strategies ... 13
    Cryptography ... 15
    Authentication and Authorization ... 16
    Threats to Network Security ... 17
    Threats to Application Security ... 20
    Applications with Untrustworthy Origins ... 20
    Vulnerabilities in Embedded Applications ... 21
    Browser-Based Threats ... 21
    Threats to Device Security ... 22
    Device Threat Vectors ... 22
  Getting Started with Cloud Computing ... 23
    Top Benefits of Cloud Computing ... 25
    Three Delivery Models of Cloud Computing ... 27
  Microsoft Azure Overview ... 30
    Azure Regions ... 33
    Azure Geography ... 33
    Azure Availability Zones ... 34
    Azure Management Groups ... 38
    Azure Subscriptions ... 38
    Azure Resource Groups ... 39
    Azure Resource Manager ... 39
    Azure Management Offerings ... 41
    Microsoft Azure Portal ... 43
    Microsoft Azure PowerShell ... 44
    Microsoft Azure CLI ... 44
    Microsoft Azure Cloud Shell ... 45
    Microsoft ARM Templates ... 46
    Microsoft Azure Mobile App ... 46
    Azure Monitoring Offerings ... 46
    Microsoft Azure Advisor ... 48
    Microsoft Azure Security Capabilities ... 48
    Microsoft Sentinel ... 50
    Microsoft Defender for Cloud ... 50
    Azure Resource Manager ... 50
    Application Insights ... 50
    Azure Monitor ... 51
    Azure Monitor Logs ... 51
    Azure Advisor ... 51
    Azure-Based Application Security Capabilities ... 52
    Penetration Testing ... 52
    Web Application Firewall ... 52
    Authentication and Authorization in Azure App Service ... 52
    Layered Security Architecture ... 52
    Web Server Diagnostics and Application Diagnostics ... 53
    Azure-Based Storage Security Capabilities ... 53
    Azure Role-Based Access Control (Azure RBAC) ... 53
    Shared Access Signature ... 53
    Encryption in Transit ... 54
    Encryption at Rest ... 54
    Storage Analytics ... 54
    Enabling Browser-Based Clients Using CORS ... 55
    Azure Network Security Capabilities ... 55
    Azure Network Communication with the Internet ... 56
    Azure Communication Between Azure Resources ... 56
    Azure Network Communication with the Private Cloud ... 57
    Filter Network Traffic ... 57
    Route Network Traffic ... 58
    Integrate Azure Services ... 58
    Other Network Services ... 58
    Azure Compute Security Capabilities ... 61
    Azure Confidential Computing ... 61
    Anti-malware and Antivirus ... 61
    Hardware Security Module ... 62
    Virtual Machine Backup ... 62
    Azure Site Recovery ... 62
    SQL VM TDE ... 62
    VM Disk Encryption ... 63
    Virtual Networking ... 63
    Patch Updates ... 63
    Security Policy Management and Reporting ... 63
    Azure Identity Security Capabilities ... 64
    Azure Active Directory (Azure AD) ... 64
    Azure Active Directory External Identities ... 64
    Azure Active Directory Domain Services ... 64
    Azure Apps and Data Security Capabilities ... 65
  Overview of the NIST CSF ... 66
  Summary ... 73

Chapter 2: Design and Deploy Security for Infrastructure, Data, and Applications ... 75
  Design and Deploy a Strategy for Securing Infrastructure Components ... 76
    Azure Data Centers and Network ... 77
    Azure Data Center Physical Security ... 81
    Azure Infrastructure Availability ... 82
  Cloud Security Shared Responsibility Model ... 82
  Foundation of Cloud Infrastructure and Endpoint Security ... 86
  Securing Virtual Machines ... 87
    Antimalware ... 88
    Protect Sensitive Data ... 88
    Organize Your Keys and Secrets with Key Vault ... 88
    Virtual Machine Disks for Linux and Windows Can Be Encrypted ... 89
    Build More Compliant Solutions ... 89
    Shield Network Traffic from Threats ... 89
  Securing Containers ... 90
    Use a Private Registry ... 90
    A Publicly Available Container Image Does Not Guarantee Security ... 91
    Monitor and Scan Container Images ... 91
    Protect Credentials ... 91
  Securing Hosts ... 92
  Securing Networks ... 93
    Microsoft Cloud Security Benchmark for Network Security ... 94
    Deploy Network Segmentation ... 95
    Protect Cloud Native Services with Network Security Controls ... 95
    Implement a Firewall at the Edge of the Enterprise Network ... 96
    Implement an Intrusion Detection/Prevention System ... 96
    Implement DDoS Protection ... 97
    Implement a Web Application Firewall ... 97
    Follow Simplicity in Network Security Configuration ... 97
    In General, Disable Unused Services ... 98
    Have Private Connectivity Between On-Premises and Azure ... 98
    Implement DNS Security ... 99
  Securing Storage ... 99
    Deploy Shared Access Signatures ... 100
    Govern Azure AD Storage Authentication ... 100
    Azure Storage Encryption for Data at Rest ... 101
  Securing Endpoints ... 101
    Microsoft Cloud Security Benchmark for Endpoint Security ... 104
    Adopt Endpoint Detection and Response (EDR) ... 104
    Deploy Modern Anti-malware Software ... 105
    Have a Periodic Release Cycle for Anti-malware Software and Signatures ... 105
  Securing Backup and Recovery ... 105
    Microsoft Cloud Security Benchmark for Backup and Recovery ... 106
    Deploy Scheduled Automated Backups ... 106
    Safeguard Backup and Recovery ... 107
    Monitor Backups ... 108
    Periodically Test Backups ... 108
  Design and Deploy a Strategy for Securing Identity ... 109
    Microsoft's Azure Active Directory ... 109
    Authentication Choices ... 110
    Cloud Authentication ... 111
    Federated Authentication ... 112
    Azure AD Identity Protection ... 112
    Azure AD Privileged Identity Management ... 112
    Microsoft Cloud Security Benchmark for Identity ... 113
    Identify and Authenticate Users Using a Centralized System ... 114
    Authentication and Identity Systems Need to Be Protected ... 115
    Automate and Secure Application Identity Management ... 116
    Servers and Services Must Be Authenticated ... 116
    Access Applications Using Single Sign-On (SSO) ... 117
    Ensure Strong Authentication Controls Are in Place ... 117
    Resource Access Can Be Restricted Based on Conditions ... 118
    Ensure That Credentials and Secrets Are Not Exposed ... 119
    Existing Applications Can Be Accessed Securely by Users ... 119
    Microsoft Cloud Security Benchmark for Privileged Access ... 120
    Ensure That Highly Privileged and Administrative Users Are Separated and Limited ... 121
    Permissions and Accounts Should Not Be Granted Standing Access ... 122
    Life-Cycle Management of Identities and Entitlements ... 123
    Reconcile User Access Regularly ... 123
    Emergency Access Should Be Set Up ... 123
    Workstations with Privileged Access Should Be Used ... 124
    Use the Least Privilege Principle (Just-Enough Administration) ... 124
    Specify Access Method for Cloud Provider Support ... 125
  Design and Deploy a Strategy for Securing Apps and Data ... 125
    Software Frameworks and Secure Coding Libraries Should Be Used ... 127
    Conduct a Vulnerability Scan ... 128
    When Designing an Application, Use Threat Modeling ... 128
    Keep Your Attack Surface as Small as Possible ... 128
    Identify Identity as the Primary Security Perimeter ... 128
    For Important Transactions, Reauthentication Should Be Required ... 129
    Ensure the Security of Keys, Credentials, and Other Secrets by Using a Key Management Solution ... 129
    Make Sure Sensitive Data Is Protected ... 129
    Make Sure Fail-Safe Measures Are in Place ... 129
    Ensure That Errors and Exceptions Are Handled Correctly ... 130
    Alerts and Logging Should Be Used ... 130
    Modernize ... 130
    Microsoft Cloud Security Benchmark for DevOps ... 131
    Analyze Threats ... 132
    Ensure the Security of the Software Supply Chain ... 133
    Infrastructure for DevOps That Is Secure ... 134
    DevOps Pipeline Should Include Static Application Security Testing ... 136
    Dynamic Application Security Testing Should Be Incorporated Into the DevOps Pipeline ... 136
    DevOps Life-Cycle Security Is Enforced ... 136
    Monitoring and Logging Should Be Enabled in DevOps ... 138
  Getting Started with Microsoft SecOps ... 138
    Category 1: Preparation, Planning, and Prevention ... 141
    Category 2: Monitoring, Detection, and Response ... 142
    Category 3: Recovery, Refinement, and Compliance ... 143
    Microsoft SOC Function for Azure Cloud ... 145
    Microsoft Azure Security Operations Center ... 146
    SecOps Tools ... 147
  Summary ... 148

Chapter 3: Design and Deploy an Identify Solution ... 149
  Introduction to NIST Identify ... 150
  Asset Management ([Link]) ... 151
  Azure Mapping for Asset Management ([Link]) ... 153
    Microsoft Defender for Cloud ... 159
    Azure AD Registered Devices ... 163
    IoT Hub Identity Registry ... 166
    Microsoft Intune ... 168
    Azure Service Map ... 171
    Azure Network Watcher and Network Security Group ... 174
    Azure Information Protection ... 178
    Azure AD Privileged Identity Management ... 181
    Privileged Access Management ... 183
  Business Environment ([Link]) ... 188
    Privileged Access Workstation ... 192
    Microsoft Azure Bastion ... 193
    Azure Reliability by Design ... 194
  Governance ([Link]) ... 198
    Microsoft Incident Response and Shared Responsibility ... 202
    Microsoft and General Data Protection Regulation ... 204
    Microsoft Compliance Manager ... 205
    Azure Policy ... 206
  Risk Assessment ([Link]) ... 207
    Risk Assessment for Microsoft Azure ... 207
    Vulnerability Assessments in Microsoft Defender for Cloud ... 214
    AD Risk Management ... 218
    Design and Implementation of Active Directory ... 218
    Microsoft Sentinel ... 220
    Microsoft Threat Modeling Tool ... 222
    Microsoft Threat Management ... 223
    Azure Monitor ... 224
    Cybersecurity Operations Services ... 226
  Summary ... 227

Chapter 4: Design and Deploy a Protect Solution: Part 1 ... 229
  Introduction to NIST Protect ... 230
  Identity Management, Authentication, and Access Control ([Link]) ... 232
    Key Aspects of IDM ... 232
    Methods of Authentication ... 234
  Azure Mapping for [Link] ... 235
    Azure AD ... 242
    Azure IoT ... 248
    Conditional Access ... 253
    Azure AD's Application Proxy ... 260
    Just Enough Administration ... 267
    Managed and Protected Physical Access to Assets ... 272
  Awareness and Training ([Link]) ... 273
  Azure Mapping for [Link] ... 278
  Summary ... 279

Chapter 5: Design and Deploy a Protect Solution: Part 2 ... 281
  Data Security ... 281
  Azure Mapping for Data Security ... 284
Azure Disk Encryption��������������������������������������������������������������������������������������������������������� 293
Azure Storage Service Encryption��������������������������������������������������������������������������������������� 301
Azure Key Vault�������������������������������������������������������������������������������������������������������������������� 306
Azure Information Protection����������������������������������������������������������������������������������������������� 310
Azure Backup Encryption���������������������������������������������������������������������������������������������������� 318
Azure VPN Gateway������������������������������������������������������������������������������������������������������������� 324
Azure Site-to-Site VPN��������������������������������������������������������������������������������������������������������� 329
Azure Point-to-Site VPN������������������������������������������������������������������������������������������������������� 336
Azure ExpressRoute������������������������������������������������������������������������������������������������������������� 344
Azure WAF��������������������������������������������������������������������������������������������������������������������������� 351
Microsoft Purview DLP�������������������������������������������������������������������������������������������������������� 357
Data Segregation����������������������������������������������������������������������������������������������������������������� 364
Summary���������������������������������������������������������������������������������������������������������������������������������� 365
Chapter 6: Design and Deploy a Protect Solution: Part 3������������������������������������� 367
Information Protection Processes and Procedures ([Link])������������������������������������������������������� 368
Azure Mapping for [Link]����������������������������������������������������������������������������������������������������������� 370
Azure Automation Desired State Configuration������������������������������������������������������������������� 381
PowerShell Desired State Configuration����������������������������������������������������������������������������� 386
Microsoft SDL���������������������������������������������������������������������������������������������������������������������� 390
Security and Compliance in Office 365������������������������������������������������������������������������������� 394
Office 365 Secure Score������������������������������������������������������������������������������������������������������ 397
xiii
Table of Contents
Azure Site Recovery������������������������������������������������������������������������������������������������������������ 401
Vulnerabilities Assessment�������������������������������������������������������������������������������������������������� 406
Protective Technology ([Link])��������������������������������������������������������������������������������������������������� 409
Azure Mapping for [Link]���������������������������������������������������������������������������������������������������������� 412
Azure Security Information and Event Management����������������������������������������������������������� 418
AD Log Analytics������������������������������������������������������������������������������������������������������������������ 423
Microsoft BitLocker������������������������������������������������������������������������������������������������������������� 428
Microsoft AppLocker������������������������������������������������������������������������������������������������������������ 434
Azure Network Security Services���������������������������������������������������������������������������������������� 439
Microsoft Defender for Identify������������������������������������������������������������������������������������������� 450
Summary���������������������������������������������������������������������������������������������������������������������������������� 456
Chapter 7: Design and Deploy a Detect Solution�������������������������������������������������� 457
Incident Detection in Cybersecurity������������������������������������������������������������������������������������������ 458
Introduction to NIST Detect������������������������������������������������������������������������������������������������������� 460
Anomalies and Events ([Link])�������������������������������������������������������������������������������������������������� 462
Example 1: Cybersecurity Security Professional at Midsize Client�������������������������������������� 462
Example 2: Cybersecurity Analyst Working for a Financial Institution��������������������������������� 463
Azure Mapping to Anomalies and Events ([Link])��������������������������������������������������������������������� 464
Azure Sentinel��������������������������������������������������������������������������������������������������������������������� 470
Security Continuous Monitoring ([Link])���������������������������������������������������������������������������������� 477
Getting Started with DevSecOps����������������������������������������������������������������������������������������������� 477
DevSecOps Continuous Monitoring������������������������������������������������������������������������������������� 478
Azure Mapping to Security Continuous Monitoring ([Link])����������������������������������������������������� 480
Azure Monitor���������������������������������������������������������������������������������������������������������������������� 487
Azure AD Conditional Access����������������������������������������������������������������������������������������������� 492
Microsoft Defender for Cloud���������������������������������������������������������������������������������������������� 497
Microsoft Defender for Endpoint����������������������������������������������������������������������������������������� 503
Azure Policy������������������������������������������������������������������������������������������������������������������������� 509
Detection Processes ([Link])����������������������������������������������������������������������������������������������� 514
Azure Mapping to [Link]������������������������������������������������������������������������������������������������������ 517
Azure AD Identify Protection������������������������������������������������������������������������������������������������ 524
xiv
Table of Contents
Microsoft Defender ATP������������������������������������������������������������������������������������������������������� 530
Microsoft Red Team������������������������������������������������������������������������������������������������������������� 538
Summary���������������������������������������������������������������������������������������������������������������������������������� 540
Chapter 8: Design and Deploy a Respond Solution����������������������������������������������� 541
Incident Response in Cybersecurity������������������������������������������������������������������������������������������ 542
Introduction to NIST Respond��������������������������������������������������������������������������������������������������� 545
Response Planning ([Link])������������������������������������������������������������������������������������������������� 547
Communications ([Link])����������������������������������������������������������������������������������������������������� 569
Analysis ([Link])������������������������������������������������������������������������������������������������������������������ 580
Mitigation ([Link])���������������������������������������������������������������������������������������������������������������� 592
Azure Security Center���������������������������������������������������������������������������������������������������������� 600
Summary���������������������������������������������������������������������������������������������������������������������������������� 605
Chapter 9: Design and Deploy a Recovery Solution���������������������������������������������� 607
Cybersecurity Incident Recovery���������������������������������������������������������������������������������������������� 607
Introduction to NIST Recovery�������������������������������������������������������������������������������������������������� 609
Example: Data Breach��������������������������������������������������������������������������������������������������������� 611
Overview of the NIST CSF Recovery Module����������������������������������������������������������������������� 613
Example: Recovering from a Ransomware Attack��������������������������������������������������������������� 614
Azure Mapping to NIST Recovery���������������������������������������������������������������������������������������������� 617
Benefits of Azure Recovery Services����������������������������������������������������������������������������������� 618
Azure Backup���������������������������������������������������������������������������������������������������������������������������� 623
Key Components of Azure Backup��������������������������������������������������������������������������������������� 624
Overview of Supported Elements���������������������������������������������������������������������������������������� 626
Protect Against Ransomware���������������������������������������������������������������������������������������������� 630
Azure Backup Security Features Overview������������������������������������������������������������������������������� 632
Azure VM Backup����������������������������������������������������������������������������������������������������������������� 634
Azure Disk Backup�������������������������������������������������������������������������������������������������������������� 637
Azure Blob Backup�������������������������������������������������������������������������������������������������������������� 640
Azure File Share Backup����������������������������������������������������������������������������������������������������� 643
Azure Backup for Database������������������������������������������������������������������������������������������������� 647
xv
Table of Contents
Azure Backup for Azure Kubernetes Service����������������������������������������������������������������������� 649
Azure Offline Backup����������������������������������������������������������������������������������������������������������� 650
Azure Site Recovery������������������������������������������������������������������������������������������������������������������ 652
Key Features of Azure Site Recovery����������������������������������������������������������������������������������� 654
Site Recovery Services�������������������������������������������������������������������������������������������������������� 656
Azure Site Recovery in the Event of a Cybersecurity Incident��������������������������������������������� 658
Recovery Plans�������������������������������������������������������������������������������������������������������������������� 659
The Modernization of Disaster Recovery Failovers/Failbacks On-Premises����������������������� 661
Azure Traffic Manager and Azure Site Recovery������������������������������������������������������������������ 662
Azure ExpressRoute with Azure Site Recovery�������������������������������������������������������������������� 664
Azure Virtual Machine Recovery with Azure Site Recovery������������������������������������������������� 666
Overall Security Integration Component with Azure Site Recovery������������������������������������� 667
How to Set Up Disaster Recovery for an Azure VM to a Secondary Azure Region��������������� 669
Azure Security Baselines for Azure Site Recovery�������������������������������������������������������������� 670
Backup and Restore Plan to Protect Against Ransomware������������������������������������������������� 671
Summary���������������������������������������������������������������������������������������������������������������������������������� 674
Index��������������������������������������������������������������������������������������������������������������������� 675
xvi
About the Author
Puthiyavan Udayakumar is an infrastructure architect with more than 15 years of
experience in modernizing and securing IT infrastructure, including in the cloud. He
has been writing technical books for more than 10 years on various infrastructure and
cybersecurity domains. He has designed, deployed, and secured IT infrastructure on
premises and in the cloud, including virtual servers, networks, storage, and desktops for
various industries (such as pharmaceutical, banking, healthcare, aviation, and federal
entities). He also earned the Master Certified Architect certification from The Open Group.
About the Technical Reviewer
Kalyan Chanumolu is a senior technical program manager
at Microsoft. He works on building the engineering systems
that power the world’s computers. He has been a technical
reviewer for books on [Link], Blazor, microservices, and
more, and is passionate about distributed systems and cloud
computing. He has vast experience in software development,
consulting, and migrating large customer workloads to the
cloud. He loves cycling, swimming, and reading books.
Acknowledgments
Thanks to Smriti Srivastava for your invaluable support and guidance throughout the
publication process of this book. Your role as an acquisitions editor was instrumental in
bringing this book to fruition, and I am truly grateful for your expertise and dedication.
To Kalyan Chanumolu, I appreciate your time and effort in reviewing my work,
providing detailed feedback, and assisting with the necessary revisions. Your
professional approach, prompt communication, and attention to detail have made the
publishing journey smoother and more fulfilling.
Special thanks to Shonmirin P. A for your tireless efforts in publishing this book.
Thanks to all the Apress production team members.
Introduction
The rapid growth and adoption of cloud computing technologies have revolutionized
how organizations manage and deploy their information systems. However, with this
technological advancement comes an increased risk of cyber threats and security
breaches. Organizations need comprehensive frameworks and guidelines to address
these concerns and to establish robust cybersecurity practices. One such framework that
has gained significant traction in recent years is the National Institute of Standards and
Technology (NIST) Cybersecurity Framework (CSF).
In this book, we will explore the implementation of the NIST CSF within an Azure
cloud environment. This book provides a 360-degree view of the NIST CSF in line with
Microsoft Azure Services.
In alignment with industry best practices, the NIST CSF provides a structure for
organizations to assess and enhance their cybersecurity posture. This book shows
how to leverage Azure’s security features with the NIST CSF, enabling organizations to
strengthen their cloud security and protect their valuable assets. Specifically, the book’s
chapters cover the following:
Chapter 1: Get Started with Azure Security
Chapter 1 is an introductory guide to Azure and the NIST CSF, providing essential
knowledge to understand the subsequent chapters. The chapter covers the following
key topics:
• Introduction to cybersecurity
• Getting started with cloud computing and Azure
• Microsoft Azure security capabilities
• The foundation of the NIST CSF
By the end of this chapter, you will have a clear understanding of the basic concepts of
cybersecurity, cloud computing, and Microsoft Azure’s security capabilities. You will also
gain familiarity with the NIST CSF and its functions. This foundation sets the stage for the
subsequent chapters, which map the Azure security controls to the framework and guide
you on implementing effective cybersecurity practices within the Azure environment.
Chapter 2: Design and Deploy Security for Infrastructure, Data, and Applications
Chapter 2 focuses on designing and deploying effective security strategies in Azure,
covering three key areas: securing infrastructure and platform components, securing
identity, and securing apps and data. Additionally, the chapter introduces the concept of
Microsoft SecOps, which integrates security and operations to enable proactive security
practices. The chapter provides key insights for the following:
• Designing and deploying a strategy for securing infrastructure and
platform components
• Designing and deploying a strategy for securing identity
• Designing and deploying a strategy for securing apps and data
• Getting started with Microsoft SecOps
By the end of this chapter, you will have a comprehensive understanding of
designing and deploying security strategies in Azure. The chapter provides insights
into securing infrastructure and platform components, implementing robust identity
management, and safeguarding applications and data. Additionally, the chapter
introduces you to the concept of Microsoft SecOps and the significance of integrating
security and operations in Azure environments. This knowledge equips you with the
foundation to implement adequate security practices in subsequent chapters.
Chapter 3: Design and Deploy an Identify Solution
Chapter 3 introduces Azure’s identify security services and their alignment with the NIST
CSF’s Identify functions. It explores vital Azure services that support asset management,
business environment analysis, governance, and risk assessment. The chapter offers key
insights about the following topics:
• Introduction to Azure identify security services
• Asset Management ([Link])
• Business Environment ([Link])
• Governance ([Link])
• Risk Assessment ([Link])
By the end of this chapter, you will have a solid understanding of Azure’s identify
security services and their alignment with the NIST CSF’s Identify functions. You will
gain insights into asset management, business environment analysis, governance, and
risk assessment within Azure. This knowledge will lay the foundation for implementing
effective identify security strategies in subsequent chapters, strengthening the overall
security posture of Azure environments.
Chapter 4: Design and Deploy a Protect Solution – Part 1
Chapter 4 introduces Azure’s protect security services and their alignment with the
NIST Cybersecurity Framework’s Protect functions. It explores vital Azure services that
support identity management, authentication, access control, and awareness and training.
• Introduction to Azure protect security services
• [Link]: Identity Management, Authentication, and Access Control
• [Link]: Awareness and Training
By the end of this chapter, readers will have a solid understanding of Azure’s protect
security services and their alignment with the NIST Cybersecurity Framework’s Protect
functions. They will gain insights into identity management, authentication, access
control, and awareness and training within Azure.
Chapter 5: Design and Deploy a Protect Solution – Part 2
Chapter 5 introduces Azure’s protect security services and their alignment with the NIST
Cybersecurity Framework’s Protect functions. It explores vital Azure services that align
with data security.
• [Link]: Data Security
By the end of this chapter, readers will have a solid understanding of Azure’s protect
security services and their alignment with the NIST Cybersecurity Framework’s Protect
functions. They will gain insights into data security within Azure. This knowledge will
enable readers to implement adequate security measures in Azure environments,
safeguarding data against security threats.
Chapter 6: Design and Deploy a Protect Solution – Part 3
Chapter 6 introduces Azure’s protect security services and their alignment with the NIST
Cybersecurity Framework’s Protect functions. It explores vital Azure services that align
with Information Protection Processes and Procedures and Protective Technology.
• [Link]: Information Protection Processes and Procedures
• [Link]: Protective Technology
By the end of this chapter, readers will have a solid understanding of Azure’s protect
security services and their alignment with the NIST Cybersecurity Framework’s Protect
functions. They will gain insights into information protection processes and procedures,
and protective technology within Azure. This knowledge will enable readers to
implement adequate security measures in Azure environments.
Chapter 7: Design and Deploy a Detect Solution
Chapter 7 introduces Azure’s detect security services and their alignment with the NIST
Cybersecurity Framework’s Detect functions. It explores critical Azure services that
support the detection of anomalies, events, and security incidents, as well as continuous
monitoring and detection processes.
• Introduction to Azure detect security services
• [Link]: Anomalies and Events
• [Link]: Security Continuous Monitoring
• DE.DP: Detection Processes
By the end of this chapter, readers will have a solid understanding of Azure’s
detect security services and their alignment with the NIST Cybersecurity Framework’s
Detect functions. They will gain insights into detecting anomalies, events, and security
incidents within Azure environments and the importance of continuous monitoring
and efficient detection processes. This knowledge will equip readers with the tools and
techniques to implement effective threat detection and incident response strategies in
Azure, enhancing the overall security posture of their environments.
Chapter 8: Design and Deploy a Respond Solution
Chapter 8 introduces Azure’s response security services and their alignment with the
NIST Cybersecurity Framework’s Respond functions. It explores critical Azure services
that support response planning, communications, analysis, and mitigation during
security incidents. The chapter offers the following key insights:
• Introduction to Azure respond security services
• [Link]: Response Planning
• [Link]: Communications
• [Link]: Analysis
• [Link]: Mitigation
By the end of this chapter, readers will have a solid understanding of Azure’s respond
security services and their alignment with the NIST Cybersecurity Framework’s Respond
functions. They will gain insights into response planning, effective communications,
incident analysis, and mitigation strategies within Azure environments. This knowledge
will equip readers with the tools and techniques to develop robust incident response
capabilities in Azure, minimizing the impact of security incidents and facilitating a swift
and effective response.
Chapter 9: Design and Deploy a Recovery Solution
Chapter 9 introduces NIST recovery principles and explores Azure’s recovery services
that align with these principles. It focuses on Azure Recovery Services Mapping, Azure
Backup, and Azure Site Recovery, which are integral components of Azure’s robust
recovery capabilities.
• Introduction to NIST recovery
• Azure Recovery Services Mapping
• Azure Backup
• Azure Site Recovery
By the end of this chapter, readers will have a solid understanding of NIST recovery
principles and how Azure’s recovery services align with these principles. They will gain
insights into Azure Recovery Services Mapping, Azure Backup, and Azure Site Recovery
and their role in facilitating efficient and reliable recovery in Azure environments. This
knowledge will enable readers to develop robust recovery strategies, implement appropriate
backup mechanisms, and leverage Azure’s recovery services to minimize downtime
and ensure the resiliency of their systems and data.
CHAPTER 1
Get Started with Azure Security
Since the dawn of the Internet, people, organizations, and governments have fallen
victim to cyberattacks. Cybersecurity, cyberattacks, cybercriminals, and more have been
frequently discussed in the IT and business world. You’ll need a basic understanding of
these concepts to protect yourself and those around you.
Cybersecurity aims to prevent attacks, damage, and unauthorized access to
networks, programs, and data. In computing, security includes both cyber and physical
security—organizations use both to prevent unauthorized access to data centers and
other computerized systems.
Data security, which maintains the confidentiality, integrity, and availability of data, is a
subset of cybersecurity. Cybersecurity more broadly refers to the techniques and practices
that protect systems, networks, and the data they hold. When those practices are effective,
organizations and individuals are protected from the unauthorized exploitation of their
systems, networks, and technologies.
This chapter explains the fundamentals of cybersecurity and the key terminology
you will need to understand to implement Azure security and the National Institute of
Standards and Technology (NIST) Cybersecurity Framework (CSF).
Specifically, in this chapter, we will cover the following:
• Introduction to cybersecurity
• Getting started with cloud computing and Azure
• Microsoft Azure security capabilities
• Foundation of the NIST CSF
© Puthiyavan Udayakumar 2023
P. Udayakumar, Design and Deploy a Secure Azure Environment,
[Link]
Chapter 1 Get Started with Azure Security
Introduction to Cybersecurity
In this section, we’ll get started by understanding what cybersecurity is.
In a nutshell, cybersecurity is the practice of protecting systems, networks, and
programs from digital attacks. These attacks usually aim to access, change, or destroy
sensitive information, extort money from users, or interrupt normal business processes.
It is an essential part of any organization’s IT strategy. Cybersecurity is critical because
cybercriminals are constantly developing new methods to attack systems, networks, and
programs. Without proper security measures, organizations risk losing data, which can
be costly and can damage their reputation. It is, therefore, essential for organizations
to invest in cybersecurity to protect their data and systems. For example, organizations
should invest in cybersecurity for the following reasons:
• Protect sensitive data: One of the main reasons to invest in
cybersecurity is to protect sensitive data, such as financial
information, customer data, and intellectual property. A data breach
can have serious financial and reputational consequences for an
organization, and investing in cybersecurity can help prevent such
breaches.
• Comply with regulations: Many industries have regulations that
require organizations to have certain cybersecurity measures in
place. Failure to comply with these regulations can result in fines and
legal action. Investing in cybersecurity can help organizations stay
compliant with these regulations.
• Maintain customer trust: Customers expect organizations to keep
their data safe, and a data breach can erode trust in an organization.
By investing in cybersecurity, organizations can demonstrate
their commitment to protecting customer data and maintaining
customer trust.
• Prevent business disruption: Cyberattacks can disrupt business
operations, causing downtime and lost productivity. Investing in
cybersecurity can help prevent such disruptions and ensure that
business operations continue smoothly.
• Stay ahead of evolving threats: Cybersecurity threats are constantly
changing, and investing in cybersecurity can help organizations
stay ahead of these threats. This may involve investing in new
technologies, training employees on cybersecurity best practices, and
regularly updating cybersecurity measures to keep current with the
latest threats.
What Is a Cybersecurity Attack?
A cybersecurity attack is a malicious attempt to compromise a computer system, website,
or other digital platform, usually to steal data or disrupt operations. Cybersecurity
attacks can take many forms, such as phishing, malware, ransomware, and distributed
denial-of-service (DDoS) attacks.
Some of the most notable cyberattacks in history have occurred in the last five years; the following are representative examples.
Atlanta Ransomware Attack (2018): In March 2018, the city of Atlanta, Georgia, in the
United States, fell victim to a ransomware attack. City services and systems were widely
affected. The attackers demanded a payment in Bitcoin to restore the systems, but the
city refused to pay.
VPNFilter (2018): A sophisticated malware campaign that targeted routers and
network-attached storage (NAS) devices and is believed to have infected over half a million
devices. The FBI attributed the campaign to the group known as APT28, which is assessed
to have ties to Russia.
British Airways Data Breach (2018): Between August and September 2018, British
Airways reported a significant data breach that affected around 380,000 transactions.
Credit card information, names, addresses, and travel booking details were exposed.
Marriott Data Breach (2018): In November 2018, Marriott International announced
that the Starwood guest reservation database had been breached, exposing the personal
information of approximately 500 million guests.
Capital One Data Breach (2019): In July 2019, Capital One Financial Corporation
announced a significant data breach affecting over 100 million customers in the United
States and 6 million in Canada. Personal information was exposed, including names,
addresses, credit scores, and social security numbers.
Maze Ransomware Attacks (2019-2020): Maze was a prominent ransomware strain whose
operators exfiltrated data before encrypting victims’ files and then threatened to publish the
stolen data if the ransom wasn’t paid, a tactic now known as double extortion. It targeted a
wide range of industries and organizations.
3
Chapter 1 Get Started with Azure Security
SolarWinds Cyberattack (2020): In late 2020, a large-scale, sophisticated supply chain
attack was uncovered. It was initiated by compromising the build infrastructure of SolarWinds,
a company that creates software for managing and monitoring computer networks.
The attackers were able to insert malicious code (a backdoor) into SolarWinds’ Orion product, and
this trojanized software update was subsequently distributed to thousands of
SolarWinds’ customers. The U.S. government and many other organizations worldwide
were affected. This attack is attributed to a state-sponsored actor suspected to be
Russian.
Microsoft Exchange Server Attacks (2021): In early 2021, multiple zero-day
vulnerabilities in Microsoft Exchange Server were exploited in a widespread campaign.
Tens of thousands of organizations around the world were affected. Microsoft attributed
the attack to a group it calls HAFNIUM, which it believes to be state-sponsored and
operating out of China.
Colonial Pipeline Ransomware Attack (2021): In May 2021, a major U.S. fuel
pipeline operator, Colonial Pipeline, was hit by a ransomware attack attributed to a
criminal group known as DarkSide. The attack forced the company to shut down its fuel
distribution network, leading to fuel shortages in parts of the U.S. Eastern Seaboard.
Kaseya Ransomware Attack (2021): In July 2021, a ransomware attack targeted
Kaseya, a company that provides software tools to IT outsourcing shops. The attack
propagated through Kaseya’s software to the systems of companies that use Kaseya’s
products, resulting in one of the most widespread ransomware attacks on record.
Here are some of history’s other significant cyberattacks:
• The Melissa virus
• NASA cyberattack
• The 2007 Estonia cyberattack
• A cyberattack on Sony’s PlayStation Network
• Adobe cyberattack
• The 2014 cyberattack on Yahoo
• Ukraine’s power grid attack
Why Are Cyberattacks Executed?
Malicious actors carry out cyberattacks to steal data or disrupt operations.
Cybercriminals may have financial motives, such as extorting money from users or being
motivated by political or ideological reasons. Cyberattacks can also be used to gain
access to sensitive data, disrupt services, or damage an organization’s reputation.
A Closer Look at Cybersecurity
Enterprises must invest in cybersecurity and protect themselves against threats such as
hacking, data compromise, and identity theft, especially as more and more companies
switch to remote/hybrid working models and the online space expands. As technology
becomes more innovative, cybercriminals are getting smarter. Cybercrimes include
cyberextortion, ransomware attacks, identity fraud, Internet of Things (IoT) hacking,
malware, and phishing scams.
As cyber threats and attacks increase, cybersecurity is of utmost concern.
Cyberattackers now use sophisticated techniques to target systems, impacting
individuals, small businesses, and large organizations. As a result, IT and non-IT
firms alike are taking measures to combat cyber threats and understand the importance of
cybersecurity. There is a shortage of cybersecurity workers, even as cyberattacks are
happening constantly. Now is the time to start a career in cybersecurity.
To meet the growing demands of today’s businesses, we need 65 percent more
cybersecurity professionals, according to the (ISC)2 Cybersecurity Workforce Study.
Cybersecurity consists of techniques to safeguard the integrity of users, applications,
infrastructure, and data from attack damage and unauthorized access. It focuses on
organizational information security management and addresses business objectives and
IT security interdependence.
The benefits of cybersecurity programs include protecting systems from viruses,
worms, spyware, and other unwanted programs; minimizing computer crashes
and freezes; preventing intrusions; and strengthening cyber
defenses. Cybersecurity aims to protect systems against digital attacks, damage, and
unauthorized access.
Cybersecurity analysts must protect the confidentiality, integrity, and availability of
information systems against unauthorized access. Information security must be viewed from a
defense-in-depth perspective that utilizes multiple, overlapping security controls to
accomplish every cybersecurity objective. For analysts to develop controls capable
of rising to the occasion and responding to threats, they need to understand their
organization’s threat environment.
Cybersecurity Risk Analysis
The cornerstone of any information security program is cybersecurity risk analysis.
Analysts must thoroughly understand their technology environments and the external
threats those environments face. Cybersecurity risk assessments combine information about
internal and external factors to understand the threats the organization faces and
design controls that address them. To communicate clearly with other risk analysts, you
must understand three critical terms: vulnerabilities, threats, and risks.
• A vulnerability is a weakness in a device, system, application,
or process that might allow an attack to occur. Vulnerabilities are
within the control of cybersecurity professionals to remediate. An attacker can, for
example, conduct a denial-of-service (DoS) attack against the
websites hosted on an outdated version of the Apache web server
by exploiting a vulnerability. That DoS attack can be mitigated by
upgrading the Apache service within the organization to the most
recent version, which is not susceptible to this vulnerability.
• When it comes to cybersecurity, a threat is any outside force that
might exploit a vulnerability, such as a hacker who wants to attack a
website with a DoS attack and knows about an Apache vulnerability.
Many threats are malicious, but this is not always the case. For
example, an earthquake may damage the data center containing the
web servers, causing the website to be unavailable. Earthquakes have
no malicious intent at all. In most cases, cybersecurity professionals
cannot do much to eliminate a threat. Hackers will hack, and
earthquakes will strike whether we like it or not.
• There must be a combination of a threat and a vulnerability to pose a
security risk to an organization. In the example of a hacker targeting
a web server for a DoS attack, say the server is patched so that it
cannot be attacked; in that case, there is no risk because even though
a threat is present (the hacker), there is no vulnerability. Similarly,
a data center may be vulnerable to earthquakes because the walls
are not built to withstand the extreme movements present during
an earthquake. However, it may be located in an area that does not
experience earthquakes. The data center is vulnerable to earthquakes, but its
location means there is no earthquake threat, so no risk exists.
According to the Federal Information Processing Standards (FIPS), there are three
core security principles that guide the information security area: confidentiality,
integrity, and availability.
The three together make up the CIA triad, as shown in Figure 1-1.
Figure 1-1. FIPS CIA triad (Confidentiality, Integrity, and Availability surrounding Cybersecurity)
The role of the cybersecurity architect is to ensure that the built systems or solutions
will meet the three principles.
• Confidentiality: A cybersecurity architect wants to preserve the access
control and disclosure restrictions on information, so that the rules
protecting personal privacy and proprietary information cannot be broken.
• Integrity: A cybersecurity architect wants to avoid improper
(unauthorized) information modification or destruction. Here we
ensure nonrepudiation and information authenticity.
• Availability: The information must be available to access and use
all the time and with reliable access. Naturally, this applies only to
those who have the proper access rights.
Cyberattacks and their ramifications are everywhere these days. Global supply
chains are being attacked, resulting in significant economic consequences. It seems like
almost daily we hear about cybercriminals stealing the personal information of millions
of consumers from e-commerce sites. Government and health services are sometimes
blocked and extorted for ransom.
As cyberattacks evolve, they become more sophisticated. An organization or
institution can be targeted by cybercriminals from anywhere, including from inside an
organization.
Threat Landscape
Cyberattacks can exploit the entire digital landscape in which an organization
interacts, whether large or small. The following are key areas of the threat landscape:
email accounts, social media accounts, mobile devices, the organization’s technology
infrastructure, cloud services, and people.
Besides computers and mobile phones, threat landscapes can encompass any
element owned or managed by an organization and some that are not. Criminals use any
method to mount and carry out attacks, as you will learn next.
Threat modeling is an approach for analyzing the security of an application. In this
method, security risks are identified, quantified, and addressed in a structured manner.
It should be noted that a threat is not a vulnerability, as mentioned earlier. Threats can
exist even if there are no vulnerabilities.
Attack Vectors
An attack vector is the path by which an attacker gains access to a system.
For example, cybercriminals can use email as a vector to attack users. These emails
may appear legitimate but ultimately result in a user downloading files or clicking links
that compromise their devices. Wireless networks are another common attack vector.
Bad actors in airports and coffee shops often exploit vulnerabilities in people’s devices
by accessing unsecured wireless networks. Another common way for cyberattacks to
take advantage of a system is by gaining access to unsecured Internet of Things (IoT)
devices.
However, it is essential to know that attackers do not have to use any of these. They
can use a variety of less obvious attack vectors. Figure 1-2 shows some key attack vectors.
Figure 1-2. Key attack vectors (Removable Media, Browser, Cloud Services, Insiders, Weak Credentials, Compromised Credentials, Ransomware, Brute Force)
These are the attack vectors shown in the figure:
• Removable media: Media such as USB drives, smart cables, storage
cards, and more can be used by attackers to compromise a device. As
an example, hackers might load malicious code into USB devices that
are given to users as gifts or left in public spaces to be found.
• Browser: By using malicious websites or browser extensions,
attackers can install malicious software on users’ devices or change
the settings of their browsers. This allows access to a broader system
or network.
• Cloud services: In today’s world, organizations are increasingly
dependent on cloud services to conduct their business. An attacker
can compromise a poorly secured cloud resource or service or an
account in a cloud service, gaining control over all the resources
and services accessible to that account. They can also gain access to
another account with even more permissions.
• Insider threats: An organization’s employees can be an attack vector
in a cyberattack, intentionally or unintentionally. An employee might
become the victim of a cybercriminal who impersonates a person of
authority to trick them into granting unauthorized access to a system. This type
of attack is called social engineering. Although the employee acts
unintentionally as an attack vector in this scenario, employees with
authorized access can also misuse it deliberately to steal data or cause harm.
• Weak credentials: A data breach caused by a weak password can lead
to many more due to reused and weak passwords.
• Compromised credentials: In data leaks, phishing scams, and
malware, usernames and passwords continue to be exposed as
access credentials. When lost, stolen, or exposed, credentials allow
attackers unfettered access.
• Ransomware: Ransomware is malicious software (malware) that blocks
access to a system or data until a ransom is paid. This attack is typically
carried out by encrypting the victim’s files and demanding payment
in exchange for the decryption key. Ransomware attacks can be
delivered through various methods, including phishing emails, infected
websites, or exploiting software or systems vulnerabilities. The impact of
ransomware attacks can be severe, with victims potentially losing access
to essential data or systems and facing significant financial losses.
• Brute force: Attackers may repeatedly try different ways into your organization in a brute-
force fashion until one attempt succeeds. This may include phishing
emails, infected attachments, or guessing weak passwords or encryption keys.
Security Breaches
It is a security breach when someone gains unauthorized access to devices, services, or
networks. This is similar to an intruder (attacker) successfully breaking into a building (a
device, application, or network).
The following are forms of security breaches:
• Social engineering attacks: There is a common misconception that
security breaches occur only when a flaw or vulnerability in a technology
service or equipment is exploited, that is, that security breaches can
happen only when technology is vulnerable. That is not always
true. Attackers can exploit or manipulate users into granting them
unauthorized access to a system through social engineering attacks.
• Browser attacks: Browser attacks are a type of cyberattack that
targets vulnerabilities in web browsers to compromise user data and
systems. These attacks can take many forms, including phishing,
malvertising, and drive-by downloads.
Phishing attacks involve tricking users into clicking malicious links or
downloading malware disguised as legitimate software. Malvertising
involves injecting malicious code into online advertisements,
which can compromise the user’s browser when clicked. Drive-by
downloads involve automatically downloading malware onto the
user’s system when they visit a compromised website.
Browser attacks can have serious consequences, including data theft,
system compromise, and financial loss. To protect against these
attacks, users should keep their browsers and plugins up-to-date, use
strong and unique passwords, and avoid clicking suspicious links or
downloading unknown software. Additionally, businesses should
employ security measures such as web filters, intrusion detection,
and prevention systems to detect and block these attacks.
• Password attacks: During a password attack, someone tries to gain
access to a device or system by authenticating to a password-
protected account. For example, suppose an attacker has somehow
discovered someone’s work account username. Attackers often use
software to speed up guessing and cracking the password.
This is known as a brute-force attack, and it involves trying
many different password combinations to gain access to a user’s
account. The password must be correct only once for the attacker
to gain access.
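The brute-force pattern just described (many failures against one account from one source, possibly followed by a success) is exactly what a defender looks for in authentication logs. The following detection logic is an added example, not from the book; it runs over a constructed, sshd-style sample log with RFC 5737 documentation addresses, and the threshold and window are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). RFC 5737 documentation
# addresses are used for the client IPs.
SAMPLE_LOG = """\
2023-05-01T09:00:01Z sshd: Failed password for alice from 203.0.113.5
2023-05-01T09:00:03Z sshd: Failed password for alice from 203.0.113.5
2023-05-01T09:00:04Z sshd: Failed password for alice from 203.0.113.5
2023-05-01T09:00:06Z sshd: Failed password for alice from 203.0.113.5
2023-05-01T09:00:07Z sshd: Failed password for alice from 203.0.113.5
2023-05-01T09:00:09Z sshd: Accepted password for alice from 203.0.113.5
2023-05-01T09:10:00Z sshd: Failed password for bob from 198.51.100.7
2023-05-01T09:45:00Z sshd: Failed password for bob from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for each (user, source IP) pair that accumulates `threshold`
    failed logins inside a sliding `window`, plus a higher-severity alert when a
    successful login follows such a burst (the guessing may have worked)."""
    events = [e for e in (parse_line(line) for line in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(list)  # (user, ip) -> timestamps of recent failures
    alerts = []
    for e in events:
        key = (e["user"], e["ip"])
        # Drop failures that have slid out of the window relative to this event.
        failures[key] = [t for t in failures[key] if e["ts"] - t <= window]
        if e["result"] == "Failed":
            failures[key].append(e["ts"])
            if len(failures[key]) == threshold:  # fire once when the burst is reached
                alerts.append({"type": "brute_force", "user": e["user"],
                               "ip": e["ip"], "at": e["ts"]})
        elif len(failures[key]) >= threshold:
            alerts.append({"type": "success_after_burst", "user": e["user"],
                           "ip": e["ip"], "at": e["ts"]})
            failures[key].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

In the sample, alice's five failures within six seconds raise a brute_force alert and the following success raises success_after_burst; bob's two failures are 35 minutes apart and fall outside the window, so they raise nothing.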
Data Breaches
Data breaches occur when an attacker successfully gets access to someone’s data.
This can lead to severe consequences for the victim, whether that is a person, an
organization, or even a government. This is because the victim’s data could be abused
in many ways. For example, it can be held as ransom or used to cause financial or
reputational harm.
Malware
Cybercriminals use malware to infect systems and carry out actions that cause harm,
such as stealing data or disrupting normal operations. A malware program consists of
two main components: the propagation mechanism and the payload.
Propagation is how the malware spreads itself across one or more systems. Here are
a few examples of standard propagation techniques:
• Virus: We are already familiar with the term from biology, where a
virus enters the human body and spreads, causing harm. A
technology-based virus enters a system through a means of entry,
typically a user action. For example, a user might download a file or plug in
a USB device that contains the virus, contaminating the system. A
security breach has occurred.
• Worm: Once a worm has infected the system, it can spread to other
computers connected to it, and it does not require any action from
the user to apply itself across systems like viruses do. Worms can
infect a device by exploiting a vulnerability in an application, and
they cause damage by finding vulnerable systems they can exploit. A
worm can spread to other devices on the same network or connected
networks once it has infected one.
• Trojan: Trojan horses are malware that mimics real software. They
got their name from the soldiers hiding inside the wooden horse of
the Trojan legend. After installation, the program performs
malicious actions, including stealing information.
The payload is a malware action on an infected device or system. Here are some
common types of payloads:
• A ransomware payload locks down systems or data until a ransom
is paid. Cybercriminals can exploit an unknown vulnerability
in a network of connected devices to access all files across this
network and encrypt them. The attacker then demands a ransom
for decrypting the files. They may threaten to remove the files if the
ransom is not paid by a deadline.
• A spyware payload installs surveillance software on a device or system. For
instance, the malware installs a keylogger, collects
password information, and transmits it to the attacker without the
user’s knowledge.
It is the payload that enables a cybercriminal to bypass existing
security measures and cause harm to a system or device by
exploiting a vulnerability in the system or device. A backdoor is
another kind of payload: after infiltrating a software development
company, cybercriminals may leave some code behind in its products. A
cybercriminal can later use this backdoor to break into the application,
the device it runs on, and even the network and systems of an
organization or customer.
• As a payload, botnets link computers, servers, and other devices to a
network of infected devices that can be remotely controlled to carry
out malicious activities. Crypto-mining (often referred to as crypto-
mining malware) is one of the most common applications of botnet
malware. A device is connected to a botnet that mines or generates
cryptocurrencies with the device’s computing power. Users might
notice their computers running slower than normal and getting
worse daily.
Known Mitigation Strategies
Cyberattacks come in many forms. But how can you protect your organization
against them?
Organizations can keep cyberattackers at bay in several ways, from multifactor
authentication to improved browser security to advising and educating end users.
An organization’s mitigation strategy consists of steps to prevent or defend
against a cyberattack. Attacks are usually controlled by implementing technological
and organizational policies and processes. The following are some of the numerous
additional mitigation strategies.
Multifactor Authentication
Cybercriminals can access an account if its username and password are compromised;
multifactor authentication helps prevent this.
During multifactor authentication, users provide more than one form of
identification. A password, which is something the user knows, is one of the most
common forms of identification.
A phone, hardware key, or another trusted device can also be used for
authentication, as can fingerprints or retinal scans (biometric authentication). The
purpose of multifactor authentication is to verify the identity of a user using two or more
of these forms of verification.
When accessing an online account, a bank might require users to enter security
codes received on their mobile device and their username and password.
Browser Security
As you have already seen, attackers can compromise our Internet access by
exploiting poorly secured browsers. By downloading malicious files or installing
malicious add-ons, users can compromise their browsers, their devices, and even their
organizations’ systems. Organizations can prevent attacks of this
type by implementing these security policies:
• Prevent the installation of unauthorized browser extensions and
add-ons.
• Allow only permitted browsers to be installed on devices.
• Use web content filters to block specific sites.
• Keep browsers up-to-date.
• Educate users.
Educating your staff about social engineering attacks can help organizations defend
themselves. Social engineering attacks aim to exploit human vulnerabilities to harm
individuals. Organizations can teach users how to recognize malicious content they
receive or encounter and act when they see something suspicious.
• Recognize suspicious elements in a message.
• Never respond to external requests for personal information.
• Lock devices when they’re not in use.
• Store, share, and remove data according to the organization’s
policies only.
Threat Intelligence
It is not uncommon for cybercriminals to target organizations via a wide range of attack
vectors, and the threat landscape can be vast. As a result, organizations need to monitor,
prevent, defend against, and even identify potential vulnerabilities before cybercriminals
use them to conduct attacks.
Organizations can use threat intelligence to gather information about their systems,
vulnerabilities, and attacks. As a result of its understanding of this information, the
organization will be able to develop policies that protect against cyberattacks, including
those for security, devices, and user access. Threat intelligence collects information that
enables a company to gain insights into cyberattacks and respond accordingly.
Organizations can use technological solutions to implement threat intelligence
across their systems. These are often threat intelligence platforms that automatically
collect information and can even hunt for and respond to attacks and vulnerabilities.
These are just some mitigation strategies organizations can take to protect against
cyberattacks. Mitigation strategies enable an organization to take a robust approach to
cybersecurity, ultimately preserving confidentiality, integrity, and availability.
Cryptography
Cryptography and encryption may conjure up visions of spies and covert operations
or hackers sitting in windowless rooms. Yet much of today’s modern online world is
possible only with these two techniques. In fact, cryptography and encryption are the
cornerstones of any good cybersecurity solution. For example, they help to keep your
emails safe from prying eyes and protect online payments. As you continue your journey
into cybersecurity, you’ll see how we use cryptography and encryption to protect
ourselves in day-to-day activities.
Cryptography protects the confidentiality, integrity, and availability of information,
and in doing so protects against cyberattacks. Derived from the Greek word kryptos, which
means “hidden” or “secret,” cryptography is the practice of secure communication
between a sender and a recipient. Cryptography is typically used to obscure a written
message’s meaning, but it can also be applied to images.
The first known use of cryptography can be traced back to ancient Egypt and the
use of complex hieroglyphics. One of the first ciphers ever used to secure military
communications came from the Roman emperor Julius Caesar.
These two examples make clear that cryptography has many uses and isn’t limited to
the digital world. However, from those humble origins, one thing is sure: cryptography is
now a fundamental requirement in helping secure our digitally connected planet.
• Each time you use a browser to access, for example, an HTTPS
address, an online retail store, or your bank, elements of
cryptography keep your interactions confidential and secure.
• Whenever you wirelessly connect a device to a router to access the
Internet, cryptography helps make it secure.
• You can use cryptography to secure and protect external and internal
storage files.
• Smartphones have changed communication, from video and
audio calls to text messaging. Cryptography is used to maintain the
confidentiality and integrity of these communications.
As with all systems, cryptography has its own language; two important terms are
plaintext and ciphertext.
• The term plaintext represents any message, including documents,
music, pictures, movies, data, and computer programs, waiting to be
cryptographically transformed.
• When the plaintext has been turned into a secret message, it’s called
ciphertext. This term represents the encrypted/secured data.
Authentication and Authorization
Protecting against cybersecurity threats begins with secure authentication and
authorization. Discover how to prevent unauthorized access and identify identity-based
attacks.
Good cybersecurity relies on several factors to provide confidence and assurance
that your data is safe and being used as expected. For authentication to be effective, it
must be robust and straightforward, and it provides the mechanism by which you know
someone is who they claim to be.
As a rule, users should be given just enough permission to access the resources they
need once they have been authenticated. Authorization grants the user access to the
appropriate data and assets.
For example, when you go to the airport to board a flight, you must validate your
identity before receiving the boarding pass. You present yourself and your passport; if
they match, you are granted the boarding pass. Your boarding pass is your authorization,
allowing you to board the aircraft only for the booked flight.
Threats to Network Security
Protecting your network is essential in today’s modern online world, where information
is a valuable currency. Every day, networks are bombarded by thousands of cyberattacks.
Mostly, these attacks are thwarted, but occasionally, the news headlines will report on
the theft of data.
Here you’ll discover the different types of networks, how you connect with them,
and how data moves around a network. You’ll get an idea of the types of attacks
cybercriminals use to break into a network and the tools available to help you stop them.
Our modern world is built on networks, allowing us to communicate, shop, play, and
work from anywhere. This makes networks a prime target for cybercriminals who see
information as the new currency. They allow us access to a vast amount of information
not only about ourselves but also about businesses. A weak network security system may
compromise critical data’s confidentiality, availability, and integrity.
A robust security network requires an understanding of threats.
Attacks on networks can take the following forms:
• Active: The attacker gains unauthorized access to the network and
then alters or destroys data (say, by encrypting it), compromising its
usability and value.
• Passive: Cybercriminals attack networks to collect and monitor data
without altering it.
The following are common attacks on networks:
• Distributed denial-of-service attack: Malicious actors deploy botnets
to redirect high volumes of false traffic to enterprise networks via
large networks of malware-compromised devices. An organization’s
entire IT infrastructure can be crippled by DDoS attacks, which
overwhelm servers, prevent legitimate users from accessing a
website, and cause crashes.
• Man-in-the-middle attack: During a man-in-the-middle attack, an
attacker intercepts legitimate data traffic between a network and an
external data source (like a website) or within the network. Generally,
weak security protocols allow bad actors to steal credit card numbers,
usernames, and sessions from real-time transactions.
• Unauthorized access: In unauthorized network access attacks,
attackers often exploit weak passwords to guess legitimate users’
credentials and log in under false pretenses.
The following are the most common causes:
• Unencrypted networks or data
• Previously compromised accounts
• Insider threats
• Accounts with misused administrator rights
• Social engineering
• Phishing or spear-phishing attacks
Because social engineering attacks rely on human weaknesses,
they are notoriously difficult to prevent. Stronger cybersecurity
protections can better address technical vulnerabilities.
• Insider threats: There was a 47 percent increase in insider threat–
related incidents between 2018 and 2020 and an $11.45 million
increase in the total cost of insider threats.
Any individual with access to an organization’s computer
systems and data increases the risk of a network attack, whether
employees, vendors, contractors, or partners. It is difficult to
detect and prevent such attacks because the attacker already has
access to the network’s systems and data.
• Privilege escalation: Attackers use privilege escalation to
expand their reach within a target system or network. In horizontal
attacks, they gain access to adjacent systems; in vertical attacks, they
gain higher privileges within the target system.
Organizations must strictly adhere to the principle of least
privilege (PoLP) to prevent privilege escalation and protect
high-value data from unauthorized access. All users, whether
employees, third parties, applications, systems, or connected IoT
devices, are granted only the access levels necessary to perform
their job functions.
• SQL injection attacks: Less mature websites accept user input without
validating or moderating it, exposing their networks to SQL injection
attacks.
The attacker may submit malicious code instead of the expected
data values by filling out a support request form, leaving a
comment, or calling an API. Upon execution of this code, a
hacker can compromise the network and gain access to sensitive
information.
SQL injection attacks are more likely to occur on websites and
web applications using SQL-based databases.
• Bluetooth attacks: Bluetooth devices, such as smartwatches and
audio devices, have made communication more common. Although
Bluetooth networks are less common than wireless networks, they
are still suitable attack vectors. However, the criminal must be within
your device’s range. In bluejacking attacks, criminals send unsolicited
messages to Bluetooth-enabled devices. They are similar to how
someone rings your doorbell and runs away before you can answer,
and it’s mostly an annoyance.
• Wireless attacks: We can connect to networks anywhere in the world
seamlessly using wireless networks. Using a wireless network at
home, your smartphone and always-on IoT devices can connect to
the Internet. Cybercriminals use these networks to commit crimes
since they are widely available. Wardriving and spoofing Wi-Fi
hotspots are common wireless attacks.
• DNS attacks: A DNS server is designed for efficiency and usability
rather than security, so DNS attacks aim to exploit its weaknesses. For
example, DNS poisoning is one of the most common DNS attacks.
This is when an attacker redirects traffic from a legitimate site to a
bad site containing malicious links or malware by changing the IP
addresses in DNS lookup tables.
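To make the SQL injection item above concrete, the following added example (not the book's code) shows a lookup that splices form input into a query beside the parameterized form, using a constructed in-memory SQLite table standing in for a support-ticket store; the hostile input and the allowlist pattern are constructed for the demonstration.

```python
import re
import sqlite3

# Allowlist for account names; assumption for this demo, adjust to your naming rules.
OWNER_RE = re.compile(r"^[a-z0-9_.-]{1,32}$")


def build_demo_db():
    """Constructed in-memory support-ticket table (sample data, not real records)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO tickets (owner, body) VALUES (?, ?)",
        [("alice", "Printer on floor 2 is jammed"),
         ("bob", "VPN drops every hour"),
         ("carol", "Password reset request")],
    )
    conn.commit()
    return conn


def tickets_for_owner_vulnerable(conn, owner):
    """Deliberately vulnerable: the user-supplied value is spliced into the SQL
    text, so anything it contains is parsed as SQL by the database engine."""
    sql = "SELECT body FROM tickets WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def tickets_for_owner_safe(conn, owner):
    """Hardened: the value is bound as a query parameter. The SQL text is fixed,
    and the driver passes the value to the engine as data, never as syntax."""
    sql = "SELECT body FROM tickets WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


def validate_owner(owner):
    """Defense in depth: reject input that does not look like an account name
    before it ever reaches the database layer."""
    return bool(OWNER_RE.match(owner))


if __name__ == "__main__":
    conn = build_demo_db()
    # Constructed hostile input standing in for what could be typed into a form.
    hostile = "x' OR '1'='1"
    print("vulnerable:", tickets_for_owner_vulnerable(conn, hostile))  # every ticket
    print("safe:", tickets_for_owner_safe(conn, hostile))              # []
    print("validated:", validate_owner(hostile))                       # False
```

The vulnerable query returns every ticket because the input rewrote the WHERE clause; the parameterized query treats the same string as an owner name that does not exist, and the allowlist rejects it outright.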
Threats to Application Security
There are applications for nearly everything in today’s digitally connected world, from
how we interact with friends to how we work, what we buy and purchase, and how we
learn. As a result, cybercriminals have increased opportunities to wreak havoc.
Protecting your data is essential whether you’re a small business or a big
corporation. Understanding how applications can be compromised and where these
threats come from will enhance your application security and the confidentiality of any
stored or accessed data.
Applications with Untrustworthy Origins
In recent years, downloading applications has become easier, regardless of whether you
use a computer, smartphone, or tablet. Almost all of us use the more significant, well-
established app stores. Some of these will verify the authenticity of applications before
listing them and will prohibit certain types from being sold.
However, some app stores have few restrictions and minimal verification of an app’s
authenticity. Not all of the apps available in these stores are good. It is possible for
cybercriminals to package source code, give it the name of a legitimate application
that users might be familiar with, and upload it alongside legitimate applications to a
hosting site.
It is therefore possible to become a cyberattack victim if you install or run
applications from untrustworthy sources.
Vulnerabilities in Embedded Applications
Even though developers strive to keep their apps secure, it is impossible to guarantee 100
percent protection. Cybercriminals will inevitably try to exploit any vulnerability they
can find, and open-source and zero-day vulnerabilities are among the most common
application vulnerabilities.
Open-Source Vulnerabilities
The source code of open-source libraries is usually freely available, so anyone can access
it when they need to solve a specific problem. Developers commonly check for open-
source solutions when solving a particular problem.
Because open-source libraries are publicly developed, their code is equally available to
cybercriminals who try to exploit them. If a developer uses open-source libraries as part of
their application, they need to stay current on the latest versions to prevent cyberattacks.
Zero-Day Vulnerabilities
When cybercriminals find a zero-day vulnerability, they won’t publicize it but will take
full advantage of it. A cybercriminal conducts detailed reconnaissance of applications,
looking for vulnerabilities. By definition, the application owner was previously unaware
of a zero-day vulnerability and has not patched it.
A cybercriminal might notice that a banking app has a zero-day vulnerability and use it
to steal money and information from application users. The term zero-day refers to the
number of days between discovering a vulnerability and releasing a fix.
Browser-Based Threats
In addition to serving as our gateway to the Internet, browsers play a key role in our daily
lives. The following are two more common browser-based threats to look out for.
Cookie-Based Attacks
You have probably heard about cookies, but do you actually know what they are?
Cookies are plaintext files containing small bits of data, such as your user credentials,
the last search you made, the last time you bought something, etc. By removing the
need to constantly log in to a site, cookies enhance your browser experience and make
browsing easier.
In a session replay attack, the cybercriminal intercepts your communication,
eavesdrops on your login details, and then steals the cookie data to access the website
posing as you.
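A defender’s first check against the cookie theft just described is whether the site’s session cookies carry the attributes that limit interception and reuse. The following added example (my own code, not the book’s) parses Set-Cookie header values and reports missing Secure, HttpOnly, and SameSite attributes, plus overly long lifetimes on session-style cookies; the thresholds are an assumed baseline and the header values are constructed samples.

```python
# Assumed baseline for the demo, not a rule taken from the book.
SESSION_NAME_HINTS = ("sess", "sid", "token", "auth")
MAX_SESSION_LIFETIME = 24 * 60 * 60  # seconds


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value}).
    Attribute names are lower-cased; flag attributes map to ''."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookie(header):
    """Return a list of findings for one Set-Cookie header (empty = OK)."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plaintext HTTP, easy to intercept")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by scripts running in the page")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: attached to cross-site requests")
    looks_like_session = any(h in name.lower() for h in SESSION_NAME_HINTS)
    max_age = attrs.get("max-age", "")
    if looks_like_session and max_age.isdigit() and int(max_age) > MAX_SESSION_LIFETIME:
        findings.append("long Max-Age on a session cookie: a stolen copy stays valid for days")
    return findings


def audit_headers(headers):
    """Audit many Set-Cookie values; returns {cookie name: findings}."""
    return {parse_set_cookie(h)[0]: audit_cookie(h) for h in headers}


# Constructed sample headers (not captured from any real site).
SAMPLE_HEADERS = [
    "sessionid=a1b2c3; Path=/; Secure; HttpOnly; SameSite=Strict",
    "sessionid_legacy=d4e5f6; Path=/",
    "auth_token=g7h8i9; Secure; HttpOnly; SameSite=None; Max-Age=31536000",
]

if __name__ == "__main__":
    for cookie, findings in audit_headers(SAMPLE_HEADERS).items():
        print(cookie, "->", findings or ["OK"])
```

Run it against the Set-Cookie headers a login response actually returns; the first sample passes, the second is the unprotected cookie the passage warns about, and the third shows that a cookie can be marked Secure and HttpOnly yet still be replayable for a year.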
Typosquatting
A typosquatting attack involves a cybercriminal obtaining a domain name that is
mistakenly spelled, putting malicious code on it, and disguising it as a legitimate
website.
It is possible for users to confuse the malicious website for the legitimate one they
intended to visit.
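Catching lookalike domains before users are fooled is a standard defensive control: compare newly observed domains (from proxy logs or certificate transparency feeds) with the organization’s own names. The following added example (not from the book) does this offline in Python with edit distance and a small confusable-character map; the protected names and the observed list are constructed, and `contoso.com` is a placeholder brand.

```python
# Common look-alike substitutions to fold before comparing labels
# (assumed short list for the demo; real detectors use larger tables).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(label):
    """Lower-case a DNS label and fold confusable sequences to their plain form."""
    label = label.lower()
    for lookalike, plain in CONFUSABLES:
        label = label.replace(lookalike, plain)
    return label


def registrable_label(domain):
    """The label left of the last one (contoso.com -> contoso).
    Assumption: single-label public suffixes only; .co.uk-style suffixes
    would need a public suffix list."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a, b):
    """Edit distance computed with a single-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_distance(candidate, protected):
    """0 means the brand label matches after folding confusables (or only the
    suffix differs); otherwise the edit distance between the two labels."""
    return levenshtein(normalize(registrable_label(candidate)),
                       normalize(registrable_label(protected)))


def flag_lookalikes(candidates, protected, max_distance=2):
    """Return (candidate, protected, distance) for every near match,
    skipping domains that exactly equal a protected domain."""
    hits = []
    for cand in candidates:
        for legit in protected:
            if cand.lower() == legit.lower():
                continue
            dist = lookalike_distance(cand, legit)
            if dist <= max_distance:
                hits.append((cand, legit, dist))
    return hits


# Constructed inputs; contoso.com stands in for the organization's brand.
PROTECTED = ["contoso.com"]
OBSERVED = ["contoso.com", "c0ntoso.com", "contsoo.com", "contoso.net",
            "example.org", "cantoso.com"]

if __name__ == "__main__":
    for cand, legit, dist in flag_lookalikes(OBSERVED, PROTECTED):
        print(f"{cand} resembles {legit} (distance {dist})")
```

Distance 0 hits are the digit-substitution and suffix-swap cases, distance 1 and 2 are the misspellings; tune `max_distance` to the length of your brand names so that short labels do not produce a flood of false positives.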
Threats to Device Security
Every aspect of our daily lives and business relies on Internet-connected devices. In our
modern world, people and organizations depend on connected devices to meet their
most vital day-to-day needs. Devices access, store, and continuously collect information
about us while accessing and storing important business and personal data. Therefore,
cybercriminals target devices for unauthorized access and control of valuable data,
causing havoc for users and organizations alike.
Everyday life is reliant on devices in so many ways. All kinds of sensitive information
about us must be captured, stored, and shared by devices to do their jobs effectively.
Some devices may be almost invisible to us; we don’t realize how often we use them.
Device Threat Vectors
Cybercriminals can use the devices people rely on for their work and daily lives to carry
out attacks such as the following.
Phone, Laptop, or Tablet
Malicious apps can contaminate devices with malware that can exfiltrate sensitive data
from local storage without the user’s knowledge, compromising confidentiality and
integrity.
USB Drives
Cybercriminals can, for instance, load malicious software or files onto USB drives and
insert them into laptops. In the case of ransomware, the data is compromised because it
is locked in exchange for a ransom.
Always-On Home Assistant Devices
Cybercriminals can add malicious software to app stores for these devices, so they can
always be listening or watching. For instance, if a user installs it, cybercriminals can
secretly attack the device with spyware to record information and compromise data
confidentiality. The compromise could also spread laterally from one home device to
another.
Device Vulnerabilities
Devices can be compromised when they lack the latest security updates or strong
authentication. Attackers know the common vulnerabilities of devices and applications
and how to gain unauthorized access. If a device is connected to a Wi-Fi hotspot—in an
airport, for instance—it’s a prime target for attackers.
In most cases, malware such as backdoors and botnets can persist on a device even
after being updated, causing further damage when connected to a network.
Jailbreaking is when users find unofficial ways to get full access to their devices’ core
systems to customize them or to achieve other purposes. As a result, the device becomes
vulnerable because it might circumvent security measures. Cybercriminals can provide
false instructions or software that compromises the device.
When connected devices are not adequately secured, they can represent a threat vector.
Having learned this, we will now look at ways to keep them safe with cloud computing.
Getting Started with Cloud Computing
In this section, we’ll start by understanding what cloud computing is.
A cloud computing service delivers IT resources and applications via the Internet
with pay-per-use pricing on a pay-as-you-go basis. Suppose cloud consumers need to
share photos with millions of mobile users or provide services that help enterprises run
effectively and efficiently. In that case, the cloud offers rapid access to flexible and low-
cost IT resources.
Cloud computing delivers computing functions such as compute, network, storage,
database, software, analytics, artificial intelligence, and other IT functions to businesses
and consumers through a secured network, thus achieving economies of scale.
The concept of cloud computing has evolved enormously from a confusing and
highly insecure concept to one that IT consumers widely embrace. Whether the cloud
consumer’s business is large, medium, or small, cloud computing is now a crucial part of
an IT strategy.
Providers such as Microsoft Azure, Amazon Web Services, Google Cloud, and others
own the network-connected devices required for cloud services and allow consumers to
utilize cloud services as needed.
The following are the key characteristics of cloud computing:
1. Self-service: Once deployed, self-provisioned IT functions can be
automated, requiring no further involvement from an IT
administrator at the cloud consumer or the cloud provider.
2. Flexibility: Cloud hosting provides businesses with more
flexibility than on-premises hosting. Furthermore, if cloud
consumers need extra bandwidth, a cloud-based service can
deliver it instantly.
3. Pooled resources: The cloud transparently scales IT resources as
required in response to runtime conditions or as predetermined
by the cloud consumer or cloud provider.
4. Measured service: The measured-usage characteristic is a cloud
platform’s ability to keep track of the usage of its IT resources,
primarily by cloud consumers.
5. Rapid elasticity: Virtual and container resources are dynamically
provisioned and deprovisioned according to cloud consumer
demand, typically carried out through autoscaling.
6. Broad network access: Broad network access includes private
clouds that operate within a company’s firewall, public clouds, or
a hybrid deployment.
7. Automation: Automation is an essential characteristic of cloud
computing. Automating a cloud service is the process by which
it can be installed, configured, and maintained automatically. In
other words, it reduces manual effort by maximizing the use of
technology.
8. Security: Data security is one of the best features of cloud
computing. Cloud services keep a copy of the data they store so
that it cannot be lost. If one server fails, the copy can be restored
from the other server.
Consumers of cloud computing don’t have to make significant up-front investments
in hardware or spend a great deal of time managing their networks. Cloud consumers
can select the exact type and size of computing resources they need. Using cloud
computing, cloud consumers can access as many resources as they need almost
instantly.
In a nutshell, cloud computing enables you to access servers, storage, databases,
and a wide range of application services over the Internet. Cloud computing service
providers such as Microsoft own and maintain the network-connected hardware
necessary for these application services while also providing and using the computing
resources required by cloud consumers.
Cloud computing introduces a paradigm shift in how businesses obtain, use,
and manage their technology and how they budget and pay for technology services.
Adapting the computing environment quickly to changing business requirements
enables organizations to optimize spending. As usage patterns fluctuate, capacity can be
automatically scaled up or down, and services can be temporarily taken down or shut
down permanently as needed. In addition, Azure cloud services become operational
expenses (opex) rather than capital expenses (capex) with pay-per-use billing.
Top Benefits of Cloud Computing
Both small and large organizations use cloud computing technology to store information
in the cloud and access it from anywhere using an Internet connection. The benefits
of moving to the cloud vary based on the organization, but as illustrated in Figure 1-3,
several advantages are consistent.
Figure 1-3. Benefits of cloud computing (figure: economies of scale, opex versus capex,
stop guessing capacity, pay attention to business differentiators, reliability and security,
global reach, mobility, increased collaboration, disaster recovery, competitive edge)
Cloud computing offers economies of scale. Cloud computing is available both globally
and locally to meet security, regulation, and compliance requirements.
Enterprises can achieve lower variable costs than private cloud consumers can.
Azure, for example, can achieve economies of scale by aggregating usage from hundreds
of thousands of customers, which translates into lower prices.
The second benefit is the opex versus capex—cloud computing eliminates the need
for capital expenditures such as hardware and software running in on-prem data centers,
round-the-clock power and cooling, and subject-matter experts in managing complex
components 24/7. Cloud service providers run on a consumption-based model, which
means no up-front costs or capex. Companies pay for additional resources only when
needed and stop paying when they’re no longer needed.
The third benefit is the ability to stop guessing about capacity. Consumers of cloud
services often end up with either expensive idle resources or limited capacity when
making a capacity decision before deploying any applications. Cloud computing allows
organizations to stop guessing about their infrastructure requirements for meeting their
business needs. With a few minutes’ notice, cloud consumers can scale up or down as
necessary based on what is required.
Another benefit is being able to pay attention to business differentiators. Instead
of spending time racking, stacking, and powering servers, organizations can focus
on their business priorities with cloud computing. This paradigm shift can free
organizations from spending money on maintaining and running data centers. By using
cloud computing, businesses can concentrate on projects that differentiate them from
competitors, such as analyzing petabytes of data, delivering video content, creating
mobile applications, or exploring Mars.
Cloud computing offers companies reliability and security. Cloud computing makes
data backup, business continuity, and disaster recovery significantly less expensive
with availability zones. Cloud computing also has site-level redundancy. Data and
applications are replicated and mirrored across the redundant sites as per subscriptions.
In addition, modern-day cloud service providers offer a broad set of security
components, controls, policies, and compliance and regulatory standards, which greatly
strengthen the security posture from end to end. As a result, application infrastructure
data is highly secure against potential vulnerabilities and threats.
Global reach is another benefit. Cloud computing provides the advantage of
going global in minutes and in just a few clicks. Organizations can use this technology
to provide redundancy across the globe and provide lower latency and better
experiences to their customers at a minimal cost. Cloud computing makes it possible
for any organization to go global, which was previously available only to the biggest
corporations.
Mobility, increased collaboration, disaster recovery, and competitive edge are other
key benefits of cloud computing.
Three Delivery Models of Cloud Computing
Today IT infrastructure must meet growing client expectations for speedy, secure, and
stable services. As companies strive to develop their IT systems’ processing, compute,
and storage abilities, they often find that building and managing a robust, scalable, and
secure IT foundation is prohibitively expensive.
Cloud computing equips DevOps, DevSecOps, and SRE engineers with the ability
to converge on what matters most and avoid unnecessary procurement, support, and
retention planning. As cloud computing has increased in prevalence, numerous distinct
models and deployment strategies have emerged to meet the specific needs of different
users. Each cloud service and deployment model provides consumers with different
levels of control, flexibility, and management.
Cloud-native and hybrid cloud deployment models are the two available cloud
computing deployment models that enterprises focus on, as shown in Figure 1-4.
Understanding how each strategy applies to architectural decisions and options is
crucial.
Figure 1-4. Cloud computing deployment types (figure: cloud native, comprising IaaS,
PaaS, and SaaS; hybrid cloud, comprising private and public)
Cloud native refers to all application components running in the cloud; the application
is fully deployed in the cloud. Applications in the cloud have been either developed
using cloud technology or migrated from conventional infrastructure to take advantage
of its benefits. In cloud-based applications, low-level infrastructure pieces or higher-
level services can be used, abstracting away the management, scalability, and
architecture requirements of the core infrastructure.
Cloud hybridization refers to workloads run on-premises, on co-located
infrastructure, and on infrastructure that the cloud provider hosts. A hybrid cloud
environment enables cloud consumers to maximize the agility and flexibility of a public
cloud environment while taking advantage of their existing investments.
Imagine using the same tools cloud consumers have used for years to manage all
these resources. Cloud consumers can extend VMware infrastructure to the Azure cloud
using a hybrid cloud. The hybrid cloud can quickly and securely expand or consolidate
data centers, build disaster recovery environments, and modernize applications to meet
urgent security and compliance goals.
The cloud-native delivery model depicts a specific flow of IT resources offered
by a cloud provider. This terminology is typically linked with cloud computing and is
commonly used to represent a remote environment and administration level.
Cloud computing has three distinct delivery models: infrastructure as a service,
platform as a service, and software as a service, as depicted in Figure 1-5.
Figure 1-5. Cloud computing deployment models (figure: IaaS, PaaS, and SaaS stacks of
application, platform, network, storage, and compute layers, marking which layers are
owned by the service provider)
Here are more details about the three types:
• Infrastructure as a service (IaaS) is about delivering compute,
network, storage, and backup as a service that can be consumed
either yearly, monthly, or hourly. Resource units and their prices are
provided as a catalog.
• Platform as a service (PaaS) is all about IaaS with an integrated set
of middleware functions. Software development and deployment
tools allow a consistent way to create, modify, update, and deploy an
application on the cloud environment.
• Software as a service (SaaS) is all about the application hosted on
top of PaaS or IaaS, either dedicated or shared. In this deployment
model, cloud consumers pay based on the app’s consumption. The
cloud service provider fully manages the underlying infrastructure
and platform.
Now let’s explore the Azure cloud.
Microsoft Azure Overview
The integrated tools, prebuilt templates, and managed services from Microsoft Azure
make building and operating enterprise, mobile, web, and IoT apps easier, using skills
cloud consumers already have and technology they already understand.
Azure offers 200 or more online IT services and enables businesses to accomplish
almost all their needs in modern digital environments.
Azure supports the broadest range of operating systems, programming languages,
frameworks, tools, databases, and devices of any cloud provider. With Docker
integration, cloud consumers can run Linux containers; build apps with JavaScript,
Python, .NET, PHP, Java, and [Link]; and create back ends for any device. Millions of
users trust Azure services.
Azure has features such as networks with secure private connections, hybrid
databases, storage solutions, and data residency and encryption to integrate with
existing IT environments. With the Azure stack, cloud consumers can bring the Azure
model of app development and deployment into their data centers.
Microsoft also provides industry-leading protection and privacy to cloud consumers.
The European Union’s data protection authorities have recognized Microsoft for its
commitment to strict EU privacy laws. Microsoft was also the first global cloud provider
to adopt the new ISO 27018 international privacy standard.
Cloud consumers pay only for what they use with Azure’s pay-as-you-go services.
Microsoft can guarantee unbeatable performance prices by offering per-minute billing
and comparing competitor prices for popular infrastructure services such as compute
storage and bandwidth.
At the time of writing this book, Microsoft manages Azure’s worldwide network
of data centers in 26 regions—more than Amazon Web Services and Google Cloud
combined. With this fast-growing global footprint, cloud consumers can run apps and
ensure excellent performance for their users.
Azure’s predictive analytics services redefine business intelligence, including
machine learning, Cortana analytics, and stream analytics. By analyzing cloud
consumers’ structured, unstructured, and streaming IoT data, cloud consumers can
improve customer service and uncover new business opportunities.
No workload is too big or too small for Azure. At the time of writing this book, Azure
is used by more than 66 percent of Fortune 500 companies because it offers enterprise-
grade service-level agreements, 24/7 tech support, and round-the-clock service
monitoring.
Generally, large businesses integrate Azure into their existing environments by
migrating from a lower one. Cloud computing is not just about moving workloads to the
cloud, though; with constant improvements and new features, it is much more.
Cloud consumers access Azure services in many ways, such as Azure CLI, Azure
Mobile App, Azure PowerShell, Azure REST API, Azure Storage Explorer, and the
Azure Portal.
The Azure Portal can be used by businesses to manage Azure tenant subscriptions,
and IT can deploy, manage, and monitor all subscribed IT services. Customized
IT dashboards can be created in the Azure Portal so that cloud consumers can see
structured views of the IT services they consume. Azure Portal users can also customize
accessibility options for a better experience.
The Azure cloud offers high availability, scalability, reliability, elasticity, agility,
geo-distribution, resiliency, security, and edge to provide end users with the maximum
uptime. The following are the nine critical concepts associated with the Azure cloud.
1. High availability: Azure offers a wide variety of service-level
agreements (SLAs) to choose from, so cloud consumers’ cloud-based
applications can provide continuous user activity without
downtime.
2. Reliability: Azure lets an IT services workload perform its
intended function accurately and consistently when demanded,
and it offers a wide variety of automatic recovery from failure.
3. Scalability: Applications in the cloud can scale both vertically
and horizontally. Vertical scaling adds compute capacity by
adding vCPUs or vRAM to a virtual machine. Horizontal scaling
adds compute capacity by adding instances of resources, such as
adding VMs.
4. Elasticity: Cloud consumers can configure cloud-based
applications to take advantage of autoscaling, so cloud
consumers’ applications always have the resources they need on demand.
5. Agility: Cloud-based resources can be deployed and configured promptly as
cloud consumers’ app requirements demand.
6. Geo-distribution: Cloud consumers can deploy applications and
data to regional data centers around the globe, efficiently deploying
their applications in multiple regions throughout
the world.
7. Resiliency: By taking advantage of cloud-based backup services,
data replication, and geo-distribution, cloud consumers have a
fallback solution whenever disaster strikes.
8. Security: Azure security is the highest priority. Azure cloud
consumers benefit from a cloud architecture developed to meet
the obligations of the most security-sensitive businesses.
9. Edge: Azure IoT Edge is a fully managed Microsoft service built
on Azure IoT Hub. Cloud consumers can deploy workloads such as artificial
intelligence, Azure services, third-party services, and their own
business logic to operate on Internet of Things edge devices.
An Azure global infrastructure is developed with two key elements: physical
infrastructure and connective network components. The physical infrastructure
comprises 200+ physical data centers, organized into regions and connected by one of
the most extensive interconnected networks.
An Azure global infrastructure is classified into the following: regions, geographies,
availability zones, and availability sets, as shown in Figure 1-6.
Figure 1-6. Microsoft Azure global infrastructure logical view (figure: Azure geographies
containing Azure region pairs; each region contains availability zones and availability
sets)
Azure Regions
Azure regions are a collection of physical data centers installed within a security and
latency-defined network perimeter and connected via a dedicated, secure, low-latency
network.
Dedicated regional low-latency networks connect each region’s data centers within a
latency-defined perimeter. Azure’s design ensures optimal performance and security for
all regions.
With Microsoft Azure, cloud consumers have the freedom to install and configure
applications on demand. Each Azure region is equipped with a variety of IT services
and pricing. A region pair is what Azure calls a logical boundary containing two
geographically defined regions. Azure regions are defined by a specific geographical
boundary and are typically hundreds of miles apart.
There are more Azure regions globally than any other cloud provider. Azure
architects can bring cloud consumer applications close by putting them in these regions
no matter where cloud consumer end users are. The global regions provide better
scalability and redundancy, and cloud consumers can also maintain data residency.
Azure Geography
Azure geography is composed of regions that meet various compliance and data
residency requirements. As much as possible, Azure geography enables cloud
consumers to keep their apps and data close to their business. By utilizing the dedicated
high-capacity networking elements of Azure, a geography is fault tolerant and can
withstand region failures. There are at least two regions separated by a considerable
physical distance in each geography, which is vital to the Azure cloud. This pattern
allows Azure to achieve disaster recovery in each region.
Microsoft encourages customers to replicate their data across multiple Azure
regions. Microsoft promises network performance between regions of 2 milliseconds
or less.
Azure Availability Zones
Microsoft Azure developed a cloud pattern named availability zones to achieve
maximum availability for IT services that demand maximum uptime.
Availability zones are physically separate locations within a region that can
withstand local failures, including software and hardware failures, earthquakes, floods,
and fires. Because of Azure’s redundancy and logical isolation, it has a high degree
of fault tolerance. Each availability zone-enabled region has a minimum of three
availability zones for resiliency.
Availability zones enable cloud consumers to run services with high availability and fault
tolerance. Figure 1-7 shows an Azure availability zone logical view. Availability zones
apply only to the services that support them, not to all services offered by Azure.
By deploying IT services to two or more availability zones, the business achieves
maximum availability. Microsoft Azure offers a service-level agreement of 99.99 percent
uptime for virtual machines provided that two or more VMs are deployed into two or
more zones.
For the first-time user, it isn’t easy to differentiate between availability zones and
availability sets. Availability sets allow an IT service to create two or more virtual
machines in different physical server racks in an Azure DataCenter (DC). Microsoft Azure
offers a service-level agreement of 99.95 percent for availability sets, while Microsoft
Azure provides a service-level agreement of a 99.99 percent for availability zones.
Figure 1-7. Azure availability zone (figure: availability zones 1, 2, and 3, each with one or
more physical DCs, connected by diverse fiber paths)
Microsoft Azure offers three types of availability zone services: zonal services, zone-
redundant services, and nonregional services. Figure 1-10 shows a logical view of
three availability zones.
Microsoft Azure zonal services are IT services such as VMs, managed disks used in
VMs, and public IP addresses used in VMs. To achieve the high availability (HA) design
pattern, the IT function must explicitly install zonal services into two or more zones.
Microsoft Azure zone-redundant services are services such as zone-redundant
storage and SQL databases. To use the availability zones with ZRS and SQL DB services,
we need to specify the option to make them zone redundant during the deployment.
Microsoft Azure nonregional services are Azure services that are always available
from Azure geographies and are resilient to zone-wide blackouts and region-wide
blackouts.
Azure services enabled by availability zones are designed to offer the right reliability
and flexibility. They can be configured in two ways. Depending on the configuration,
they can be zone redundant, with automatic replication across zones, or zonal, with
instances pinned to specific zones. Clients can combine these patterns.
Figure 1-8. Azure regions by making use of another region (figure: within an Azure
geography, one region with availability zones 1, 2, and 3 connected by diverse fiber
paths, each with one or more physical DCs, and a second region used for disaster
recovery)
It is important to understand the FinTech management choices offered by Azure. By
grouping your Azure subscriptions, you can take bulk actions on them. You can manage
your subscriptions and resources efficiently by creating an Azure management group
hierarchy tailored to your business needs. You can apply governance conditions to any
Azure service, such as policies, access controls, or full-fledged blueprints, using the full
platform integration. You can manage resources better and get visibility into all your
resources. Using a single dashboard, you can monitor costs and usage.
Microsoft Azure requires you to assign Azure services to Azure resource groups when
you create them. Even though this grouping structure may seem like just another form of
administration, cloud consumers will use it for better infrastructure governance and cost
management. Figure 1-9 shows a logical view of the Azure infrastructure governance and
cost management.
Figure 1-9. Azure infrastructure governance and cost management (figure: management
groups contain subscriptions, which contain resource groups, which contain Azure
resources)
Let’s walk through each level of organization from the bottom up.
• A resource is an instance of a service that cloud consumers create,
such as a virtual machine, storage, or SQL database.
• Resource groups act as logical containers that Azure uses to deploy
and manage resources, such as web apps, databases, and storage
accounts.
• A subscription is a grouping of user accounts and the resources
they create. A certain number of resources can be created and used
per subscription. Organizations can use subscriptions to manage
costs and the resources that users, teams, and projects create.
• You can manage access, policy, and compliance across multiple
subscriptions with management groups. All subscriptions in a
management group inherit the conditions applied to that
management group.
Let’s look at these in more detail.
Azure Management Groups
Management groups are an efficient way to enforce policies and privilege control
on Azure cloud resources. Like a resource group, a management group is a logical
container for structuring Azure resources. However, management groups hold Azure
subscriptions or nested management groups. An Azure management group hierarchy
supports up to six levels. A single management group or a single subscription cannot
have multiple parents.
Here are a few facts about management groups:
• It is possible to support 10,000 management groups in one directory.
• It is possible to have a depth of six levels in a management group tree.
Subscription and root levels are excluded.
• There can be only one parent for each management group and
subscription.
• There can be many children for each management group.
• All subscriptions and management groups are grouped into a single
hierarchy in each directory.
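The structural rules just listed are easy to violate in a hierarchy that is generated from code before it ever reaches Azure. The following Python script is an added example, not the book's or Microsoft's code: it validates a proposed hierarchy against those rules (one parent per node, at most 10,000 management groups, at most six management group levels below the root, everything reachable from the single root) before any deployment is attempted. The hierarchy, the "Tenant Root Group" name and the "sub-" naming convention for subscriptions are constructed assumptions for the example.

```python
"""Validate a proposed Azure management group hierarchy before deploying it.

Added example (not the book's code). Checks the rules stated in the text:
one parent per management group or subscription, at most 10,000 management
groups per directory, a tree depth of at most six management group levels
below the root (root and subscription levels do not count), and a single
hierarchy rooted at the tenant root group.
"""
from collections import defaultdict

MAX_MANAGEMENT_GROUPS = 10_000
MAX_DEPTH = 6                 # management-group levels below the tenant root group
ROOT = "Tenant Root Group"    # assumed name of the directory's root group

# Constructed sample hierarchy as (child, parent) edges. Names starting with
# "sub-" are subscriptions (an assumption for this example); the rest are
# management groups.
SAMPLE_EDGES = [
    ("Contoso", ROOT),
    ("Platform", "Contoso"),
    ("Landing Zones", "Contoso"),
    ("Identity", "Platform"),
    ("Corp", "Landing Zones"),
    ("Online", "Landing Zones"),
    ("sub-identity-prod", "Identity"),
    ("sub-corp-app1", "Corp"),
    ("sub-online-web", "Online"),
]


def is_subscription(name: str) -> bool:
    """Subscriptions are leaves; they never add a level to the tree."""
    return name.startswith("sub-")


def validate_hierarchy(edges, max_depth=MAX_DEPTH, max_groups=MAX_MANAGEMENT_GROUPS):
    """Return a list of rule violations; an empty list means the hierarchy is valid."""
    problems = []
    parents = defaultdict(list)
    children = defaultdict(list)
    for child, parent in edges:
        parents[child].append(parent)
        children[parent].append(child)

    # Rule: exactly one parent per management group or subscription.
    for node, plist in parents.items():
        if len(plist) > 1:
            problems.append(f"{node!r} has multiple parents: {plist}")

    # Rule: at most max_groups management groups in the directory.
    nodes = {c for c, _ in edges} | {p for _, p in edges}
    groups = [n for n in nodes if n != ROOT and not is_subscription(n)]
    if len(groups) > max_groups:
        problems.append(f"{len(groups)} management groups exceed the limit of {max_groups}")

    # Rule: depth below the root must not exceed max_depth. Walk the tree from
    # the root; a node reached twice indicates a cycle or a second parent.
    stack = [(ROOT, 0)]
    seen = set()
    while stack:
        node, depth = stack.pop()
        if node in seen:
            problems.append(f"cycle or duplicate path at {node!r}")
            continue
        seen.add(node)
        for child in children.get(node, []):
            if is_subscription(child):
                seen.add(child)
                continue
            if depth + 1 > max_depth:
                problems.append(
                    f"{child!r} sits at management-group depth {depth + 1} (limit {max_depth})")
            stack.append((child, depth + 1))

    # Rule: a single hierarchy per directory, so everything hangs off the root.
    for node in sorted(nodes - seen):
        problems.append(f"{node!r} is not reachable from {ROOT!r}")
    return problems


if __name__ == "__main__":
    for problem in validate_hierarchy(SAMPLE_EDGES) or ["hierarchy is valid"]:
        print(problem)
```

Run the script against the hierarchy you intend to deploy (for instance, one exported from your infrastructure-as-code repository) before creating the groups; a violation found here costs nothing, whereas Azure will reject the offending create call only after the earlier levels already exist.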
Azure Subscriptions
An Azure subscription is created automatically as soon as you sign up for the Azure
cloud, and all resources are created within a subscription. A business can also
create additional subscriptions tied to the Azure account. Additional subscriptions
are useful whenever companies want logical groupings of Azure resources,
especially for reporting on the resources consumed by each department.
Microsoft Azure subscriptions are offered in the following three categories:
• Free trial: This offers completely free access for a limited time per
account for limited resources; expired accounts cannot be reused.
• Pay-as-you-go: Pay only for resources consumed in Azure. No capex
is involved, and cancellation is possible at any time.
• Pay-as-you-go dev/test: A subscription for Visual Studio subscribers that
can be used for development and testing. Production usage is not permitted.
Each Microsoft Azure subscription has a unique identifier called a subscription ID.
Microsoft recommends using the subscription ID to recognize the subscription.
Azure Resource Groups
A resource group is a logical collection of virtual machines, containers, storage accounts,
virtual networks, web apps, databases, and dedicated servers. Users typically group
related resources for an application, divided into production and nonproduction, but
you may decide to further subdivide them on demand.
Admins can deploy and run all services integrated with a specific app by grouping
them. Maintaining an enterprise array of services within a silo is now unnecessary.
An Azure resource cannot belong to more than one resource group at a time, but you
can move resources from one group to another (for example, before deleting a resource
group). All resources associated with a resource group are deleted when the resource
group is deleted.
Azure Resource Manager
Azure Resource Manager (ARM) is a crucial component for managing the underlying
IT resources and avoiding the operational overhead when managing all Azure services
separately.
Both the Azure Portal and the Azure command-line tools work through ARM, which
lets cloud consumers deploy multiple Azure resources quickly. ARM also makes it
possible to redeploy with a consistent outcome after an existing deployment fails.
Here are the most popular Azure resources and services:
• Azure virtual machines are an IaaS from Microsoft, and Microsoft
manages the underlying physical compute, network, and storage.
Cloud consumers manage the operating system, apps, and data that
run on top of the VM.
• Availability sets protect VMs with fault domains. Fault domains
protect VMs from hardware failures in a hardware rack.
• Scale sets allow the business to set up autoscale rules to scale
horizontally when needed.
• Azure App Service makes it easy to host web apps in the cloud
because it’s a PaaS service that removes the management burden
from the user.
• Azure App Service apps run inside an App Service plan that specifies
the number of VMs and the configuration of those VMs.
• Containers allow cloud consumers to create an image of an
application and everything needed to run it.
• Azure Container Instances (ACI) allows cloud consumers to run
containers for a minimal cost.
• Azure Container Apps simplifies the deployment of containerized
applications in the cloud. It enables developers to package their
applications into containers, deploy them to Azure, and manage
them using familiar tools and workflows.
• Azure Kubernetes Service (AKS) is a managed service that makes it
easy to host Kubernetes clusters in the cloud.
• Azure Cosmos DB is a NoSQL database for unstructured data.
• Azure SQL Database is a Microsoft-managed relational database.
• Azure Database for MySQL is a Microsoft-managed MySQL service.
• An Azure virtual network enables Azure resources to communicate with
each other and with the Internet.
• Azure Load Balancer can distribute traffic from the Internet across
various VMs in a dedicated VNet.
• ExpressRoute allows cloud consumers to have a high-bandwidth
connection to Azure of up to 10 Gbps by attaching to a Microsoft
Enterprise Edge router.
• Azure DNS accommodates fast DNS responses and high domain
availability.
• Azure Disk Storage is virtual disk storage specific to Azure VMs.
Managed disks remove the operation burden of disks.
• Azure Files allows cloud consumers to have disk space in the cloud to
map to a drive on-premises.
• Azure Blob Storage offers hot, cool, and archive storage tiers based on
how long cloud consumers intend to store the data and how often the
data is accessed.
• Azure DevOps uses development collaboration tools such as
pipelines, Kanban boards, Git repositories, and comprehensive
automated and cloud-based nonfunctional testing.
• Azure Virtual Desktop makes apps and desktop readily available to
multiple users from almost any device anywhere.
Azure Management Offerings
Management in Azure is the foundational building block for deploying and supporting
resources in Azure. Management tools can be divided into visual and code-based tools at
a high level, as shown in Figure 1-10.
Figure 1-10. Azure management methods (visual and interactive tools versus code-based and command-line tools)
Azure’s visual tools provide full access to all functionality in a visually friendly
manner. It may be less valuable to use visual tools when you’re trying to deploy a large
number of interdependent resources and have multiple configuration options.
In most cases, a code-based tool is the better choice when configuring Azure
resources quickly. The correct commands and parameters may take some time
to understand, but they can be saved into files and used repeatedly. Setup and
configuration code can also be stored, versioned, and maintained in a source code
management tool such as Git. When developers write application code, they use this
approach to manage hardware and cloud resources. It is called infrastructure as code.
In infrastructure as code, two approaches are available: imperative and declarative.
Imperative code details each step required to achieve the desired result. Declarative
code, by contrast, specifies only the desired outcome and lets an interpreter determine
how to achieve it. It is crucial to distinguish declarative tools from imperative ones,
because declarative tools provide a more robust way of deploying dozens or hundreds
of resources simultaneously and reliably.
To manage your cloud environment, Microsoft offers a variety of tools and services,
each geared toward a different scenario and user.
Management refers to the assignments and methods required to maintain IT
applications and the resources supporting the organization’s business. Azure has several
services and tools that operate together to give complete management tools to cloud
consumers, as shown in Figure 1-11.
Figure 1-11. Microsoft Azure management methods (Microsoft Azure Portal, Microsoft Azure PowerShell, Microsoft Azure CLI, Microsoft ARM templates, Microsoft Azure mobile app)
Microsoft Azure Portal
Use the Azure Portal to deploy, run, and monitor everything from web apps, databases,
virtual machines, virtual networks, storage, and Visual Studio team projects to complete
cloud-native applications, all through a single management plane and unified console.
The first time you sign up for the Azure Portal, you’ll be given a choice to take a tour
of it. If you are not familiar with it, take the time to see how the Azure Portal works.
The Azure Portal provides a web-based interface that accesses almost all of the Azure
features. The Azure Portal provides an intuitive graphical user interface to view all of
the services you are using, create new services, and configure them. This is how most
people engage with Azure for the first time. As their Azure usage grows, cloud consumers
are more likely to choose a repeatable, code-centric approach to managing their Azure
resources.
Figure 1-12 shows the first view of the Azure Portal.
Figure 1-12. Microsoft Azure Portal
Microsoft Azure PowerShell
Azure PowerShell is a kit of cmdlets for operating Azure resources that can be used from
the PowerShell command-line interface. Microsoft developed Azure PowerShell to make
it easy to read, write, and execute the code to provide powerful automation features for
IT support functions. AVD cloud administrators can use Azure PowerShell when they
want to automate.
PowerShell 7.x or later is the recommended PowerShell version for the Azure Az
PowerShell module on all platforms.
Use the following command to check the PowerShell version:
$PSVersionTable.PSVersion
Use the following command to install the Azure PowerShell Module (Az PowerShell
module):
Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force
Use the following command to connect to an Azure account (Az PowerShell module):
Connect-AzAccount
Microsoft Azure CLI
The Azure command-line interface (CLI) is a convenient way to deploy in Windows,
macOS, and Linux environments. The most straightforward way to begin with Azure
PowerShell is by trying it in an Azure Cloud Shell environment.
Use the following command to install the Azure CLI on Windows or to download and
deploy the latest release of the Azure CLI:
Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile
.\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList
'/I AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi
Use the following command to log in with cloud consumer account credentials in
the browser:
az login
Microsoft Azure Cloud Shell
The Azure Cloud Shell runs entirely in the browser; there is no need to install or
deploy anything.
To reach the Azure Cloud Shell, click the Cloud Shell button in the Microsoft Azure
Portal. When you first launch the Cloud Shell, you choose the environment to be used.
The Cloud Shell is presented with two choices, Bash and PowerShell, as shown in
Figure 1-13; cloud consumers can change this if they want.
Figure 1-13. Azure Cloud Shell
Once the console loads, you are prompted to create an Azure storage account; an
active subscription is required.
Type the following command to get help on PowerShell in the Azure Cloud Shell:
Get-Help
Microsoft ARM Templates
The Azure CLI and Azure PowerShell both allow Azure administrators/developers to
set up and tear down one Azure resource or orchestrate an infrastructure comprised of
hundreds of resources; however, there’s a better way to do this.
Azure Resource Manager templates (ARM templates) allow Azure administrators/
developers to describe resources in a declarative JSON format. As a result, the entire
ARM template is verified before any code is executed, ensuring that the resources are
correctly created and connected. The template then orchestrates parallel creation.
Consequently, if Azure administrators/developers need 50 instances of the same
resource, all will be created simultaneously.
Developers, DevOps professionals, or IT professionals specify each resource’s
desired state and configuration in the ARM template, and the template takes care of
the rest. Scripts can even be executed before or after a resource has been set up using
templates.
Microsoft Azure Mobile App
While users are away from their computers, they can still access Azure resources via the
Azure mobile app. Consumers can use the app to do the following:
• Monitor the Azure resource’s health and status.
• Restart a web app or virtual machine to catch alerts, diagnose
problems, and fix them fast.
• Manage Azure resources for cloud consumers using the Azure CLI
and Azure PowerShell commands.
Azure Monitoring Offerings
Azure Monitor allows cloud consumers to maximize the functional and nonfunctional
KPIs of applications and services. It gives an end-to-end solution for gathering,
interpreting, and acting on data from the Azure tenant cloud and for integrating it
with on-premises environments. In addition, it offers golden signals to identify issues
affecting KPIs proactively.
Azure Monitor performs the following tasks: gathering metrics, storing logs, and
providing insights.
• Metrics: The Azure service automatically gathers metrics (defined
as key performance indicators) and puts them in Azure Monitor
metrics.
• Logs: The Azure service maintains diagnostic configurations,
collecting platform logs and key performance indicators for Azure
Monitor logs.
• Application Insights: Azure Application Insights is available and
presents a well-defined monitoring experience for the consuming
service.
• Service health (complementary services): Microsoft runs an Azure
Status web page where cloud consumers can observe the status of Azure
services in each region where Azure runs. While it gives a good view of
overall Azure health, the sheer breadth of the page makes it an impractical
way to get an overview of the health of cloud consumer-specific services.
Instead, Azure Service Health gives cloud consumers a picture of the
resources they actually consume.
To reach Azure Monitor, click the Monitor button in the Microsoft Azure Portal.
Figure 1-14 shows the Azure Monitor dashboard.
Figure 1-14. Azure Monitor
Microsoft Azure Advisor
Microsoft Azure Advisor offers recommendations, and their impact, across cost,
security, reliability, performance, and operational excellence. It also checks that
cloud consumer resources are configured correctly for availability and efficiency. In
addition, Microsoft Azure Advisor can warn cloud consumers about problems in an
Azure service configuration before they cause trouble.
To reach Azure Advisor, click the Advisor button in the Microsoft Azure Portal;
Figure 1-15 shows the Azure Advisor dashboard.
Figure 1-15. Azure Advisor overview
Microsoft Azure Security Capabilities
In this section, we’ll look at the Azure security offerings.
Obviously, you need accurate and timely information about Azure security since
security is job one in the cloud. Azure’s wide range of security tools and capabilities
is one of the best reasons to use it for your applications and services. Through these
tools and capabilities, it is possible to build secure solutions on Azure’s platform. Using
Microsoft Azure, customers can access confidential, secure, and reliable data while
maintaining transparency and accountability.
Computer attacks are commonly defined as attempts to gain illegal access to
computers or computer systems to damage or harm them. But thinking only about
computers or computer systems is limiting, as virtually any modern digital device can
be a target for a cyberattack. As covered earlier in the chapter, they can range in severity
from a minor inconvenience to a global disruption of economic and social systems.
A cloud service model determines who manages the application or service’s security.
As part of the Azure platform, built-in features and partner solutions can be deployed
within a subscription to assist you with meeting these responsibilities.
The Azure platform has six distinct functional areas: operations, applications,
storage, networking, compute, and identity, as shown in Figure 1-16.
Figure 1-16. Azure security functional areas (operations, applications, storage, networking, compute, identity)
The following are the key features in security operations.
Microsoft Sentinel
Microsoft Sentinel is a cloud-native security information and event management (SIEM)
solution that also provides security orchestration, automation, and response (SOAR). As
a threat intelligence and security analytics solution, Sentinel allows organizations to
detect, visualize, respond to, and monitor attacks in one place.
Microsoft Defender for Cloud
With Microsoft Defender for Cloud, you gain more visibility and control to protect
Azure resources and to detect and respond to threats. Integrated security monitoring
and policy management across Azure subscriptions help detect threats that might
otherwise go unnoticed, and the service integrates with a broad ecosystem of security
products.
Additionally, Defender for Cloud helps you manage security operations by providing
a single dashboard that surfaces alerts and recommendations for immediate action.
Many issues can be resolved with just a single click within the console.
Azure Resource Manager
As mentioned earlier, with Azure Resource Manager, your solution resources can be
deployed, updated, or deleted in a single, coordinated operation. You can deploy,
update, or delete all the resources at once. Azure Resource Manager templates are used
for deployments, which can be used for testing, staging, and production environments.
When you deploy your resources, Resource Manager provides security, auditing, and
tagging features to make them easier to manage.
By building standard security control settings into standardized template-based
deployments, ARM templates improve the security of Azure solutions, because manual
implementations are more likely to result in security configuration errors.
Application Insights
With Application Insights, web developers can monitor live web applications and detect
performance anomalies automatically. The service provides extensible application
performance management (APM). It monitors your application constantly as it runs
during testing and after deployment.
Charts and tables generated by Application Insights show you, for example, when
you get the most users, how responsive the app is, and how well it interacts with external
services.
When your app becomes unavailable or performs poorly, the service sends you an
email notification. In the case of crashes, failures, or performance issues, you can
examine telemetry data in detail to determine what is causing them. Application Insights
ensures confidentiality, integrity, and availability, making it an effective security tool.
Azure Monitor
Both the Azure subscription (activity log) and individual Azure resources (resource logs)
can be visualized, queried, routed, alerted, autoscaled, and automated using Azure
Monitor. Azure Monitor alerts you to Azure logs that contain security-related events.
Azure Monitor Logs
With Azure Monitor logs, you can manage Azure resources and third-party cloud
infrastructure (such as Amazon Web Services). With Azure Monitor logs, you can view
metrics and logs for your entire environment in one place because data from Azure
Monitor can be routed directly there.
As the tool enables you to quickly search through large amounts of security-related
entries with a flexible query approach, Azure Monitor logs can be helpful in forensic and
other security analyses.
Azure Advisor
Azure Advisor is a customized cloud consultant that helps you optimize your Azure
deployments by analyzing your resource configuration and usage telemetry. After
analyzing your resources, it recommends ways to improve their performance, security,
and reliability and reduce the costs of Azure. With Azure Advisor, your security posture
can be significantly improved for the Azure solutions you deploy by providing security
recommendations. Microsoft Defender for Cloud generates these recommendations
based on its security analysis.
Azure-Based Application Security Capabilities
A summary of key features in application security is provided in the following sections.
Penetration Testing
Microsoft is not responsible for performing penetration testing on your application, but
we understand you would like to do so yourself. As a result, you contribute to the security
of the entire Azure ecosystem by enhancing your applications’ security. Although
notifying Microsoft of pen testing activities is no longer required, customers must still
follow Microsoft Cloud Penetration Testing Rules of Engagement.
Web Application Firewall
The web application firewall (WAF) is part of Azure Application Gateway and helps
protect web applications from common web-based attacks such as SQL injection, cross-site
scripting, and session hijacking. Rules covering the OWASP Top 10 vulnerability
categories are preconfigured, so the WAF defends against them automatically.
Authentication and Authorization in Azure App Service
App Service authentication/authorization allows you to protect your application and
work with per-user data without changing your back-end code.
Layered Security Architecture
Using App Service environments, developers can create layered security architectures
that grant each application tier different levels of access to the network because they
provide an isolated runtime environment deployed within an Azure Virtual Network
(VNet). There is a common desire to hide API back ends from general Internet access
and allow only upstream web applications to use APIs. Azure VNet subnets containing
App Service environments can be configured with network security groups (NSGs) to
restrict public access to API applications.
Web Server Diagnostics and Application Diagnostics
App Service web apps provide diagnostic capabilities that log information from both
the web server and the web application. Web server diagnostics and application
diagnostics are logically separated, and together they are two significant aids in
diagnosing and troubleshooting sites and applications on the web server.
In addition, the tracing events track requests throughout the entire request-and-
response cycle, providing real-time information about application pools, worker
processes, sites, and domains.
Using elapsed time or error codes, IIS 7 can automatically capture full trace logs for
any specific request in XML format.
Azure-Based Storage Security Capabilities
The following are the key features of Azure storage security.
Azure Role-Based Access Control (Azure RBAC)
Azure RBAC can be configured to secure your storage account. For organizations
that want to enforce security policies for data access, it is imperative to restrict access
according to the need-to-know and least-privilege principles. Azure roles assigned
to users, groups, and applications at a particular scope grant them the corresponding
access rights.
Azure RBAC provides built-in roles, such as Storage Account Contributor, that can be
used to secure your storage account.
Shared Access Signature
Delegating access to resources in your storage account is possible with shared access
signatures. You can grant limited permissions to objects in your storage account using
SAS for a specific period of time and with a specific set of permissions. You do not need
to share your account access keys to grant these limited permissions.
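A SAS is only as safe as the permissions, lifetime, and scope encoded in it, and those are visible in the token's own query string. The following Python script is an added example, not the book's or Microsoft's code: it parses the documented SAS query fields (sp permissions, st/se start and expiry, spr protocol, sip IP range, ss/srt for an account SAS, sr for a service SAS) and reports grants that are broader or longer-lived than a least-privilege delegation should be. Both tokens are constructed for the example, their sig values are placeholders rather than real signatures, and the one-hour lifetime threshold is an assumption you would tune to your own policy.

```python
"""Audit a shared access signature (SAS) token for least privilege.

Added example (not the book's code). It inspects the query-string fields a
SAS carries and flags write-capable or list permissions, long lifetimes,
plain-HTTP use, missing IP restrictions, and account- or container-wide scope.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Permission letters used by storage SAS tokens (subset relevant to the audit).
PERMISSION_NAMES = {"r": "read", "w": "write", "d": "delete", "l": "list",
                    "a": "add", "c": "create", "u": "update", "p": "process"}
WRITE_CAPABLE = {"w", "d", "a", "c", "u", "p"}

# Constructed sample tokens; the signatures are placeholders, not valid values.
BROAD_SAS = ("sv=2022-11-02&ss=bfqt&srt=sco&sp=rwdlacup&st=2024-01-01T00:00:00Z"
             "&se=2030-12-31T23:59:59Z&spr=https,http&sig=PLACEHOLDER_SIGNATURE")
NARROW_SAS = ("sv=2022-11-02&sr=b&sp=r&st=2024-06-01T09:00:00Z&se=2024-06-01T09:30:00Z"
              "&spr=https&sip=203.0.113.10&sig=PLACEHOLDER_SIGNATURE")
NOW = datetime(2024, 6, 1, 9, 5, tzinfo=timezone.utc)  # constructed "current" time


def parse_sas(token: str) -> dict:
    """Split a SAS query string (with or without a leading '?') into fields."""
    fields = parse_qs(token.lstrip("?"), keep_blank_values=True)
    return {k: v[0] for k, v in fields.items()}


def parse_time(value: str) -> datetime:
    """SAS times are ISO 8601 UTC; this example assumes the full seconds form."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_sas(token: str, now: datetime, max_lifetime: timedelta = timedelta(hours=1)) -> list:
    """Return a list of findings; an empty list means no concern was detected."""
    f = parse_sas(token)
    findings = []

    perms = set(f.get("sp", ""))
    write_like = perms & WRITE_CAPABLE
    if write_like:
        names = ", ".join(sorted(PERMISSION_NAMES.get(p, p) for p in write_like))
        findings.append(f"write-capable permissions granted: {names}")
    if "l" in perms:
        findings.append("list permission granted (enumerates every object in scope)")

    # Lifetime: expiry is mandatory; start defaults to issue time when omitted.
    if "se" not in f:
        findings.append("no expiry (se) set")
    else:
        expiry = parse_time(f["se"])
        start = parse_time(f["st"]) if "st" in f else now
        if expiry <= now:
            findings.append("token already expired")
        elif expiry - start > max_lifetime:
            findings.append(f"lifetime {expiry - start} exceeds {max_lifetime}")

    # Protocol: when spr is omitted the documented default allows both protocols.
    if "http" in f.get("spr", "https,http").split(","):
        findings.append("plain HTTP allowed (spr should be https)")
    if "sip" not in f:
        findings.append("no source IP restriction (sip)")

    # Scope: srt marks an account SAS; sr marks a service SAS.
    if "srt" in f:
        if "s" in f["srt"] or "c" in f["srt"]:
            findings.append(f"account SAS covers service/container level (srt={f['srt']})")
        if len(f.get("ss", "")) > 1:
            findings.append(f"account SAS spans multiple services (ss={f['ss']})")
    elif f.get("sr") == "c":
        findings.append("service SAS scoped to a whole container")
    return findings


if __name__ == "__main__":
    for label, token in (("broad", BROAD_SAS), ("narrow", NARROW_SAS)):
        print(label, audit_sas(token, NOW) or ["no findings"])
```

Because every one of these fields is chosen by whoever mints the token, the same checks can be applied at the point of issue (reject a request for a SAS that would trip them) as well as when reviewing tokens found in logs or configuration.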
Encryption in Transit
With Azure Storage, you can secure data when it is transmitted across networks using
encryption in transit.
• When transferring data into or out of Azure Storage, you should use
transport-level encryption, such as HTTPS.
• SMB 3.0 encryption for Azure File shares provides wire encryption.
• Data is encrypted before being transferred into storage and
decrypted after being transferred out.
Encryption at Rest
Three Azure storage security features provide encryption of data that is “at rest” to ensure
data privacy, compliance, and data sovereignty.
• When you write data to Azure Storage, storage service encryption
automatically encrypts it.
• The feature of encryption at rest is also provided by client-side
encryption.
• Azure Disk Encryption for Linux VMs and Azure Disk Encryption for
Windows VMs allow you to encrypt the OS disk and data disks used
by an IaaS virtual machine.
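ARM verifies a template's structure before any resource is created, but it does not enforce your security baseline; the transport and encryption settings above have to be right in the template itself. The following Python script is an added example, not the book's or Microsoft's code, tying the ARM template section to the encryption requirements here: it reads a template and reports every Microsoft.Storage/storageAccounts resource that allows plain HTTP, accepts a TLS version below 1.2, or permits anonymous blob access. The template is constructed for the example, with one deliberately weak account beside its hardened counterpart; the property names are the real ones documented for the storage account resource type.

```python
"""Pre-deployment check of storage account security settings in an ARM template.

Added example (not the book's code). Audits supportsHttpsTrafficOnly,
minimumTlsVersion and allowBlobPublicAccess on every storage account in a
template so that a weak setting is caught before deployment rather than by
a post-deployment recommendation.
"""
import json

# Constructed sample template: "stweakexample" shows the settings to avoid,
# "sthardenedexample" the corrected ones. The virtual network is ignored.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2022-09-01",
            "name": "stweakexample",
            "location": "[resourceGroup().location]",
            "sku": {"name": "Standard_LRS"},
            "kind": "StorageV2",
            "properties": {
                "supportsHttpsTrafficOnly": False,
                "minimumTlsVersion": "TLS1_0",
                "allowBlobPublicAccess": True,
            },
        },
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2022-09-01",
            "name": "sthardenedexample",
            "location": "[resourceGroup().location]",
            "sku": {"name": "Standard_LRS"},
            "kind": "StorageV2",
            "properties": {
                "supportsHttpsTrafficOnly": True,
                "minimumTlsVersion": "TLS1_2",
                "allowBlobPublicAccess": False,
            },
        },
        {
            "type": "Microsoft.Network/virtualNetworks",
            "apiVersion": "2022-07-01",
            "name": "vnet-example",
            "location": "[resourceGroup().location]",
            "properties": {"addressSpace": {"addressPrefixes": ["10.0.0.0/16"]}},
        },
    ],
})

TLS_ORDER = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2, "TLS1_3": 3}


def audit_storage_accounts(template_json: str) -> dict:
    """Return {storage account name: [findings]}; an empty list means it passed."""
    template = json.loads(template_json)
    report = {}
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Storage/storageAccounts":
            continue
        props = res.get("properties", {})
        findings = []

        # Encryption in transit: an explicit False opens the account to HTTP.
        if props.get("supportsHttpsTrafficOnly", True) is False:
            findings.append("supportsHttpsTrafficOnly is false (plain HTTP allowed)")

        # Minimum TLS version: flag anything below TLS1_2, and flag an omitted
        # value so the template states its intent rather than relying on a default.
        tls = props.get("minimumTlsVersion")
        if tls is None:
            findings.append("minimumTlsVersion not set (relies on service default)")
        elif TLS_ORDER.get(tls, -1) < TLS_ORDER["TLS1_2"]:
            findings.append(f"minimumTlsVersion {tls} is below TLS1_2")

        # Anonymous access: public blob reads bypass RBAC and SAS entirely.
        if "allowBlobPublicAccess" not in props:
            findings.append("allowBlobPublicAccess not set explicitly")
        elif props["allowBlobPublicAccess"]:
            findings.append("allowBlobPublicAccess is true (anonymous blob reads possible)")

        report[res["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_storage_accounts(SAMPLE_TEMPLATE).items():
        print(name, findings or ["ok"])
```

A check like this belongs in the pipeline step that runs before the template is submitted to ARM, where it fails fast; Azure Policy and Defender for Cloud will flag the same settings, but only once the weak account already exists.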
Storage Analytics
For a storage account, Azure Storage Analytics provides logging and metrics data.
Storage Analytics records detailed information about successful and failed requests
to a storage service so that you can trace requests, analyze usage trends, and diagnose
storage account issues. You can monitor individual requests and diagnose storage
service problems using this information. Requests are logged on a best-effort basis.
Authenticated requests are logged in the following ways:
• Requests that were successful
• Requests that failed due to timeouts, throttling, network issues, or
authorization issues
• Requests that use a shared access signature (SAS), whether they
succeed or fail
• Analytics requests
Enabling Browser-Based Clients Using CORS
With cross-origin resource sharing (CORS), the user agent sends extra headers so that
JavaScript code loaded from one domain can access resources located in another domain.
The second domain replies with extra headers that either allow the original domain to
access its resources or deny access.
When you set the CORS rules for Azure storage services, a properly authenticated
request from a different domain will be evaluated to determine if it is allowed.
Azure Network Security Capabilities
This section highlights key features of Azure network security.
An Azure VNet is the fundamental building block for a private network. VNets
provide a secure communication channel between Azure resources, such as virtual
machines (VMs). VNets are like traditional data centers but have the advantage of
Azure’s infrastructure, such as scalability, availability, reliability, broad network access,
hybrid connectivity, segmentation, isolation, and security.
An Azure VNet is a representation of your own network in the cloud. It is logically
isolated and dedicated to your subscription. VNets can be used to provision and manage
virtual private networks (VPNs) in Azure. Alternatively, they can be linked to other
VNets in Azure or to your on-premises IT infrastructure to create hybrid or cross-premises
solutions. You can link each VNet you create with another VNet and with an on-premises
network as long as the CIDR blocks do not overlap. The administrator can also control
VNet settings and segment the VNet into subnets.
In Azure, resources communicate securely with each other, the Internet, and
on-premises networks. With a virtual network, it’s possible to use Azure resources to
communicate with the Internet, communicate between your own Azure resources,
communicate with on-premises resources, filter network traffic, route network traffic,
and integrate Azure services.
Azure Network Communication with the Internet
Outbound communication is enabled by default for all resources in a VNet. You can
enable and manage inbound connections to a resource by assigning it a public IP address
or placing it behind a public load balancer.
Azure Communication Between Azure Resources
Azure resources communicate with one another in three main ways: through a virtual
network, through VNet peering, and through a virtual network service endpoint.
VNets also connect VMs with other Azure resources deployed into them, such as Azure
Kubernetes Service and App Service environments.
Azure resources such as Azure SQL databases and storage accounts can be reached via
service endpoints. As soon as you create a VNet, your services and virtual machines can
work together directly in the cloud.
The following methods are used by Azure resources to communicate securely with
each other:
• By a virtual network: Azure public virtual networks are used to deploy
virtual machines, as well as Azure App Service environments, Azure
Kubernetes Services (AKS), and Azure Virtual Machine Scale Sets.
• By VNet peering: Virtual networks can be connected, allowing
resources to communicate with another using virtual network
peering. Connecting virtual networks in different Azure regions is
possible.
• By a virtual network service endpoint: Connect your virtual network
directly to Azure services such as Azure Storage and Azure SQL Database,
so the service can identify your virtual network and its private address
space. You can restrict Azure service resources to a specific virtual
network by using service endpoints.
Azure Network Communication with the Private Cloud
Protect your data center by extending it securely. Your on-premises computers and
networks can be connected to a virtual network via a point-to-site VPN, a site-to-site
VPN, or Azure ExpressRoute. Connecting your on-premises computers and network to a
virtual network may be accomplished through any of the following options:
• Azure ExpressRoute: This establishes a connection between your
network and Azure via an ExpressRoute partner. It is a private
connection. Traffic does not go over the Internet.
• Point-to-site VPN: This is an Internet-based VPN between a virtual
network and a single computer in your network. Those who want
to establish connections to virtual networks must configure their
computers to do so. You can use this connection type if you’re a
first-time Azure user, work on a Proof of concept (POC), or are a
developer. A virtual network’s communication with your computer is
done over the Internet using an encrypted tunnel.
• Site-to-site VPN: A site-to-site VPN creates a virtual network
connection between your corporate VPN device and the Azure
VPN gateway. Access to a virtual network is enabled through this
connection type for any resource on-premises you authorize. An
encrypted tunnel connects your VPN device on-premises with the
Azure VPN gateway.
Filter Network Traffic
Using firewalls, gateways, proxies, and network address translation (NAT) services, you
can filter network traffic between subnets while maintaining network security. There are
two options for filtering network traffic between subnets.
• Network virtual appliances: These are virtual machines that perform
network functions such as firewalls, WAN optimization, or other functions.
• Network security groups: Network security groups and application security
groups allow you to filter network traffic entering and leaving resources
by source and destination IP address, port, and protocol.
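What makes a network security group safe or unsafe is how its rules are ordered: Azure evaluates them by priority number (lowest first) and the first match decides, with the platform's default rules sitting at priorities 65000 and above. The following Python simulator is an added example, not the book's or Microsoft's code, that reproduces this evaluation over a constructed rule set and sample flows, showing a misordered rule set beside a corrected one. The VirtualNetwork and Internet service tags are approximated by the RFC 1918 private ranges, and 168.63.129.16 stands in for the AzureLoadBalancer tag; both are simplifying assumptions for the example.

```python
"""Simulate how an Azure network security group (NSG) evaluates its rules.

Added example (not the book's code). Rules are processed in priority order
(lowest number first); the first rule whose direction, protocol, source,
destination and destination port all match decides the outcome, and later
rules are never consulted. Azure's default rules are modelled in simplified
form at the end of the list.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: the VirtualNetwork tag is approximated by the RFC 1918 ranges and
# Internet by everything else. Real service tags are maintained by Azure.
PRIVATE_RANGES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # CIDR, "*", "VirtualNetwork" or "Internet"
    dest: str
    dest_port: str   # single port, range "lo-hi", or "*"


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int


def _addr_matches(spec: str, ip: str) -> bool:
    addr = ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return any(addr in r for r in PRIVATE_RANGES)
    if spec == "Internet":
        return not any(addr in r for r in PRIVATE_RANGES)
    return addr in ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return port == int(spec)


# Simplified versions of the default rules Azure appends to every NSG.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "168.63.129.16/32", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]

# Constructed rule sets. MISORDERED intends to block RDP from the Internet but
# places the broad allow at a lower (stronger) priority than the deny.
MISORDERED = [
    Rule("AllowHttpsFromInternet", 100, "Inbound", "Allow", "Tcp", "Internet", "10.0.1.0/24", "443"),
    Rule("AllowRdpFromAnywhere", 200, "Inbound", "Allow", "Tcp", "*", "*", "3389"),
    Rule("DenyInternetRdp", 300, "Inbound", "Deny", "Tcp", "Internet", "*", "3389"),
]
CORRECTED = [
    Rule("AllowHttpsFromInternet", 100, "Inbound", "Allow", "Tcp", "Internet", "10.0.1.0/24", "443"),
    Rule("DenyInternetRdp", 110, "Inbound", "Deny", "Tcp", "Internet", "*", "3389"),
    Rule("AllowRdpFromMgmt", 120, "Inbound", "Allow", "Tcp", "10.0.2.0/24", "10.0.1.0/24", "3389"),
]

# Constructed sample flows using documentation address ranges.
RDP_FROM_INTERNET = Flow("Inbound", "Tcp", "198.51.100.7", "10.0.1.4", 3389)
RDP_FROM_MGMT = Flow("Inbound", "Tcp", "10.0.2.5", "10.0.1.4", 3389)
SSH_FROM_INTERNET = Flow("Inbound", "Tcp", "203.0.113.9", "10.0.1.4", 22)
HTTPS_FROM_INTERNET = Flow("Inbound", "Tcp", "203.0.113.9", "10.0.1.4", 443)


def evaluate(rules, flow: Flow):
    """Return (access, rule name) of the first matching rule in priority order."""
    for rule in sorted(list(rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if rule.direction != flow.direction:
            continue
        if rule.protocol != "*" and rule.protocol.lower() != flow.protocol.lower():
            continue
        if not (_addr_matches(rule.source, flow.src_ip) and _addr_matches(rule.dest, flow.dst_ip)):
            continue
        if not _port_matches(rule.dest_port, flow.dst_port):
            continue
        return rule.access, rule.name
    return "Deny", "<no rule>"   # unreachable in practice: DenyAll always matches


if __name__ == "__main__":
    for label, rules in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        print(label, "RDP from Internet ->", evaluate(rules, RDP_FROM_INTERNET))
```

The misordered set allows RDP from the Internet even though a deny rule for exactly that traffic exists, because priority 200 is evaluated before 300; the corrected set places the deny first and scopes the allow to the management subnet. Running an exported NSG through a simulator like this is a cheap way to confirm that the rules express the intent before traffic does.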
Route Network Traffic
Azure routes traffic between subnets, connected virtual networks, on-premises networks,
and the Internet. To override Azure’s default routes, implement one of these two options:
• Route tables: It is possible to create custom route tables with routes
that control where traffic is routed for each subnet.
• Border Gateway Protocol (BGP) routes: By connecting your virtual
network to your on-premises network using an Azure VPN Gateway
or ExpressRoute connection, you can propagate your on-premises
BGP routes to your virtual network.
Integrate Azure Services
Virtual machines or compute resources in an Azure virtual network can access Azure
services privately when those services are integrated into the virtual network. Your
virtual network can be integrated with Azure services in several ways.
• You can deploy dedicated instances of the service into your virtual
network. The service can then be accessed privately within the virtual
network and from the on-premises network.
• From your virtual network and on-premises networks, you can access
a specific service instance using Private Link.
• You can also connect to the service through service endpoints from
your virtual network; the service resources can then be secured to that
virtual network.
Other Network Services
The following are other Azure network services that help to strengthen Azure
networking:
• Azure Firewall: Azure Firewall protects your Azure VNet resources by
providing managed, cloud-based network security. You can create,
enforce, and log policies across subscriptions and virtual networks by
using Azure Firewall.
• Azure Bastion: Azure Bastion is a fully managed service that delivers
more secure and seamless Remote Desktop Protocol (RDP) and SSH
access to VMs without exposing them on public IP addresses. It is
provisioned inside your virtual network (or a peered virtual network)
and serves all the VMs within it.
• Azure Peering Services: By using Azure Peering, customers can
connect to Microsoft cloud services such as Microsoft 365, Dynamics
365, SaaS services, Azure, and any other Microsoft service accessible
on the Internet.
• Azure DDoS Protection: Azure DDoS Protection provides
countermeasures for the most sophisticated DDoS attacks. You can
use the service to enhance the mitigation of DDoS attacks on your
virtual network resources and applications.
Customers that move their applications to the cloud face a
number of security and availability concerns due to DDoS attacks.
In a DDoS attack, the application’s resources are exhausted,
preventing legitimate users from accessing the application. The
attack can be targeted at any Internet-accessible endpoint.
• Azure Private Link: Azure Private Link lets you connect to Azure
PaaS services (Azure Storage and SQL Database) and Azure-hosted,
customer-owned, and partner services over a private network
connection.
• Virtual private network: A VPN uses the Internet to connect separate
LANs while keeping the traffic private. It connects remote systems as
if they were on a local network, often for security reasons.
• Virtual Network NAT: A NAT gateway simplifies outbound-only
Internet connectivity for virtual networks. When configured
on a subnet, a static public IP address is used for all outbound
connections.
• ExpressRoute: You can extend your on-premises networks into the
Microsoft cloud with ExpressRoute over a private connection through
a connectivity provider.
• ExpressRoute circuits: You can deploy an ExpressRoute circuit either
through a connectivity provider or through ExpressRoute Direct. If
you want to use ExpressRoute with any combination of ExpressRoute
offerings, you must use an ExpressRoute circuit.
• ExpressRoute Direct: With ExpressRoute Direct, you can connect
directly to the global Microsoft network. It is available in 10 Gbps and
100 Gbps dedicated capacity. ExpressRoute Direct supports massive
data ingestion into services such as Cosmos DB, physical isolation
for regulated industries, and control over circuit distribution by
business unit.
• ExpressRoute FastPath: FastPath is an ExpressRoute circuit
configuration designed to improve the performance of data paths
from the on-premises network to the virtual network in Azure. By
enabling FastPath, network traffic is sent directly to virtual machines
in the virtual network, bypassing the host.
• ExpressRoute Gateway: The ExpressRoute virtual network gateway
allows you to exchange IP routes and route network traffic between
your Azure and on-premises networks. ExpressRoute requires you
to create a virtual network gateway to connect to virtual networks
in Azure.
• ExpressRoute Global Reach: ExpressRoute Global Reach lets you
connect your on-premises networks by linking circuits together. You
can establish connections between your branch offices and Microsoft
that allow them to exchange data directly if you have multiple circuits
linking them.
• ExpressRoute Monitor: ExpressRoute Monitor lets you view
ExpressRoute circuit metrics, resource logs, and alerts.
• Web Application Firewall: Azure WAF protects your web applications
against common exploits and vulnerabilities. Malicious attacks that
use known vulnerabilities increasingly target web applications;
cross-site scripting and SQL injection, for example, are common.
• Azure Application Gateway: Azure Application Gateway manages
traffic to your web applications with a load balancer. It offers a variety
of load-balancing capabilities for Layer 7 as an Application Delivery
Controller (ADC) as a service.
• Azure Traffic Manager: Azure Traffic Manager is a DNS-based
network load balancer that provides high availability and
responsiveness while distributing traffic optimally to services across
global Azure regions.
• Azure Load Balancer: Azure Load Balancer provides high availability
and network performance to your applications. Incoming traffic
is distributed among healthy instances of services within a load-
balanced set using a layer 4 (TCP, UDP) load balancer.
Azure Compute Security Capabilities
The following are the key features in Azure compute security.
Azure Confidential Computing
As the final piece of the data protection puzzle, Azure confidential computing allows you
to protect your data at all times: at rest, in transit over the network, and in use while
it is in memory. Remote attestation lets you cryptographically verify that the virtual
machine you provision has booted securely and is configured correctly, and only then
release (unlock) your data to it.
You can enable “lift-and-shift” scenarios of existing applications or control security
features completely. In IaaS, you can use AMD SEV-SNP virtual machines or Intel
Software Guard Extensions (SGX) virtual machines with confidential application
enclaves. Microsoft has several container-based PaaS options, including Azure
Kubernetes Service (AKS).
Anti-malware and Antivirus
As part of Azure IaaS, you can protect your virtual machines from malicious files, adware,
and other threats by using antimalware software from Microsoft, Symantec, Trend
Micro, McAfee, and Kaspersky. Microsoft Antimalware for Azure Cloud Services and
virtual machines helps protect your cloud services by identifying and removing viruses,
spyware, and other malicious software. Microsoft Antimalware can alert you, either
directly or through Microsoft Defender for Cloud, when known malicious or unwanted
software attempts to install or run on your Azure systems.
Hardware Security Module
The keys used for encryption and authentication must themselves be protected. In Azure
Key Vault, you can store your critical secrets and keys in hardware security modules
(HSMs) that meet the FIPS 140-2 Level 2 standard. Keeping your keys in Key Vault,
together with any other keys or secrets your applications use, simplifies the management
and security of your critical secrets. Azure Active Directory manages permissions and
access to these protected items.
Virtual Machine Backup
With Azure Backup, you can protect your application data for free, with minimal
operating costs and no capital investment. It protects your virtual machines running
Windows and Linux from application errors and human error, both of which can lead to
security issues.
Azure Site Recovery
You must identify how to keep your business continuity/disaster recovery (BCDR)
strategy up and running during planned and unplanned outages. Azure Site Recovery
makes your workloads and apps available if your primary location fails by orchestrating
replication, failover, and recovery.
SQL VM TDE
Column-level encryption (CLE) and transparent data encryption (TDE) are SQL Server
encryption features that require customers to manage and store their cryptographic
keys. Azure Key Vault (AKV) improves the security of these keys and allows them to be
managed in a highly available, secure environment. SQL Server can use these keys
through the Azure Key Vault connector.
For SQL Server in Azure VMs, the Azure Key Vault Integration feature saves the time it
would otherwise take to configure Key Vault access the way you would for an on-premises
SQL Server instance. The configuration required for a SQL VM to access your key vault
can be automated with a few Azure PowerShell cmdlets.
VM Disk Encryption
Your IaaS virtual machine disks can be encrypted using Azure Disk Encryption for
Linux and Windows VMs. It uses Windows BitLocker and Linux DM-Crypt to provide
volume encryption for the operating system and data disks. The solution is integrated
with Azure Key Vault so that you can manage and control the disk-encryption keys and
secrets in your Key Vault subscription. As part of the solution, your Azure storage
account encrypts all data on virtual machine disks at rest.
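The HSM-backed key vault described under “Hardware Security Module” and the Azure Disk Encryption rollout described here, carried out end to end as an added Azure PowerShell example that is not the book’s own code; the resource group, region, VM name, vault name (which must be globally unique) and key name are assumptions:

```powershell
# Added example (not from the book). Assumes the Az modules are installed,
# Connect-AzAccount has been run, a VM named 'vm-app-01' already exists, and
# the signed-in account can create keys in the vault (automatic under the
# access-policy model; assign Key Vault Crypto Officer under the RBAC model).
$rg       = 'rg-secure-demo'    # assumed resource group
$location = 'eastus'            # assumed region
$vmName   = 'vm-app-01'         # assumed VM
$kvName   = 'kv-ade-demo-0001'  # assumed; Key Vault names are globally unique

# Premium SKU = HSM-protected keys (the FIPS 140-2 Level 2 modules the text
# refers to). EnabledForDiskEncryption lets the Azure platform read the
# BitLocker/DM-Crypt secrets. Purge protection means a deleted key cannot be
# permanently destroyed during the retention window, which is what stands
# between an accidental (or malicious) key deletion and unrecoverable disks.
$kv = New-AzKeyVault -Name $kvName -ResourceGroupName $rg -Location $location `
    -Sku Premium -EnabledForDiskEncryption -EnablePurgeProtection

# A key encryption key (KEK) generated inside the HSM. The per-VM disk
# secret is wrapped with it, so the secret never sits unwrapped in the vault.
$kek = Add-AzKeyVaultKey -VaultName $kvName -Name 'kek-ade' -Destination HSM

# Enable Azure Disk Encryption on the OS and data volumes. This restarts the
# VM, so schedule it; -Force suppresses the confirmation prompt.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -KeyEncryptionKeyUrl $kek.Id -KeyEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All -Force

# Check: OsVolumeEncrypted and DataVolumesEncrypted should report Encrypted
# once the extension has finished.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
```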
Virtual Networking
Virtual machines in Azure need network connectivity, which they get by being connected
to an Azure VNet. A VNet is a logical construct built on the Azure network fabric. It
isolates your deployments from all other VNets, which ensures that other Azure
customers cannot access them.
Patch Updates
Using patch updates simplifies the process of finding and fixing potential problems and
simplifies the management of software updates by reducing the number of updates you
need to deploy in your enterprise and improving compliance monitoring.
Security Policy Management and Reporting
In addition to increasing visibility and control over your Azure resources’ security,
Defender for Cloud helps you prevent, detect, and respond to threats. Security
monitoring and policy management are integrated across your Azure subscriptions,
allowing you to detect threats that could otherwise go undetected. It works with a wide
range of security solutions.
Azure Identity Security Capabilities
Microsoft manages identity and access across its products and services using multiple
security practices and technologies.
Azure Active Directory (Azure AD)
Multifactor authentication and Conditional Access are among the features available
with Azure Active Directory (Azure AD), part of Microsoft Entra.
• The multifactor authentication process requires users to use multiple
authentication methods, both on-premises and in the cloud. It
provides strong authentication while accommodating users through
simple sign-in options.
• With Microsoft Authenticator, you get multifactor authentication for
your Microsoft Azure Active Directory and Microsoft account and
support for wearables and fingerprint authentication.
Azure Active Directory External Identities
A highly secure digital experience with customized controls is available for partners,
customers, and anyone else outside your organization with Azure Active Directory
External Identities, part of Microsoft Entra. Manage access across an organization
seamlessly with one portal that combines external identities and user directories.
Azure Active Directory Domain Services
Azure Active Directory Domain Services (Azure AD DS) provides managed domain
services such as Windows domain join, group policy, and LDAP without your having to
deploy, manage, or patch domain controllers.
• Through password policy enforcement, long and complex passwords
are enforced, periodic password rotation is enforced, and accounts
are locked out after failed authentication attempts.
• Token-based authentication is supported for authentication via
Azure Active Directory.
• Users are given only the access they need to perform their job duties
when they use Azure RBAC based on their assigned roles. Azure
RBAC can be customized based on your organization’s risk tolerance
and business model.
• You can control user access to data centers and cloud platforms
by using integrated identity management (hybrid identity), which
creates a single user identity across both.
Azure Apps and Data Security Capabilities
By integrating Microsoft Active Directory with applications on-site and in the cloud,
Azure Active Directory secures data access and simplifies user and group management.
Developers can easily integrate policy-based identity management into their apps
thanks to its combination of core directory services, advanced identity governance,
security, and application access management. You can use the Azure Active Directory
Basic, Premium P1, and Premium P2 editions to enhance Azure Active Directory.
• With Cloud App Discovery, a premium feature in Azure
Active Directory, you can identify cloud applications that your
employees use.
• With Azure Active Directory Identity Protection, you gain a
consolidated view of risk detections and potential vulnerabilities that
could affect your organization’s identities.
• By deploying Azure Active Directory Domain Services, you can join
Azure virtual machines to a domain without deploying domain
controllers. Users can access resources within the domain using their
corporate Active Directory credentials.
• Designed for consumer-facing applications, Azure Active Directory
B2C is a globally available, highly available identity management
service that can scale to hundreds of millions of identities and
integrate across mobile and web platforms. Customers can sign in to
all your apps using existing social media accounts or by creating new
stand-alone credentials.
• Azure Active Directory B2B Collaboration is a secure partner
integration solution that supports cross-company relationships.
It enables partners to access your corporate applications and data
selectively using their self-managed identities.
• Integrating Azure Active Directory with Windows 10 devices allows
you to extend cloud capabilities to centralized management,
simplifying access to apps and resources and connecting users to
corporate or organizational clouds.
• The Azure Active Directory Application Proxy provides secure remote
access to on-premises web applications.
Overview of the NIST CSF
Cybersecurity threats exploit essential infrastructure systems’ increased complexity
and connectivity, putting the nation’s security, economy, and public safety and health
at risk. In the same way that financial and reputational risks affect a company’s bottom
line, cybersecurity risks can drive up costs and impact revenue. They can harm an
organization’s ability to innovate and to gain and keep customers. Cybersecurity can
thus amplify the risk an organization must manage.
To better address cybersecurity risks, the Cybersecurity Enhancement Act (CEA) updated
the National Institute of Standards and Technology (NIST) role to include identifying
and developing cybersecurity risk frameworks for voluntary use by critical infrastructure
owners and operators. The CEA states that NIST must identify a prioritized, flexible,
repeatable, performance-based, and cost-effective approach, including information
security measures and controls, that owners and operators of critical infrastructure may
voluntarily adopt to help them identify, assess, and manage cyber risks.
Organizations should consider cybersecurity risks as part of their risk management
processes, using business drivers to guide cybersecurity activities.
The framework has three features: the framework core, the implementation tiers,
and the framework profiles.
The framework core comprises cybersecurity activities, desired outcomes, and
applicable reference standards across critical infrastructure sectors. From executive
to implementation/operations, the core provides industry standards, guidelines,
and practices for communicating cybersecurity activities and products across the
organization. Five concurrent and continuous functions comprise the framework
core: Identify, Protect, Detect, Respond, and Recover. Considered together, these
functions give a high-level, strategic view of an organization’s cybersecurity risk
management life cycle. For each function, the framework core identifies key categories
and subcategories, which are discrete outcomes. For each subcategory, NIST identifies
relevant informative references such as standards, guidelines, and practices.
The following are the five framework core functions. They aren’t intended to form a
serial path or lead to a static desired outcome; they should be performed concurrently
and continuously to create an operational culture that addresses dynamic
cybersecurity risk.
• Identify: An organization needs to proactively understand
cybersecurity risks to people, systems, data, and processes via
the Identify function. When prioritizing and focusing efforts, it is
vital to be aware of the business context, the resources supporting
critical functions, and cybersecurity risks. This function includes
the following outcome categories: asset management, business
environment, governance, risk assessment, and risk management
strategies.
• Protect: The Protect function develops and implements safeguards
so that critical services can be delivered while the impact of a
potential cyberattack is limited or contained. It consists of several
outcome categories: identity management and access control,
awareness and training, data security, information protection
processes and procedures, maintenance, and protective technology.
• Detect: The Detect function develops and implements the activities
needed to discover cybersecurity events in real time. Anomalies and
events, security continuous monitoring, and detection processes are
the outcome categories within this function.
• Respond: In response to a detected cybersecurity incident, the
Respond function develops and implements appropriate responses
to contain the impact of the incident. Examples of outcome
categories are response planning, communication, analysis,
mitigation, and improvement.
• Recover: The Recover function supports timely recovery to normal
operations during a cybersecurity incident by maintaining resilience
plans and restoring any capabilities or services impaired by the
incident. Recovery planning, improvements, and communications are
the outcome categories within this function.
An organization’s framework implementation tiers provide insights into how it views
and manages cybersecurity risk. Cybersecurity risk management practices are assessed
according to whether they exhibit the characteristics described in the framework (e.g.,
awareness of risks and threats, repeatability, and adaptability). Tiers are categorized
based on a company’s practices, ranging from Partial to Adaptive, and progress from
informal, reactive responses to agile and risk-informed approaches.
When selecting tiers, organizations should consider their current risk management
practices, their threats, their legal and regulatory requirements, as well as their business
objectives, and organizational constraints.
The framework profiles represent the outcomes chosen by an organization based
on its business needs. A profile aligns standards, guidelines, and practices with the
framework core in a particular implementation scenario. A “current” profile can
be compared to a “target” profile (the “to be” state), and the gaps between them
identify opportunities to improve the cybersecurity posture. Organizations can define a profile
by reviewing all categories and subcategories and determining which are most
important based on their business/mission drivers and risk assessments; categories
and subcategories can be added as appropriate. The current profile can support
prioritization and measuring progress toward the target profile by factoring in other
business needs, including cost-effectiveness and innovation. Self-assessments and
communication between organizations can be conducted using profiles.
As part of FedRAMP, cloud computing products and services are evaluated,
monitored, and authorized based on standardized procedures. The FedRAMP Joint
Authorization Board (JAB) has granted Azure and Azure Government the High
Provisional Authorization to Operate (P-ATO), which augments FedRAMP controls.
Using Azure FedRAMP High authorizations, customers are assured that the Azure services
within FedRAMP audit scope align with NIST CSF risk management practices.
Microsoft Azure cloud services have been attested to comply with NIST CSF risk
management practices according to NIST CSF, Version 1.0, dated February 12, 2014.
Azure NIST CSF control mapping demonstrates alignment between Azure FedRAMP
authorized services and the CSF Core. Further, three supply chain risk management
subcategories are included in NIST CSF Draft Version 1.1.
In addition, Microsoft has developed a NIST CSF customer responsibility matrix
(CRM) that outlines all control requirements dependent on customer implementation
and shared responsibility controls and control implementation details for Microsoft-
owned controls. NIST CSF CRM can be downloaded from the Service Trust Portal
Blueprints section under NIST CSF Blueprints.
Azure Policy regulatory compliance built-in initiatives provide additional customer
assistance, mapping to the NIST SP 800-53 compliance domains and controls.
• Azure: a regulatory compliance initiative built into Azure based on
NIST SP 800-53 Rev. 4
• Azure Government: a regulatory compliance initiative built into
Azure Government based on NIST SP 800-53 Rev. 4
Azure Policy provides built-in initiative definitions for regulatory compliance that are
organized by responsibility: customer, Microsoft, and shared. Microsoft can use third-party
attestations and control implementation details to demonstrate control compliance
with NIST SP 800-53. Azure Policy definitions are associated with each NIST SP 800-53
control. Compliance with these controls can be assessed using Azure Policy; however,
that assessment is only one part of the overall compliance picture. As an organizational
standard enforcer and compliance assessor, Azure Policy gives users an aggregated
view with drill-down capabilities.
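Assigning the built-in NIST SP 800-53 Rev. 4 initiative at subscription scope and then pulling both the aggregated view and the per-resource drill-down, as an added Azure PowerShell example that is not the book’s own code; the assignment name and region are assumptions:

```powershell
# Added example (not from the book). Assumes Az.Resources and Az.PolicyInsights
# are installed and Connect-AzAccount has selected the target subscription.
$subId    = (Get-AzContext).Subscription.Id
$scope    = "/subscriptions/$subId"
$location = 'eastus'              # assumed; needed for the assignment's managed identity
$asgName  = 'nist-sp-800-53-r4'   # assumed assignment name

# Find the built-in initiative by display name. Older Az.Resources versions
# expose it under .Properties.DisplayName, newer ones under .DisplayName, so
# both are checked.
$initiative = Get-AzPolicySetDefinition -Builtin |
    Where-Object { 'NIST SP 800-53 Rev. 4' -in @($_.DisplayName, $_.Properties.DisplayName) }
if (-not $initiative) { throw 'Built-in NIST SP 800-53 Rev. 4 initiative not found' }

# Assign at subscription scope. A system-assigned identity is needed because
# the initiative contains deployIfNotExists/modify policies that remediate;
# the audit results are produced regardless.
New-AzPolicyAssignment -Name $asgName `
    -DisplayName 'NIST SP 800-53 Rev. 4 (subscription)' `
    -PolicySetDefinition $initiative -Scope $scope `
    -IdentityType SystemAssigned -Location $location | Out-Null

# Evaluation is otherwise periodic; trigger one now and wait for it
# (this can take several minutes on a large subscription).
Start-AzPolicyComplianceScan -AsJob | Wait-Job | Out-Null

# Aggregated view: counts of non-compliant resources and policies.
(Get-AzPolicyStateSummary -SubscriptionId $subId -PolicyAssignmentName $asgName).Results

# Drill-down: which resources fail, and under which control group. The
# initiative's policy definition groups carry the SP 800-53 control names,
# which is the link from a finding back to the control it maps to.
Get-AzPolicyState -SubscriptionId $subId -PolicyAssignmentName $asgName `
    -Filter "ComplianceState eq 'NonCompliant'" -Top 100 |
    Select-Object ResourceId, PolicyDefinitionName,
        @{ n = 'Controls'; e = { $_.PolicyDefinitionGroupNames -join ',' } } |
    Format-Table -AutoSize
```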
Table 1-1 describes specific cybersecurity activities common to all critical
infrastructure sectors using functions, categories, subcategories, and informative
references. The framework core presentation format does not imply a particular order of
implementation or a degree of importance for categories, subcategories, and informative
references. The framework is not exhaustive but is extensible, enabling organizations,
sectors, and other entities to manage their cybersecurity risk efficiently and cost-
effectively using subcategories and informative references.
During the profile creation process, activities from the framework core can be
selected, and additional categories, subcategories, and informative references can be
added. During profile creation, these activities are selected based on the organizational
constraints, risk management processes, legal/regulatory requirements, and business/
mission objectives of an organization. Personal information is considered part of the
data or assets described in the categories when assessing security risks and protections.
Despite the similarities between the functions, categories, and subcategories of IT
and Industrial Control Systems (ICS), they operate in different operational environments
and require additional considerations. In addition to affecting the physical world
directly, ICS can also pose risks to people’s health and safety. Additionally, ICS has
unique performance and reliability requirements compared with IT, and cybersecurity
measures must consider safety and efficiency.
As Table 1-1 shows, functions and categories have unique alphabetic identifiers, which
makes the framework core easier to use.
Table 1-1. Function and Category Unique Identifiers
[Link] | Function | Category Unique Identifier | Category
1 | Identify | [Link] | Asset Management
  |          | [Link] | Business Environment
  |          | [Link] | Governance
  |          | [Link] | Risk Assessment
  |          | [Link] | Risk Management Strategy
  |          | [Link] | Supply Chain Risk Management
2 | Protect  | [Link] | Identity Management and Access Control
  |          | [Link] | Awareness and Training
  |          | [Link] | Data Security
  |          | [Link] | Information Protection Processes and Procedures
  |          | [Link] | Maintenance
  |          | [Link] | Protective Technology
3 | Detect   | [Link] | Anomalies and Events
  |          | [Link] | Security Continuous Monitoring
  |          | [Link] | Detection Processes
4 | Respond  | [Link] | Response Planning
  |          | [Link] | Communications
  |          | [Link] | Analysis
  |          | [Link] | Mitigation
  |          | [Link] | Improvements
5 | Recover  | [Link] | Recovery Planning
  |          | [Link] | Improvements
  |          | [Link] | Communications
Microsoft cyber offerings can meet many of the security functions described in these
frameworks and can assist with all five NIST CSF core functions (Identify, Protect,
Detect, Respond, and Recover).
Table 1-2 maps the NIST CSF core functions (Identify, Protect, Detect, Respond, and
Recover) to Azure Services.
Table 1-2. Function and Azure Services Mapping
Function | Azure Services Mapping
Identify | Azure AD; Azure AD Identity Protection; Azure AD Privileged Identity Management; Azure Policy; Azure IoT Hub; Microsoft Intune; Azure Network Watcher; Azure Automation; Azure Information Protection; Service Map; Microsoft Threat Modeling Tool; Privileged Access Workstation; Microsoft Compliance Manager; Azure Security Center
Protect | Azure Application Gateway; Azure WAF; Azure AD; Azure Firewall; Azure AD Identity Protection; Azure Advanced Threat Protection; Office ATP; Azure Key Vault; Azure DDoS; Azure VPN Gateway; Network Security Groups; Azure Bastion; Azure Encryption
Detect | Azure Firewall; Azure Monitor; Azure Intelligent Security Graph; Azure Sentinel; Azure Security Center; Microsoft for Cloud; Azure DDoS Protection; Azure Rights Management Service (RMS); Microsoft Purview Information Protection; Azure Network Security Group (NSG)
Respond | Azure AD Identity Protection; Azure Advanced Threat Protection; Office ATP; Azure Logic App; Microsoft Threat Experts
Recover | Azure Backup; Azure Site Recovery
Summary
This chapter covered the fundamentals of cybersecurity, cloud computing, and
Microsoft Azure. It gave you a broad understanding of essential Microsoft Azure security
capabilities and insights into the NIST CSF.
In the next chapter of the book, you will learn about designing and deploying
security for infrastructure, data, and apps.
CHAPTER 2
Design and Deploy Security for Infrastructure, Data, and Applications
Cybersecurity is essential in protecting systems from malicious attacks and unauthorized
access. It also helps to ensure that data is kept safe and secure and that applications
remain available and reliable. Without proper cybersecurity measures in place,
organizations can be exposed to costly data breaches and other security incidents.
Cybersecurity should be a top priority for any organization, and companies should
invest in measures to detect and prevent security threats and vulnerabilities, as well as to
respond quickly and effectively when incidents occur.
Without appropriate cybersecurity measures, organizations can be left vulnerable
to malicious actors who can exploit their systems to access confidential information or
damage their networks. Investing in cybersecurity measures can help protect companies
from these threats, as well as the financial impacts of data breaches and other security
incidents, such as loss of customers, reputational damage, legal costs, and regulatory
fines. The first cybersecurity measures were introduced in 1972 with a research project
on ARPANET. (ARPANET was a precursor to the Internet and developed protocols for
remote computer networking.)
Cloud security is critical for protecting critical data and applications from cyber
threats. Cloud providers must have robust security measures in place to ensure the safety
of their customers’ data. Companies should also take steps to ensure their own data is
secure by implementing the proper security protocols.
Since cybersecurity is integrated into cloud platforms, customers often let their
guard down and take cloud security for granted. Microsoft Azure’s shared responsibility
model can help you overcome these challenges.
With Azure’s built-in controls, data, networking, and app services, you can protect
your workloads quickly. In this chapter, you’ll read about strategically designing and
deploying security for infrastructure, data, and applications using the Microsoft cloud
security benchmarks.
By the end of this chapter, you will understand the following:
• Designing and deploying a strategy for securing infrastructure and
platform components
• Designing and deploying a strategy for securing identity
• Designing and deploying a strategy for securing apps and data
• Getting started with Microsoft SecOps
Design and Deploy a Strategy for Securing Infrastructure Components
In this section, we’ll look at Microsoft Azure data centers. Microsoft Azure data centers
house a global network of computer servers.
The Microsoft Azure global infrastructure is divided into two major components:
physical infrastructure and connective network components. Physical data centers are
arranged into regions and connected through one of the largest interconnected networks
in the world.
The Microsoft Azure global network provides high availability, low latency,
scalability, and cutting-edge technology in a cloud infrastructure, all using the Azure
platform. This way, IP traffic never reaches the public Internet because all the data is
kept entirely in the trustworthy Microsoft network.
More than 200 cloud services are offered by Microsoft Azure to customers on a
24/7/365 basis, including enterprise services like Microsoft Azure, Microsoft 365, and
Microsoft Dynamics 365. These services are hosted on Microsoft’s cloud infrastructure,
which consists of globally distributed data centers, edge computing nodes, and service
operations centers. The extensive fiber footprint connects them to one of the world’s
largest global networks.
To provide a trustworthy online experience for customers and partners worldwide,
the data centers that power the Microsoft cloud offerings focus on high reliability,
operational excellence, environmental sustainability, and cost-effectiveness. In addition,
Microsoft regularly conducts internal and third-party security audits of its data centers.
Its cloud services are trusted by the world’s most highly regulated organizations.
With the most comprehensive set of compliance offerings available from any cloud
service provider, Microsoft infrastructure and cloud services meet its customers’ strict
privacy and security requirements and help customers comply with national, regional,
and industry-specific regulations governing the collection and use of individuals’ data.
Besides meeting ISO, HIPAA, FedRAMP, and SOC standards, Microsoft’s cloud
infrastructure and offerings meet country-specific standards such as Australia’s IRAP, the
UK’s G-Cloud, and Singapore’s MTCS. Rigorous, third-party audits verify its adherence
to the strict security controls these standards mandate, and the Microsoft Service Trust
Portal provides audit reports for data center infrastructure and cloud services.
Microsoft Azure operates in data centers built and managed by Microsoft. To ensure
security and reliability, Microsoft operations staff members manage, monitor, and
administer the data centers, which comply with essential industry standards, such as
ISO/IEC 27001:2013 and NIST SP 800-53. These employees have years of experience
delivering 24/7 continuity of the world’s most extensive online services.
Azure Data Centers and Network
The Microsoft Cloud Infrastructure and Operations (MCIO) team manages the physical
infrastructure and data centers of all Microsoft online services. In addition to managing
and supporting internal perimeter network devices (such as edge routers and data
center routers), the MCIO is also responsible for managing and maintaining physical and
environmental controls within the data centers. In addition, the MCIO is accountable
for setting up the data center racks with a bare minimum of server hardware. There is no
direct interaction between Azure data centers and customers.
Cloud-scale traffic can be handled effectively by a data center network, which is a
modified version of a Clos network. The network is constructed with many commodity
devices to minimize the impact of individual hardware failure. Separate power and
cooling domains are located in different physical locations to reduce the impact of
environmental events. All network devices are running on the control plane in the OSI
model’s layer 3 routing mode, eradicating the historical traffic loop issue. With Equal-
Cost Multi-Path (ECMP) routing, all paths between diverse tiers are active to provide
high redundancy and bandwidth.
Combined with multiple primary and secondary DNS server clusters, Azure Domain
Name Service (DNS) infrastructure provides fault tolerance on an internal and external
level. Additionally, Azure network security controls, such as NetScaler, protect Azure
DNS services from distributed denial-of-service (DDoS) attacks.
The Microsoft network, which connects Microsoft data centers and customers
globally over 165,000 miles, is one of the largest backbone networks in the world.
At the time of writing, an excellent cloud experience is delivered through Microsoft’s
global network (WAN). With a global network of Microsoft data centers distributed
across 61 Azure regions and edge nodes strategically placed worldwide, Microsoft can
meet any demand with availability, capacity, and flexibility.
Figure 2-1 shows the Microsoft global network.
Figure 2-1. Microsoft global network
A secondary and primary DNS server hierarchy resolves Azure customer domain
names in multiple data centers. Azure DNS servers are located in various data centers.
Usually, the domain names are resolved to [Link] addresses, which wrap the
virtual IP (VIP) address for the customer’s service. Microsoft load balancers translate the
VIP to an internal dedicated IP (DIP) address for Azure tenants.
Azure is hosted in geographically dispersed data centers within the United States
and is built on the latest routing platforms that implement scalable, robust architectural
standards.
• Traffic engineering based on Multiprotocol Label Switching (MPLS)
provides efficient link utilization and graceful service degradation in
the event of an outage.
• A “need plus one” (N+1) redundancy architecture is used when
implementing networks.
• In addition to redundantly connecting properties with more than
1,200 Internet service providers globally at multiple peering points,
data centers are served by dedicated, high-bandwidth network
circuits. With this connection, the edge capacity is more than 2,000
gigabytes per second (Gbps).
Because Microsoft owns its network circuits between data centers, these attributes
help Azure achieve 99.9+ percent network availability without needing traditional third-
party Internet service providers.
A Microsoft Azure network Internet traffic flow policy directs traffic to the nearest
regional data centers for Azure production networks. All Azure production data
centers share the same network architecture and hardware, so the following traffic flow
description applies consistently.
As soon as Azure Internet traffic is routed to the nearest data center, a connection
is established between Azure nodes and customer-instantiated VMs. Network
infrastructure devices serve as boundary points for ingress and egress filters at the access
and edge locations. These routers isolate traffic between Azure nodes and customer-
instantiated VMs. Filtering unwanted network traffic and limiting traffic speed is possible
using a tiered access control list (ACL) on these routers. In addition to allowing only IP
addresses that Microsoft approves, distribution routers provide anti-spoofing and ACLs
for TCP connections.
In addition to performing network address translation (NAT) from Internet-routable
IP addresses to Azure internal IP addresses, external load-balancing devices are located
behind the access routers. Additionally, the devices route packets to valid production
internal IP addresses and ports. They serve as a protection mechanism to keep the
internal production network address space from being exposed.
All traffic transmitted to a customer’s web browser, including sign-in and afterward,
is encrypted with Hypertext Transfer Protocol Secure (HTTPS). The use of TLS v1.2
enables a secure tunnel for traffic to flow through. Access and core router ACLs ensure
that the source of the traffic is consistent with what is expected.
The significant difference between this and traditional security architecture is
that it does not require dedicated hardware firewalls, specialized intrusion detection
and prevention systems, or other security appliances before connecting to Azure’s
production environment. Contrary to what many customers expect, Azure does not
employ such hardware firewalls; security features, including firewall capabilities, are
almost exclusively built into the software of the Azure environment.
Within the Azure environment, several core security and firewall features reflect a
defense-in-depth strategy, including host-based software firewalls.
As a relational database service, Azure SQL Database provides the robust security
features customers expect from such a service. SQL Database has its own security
capabilities to protect customer data, and the controls it inherits from Azure build on
these capabilities.
Data center regions are accessible across the world, so customers can deploy
applications anywhere in the world.
Dedicated regional low-latency networks connect the data centers within a
latency-defined perimeter. Azure regions, which can differ in pricing and service
availability, are distinct from the geographies that Microsoft 365 and Dynamics 365 use.
Availability zones provide resiliency and options for high availability, and data center
failures can be prevented by implementing availability zones.
For added resilience, high availability, and confidence that data traversing between
availability zones is always encrypted, Azure availability zones, consisting of at least
three zones, allow customers to spread their infrastructure and applications across
discrete and dispersed data centers.
Microsoft evaluates each availability zone’s placement using more than 30 viability
and risk-based criteria, identifying both significant individual risks and collective
and shared risks between availability zones without compromising their low-latency
perimeter.
Every country in which Microsoft operates a data center region has an Azure
availability zone.
Azure Data Center Physical Security
Across more than 100 highly secure facilities worldwide, Azure hosts thousands of online
services.
As the infrastructure is designed to bring applications closer to users worldwide,
it preserves data residency and offers customers comprehensive compliance and
resilience options. Azure is available in 140 countries and regions around the world.
Data centers are connected through a massive and resilient network to form regions.
All Azure traffic within a region or between regions is protected by default by content
distribution, load balancing, redundancy, and data-link layer encryption. Azure offers
more global regions than any other cloud provider, so you can deploy applications
wherever needed.
Azure regions are organized into geopolitical regions. Geopolitical regions ensure
that data residency, sovereignty, compliance, and resilience requirements are met.
Microsoft Azure’s shared responsibility model can help you overcome these
challenges. The dedicated, high-capacity network infrastructure enables customers with
specific data residency and compliance requirements to keep their data and applications
close to the source. Azure geographies are fault tolerant to withstand Azure region
failure.
Within an Azure region, availability zones are physically separated.
You can run mission-critical applications with high availability and low-latency
replication in availability zones. Availability zones comprise one or more data centers
with independent power, cooling, and networking.
Microsoft designed, built, and operates data centers in a way that strictly restricts
access to data storage areas. Microsoft’s goal is to help secure the data centers containing
your data, as it understands the importance of protecting your data. Dedicated to
maintaining state-of-the-art physical security, Microsoft has an entire division devoted
to designing, deploying, and managing Azure’s physical data center facilities.
To reduce the impact of unauthorized access to data center resources and
information hosted within the data center, Microsoft adopts a layered approach to physical
security. The Microsoft data centers have multiple layers of protection: access approval
at the facility’s perimeter, the building’s perimeter, the building’s interior, and the data
center’s floor.
Azure Infrastructure Availability
As part of Microsoft’s commitment to high availability, the company monitors and
responds to incidents, provides service support, and helps with backup failover. It is one
of the largest networks in the world. Microsoft has geographically distributed operations
centers operating 24/7/365. A fiber-optic and content distribution network connects
data centers and edge nodes to ensure high performance and reliability.
Data is kept in two locations by Azure. You can choose where your backup site is; in
the primary location, three copies of your data are continuously maintained.
Active databases are monitored every five minutes to determine their health and
status. Azure ensures that a database accesses the Internet via an Internet gateway,
maintaining database availability.
By providing connectivity endpoints, Azure delivers highly scalable and durable
storage. Applications can therefore access the storage service directly. The storage
service processes incoming requests efficiently and with transactional integrity.
Cloud Security Shared Responsibility Model
Cloud security is an essential consideration for any organization that stores data in
the cloud. It is important to ensure that the cloud provider has the necessary security
measures in place to protect data from potential threats such as hackers and malware.
Additionally, organizations should also have their own security strategies in place to
further protect their data.
In an enterprise, security is your responsibility in a traditional data center model
across all areas of your operation, including your applications, servers, user controls, and
even the security of your building. By taking on many operational burdens, including
security, your cloud provider provides valuable relief to your teams. Regarding public
clouds such as Azure, cloud security is defined as a shared responsibility model, and
security ownership must be clearly understood, with each party maintaining complete
control over those assets, processes, and functions they own. Working with your cloud
provider and sharing some security responsibilities can help you maintain a secure
environment with less operational overhead.
Security responsibilities shift as organizations move workloads to Azure cloud-based
infrastructure from their on-premises data centers. As a result, you (as an organization)
are no longer solely responsible for all security aspects, as you would be in a traditional
environment. All cloud providers, including Microsoft’s competitors such as AWS and
GCP, follow the cloud security shared responsibility model.
As you evaluate and consider public cloud services such as Microsoft Azure, you
must know the shared responsibility model, which security tasks the cloud service
provider is responsible for, and which are your responsibility as the consumer.
Depending on the Azure service model, your security responsibility differs. The
following is a high-level summary:
• All aspects of security and operations are the customer’s
responsibility for on-premises solutions.
• The platform vendor should manage the elements such as buildings,
servers, networking hardware, and the hypervisor for IaaS solutions.
• Operating systems, networks, applications, identities, clients, and
data are the customer’s responsibilities or are shared with them.
• PaaS solutions build on IaaS deployments: the provider manages
and secures the network controls, but applications, identity, clients,
and data remain the customer’s responsibility.
• A vendor provides the application for SaaS solutions and abstracts
customers from the underlying components. However, the customer
is still responsible for ensuring that data is classified correctly and is
managing endpoint devices and users.
In the case of an IaaS service like Azure Virtual Machines, you have more security
responsibilities to take care of. For example, you need to patch the operating system of
your virtual machines hosted on Azure.
With an IaaS service model, for capabilities such as virtual machines, storage,
and networking, it is the customer’s responsibility to configure and protect the stored
and transmitted data. When using an IaaS-based solution, data classification must
be considered at all layers of the solution. Figure 2-2 shows a logical view of the cloud
security shared responsibility.
[Figure 2-2 content: Customer Managed Logical Infrastructure (Cloud Deployment: IaaS). Customer managed: spectrum of information and data; end-user devices, accounts, and identities. Shared responsibility (varies by type): identity & directory infrastructure (shared). Customer managed: applications, data, virtual machines/containers/workloads, virtual network and connectivity. Microsoft managed: compute, network, storage.]
Figure 2-2. Cloud deployment: IaaS with cloud security shared responsibility view
A PaaS such as Azure App Service has fewer security responsibilities than a
traditional service. You’re not responsible for patching the operating system used by
the service. However, you’re still responsible for configuring the service and controlling
access to it.
In PaaS solutions, the customers’ responsibility for data classification and
management should be recognized during the planning process. To ensure data
protection, customers must configure and establish a process for protecting both the
data and the solution. Azure Rights Management (ARM) services provide customer data
protection capabilities and integrate into many Microsoft SaaS products. Figure 2-3
shows the cloud security shared responsibility from a PaaS logical view.
[Figure 2-3 content: Customer Managed Logical Infrastructure (Cloud Deployment: PaaS). Customer managed: spectrum of information and data; end-user devices, accounts, and identities. Shared responsibility: identity & directory infrastructure (shared); applications (shared); virtual network and connectivity (shared). Microsoft managed: virtual machines/containers/workloads; compute, network, storage.]
Figure 2-3. Cloud deployment: PaaS with cloud security shared responsibility view
With a SaaS service like Azure Search, you have even fewer security responsibilities,
but you should still control access to your data.
In SaaS solutions like Office 365 and Dynamics 365, customer data can be protected
with features such as Office Lockbox and data loss prevention. Still, customers must
ultimately configure, classify, and manage these solutions to meet their unique
compliance and security requirements. Figure 2-4 shows the cloud security shared
responsibility from a SaaS logical view.
[Figure 2-4 content: Customer Managed Logical Infrastructure (Cloud Deployment: SaaS). Customer managed: spectrum of information and data; end-user devices, accounts, and identities. Shared responsibility: identity & directory infrastructure (shared). Microsoft managed: applications (shared); virtual machines/containers/workloads and virtual network and connectivity (shared); compute, network, storage.]
Figure 2-4. Cloud deployment: SaaS with cloud security shared responsibility view
Foundation of Cloud Infrastructure and Endpoint Security
A cloud security team provides security protections, detective functions, and response
procedures for infrastructure and network components used by enterprise applications
and users.
Data centers enabled by software-defined technologies are aiding in the security of
infrastructure and endpoints in several ways, including the following:
• Inventory and configuration error discovery for cloud-hosted assets
is much more reliable since they are all immediately visible (versus a
physical data center).
• Vulnerability management has become an integral part of managing
overall security posture.
• The addition of container technologies should be managed and
secured by infrastructure and network teams as this technology is
widely adopted throughout the organization.
• Security agent consolidation and tool simplification will reduce
maintenance and performance overhead for security agents
and tools.
• Allow-listing of applications and internal network filtering is
becoming more accessible and easier to implement on cloud-hosted
servers (using machine learning rule sets).
• Cloud-based software-defined data centers are much easier to
manage with automated templates for configuring infrastructure and
security. Azure Blueprints are an example.
• For privileged access on servers and endpoints, just in time (JIT) and
just enough access (JEA) enable the practical application of least
privilege principles.
• Since endpoint devices are increasingly available for purchase or
choice, user experience becomes increasingly critical.
• In addition to ensuring that all endpoint devices, including
traditional PCs and mobile devices, are managed securely, unified
endpoint management provides critical device integrity signals for
zero-trust access control.
• With the shift to cloud application architectures, network security
architectures and controls are somewhat diminished, but they
remain a primary security measure.
Securing Virtual Machines
Virtual machines can be used to deploy a variety of computing solutions in an agile way
with Azure. With Azure BizTalk Services, you can deploy any workload and language on
nearly any operating system, including Microsoft Windows, Linux, Microsoft SQL Server,
Oracle, IBM, SAP, and Microsoft BizTalk Services.
With Azure virtual machines, you don’t need to buy and maintain physical hardware
to run them. In highly secure data centers, your data is protected and safe so that you can
build and deploy your applications with peace of mind.
The Azure platform enables you to build security-enhanced, compliant solutions
that do the following:
• Make sure your virtual machines are protected from viruses
and malware
• Protect sensitive information by encrypting it
• Ensure the security of network traffic
• Detect and identify threats
• Comply with regulations
Antimalware
You can use antimalware software from Microsoft, Symantec, Trend Micro, McAfee,
and Kaspersky to protect your virtual machines from malicious files, adware, and other
threats. You can deploy, configure, and maintain antimalware solutions remotely using
Azure PowerShell, the Azure Portal, and the command line.
Protect Sensitive Data
Microsoft monitors your data 24/7 and has built data centers to safeguard your data and
services from unauthorized access. It also offers industry-leading encryption solutions
from CloudLink and Trend Micro for your virtual machines and their data for extra
protection. A transparent data encryption feature is also available in Microsoft SQL
Server for real-time application security.
Organize Your Keys and Secrets with Key Vault
You can simplify management and security by storing your critical secrets and keys
in Azure Key Vault. Key Vault stores your keys in hardware security modules (HSMs)
certified to FIPS 140-2 Level 2. In Key Vault, you can store your SQL Server encryption
keys, CloudLink SecureVM keys, and any other keys or secrets you have created. You can
manage permissions and access to these protected items through Azure Active Directory.
Virtual Machine Disks for Linux and Windows Can Be Encrypted
Using Azure Disk Encryption, you can encrypt your virtual machine disks with keys
and policies that you control in Azure Key Vault, meeting organizational security and
compliance requirements. In Azure Disk Encryption, you can encrypt both your virtual
machine’s boot and data disks. You can protect your disk encryption keys, manage
access policies, and audit the usage of your keys with Key Vault.
Azure Key Vault is available for both Linux and Windows operating systems. In Azure
Storage accounts, all the data on your virtual machine disks are encrypted at rest using
industry-standard encryption technology. Microsoft BitLocker Drive Encryption is used
for Azure Disk Encryption for Windows, while dm-crypt is used for Linux.
Azure Disk Encryption (premium storage tier) does not support virtual machines
with DS-Series storage.
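The Key Vault and Azure Disk Encryption workflow described in the last two sections, as an added Az PowerShell example (not code from the book or from Microsoft's documentation). It assumes the Az module is installed and Connect-AzAccount has been run; the resource group, region, VM name, and vault name are placeholders, and the VM is assumed to already exist.

```powershell
# Added example: create an HSM-backed Key Vault for disk encryption keys and
# enable Azure Disk Encryption (ADE) on an existing VM, then verify the result.
# Assumptions: Az module present, Connect-AzAccount already run; all names below
# are placeholders for this example.
$rg     = 'rg-secure-example'      # placeholder resource group
$loc    = 'eastus'                 # placeholder region
$vmName = 'vm-app-01'              # placeholder existing Windows or Linux VM
$kvName = 'kv-ade-example-001'     # placeholder, must be globally unique

# Premium SKU keeps keys in FIPS 140-2 Level 2 validated HSMs.
# -EnabledForDiskEncryption lets the Azure platform read the disk secrets.
# Purge protection (irreversible once on) stops a deleted vault or key from
# being permanently removed during the retention window; losing the key that
# protects a boot disk makes the VM unrecoverable.
$kv = New-AzKeyVault -VaultName $kvName -ResourceGroupName $rg -Location $loc `
        -Sku Premium -EnabledForDiskEncryption -EnablePurgeProtection

# Key encryption key (KEK) generated inside the HSM: ADE wraps each disk's
# secret with this key rather than storing the secret unwrapped in the vault.
$kek = Add-AzKeyVaultKey -VaultName $kvName -Name 'ade-kek' -Destination HSM

# Encrypt both OS and data disks (-VolumeType All). The ADE extension uses
# BitLocker on Windows and dm-crypt on Linux, as the text above describes.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -KeyEncryptionKeyUrl $kek.Id -KeyEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All -Force

# Verify: both properties should report Encrypted once the extension finishes.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName |
    Select-Object OsVolumeEncrypted, DataVolumesEncrypted
```

Because the vault uses purge protection, treat the KEK as a long-lived asset: rotate it by adding a new key version and re-running Set-AzVMDiskEncryptionExtension with the new -KeyEncryptionKeyUrl rather than deleting the old key, and audit key usage through the vault's diagnostic logs as the section recommends.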
Build More Compliant Solutions
As an authorized partner with Federal Information Security Modernization Act (FISMA),
Federal Risk and Authorization Management Program (FedRAMP), HIPAA, PCI DSS
Level 1, and other critical compliance programs, Azure Virtual Machines is certified to
comply with these requirements, allowing your Azure applications to meet compliance
requirements and your business to comply with domestic and international regulatory
requirements.
Shield Network Traffic from Threats
You can create a highly secure VPN connection between your virtual machines using
Azure Virtual Network or bypass the Internet completely with Azure ExpressRoute.
As well as isolating network traffic between applications, Virtual Network allows you
to control the configuration of your network, including subnets and preferred DNS
addresses. Secure your endpoints with access controls and deploy a web application
firewall from aiScaler, Alert Logic, Barracuda Networks, Check Point, or Cohesive
Networks from the Azure Marketplace.
Securing Containers
An application runs in a container in a lightweight, isolated silo on the host system.
On top of the kernel of the host operating system (which can be viewed as the buried
plumbing of the OS), containers contain only apps and lightweight APIs and services
from the operating system. Containers share the kernel of the host operating system,
but their access is limited. Instead, the container gets an isolated—and sometimes
virtualized—view of the system. The container can, for example, access a virtualized
version of the file system and registry, but the changes affect only it and are discarded
when it stops. The container can mount persistent storage, such as Azure Disks or file
shares (including Azure Files) to save data.
The kernel is the base of a container, but it does not provide all of the APIs and
services an app needs to run—most of these are provided by system files (libraries)
executed in user mode above the kernel. The container needs a copy of these user-mode
system files packaged into a base image because it is isolated from the host’s user-mode
environment. As the foundation for your container, the base image provides operating
system services not provided by the kernel.
Containers are easy to deploy and start fast because they utilize fewer resources (for
example, they do not require an entire operating system).
The concept of a container group is similar to a pod in Kubernetes, a collection of
containers scheduled on the same machine. The containers in a container group share a
lifecycle, resources, local network, and storage volumes.
Use a Private Registry
An image container is built from an image stored in a repository. These repositories may
belong to a public registry, such as Docker Hub, or they may belong to a private registry.
The Docker Trusted Registry, an example of a private registry, can be installed on-
premises or in a virtual private cloud. Azure Container Registry, for example, can also be
used as a private container registry service in the cloud.
A Publicly Available Container Image Does Not Guarantee Security
Each software layer in container images might have a vulnerability. It is advisable to store
and retrieve images from a private registry, such as Azure Container Registry or Docker
Trusted Registry, to help reduce the threat of attacks. Through Azure Active Directory,
Azure Container Registry provides a managed private registry and service principal–
based authentication. Users can be granted read-only (pull), write-only (push), and
other permissions based on their role.
Monitor and Scan Container Images
To identify potential vulnerabilities, utilize solutions that scan container images in a
private registry. Understanding how each solution detects threats is critical to choosing
the right solution.
Azure Container Registry can be integrated with Microsoft Defender for Cloud
to scan all Linux images pushed to a registry automatically. Qualys, a scanning tool
integrated into Microsoft Defender for Cloud, detects image vulnerabilities, classifies
them, and provides remediation advice.
Through Azure Marketplace, you can also find solutions such as Twistlock and Aqua
Security for security monitoring and image scanning.
Protect Credentials
As containers are distributed across several clusters and Azure regions, credentials such
as passwords or tokens for logging in or accessing APIs must be secured. Only privileged
users should be able to access these containers in transit and at rest. Inventory all
credential secrets and then require developers to use tools designed to manage secrets
for container platforms. Ensure your solution includes the following:
• Encrypted databases
• TLS encryption for secret data in transit
• Azure role-based access control (RBAC)
Containerized applications can be protected with Azure Key Vault’s encryption keys
and secrets (such as certificates, connections, and passwords). Secure access to your
key vaults so only authorized applications and users can access them since this data is
sensitive and business-critical.
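The private-registry and credential-protection guidance from the two sections above, combined in one added Az PowerShell example (not code from the book): a private Azure Container Registry with the shared admin account left disabled, push and pull rights granted as separate role assignments, and the pull credential stored in Key Vault where only a workload identity can read it. It assumes Connect-AzAccount has been run, that the vault named below already exists with RBAC authorization enabled, and that every name and the workload identity's object ID are placeholders.

```powershell
# Added example: private registry with role-scoped access, plus the registry
# pull credential kept in Key Vault instead of in a container spec.
# Assumptions: Az module, Connect-AzAccount done; names are placeholders;
# vault 'kv-secrets-example-001' already exists with RBAC authorization on.
$rg      = 'rg-secure-example'
$loc     = 'eastus'
$acrName = 'acrsecureexample001'    # placeholder, alphanumeric, globally unique
$kvName  = 'kv-secrets-example-001' # placeholder existing vault

# Private registry. The admin user (one shared username/password) is left
# disabled, so every pull or push is authenticated as an Azure AD identity.
$acr = New-AzContainerRegistry -ResourceGroupName $rg -Name $acrName `
         -Location $loc -Sku Premium

# Build pipeline identity: push rights only, scoped to this registry.
$pusher = New-AzADServicePrincipal -DisplayName 'sp-acr-push-example'
New-AzRoleAssignment -ObjectId $pusher.Id -RoleDefinitionName 'AcrPush' -Scope $acr.Id

# Runtime cluster identity: read-only (pull) rights, same scope.
$puller = New-AzADServicePrincipal -DisplayName 'sp-acr-pull-example'
New-AzRoleAssignment -ObjectId $puller.Id -RoleDefinitionName 'AcrPull' -Scope $acr.Id

# The auto-generated client secret is only visible in this session; put it in
# Key Vault (encrypted at rest, TLS in transit) with an expiry, never in a
# Kubernetes manifest or container group definition.
$pw = ConvertTo-SecureString -String $puller.PasswordCredentials.SecretText `
        -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $kvName -Name 'acr-pull-password' -SecretValue $pw `
    -ContentType 'text/plain' -Expires (Get-Date).AddDays(90)

# Data-plane RBAC: only the workload's managed identity may read that secret.
$workloadIdentityObjectId = '<object-id-of-workload-managed-identity>'  # placeholder
$kv = Get-AzKeyVault -VaultName $kvName
New-AzRoleAssignment -ObjectId $workloadIdentityObjectId `
    -RoleDefinitionName 'Key Vault Secrets User' -Scope $kv.ResourceId

# Review: which identities hold registry roles?
Get-AzRoleAssignment -Scope $acr.Id |
    Where-Object RoleDefinitionName -in 'AcrPull', 'AcrPush' |
    Select-Object DisplayName, RoleDefinitionName
```

Separating AcrPush from AcrPull is the point: a compromised runtime identity can read images but cannot replace them, and the 90-day expiry on the stored secret forces the rotation that the inventory step in the section calls for.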
Securing Hosts
You must lock down the host machines where your applications run. Installing updates,
using jump boxes to only access servers, and following Microsoft Defender for Cloud
recommendations are great ways to keep your hosts secure.
Endpoint systems interact directly with users. Devices such as computers, laptops,
smartphones, tablets, and other computing devices must be protected against attacks
on an organization’s networked systems.
Microsoft Defender for Cloud provides tools for hardening your network, securing
your services, and maintaining your security posture.
Use Microsoft Antimalware or an endpoint protection solution from a Microsoft
partner to help identify and remove viruses, spyware, and other malicious software.
Security Center reports antimalware status on the “Endpoint protection issues”
blade after integrating your antimalware solution with Microsoft Defender for Cloud.
You can plan to address any identified issues by using the information provided by
the Security Center, such as detected threats and insufficient protection.
Azure Bastion is a fully platform-managed PaaS service that you provision inside
your virtual network; it provides RDP/SSH connectivity to your virtual machines over
TLS directly in the Azure Portal. With Azure Bastion, your virtual machines don’t need a
public IP address to be reachable.
All VMs in a virtual network that Bastion is a part of are connected securely using
RDP and SSH.
Azure Bastion protects your VM from disclosing RDP/SSH ports to the outside world
while providing secure access using RDP/SSH. With Azure Bastion, you connect to the
VM straight from the Azure Portal.
To have a secured host, ensure the device contains the following security
components:
• Trusted Platform Module (TPM) 2.0
• BitLocker Drive Encryption
• UEFI Secure Boot
• Drivers and firmware distributed through Windows Update
• Virtualization and HVCI enabled
• HVCI-ready drivers and apps
• Windows Hello
• DMA I/O protection
• System Guard
• Modern Standby
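A way to verify several of the components just listed on a Windows host, as an added example that is not from the book. It queries the built-in TPM, Secure Boot, BitLocker, and Device Guard interfaces that ship with Windows 10/11 and Windows Server; the function name and the report labels are my own, and it must run in an elevated PowerShell session on the host being checked.

```powershell
# Added example: report which hardware-rooted protections a Windows host has
# active. Run elevated on the host. Function name and labels are my own.
function Get-SecuredHostStatus {
    $status = [ordered]@{}

    # TPM: present, owned/ready, and spec version 2.0 (Win32_Tpm.SpecVersion
    # reads like "2.0, 0, 1.38" on a TPM 2.0 part).
    $tpm    = Get-Tpm
    $tpmCim = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName Win32_Tpm
    $status['TPM present'] = [bool]$tpm.TpmPresent
    $status['TPM ready']   = [bool]$tpm.TpmReady
    $status['TPM 2.0']     = ($tpmCim.SpecVersion -like '2.0*')

    # UEFI Secure Boot: Confirm-SecureBootUEFI throws on legacy-BIOS machines,
    # which for our purposes means "not enabled".
    try   { $status['UEFI Secure Boot'] = [bool](Confirm-SecureBootUEFI) }
    catch { $status['UEFI Secure Boot'] = $false }

    # BitLocker on the OS volume: protection must actually be On, not merely
    # configured (an encrypted volume with protectors suspended reports Off).
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $status['BitLocker on OS drive'] = ($osVol.ProtectionStatus -eq 'On')

    # Virtualization-based security and HVCI via Win32_DeviceGuard.
    # VirtualizationBasedSecurityStatus: 2 = running.
    # SecurityServicesRunning codes: 1 = Credential Guard, 2 = HVCI,
    # 3 = System Guard Secure Launch.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    $status['VBS running']              = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $status['HVCI running']             = ($dg.SecurityServicesRunning -contains 2)
    $status['Credential Guard running'] = ($dg.SecurityServicesRunning -contains 1)
    $status['System Guard running']     = ($dg.SecurityServicesRunning -contains 3)

    [pscustomobject]$status
}

$report = Get-SecuredHostStatus
$report | Format-List

# Anything false is a gap against the list above; surface it for remediation.
$gaps = $report.PSObject.Properties | Where-Object { -not $_.Value } |
        Select-Object -ExpandProperty Name
if ($gaps) { Write-Warning ("Missing protections: " + ($gaps -join ', ')) }
else       { Write-Host 'All checked protections are active.' }
```

Windows Hello, DMA protection, and Modern Standby have no simple CIM property to query and are left out; the same report shape works as a Defender for Cloud or intune compliance input because every field is a plain boolean.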
Securing Networks
Protect your information technology assets by controlling traffic that originates in Azure,
traffic to and from Azure, and traffic between on-premises and Azure resources. In the
absence of security measures, attackers can, for example, scan public IP ranges to gain
access. Proper network security controls can deliver defense-in-depth components that
detect, control, and prevent attackers who acquire access to your cloud deployments.
As in your on-premises network, Azure virtual networks are similar to LANs. They
allow you to place all your virtual machines on a single private IP address space. By
placing Azure virtual machines (VMs) and appliances on Azure virtual networks, you
can connect them to other networked devices. Connect virtual network interface cards
(NICs) to a virtual network to allow TCP/IP-based communications between network-
enabled devices. Employees can access a company’s resources from anywhere, on
various devices and apps, making perimeter security controls irrelevant.
Virtual network access control limits connectivity to and from specific devices and
subnets. Network access controls allow or deny connections to your virtual machines and
services, restricting access to approved users and devices.
Microsoft Defender for Cloud can manage the network security groups (NSGs) on virtual
machines and block access to a virtual machine until a user with the authorized Azure
role-based access control (Azure RBAC) permissions requests access.
Azure Firewall is a fully stateful firewall-as-a-service with built-in high availability
and unrestricted cloud scalability that provides threat protection for your Azure cloud
workloads.
The following are key strategies to be adopted:
• Align the network segmentation with the overall enterprise
segmentation strategy by segmenting your network footprint and
creating secure communication paths between segments.
• Develop security controls to identify and permit or deny traffic,
access requests, and application communication between segments.
• Protect all public endpoints with Azure Front Door, Application Gateway,
Azure Firewall, and Azure DDoS Protection.
• Protect critical workloads from DDoS attacks with Azure DDoS
Protection.
• Keep virtual machines private while giving them outbound Internet access
through Azure Virtual Network NAT (NAT gateway).
• Control traffic between application tiers (north-south) and between subnets
(east-west).
• Defend against data exfiltration attacks with a defense-in-depth strategy
that applies controls at each layer.
Microsoft Cloud Security Benchmark for Network Security
Various aspects of network security contribute to the security and protection of
networks, including securing virtual networks, establishing private connections,
controlling and mitigating external attacks, and securing DNS.
Figure 2-5 provides high-level insights into the Microsoft cloud security benchmark.
Fundamental network security principle: Azure network security services
• Deploy network segmentation: Adopt Azure Virtual Network (VNet)
• Protect cloud native services with network security controls: Adopt Azure Private Link
• Implement a firewall at the edge of the enterprise network: Deploy Azure Firewall and
virtual network traffic routing
• Implement an intrusion detection/protection system: Adopt Azure Firewall with IDPS /
Defender for Endpoint
• Implement DDoS protection: Adopt Azure DDoS Protection
• Implement a web application firewall: Adopt Azure WAF
• Follow simplicity in network security configuration: Adopt network hardening via
Defender for Cloud / Azure Firewall Manager
• In general, disable unused services: Azure Sentinel Insecure Protocol workbook
• Have private connectivity between on-premises and Azure: Azure VPN / virtual
network peering
• Implement DNS security: Azure DNS / Azure Private DNS / Defender for DNS
Figure 2-5. Microsoft cloud security benchmark for network security
Deploy Network Segmentation
Implement your enterprise segmentation strategy in your virtual network deployment
and isolate any workload that could pose a higher risk to the organization.
Examples of high-risk workloads include the following:
• An application stores or processes sensitive data.
• An application is network-facing and accessible to public or external users.
• An application has an insecure architecture or vulnerabilities that are
difficult to fix.
Enhance your enterprise segmentation strategy by restricting or monitoring traffic
between internal resources. This highly secure “deny by default, permit by exception”
approach specifies the permitted ports, protocols, and source and destination IP
addresses for specific, well-defined applications (such as a three-tier app). If you have
many applications and endpoints interacting, blocking traffic may not scale well, and
you may only be able to monitor traffic.
As a fundamental segmentation approach in Azure, Microsoft suggests creating
a virtual network (VNet) so resources such as VMs can be deployed within a network
boundary. To segment the network more precisely, you can divide a VNet into subnets.
Azure network engineers can restrict or monitor traffic by port, protocol, source IP
address, or destination IP address using NSGs.
Organizations can also use application security groups (ASGs) to simplify complex
configurations. Instead of defining NSG policy on explicit IP addresses, ASGs let you
configure network security as a natural extension of an application’s structure: you
group virtual machines and define network security policies based on those groups.
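The following is an added example, not code from the book: a small simulator of how NSG rules combined with ASGs implement “deny by default, permit by exception” for a three-tier app, following NSG evaluation semantics (ascending priority, first match wins, platform default rules behind your custom rules). ASG names, addresses and rule names are constructed.

```python
"""Added example (not from the book): simulate how Azure NSG rules combined with
application security groups (ASGs) implement "deny by default, permit by
exception" for a three-tier app. It follows NSG evaluation semantics: rules are
checked in ascending priority, the first match wins, and the platform default
rules (AllowVnetInBound at 65000, DenyAllInBound at 65500) sit behind your
custom rules. ASG names, addresses and rule names are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

VNET = ip_network("10.0.0.0/16")
# For this simulation, "Internet" means any address outside the RFC 1918 ranges.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

# Constructed ASG membership: ASG name -> private IPs of its member NICs
ASG_MEMBERS = {
    "asg-web": {"10.0.1.4", "10.0.1.5"},
    "asg-app": {"10.0.2.4"},
    "asg-db": {"10.0.3.4"},
}


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    access: str            # "Allow" or "Deny"
    src: str               # CIDR, ASG name, service tag ("Internet", "VirtualNetwork") or "*"
    dst: str
    port: Optional[int]    # None = any destination port
    proto: str = "Tcp"     # "Tcp", "Udp" or "*"


def _match_endpoint(selector: str, ip: str) -> bool:
    """True if the address matches a CIDR, a service tag, an ASG, or the wildcard."""
    addr = ip_address(ip)
    if selector == "*":
        return True
    if selector in ASG_MEMBERS:
        return ip in ASG_MEMBERS[selector]
    if selector == "VirtualNetwork":
        return addr in VNET
    if selector == "Internet":
        return not any(addr in net for net in RFC1918)
    return addr in ip_network(selector)


def evaluate(rules, src_ip: str, dst_ip: str, port: int, proto: str = "Tcp"):
    """Walk the rules by priority; the first matching rule decides the flow.
    Returns (access, rule name); a flow that matches nothing is denied."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.proto not in (proto, "*"):
            continue
        if r.port not in (None, port):
            continue
        if _match_endpoint(r.src, src_ip) and _match_endpoint(r.dst, dst_ip):
            return r.access, r.name
    return "Deny", "implicit"


# Inbound rule set for the three-tier app. The explicit deny at 4000 is what
# makes the policy "deny by default" inside the VNet: without it, the platform
# default AllowVnetInBound (65000) would let any VM reach any other VM.
INBOUND = [
    Rule(100, "allow-internet-to-web-443", "Allow", "Internet", "asg-web", 443),
    Rule(110, "allow-web-to-app-8080", "Allow", "asg-web", "asg-app", 8080),
    Rule(120, "allow-app-to-db-1433", "Allow", "asg-app", "asg-db", 1433),
    Rule(4000, "deny-vnet-any", "Deny", "VirtualNetwork", "*", None, "*"),
    Rule(65000, "AllowVnetInBound", "Allow", "VirtualNetwork", "VirtualNetwork", None, "*"),
    Rule(65500, "DenyAllInBound", "Deny", "*", "*", None, "*"),
]


def lateral_movement_allowed(rules) -> bool:
    """Can the web tier reach SQL on the database tier directly? Should be False."""
    return evaluate(rules, "10.0.1.4", "10.0.3.4", 1433)[0] == "Allow"


if __name__ == "__main__":
    for flow in [("203.0.113.9", "10.0.1.4", 443), ("203.0.113.9", "10.0.1.4", 3389),
                 ("10.0.1.4", "10.0.2.4", 8080), ("10.0.1.4", "10.0.3.4", 1433)]:
        print(flow, "->", evaluate(INBOUND, *flow))
    print("web->db allowed without the explicit deny:",
          lateral_movement_allowed([r for r in INBOUND if r.priority != 4000]))
```

Dropping the explicit deny rule shows why relying on the platform defaults alone is not “deny by default” inside a VNet.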
Protect Cloud Native Services with Network Security Controls
Secure cloud services by setting up a private access point and disabling or restricting
public network access.
Azure Private Link provides a private connection, not routed through the public
network, for all Azure resources that support it.
VNet integration for certain services lets you create a private access point by
restricting access to the VNet.
The native network ACL rules of a service, such as Azure SQL, can also be configured
to block access from public networks.
For Azure VMs, unless there is a compelling use case, avoid assigning public
IPs/subnets directly to the VM NIC; instead, use gateway or load balancer services as the
front end for entry from the public network.
Implement a Firewall at the Edge of the
Enterprise Network
Firewalls can be used to filter network traffic from and to external networks, as well as
between internal segments to support a segmentation strategy. When you need network
traffic to go through a network appliance for security control reasons, use custom routes
for your subnet to override the system route.
Be sure to block known bad IP addresses and high-risk protocols, such as remote
management (RDP and SSH) and intranet access (SMB and Kerberos).
Use Azure Firewall to control application-layer traffic (such as URL filtering) and to
centrally manage many enterprise segments or spokes in a hub-and-spoke configuration;
URL filtering, for example, can then be managed centrally from the hub.
Creating user-defined routes (UDRs) may be necessary if your network topology is
complex, such as a hub-spoke configuration. For example, Azure Firewall or a virtual
network appliance can be used to redirect egress Internet traffic through a UDR.
Implement Intrusion Detection/Protection System
Ensure your network intrusion detection and intrusion prevention system (IDS/IPS)
provides high-quality alerts to your SIEM solution anytime there is network or payload
traffic to or from your workload.
A host-based IDS/IPS or endpoint detection and response (EDR) solution coupled
with a network-based IDS/IPS provides a deeper level of detection and prevention at the
host level.
Using Azure Firewall’s IDPS capability, you can detect and block traffic from and to
known malicious IP addresses and domains.
VM-level IDS/IPS can be combined with network-level IDS/IPS for a more
comprehensive host-level detection and prevention capability. One example of this is
Microsoft Defender for Endpoint.
Implement DDOS Protection
Your network and applications can be protected from attacks with distributed denial-of-
service (DDoS) protection.
In Azure, DDoS Protection Basic automatically protects the underlying platform
infrastructure (such as Azure DNS) and does not require user configuration.
To protect resources exposed to public networks, enable the DDoS Protection Standard
plan on your VNet for higher-level protection, including against application layer
(layer 7) attacks such as HTTP-based attacks.
Implement Web Application Firewall
Ensure your web applications and APIs are protected from application-specific attacks
using a web application firewall (WAF).
Azure Application Gateway, Front Door, and Content Delivery Network (CDN)
provide WAF capabilities to protect applications, services, and APIs from application-
layer attacks.
Depending on your needs and threat landscape, you can set your WAF in “detection”
or “prevention” mode.
You can choose one of the built-in rulesets, such as the OWASP Top 10
vulnerabilities, and customize it based on your application’s needs.
Follow Simplicity in Network Security Configuration
You can manage network security using tools that simplify, centralize, and enhance the
process. Implement and manage virtual networks, NSG rules, and Azure Firewall rules
more efficiently with these features:
• Virtual networks can be grouped, configured, deployed, and
managed across regions and subscriptions using Azure Virtual
Network Manager.
• Adaptive network hardening in Microsoft Defender for Cloud can recommend
NSG hardening rules based on threat intelligence and traffic analysis
results.
• The Azure Firewall Manager ARM (Azure Resource Manager)
templates simplify the implementation of firewall rules and network
security groups.
In General, Disable Unused Services
Detect and disable insecure protocols, services, and applications at the OS and
application layers, and implement compensating controls where disabling them is not
possible.
To identify insecure services and protocols such as SSL/TLSv1, SSHv1, SMBv1,
LM/NTLMv1, wDigest, unsigned LDAP binds, and weak ciphers in Kerberos, use Microsoft
Sentinel’s built-in Insecure Protocol Workbook. Disable insecure services and protocols
that fail to meet the appropriate security standards.
Note: If disabling insecure services or protocols is unattainable, use compensating
controls that stop resource access and so reduce the attack surface, via Azure security
services such as network security groups, Azure Firewall, or Azure Web Application
Firewall.
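As an added example, not from the book, here is a small detector in the spirit of the Insecure Protocol Workbook, run over constructed rows shaped like Sentinel’s SecurityEvent table: it flags NTLMv1 logons, SMBv1 sessions and unsigned LDAP binds and groups the offending clients so they can be fixed or fenced off. Hosts, accounts and addresses are constructed.

```python
"""Added example (not from the book): a detector in the spirit of the Microsoft
Sentinel Insecure Protocol workbook, run over constructed rows shaped like the
SecurityEvent table. It flags NTLMv1 logons (Event 4624 with authentication
package NTLM and LM package "NTLM V1"), SMBv1 sessions (Event 3000 from the
Microsoft-Windows-SMBServer/Audit log) and unsigned LDAP binds (Event 2889
from the Directory Service log). Hosts, accounts and addresses are constructed."""
from collections import Counter
from typing import Optional

EVENTS = [
    {"Computer": "dc01.corp.example", "EventID": 4624, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V1", "Account": "CORP\\svc-legacy", "IpAddress": "10.0.5.20"},
    {"Computer": "dc01.corp.example", "EventID": 4624, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "Account": "CORP\\alice", "IpAddress": "10.0.1.4"},
    {"Computer": "dc01.corp.example", "EventID": 4624, "AuthenticationPackageName": "Kerberos",
     "LmPackageName": "-", "Account": "CORP\\bob", "IpAddress": "10.0.1.5"},
    {"Computer": "fs01.corp.example", "EventID": 3000,
     "Channel": "Microsoft-Windows-SMBServer/Audit", "IpAddress": "10.0.5.20"},
    {"Computer": "dc01.corp.example", "EventID": 2889, "Channel": "Directory Service",
     "Account": "CORP\\svc-ldap", "IpAddress": "10.0.5.21"},
]


def classify(row: dict) -> Optional[str]:
    """Name the insecure protocol a row evidences, or None for a clean row."""
    eid = row.get("EventID")
    if (eid == 4624 and row.get("AuthenticationPackageName") == "NTLM"
            and row.get("LmPackageName") == "NTLM V1"):
        return "NTLMv1"
    if eid == 3000 and row.get("Channel") == "Microsoft-Windows-SMBServer/Audit":
        return "SMBv1"
    if eid == 2889 and row.get("Channel") == "Directory Service":
        return "Unsigned LDAP bind"
    return None


def find_insecure_protocols(rows):
    """Return one finding per row that uses an insecure protocol."""
    findings = []
    for row in rows:
        protocol = classify(row)
        if protocol:
            findings.append({"protocol": protocol, "computer": row["Computer"],
                             "source": row.get("IpAddress"), "account": row.get("Account")})
    return findings


def sources_by_protocol(findings) -> dict:
    """Group offending source addresses by protocol, so each client can be fixed
    or, where it cannot be, fenced off with NSG or firewall rules."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["protocol"], set()).add(f["source"])
    return grouped


def noisiest_sources(findings, n: int = 3):
    """Clients with the most insecure-protocol hits, worth remediating first."""
    return Counter(f["source"] for f in findings).most_common(n)


if __name__ == "__main__":
    found = find_insecure_protocols(EVENTS)
    for f in found:
        print(f)
    print(sources_by_protocol(found))
    print(noisiest_sources(found))
```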
Have a Private Connectivity Between On-Premises and Azure
Colocation environments, such as cloud service providers’ data centers and on-premises
infrastructure, can be made more secure using private connections.
Connect your on-premises site or end-user device to the Azure virtual network using
a VPN for lightweight site-to-site or point-to-site connectivity.
Colocation environments can benefit from enterprise-level high-performance
connectivity through Azure ExpressRoute (or virtual WAN).
When integrating two or more Azure virtual networks, use virtual network peering.
Network traffic flows between peered virtual networks are private, as is network traffic
placed on the Azure global backbone network.
Implement DNS Security
Security configurations for DNS should address the following:
• Ensure your cloud environment uses authoritative and recursive DNS services
that give clients (operating systems and applications) correct results.
• Separate public and private DNS resolution so that the private network’s
resolution process is isolated from the public network’s.
• Protect against common attacks such as dangling DNS, DNS amplification
attacks, DNS poisoning, and spoofing.
When setting up recursive DNS in a workload, such as an OS or an app, use Azure
recursive DNS or an external DNS server you trust.
You can use Azure Private DNS to set up a private DNS zone and run the DNS
resolution process within the virtual network. You can use a custom DNS to restrict the
DNS resolution process only to allow trusted resolutions for your clients.
Microsoft Defender for DNS can detect the following security threats to your workload
or DNS service:
• Data exfiltration from your Azure resources using DNS tunneling
• Malware communicating with a command-and-control server
• Communication with malicious domains such as phishing and
crypto mining
• DNS attacks in communication with malicious DNS resolvers
Adopt Microsoft Defender for App Service to detect dangling DNS records left behind
when you decommission an App Service website without removing its custom domain from
your DNS registrar.
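As an added example, not from the book, the following check finds dangling DNS records of the kind just described by combining two signals: the CNAME target is an Azure-hosted name no longer in your resource inventory, and it no longer resolves. The zone, inventory and resolver answers are constructed.

```python
"""Added example (not from the book): find dangling DNS records of the kind
Defender for App Service alerts on. A CNAME in your zone that still points at an
Azure-hosted name (for example something.azurewebsites.net) after the resource
behind it was deleted can be claimed by a third party, who then serves content
under your domain. The zone, inventory and resolver answers are constructed."""
AZURE_SUFFIXES = (".azurewebsites.net", ".cloudapp.azure.com",
                  ".blob.core.windows.net", ".trafficmanager.net")

ZONE = [  # (record name, type, target)
    ("www.contoso-example.com", "CNAME", "contoso-prod.azurewebsites.net"),
    ("old-promo.contoso-example.com", "CNAME", "promo2021.azurewebsites.net."),
    ("files.contoso-example.com", "CNAME", "contosofiles.blob.core.windows.net"),
    ("mail.contoso-example.com", "MX", "mail.contoso-example.com"),
]
# Hostnames currently owned by resources in your subscriptions (constructed)
INVENTORY = {"contoso-prod.azurewebsites.net", "contosofiles.blob.core.windows.net"}
# Constructed resolver answers: True = resolves, False = NXDOMAIN
RESOLVES = {"contoso-prod.azurewebsites.net": True,
            "promo2021.azurewebsites.net": False,
            "contosofiles.blob.core.windows.net": True}


def _normalize(host: str) -> str:
    """Drop a trailing dot and case so zone data and inventory compare equal."""
    return host.rstrip(".").lower()


def find_dangling(zone, inventory, resolves, suffixes=AZURE_SUFFIXES):
    """Return (record name, target, reason) for each CNAME that points at an
    Azure-managed name you no longer own or that no longer resolves."""
    dangling = []
    for name, rtype, target in zone:
        if rtype != "CNAME":
            continue
        t = _normalize(target)
        if not t.endswith(suffixes):
            continue  # not an Azure-managed target; out of scope for this check
        reasons = []
        if t not in inventory:
            reasons.append("target not in inventory")
        if not resolves.get(t, False):
            reasons.append("target does not resolve (NXDOMAIN)")
        if reasons:
            dangling.append((name, t, "; ".join(reasons)))
    return dangling


if __name__ == "__main__":
    for record in find_dangling(ZONE, INVENTORY, RESOLVES):
        print("DANGLING:", record)
```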
Securing Storage
Regardless of location, every organization has data that needs to be protected at rest, in
transit, and within applications. Azure provides security features to protect your data.
Data sovereignty is the concept that information stored in binary digital form is
subject to the laws of the country or region in which it is located. A significant
concern around data sovereignty is enforcing privacy regulations and preventing foreign
governments from subpoenaing data stored in foreign countries or regions.
In Azure, customer data might be replicated within a specified geographic area for
improved data durability during a major data center disaster; in some cases, it is not
replicated outside that area.
Deploy Shared Access Signatures
To keep your data safe, you should never share storage account keys with external
third-party applications. If these apps need access to your data, they must secure their
connections without using storage account keys.
A shared access signature (SAS) can be attached to a URI to be used with untrusted
clients. A shared access signature contains a security token. Using a shared access
signature, you can delegate access to storage objects and specify constraints, including
permissions and time ranges.
Customers can upload pictures to Blob storage using a shared access signature
token, and web applications can also read those pictures if they have permission. In both
cases, you only grant the application the necessary access to perform the task.
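As an added example, not from the book, the following audit function reads the standard SAS query parameters of a URL and reports every constraint that is broader than the task needs (permissions, validity window, protocol, resource scope, source IP). The account name, blob path and signature values are constructed, and the one-hour lifetime limit is a policy choice for the example, not an Azure limit.

```python
"""Added example (not from the book): audit a shared access signature (SAS) URL
for least-privilege violations before it is handed to an untrusted client. It
reads the standard SAS query parameters (sp permissions, st/se validity window,
spr protocol, sr resource type, ss/srt account-SAS scope, sip address range)
and reports every constraint broader than the task needs. The account name,
blob path and signature values are constructed, not real."""
from datetime import datetime, timedelta, timezone
from typing import List
from urllib.parse import parse_qs, urlparse

MAX_LIFETIME = timedelta(hours=1)  # policy choice for this example, not an Azure limit


def _utc(ts: str) -> datetime:
    """Parse the UTC timestamp format used in st/se, e.g. 2024-01-31T12:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assess_sas(url: str, now: datetime, needed_permissions: str = "r") -> List[str]:
    """Return findings for the token; an empty list means it fits the task."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if not all(k in q for k in ("sig", "se", "sp")):
        return ["not a usable SAS: sig, se and sp are all required"]
    findings = []
    # 1. Permissions beyond the task are excess privilege (a = add, c = create,
    #    w = write, d = delete, l = list).
    extra = set(q["sp"]) - set(needed_permissions)
    if extra:
        findings.append("excess permissions: " + "".join(sorted(extra)))
    # 2. Lifetime: an expired token is harmless; a long-lived one is the risk.
    remaining = _utc(q["se"]) - now
    if remaining <= timedelta(0):
        findings.append("expired")
    elif remaining > MAX_LIFETIME:
        findings.append(f"lifetime exceeds policy: {remaining} remaining")
    # 3. Transport: only spr=https forbids plain HTTP.
    if q.get("spr", "https,http") != "https":
        findings.append("plain HTTP permitted")
    # 4. Scope: an account SAS (ss/srt) or a container (sr=c) is wider than one blob.
    if "ss" in q or "srt" in q:
        findings.append("account-level SAS (ss/srt) rather than a single resource")
    elif q.get("sr") == "c":
        findings.append("container-scoped (sr=c) rather than a single blob")
    # 5. A source address restriction is optional but limits misuse of a leaked token.
    if "sip" not in q:
        findings.append("no source IP restriction (sip)")
    return findings


# Constructed tokens: a read-only, 15-minute, HTTPS-only, single-blob SAS ...
GOOD_SAS = ("https://contosoexample.blob.core.windows.net/photos/cat.jpg"
            "?sv=2022-11-02&sr=b&sp=r&st=2024-01-31T12:00:00Z&se=2024-01-31T12:15:00Z"
            "&spr=https&sip=198.51.100.7&sig=CONSTRUCTED_SIGNATURE")
# ... and a container-wide, long-lived, read/write/delete SAS that also allows HTTP.
BAD_SAS = ("https://contosoexample.blob.core.windows.net/photos"
           "?sv=2022-11-02&sr=c&sp=racwdl&se=2030-01-01T00:00:00Z"
           "&spr=https,http&sig=CONSTRUCTED_SIGNATURE")
NOW = datetime(2024, 1, 31, 12, 5, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("good:", assess_sas(GOOD_SAS, NOW))
    print("bad: ", assess_sas(BAD_SAS, NOW))
```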
Govern Azure AD Storage Authentication
Azure Storage supports authorizing requests to blob data using Azure Active Directory
(Azure AD), shared keys, or shared access signatures. Through Azure AD, you can grant
permissions to a security principal (a user, a group, or an application service
principal) by using Azure RBAC. Azure AD authenticates the security principal and
returns an OAuth 2.0 token, which can then be used to authorize a request to the Blob
service.
Azure Storage Encryption for Data at Rest
When you persist data to the cloud, Azure Storage automatically encrypts it, protecting
your data and helping you meet your organization’s compliance and security
obligations. Azure Storage encryption is similar to BitLocker encryption on Windows:
256-bit AES encryption is used to encrypt and decrypt data transparently. Azure
Storage encryption is compliant with FIPS 140-2.
To use Azure Storage encryption, your code or applications do not need to be
modified. Because your data is secured by default, you can’t disable it.
No matter which redundancy option a storage account uses (standard or premium),
all copies are encrypted. All Azure Storage resources, including blobs, disks, files,
queues, and tables, are encrypted, as are all copies of a storage account. Metadata for
objects can also be encrypted.
Azure Storage encryption is free and does not affect performance.
Securing Endpoints
To keep servers and client endpoints protected, you need a security strategy that
continually assesses their security posture, keeps them up-to-date, and is backed by
tools that give enterprise-wide visibility into attack dynamics.
Microsoft Windows Client and Windows Server are designed to be secure, but many
organizations prefer more control over their security configurations. Microsoft shows
how to configure various security features in security baselines to assist organizations in
navigating many controls.
Security baselines are preconfigured Windows settings that help you apply and
enforce granular security settings recommended by the relevant security teams.
Intune allows you to create a security baseline profile composed of multiple device
configuration profiles, which can be customized to enforce only the settings and values
you need.
To increase flexibility and reduce costs, Microsoft recommends implementing an
industry-standard, widely known, and well-tested configuration, such as Microsoft
security baselines.
Understanding the operating system for which the security baseline is to be applied
is the first step in choosing the appropriate security baseline. Windows clients and
servers come in many versions, and you may need multiple baselines to address the
requirements of each operating system in a heterogeneous environment. You can choose
which tool to use to deploy these baselines once you have an inventory of the operating
systems and their versions.
Enterprise security administrators can use a set of tools called the Security
Compliance Toolkit (SCT) to download, analyze, test, edit, and store Microsoft-
recommended security configuration baselines for Windows and other Microsoft
products. Using the SCT, administrators can efficiently manage Group Policy Objects
(GPOs) for their enterprises.
It lets administrators compare their current GPOs with Microsoft-recommended
GPO baselines or other baselines, edit them, and store them in GPO backup files for use
in Active Directory and local policies.
There are also security baselines for Windows and Linux servers under Azure
Security Benchmark (ASB). The ASB has guidance for OS hardening, resulting in security
baseline documents.
In October 2022, Microsoft rebranded the Azure Security Benchmark (ASB) as the
Microsoft cloud security benchmark. The new benchmark was in public preview at the time
of writing this book.
However, if your security baseline focuses on configuring the endpoint (Windows
Client), you can use Intune to automate the deployment and configuration. With Intune
capabilities, users and devices can be securely protected by quickly deploying Windows
security baselines. Intune allows you to deploy security baselines to groups of users or
devices, and these settings apply to Windows 10/11 as well. It automatically activates
BitLocker for removable drives, requires a password to unlock a device, disables basic
authentication, and more with the MDM security baseline. Customize the baseline to
apply the necessary settings if a default value does not work for your environment.
You need to understand the default values in the baselines you use and modify each
baseline to fit your organization’s needs. Baselines can include the same settings but use
different default values.
It’s important to stress that Microsoft Intune security baselines do not align with
CIS or NIST standards. While Microsoft consults with organizations such as CIS when
compiling security recommendations, Microsoft baselines differ from the CIS benchmarks.
In creating these baselines, Microsoft’s security team consulted enterprise customers
and external agencies, including the Department of Defense (DoD), the National
Institute of Standards and Technology (NIST), and others. These organizations share
Microsoft’s recommendations and baselines, and their own suggestions are similar to
Microsoft’s. As MDM expanded into the cloud, Microsoft created equivalent MDM
recommendations for these group policy baselines. Microsoft Intune provides
compliance reports on the users, groups, and devices that follow (or do not follow)
these baselines.
Let’s do a deep dive into the Microsoft cloud security benchmark.
The Azure and cloud service provider platforms release new services and features
daily, developers publish new cloud applications built on these platforms, and attackers
are constantly looking for new ways to exploit misconfigured resources. Developers and
the cloud move fast, and attackers move fast as well.
• What measures do you take to ensure your cloud deployments
are secure?
• What are the differences between cloud security practices and those
used by on-premises systems?
• Do you monitor your workload across multiple cloud platforms to
ensure consistency?
As stated by Microsoft, security benchmarks can help you secure cloud deployments
quickly. Using a comprehensive security best-practice framework provided by cloud
service providers, you can select specific security configuration settings in your cloud
environment and monitor these settings from a single perspective.
The Microsoft cloud security benchmark (MCSB) includes a series of high-impact
security recommendations to help you secure cloud services in a single or multicloud
environment. These recommendations include the following:
• Controls for security: These recommendations can be applied
irrespective of your cloud workloads. They include a list of
stakeholders typically planning, approving, or implementing the
benchmark.
• Cloud service baselines: These provide recommendations for the
security configuration of individual cloud services. Only Azure
service baselines are currently available.
Microsoft Cloud Security Benchmark for Endpoint Security
The Microsoft cloud security benchmark for endpoint security contains three essential
recommendations: using endpoint detection and response (EDR) controls for endpoints
in cloud environments, using anti-malware services, and making sure anti-malware
software and signatures are updated.
Figure 2-6 provides some high-level insights into the Microsoft cloud security
benchmark.
Fundamental security principle: Azure security services
• Adopt endpoint detection and response (EDR)
• Deploy modern anti-malware software
• Have a periodic release cycle for anti-malware software and signatures
All three principles map to the same services: Microsoft Defender for Cloud, Microsoft
Defender for Servers, Microsoft Defender for Endpoint, and (optionally) integration
with a SIEM.
Figure 2-6. Microsoft cloud security benchmark for endpoint security
Adopt Endpoint Detection and Response (EDR)
Microsoft recommends enabling EDR capabilities for VMs and integrating them with SIEM
and security operations processes.
Microsoft Defender for Servers, with Microsoft Defender for Endpoint integrated,
provides EDR capability against advanced threats. Deploy Microsoft Defender for Servers
to your endpoints through Microsoft Defender for Cloud, and integrate Defender for
Cloud with your SIEM solution, such as Microsoft Sentinel.
Windows and Linux servers running on Microsoft Azure, Amazon Web Services
(AWS), Google Cloud Platform (GCP), or on-premises are protected by Microsoft
Defender for Servers.
You can defend against advanced threats by monitoring, detecting, investigating,
and responding to them with Microsoft Defender for Endpoint. To deliver EDR and
other threat protection features, Microsoft Defender for Servers integrates with Microsoft
Defender for Endpoint. At the time of writing this book, Microsoft Defender for Cloud
is free for the first 30 days, and any usage beyond 30 days will be automatically charged
based on the use and services adopted.
Deploy Modern Anti-malware Software
On Azure VMs, and on Azure Arc-enabled on-premises machines running Microsoft
Defender for Cloud, the software can automatically identify and report the status of
the endpoint protection solution.
Windows Server 2016 and later come with Microsoft Defender Antivirus as the default
antimalware solution. On Windows Server 2012 R2, enable System Center Endpoint
Protection (SCEP) using the Microsoft Antimalware extension. For Linux virtual
machines, use Microsoft Defender for Endpoint on Linux.
Antimalware solutions on Windows and Linux can be discovered and assessed using
Microsoft Defender for Cloud.
You can also consider Defender for Storage, which detects malware uploaded to Azure
Storage accounts.
Have a Periodic Release Cycle for Anti-Malware Software and Signatures
To keep endpoints up-to-date with the latest signatures, Microsoft recommends using
Microsoft Defender for Cloud. Microsoft Antimalware for Windows and Microsoft
Defender for Endpoint for Linux will automatically update signatures and engines.
Securing Backup and Recovery
Using Azure Backup, you can back up and recover your data from the cloud in a
straightforward, secure, and cost-effective manner.
Azure Backup allows protecting your crucial business systems and backup data
against a ransomware attack by deploying defensive measures and offering tools that
shield your enterprise from each step attackers take to compromise your systems.
Backups are stored in a Recovery Services vault with built-in management of
recovery points to protect your VMs from unintended data destruction. Backups are
isolated and independent. Scaling and configuration are simple, backups are optimized,
and quick reinstallation is possible.
A snapshot of the production workload is taken during backup and transferred to the
Recovery Services vault with no impact on production workloads.
Microsoft Cloud Security Benchmark for Backup and Recovery
Your Azure backup and recovery strategy should ensure that data and configuration
backups at the various service tiers are performed, verified, and protected.
Figure 2-7 provides high-level insights into the Microsoft cloud security benchmark
specific to backup and recovery.
Fundamental security principle: Azure security services
• Deploy scheduled automated backups
• Safeguard backup and recovery
• Monitor backups
• Periodically test backups
All four principles map to the same services: Azure Backup and Azure Key Vault.
Figure 2-7. Microsoft cloud security benchmark for backup
Deploy Scheduled Automated Backups
You should ensure backups of business-critical resources are enforced through policies,
both at resource creation and for existing resources.
On Azure Backup–supported resources, Azure Backup can be enabled, and the
backup source can be Azure VMs, SQL Server, HANA databases, Azure PostgreSQL
databases, File Shares, Blobs, or Disks with the desired frequency and retention period.
Backup on Azure VMs can be enabled automatically with Azure Policy.
If Azure Backup does not support backing up a service or resource, you can use the
native backup capabilities the resource or service provides. For example, Azure Key
Vault provides native backup capabilities.
If your resources or services support neither Azure Backup nor native backup, you can
create your own backup and disaster recovery mechanism:
• Data stored in Azure Storage blobs can be preserved, retrieved, and
restored anytime.
• Service configuration settings can usually be exported to Azure
Resource Manager templates.
Safeguard Backup and Recovery
It is imperative to protect backup data and operations against data exfiltration, data
compromise, ransomware/malware, and malicious insiders. Data encryption and user
and network access controls should be employed at rest and in transit.
To secure critical Azure Backup operations (such as deleting, changing retention,
and updating backup configuration), use multifactor authentication and Azure RBAC.
Create private endpoints in your Azure Virtual Network to back up and restore data
from your Recovery Services vaults securely.
256-bit AES encryption is automatically applied to backup data for Azure Backup
resources. As an alternative, you can encrypt backups with a customer-managed key.
Be sure this customer-managed key in Azure Key Vault is also included in the backup
scope. Azure Key Vault offers soft delete and purge protection so that keys cannot be
accidentally or maliciously deleted if you use the customer-managed key option. Azure
Backup provides encryption at rest based on the passphrase you supply.
Backup data should be protected against accidental or malicious deletion due to
ransomware attacks or attempts to encrypt or alter backup data.
When Azure Backup supports it, enable soft delete so that deleted backup data is
retained for up to 14 days and can be recovered following an unauthorized deletion. You
can also require multifactor authentication with a PIN. Enable geo-redundant storage or
cross-region restore so backup data can be restored if a disaster occurs in the primary
region; zone-redundant storage (ZRS) provides restorable backups in the event of zone
failures.
Note: If you use the resource’s native backup feature or backup services other
than Azure Backup, refer to the Microsoft cloud security benchmark (and service
baselines) to implement these controls.
Monitor Backups
Compliance with the defined backup policy and standard should be ensured for all
business-critical protectable resources.
For Azure Backup supported resources, Backup Center helps you centrally govern
your backup estate. Use Azure Policies for Backup to audit and enforce such controls.
Ensure critical backup operations (deleting, changing retention, updating the backup
configuration) are monitored and audited and alerts are set up. Monitor backup health,
receive alerts for critical backup incidents, and audit user-triggered vault actions.
Note: Use built-in policies (Azure Policy) where appropriate to guarantee that your
Azure resources are configured for Backup.
Periodically Test Backups
Periodically test the recovery of your backup data to ensure that the backup
configuration and availability meet the recovery requirements defined in the recovery
time objective (RTO) and recovery point objective (RPO).
Because performing a full recovery test each time can be challenging, you may need to
define a backup recovery test strategy covering the test scope, frequency, and
techniques.
Design and Deploy a Strategy for Securing Identity
Using Azure Identity and Access Management solutions, you can secure access to
your resources and protect your applications and data from malicious login attempts.
Protect credentials with risk-based access controls, identity protection tools, and
robust authentication options, without disrupting business operations.
Consider the following three critical services when securing identity:
• Azure Active Directory (Azure AD) provides identity and access
management for cloud and hybrid environments.
• Azure Active Directory External Identities manages consumer
identities and access in the cloud.
• Azure Active Directory Domain Services lets virtual machines in Azure be
joined to a domain without deploying domain controllers.
Microsoft’s Azure Active Directory
Azure AD is a multitenant, cloud-based identity and directory service. In addition
to providing single sign-on (SSO) access to thousands of cloud SaaS applications, Azure
AD is an affordable and easy-to-use solution for IT administrators to give employees and
business partners that access.
The Azure AD identity management solution makes it easy for developers to
integrate their applications with a world-class solution.
A full range of identity management features is also included in Azure AD, including
multifactor authentication, device registration, self-service password management,
self-service group management, privileged account management, role-based access
control, application usage monitoring, auditing and security monitoring, and alerting.
Cloud-based applications can be secured, IT processes can be streamlined, costs can be
reduced, and compliance goals can be met.
Additionally, Azure AD can be integrated with an existing Windows Server Active
Directory, enabling organizations to manage SaaS access from their existing on-premises
identity investments.
There are four editions of Azure Active Directory: Free, Microsoft 365 Apps, Premium
P1, and Premium P2. As part of an Azure subscription, the Free edition is included.
Azure and Microsoft 365 subscribers may purchase Azure Active Directory Premium
P1 and P2 online through a Microsoft Enterprise Agreement, Open Volume License
Program, or Cloud Solution Providers program.
• Azure Active Directory Free: Manage users and groups, synchronize
on-premises directories, generate basic reports, and provide single
sign-on across Azure, Microsoft 365, and many popular SaaS apps.
• Azure Active Directory Microsoft 365 Apps: This edition is part of
Microsoft 365. In addition to the Free features, it provides identity
and access management for Microsoft 365 apps, including branding,
MFA, group access management, and self-service password reset for
cloud users.
• Azure Active Directory Premium P1: In addition to the Free features,
P1 lets hybrid users access both on-premises and cloud resources.
It also offers advanced administration features, including dynamic
groups, self-service group management, Microsoft Identity Manager
(the on-premises identity management suite), and password
write-back, which lets on-premises users reset their own passwords
from the cloud.
• Azure Active Directory Premium P2: In addition to the Free and P1
features, P2 provides Conditional Access to your apps and critical
company data based on risk-based identity protection. Privileged
Identity Management provides just-in-time access to resources and
lets administrators discover, restrict, and monitor privileged access.
Authentication Choices
Organizations wanting to move their apps to the cloud must choose the correct
authentication method. Don’t take this decision lightly for these reasons:
• This is the first decision for an organization looking to move to
the cloud.
• It controls access to all cloud data and resources. The authentication
method is critical to an organization’s presence in the cloud.
• Azure AD’s advanced security and user experience features are built
on this foundation.
An organization needs an identity control plane that strengthens its security and
keeps its cloud apps safe from intruders. Authentication is the new control plane of
IT security; in the cloud, it is the company's access guard.
When Azure AD hybrid identity is your control plane, authentication is the foundation
of cloud access, so choosing the correct authentication method for Azure AD hybrid
identity is crucial. Azure AD Connect, which also provisions users in the cloud,
implements the authentication method you configure.
For hybrid identity solutions, Azure AD supports the following authentication
methods.
Cloud Authentication
With cloud authentication, Azure AD handles the user's sign-in. You choose one of
two options, password hash synchronization or pass-through authentication, and with
either you can enable seamless single sign-on (SSO) so that users on corporate
domain-joined devices do not have to reenter their credentials.
• Password hash synchronization is the simplest way to enable
authentication for on-premises directory objects in Azure AD.
Users can use the same username and password as on-premises
without deploying additional infrastructure. Whatever sign-in
method you choose, some premium features, such as Azure AD
Domain Services and Identity Protection, require password hash
synchronization.
• Azure AD Pass-through Authentication validates passwords for the
Azure AD authentication service through a software agent running
on one or more on-premises servers. Users are validated directly
against your on-premises Active Directory, so passwords are never
validated in the cloud.
An organization might use pass-through authentication to immediately enforce
on-premises password policies, sign-in hours, or user account states.
Federated Authentication
To validate the password of an Azure AD user, federated authentication transfers the
authentication process to a trusted authentication system, such as Active Directory
Federation Services (AD FS) on-premises.
The federated system can satisfy advanced authentication requirements, such as
smartcard-based authentication or third-party multifactor authentication.
Azure AD Identity Protection
With Identity Protection, Microsoft takes what it learns from its position in organizations
with Azure AD, in the consumer space with Microsoft accounts, and in gaming with
Xbox, and uses it to protect your users. To identify and protect customers from
threats, Microsoft analyzes 6.5 trillion signals every day.
Identity Protection accomplishes three essential tasks:
• Risks associated with identity can be detected and remediated
automatically.
• You can investigate risks using the data in the portal.
• Risk detection data can be exported to third-party utilities for
further analysis.
Risk detections are triggered by suspicious actions associated with a user account.
Based on your organization's enforced policies, the signals generated by Identity
Protection can be fed into tools such as Conditional Access to make access decisions,
or forwarded to a SIEM tool for further investigation.
Identity Protection provides organizations with powerful resources to respond
quickly to suspicious activities.
Azure AD Privileged Identity Management
Azure Active Directory Privileged Identity Management (PIM) lets you give users
just-in-time access and just-enough access to the most important resources in your
organization.
With Azure Active Directory Privileged Identity Management (PIM), you can manage,
control, and monitor access to essential resources within your organization. These
resources include Azure AD, Azure, and Microsoft Online Services such as Microsoft 365
and Microsoft Intune.
Azure AD Privileged Identity Management (PIM) requires Azure AD Premium P2
licenses.
Privileged Identity Management provides time-based and approval-based role
activation to mitigate the risks of excessive, unnecessary, or misused access permissions
on resources that you care about.
Azure AD PIM addresses the following key use cases. Secure information and
resources should be accessible to the fewest people possible, since every additional
privileged account increases the chance that:
• A malicious actor gains access.
• An authorized user inadvertently impacts a sensitive resource.
Users still need to perform privileged operations in Azure AD, Azure, Microsoft 365,
and SaaS apps. With PIM, organizations can provide just-in-time privileged access to
Azure and Azure AD resources and monitor what those users do with it.
Microsoft Cloud Security Benchmark for Identity
The Microsoft Cloud Security Benchmark identity management security controls are
used to establish a secure identity and access control system, including the use of single
sign-on, strong authentication, managed identities (and service principals) for
applications, Conditional Access, and monitoring for anomalies in accounts.
Figure 2-8 provides high-level insights into the Microsoft cloud security benchmark
specific to identity.
Figure 2-8. Microsoft cloud security benchmark for Azure identity

Fundamental identity security principles:
• Identify and authenticate users using a centralized system
• Authentication and identity systems need to be protected
• Automate and secure application identity management
• Servers and services must be authenticated
• Access applications using single sign-on (SSO)
• Ensure strong authentication controls are in place
• Resource access can be restricted based on conditions
• Ensure that credentials and secrets are not exposed
• Existing applications can be accessed securely by users

Azure identity security services:
• Azure Active Directory (Azure AD): SSO, passwordless, multifactor
authentication, Conditional Access policies
Identify and Authenticate Users Using
a Centralized System
Use a centralized identity and authentication system to manage the identities and
authentication of your organization's cloud and noncloud resources.
Your organization will benefit from standardized identity and authentication policies
governed by Azure AD.
• Identity and authentication policies governed by Azure Active
Directory can be used to protect Microsoft Cloud resources,
including Azure Storage, Azure Virtual Machines (Windows and
Linux), Azure Key Vault, and PaaS and SaaS applications.
• Resources that belong to your organization include Azure
applications, third-party applications running on your corporate
network, and third-party SaaS apps.
• To ensure a consistent and centrally managed identity strategy,
synchronize Active Directory identities with Azure AD.
Note It is best to migrate on-premises Active Directory–based applications
to Azure AD as soon as it is technically feasible. This can be done through the
Azure AD enterprise directory, a business-to-business (B2B) configuration, or a
business-to-consumer (B2C) configuration.
Authentication and Identity Systems Need to Be Protected
Ensure that your organization's cloud security practice prioritizes identity and
authentication. Common security controls include the following:
• Restrict accounts and roles with privileged access.
• Require strong authentication for all privileged access.
• Monitor and audit high-risk activities.
Azure AD Identity Secure Score evaluates your Azure AD identity security posture and
helps you remediate gaps in security and configuration. Its recommendations include
the following:
• Don't use too many administrative roles.
• Enable the user risk policy.
• Designate more than one Global Administrator.
• Block legacy authentication.
• Ensure that all users can complete multifactor authentication for
secure access.
• Require MFA for administrative roles.
• Enable self-service password reset.
• Keep your passwords up-to-date.
• Enable the sign-in risk policy.
• Do not allow users to grant consent to unmanaged applications.
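Two of these recommendations, blocking legacy authentication and requiring MFA for administrative roles, can be checked directly against the sign-in log before the policies are enforced. The following Python is an example added for this section, not code from the book or from Microsoft. It runs over a few constructed records in the shape of the Microsoft Graph signIn resource (fields such as clientAppUsed and authenticationRequirement) and reports successful legacy-protocol sign-ins and privileged sign-ins that completed with a single factor. The sample records and the role inventory are assumptions made for the example; in practice they come from the sign-in log export and the directory role assignments.

```python
"""Triage Azure AD sign-in records for two Identity Secure Score gaps:
legacy-protocol sign-ins and privileged sign-ins completed with one factor.
Field names follow the Microsoft Graph signIn resource; the sample records
below are constructed for this example."""
import json
from collections import Counter

# Modern client app types as reported in the sign-in log's clientAppUsed field.
# Anything else (Exchange ActiveSync, IMAP4, POP3, SMTP, "Other clients", ...)
# is a legacy protocol that cannot satisfy MFA or Conditional Access.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

# Directory roles whose sign-ins must always carry MFA (assumption: the
# organization's own list of privileged roles).
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Security Administrator", "Exchange Administrator"}

# Constructed sample sign-in records (errorCode 0 means the sign-in succeeded).
SAMPLE_SIGNINS = json.loads(r'''[
 {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser",
  "authenticationRequirement": "multiFactorAuthentication",
  "status": {"errorCode": 0}, "ipAddress": "203.0.113.10"},
 {"userPrincipalName": "svc-backup@contoso.example", "clientAppUsed": "IMAP4",
  "authenticationRequirement": "singleFactorAuthentication",
  "status": {"errorCode": 0}, "ipAddress": "198.51.100.7"},
 {"userPrincipalName": "bob-admin@contoso.example", "clientAppUsed": "Browser",
  "authenticationRequirement": "singleFactorAuthentication",
  "status": {"errorCode": 0}, "ipAddress": "203.0.113.44"},
 {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "Other clients",
  "authenticationRequirement": "singleFactorAuthentication",
  "status": {"errorCode": 50126}, "ipAddress": "192.0.2.99"}
]''')

# Constructed role inventory (UPN -> directory roles held).
ROLE_INVENTORY = {"bob-admin@contoso.example": {"Global Administrator"}}


def succeeded(record):
    """True when the sign-in completed (status.errorCode == 0)."""
    return record.get("status", {}).get("errorCode", 0) == 0


def is_legacy_auth(record):
    """True when the sign-in used a protocol that bypasses modern auth controls."""
    return record.get("clientAppUsed") not in MODERN_CLIENT_APPS


def legacy_auth_signins(records, successful_only=True):
    """Legacy-protocol sign-ins; by default only the successful ones, because a
    successful legacy sign-in is a live bypass of MFA and Conditional Access."""
    return [r for r in records
            if is_legacy_auth(r) and (succeeded(r) or not successful_only)]


def privileged_without_mfa(records, roles):
    """Successful sign-ins by privileged users that did not require MFA."""
    return [r for r in records
            if roles.get(r.get("userPrincipalName", ""), set()) & PRIVILEGED_ROLES
            and succeeded(r)
            and r.get("authenticationRequirement") != "multiFactorAuthentication"]


def summarize(records, roles):
    """Per-protocol counts of legacy sign-ins plus the privileged-without-MFA list."""
    legacy = legacy_auth_signins(records)
    return {
        "legacy_by_protocol": dict(Counter(r["clientAppUsed"] for r in legacy)),
        "legacy_users": sorted({r["userPrincipalName"] for r in legacy}),
        "privileged_without_mfa": sorted(
            r["userPrincipalName"] for r in privileged_without_mfa(records, roles)),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_SIGNINS, ROLE_INVENTORY), indent=2))
```

On the sample data the report names svc-backup as the one account still signing in over IMAP4 and bob-admin as a Global Administrator signing in with a single factor; both are exactly the accounts that will break when the two policies move from report-only to enforced, so they should be fixed first.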
Note Active Directory and third-party services, as well as operating systems,
networks, and databases, should be configured in accordance with published best
practices.
Automate and Secure Application Identity Management
Use managed application identities rather than creating human accounts for code that
accesses resources. Managed application identities reduce credential exposure, and
their credentials are rotated automatically.
Azure managed identities can authenticate to Azure services and resources through
Azure AD. The platform manages, rotates, and protects the managed identity's
credentials, so they are never hard-coded in source code or configuration files.
Where a managed identity cannot be used, create a service principal in Azure AD.
For service principals, certificate credentials are recommended over client secrets;
reserve client secrets for cases where certificates are not supported.
Servers and Services Must Be Authenticated
Connect to trusted servers and services by authenticating them from your client side.
An authentication protocol most commonly used for servers is Transport Layer Security
(TLS). The client (often the browser or client device) verifies the server by verifying that a
trusted authority issued the server’s certificate.
Note Server and client authentication can be mutual.
TLS is the default authentication method for many Azure services. If a service
exposes a TLS enable/disable switch, ensure that it is always enabled so that server/
service authentication is possible. Your client application should also verify the
identity of the server/service during the handshake stage by confirming that its
certificate was issued by a trusted certificate authority.
Note Some API management and API gateway services support TLS mutual
authentication.
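The client-side checks just described have concrete settings in every TLS library, and the usual failure is a script that switches them off to silence a certificate error. The following Python is an example added for this section, not code from the book; it shows the insecure context beside the hardened one, an audit function that reports which server-authentication checks a context skips, and a helper that opens a verified connection and returns the server's certificate subject and issuer. No connection is made by the audit itself, so it runs offline; the optional client certificate arguments are for the mutual TLS case mentioned in the note.

```python
"""Server authentication with Python's ssl module: the anti-pattern, the
hardened context, and an audit of a context's settings. Example code for this
page, not from the original text."""
import ssl


def insecure_context():
    """Anti-pattern: accepts any certificate, so a man-in-the-middle presenting
    a self-signed certificate is accepted as the real server."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(client_cert=None, client_key=None):
    """Verify the server chain against the system trust store, check that the
    certificate matches the hostname, refuse anything below TLS 1.2, and
    optionally present a client certificate (mutual TLS)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def audit_context(ctx):
    """Return the list of server-authentication weaknesses in an SSLContext."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows TLS below 1.2")
    return findings


def server_identity(host, port=443, ctx=None, timeout=5.0):
    """Open a verified TLS connection and return the leaf certificate's subject
    and issuer; raises ssl.SSLCertVerificationError if verification fails."""
    import socket
    ctx = ctx or hardened_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return {"subject": dict(entry[0] for entry in cert["subject"]),
            "issuer": dict(entry[0] for entry in cert["issuer"])}


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_context()))
    print("hardened:", audit_context(hardened_context()))
```

The audit is worth wiring into code review or a pre-commit hook: a context that fails it is one that will happily talk to whatever answers on port 443.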
Access Applications Using Single Sign-On (SSO)
SSO simplifies the authentication process for cloud services and on-premises resources,
including applications and data.
Reduce the need for duplicate accounts by using Azure AD SSO for workload
application (customer-facing) access. In addition to managing identity and access to
Azure resources (the management plane, including the CLI, PowerShell, and the Azure
Portal), Azure AD also manages cloud apps and on-premises applications.
Azure AD supports single sign-on for enterprise identities as well as for external
identities from trusted third parties and the public.
Ensure Strong Authentication Controls Are in Place
Secure all resource access through your centralized identity management system by
implementing strong authentication controls (passwordless or multifactor
authentication). Password credentials alone are insecure and cannot withstand common
attack methods, so they are considered legacy authentication.
Configure administrators and privileged users first to ensure the highest level of
strong authentication, and then roll out the appropriate strong authentication policy to
all users.
If legacy password-based authentication is required for legacy applications and
scenarios, ensure that password complexity requirements are enforced.
Azure AD supports strong authentication controls through passwordless methods
and multifactor authentication (MFA).
• Use passwordless authentication as the default authentication
method. Microsoft Authenticator app phone sign-in, Windows Hello
for Business, and FIDO2 security keys are all available for
passwordless authentication. Customers can also use on-premises
authentication methods such as smart cards.
• Authenticate users with multiple factors based on their sign-in
conditions and risk factors. Azure MFA can be enabled for all users,
for selected users, or per user according to sign-in conditions and
risk.
Azure AD legacy password-based authentication has a default baseline password
policy for cloud-only accounts (users created directly in Azure AD). Hybrid accounts
(users whose accounts originate in on-premises Active Directory) follow the same
password policies as on-premises users.
When you set up a service, disable or change any default IDs and passwords.
Resource Access Can Be Restricted Based on Conditions
A zero-trust access model requires explicitly validating trusted signals before granting
or denying access to resources. Strong authentication of user accounts, behavioral
analytics of user accounts, device trustworthiness, group membership, location, and
similar signals should all be validated.
You can use Azure AD Conditional Access to restrict access based on user-defined
conditions, such as requiring MFA when users log in from a certain IP range (or
device). Conditional Access controls access to your organization's apps based on
specific conditions.
Consider the following common use cases when defining Azure AD Conditional
Access criteria:
• Require multifactor authentication for users with administrative
roles.
• Require multifactor authentication for Azure management tasks.
• Block sign-ins that use legacy authentication protocols.
• Require a trusted location for Azure AD multifactor authentication
registration.
• Block or grant access from specific locations.
• Block risky sign-in behaviors.
• Require organization-managed devices for specific applications.
Note Granular authentication session management, such as sign-in frequency
and persistent browser sessions, can also be controlled through Azure AD
Conditional Access policy.
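The first and third use cases are the ones most tenants deploy first, and they are also the ones most likely to lock administrators out if written carelessly. The following Python is an example added for this section, not code from the book or from Microsoft. It builds the two policies in the shape of the Microsoft Graph conditionalAccessPolicy resource (the body you would POST to /identity/conditionalAccess/policies) and lints them before deployment: emergency-access accounts must be excluded, a blanket block must never cover all users, all apps and all client types, and the policy starts in report-only mode. The Global Administrator role template ID is the fixed, well-known value; the break-glass account object IDs are placeholders assumed for the example.

```python
"""Build Microsoft Graph conditionalAccessPolicy bodies for two common use
cases and lint them for lockout risk. Example code for this page; the
break-glass object IDs are placeholders."""
import json

# Role template ID of the Global Administrator directory role (same in every tenant).
GLOBAL_ADMIN_ROLE_TEMPLATE = "62e90394-69f5-4237-9190-012177145e10"

# Assumed object IDs of the two emergency-access ("break glass") accounts.
BREAK_GLASS_ACCOUNTS = ["00000000-0000-0000-0000-00000000b001",
                        "00000000-0000-0000-0000-00000000b002"]

REPORT_ONLY = "enabledForReportingButNotEnforced"


def require_mfa_for_admins(state=REPORT_ONLY):
    """Any sign-in by a Global Administrator, from any client, must satisfy MFA."""
    return {
        "displayName": "CA001 Require MFA for Global Administrators",
        "state": state,  # review the report-only results, then switch to "enabled"
        "conditions": {
            "users": {"includeRoles": [GLOBAL_ADMIN_ROLE_TEMPLATE],
                      "excludeUsers": list(BREAK_GLASS_ACCOUNTS)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def block_legacy_authentication(state=REPORT_ONLY):
    """Block the Exchange ActiveSync and 'other' client app types (basic-auth
    protocols such as IMAP, POP, SMTP AUTH) for all users, so that legacy
    clients cannot bypass MFA."""
    return {
        "displayName": "CA002 Block legacy authentication",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": list(BREAK_GLASS_ACCOUNTS)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def lint_policy(policy):
    """Return findings that should stop a policy from being enabled. These are
    the lockout-avoidance rules practitioners otherwise apply by hand."""
    findings = []
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    controls = set((policy.get("grantControls") or {}).get("builtInControls", []))
    excluded = set(users.get("excludeUsers", []))

    # 1. Break-glass accounts must be excluded from every policy that can deny access.
    missing = [a for a in BREAK_GLASS_ACCOUNTS if a not in excluded]
    if missing:
        findings.append("break-glass account(s) not excluded: " + ", ".join(missing))

    # 2. A block on all users, all apps and all client types is a tenant-wide lockout.
    if ("block" in controls
            and users.get("includeUsers") == ["All"]
            and cond.get("applications", {}).get("includeApplications") == ["All"]
            and "all" in cond.get("clientAppTypes", [])):
        findings.append("blocks all users on all apps for all client types")

    return findings


if __name__ == "__main__":
    for policy in (require_mfa_for_admins(), block_legacy_authentication()):
        print(policy["displayName"], "->", lint_policy(policy) or "OK")
        print(json.dumps(policy, indent=2))
```

Deploy the bodies with the Graph API or the Microsoft Graph PowerShell module, leave them in report-only mode long enough to read the sign-in log for the accounts that would have been affected, and only then set the state to enabled.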
Ensure That Credentials and Secrets Are Not Exposed
Credentials and secrets should be handled securely by application developers:
• Code and configuration files should not contain credentials and
secrets.
• To store credentials and secrets, use a Key Vault or secure key store
service.
• Look for credentials in source code.
Secure software development life cycles (SDLCs) and DevOps security processes are
often used to govern and enforce this.
Rather than embedding credentials and secrets in code and configuration files, store
them securely, for example in Azure Key Vault.
If Azure DevOps or GitHub is your code management platform:
• Identify credentials within the code using Azure DevOps Credential
Scanner.
• Use the native secret scanning feature to scan GitHub code for
credentials and other secrets.
A managed identity can securely access Azure Key Vault from Azure Functions,
Azure App Service, and VMs.
Azure Key Vault rotates secrets automatically for supported services. Secrets that
cannot be rotated automatically should be rotated periodically and purged when no
longer needed.
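The following Python is an example added for this section, not code from the book or from Microsoft, and it covers both halves of the guidance above: a scanner of the kind Credential Scanner and GitHub secret scanning run, applied here to a few constructed source lines (a storage account connection string with an embedded key, a client secret assigned to a variable, and a correct line that reads the password from the environment), and the replacement pattern, a managed identity reading the secret from Key Vault. The Key Vault function needs the azure-identity and azure-keyvault-secrets packages and an Azure runtime, so its imports are local to the function and it is not executed here; the sample values are fabricated.

```python
"""Find credentials embedded in source and configuration, and show the managed
identity pattern that replaces them. Example code for this page; the sample
source lines and the secret values in them are constructed."""
import math
import re
from collections import Counter

# Constructed sample of lines as they might appear in a repository.
SAMPLE_SOURCE = r'''
# settings.py
STORAGE_CONN = "DefaultEndpointsProtocol=https;AccountName=contosostore;AccountKey=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ABCDEFGHIJKLMNOPQRSTUV==;EndpointSuffix=core.windows.net"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
client_secret = "8Q~abcdefghijklmnopqrstuvwxyz0123456789AB"
LOG_LEVEL = "INFO"
password = os.environ["DB_PASSWORD"]
'''.strip("\n")

# Azure storage account keys are 64 random bytes, i.e. 88 base64 characters ending in "==".
STORAGE_ACCOUNT_KEY = re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)")

# A credential-looking name assigned a quoted literal of at least 8 characters.
# Reading from the environment (password = os.environ[...]) does not match.
KEYWORD_ASSIGNMENT = re.compile(
    r"\b(client_secret|clientsecret|password|passwd|pwd|api[_-]?key|secret|token)\b"
    r"\s*[:=]\s*[\"']([^\"']{8,})[\"']",
    re.IGNORECASE)


def shannon_entropy(s):
    """Bits per character; random secrets score high, words and IDs score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value, keep=4):
    """Never copy a found secret into a report; keep a short prefix for triage."""
    return value[:keep] + "..."


def scan_source(text):
    """Return one finding per line that carries an embedded credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = STORAGE_ACCOUNT_KEY.search(line)
        if m:
            findings.append({"line": lineno, "kind": "azure-storage-account-key",
                             "value": redact(m.group(1))})
            continue
        m = KEYWORD_ASSIGNMENT.search(line)
        if m:
            literal = m.group(2)
            findings.append({"line": lineno, "kind": "hardcoded-credential",
                             "value": redact(literal),
                             "entropy": round(shannon_entropy(literal), 2)})
    return findings


def read_secret_with_managed_identity(vault_url, secret_name):
    """Hardened replacement: no credential in code. DefaultAzureCredential picks
    up the managed identity on an Azure VM, App Service, or Function. Requires
    the azure-identity and azure-keyvault-secrets packages and an Azure runtime."""
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient
    client = SecretClient(vault_url=vault_url, credential=DefaultAzureCredential())
    return client.get_secret(secret_name).value


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(finding)
```

The scanner flags line 2 (the storage key) and line 4 (the client secret, whose entropy is above 5 bits per character) and leaves the environment lookup alone. The same two regexes are the kind of rules a pre-commit hook or CI job should run on every push; the entropy score helps rank hits when a keyword rule matches a placeholder such as "changeme".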
Existing Applications Can Be Accessed Securely by Users
Consider cloud access security brokers (CASBs), application proxies, or SSO solutions
to govern access to non-native and on-premises applications that use legacy
authentication. These solutions provide the following benefits:
• Enforce strong centralized authentication
• Monitor and control risky end-user activities
• Monitor and remediate risky legacy application activities
• Detect and prevent sensitive data transmission
Protect your on-premises and non-native cloud applications that use legacy
authentication by connecting them through the following:
• Azure AD Application Proxy combined with header-based
authentication, to publish legacy on-premises applications to
remote users with SSO while Azure AD Conditional Access explicitly
validates the trustworthiness of remote users and devices. A
third-party software-defined perimeter (SDP) solution can be used
if needed.
• Microsoft Defender for Cloud Apps as a CASB, to monitor and block
access to unapproved third-party SaaS applications.
• Third-party networks and application delivery controllers.
Note VPNs are commonly used to access legacy applications; they usually provide
limited session monitoring and limited access control.
Microsoft Cloud Security Benchmark for Privileged Access
A range of controls against deliberate and unintentional risk protects your privileged
access model, administrative accounts, and workstations.
Figure 2-9 provides high-level insights into the Microsoft cloud security benchmark
specific to privileged access.
Figure 2-9. Microsoft cloud security benchmark for privileged access

Fundamental privileged access security principles:
• Ensure that highly privileged and administrative users are separated
and limited
• Permissions and accounts should not be granted standing access
• Life-cycle management of identities and entitlements
• Reconcile user access regularly
• Emergency access should be set up
• Workstations with privileged access should be used
• Use the least privilege principle (just-enough administration)
• Specify access method for cloud provider support

Azure privileged access security services:
• Azure Active Directory (Azure AD): PIM, PAW, RBAC
Your cloud’s control, management, and data/workload planes should be designed to
limit the number of privileged or administrative accounts.
Ensure That Highly Privileged and Administrative Users
Are Separated and Limited
Azure Active Directory manages identities and access. Azure AD has two critical
built-in roles, Global Administrator and Privileged Role Administrator, because users
assigned to either can delegate administrator roles. With these privileges, users can
read and modify all of the resources in your Azure environment, directly or indirectly.
• The Global Administrator (company administrator) role gives users
access to all Azure AD administrative features and services.
• The Privileged Role Administrator role lets users manage role
assignments in Azure AD and in Azure AD Privileged Identity
Management (PIM). In addition, they can manage all aspects of PIM
and administrative units within Azure AD.
Additionally, Azure has built-in roles that can be critical for privileged access at the
resource level, outside of Azure AD.
• Owner: Manages all resources and can assign roles in Azure RBAC.
• Contributor: Manages all resources but cannot assign roles in Azure
RBAC, manage assignments in Azure Blueprints, or share image
galleries.
• User Access Administrator: Manages user access to Azure resources.
Note Custom roles in Azure AD or resources with specific privileged permissions
may have other essential roles that must be governed.
It is also essential to restrict privileged accounts with administrative access to your
critical business assets in other management, identity, and security systems, including
Active Directory Domain Controllers (DCs), security tools, and system management
tools installed on business-critical systems. Once compromised, these management
and security systems can be weaponized immediately by attackers to compromise
critical business assets.
Permissions and Accounts Should Not Be Granted
Standing Access
Assign privileged access to the different resource tiers using just-in-time (JIT)
mechanisms instead of standing privileges.
With Azure AD Privileged Identity Management, you can grant just-in-time access
to Azure resources and Azure AD. In JIT, users receive temporary permissions for
privileged tasks, so malicious or unauthorized users cannot use the permissions after
they expire. PIM can also generate security alerts when suspicious or unsafe activity
occurs in your Azure AD organization. Access is granted only when users need it.
JIT for VM access from Microsoft Defender for Cloud lets you control inbound traffic
to your sensitive VM management ports.
Life-Cycle Management of Identities and Entitlements
Ensure the identity and access life cycle is managed through an automated process
or technical control, including requests, reviews, approvals, provisioning, and
deprovisioning.
Azure AD entitlement management allows you to automate access request
workflows for Azure resource groups. Workflows for Azure resource groups can manage
access assignments, reviews, expirations, and dual or multistage approval processes.
Reconcile User Access Regularly
Regularly review privileged account entitlements, including the accounts that
administer control planes, management planes, and workloads.
Examine all privileged accounts and access entitlements in Azure, including Azure
tenants, Azure services, VMs, IaaS, and CI/CD processes.
Review Azure AD roles, Azure resource access roles, group memberships, and
enterprise application access with Azure AD access reviews. Azure AD reporting can also
help find stale accounts that have not been used for a period of time.
Additionally, Azure AD Privileged Identity Management can identify stale or
improperly configured administrator accounts and flag when an excessive number of
accounts hold a specific role.
Emergency Access Should Be Set Up
Establish emergency access to your cloud infrastructure (such as your identity and
access management system) to avoid being shut out in an emergency.
Emergency access accounts should be used only rarely and can cause severe damage
to the organization if compromised, but their availability is crucial for the few scenarios
in which they are required.
Create an emergency access account (for example, with the Global Administrator
role) so that you are not locked out of your Azure AD organization when normal
administrative accounts cannot be used. These "break glass" accounts are highly
privileged and should not be assigned to specific individuals.
It is important to keep all credentials (such as passwords, certificates, and smart
cards) secure and available only to individuals who need them for emergency access.
Using dual controls (e.g., splitting the credential into two pieces and giving them to
two separate individuals) can also enhance the security of this process. Monitor the
logs of sign-ins and audits to ensure emergency access accounts are used only when
authorized.
Workstations with Privileged Access Should Be Used
Admins, developers, and operators of critical services require secure, isolated
workstations. Privileged access workstations (PAWs) can be deployed on-premises or in
Azure using Azure Active Directory, Microsoft Defender, and Microsoft Intune. A secure
configuration, including strong authentication, software and hardware baselines, and
restricted logical and network access, should be enforced centrally on the PAW.
As another option, Azure Bastion is a fully platform-managed solution that can be
provisioned directly within your virtual network. With Azure Bastion, you can connect
directly from your browser to your virtual machines via RDP/SSH.
Use the Least Privilege Principle (Just-Enough
Administration)
Implement features like role-based access control (RBAC) to manage resource access
at a fine-grained level by following the just-enough administration (least privilege)
principle.
Manage Azure resource access using Azure RBAC, which lets you assign roles to users,
groups, service principals, and managed identities. You can inventory and query the
built-in roles for specific resources through tools such as the Azure CLI, Azure
PowerShell, and the Azure Portal.
When you assign Azure RBAC privileges to resources, always limit them to what the
role requires. Azure AD Privileged Identity Management (PIM) complements this with
just-in-time (JIT) activation of limited privileges, and those privileges should be
reviewed periodically. In addition to specifying a time-bound assignment condition,
you can set the start and end dates between which a user can activate or use the role.
Note Create custom roles only when necessary, as Azure built-in roles can be
used to assign permissions.
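The access review in "Reconcile User Access Regularly" and the least-privilege rule above both come down to reading the role assignment inventory with a few questions in mind. The following Python is an example added for this section, not code from the book or from Microsoft. It takes assignments in the JSON shape produced by the Azure CLI's role assignment listing (principalName, principalType, roleDefinitionName, scope) and flags the cases a reviewer looks for first: privileged roles at subscription or management-group scope, privileged roles granted directly to a user rather than to a group that can be made PIM-eligible, and service principals that can assign roles. The assignments and the subscription ID are constructed placeholders.

```python
"""Review exported Azure RBAC role assignments for least-privilege gaps.
Example code for this page; the assignments below are constructed."""
import re

SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder
RG_APP = SUBSCRIPTION + "/resourceGroups/rg-app"

# Roles that can change or re-grant access; these deserve the closest review.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
# Roles that can assign other roles.
ROLE_ASSIGNERS = {"Owner", "User Access Administrator"}

# Subscription or management-group scope, with nothing narrower below it.
BROAD_SCOPE = re.compile(
    r"^/(subscriptions/[^/]+|providers/Microsoft\.Management/managementGroups/[^/]+)$")

# Constructed sample in the shape of `az role assignment list --all` output.
SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUBSCRIPTION},
    {"principalName": "sg-platform-admins", "principalType": "Group",
     "roleDefinitionName": "Contributor", "scope": SUBSCRIPTION},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": RG_APP},
    {"principalName": "sp-ci-deploy", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner", "scope": RG_APP},
    {"principalName": "carol@contoso.example", "principalType": "User",
     "roleDefinitionName": "Key Vault Secrets User",
     "scope": RG_APP + "/providers/Microsoft.KeyVault/vaults/kv-app"},
]


def review_assignments(assignments):
    """Return (principal, finding) pairs for assignments that need a decision."""
    findings = []
    for a in assignments:
        who, ptype = a["principalName"], a["principalType"]
        role, scope = a["roleDefinitionName"], a["scope"]
        if role in PRIVILEGED_ROLES and BROAD_SCOPE.match(scope):
            findings.append((who, f"{role} at broad scope {scope}: confirm it is "
                                  f"still needed or narrow it"))
        if role in PRIVILEGED_ROLES and ptype == "User":
            findings.append((who, f"{role} assigned directly to a user: assign it "
                                  f"to a group and make the group PIM-eligible"))
        if ptype == "ServicePrincipal" and role in ROLE_ASSIGNERS:
            findings.append((who, f"service principal holds {role} and can assign "
                                  f"roles: prefer Contributor or a custom role"))
    return findings


def principals_to_review(assignments):
    """Distinct principals with at least one finding, for the review ticket."""
    return sorted({who for who, _ in review_assignments(assignments)})


if __name__ == "__main__":
    for who, finding in review_assignments(SAMPLE_ASSIGNMENTS):
        print(f"{who}: {finding}")
```

On the sample, bob (Reader on a resource group) and carol (a data-plane role scoped to one vault) are left alone; alice, the platform-admins group, and the CI service principal each get a finding to close, which is the list an access review campaign should start from.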
Specify Access Method for Cloud Provider Support
Request and approve vendor support requests and temporary access to your data via a
secure channel through an approval process and access path.
You can review and approve or reject each Microsoft data access request using
Customer Lockbox when Microsoft needs access to your data for support.
Design and Deploy a Strategy for Securing Apps
and Data
Securing your application in the cloud is one of the most important aspects of any
application, and Azure offers many services to help. You can apply Azure services and
activities at each stage of your software development life cycle to write more secure
code and deploy a more secure cloud application.
The following resources can be used for developing and deploying secure
applications on Azure:
• Microsoft Security Development Lifecycle (SDL): Using SDL,
developers can build more secure software while reducing
development costs and meeting security compliance requirements.
For more info, see: [Link]
securityengineering/sdl/
• Open Web Application Security Project (OWASP): An online
community of web application security experts, OWASP publishes
free articles, methodologies, documentation, tools, and technologies.
For more info, see: [Link]
• Pushing Left, Like a Boss: To create more secure code, developers
should complete the different application security activities
outlined in [Link].
For more info, see: [Link]
like-a-boss-part-1/
• Microsoft identity platform: The Microsoft identity platform evolved
from Azure AD's identity service and developer platform. It provides
an authentication service, open-source libraries, application
registration and configuration, complete developer documentation,
code samples, and other developer resources. The Microsoft identity
platform supports the industry-standard OAuth 2.0 and OpenID
Connect protocols.
For more info, see: [Link]
active-directory/develop/
• Security best practices for Azure solutions: Use Azure security best
practices to design, deploy, and manage cloud solutions using
security best practices.
For more info, see: [Link]
resources/security-best-practices-for-azure-solutions/
• Security and compliance blueprints on Azure: Complying with
stringent regulations and standards can be complex, but Azure
Security and Compliance Blueprints help.
For more info, see: [Link]
governance/blueprints/samples/azure-security-benchmark-
foundation/
An essential part of the design phase is establishing best practices for the design and
functionality of the project as well as performing risk analyses to mitigate security and
privacy risks.
You can minimize the chances of security flaws and use secure design concepts
when you have security requirements. When an application has been released, a security
flaw can allow a user to perform malicious or unexpected actions due to an oversight in
its design.
Consider applying layers of security during the development phase. What happens if
an attacker gets past your web application firewall? You need another security control
behind it to stop the attack.
With this in mind, the following are vital controls to consider:
• Use software frameworks and secure coding libraries.
• Conduct a vulnerability scan.
• When designing an application, use threat modeling.
• Keep your attack surface as small as possible.
• Treat identity as the primary security perimeter.
• For important transactions, require reauthentication.
• Ensure the security of keys, credentials, and other secrets by using a
key management solution.
• Make sure sensitive data is protected.
• Make sure fail-safe measures are in place.
• Ensure that errors and exceptions are handled correctly.
• Use alerts and logging.
• Modernize.
The following sections break these rules down.
Software Frameworks and Secure Coding Libraries
Should Be Used
When developing software, you should use a software framework with embedded
security and a secure coding library. Instead of creating security controls from scratch,
developers can use existing, proven features (encryption, input sanitation, output
encoding, keys, connection strings, etc.). Design and implementation flaws can be
prevented this way.
Use the latest version of your framework and all security features available.
Developing cloud applications on any platform or language is possible with Microsoft’s
comprehensive development tools. You can choose from various SDKs depending on the
language you prefer. A full-featured integrated development environment (IDE) and the
editor can be used with Azure support and advanced debugging capabilities.
Conduct a Vulnerability Scan
A continuous inventory of your client- and server-side components and their dependencies
is essential to preventing vulnerabilities. New vulnerabilities and updated software versions
are released continuously. Monitor, triage, and update your libraries and dependencies continually.
When Designing an Application, Use Threat Modeling
Threat modeling aims to identify potential security threats to your business and
application so that proper mitigations can be implemented. It is recommended that
teams use threat modeling during the design phase when resolving potential issues is
relatively simple and cost-effective. Your total development costs can be significantly
reduced by using threat modeling during the design phase.
The SDL Threat Modeling Tool was designed with nonsecurity experts in mind. This
tool guides developers through creating and analyzing threat models clearly and concisely.
Keep Your Attack Surface as Small as Possible
As the name implies, an attack surface is the sum of all the places where potential
vulnerabilities might occur and through which an application can be attacked. Removing
unused code and resources from your application can quickly reduce your attack
surface. The smaller your application, the smaller its attack surface.
Identify Identity as the Primary Security Perimeter
As you design cloud applications, you must change your security perimeter focus from a
network-centric approach to an identity-centric one. Most on-premises security designs
use the network as the primary security pivot, as it was historically the primary security
perimeter on-premises. Consider identity as the primary security perimeter for cloud
applications.
For Important Transactions, Reauthentication Should Be Required
The current standard for authentication and authorization is two-factor authentication,
which avoids the security vulnerabilities inherent in usernames and passwords. A
multifactor authentication method for access to Azure management interfaces (Azure
Portal/remote PowerShell) and customer-facing services should be designed and
configured.
Ensure the Security of Keys, Credentials, and Other Secrets by Using a Key Management Solution
Losing keys and credentials is a common problem; the only thing worse than losing
them is having an unauthorized party gain access to them. Attackers can use automated
and manual techniques to find keys and secrets stored in code repositories like GitHub.
Don’t put keys and secrets in these public code repositories or on any other server.
The best way to manage your keys, certificates, secrets, and connection strings is to
use a centralized solution with hardware security modules (HSM). Azure offers an HSM
in the cloud with Azure Key Vault.
Make Sure Sensitive Data Is Protected
To design your app with data security in mind, it is important to classify your data and
identify your data protection needs. Developers can determine the risks associated with
stored data by categorizing it by sensitivity and business impact.
Make Sure Fail-Safe Measures Are in Place
During execution, your application must handle errors consistently; it must catch all
errors and, when they occur, either fail safe or shut down.
Errors should also be logged with sufficient user context to identify malicious or
suspicious behavior. Logs should be retained long enough to allow delayed forensic
analysis and should be in a format easily consumed by log management solutions.
Make sure security-related errors trigger notifications. Insufficient logging and
monitoring lets attackers keep attacking systems and maintain persistence.
Ensure That Errors and Exceptions Are Handled Correctly
For a system to be reliable and secure, it must handle errors and exceptions correctly.
Error and exception handling are essential parts of defensive coding. Mistakes in error
handling can themselves create security vulnerabilities, such as leaking information that
lets attackers learn more about your platform.
Alerts and Logging Should Be Used
Ensure you log security issues for security investigations and trigger alerts so that people
are informed of problems immediately. Logging and auditing should be enabled on all
components, and audit logs should record user context and identify all critical events.
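As an added example that is not from the book, here is a small Python authorization gate that applies the three rules above: it fails closed when the permission check itself errors, logs each decision with user context in a machine-readable format, and raises an alert for security-related errors without leaking internal detail to the caller. The entitlement store, users, and event names are hypothetical.

```python
import json
import logging
import uuid
from dataclasses import dataclass, field

# Log records and alerts are collected in memory so the example runs offline;
# a real deployment would ship them to a log management solution or SIEM.
LOG_RECORDS: list = []
ALERTS: list = []


class _ListHandler(logging.Handler):
    """Capture JSON log lines into LOG_RECORDS."""

    def emit(self, record: logging.LogRecord) -> None:
        LOG_RECORDS.append(json.loads(record.getMessage()))


logger = logging.getLogger("secure_app")
logger.setLevel(logging.INFO)
logger.handlers.clear()
logger.addHandler(_ListHandler())
logger.propagate = False


@dataclass
class Request:
    """Hypothetical inbound request carrying the context worth logging."""
    user: str
    source_ip: str
    action: str
    correlation_id: str = field(default_factory=lambda: uuid.uuid4().hex)


# Hypothetical entitlement store (constructed data).
ENTITLEMENTS = {"alice": {"read"}, "bob": {"read", "transfer"}}


def lookup_permissions(user: str) -> set:
    """Return the user's permissions; one constructed user simulates a backend outage."""
    if user == "outage-user":
        raise ConnectionError("entitlement service unreachable")
    return ENTITLEMENTS.get(user, set())


def _log(event: str, req: Request, severity: str, **extra) -> dict:
    """Emit one JSON log record with user context; high severities also alert."""
    rec = {"event": event, "severity": severity, "user": req.user,
           "source_ip": req.source_ip, "action": req.action,
           "correlation_id": req.correlation_id, **extra}
    logger.info(json.dumps(rec))
    if severity in ("high", "critical"):
        ALERTS.append(rec)
    return rec


def handle(req: Request) -> dict:
    """Authorize req.action. Any failure in the check is treated as a denial."""
    try:
        if req.action in lookup_permissions(req.user):
            _log("action_allowed", req, "info")
            return {"status": 200, "body": f"{req.action} ok",
                    "correlation_id": req.correlation_id}
        _log("action_denied", req, "high", reason="missing permission")
        return {"status": 403, "body": "access denied",
                "correlation_id": req.correlation_id}
    except Exception as exc:  # deliberately broad: nothing may escape unhandled
        # Fail safe: an error while checking authorization means deny, never allow.
        # Internal details go to the log and alert, not to the caller; the
        # correlation id lets support tie the generic response to the record.
        _log("authz_error", req, "critical",
             error_type=type(exc).__name__, error=str(exc))
        return {"status": 503, "body": "temporarily unavailable",
                "correlation_id": req.correlation_id}
```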
Modernize
DevOps team models, rapid release cadences, and cloud services and APIs are all being
reshaped simultaneously as the application development process undergoes rapid
changes. To understand these changes, see how the cloud changes security relationships
and responsibilities.
In addition to modernizing antiquated development models, DevSecOps can be
viewed as securing applications and development processes. DevSecOps drives such
changes as the following:
• Because application development is evolving rapidly, traditional
approaches to security scanning and reporting cannot keep pace on
their own; security must be integrated into the process, not applied
as an outside approval. Legacy approaches can keep up with releases
only by grinding development to a halt, resulting in delays in
time-to-market, developer underutilization, and a growing backlog of issues.
• During application development processes, shift left to engage
security earlier to fix issues faster, cheaper, and more effectively. If
you wait until after the cake has been baked, it is hard to change it.
• Security practices must be integrated seamlessly to prevent
unhealthy friction in development workflows and continuous
integration/continuous deployment (CI/CD) processes.
• Security must provide high-quality findings and guidance that
help developers fix issues quickly and avoid false positives.
• A shared culture, shared values, and shared goals and accountabilities
should result from converging the security, development, and
operations roles.
• Implement an agile security approach that starts with minimum
viable security for applications (and for developing processes) and
continuously improves it.
• Simplify development processes by integrating cloud-native
infrastructure and security features.
• Ensure that open-source software (OSS) and third-party components
are updated and bug-fixed and take a zero-trust approach to them.
• As developer services, sometimes called platform as a service (PaaS)
services, and applications change in composition, developers,
operations, and security team members will constantly learn new
technologies.
• Manage application security programmatically to ensure continuous
improvement of agile approaches.
Microsoft Cloud Security Benchmark for DevOps
Generally, DevOps security focuses on the security engineering and operations involved
in DevOps processes, including the deployment of critical security checks (such as static
application security testing and vulnerability management) before deployment to ensure
the security of the entire DevOps process; threat modeling and software supply security
are also covered.
Figure 2-10 provides high-level insights into the Microsoft cloud security benchmark
specific to DevOps.
Fundamental DevOps security principles (left side of the figure):
• Analyze threats
• Ensure the security of the software supply chain
• Infrastructure for DevOps that is secure
• DevOps pipeline should include static application security testing
• Dynamic application security testing should be incorporated into the DevOps pipeline
• DevOps lifecycle security is enforced
• Monitoring and logging should be enabled in DevOps
Azure services mapped to these principles (labeled “Azure Privileged Access Security Services” in the figure):
• Application threat analysis (including STRIDE + questionnaire-based method)
• Azure DevOps Marketplace – supply chain security
• GitHub
• Azure DevOps pipeline
Figure 2-10. Microsoft cloud security benchmark for DevOps
Analyze Threats
Ensure your threat modeling serves the following purposes:
• Identify threats and enumerate mitigating controls.
• In the runtime production stage, secure your applications and
services.
• Threat modeling should at least consider the following aspects to
secure build, test, and deployment artifacts, pipelines, and tooling
environments:
• Make sure the threat modeling satisfies the application’s security
requirements.
• Ensure you analyze the upstream and downstream connections
outside your application scope and the application components
and data connections.
• Determine which of your application components, data
connections, and upstream and downstream services are at risk
of potential threats and attack vectors.
• Assess the appropriate security controls that can mitigate the
threats mentioned and identify any gaps in those controls (e.g.,
security vulnerabilities) that may need to be addressed.
• Identify the vulnerabilities and design controls that can
mitigate them.
The following are the high-level recommendations for Microsoft Azure:
• You can drive your threat modeling process with tools like the
Microsoft threat modeling tool with the embedded Azure threat
model template.
• Using the STRIDE model, identify the appropriate controls and
enumerate the internal and external threats.
• Incorporate threats in DevOps processes, such as malicious
code injection through an insecure artifacts repository that is
misconfigured for access control.
To identify threats, at the least, you should use a questionnaire-based threat
modeling process if your organization does not have access to a threat modeling tool.
If your application or threat landscape undergoes a significant security-impact
change, update the threat modeling or analysis results.
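As an added example that is not from the book or the Microsoft threat modeling tool, the following Python enumerates STRIDE threats per element for a small, constructed data-flow model of a build pipeline and an artifact repository, and reports which threats have no matching control. The element names, the controls attached to them, and the control-class labels are assumptions.

```python
from dataclasses import dataclass

# STRIDE categories that apply to each data-flow-diagram element type
# (the STRIDE-per-element mapping: processes are exposed to all six).
APPLICABLE = {
    "external": {"S", "R"},
    "process": {"S", "T", "R", "I", "D", "E"},
    "store": {"T", "R", "I", "D"},
    "flow": {"T", "I", "D"},
}
NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
         "I": "Information disclosure", "D": "Denial of service",
         "E": "Elevation of privilege"}
# Class of control that mitigates each category (assumed labels).
CONTROLS = {"S": "authentication", "T": "integrity",
            "R": "non-repudiation/audit logging",
            "I": "confidentiality/access control",
            "D": "availability", "E": "authorization"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                          # external | process | store | flow
    trust_boundary: bool = False       # element sits on / crosses a trust boundary
    controls: frozenset = frozenset()  # control classes already in place


@dataclass(frozen=True)
class Threat:
    element: str
    category: str
    control: str
    mitigated: bool


def enumerate_threats(elements) -> list:
    """List every applicable STRIDE threat and whether a control covers it."""
    threats = []
    for el in elements:
        for cat in sorted(APPLICABLE[el.kind]):
            ctrl = CONTROLS[cat]
            threats.append(Threat(el.name, NAMES[cat], ctrl, ctrl in el.controls))
    return threats


def unmitigated(elements) -> list:
    """Open threats, with trust-boundary elements first so they get triaged first."""
    boundary = {e.name: e.trust_boundary for e in elements}
    open_threats = [t for t in enumerate_threats(elements) if not t.mitigated]
    return sorted(open_threats,
                  key=lambda t: (not boundary[t.element], t.element, t.category))


# Constructed model: a developer triggers a build agent that pulls packages
# from an artifact repository. The repository has no access control, the
# misconfiguration the benchmark text calls out as a DevOps threat.
PIPELINE = [
    Element("developer", "external",
            controls=frozenset({"authentication"})),
    Element("build agent", "process",
            controls=frozenset({"authentication", "authorization",
                                "non-repudiation/audit logging"})),
    Element("artifact repository", "store", trust_boundary=True,
            controls=frozenset({"availability"})),
    Element("agent -> repository", "flow", trust_boundary=True,
            controls=frozenset({"confidentiality/access control"})),
]

if __name__ == "__main__":
    for t in unmitigated(PIPELINE):
        print(f"{t.element:22} {t.category:24} needs {t.control}")
```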
Ensure the Security of the Software Supply Chain
Your enterprise needs to ensure that its SDLC or process includes security controls
to govern the in-house and third-party software components (proprietary and open
source) on which your application depends. Prevent vulnerable or malicious components
from being integrated and deployed into the environment by defining gate criteria.
The following aspects should be included in software supply chain security controls
at the least:
• Determine the dependencies for the development phase, build,
integrate, and deploy the service/resource in a software bill of
materials (SBOM).
• Ensure in-house and third-party software components are accounted
for when there is a known vulnerability and a fix is available.
• Static and dynamic application testing can be used to identify
unknown vulnerabilities in software components.
• If no direct fix is available, define compensating controls to
mitigate the vulnerabilities. Mitigation approaches may include local
and upstream source code fixes, feature exclusions, and compensating
controls.
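As an added example that is not from the book or any GitHub or Microsoft tooling, here is a Python build gate that walks the components in a constructed CycloneDX-style SBOM, matches them against a constructed advisory list, and applies the gate criteria from the list above: block if a fix is available, accept only with a recorded compensating control if none is, otherwise pass. The advisory IDs, package versions, and the compensating-control register are placeholders.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed SBOM in a CycloneDX-like JSON shape; purl is a package URL.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "requests", "version": "2.25.0", "purl": "pkg:pypi/requests@2.25.0"},
    {"name": "lodash",   "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
    {"name": "acme-sdk", "version": "1.2.0",  "purl": "pkg:generic/acme-sdk@1.2.0"}
  ]
}
"""

# Constructed advisories; the IDs are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "purl_prefix": "pkg:pypi/requests@",
     "affected": ["2.25.0", "2.25.1"], "fixed_in": "2.26.0", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-2", "purl_prefix": "pkg:generic/acme-sdk@",
     "affected": ["1.2.0"], "fixed_in": None, "severity": "medium"},
]

# Compensating controls the team has recorded for findings with no fix.
COMPENSATING = {
    "ADV-PLACEHOLDER-2": "component isolated in its own subnet; no inbound access",
}


@dataclass
class Finding:
    component: str
    advisory: str
    severity: str
    fixed_in: Optional[str]
    decision: str   # "block" or "accept-with-control"
    note: str


def parse_components(sbom_json: str) -> list:
    """Return the component entries of a CycloneDX-style SBOM document."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return doc.get("components", [])


def evaluate(sbom_json: str, advisories: list, compensating: dict):
    """Apply the gate criteria. Returns (passed, findings)."""
    findings = []
    for comp in parse_components(sbom_json):
        purl = comp["purl"]
        for adv in advisories:
            if not purl.startswith(adv["purl_prefix"]):
                continue
            if comp["version"] not in adv["affected"]:
                continue
            if adv["fixed_in"]:
                # A fix exists: the gate blocks until the dependency is updated.
                findings.append(Finding(comp["name"], adv["id"], adv["severity"],
                                        adv["fixed_in"], "block",
                                        f"upgrade to {adv['fixed_in']}"))
            elif adv["id"] in compensating:
                # No fix, but a compensating control is on record: accept and track.
                findings.append(Finding(comp["name"], adv["id"], adv["severity"],
                                        None, "accept-with-control",
                                        compensating[adv["id"]]))
            else:
                # No fix and nothing compensating: do not let it into the build.
                findings.append(Finding(comp["name"], adv["id"], adv["severity"],
                                        None, "block",
                                        "no fix and no compensating control recorded"))
    passed = not any(f.decision == "block" for f in findings)
    return passed, findings


if __name__ == "__main__":
    ok, found = evaluate(SBOM_JSON, ADVISORIES, COMPENSATING)
    for f in found:
        print(f"{f.decision:20} {f.component} ({f.advisory}, {f.severity}): {f.note}")
    print("GATE PASSED" if ok else "GATE BLOCKED")
```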
When you use closed-source third-party components in your production environment,
you may have little insight into how secure they are. The impact of malicious activity or
a vulnerability associated with such a component can be minimized by adding additional
security controls such as access control, network isolation, and endpoint security.
Here is some Azure guidance: ensure the software supply chain is secure using the
following capabilities or tools provided by GitHub Advanced Security or by GitHub
native features. Scan, inventory, and identify all your project’s dependencies and their
vulnerabilities through the GitHub Advisory Database.
• Use Dependabot to ensure that vulnerable dependencies are tracked
and remediated and that your repository automatically keeps up with
the latest releases of the packages and applications it depends on.
• Use the GitHub native code scanning capability to scan the source
code when sourcing the code from external sources.
• Use Microsoft Defender for Cloud to integrate vulnerability
assessment for your container image in the CI/CD workflow.
Azure DevOps can be extended with third-party extensions to inventory, analyze,
and remediate third-party software components and their vulnerabilities.
Infrastructure for DevOps That Is Secure
Incorporate security best practices into the DevOps pipeline and infrastructure across
environments, including the build, test, and production stages, covering the following components:
• A repository for storing source code, built packages, images, project
artifacts, and business data
• CI/CD pipeline hosting servers, tools, and services
• Configuration of CI/CD pipelines
The following controls should be prioritized in your DevOps infrastructure security
controls for the Microsoft cloud security benchmark:
• Protect artifacts and underlying environments to prevent
malicious code from being inserted into CI/CD pipelines. Identify
any misconfiguration in the core areas of Azure DevOps, such
as Organization, Projects, Users, Pipelines (Build & Release),
Connections, or Build Agent, in your CI/CD pipeline, including open
access, weak authentication, insecure connection setup, etc. Use
similar controls to secure GitHub’s Organization permissions.
• Consistent deployment of DevOps infrastructure across development
projects is essential. With Microsoft Defender for Cloud (such
as Compliance Dashboard, Azure Policy, or Cloud Posture
Management) or your own compliance monitoring tools, you can
monitor compliance across your DevOps infrastructure at scale.
• Make sure CI/CD tools, Azure AD, and native services are configured
with access permissions and entitlement policies to ensure that
changes to pipelines are authorized.
• Just-in-time access to Azure-managed identities can prevent
permanent “standing” privileges from being granted to human
accounts, such as developers and testers.
• Code and scripts used in CI/CD workflow jobs should not contain
keys, credentials, or secrets. Store them in key stores or Azure Key
Vaults instead.
• For self-hosted build/deployment agents, your environment should
be secured by following Microsoft Cloud Security Benchmark
controls such as network security, posture and vulnerability
management, and endpoint security.
To enable governance, compliance, operational auditing, and risk auditing for your
DevOps infrastructure, refer to the Logging and Threat Detection and DS-7 Posture and
Vulnerability Management sections.
DevOps Pipeline Should Include Static Application Security Testing
Perform static, fuzz, interactive, and mobile application security testing as part of the
CI/CD workflow with gating controls. Depending on the test results, gates can be set so
vulnerable packages are not committed, built into the packages, or deployed to production.
Azure DevOps Pipeline and GitHub can integrate tools such as Checkmarx, Fortify,
Veracode, SonarQube, and many more into your CI/CD workflow to automatically scan
and analyze your source code.
• Perform source code analysis using GitHub CodeQL.
• Analyze binary files on Windows and Linux with Microsoft BinSkim.
• For credential scanning in the source code, Azure DevOps Credential
Scanner (Microsoft Security DevOps extension) and GitHub native
secret scanning are used.
Dynamic Application Security Testing Should Be Incorporated Into the DevOps Pipeline
Including dynamic application security testing (DAST) as a gating control in the CI/CD
workflow is important, because it prevents vulnerabilities from being incorporated into
packages or deployed into production.
DAST should be integrated into your pipeline so the runtime application can be
tested automatically within your CI/CD pipeline through Azure DevOps or GitHub.
Automated penetration testing (and manual validation) should also be implemented.
CI/CD workflows can be integrated with third-party DAST tools via Azure DevOps
Pipeline or GitHub.
DevOps Life-Cycle Security Is Enforced
Through development, testing, and deployment, ensure the workload is securely
managed. The Microsoft cloud security benchmark can be used by evaluating controls
(such as network security, identity management, privileged access, etc.) that can be set
as guardrails by default or shifted left before deployment. Ensure your DevOps process
includes these controls:
• Automate deployment using Azure or third-party tooling for the CI/
CD workflow, infrastructure management (infrastructure as code),
and testing to reduce human error and attack surfaces.
• Prevent malicious manipulation of virtual machines, container
images, and other artifacts.
• Perform SAST and DAST scans on the workload artifacts (e.g., container
images and their dependencies) before CI/CD deployment.
• Use threat detection and vulnerability assessment capabilities
continuously in the production environment.
Here is some guidance for Azure virtual machines:
• Use the Azure Shared Image Gallery to share and control access
to your custom images with your users, service principals, or AD
groups. Make sure only authorized users can access your custom
images using Azure RBAC.
• Create custom images, Azure Resource Manager templates, and
Azure Policy guest configurations to define the secure configuration
baselines for the VMs to eliminate unnecessary credentials,
permissions, and packages.
Here is some Azure container services guidance:
• Create your private container registry using Azure Container Registry
(ACR). With Azure RBAC, you can configure restricted access so only
authorized accounts and services can access the containers.
• You can use Microsoft Defender for Azure Containers to assess the
vulnerability of the images within your private Azure Container
Registry. You can also use Microsoft Defender for Cloud to integrate
container image scanning into your continuous integration and
delivery process.
In Azure serverless services, adopt similar controls to ensure that security controls
are shifted to the pre-deployment stage.
Monitoring and Logging Should Be Enabled in DevOps
Ensure your logging and monitoring scope includes nonproduction environments and
CI/CD workflow elements used in DevOps (and any other development process). If not
adequately monitored, vulnerabilities and threats targeting these environments can
pose significant risks to your production environment. To identify deviations in the CI/
CD workflow jobs, monitoring the events from the build, test, and deployment workflows
is essential.
To implement your logging and monitoring controls for workloads, follow the
Microsoft cloud security benchmark for logging and threat detection.
Ensure audit logging is enabled and configured in nonproduction and CI/CD tooling
environments (such as Azure DevOps and GitHub).
To identify any exception results in the CI/CD jobs, the Azure DevOps and GitHub
CI/CD events should also be monitored.
To ensure security incidents are correctly monitored and handled, ingesting these
logs and events into Microsoft Sentinel or other SIEM tools is recommended.
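As an added example that is not from the book, Azure DevOps, or GitHub, the following Python runs three detection rules over constructed CI/CD audit events: a pipeline definition changed by someone outside its owner list, a security gate job (SAST/DAST) that did not succeed, and a production deployment that started without every gate having passed. The event schema, actors, and pipeline names are constructed and do not match any product's real audit log format.

```python
import json
from dataclasses import dataclass

# Constructed audit events, one JSON object per line (not a real product schema).
EVENTS_JSONL = """\
{"ts": "2023-05-01T09:00:00Z", "actor": "alice@contoso.example", "action": "pipeline.modified", "pipeline": "web-ci", "details": "added SAST stage"}
{"ts": "2023-05-01T09:05:00Z", "actor": "contractor@external.example", "action": "pipeline.modified", "pipeline": "web-ci", "details": "removed approval check"}
{"ts": "2023-05-01T09:10:00Z", "actor": "build-svc", "action": "job.completed", "pipeline": "web-ci", "job": "SAST", "result": "skipped"}
{"ts": "2023-05-01T09:12:00Z", "actor": "build-svc", "action": "job.completed", "pipeline": "web-ci", "job": "DAST", "result": "failed"}
{"ts": "2023-05-01T09:15:00Z", "actor": "build-svc", "action": "job.completed", "pipeline": "web-ci", "job": "build", "result": "succeeded"}
{"ts": "2023-05-01T09:20:00Z", "actor": "build-svc", "action": "deploy.started", "pipeline": "web-ci", "environment": "production"}
"""

# Who may change each pipeline definition, and which jobs are security gates.
PIPELINE_OWNERS = {"web-ci": {"alice@contoso.example", "bob@contoso.example"}}
SECURITY_GATES = {"SAST", "DAST"}


@dataclass
class Alert:
    severity: str
    rule: str
    ts: str
    detail: str


def detect(events_jsonl: str, owners: dict, gates: set) -> list:
    """Run the detection rules over the events in order; return alerts raised."""
    alerts = []
    gate_results = {}   # pipeline -> {gate job: last result}
    for line in events_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        action = ev["action"]
        if action == "pipeline.modified":
            # Rule 1: pipeline changes must come from an authorized owner.
            if ev["actor"] not in owners.get(ev["pipeline"], set()):
                alerts.append(Alert("high", "unauthorized-pipeline-change", ev["ts"],
                                    f"{ev['actor']} changed {ev['pipeline']}: {ev['details']}"))
        elif action == "job.completed" and ev["job"] in gates:
            # Rule 2: a security gate that was skipped or failed is an exception result.
            gate_results.setdefault(ev["pipeline"], {})[ev["job"]] = ev["result"]
            if ev["result"] != "succeeded":
                alerts.append(Alert("medium", "security-gate-not-passed", ev["ts"],
                                    f"{ev['job']} in {ev['pipeline']} {ev['result']}"))
        elif action == "deploy.started" and ev.get("environment") == "production":
            # Rule 3: production deployment without every gate having succeeded.
            seen = gate_results.get(ev["pipeline"], {})
            missing = [g for g in sorted(gates) if seen.get(g) != "succeeded"]
            if missing:
                alerts.append(Alert("critical", "deploy-without-passing-gates", ev["ts"],
                                    f"{ev['pipeline']} to production, gates not passed: "
                                    + ", ".join(missing)))
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS_JSONL, PIPELINE_OWNERS, SECURITY_GATES):
        print(f"[{a.severity:8}] {a.ts} {a.rule}: {a.detail}")
```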
Getting Started with Microsoft SecOps
Let’s get started with the basics of security operation strategy.
A security operations center (SOC) aims to address organizational and technological
security challenges. SOC analysts manage and improve security across the three pillars
of an organization: people, processes, and technology.
A SOC can be a team within your organization or outsourced to a third-party
specializing in managed detection and response.
Although SOC is used interchangeably to describe in-house and outsourced teams,
the correct abbreviation for outsourced teams is SOC as a service (SOCaaS). Since this
section is primarily about SOCaaS, we’ll refer to both as a SOC.
Organizations rely on specialized IT security teams to monitor and respond to
cybersecurity events in real-time, whether in-house or outsourced. A SOC is sometimes
called an information security operations center (ISOC).
In addition, SOCs select, operate, maintain, and analyze threat data to improve the
security posture of organizations.
In most small or midsize data centers, a centralized facility continuously monitors
network performance and security controls; in such facilities the network operations
center (or a similarly named function) may also serve as the security operations center.
Security personnel and administrators typically have access to live and historical feeds
from security devices and agents placed throughout the IT environment. Security
operations centers receive logs and reports from DLP, anti-malware, SIEM/SEM/SIM,
firewalls, and IDS/IPS for analysis and real-time response.
The SOC can be physically located within the data center. The security operations
center of an enterprise with many branches and offices may be operated remotely,
allowing remote monitoring. Third parties, meaning vendors with the tools, knowledge,
and personnel to provide security as a core competency, can often handle security
operations and continuous monitoring.
Organizations can sometimes synchronize their security tools, practices, and
responses to security incidents when a SOC is operated or outsourced. By improving
preventative measures and security policies, detecting security threats more quickly,
and responding more effectively and efficiently to them, security threats can usually be
reduced. Furthermore, SOCs can simplify and strengthen compliance with industry,
national, and international privacy laws.
Traditionally, you had to keep track of every layer yourself. The good news about cloud
providers is that they are responsible for intrusion detection and response in their areas
of responsibility, just like other controls. A provider breach could affect you, in which
case you will be notified and may have to perform response and recovery activities
specific to the services you use. However, in most cases, all your detection, response, and
recovery activities will be in the areas marked by consumer responsibility.
Depending on the service and deployment model, the cloud provider will have
a security operations center overseeing the various cloud data centers, underlying
infrastructure, platforms, and applications. However, cloud customers may also have
their security operations monitoring their users and accounts. The provider and
customer may share responsibilities and activities for detection, reporting, investigation,
and response actions; all of these must be included in the contract.
SOC teams vary according to the organization’s size and the industry, but most
share similar roles and responsibilities. Typically, a SOC is a centralized function that
monitors and improves an organization’s cybersecurity posture by preventing, detecting,
analyzing, and responding to cybersecurity incidents.
As far as cybersecurity is concerned, prevention always outweighs reaction. Rather than
merely responding to threats as they occur, a SOC monitors the network around the clock,
which allows the SOC team to detect malicious activities and stop them before they
cause damage.
When SOC analysts witness something suspicious, they assemble as many details as
possible for a deeper analysis.
An analyst performs a threat analysis at the investigation stage to determine
whether and to what extent a threat has penetrated the system. By viewing the network
and operations of the organization from an attacker’s perspective, the security analyst
searches for crucial indicators and vulnerabilities before they can be exploited.
By identifying and triaging various security incidents, the analyst understands
how attacks unfold and how to respond before things get out of hand. The SOC analyst
incorporates the most up-to-date global threat intelligence for a successful triage,
including details on attacker tools, methods, and movements.
The SOC team coordinates a response following the investigation. Immediately after
an incident’s confirmation, the SOC isolates endpoints, terminates harmful processes,
prevents them from executing, deletes files, etc.
The SOC works to restore systems and recover data after an incident. To counter
ransomware attacks, you may need to wipe and restart endpoints, reconfigure systems,
or deploy viable backups to circumvent the ransomware.
No security control in an IT environment is durable on its own. A control cannot
simply be purchased, implemented, and regarded as complete, with the associated risk
treated as permanently mitigated. You must monitor IT resources continuously to ensure
that controls are adequate, operating as intended, and addressing the risks or
vulnerabilities they are supposed to mitigate. Furthermore, new or emerging threats or
hazards must be monitored continuously to ensure they are handled appropriately.
The key difference between NOCs and SOCs is that NOCs monitor the network
proactively for issues that could slow traffic and respond to outages when necessary.
In addition to monitoring the network and other environments, a SOC is looking for
evidence of cyberattacks. NOCs and SOCs need to coordinate activities to prevent
network performance disruptions. Some organizations house their SOC within their
NOCs to encourage collaboration.
SOC teams use real-time security monitoring to identify potential threats on servers,
devices, databases, network applications, websites, and other systems. Additionally,
they do proactive security work by staying on top of the latest threats and identifying
and addressing system or process vulnerabilities before attackers can exploit them. If
a successful attack occurs, the SOC team is responsible for removing the threat and
restoring backups and systems.
Under older security paradigms, an IT environment was considered protected for a set
period if an assessment succeeded or showed no significant findings. Current industry
guidance and best practices instead recommend continuous monitoring. Continuous
monitoring is a central principle of protecting an IT environment, emphasized by NIST
(in the Risk Management Framework), ISO (in the 27000 series of IT security standards),
and the CIS (formerly the SANS Top 20 security controls guidance).
In general, traditional environments categorize SOC activities and responsibilities
into three categories.
• Category 1: Preparation, planning, and prevention
• Category 2: Monitoring, detection, and response
• Category 3: Recovery, refinement, and compliance
Let’s understand in depth each of the categories.
Category 1: Preparation, Planning, and Prevention
The following activities apply to most organizations.
• Asset inventory: The SOC needs an inventory of everything it protects,
including applications, databases, servers, cloud services, and
endpoints, as well as the security tools used to protect them (firewalls,
antivirus/anti-malware/anti-ransomware tools, monitoring software, etc.).
Asset discovery solutions are often used for this.
• Regular maintenance and preparation: The SOC performs preventive
maintenance, including software patches and upgrades and updates to
firewall rules, allow lists and blocklists, and security policies and
procedures, to maximize the effectiveness of security tools. The SOC
may develop backup policies and procedures to ensure business
continuity in the event of data breaches, ransomware attacks, or other
cybersecurity incidents.
• Incident response planning: An organization’s SOC develops its
incident response plan, which defines activities, responsibilities,
and metrics for assessing response effectiveness during a threat or
incident.
• Continuous testing: A SOC team performs comprehensive
assessments to determine the risks and costs associated with each
resource. Penetration tests are also conducted to simulate specific
attacks on a system. Based on the results of these tests, the team
remediates or refines applications, security policies, and best
practices.
• Staying current: SOC must keep up-to-date with the latest security
solutions and technologies and threat intelligence as well as news
and information on cyberattacks and their perpetrators gathered
from social media, industry sources, and the dark web.
Category 2: Monitoring, Detection, and Response
The following activities apply to most organizations:
• Continuous, around-the-clock security monitoring: The SOC monitors
all IT infrastructure 24/7/365 for signs of known exploits and
suspicious activity, including applications, servers, system software,
computing devices, cloud workloads, and the network.
• Security information and event management: SIEM has been the core
monitoring, detection, and response technology for many SOCs. To
identify potential threats, SIEM monitors and aggregates real-time
alerts and telemetry from software and hardware on the network.
A recent development is the adoption of XDR technology, which
provides detailed telemetry and monitoring and can automatically
detect and respond to incidents.
• Log management: Every networking event generates log data that
needs to be collected and analyzed; log management is an essential
subset of monitoring. Most IT departments collect log data, but it
is the analysis of that data that establishes a baseline of regular
activity and identifies anomalies that indicate suspicious activity.
Many hackers take advantage of companies not constantly analyzing
log data, enabling their malware and viruses to run undetected for
long periods. SIEM solutions generally include log management capabilities.
• Threat detection: After sorting the noise from the signals, the SOC
team triages threats by severity based on the indications of actual
cyber threats and hacker exploits. Artificial intelligence (AI) is
incorporated into modern SIEM solutions to automate these
processes and to detect suspicious activity more accurately over time.
• Incident response: The SOC responds to threats or actual incidents to
limit the damage. Actions can include the following:
• Investigating the incident’s root cause to determine the technical
vulnerabilities that allowed hackers to gain access to the system,
as well as other factors (such as poor password hygiene or a lack
of enforcement of policies) that contributed to the attack.
• Shutting down compromised endpoints or disconnecting them from
the network.
• Isolating and rerouting compromised network traffic.
• Pausing or stopping compromised apps or processes.
• Deleting damaged or infected files.
• Running antivirus or anti-malware software.
• Retiring compromised passwords, both internal and external.
Many SOCs use XDR solutions to automate and accelerate these responses.
Category 3: Recovery, Refinement, and Compliance
The following activities involve most of the organization:
• Recovery and remediation: The SOC eradicates a threat once an
incident has been contained and then works to restore the impacted
assets to their original state (e.g., wiping, restoring, and reconnecting
disks, end-user devices, and other endpoints; restoring network
traffic; restarting applications and processes). In a ransomware attack
or data breach, recovery may require switching to backup systems
and resetting passwords.
• Post-mortem and refinement: As part of the incident response plan,
the SOC may choose to update processes and policies, choose new
cybersecurity tools, or revise the incident response plan to prevent
a recurrence. In addition to assessing whether the incident has
revealed a new or changing cybersecurity trend, the SOC team may
also determine how to prepare for it.
• Compliance management: The SOC ensures all applications,
systems, and security tools and processes comply with data privacy
regulations, including the GDPR, the CCPA, and the Payment
Card Industry Data Security Standard (PCI DSS). SOCs ensure that
users, regulators, law enforcement, and other parties are notified
after an incident as the regulations require, and that critical incident
data is retained for evidence and auditing.
In summary, the SOC team monitors, detects, contains, and remediates IT threats
across applications, devices, systems, networks, and locations. To determine whether
a threat is active, what the impact is, and what measures are needed, SOC teams use
various technologies and processes in conjunction with the latest threat intelligence
(e.g., indicators, artifacts, and other evidence). The increasing frequency and severity
of incidents have altered the roles and responsibilities of security operations centers.
SOCs help organizations prevent cyberattacks by combining people, tools, and
processes. Among its functions are inventorying assets and technology, routine
maintenance, continuous monitoring, threat detection, threat intelligence, log
management, incident response, recovery and remediation, root-cause investigations,
security refinement, and compliance management, all of which contribute to achieving
its goals.
By unifying defenders, threat detection tools, and security processes, a strong SOC
helps organizations manage security more efficiently and effectively. With a SOC,
companies can manage compliance better, respond faster to threats, and improve
security processes.
Microsoft SOC Function for Azure Cloud
Detecting, prioritizing, and triaging attacks is the responsibility of the security
operations team. By eliminating false positives and focusing on actual attacks, the central
SecOps team reduces the time it takes to remediate actual attacks. Communication,
investigation, and hunting activities must be aligned with the application team so that
false positives are eliminated and effort is focused on actual attacks.
Microsoft defines three critical objectives that SOC functions need to address:
incident management, incident preparation, and threat intelligence. Let’s take a high-
level view of each one of them.
• Incident management: Protect the environment from active attacks,
including the following:
• Responding reactively to detected attacks
• Proactively identifying attacks that slipped through traditional
threat detections
• Coordinating the legal, communications, and other business
implications of security incidents
• Incident preparation: The organization should undertake preparation
for future attacks. It is a broader set of activities designed to build
muscle memory and context at all levels of the organization. As
a result of this strategy, people will be better prepared to handle
significant attacks, and insights will be gained on improving security
processes.
• Threat intelligence: Providing security operations, security teams,
business leadership stakeholders, and security leadership with threat
intelligence that has been collected, processed, and disseminated.
It is critical for security operations teams to focus on the essential outcomes. In
larger organizations, it is common for SecOps teams to split these outcomes across
subteams, or tiers.
Now, let us explore each level. Let us start with Tier 0.
Tier 0 is SOC automation: automating and optimizing your security posture for
maximum efficiency. Detection and remediation of threats can be sped up with
SOC automation.
You manage threats and vulnerabilities, respond to incidents, and automate security
operations. Routine processes such as scanning for vulnerabilities, searching logs, or
resolving well-known attacks can then be handled automatically.
Tier 1 is a security incident’s first point of contact. Tier 1 triages the high volume of
alerts generated by automation and tooling. Most of the common incident
types are resolved within the team through triage. An incident should be escalated to
Tier 2 if it is more complex or has not been seen before.
In Tier 2, the SOC should focus on incidents requiring further investigation, often
requiring data points from various sources to be correlated. Tier 2 investigates escalated
issues to provide repeatable solutions, so Tier 1 can address similar problems in the
future. A business-critical system alert will also be handled by Tier 2, which will reflect
the severity of the risk and the need for immediate action.
In Tier 3, the SOC should focus primarily on proactively hunting for highly
sophisticated attack processes and developing guidance for the broader teams for
maturing security controls. Tier 3 provides forensic analysis and response support for
significant incidents.
Microsoft Azure Security Operations Center
In cloud security operations (SecOps), active attacks on enterprise assets are detected,
responded to, and recovered from.
Security operations teams (SOCs, SecOps, and Security Operations Centers) detect,
prioritize, and potentially triage attacks in real time. The SecOps team eliminates false
positives and reduces the time to remediate actual incidents by monitoring security-
related telemetry data and investigating security breaches. Whenever possible,
communication, investigation, and hunting activities should be coordinated with the
team working on the application.
SecOps should mature as follows:
• Responding reactively to tool-detected attacks
• Detecting attacks before they slip through reactive detections by
being proactive
Generally, these are the best practices to follow when conducting security
operations:
• Operate according to the NIST Cybersecurity Framework (CSF).
• Detect: Analyze the system for adversaries.
• Respond: Investigate the situation quickly to determine whether
it’s a false alarm or an actual attack.
• Recover: Assure that the workload is secure, reliable, and
available during and after an attack.
• Alerts must be acknowledged quickly. Defenders must not ignore a
detected adversary while triaging false positives.
• Reduce the opportunities for an adversary to conduct an attack and
reach sensitive systems by reducing the time it takes to remediate a
detected adversary.
• Make security investments in systems with high intrinsic value, such
as administrator accounts.
• Detect adversaries proactively as your system matures. This will
reduce the time a more sophisticated adversary can operate in the
environment.
SecOps Tools
An Azure SOC team can use SecOps tools to investigate and remediate incidents.
A cloud-based SIEM solution is one of the most important tools in a SOC. It
aggregates data from multiple security solutions and log files to detect emerging threats,
expedite an incident response, and keep up with attackers.
With SOAR, recurring and predictable enrichment, response, and remediation tasks
can be automated, allowing more time and resources for investigations and hunting.
Microsoft Sentinel is a SIEM tool for enterprise-wide log monitoring. Its connectors
and playbooks let you easily integrate any product or service in your environment for
security orchestration, automation, and response (SOAR).
By integrating security products and data into simplified solutions, XDR provides
holistic, optimized security through software as a service. Multicloud and hybrid
environments require organizations to use these solutions to address evolving
threats and complex security challenges proactively and efficiently. Unlike systems
like endpoint detection and response (EDR), XDR covers a broader range of security
products, including endpoints, servers, cloud applications, and email. As a result, XDR
provides visibility, analytics, correlated alerts, and automated responses to protect data
and combat threats by combining prevention, detection, investigation, and response.
You can also use Microsoft Defender for Cloud to respond to an alert using a security
playbook. The Microsoft Defender software provides an end-to-end solution for threat
detection and response on-premises, in Azure, and in other clouds across your Microsoft
estate. Cloud telemetry and on-premises telemetry must be collected, analyzed, and
responded to with comprehensive monitoring solutions.
You can also use Azure Monitor to collect Azure application and service event logs.
With Azure Monitor, you can aggregate all the data from your system into one platform.
It combines data from multiple Azure subscriptions and tenants and hosts data for other
Azure services.
You can use an Azure NSG to monitor network activity or use Azure Information
Protection to protect sensitive data, such as emails, documents, and files, outside of your
organization.
Summary
In this chapter, you read about methods to design and deploy a strategy for securing
infrastructure and platform components, a strategy for securing identity, and a strategy
for securing apps and data. You also learned about Microsoft SecOps.
In the next chapter of the book, you will read about designing and deploying an Identify
solution in alignment with the NIST CSF.
CHAPTER 3
Design and Deploy
an Identify Solution
Throughout history, people, organizations, and governments have fallen victim
to cyberattacks. Cybersecurity, cyberattacks, cybercriminals, and more have been
frequently discussed in the IT and business world. You’ll need a basic understanding of
these concepts to protect yourself and those around you.
Microsoft Cybersecurity NIST Identify is an identification and authentication
framework designed to help organizations secure their data and systems. It enables
organizations to create a secure identity ecosystem and protect against malicious
actors, and it also provides guidance on best practices for authentication and identity
management.
Microsoft Cybersecurity NIST Identify creates a secure and trusted identity
environment that is reliable and easy to use. It also helps organizations protect
their networks and data from unauthorized access and provides consistent security
requirements and policies. This allows organizations to meet compliance and regulatory
standards while increasing productivity and user experience. It also reduces operational
costs and improves the organization’s overall security posture.
Microsoft Cybersecurity NIST Identify also provides a comprehensive dashboard
to monitor the system’s performance, allowing organizations to identify and address
any potential security issues quickly and efficiently. Additionally, it supports multiple
authentication methods, allowing organizations to customize their authentication
process easily.
Microsoft Cybersecurity NIST Identify also supports automated compliance
reporting, allowing organizations to easily demonstrate compliance with industry
standards. This assures organizations that their security measures are up-to-date
and effective. It also puts less burden on IT staff, freeing them up to focus on more
critical tasks.
149
© Puthiyavan Udayakumar 2023
P. Udayakumar, Design and Deploy a Secure Azure Environment,
[Link]
Chapter 3 Design and Deploy an Identify Solution
This chapter provides the fundamentals of Microsoft Cybersecurity NIST Identify.
By the end of this chapter, you should be able to understand the following:
• Azure Identify security services
• [Link]: Asset Management
• [Link]: Business Environment
• [Link]: Governance
• [Link]: Risk Assessment
Introduction to NIST Identify
In this section, let’s get started by understanding what NIST Identify is.
The Identify function develops an organizational understanding of how to manage
cybersecurity risk to systems, people, assets, data, and capabilities. Understanding the
business context, the resources supporting critical functions, and the cybersecurity risks
related to those functions lets an organization align its efforts with its risk management
strategy and business needs.
Within this function, there are the following outcome categories:
• Establishing the basis of an asset management program by
identifying and evaluating physical and software assets in the
organization
• Identifying the organization’s place in the critical infrastructure
sector and its role in the supply chain
• Identifying policies and legal and regulatory requirements regarding
cybersecurity capability within the organization to define the
governance program
• Assessing the risk associated with an organization’s assets, threats,
and risk response activities
• Establishing the organization’s risk tolerances and developing a risk
management strategy
• Identifying a supply chain risk management strategy, which includes
priorities, constraints, risk tolerances, and assumptions used to
support risk determinations associated with handling supply
chain risks
The activities in the Identify function are critical for using the NIST CSF effectively:
they develop an organizational understanding of cybersecurity risk to systems, people,
assets, data, and capabilities. Understanding the business context, the resources
supporting critical functions, and the related cybersecurity risks lets an organization
prioritize its cybersecurity efforts consistent with its risk management strategy and
business needs. The outcome categories included in this function are Asset
Management, Business Environment, Governance, Risk Assessment, Risk Management
Strategy, and Supply Chain Risk Management. Figure 3-1 depicts the classification.
Figure 3-1. NIST Identify categories: under IDENTIFY (ID) sit Asset Management
([Link]), Business Environment ([Link]), Governance ([Link]), Risk Assessment ([Link]),
Risk Management Strategy ([Link]), and Supply Chain Risk Management ([Link])
Asset Management ([Link])
Asset management is the process of managing and preserving the value of an asset
over its life cycle. It involves assessing and understanding the risks associated with an
asset, monitoring its performance, and taking corrective action when necessary. Asset
management helps to optimize the utilization of resources and maximize returns. It
helps ensure that assets are properly maintained and updated and that any potential
risks are identified and mitigated. It is important to have an effective asset management
system in place to ensure that resources are used efficiently and risks are minimized.
This will help to maximize returns and ensure the long-term success of the organization.
Asset management tracks and manages the hardware, software, and other physical
assets used in an organization’s cloud infrastructure. It is essential for maintaining an
effective cybersecurity strategy since it helps to identify and monitor the security risks
associated with each asset.
Asset management enables organizations to identify potential threats and take
the necessary steps to mitigate them. It also helps organizations identify areas where
additional security measures can be implemented. By comprehensively understanding
their assets, organizations can ensure that their IT infrastructure remains secure.
Asset management provides organizations with visibility into their IT infrastructure
and an understanding of its use. It allows organizations to identify and categorize their
assets and track them over time to detect any infrastructure changes. This visibility
helps organizations identify potential vulnerabilities and take steps to mitigate the risks
associated with them.
Asset management also helps organizations identify areas where additional security
measures can be implemented, allowing them to protect their assets from potential
threats proactively.
Organizations identify and manage the data, personnel, devices, systems, and
facilities appropriate to their relative importance to business objectives and risk
management plans. Figure 3-2 depicts the asset management subcategories.
Figure 3-2. NIST Identify asset management categories. For IDENTIFY (ID), Asset
Management ([Link]), the figure pairs each subcategory outcome with the corresponding
Azure activity:
• [Link]-1: A physical inventory of the organization’s devices and systems is
conducted. Azure: Inventory devices and systems.
• [Link]-2: The organization inventories its software platforms and applications.
Azure: Inventory of platforms and applications.
• [Link]-3: The flow of data and communication within an organization is mapped.
Azure: Discover, map, and monitor various data flows.
• [Link]-4: A catalog of external information systems is created. Azure: Maintain
accountability of users’ access to and usage of SaaS apps.
• [Link]-5: Resource classification, criticality, and business value are used to
prioritize resources (e.g., devices, hardware, data, and software). Azure: Enable
data classification, secure privileged access, and the ability to manage, control,
and monitor access to Azure.
• [Link]-6: All stakeholders (suppliers, customers, partners) are given cybersecurity
roles and responsibilities. Azure: Define roles and responsibilities (e.g., related to
privileged access) across Azure.
The NIST control statement recommends the following:
• Develop and document a system component inventory that
• Accurately reflects the system
• Includes the entire system
• Does not duplicate components that are assigned to other
systems in this accounting
• Tracks and reports at the appropriate level of granularity
• Includes the information necessary to achieve effective system
component accountability
• Update the inventory of system components
Azure Mapping for Asset Management ([Link])
Microsoft Azure provides asset management capabilities through various services and
products that enable organizations to manage their assets and resources more efficiently.
They provide a centralized platform to track, monitor, and manage assets, as well as
insights into their performance, and help to reduce costs and maximize productivity.
A key component of asset management is the implementation of controls for
securing Azure resources, including recommendations about permissions for security
personnel, access to asset inventory, and managing approvals for services and resources
(inventory, tracking, and correcting).
Security posture can be accurately assessed only by identifying a system’s assets and
value. Assets include tangible elements such as information or equipment and abstract
ones such as reputation. It is essential to quantify the impact of these assets. Every
organization must identify its digital assets and determine what level of protection they
require.
Here are the Microsoft Azure guidelines for asset management:
• Discover all your cloud resources by querying your asset inventory.
Tagging and grouping your assets according to their service nature,
location, or other characteristics will help you organize them
logically. Maintain a continuously updated asset inventory for your
security organization. By aggregating security insights and risks
centrally, you can ensure your security organization can monitor
risks to cloud assets.
• Audit and restrict user access to cloud services to ensure only
approved cloud services can be used.
• Maintain security attributes and configurations of assets throughout
their life cycles.
• Protect your cloud assets from accidental or malicious
modifications by limiting access to asset management features.
• Ensure that only authorized software executes in your environment
by creating an allow list and blocking unauthorized software from
executing.
Let’s now explore the Azure NIST Identify mapping for asset management and
Microsoft’s classification of responsibilities between Microsoft and customers, which
matches up with cloud security shared responsibility models.
Figure 3-3 depicts the subcategories of Azure mapping against the Identify module of
the NIST CSF.
Figure 3-3. NIST Identify asset management categories and subcategories. The Azure
services mapped to Azure Asset Management ([Link]) by subcategory are as follows:
• [Link]-1: Microsoft Defender for Cloud; Azure AD Registered Devices; IoT Hub
Device Identity Registry; Azure IoT Hub
• [Link]-2: Microsoft Defender for Cloud; Microsoft Intune
• [Link]-3: Service Map; Azure Network Watcher; Azure Network Security Group
• [Link]-4: Azure Information Protection (AIP)
• [Link]-5: Azure AD Privileged Identity Management
• [Link]-6: Azure Privileged Access Management
As part of the Azure cloud shared responsibility model, the NIST CSF security
functions are provided in Table 3-1 with respect to [Link].
Table 3-1. [Link] Responsibility Matrix
Category: Asset Management ([Link]). The data, personnel, devices, systems, and
facilities that enable the organization to meet its business objectives are identified and
managed in accordance with the risk strategy of the organization.
Subcategory [Link]-1: A physical inventory of the organization’s devices and systems
is conducted.
  Informative references: NIST SP 800-53 Rev. 4 CM-8
  Responsibility: Shared
  Customer responsibility: All external information systems interconnected with the
  Azure subscription must be catalogued and documented by the customer.
  Microsoft Azure responsibility: Microsoft Azure maintains an inventory of
  information system components. An inventory database system keeps the inventory
  accurate and up to date with new installations and the decommissioning of devices.
  A security group must establish the standards by which assets are classified. The
  inventory must identify the owner, current location, and classification of each asset.
  All asset types are kept up to date with new installations and decommissionings.
Subcategory [Link]-2: The organization inventories its software platforms and
applications.
  Informative references: NIST SP 800-53 Rev. 4 CM-8
  Responsibility: Shared
  Customer responsibility: Customers are responsible for identifying and inventorying
  applications and platforms critical to their business objectives. A Microsoft Azure
  subscription may include an operating system, an application, or software, but
  customers are still responsible for inventorying these items.
  Microsoft Azure responsibility: As part of maintaining fleet health, Microsoft Azure
  maintains a list of information system components, including software platforms
  and applications.
Subcategory [Link]-3: The flow of data and communication within an organization is
mapped.
  Informative references: NIST SP 800-53 Rev. 4 AC-4, CA-3, CA-9, PL-8
  Responsibility: Shared
  Customer responsibility: Customers are responsible for managing communication
  and data between their applications and between them and external systems. The
  customer is responsible for authorizing connections to external and internal
  information systems and documenting these connections.
  Microsoft Azure responsibility: To protect internal data flows, Microsoft Azure
  employs and enforces approved authorizations to control information flow both
  within the system and between interconnected systems, and encrypts all data
  in transit.
Subcategory [Link]-4: A catalog of external information systems is created.
  Informative references: NIST SP 800-53 Rev. 4 AC-20, SA-9
  Responsibility: Customer
  Customer responsibility: All external information systems interconnected with the
  Azure subscription must be catalogued and documented by the customer.
  Microsoft Azure responsibility: N/A
Subcategory [Link]-5: Resource classification, criticality, and business value are used to
prioritize resources (e.g., devices, hardware, data, and software).
  Informative references: NIST SP 800-53 Rev. 4 CP-2, RA-2, SA-14
  Responsibility: Customer
  Customer responsibility: The customer prioritizes resources (such as hardware,
  devices, data, time, and software) according to their classification, criticality, and
  business value. The customer will define the priority of Microsoft Azure based on
  the criteria listed, but it will be listed as a resource.
  Microsoft Azure responsibility: N/A
Subcategory [Link]-6: All stakeholders (suppliers, customers, partners) are given
cybersecurity roles and responsibilities.
  Informative references: NIST SP 800-53 Rev. 4 CP-2, PS-7, PM-11
  Responsibility: Customer
  Customer responsibility: Customers are responsible for identifying cybersecurity
  roles and responsibilities within their companies.
  Microsoft Azure responsibility: N/A
Microsoft Defender for Cloud
Microsoft Defender for Cloud is a cloud-native cybersecurity platform that provides
advanced protection for cloud workloads, data, applications, and networks. It
offers threat detection and protection against advanced persistent threats, zero-day
vulnerabilities, and automated incident response capabilities.
Microsoft Defender for Cloud is a cloud-native application protection platform
(CNAPP): it offers tools and practices to secure cloud-based applications against cyber
threats and vulnerabilities. As a CNAPP, Microsoft Defender for Cloud enables you to do
the following:
• You can unify security management at the code level across
multicloud and multi-pipeline environments with development
security operations (DevSecOps).
• CSPM provides actionable guidance on how to prevent breaches in
the cloud.
• Workloads such as virtual machines, containers, storage, databases,
and other workloads can be protected with a cloud workload
protection platform (CWPP).
Defender for Cloud incorporates developer security operations (DevSecOps).
From a single location, you can protect your code management environments and
pipelines and monitor the security posture of your development environments.
Defender for DevOps is currently included in Defender for Cloud.
These are the key capabilities of Microsoft Defender for Cloud:
• Improve your cloud security posture proactively with free continuous
assessment, benchmarks, and Azure, AWS, and Google Cloud
recommendations.
• Utilize contextual threat analysis to prioritize remediation of critical
risks. Discover high-priority risks by analyzing attack paths.
• With insights from industry-leading security intelligence, secure
virtual machines, containers, databases, and storage.
• Scan with an agentless or agent-based approach for flexibility and
comprehensive workload protection.
• Visualize DevOps security posture across multi-cloud and multi-
pipeline environments.
• Gain visibility into DevOps inventory, application code, and
configuration security posture.
• Remediate critical code issues faster by prioritizing and providing
remediation guidance natively in developer tools.
• Controls are mapped by default to major regulatory industry benchmarks
for multicloud security compliance.
Security awareness is required at the code, infrastructure, and runtime levels of
today’s applications to ensure they are hardened against attacks. Configuring and
deploying your cloud and on-premises resources correctly is critical to ensuring their
security. You can secure your environment using Defender for Cloud recommendations.
With Defender for Cloud, you can access free Foundational CSPM capabilities. By
enabling paid Defender plans, you can also enable advanced CSPM capabilities. Taking
proactive measures to protect your workload from threats requires implementing
security practices. By recommending the proper security controls for your workload,
cloud workload protection (CWP) surfaces workload-specific recommendations.
What Is a Hybrid Cloud? Organizations can use a hybrid cloud to orchestrate,
manage, and port their applications across public, private, and on-premises
infrastructures. It creates a unified, flexible, distributed computing environment
where traditional or cloud-native workloads can be scaled according to the most
appropriate computing model. A hybrid cloud that uses multiple public cloud providers
is called a hybrid multicloud.
Security alerts immediately inform you of the nature and severity of threats to
your environment so you can prepare to respond. After you identify a threat in your
environment, you need to respond to limit the risk to your resources quickly.
In a hybrid and multicloud environment, you need to protect your resources.
Microsoft Defender for Cloud, Microsoft Entra Permissions Management, Azure Network
Security, GitHub Advanced Security, and Microsoft Defender External Attack Surface
Management work together to provide comprehensive cloud security.
For protection against attacks that exploit today’s multicloud, multiplatform
environment, combine the breadth of a security information and event management
(SIEM) solution with the depth of extended detection and response (XDR). As part of
Microsoft’s SIEM and XDR solution, Microsoft Defender for Cloud is a key component.
Figure 3-4 shows Microsoft Defender for Cloud.
Figure 3-4. Microsoft Defender for Cloud
Asset Inventory
An IT asset inventory is a systematic process of gathering, recording, and maintaining
information about all an organization’s hardware and software IT assets. This process
helps ensure that IT resources are used efficiently and that all assets are accounted for
and properly maintained.
The asset inventory page of Microsoft Defender for Cloud provides a security posture
view of your connected resources. Regular security checks by Defender for Cloud
identify potential security issues and provide actionable recommendations; your security
posture improves as you resolve them.
As part of Defender for Cloud’s asset inventory, you can query Defender for Cloud’s
security posture across multiple subscriptions using Azure Resource Graph (ARG),
which provides efficient resource exploration and scalable querying.
Cross-referencing Defender for Cloud data with other resource properties using Kusto
Query Language (KQL) can quickly provide deep insights.
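The following Azure Resource Graph query is an added illustration, not from the book or from Microsoft’s documentation: it cross-references each virtual machine, storage account, and key vault in the inventory with its unhealthy Defender for Cloud assessments and flags resources whose tags do not record an owner or a data classification (the tag names Owner and DataClassification are a convention assumed here, not an Azure default).

```kql
// Added example (not from the book). Run in the portal's Resource Graph
// Explorer or with: az graph query -q "<query>"
// Assumption: assets carry Owner and DataClassification tags; these names are
// an organizational convention chosen for this example, not an Azure default.
resources
| where type in~ ("microsoft.compute/virtualmachines",
                  "microsoft.storage/storageaccounts",
                  "microsoft.keyvault/vaults")
| extend resourceId = tolower(id),
         owner = tostring(tags['Owner']),
         classification = tostring(tags['DataClassification'])
| project resourceId, name, type, location, subscriptionId, owner, classification
| join kind=leftouter (
    // Defender for Cloud assessments, keeping only the unhealthy ones and
    // aggregating them per assessed resource
    securityresources
    | where type == "microsoft.security/assessments"
    | where tostring(properties.status.code) == "Unhealthy"
    | extend resourceId = tolower(tostring(properties.resourceDetails.Id)),
             assessment = tostring(properties.displayName)
    | summarize unhealthyCount = count(),
                findings = make_set(assessment, 5) by resourceId
  ) on resourceId
| extend unhealthyCount = coalesce(unhealthyCount, 0),
         // Inventory gap: the owner or classification that Table 3-1 says an
         // inventory must record is missing from the resource's tags
         inventoryGap = iff(isempty(owner) or isempty(classification),
                            "missing Owner/DataClassification tag", "")
| project name, type, location, subscriptionId, owner, classification,
          unhealthyCount, findings, inventoryGap
| order by unhealthyCount desc, name asc
```

Resource Graph evaluates the query across every subscription the caller can read, which is what lets a single query cover the whole estate rather than one subscription at a time.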
Software Inventory
Defender for Cloud’s Software Inventory helps organizations better manage, track, and
secure their software assets. It provides a secure, centralized repository to store, track
and report on software inventory. It also helps organizations ensure compliance with
software licensing regulations.
One of these paid solutions is required to access the software inventory:
• Defender Cloud Security Posture Management (CSPM), which offers agentless machine scanning.
• Defender for Servers P2, which provides agentless machine scanning.
• The integration of Microsoft Defender for Endpoint with Microsoft Defender for Servers.
You can access the software inventory if you have already enabled the Microsoft Defender for Endpoint and Microsoft Defender for Servers integration.
Here are the key Microsoft Defender for Cloud Identify capabilities:
• Malware can be identified even if antimalware solutions fail to
detect it.
• Ensure that licensed software is used following local security policies.
• Identify applications that are outdated or unsupported.
• Find out what software is running on your machines that your
organization has banned.
• Apps that access sensitive data should be closely monitored.
• Rapidly changing workloads like virtual machines, SQL, and AKS
require identifying security vulnerabilities quickly, especially those
that can be exploited.
• Detect identity- and access-based attacks on virtual machines, containers, Azure Storage, Key Vault, and Resource Manager (privilege escalation, credential access, initial access).
How to Enable It
Whenever you turn on a Defender plan, monitoring extensions are automatically
deployed to collect data from your resources. It is necessary to enable the Defender plans
that cover each workload that you want to protect in order to get Defender for Cloud’s
full protections. The following is the process to turn on Microsoft Defender for Cloud:
1. Log in to the Azure Portal.
2. Search for and choose Microsoft Defender for Cloud.
3. In the Defender for Cloud menu, choose “Environment settings.”
4. Choose the subscription or workspace you want to protect.
5. Click “Enable all” to enable all Defender for Cloud plans.
6. Click Save.
Azure AD Registered Devices
Microsoft Entra, a new family of solutions for multicloud identity and access management, includes Azure AD.
Azure AD registered devices are used for single sign-on authentication to access
cloud applications. This feature enables users to connect to their corporate environment
from any device securely. It also simplifies the management of user access rights. This
helps ensure the corporate environment’s security while providing users with a seamless
experience when accessing cloud applications. It also allows IT admins to manage user
access rights and permissions easily.
Furthermore, this feature provides end-to-end encryption, allowing secure
communication and data transfer while keeping corporate data safe. It also offers two-
factor authentication, which adds an extra layer of security to the user authentication
process. This helps protect corporate data from cyber threats and unauthorized access, increases the overall security of the corporate network, and provides peace of mind to users. It also helps reduce IT costs by eliminating the need for manual user authentication processes.
Additionally, two-factor authentication can significantly reduce the risk of data
breaches and ensure that only authorized personnel can access sensitive information.
This helps to ensure compliance with data privacy regulations and enhances the security
of the company’s network. This can help protect the company’s reputation, credibility,
and financial assets. It also helps protect the personal data of employees and customers.
In addition, two-factor authentication can help protect the company from costly legal
fees and penalties.
Figure 3-5 depicts the Azure AD registered devices screen.
Figure 3-5. Azure AD registered devices
Azure AD registered devices running Windows 10 or newer are signed in with a Microsoft account; for access to organizational resources, they also have an Azure AD account. Conditional Access policies applied to Azure AD accounts and to device identities can limit access to resources within an organization.
By using mobile device management (MDM) tools like Microsoft Intune,
administrators can further secure and control these Azure AD-registered devices. By
implementing MDM, organizations can enforce policies such as requiring encrypted
storage and complex passwords and keeping their security software up-to-date.
Using the Windows 10 or Windows 11 Settings menu, you can manually register a device with Azure AD when accessing a work application for the first time.
A primary refresh token (PRT) is issued to registered and joined devices, which can
serve as a primary authentication artifact and a multifactor authentication artifact in
some cases. Attackers can register their devices, use PRTs to access business data, steal
PRT-based tokens from legitimate user devices, or find misconfigurations in Azure Active
Directory controls. Administrators initiate and control the hybrid Azure AD joining
process, reducing attack methods.
Identity-based attacks do not commonly target devices, but devices can be used to fool security controls or impersonate users. A device can have one of four relationships with Azure AD: unregistered, Azure Active Directory (Azure AD) registered, Azure AD joined, and hybrid Azure AD joined.
Keep an eye on your devices so that bad actors cannot access your infrastructure through them. In particular, monitor the following:
• Registration and integration with Azure AD
• Devices accessing noncompliant applications
• The retrieval of BitLocker keys
• Administrator roles for devices
• Logging on to virtual machines
Azure AD audit logs can be viewed in the Azure Portal and downloaded as CSV or JSON files. A variety of tools can be integrated with Azure AD logs via the Azure Portal, including Microsoft Sentinel, Sigma rules, Azure Monitor, Azure Event Hubs, and Microsoft Defender for Cloud Apps. You can also secure workload identities with Identity Protection (preview), enabling improved monitoring and alerting.
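As an added example (not code from the book), the following Python triages an exported Azure AD audit log for the items on the watch list above: device registrations, BitLocker key retrieval, and device administrator role assignments. The records are constructed in the shape of Microsoft Graph directoryAudit objects; the activity names, user names, IP addresses, and the registration-burst threshold are assumptions.

```python
"""Triage Azure AD audit log records for the device events on the chapter's watch list.

Added example, not code from the book. The records below are CONSTRUCTED in the
shape of Microsoft Graph directoryAudit objects (the JSON export format); the
activity names are typical values and are an assumption.
"""
import json
from collections import defaultdict

# Constructed sample: an exported audit log (JSON array of directoryAudit records).
SAMPLE_AUDIT_JSON = json.dumps([
    {"activityDateTime": "2023-05-01T08:01:12Z", "category": "Device",
     "activityDisplayName": "Register device", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example",
                              "ipAddress": "203.0.113.10"}},
     "targetResources": [{"displayName": "ALICE-LAPTOP", "type": "Device"}]},
    {"activityDateTime": "2023-05-01T08:05:40Z", "category": "KeyManagement",
     "activityDisplayName": "Read BitLocker key", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example",
                              "ipAddress": "203.0.113.44"}},
     "targetResources": [{"displayName": "ALICE-LAPTOP", "type": "Device"}]},
    {"activityDateTime": "2023-05-01T09:12:03Z", "category": "Device",
     "activityDisplayName": "Register device", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example",
                              "ipAddress": "198.51.100.7"}},
     "targetResources": [{"displayName": "DESKTOP-1", "type": "Device"}]},
    {"activityDateTime": "2023-05-01T09:12:30Z", "category": "Device",
     "activityDisplayName": "Register device", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example",
                              "ipAddress": "198.51.100.7"}},
     "targetResources": [{"displayName": "DESKTOP-2", "type": "Device"}]},
    {"activityDateTime": "2023-05-01T09:13:01Z", "category": "Device",
     "activityDisplayName": "Register device", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example",
                              "ipAddress": "198.51.100.7"}},
     "targetResources": [{"displayName": "DESKTOP-3", "type": "Device"}]},
    {"activityDateTime": "2023-05-01T10:00:00Z", "category": "RoleManagement",
     "activityDisplayName": "Add member to role", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example",
                              "ipAddress": "203.0.113.2"}},
     "targetResources": [{"displayName": "Cloud Device Administrator", "type": "Role"}]},
])

# Activities from the chapter's watch list, keyed by the category they are logged under
# (assumed names; adjust to the activityDisplayName values seen in your own export).
WATCHED = {
    ("Device", "Register device"): "device registration",
    ("KeyManagement", "Read BitLocker key"): "BitLocker key retrieval",
    ("RoleManagement", "Add member to role"): "role assignment",
}
DEVICE_ADMIN_ROLES = {"Cloud Device Administrator", "Global Administrator"}
REGISTRATION_BURST = 3  # registrations by one user in the export that warrant review


def summarize(record):
    """Flatten one directoryAudit record into the fields the triage needs."""
    actor = record.get("initiatedBy", {}).get("user", {}) or {}
    targets = [t.get("displayName", "") for t in record.get("targetResources", [])]
    return {
        "when": record["activityDateTime"],
        "kind": WATCHED.get((record["category"], record["activityDisplayName"])),
        "actor": actor.get("userPrincipalName", "<unknown>"),
        "ip": actor.get("ipAddress", ""),
        "targets": targets,
        "result": record.get("result", ""),
    }


def triage(audit_json):
    """Return (watched events, findings that deserve a human look)."""
    events = [summarize(r) for r in json.loads(audit_json)]
    events = [e for e in events if e["kind"]]  # drop activities we do not track
    findings = []
    registrations = defaultdict(list)
    for e in events:
        if e["kind"] == "device registration":
            registrations[e["actor"]].append(e["targets"][0] if e["targets"] else "?")
        if e["kind"] == "role assignment" and DEVICE_ADMIN_ROLES & set(e["targets"]):
            findings.append(f"device admin role assigned by {e['actor']}: {e['targets']}")
        if e["kind"] == "BitLocker key retrieval":
            findings.append(f"BitLocker key read by {e['actor']} for {e['targets']}")
    for actor, devices in registrations.items():
        if len(devices) >= REGISTRATION_BURST:
            findings.append(f"{actor} registered {len(devices)} devices: {devices}")
    return events, findings
```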
How to Enable It
In addition to domain join, group policy, LDAP, and Kerberos/NTLM authentication,
Azure Active Directory Domain Services (Azure AD DS) is fully compatible with
Windows Server Active Directory. Azure AD DS integrates with your existing Azure AD
tenant, so you don’t have to deploy, manage, and patch domain controllers yourself.
Using this integration, users can log in using corporate credentials, and you can secure
access to resources using existing groups and user accounts.
It is important to define a unique namespace for an Azure AD DS managed domain
when you create one. A replica set is a deployment of two Windows Server domain
controllers (DCs) into your selected Azure region.
You will need to complete the following steps to launch the Enable Azure AD
Domain Services wizard:
1. Log in to the Azure Portal.
2. Choose “Create a resource” from the Azure Portal menu or the
Home page.
3. Choose Azure AD Domain Services from the search suggestions
after entering Domain Services in the search bar.
4. Select Enable Azure AD Domain Services from the Azure AD
Domain Services page.
5. Choose the Azure Subscription in which you want to create the
managed domain.
6. Select the resource group to which the managed domain belongs.
Create a new resource group or select an existing one.
IoT Hub Identity Registry
IoT Hub Identity Registry is a secure cloud-based service used to create, manage, and store the identities of Internet-connected devices. It keeps track of device metadata such as name, type, and capabilities to make it easier to manage many devices. It also allows developers to set up and control access control policies easily.
What Is IoT? The Internet of Things (IoT) is a network of physical devices,
vehicles, home appliances, and other items embedded with electronics, software,
sensors, actuators, and network connectivity, which enable these objects to collect
and exchange data. This data is then used to automate processes and make better
decisions. This technology has the potential to revolutionize how we interact with
our environment and how businesses operate. It can automate processes, increase
efficiency, and reduce costs. IoT also enables companies to gain valuable insights
from data collected from connected devices.
IoT Hub Identity Registry helps developers securely manage device identities, enabling them to control access to the devices and their data. It also helps reduce the complexity of managing large numbers of connected devices and provides a secure way to manage device certificates, allowing certificates to be revoked when needed. IoT Hub Identity Registry is designed to simplify the process of managing device identities and access control policies, allowing developers to quickly and securely set up and manage many connected devices. IoT Hub Identity Registry also provides a secure
way to store device data, ensuring it is accessible only to authenticated users. It also
enables device authentication and authorization, allowing developers to control access
to their devices and manage user permissions.
IoT Hub Identity Registry also provides tools for monitoring device activity and managing device updates, making it easier for developers to manage connected devices. It also enables users to configure devices easily, allowing them to control how they interact with each other.
IoT Hub Identity Registry also provides secure storage of device credentials, which helps to protect user data and prevent unauthorized access. IoT Hub Identity Registry helps maintain a secure and reliable network of connected devices, ensuring that data is protected and that devices can communicate securely with each other. It also helps to reduce the time and effort required to manage and maintain devices, allowing developers to focus on the development process.
Device and back-end developers can build robust device management solutions
with Azure IoT Hub thanks to its features and extensibility model. Sensors and
microcontrollers with limited functionality can be paired with robust gateways that
route communications for groups of devices. In addition, IoT operators’ use cases and
requirements vary widely by industry. Despite this variation, device management with
IoT Hub can accommodate a wide range of end users and devices.
Identities of devices and modules connected to IoT hubs are stored in identity registries. An IoT hub requires that devices and modules have entries in its identity registry before they can connect, and the credentials stored in the identity registry must be used to authenticate devices or modules with the IoT hub.
Device and module IDs stored in the identity registry are case-sensitive.
At a high level, the identity registry is a collection of identity resources that can be managed through REST. When you add an entry to the identity registry, IoT Hub creates per-device resources such as the queue for cloud-to-device messages.
Use the identity registry when you need to do the following:
1. Connect devices or modules to your IoT hub.
2. Control access to your hub’s device- and module-facing endpoints per device or module.
There are several operations available through the IoT Hub identity registry:
• Create identities for devices and modules.
• Update the identities of devices or modules.
• Retrieve the identity of a device or module.
• Delete the identity of a device or module.
• List identities (a maximum of 1,000 identities can be listed).
• Export device identities to Azure Blob storage.
• Import device identities from Azure Blob storage.
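The following Python is an added example, not code from the book or from the Azure IoT SDK. It models the two rules stated above, that a device needs a registry entry before it can connect and that device IDs are case-sensitive, by loading a constructed identity export and checking a device-scoped SAS token against the stored keys. The hub name and device keys are placeholders; the token layout (sr, sig, se with an HMAC-SHA256 over the URL-encoded resource URI and expiry) follows the documented IoT Hub scheme.

```python
"""Device authentication against identity-registry credentials (added example).

The export below is CONSTRUCTED in the JSON-lines shape of an IoT Hub identity
export (one device per line); HUB_HOST and the keys are placeholders.
"""
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, quote

HUB_HOST = "example-hub.azure-devices.net"  # placeholder hub name

# Constructed: one JSON object per line, as produced by a registry export to Blob storage.
REGISTRY_EXPORT = "\n".join([
    json.dumps({"id": "sensor-01", "status": "enabled",
                "authentication": {"type": "sas", "symmetricKey": {
                    "primaryKey": base64.b64encode(b"primary-key-sensor-01-0000000000").decode(),
                    "secondaryKey": base64.b64encode(b"secondary-key-sensor-01-00000000").decode()}}}),
    json.dumps({"id": "sensor-02", "status": "disabled",
                "authentication": {"type": "sas", "symmetricKey": {
                    "primaryKey": base64.b64encode(b"primary-key-sensor-02-0000000000").decode(),
                    "secondaryKey": base64.b64encode(b"secondary-key-sensor-02-00000000").decode()}}}),
])


def load_registry(export_text):
    """Parse the export into {deviceId: entry}; IDs are kept exactly as written (case-sensitive)."""
    lines = (line for line in export_text.splitlines() if line.strip())
    return {entry["id"]: entry for entry in (json.loads(line) for line in lines)}


def _sign(resource_uri, expiry, key_b64):
    """HMAC-SHA256 over '<url-encoded resource URI>\\n<expiry>' with the decoded device key."""
    message = f"{quote(resource_uri, safe='')}\n{expiry}".encode()
    digest = hmac.new(base64.b64decode(key_b64), message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def device_sas_token(device_id, key_b64, expiry):
    """What the device builds from its own copy of the key; the key itself never leaves it."""
    uri = f"{HUB_HOST}/devices/{device_id}"
    return (f"SharedAccessSignature sr={quote(uri, safe='')}"
            f"&sig={quote(_sign(uri, expiry, key_b64), safe='')}&se={expiry}")


def authenticate(registry, token, now):
    """Hub-side check: exact-case registry entry exists, is enabled, token is unexpired,
    and the signature matches either stored key. Returns the device ID or None."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return None
    fields = {k: v[0] for k, v in parse_qs(token[len(prefix):]).items()}
    try:
        uri, sig, expiry = fields["sr"], fields["sig"], int(fields["se"])
    except (KeyError, ValueError):
        return None
    device_prefix = f"{HUB_HOST}/devices/"
    if not uri.startswith(device_prefix) or expiry <= now:
        return None
    device_id = uri[len(device_prefix):]
    entry = registry.get(device_id)  # case-sensitive: "Sensor-01" is not "sensor-01"
    if entry is None or entry["status"] != "enabled":
        return None
    keys = entry["authentication"]["symmetricKey"]
    for key in (keys["primaryKey"], keys["secondaryKey"]):  # both keys valid during rotation
        if hmac.compare_digest(_sign(uri, expiry, key), sig):
            return device_id
    return None
```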
Microsoft Intune
Microsoft Intune is a cloud-based service that helps organizations to manage their
mobile devices and apps. It enables administrators to set up device policies and
restrictions, manage applications, and control access to corporate resources. It also
provides users with a secure and productive experience on their devices.
What Are MDM and MAM? Mobile device management (MDM) is a technology
that allows IT administrators to manage, secure, and monitor mobile devices
within the organization. Mobile application management (MAM) is a technology
that allows IT administrators to control and manage the applications used on
mobile devices. MDM and MAM together provide a comprehensive solution for
organizations to manage and secure their mobile devices and applications. This
helps organizations ensure that their data is secure and that devices are used in
accordance with the organization’s policies.
Microsoft Intune also helps organizations to protect their data and ensure
compliance with security and privacy regulations. Intune makes managing and
securing mobile devices, apps, and corporate data easier. It also helps to ensure that
only approved apps are installed on company-owned mobile devices. Intune provides
detailed reports and analytics about device usage for greater visibility and control.
Intune helps ensure that devices and apps are updated with the latest security patches.
This helps to lower the risk of unauthorized access to company data, malicious code
execution, and other security threats. It also helps organizations meet regulatory
compliance requirements and enforce data protection policies across devices.
Intune also provides secure access to corporate resources, such as email and other
applications, while ensuring that corporate data remains safe. It also allows for remote
lock and wipe of devices if they are lost or stolen. Finally, it helps to enforce security
policies, such as requiring a secure password or biometric authentication.
As organizations support hybrid and remote workers, they are challenged to manage the devices that access organization resources. Collaborating across locations, working from anywhere, and securely connecting to these resources are essential for employees and students. Administrators must protect data, manage access, and provide support from anywhere.
With Microsoft Intune, you can manage your endpoints from the cloud. Mobile
devices, desktop computers, and virtual endpoints can all be managed with it, including
user access and app and device management.
Figure 3-6 shows the Microsoft Intune interface.
Figure 3-6. Microsoft Intune admin center
On both company-owned and user-owned devices, access and data can be
protected. Additionally, Intune offers compliance and reporting features that support
zero-trust security. Any endpoint management strategy and solution must manage and
protect user identities. User accounts and groups control access to your organization’s
resources.
Users’ identities must be secured and protected from malicious intent, as well as
account membership, authorization, and authentication. Microsoft Intune can handle
all of these tasks. User identities can be managed through Intune policies, including
security and authentication.
Azure Active Directory is used for Intune’s identity and permission management. Intune’s admin center provides a central place for managing endpoints. In addition to managing endpoints, endpoint management solutions include device management. Organizations manage more and more devices, including laptops, tablets, mobile phones, and wearables, and figuring out where to begin can be a huge undertaking.
Therefore, let’s take a look at Microsoft Intune. It is a cloud-based service that
can control devices through policies, including security policies. Managing devices
and protecting their data is a top priority for any organization. Devices that access
your organization’s company-owned and personally owned resources are included in
this task.
For device storage and permissions, Intune uses Azure Active Directory. A central
location for managing endpoints is the Microsoft Intune admin center.
Endpoint management strategies and solutions must manage and protect apps and
their data. Public retail apps are usually available for users to download, and they may
be able to access organization data through these apps. Organizations also have private
and line-of-business apps they need to deploy and manage and ensure their data is kept
within the organization.
Intune can make app management easier. The cloud-based Microsoft Intune can
manage a wide range of apps. Apps that access your organization’s resources can be
deployed, configured, protected, and updated using Intune.
Client devices running Android, iOS/iPadOS, macOS, and Windows are supported by
Microsoft Intune. Therefore, you can manage apps across multiple devices using Intune.
How to Enable It
With Microsoft Intune, you have easy access to mobile device management and client
app management from the cloud. It ensures secure productivity across all of your
devices, including Windows, iOS, macOS, and Android.
• Enroll and configure devices.
• Upload and distribute your apps.
• Protect your organization’s data.
• Cloud-enable computers enrolled in ConfigMgr.
• Monitor and troubleshoot your deployments.
Prior to signing up for Intune, check if you already have a Microsoft Online Services,
Enterprise Agreement, or equivalent volume licensing agreement. Microsoft volume
licensing agreements or Microsoft Azure services subscriptions like Microsoft 365
typically include a work or school account.
For your organization, you can sign up for a new account if you already have a work
or school account.
The following is the process to get started:
1. Log in to the Azure Portal.
After signing up for Intune, you can manage the service using any device with a
supported browser.
By default, Azure AD requires you to have one of these permissions: Global
Administrator or Intune Service Administrator.
Allowing users with other permissions to administer the service
Azure Service Map
Azure Service Map helps customers to gain insights into their physical and virtual
networks. It provides visibility into the relationships between applications, processes,
and network infrastructure, enabling customers to identify and understand how their
applications are connected. It also helps customers to detect and troubleshoot network
issues. Service Map helps customers identify and address security threats such as open
ports or weak authentication methods.
Azure Monitor Azure Monitor is critical for monitoring your services. It
collects and analyzes two fundamental types of data: metrics and logs. Monitoring
in Azure consists of three key types of data: metrics, activity logs, and resource
logs. Without raw information from services, systems, and applications, you cannot
analyze insights and issues.
Furthermore, it can be used to identify resources that can be optimized, helping
customers reduce their cloud costs. Service Maps can also monitor network
performance, assisting customers in quickly identifying and resolving performance
issues. It can be used to gather insights into network usage, allowing customers to make
informed decisions about their network infrastructure. Service Maps can also be used for
security, helping customers detect and respond to threats.
Additionally, it can be used to troubleshoot customer issues, helping them quickly
identify and resolve any problems. Service Maps can also be used to optimize network
performance, as customers can use them to identify areas of over-utilization and
congestion. This allows them to adjust and increase the speed and reliability of their
network. Service Map can also be used for compliance and audit purposes, helping
customers ensure their network operates within local regulations.
Service Maps can also be used to detect security threats, such as malicious activity
or cyberattacks, by providing insights into network traffic patterns. Finally, the Service
Maps service can troubleshoot network issues and diagnose problems quickly.
Service Map is a feature of Azure Monitor. It maps the communication between services on Windows and Linux systems, showing how your servers are interconnected to provide critical services. Across any TCP-connected architecture, Service Map displays connections between servers and processes and the latency between them. Installation of an agent is the only configuration required.
Figure 3-7 depicts the Map tab via Azure Monitor in the Azure Portal.
Figure 3-7. Azure Monitor’s Maps tab
Service Map creates a standard reference map by automatically mapping dependencies across your servers, processes, and third-party services. All TCP dependencies are discovered and mapped. Service Map also records failed network connections that your managed systems attempt to make. This information can identify a server misconfiguration, a service outage, or a network problem.
Service Map helps eliminate the guesswork of problem isolation by showing you how
systems are connected and affect each other. Along with identifying failed connections,
it helps identify misconfigured load balancers, surprising or excessive load on critical
services, and rogue clients, such as developer machines talking to production systems.
Using integrated workflows with change tracking, you can also see whether a change
event on a back-end machine or service explains the root cause of an incident.
On the server where they are installed, Service Map agents collect information about
all TCP-connected processes. Additionally, they collect information about inbound and
outbound connections.
You can visualize the dependencies between machines or groups that have Service
Map agents in the left pane by selecting them from the list. There is a focus on a specific
machine in machine dependency maps. A direct TCP client or server of that machine is
shown. A machine group map shows the dependencies between sets of servers.
On the map, you can expand machines to show running process groups and processes with active network connections. Agentless front-end machines that connect to the focus machine are shown on the left side, attached to the processes they connect to. When the focus machine connects to a back-end machine without an agent, a server port group is created; other connections to the same port number are also included in this group.
Service Map shows dependency information for the last 30 minutes by default. Using the time controls at the upper left, you can view historical dependencies for a time range of up to one hour, for example, to see what they looked like before or after an incident. Paid workspaces store Service Map data for 30 days, while free workspaces store it for 7 days.
A process group consists of processes associated with the same product or service.
Expanding a machine node will display stand-alone processes as well as groups of
processes. The connection to a process within a process group is marked as failed if it
fails either inbound or outbound.
Rather than just seeing maps of one server, machine groups allow you to see maps
of multiple servers. Multitier applications and server clusters can be visualized this way.
Each server is assigned a name and a group is created by the user. After that, you can
choose to view all the processes and connections of the group. The group can also be
viewed with only the processes and connections pertaining to its members.
How to Enable It
The Azure Monitor can collect data from multiple sources, including your application,
the platform, the operating systems, and the services it uses.
As soon as you create an Azure resource that supports metrics, this data is collected
and sent into the Azure Monitor metrics data store by the Azure platform.
Almost all Azure resources emit metrics every minute, but a few metrics are emitted
every five minutes.
You can export metrics to a third-party service for longer retention periods. Azure
Monitor’s metrics data store retains metrics for 93 days for free.
Azure Network Watcher and Network Security Group
Azure Network Watcher is a service that provides network monitoring and diagnostics
for Azure virtual networks. It gives users visibility into their network performance,
security, and network topology.
Azure Network Watcher can help detect, diagnose, and resolve network issues
quickly and efficiently. It also provides powerful analytics to help improve network
performance. It helps assess network security, troubleshoot network issues, and
optimize network performance. Network Watcher is an invaluable resource for Azure
users, as it helps keep their networks running smoothly and securely. It is an essential
tool for managing and optimizing Azure networks.
Azure Network Watcher offers advanced monitoring and analytics capabilities.
It can detect suspicious activity, alert users to potential security threats, and identify
and troubleshoot network issues. Network Watcher also provides insights into traffic
patterns and performance metrics that can help Azure users optimize their networks
for maximum efficiency. It is an invaluable tool for managing and protecting Azure
networks.
Azure Network Watcher is easy to use and helps users quickly detect and respond to
security threats. It also reduces the need for manual intervention, making it an efficient
and cost-effective solution for managing Azure networks.
Azure Network Watcher provides tools for monitoring, diagnosing, viewing metrics,
and enabling or disabling logs for Azure virtual networks. As an infrastructure-as-a-
service (IaaS) product, Network Watcher monitors and fixes the network health of virtual
machines (VMs), virtual networks (VNets), application gateways, load balancers, etc.
Virtual machines, fully qualified domain names (FQDNs), uniform resource
identifiers (URIs), and IPv4 addresses can all be used as endpoints. Monitoring
communication between the VM and the endpoint regularly provides information on
reachability, latency, and changes in the network topology. For example, you might
have a database server VM communicating with a web server VM. Someone in your
organization may change the web server, database server VM, or subnet without your
knowledge.
The connection troubleshooting feature tells you when an endpoint is unreachable and why: VMs may experience DNS name resolution problems, CPU problems, memory problems, firewall issues, the hop type of a custom route, or security rules on the VM or subnet.
Figure 3-8 depicts the Network Watcher.
Figure 3-8. Azure Network Watcher
Furthermore, the connection monitor displays the minimum, average, and maximum latency observed over time. After learning the latency for a connection, you may be able to reduce it by moving your Azure resources to different Azure regions. If you would rather test a connection at a specific point in time instead of monitoring it over time as you would with connection monitor, you can use connection troubleshooting.
You can monitor network performance between different points in your network
infrastructure with Network Performance Monitor, a cloud-based hybrid network
monitoring solution. As well as monitoring network connectivity to application
and service endpoints, Azure ExpressRoute’s performance can also be monitored.
It detects traffic blackholing, routing errors, and network performance issues that traditional network monitoring methods cannot. When a threshold for a network link is
breached, the solution generates alerts and notifies you. Furthermore, it ensures the
timely detection of network performance problems and pinpoints the source of the
problem to a specific device or network segment.
Adding resources to a virtual network can make it difficult to understand how they
are related and what resources are in the network. Topology allows you to visualize the
resources in a virtual network and their relationships.
VM network interfaces are protected by network security groups (NSGs).
An NSG is a network-level firewall that controls traffic in and out of a virtual network.
It allows you to create rules that filter traffic based on port, protocol, and source and
destination IP addresses. This helps to protect against malicious activity and ensure that
only the desired traffic has access to the network. NSGs can be used to segment traffic
within a virtual network, allowing for greater control over data flow. This ensures that
only the necessary traffic is allowed in and out, helping to protect the network from
malicious activity.
Additionally, the rules can be configured to allow for different levels of access based
on the type of traffic, ensuring that only the desired traffic is allowed into the network. By
setting up rules within the NSGs, administrators can control the traffic flow within the
network and keep it secure. This will enable them to block traffic from malicious sources
and limit access to only authorized ones. Additionally, the rules within an NSG can be
configured to prioritize certain types of traffic over others, ensuring that the most critical
traffic is given priority and passes through the network quickly and securely.
An NSG protects the organization’s digital assets from cyber security threats. They
develop and implement security policies, procedures, and technologies to ensure the
safety of the network. They also investigate and respond to security incidents. The NSG
monitors traffic to detect suspicious activities and potential threats. They regularly
review system logs and assess vulnerabilities to identify and address security risks. They
also provide training and guidance to users on security best practices and advice on
security strategies. They ensure that all security systems are up-to-date and working
correctly. Finally, they work closely with other IT teams to ensure the network’s security.
You can log the IP address, port number, protocol, and whether traffic was approved
or denied using the NSG flow log capability. Power BI and traffic analytics are tools you
can use to analyze logs. Data written to NSG flow logs can be visualized using traffic
analytics.
Various Azure networking resources can be configured to log diagnostic information,
including network security groups, public IP addresses, load balancers, virtual network
gateways, and application gateways. Any existing network resource that generates
a diagnostic log can be enabled and disabled using the diagnostic logs capability.
Microsoft Power BI and Azure Monitor logs can be used to view diagnostic logs.
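As an added example (not code from the book), the following Python parses a constructed NSG flow log record in the version-2 JSON layout and summarizes denied inbound flows per destination port and per source, the kind of question traffic analytics answers over the real logs. The resource ID, IP addresses, MAC, and rule names are constructed values.

```python
"""Summarize denied flows in an NSG flow log (added example, not code from the book).

The record below is CONSTRUCTED in the version-2 NSG flow log JSON shape. Each flow
tuple is a comma-separated string of 13 fields:
  unixTime,srcIp,dstIp,srcPort,dstPort,protocol(T/U),direction(I/O),
  decision(A/D),flowState(B/C/E),packetsS2D,bytesS2D,packetsD2S,bytesD2S
Byte and packet counters are only present on E (end) records.
"""
import json
from collections import Counter, defaultdict, namedtuple

Flow = namedtuple("Flow", "time src dst sport dport proto direction decision state "
                          "pkts_s2d bytes_s2d pkts_d2s bytes_d2s rule mac")

# Constructed sample: one record, two rules, one NIC. The resource ID is a placeholder.
SAMPLE_FLOW_LOG = json.dumps({"records": [{
    "time": "2023-05-01T12:00:35Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/<placeholder>/RESOURCEGROUPS/RG/PROVIDERS/"
                  "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WEB-NSG",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1682942400,198.51.100.23,10.0.1.4,51233,22,T,I,D,B,,,,",
            "1682942401,198.51.100.23,10.0.1.4,51234,22,T,I,D,B,,,,",
            "1682942402,198.51.100.23,10.0.1.4,51235,3389,T,I,D,B,,,,",
            "1682942405,203.0.113.9,10.0.1.4,40001,22,T,I,D,B,,,,"]}]},
        {"rule": "UserRule_AllowHttps", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1682942410,203.0.113.50,10.0.1.4,44321,443,T,I,A,B,,,,",
            "1682942470,203.0.113.50,10.0.1.4,44321,443,T,I,A,E,12,3400,10,9800"]}]},
    ]}}]})


def parse_flow_log(text):
    """Yield one Flow per tuple, tagged with the NSG rule and NIC MAC it was logged under."""
    for record in json.loads(text)["records"]:
        props = record["properties"]
        if props.get("Version") != 2:
            raise ValueError(f"unsupported flow log version {props.get('Version')!r}")
        for rule_block in props["flows"]:
            for nic in rule_block["flows"]:
                for tup in nic["flowTuples"]:
                    parts = tup.split(",")
                    if len(parts) != 13:
                        raise ValueError(f"malformed flow tuple: {tup}")
                    # Counters are empty on B/C records; treat them as zero.
                    counters = [int(p) if p else 0 for p in parts[9:13]]
                    yield Flow(int(parts[0]), parts[1], parts[2], int(parts[3]), int(parts[4]),
                               parts[5], parts[6], parts[7], parts[8], *counters,
                               rule_block["rule"], nic["mac"])


def denied_inbound_by_port(flows):
    """dstPort -> number of denied inbound flows, e.g. to see which management ports are probed."""
    return Counter(f.dport for f in flows if f.direction == "I" and f.decision == "D")


def denied_sources(flows, min_flows=2):
    """Source IPs with at least min_flows denied inbound flows: src -> (count, sorted ports)."""
    per_src = defaultdict(lambda: [0, set()])
    for f in flows:
        if f.direction == "I" and f.decision == "D":
            per_src[f.src][0] += 1
            per_src[f.src][1].add(f.dport)
    return {src: (count, sorted(ports)) for src, (count, ports) in per_src.items()
            if count >= min_flows}


def bytes_by_rule(flows):
    """Total bytes in both directions attributed to each NSG rule."""
    totals = Counter()
    for f in flows:
        totals[f.rule] += f.bytes_s2d + f.bytes_d2s
    return dict(totals)
```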
How to Enable It
You must have an existing Network Watcher instance or enable Network Watcher in each
region where you have NSGs that you want to analyze traffic for. The traffic analytics
feature can be enabled for any region where NSGs are hosted.
A network security group must be created before NSG flow logging can be enabled. If
you don’t have one, create one.
You will need to complete the following steps to turn on Network Watcher:
1. Log in to the Azure Portal.
2. Go to Network Watcher and then choose NSG Flow.
Azure Information Protection
You can securely share sensitive data, such as emails and documents, outside your company. With Azure Information Protection, you can enhance data protection
no matter where it’s stored or who it’s shared with—with easy classification, embedded
labels, and permissions. You can also track and revoke access if needed, as well as detect
any unauthorized access attempts. Azure Information Protection is designed to keep
your data secure, no matter where it is or who it’s shared with. It ensures that only the
right people have access to the right data.
Azure Information Protection is a data classification and protection solution that helps organizations share data securely with customers and partners. It combines encryption with identity and access management to identify, classify, and protect sensitive data, and it lets organizations classify and protect data according to its sensitivity and its relevance to the organization and its stakeholders.
Azure Information Protection also provides reporting and auditing, so organizations can monitor how protected data is used, detect anomalies, and demonstrate compliance with regulatory requirements. Access to shared data can be revoked at any time, and permissions are granular, so only authorized users can open it.
In this way AIP helps organizations keep sensitive information away from unauthorized users, retain control of their data and visibility into its use, and satisfy data privacy regulations, which reduces the risk of a data breach. Protected content stays encrypted wherever it is stored, including in the cloud, and automatic and recommended classification based on detected sensitive information types makes sensitive data easier to find, manage, and protect.
Azure Information Protection (AIP) is part of Microsoft Purview Information
Protection, previously known as Microsoft Information Protection (MIP). Regardless of
where sensitive information lives or travels, Microsoft Purview Information Protection
helps you discover, classify, protect, and govern it.
Azure Information Protection offers the following:
• Classify, label, and protect data by sensitivity using policies. Classification can be fully automatic, user-driven, or recommendation-based.
• Protect data wherever it is stored and whoever it is shared with, because the classification and protection information is embedded in the content.
• Track shared data and revoke access when needed. Logging and reporting let you monitor and analyze how protected data is used.
• Share safely with co-workers, customers, and partners: define who can access data and what they can do with it, for example allowing users to view and edit a file but not print or forward it.
• Protect the document you are working on with one click in Microsoft Office and most common applications; an in-product classification recommendation helps users make the right decision.
• Protect data whether it is stored on-premises or in the cloud, with bring your own key (BYOK) and hold your own key (HYOK) as the two options for managing encryption keys.
AIP classifies and protects information by applying labels to documents and emails. The AIP client must be installed on each machine where you want to use its features, and you should plan how you will classify, label, and protect information with the Azure Information Protection client and scanner before rolling them out.
AIP uses Azure Rights Management (Azure RMS) to protect your data. Azure RMS works with other Microsoft cloud services such as Office 365 and Azure Active Directory, with your own applications, and with other information security solutions, and it supports both cloud and on-premises deployments. Azure RMS encrypts content and identifies and authorizes the users who may open it, so, as with AIP labels, content stays protected when it is shared, regardless of where the documents or emails end up.
Once the Azure Rights Management service is activated, you can restrict access to data to users within your organization. Apply more restrictive controls by configuring protection settings in new templates; Azure Rights Management templates can be used with any application or service that supports the service.
How to Enable It
Azure Information Protection requires a service plan that includes Azure Rights Management.
Once the protection service is activated, all users in your organization can apply protection to their documents and emails, and all users can open (consume) protected content. If you prefer a gradual rollout, use onboarding controls to phase in the deployment.
PowerShell is now the only way to activate or deactivate Azure RMS:
1. Install the AIPService module, which is used to configure and manage the protection service.
2. From a PowerShell session, run Connect-AIPService and, when prompted, supply the credentials of a Global Administrator for your Azure Information Protection tenant.
3. Run Get-AIPService to check whether the protection service is active. A status of Enabled means the service is active; Disabled means it is deactivated.
4. If it is not active, run Enable-AIPService.
Azure AD Privileged Identity Management
Azure AD Privileged Identity Management (PIM) is a cloud-based service that helps organizations manage, control, and monitor access to privileged roles and resources. It shows who holds which privileged role, and it adds controls such as multifactor authentication and Conditional Access to the moment a role is activated.
Importance of Privileged Identity Management
Privileged Identity Management helps organizations protect their data and systems from malicious actors. It lets organizations define and enforce the privileges granted to users and applications, so that only authorized personnel can reach sensitive data and resources. This supports compliance with data privacy regulations and reduces the risk of a security breach.
PIM reduces the risk of unauthorized access to privileged accounts, improves auditability, and helps maintain compliance with various regulations. Its reporting gives organizations visibility into exactly which privileged access has been granted and used.
PIM takes an automated, policy-driven approach to securing privileged accounts: a role is held as eligible rather than permanently active, and activation is governed by policy, so only authorized users can obtain the privilege and every activation is recorded. That reduces the chance of a malicious actor gaining standing privileged access and makes it far easier to audit who had access to what, and when.
Because access is activated explicitly and logged, PIM also helps detect suspicious activity, for instance an activation at an unusual time or without an obvious business reason. Regular review of the resulting access data helps organizations find weaknesses in their security policies, fix them, and demonstrate compliance with data privacy regulations, protecting both data and reputation and reducing liability.
The Privileged Identity Management (PIM) service works with Azure AD to let you manage, control, and monitor access to important resources in your organization. Those resources include Azure AD, Azure, and other Microsoft Online Services such as Microsoft 365 and Microsoft Intune.
An organization wants to keep the number of people with access to secure information or resources as small as possible because that reduces the risk of the following:
• Malicious actors gaining access
• Authorized users inadvertently affecting sensitive resources
Users still need to perform privileged operations in Azure AD, Azure, Microsoft 365, or SaaS apps. By granting just-in-time access to Azure and Azure AD resources, organizations can keep track of how their privileged users use them.
Privileged Identity Management provides time-based and approval-based role activation to mitigate the risk of excessive, unnecessary, or misused access permissions on the resources you care about. Its key features are as follows:
• Just-in-time privileged access to Azure AD and Azure resources.
• Time-bound access, by assigning start and end dates to an assignment.
• Approval required before a privileged role can be activated.
• Multifactor authentication required to activate a role.
• A justification recorded at activation, so you know why a user activated a role.
• Notifications when a privileged role is activated.
• Access reviews to confirm that users still need their roles.
• Downloadable audit history for internal or external audit.
• Protection of the last active Global Administrator and Privileged Role Administrator assignment, so it cannot be removed.
Once Privileged Identity Management is set up, the navigation menu on the left shows Tasks, Manage, and Activity. Administrators choose whether to manage Azure AD roles, Azure resource roles, or PIM for groups, and the options shown depend on that choice.
Only users holding the Privileged Role Administrator or Global Administrator role can manage assignments for other administrators in Privileged Identity Management. Global Administrators, Security Administrators, Global Readers, and Security Readers can view Azure AD role assignments in PIM.
For Azure resource roles, assignments in Privileged Identity Management can be managed by subscription administrators, resource owners, and resource User Access Administrators. By default, Privileged Role Administrators, Security Administrators, and Security Readers cannot see Azure resource role assignments in PIM.
How to Enable It
Privileged Identity Management requires an Azure AD Premium P2 license, which is also included in Enterprise Mobility + Security (EMS) E5.
With PIM, roles are activated on a time-bound and, where configured, approval-based basis, reducing the chances of excessive, unnecessary, or misused access permissions to Microsoft Azure Active Directory (Azure AD), Azure, and Microsoft Online Services such as Microsoft 365 and Microsoft Intune.
To turn on Azure PIM, complete the following steps:
1. Sign in to the Azure portal.
2. Choose All services and locate Azure AD Privileged Identity Management.
3. Open the Privileged Identity Management Quickstart.
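To make the activation controls listed above concrete, here is an added example (not code from the book or from Microsoft) that models how a PIM-style activation decision composes those controls: an eligibility window, MFA, a justification, approval by someone other than the requester, and a maximum activation duration. The role settings, users, and approver names are made up, and everything runs offline; PIM's real settings are configured in the Azure portal or through Microsoft Graph, which this code does not call.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical policy model for this example. PIM's real role settings are
# configured in the Azure portal or Microsoft Graph; nothing here calls Azure.


@dataclass(frozen=True)
class RoleSettings:
    role: str
    max_activation: timedelta          # longest a single activation may last
    require_mfa: bool = True
    require_justification: bool = True
    require_approval: bool = False


@dataclass(frozen=True)
class EligibleAssignment:
    user: str
    role: str
    eligible_until: Optional[datetime] = None   # None means no end date


@dataclass(frozen=True)
class ActivationRequest:
    user: str
    role: str
    requested_at: datetime
    duration: timedelta
    mfa_satisfied: bool
    justification: str = ""
    approved_by: Optional[str] = None


@dataclass(frozen=True)
class Activation:
    user: str
    role: str
    start: datetime
    end: datetime

    def is_active(self, at):
        """The role is only held inside the activation window."""
        return self.start <= at < self.end


def evaluate_activation(settings, eligible, req):
    """Return (Activation, None) when the request satisfies the role settings,
    otherwise (None, reason). The checks correspond to the PIM controls:
    eligibility window, MFA, justification, approval by someone else, and
    the maximum activation duration."""
    assignment = next((a for a in eligible
                       if a.user == req.user and a.role == req.role), None)
    if req.role != settings.role or assignment is None:
        return None, f"{req.user} has no eligible assignment for {req.role}"
    if assignment.eligible_until and req.requested_at >= assignment.eligible_until:
        return None, "eligible assignment has expired"
    if settings.require_mfa and not req.mfa_satisfied:
        return None, "multifactor authentication required"
    if settings.require_justification and not req.justification.strip():
        return None, "justification required"
    if settings.require_approval and req.approved_by in (None, req.user):
        return None, "approval by another person required"
    if not timedelta(0) < req.duration <= settings.max_activation:
        return None, "activation duration exceeds the role maximum"
    return Activation(req.user, req.role, req.requested_at,
                      req.requested_at + req.duration), None


# Constructed sample tenant: Global Administrator needs MFA, a justification,
# approval, and activations of at most 4 hours. Bob's eligibility has lapsed.
GLOBAL_ADMIN = RoleSettings("Global Administrator", timedelta(hours=4),
                            require_approval=True)
ELIGIBLE = [
    EligibleAssignment("alice@contoso.example", "Global Administrator"),
    EligibleAssignment("bob@contoso.example", "Global Administrator",
                       eligible_until=datetime(2023, 6, 1, tzinfo=timezone.utc)),
]
NOW = datetime(2023, 6, 15, 9, 0, tzinfo=timezone.utc)


def request(user, hours, mfa=True, justification="INC-1042: rotate signing key",
            approved_by="carol@contoso.example"):
    return ActivationRequest(user, "Global Administrator", NOW,
                             timedelta(hours=hours), mfa, justification, approved_by)


def demo():
    """Evaluate several requests and return each outcome as a string."""
    cases = {
        "ok": request("alice@contoso.example", 2),
        "no_mfa": request("alice@contoso.example", 2, mfa=False),
        "no_reason": request("alice@contoso.example", 2, justification="  "),
        "self_approved": request("alice@contoso.example", 2,
                                 approved_by="alice@contoso.example"),
        "too_long": request("alice@contoso.example", 8),
        "expired_eligibility": request("bob@contoso.example", 1),
        "not_eligible": request("mallory@contoso.example", 1),
    }
    outcomes = {}
    for name, req in cases.items():
        activation, reason = evaluate_activation(GLOBAL_ADMIN, ELIGIBLE, req)
        outcomes[name] = (f"active until {activation.end.isoformat()}"
                          if activation else reason)
    return outcomes


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} {outcome}")
```

The order of the checks matters in practice: eligibility and MFA are verified before the justification and approval are even considered, so an attacker holding a stolen password but no second factor never reaches the approval step, and the activation object carries its own end time so that "is this role currently held?" is answered from the record rather than from a standing group membership.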
Privileged Access Management
Privileged access management (PAM) is an identity security discipline that monitors, detects, and prevents unauthorized access to critical resources to protect organizations from cyber threats. Through a combination of people, processes, and technology, PAM gives visibility into who is using privileged accounts and what they are doing with them. Limiting the number of users who can reach administrative functions adds a layer of protection that reduces the impact of a breach by a threat actor.
Privileged Access Management ensures that only authorized users can reach an organization's critical resources while protecting those resources from malicious actors. It lets organizations monitor and audit privileged access, supporting compliance with applicable regulations, and it detects and blocks unauthorized access attempts and misuse of privileged access. It gives users a controlled path for accessing and managing critical resources without weakening security.
A PAM solution also simplifies monitoring of privileged activity and enforcement of security policy. It can revoke access automatically when users leave the organization or change roles, so entitlements do not outlive their purpose, and it helps detect and respond to threats quickly. For these reasons PAM is an essential control for any organization that wants to secure its data and maintain compliance, and it scales from small teams to large enterprises.
PAM solutions identify the people, processes, and technology that require privileged access and define policies for them. Account creation, changes, and deletion should be automated in your PAM solution (for example, automated password management and multifactor authentication), and the solution should continuously monitor privileged sessions to identify anomalies and support their investigation.
Credential theft prevention and compliance are the two primary uses of privileged access management.
For example, suppose an attacker steals a user's login credentials. Being able to sign in lets the attacker reach organizational data and install malware on devices. A PAM solution limits that damage by granting admin identities and accounts only just-in-time, just-enough access, so a stolen credential does not carry standing privilege.
If your organization must comply with standards that protect sensitive data, such as payment or health information, a least-privilege policy may be required, and a PAM solution can generate reports showing which data was accessed by which users.
In addition, a PAM solution can create, provision, and decommission users automatically, monitor privileged accounts, secure remote access, and control third-party access. PAM solutions can also manage DevOps pipelines, Internet of Things devices, and cloud environments.
Misuse of privileged access can cause serious and extensive damage to organizations, and a PAM solution makes it easier to stay ahead of that risk.
• Provide just-in-time access to critical resources.
• Replace shared passwords with brokered, encrypted gateway sessions for remote access.
• Record privileged sessions to support investigative audits.
• Identify unusual privileged activity that could harm your organization.
• Capture events related to privileged accounts for compliance audits.
• Produce reports on privileged users' actions and access.
• Secure the credentials used in DevOps pipelines.
Privileged accounts pose a significant risk because they are operated by people and can be misused or stolen. With PAM, security teams can identify malicious activity resulting from privilege abuse and act immediately to remediate it, and a PAM solution can give employees only the access they need.
Your organization also benefits from a PAM solution in the following ways:
• Keep the impact of a breach to a minimum. PAM solutions limit how far a compromise can spread if one does occur.
• Give threat actors fewer entry points and pathways. Limiting the privileges of people, processes, and applications protects them from internal and external threats.
• Defend against malware. If malware gains a foothold, it inherits only the limited privileges of the account it runs under, and excessive privileges can be removed.
• Make the environment more audit-friendly. Activity logs let you monitor and detect suspicious activity as part of a comprehensive security and risk management strategy.
How to Enable It
To get the security and risk-mitigation benefits, follow these best practices when planning and implementing a PAM solution.
• Implement multifactor authentication: Adding multifactor authentication to sign-in ensures that users prove their identity with a second, verified factor before reaching privileged accounts or apps.
• Automate your security: Automation improves the security environment, for example by restricting privileges and blocking unsafe or unauthorized actions as soon as a threat is detected.
• Remove endpoint users from local admin groups: Remove unnecessary users from the local Administrators group on Windows workstations. Threat actors use such accounts to move between workstations, steal other credentials, and elevate their privileges to move through the network.
• Establish baselines and monitor variations: Knowing the baseline for acceptable activity helps you spot deviations that may indicate a compromise. Reviewing privileged access activity shows who is doing what in the environment and how privileged passwords are used.
• Apply just-in-time access: Apply the least-privilege principle to every system and network, and segment systems and networks according to levels of trust, need, and privilege.
• Get rid of standing privileged access: Replace permanent privileged access with temporary just-in-time and just-enough access, so users hold such access only for the time they need it.
• Use activity-based access control: Grant privileges only to the resources a person actually uses, minimizing the gap between privileges granted and privileges used.
You need a plan to get started with privileged access management.
• Use your PAM solution to gain visibility of all privileges used by humans and workloads. Once you have that visibility, remove default admin accounts and apply the least-privilege principle.
• Keep privileged access under control and govern privilege elevation so it cannot grow unchecked and compromise your organization's security.
• Establish policies that define acceptable behavior for privileged users, identify actions that violate those policies, and monitor and audit privileged activity.
• Use automation to scale PAM across large numbers of users, assets, and privileged accounts; automated discovery, management, and monitoring simplify administration and improve security and compliance.
Depending on your IT department, you can start using your PAM solution immediately and then gradually add modules to increase functionality and meet compliance requirements.
Business Environment (ID.BE)
Understanding the organization's mission, objectives, stakeholders, and activities informs cybersecurity roles, responsibilities, and risk management decisions.
Let's now explore the Azure mapping for the NIST Identify function's Business Environment category, together with Microsoft's classification of responsibilities between Microsoft and customers, which follows the cloud shared responsibility model.
Figure 3-9 depicts the subcategories of the Azure mapping against the Identify module of the NIST CSF.
Figure 3-9. NIST Identify business environment. The figure shows the Identify (ID) function's Business Environment (ID.BE) category with two mapped subcategories: "communication and identification of the organization's role in the supply chain" (establish and communicate the roles of organizational users, and centrally store and manage this information along with their privileges), mapped to Azure Privileged Access Workstation; and "the resilience requirements for critical services are established" (reliability), mapped to Azure reliability by design.
As part of the Azure cloud shared responsibility model, Table 3-2 lists the NIST Cybersecurity Framework subcategories of ID.BE and who is responsible for each.
Table 3-2. Business Environment Responsibility Matrix

Category: Business Environment (ID.BE). Defining cybersecurity roles and responsibilities and managing risks is based on the organization's mission, objectives, stakeholders, and activities.

ID.BE-1: Communication and identification of the organization's role in the supply chain
  Informative references: NIST SP 800-53 Rev. 4 CP-2, SA-12
  Responsibility: Customer
  Customer responsibility: Supply chain roles must be identified, documented, and communicated by the customer.
  Microsoft Azure responsibility: N/A

ID.BE-2: A description of the organization's role in critical infrastructure and its industry sector is provided
  Informative references: NIST SP 800-53 Rev. 4 PM-8
  Responsibility: Customer
  Customer responsibility: The customer must identify, document, and communicate all critical infrastructure used by the system. The customer's critical infrastructure includes, but is not limited to, virtual machines hosted in Azure subscriptions and the virtual networks connecting Azure virtual machines.
  Microsoft Azure responsibility: N/A

ID.BE-3: Establishing and communicating organizational mission, objectives, and activities
  Informative references: NIST SP 800-53 Rev. 4 PM-11, SA-14
  Responsibility: Customer
  Customer responsibility: Organization missions and business objectives must be identified, documented, and communicated by the customer.
  Microsoft Azure responsibility: N/A

ID.BE-4: Dependencies and critical functions for delivering critical services are established
  Informative references: NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14
  Responsibility: Customer
  Customer responsibility: A critical service provider must identify, document, and communicate dependencies.
  Microsoft Azure responsibility: N/A

ID.BE-5: The resilience requirements for critical services are established
  Informative references: NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14
  Responsibility: Customer
  Customer responsibility: The customer must identify and document resilience requirements for all operating states to ensure the delivery of critical services. Although Microsoft Azure provides many of the building blocks, the customer is responsible for enabling and documenting the services that deliver system resiliency (e.g., alternate processing location, alternate storage location).
  Microsoft Azure responsibility: N/A
Privileged Access Workstation
Administrators, developers, and operators of critical services need secure, isolated workstations for the sensitive tasks they perform. Privileged access workstations (PAWs) should be kept current with the latest security patches and protections, monitored and audited regularly so that vulnerabilities are found and fixed quickly, and strictly limited in who may use them; any change to the system should be documented and approved, and the workstation should be tested regularly for vulnerabilities and integrity.
A PAW is a hardened, dedicated device used only for privileged tasks. Because the everyday workstation used for email and web browsing is the most common place for credentials to be stolen, keeping privileged sessions on a separate, locked-down device removes the privileged credential from the most exposed system, reduces the risk of credential theft and the data breaches that follow, and makes monitoring the remaining privileged activity far easier.
Importance of Privileged Access Workstation
PAWs are physical or virtual systems from which privileged accounts are used. They are isolated from general-purpose networks and must be closely monitored to prevent unauthorized access. PAWs are a crucial part of an organization's cybersecurity strategy because they let privileged users reach sensitive networks and data with far less risk of compromise, which has made them an essential tool for protecting an organization's data and systems from malicious actors.
A PAW can be deployed on-premises or in Azure and managed with Azure Active Directory, Microsoft Intune, and Microsoft Defender. Its secure configuration, including strong authentication, software and hardware baselines, and restricted logical and network access, should be managed centrally. Monitor and audit the PAW regularly to confirm it remains secure and compliant with security policy, and document and address any detected violation immediately. Train every user in the importance of security and the correct use of the PAW. Review security policies periodically and apply changes promptly. Patch the operating system and applications regularly so the latest security updates are in place, and revoke PAW access from any user who no longer requires it.
Additionally, Azure Bastion can be provisioned in your virtual network as a fully platform-managed service that provides RDP and SSH access to virtual machines directly from the Azure portal. The connection from the user crosses the Internet only as far as Bastion, not to the VM, so the VM needs no public IP address. Bastion is a managed, scaled-out service, so there is no jump-box VM for you to patch or keep available, and it needs little configuration and minimal maintenance. It adds a layer of security by brokering the session through the Azure portal over TLS and by keeping VMs off the public Internet. It also works for users with limited privileges: to connect, a user needs only Reader access on the VM, its network interface, and the Bastion resource, plus the VM's own login credentials, so organizations can grant remote access without handing out administrative rights on the Azure resources.
Microsoft Azure Bastion
Azure Bastion protects your virtual machines by providing private, secure access to them from the public Internet without exposing the VMs themselves to the Internet. The browser session to Bastion is encrypted with TLS on port 443, the VM's private IP address is never reachable from the Internet, and the VM needs no public IP. Bastion presents an easy-to-use web-based interface, so users reach their VMs without installing any additional software or hardware. Because every session is opened through the Azure portal, Azure AD Conditional Access and multifactor authentication govern who can start one, and Azure role-based access control decides which VMs each user can connect to, so only authorized users reach your virtual machines and access permissions are easy to manage.
Bastion also emits diagnostic logs that record who connected to which VM and when, so user activity can be monitored and suspicious activity detected. This makes it a good fit for organizations that need remote administrative access without the exposure of public RDP/SSH endpoints.
With a Bastion host, your VMs are not reachable by Internet port scanning or by brute-force attacks on exposed RDP/SSH ports, so there is no need to harden each VM's public exposure separately.
Azure Bastion removes the need to deploy and maintain your own jump box. It is cost-effective: you pay per hour for the service, plus charges for data sent out of the platform.
Azure Reliability by Design
Azure helps keep businesses running by backing its services with financially guaranteed service level agreements (typically 99.9 percent availability or higher, depending on the service and how it is configured), along with monitoring, backup, and data recovery capabilities that help keep data secure and available, and disaster recovery solutions that protect against regional outages.
"Azure reliability by design" is a set of technologies and practices integrated into the development process so that cloud applications and services are reliable and resilient. It relies on automation, monitoring, and proactive management of the system, which lets Azure offer a reliable and secure environment for its customers and helps customers reduce the cost and complexity of managing their cloud environments.
The Importance of Reliability
Cloud system reliability by design is an approach that makes reliability a fundamental property of the system from the very beginning of development. It uses techniques such as fault-tolerant design, redundancy, and error recovery so that the system can handle the failures that will inevitably occur. Building reliability in from the ground up, rather than bolting it onto an existing system, takes less time and fewer resources and results in a more cost-effective and efficient system.
Reliability ensures that your application can meet your customers' expectations. By architecting resiliency into your application, you can keep workloads available and recover from failures at any scale.
Reliability is built by doing the following:
• Creating a highly available architecture
• Recovering from events such as data loss, significant downtime, or ransomware incidents
Azure has many built-in resilience features:
• Azure Storage, Azure SQL Database, and Azure Cosmos DB can replicate data automatically across availability zones and regions.
• Azure managed disks for VMs in an availability set are automatically placed in different storage scale units to limit the effect of a hardware failure.
• An availability set spreads virtual machines (VMs) across several fault domains. The VMs in one fault domain share a power source and network switch, so spreading VMs across fault domains limits the impact of physical hardware failures, network outages, and power outages.
In addition, high availability needs to be balanced with high resiliency, low latency,
and low cost. It is equally important for applications to recover from failures (resiliency).
Multitenant environments such as Azure are highly distributed and prone to failure.
By anticipating failures from particular elements to entire Azure regions, you can design
a solution in a resilient way to enhance reliability. The concept of reliability is subjective.
For an application to be suitably reliable, it must echo the business requirements
covering it.
To mitigate issues impacting application reliability, you must first detect them.
Reliability issues can be detected and predicted by monitoring the application’s
operation compared to its healthy state. Taking swift and remedial action is possible with
monitoring.
A system that self-heals can deal with failures automatically. Predefined remediation
protocols are used to handle failures, and these protocols connect to failure modes
within the solution. To achieve this level of maturity, the system must be monitored and
automated to a high degree. Aiming to maximize reliability should be the goal of self-
healing from the start.
Azure offers a wide range of cloud-native services that support reliability, such
as Azure Front Door, Azure Traffic Manager, Azure Load Balancer, Azure Virtual Network
NAT, Service Fabric, Azure Kubernetes Service (AKS), and Azure Site Recovery.
During the architectural phase, Microsoft recommends implementing practices that
meet your business requirements, identifying failure points, and minimizing the scope of
failures.
Reliability by design means the following:
• Establish recovery and availability targets that meet the needs of the
business: SLAs are availability targets that represent a commitment to
performance and availability. To define reliability targets, it is crucial
to understand each component’s service level agreement (SLA). In
a disaster, recovery targets determine how long the workload may be
unavailable and how much data may be lost. Identify the critical
scenarios and the targets that apply to the application. Penalties, such as
financial charges, may apply if an SLA is not met. The consequences of
not meeting availability targets should be fully understood.
• Platforms and applications must meet your reliability requirements:
Designing application and data platform resiliency and availability
are essential to securing overall application reliability.
• Promote availability by configuring connection paths: For improving
Azure service reliability and connection availability, Microsoft
recommends the following:
• Use a global load balancer for traffic distribution and failover
across regions.
• Ensure there are redundant connections from different locations
for cross-premises connectivity (ExpressRoute or VPN).
• To ensure connectivity over alternative paths, simulate a
failure path.
• Eradicate all single points of failure from the data path between
on-premises and Azure.
• To improve reliability and reduce costs, use availability zones where
possible: When failure scenarios affect regional data centers, zone-
aware services can help improve availability and reliability. Gateway
instances can also be deployed across zones for enhanced reliability
and availability during failure scenarios affecting a regional
data center.
• Build a resilient application architecture: A critical application
scenario or function should be able to operate even when affected
by regional or zonal failures of services or components. Application
operations may run with diminished functionality or degraded
performance during an outage.
• Understand the consequences of not meeting service level agreements:
Failure mode analysis (FMA) incorporates resilience into applications
early in the design process. Using it, you can identify the types of
failures your application might experience, their potential effects, and
the recovery strategies you can use when a failure occurs. A single point
of failure is a fault point in an application that would bring the whole
application down if it failed; when such a component fails, the application
becomes unavailable, which is a significant risk. Has every fault point and
fault mode been identified? In an application architecture, fault points
are the elements that may fail, while fault modes describe how those
fault points may fail. All fault points and fault modes must be understood
and operationalized to confirm that an application is resilient to end-to-
end failures.
• Build resilience in the system by identifying possible failure points:
Dependencies play a critical role in the functionality and availability
of an application. Strong dependencies will affect overall availability,
whereas weak dependencies may affect only specific features. A
dependency is classified as strong or weak based on whether the
application can continue functioning without it.
• Ensure applications can work in the absence of their dependencies: The
cloud application must be able to scale as usage changes. Design the
application so that it automatically responds to changes in load when
they occur. Keep scaling limits in mind during design so you can
grow smoothly in the future.
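To make the SLA and multi-region bullets above concrete, here is an added example (not from the book) that composes per-component SLAs into an end-to-end availability figure, compares it with a business target, and converts it to a downtime budget. The component percentages are constructed sample values, not Microsoft’s published SLAs, and the independence assumptions are stated in the code.

```python
"""Composite availability calculator (added example, not from the book).

Assumptions: the SLA figures used below are constructed sample values, not
Microsoft's published SLAs; components in a request path are treated as
independent, and regional copies behind a global load balancer are treated as
independent parallel copies (a correlated failure would break that assumption).
"""
from dataclasses import dataclass

MINUTES_PER_30_DAYS = 30 * 24 * 60  # 43,200 minutes


@dataclass(frozen=True)
class Component:
    name: str
    availability: float  # fraction, e.g. 0.9995 for a 99.95% SLA


def series_availability(components):
    """All components in the path must be up, so the probabilities multiply."""
    result = 1.0
    for c in components:
        if not 0.0 <= c.availability <= 1.0:
            raise ValueError(f"{c.name}: availability must be a fraction in [0, 1]")
        result *= c.availability
    return result


def parallel_availability(availability, copies):
    """Independent copies: an outage needs every copy down at the same time."""
    if copies < 1:
        raise ValueError("need at least one copy")
    return 1.0 - (1.0 - availability) ** copies


def allowed_downtime_minutes(availability, period_minutes=MINUTES_PER_30_DAYS):
    """Downtime budget implied by an availability figure over a period."""
    return (1.0 - availability) * period_minutes


def composite_sla(regional_stack, regions, global_entry):
    """Per-region stack in series, regions in parallel, then the global entry
    point (e.g. Front Door or Traffic Manager) in series with the rest."""
    per_region = series_availability(regional_stack)
    multi_region = parallel_availability(per_region, regions)
    return series_availability([Component("regions", multi_region), global_entry])


def meets_target(availability, target):
    """Compare the composite figure with the business availability target."""
    return availability >= target


if __name__ == "__main__":
    # Constructed sample SLAs for a two-tier regional stack.
    stack = [Component("web tier", 0.9995), Component("database", 0.9999)]
    entry = Component("global load balancer", 0.9999)
    target = 0.9995  # business target: 99.95%
    single = series_availability(stack + [entry])
    dual = composite_sla(stack, 2, entry)
    for label, a in (("single region", single), ("two regions", dual)):
        print(f"{label}: {a:.5%} available, ~{allowed_downtime_minutes(a):.1f} min "
              f"downtime budget per 30 days, meets {target:.2%}: {meets_target(a, target)}")
```

With these sample figures a single region falls short of a 99.95% target while two regions behind a global load balancer exceed it, which is the failover bullet above expressed as numbers.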
Governance ([Link])
Cybersecurity governance establishes and enforces policies, standards, and procedures
designed to protect your organization’s digital assets and information systems.
It is an integral part of any organization’s risk management strategy and helps to
ensure compliance with relevant regulations. It is essential to have a comprehensive
cybersecurity governance program in place to protect the organization from cyber-
attacks, data breaches, and other security incidents. Regular program reviews are
essential to ensure its effectiveness and compliance with industry standards. Regular
training of staff is also essential to ensure they are aware of the latest security protocols
and best practices.
Additionally, organizations should invest in the latest cybersecurity technologies
to further protect their data and systems. Organizations should also regularly update
their security policies to reflect the latest threats and risks. Regular audits should also
be conducted to identify potential risks or vulnerabilities. Finally, organizations should
ensure all employees know their responsibilities and adhere to security policies.
The policies, procedures, and processes to manage and monitor the organization’s
regulatory, legal, risk, environmental, and operational requirements are understood and
inform cybersecurity risk management.
Let’s now explore the Azure NIST Identify mapping for governance and Microsoft’s
outlined responsibility classification between Microsoft and customers, which is in line
with the cloud security shared responsibility model.
Figure 3-10 depicts the NIST Identify mapping for governance.
[Figure 3-10 content: IDENTIFY (ID) > Governance ([Link]). Subcategory shown: information security roles and responsibilities are coordinated and aligned with internal roles and external partners. Azure (shared responsibility) items mapped: Microsoft Incident Response and Shared Responsibility; Microsoft and General Data Protection Regulation (GDPR); Microsoft Compliance Manager; Azure Policy.]
Figure 3-10. NIST Identify governance
As part of the Azure cloud shared responsibility model, the NIST CSF security
functions are provided in Table 3-3 with respect to [Link].
Table 3-3. [Link] Responsibility Matrix

Category: Governance ([Link]): Organizational policies, procedures, and processes govern the management of cybersecurity risks, including regulations, legal requirements, risk management, environmental management, and operational management.

Subcategory: [Link]-1: The organization establishes an information security policy.
Informative References: NIST SP 800-53 Rev. 4 -1 controls from all families
Responsibility: Shared
Customer Responsibility: Organizations are responsible for establishing information security policies and procedures to manage and monitor regulatory, legal, risk, environmental, and operational requirements and to inform themselves about cybersecurity risks.
Microsoft Azure Responsibility: As part of Microsoft Azure Compliance, all Azure assets are subject to the Microsoft Security Policy. Among the items included in the policy are the roles and requirements of applicable personnel, the scope covering properties and services, and the roles and responsibilities of those involved.

Subcategory: [Link]-2: Coordination and alignment of information security roles and responsibilities with internal and external partners
Informative References: NIST SP 800-53 Rev. 4 PM-1, PS-7
Responsibility: Customer
Customer Responsibility: The customer is responsible for identifying and documenting information security roles and responsibilities. Microsoft Azure positions must align with internal roles under the customer’s internal policies.
Microsoft Azure Responsibility: N/A

Subcategory: [Link]-3: Understanding and managing cybersecurity legal and regulatory obligations, such as privacy and civil liberties
Informative References: NIST SP 800-53 Rev. 4 -1 controls from all families (except PM-1)
Responsibility: Customer
Customer Responsibility: The customer must develop, document, and disseminate regulatory and legal requirements concerning cybersecurity.
Microsoft Azure Responsibility: N/A

Subcategory: [Link]-4: Risk management and governance processes address cybersecurity issues
Informative References: NIST SP 800-53 Rev. 4 PM-9, PM-11
Responsibility: Customer
Customer Responsibility: The customer is responsible for developing, documenting, and disseminating cybersecurity risk management policies and procedures.
Microsoft Azure Responsibility: N/A
Microsoft Incident Response and Shared Responsibility
Microsoft provides tools and services to help customers detect, investigate, and respond
to security incidents. Customers have a shared responsibility to ensure the security and
compliance of their environment. Microsoft provides guidance and recommended best
practices to help customers meet security objectives. Regularly monitoring security logs
and analytics can help customers detect suspicious activity and take action quickly.
Customers should also ensure they have the appropriate personnel and processes in
place to respond to security incidents should they arise. Microsoft supports customers in
all security aspects, from training to incident response. Microsoft also offers a wide range
of security products, such as its Azure Security Center, to help customers protect their
data and systems.
Additionally, Microsoft provides security awareness training to help customers stay
up-to-date with the latest security threats. Microsoft also provides security consulting
services to help customers identify, assess, and mitigate risks. The company also offers
a variety of tools and services to help customers detect, investigate, and respond to
security incidents. Finally, Microsoft works closely with customers to help them develop
secure development practices.
Key Points Microsoft Incident Response provides an array of services to help
organizations respond to security incidents, including incident analysis, malware
investigation and analysis, and forensic analysis. Microsoft also provides a wide range
of resources for incident response teams, specialized consulting services and training
to help them develop the skills and knowledge needed to respond effectively, and
guidance on detecting, investigating, and responding to security incidents. Its tools
and services for investigating and analyzing incidents include digital forensics, threat
intelligence, and advanced analytics.
Incident response is primarily a reactive practice in the security operations (SecOps)
discipline, and it consists of investigating and remediating active attacks on your
organization.
As a measure of how well security operations can reduce organizational risk, the
incident response directly impacts the mean time to acknowledge (MTTA) and mean
time to remediate (MTTR). For incident response teams to reduce risk, good working
relationships between threat hunters, intelligence, and incident management teams (if
present) are crucial.
In SecOps, the system’s security assurances are maintained and restored when live
adversaries attack it. The NIST CSF describes how to detect, respond, and recover well.
• The SecOps team must detect adversaries in the network, who are
often incentivized to remain hidden so they can achieve their
objectives unhindered. Detection can happen proactively, by hunting
through enterprise activity logs, or in response to an alert of suspicious activity.
• As soon as SecOps detects a potential adversary action or campaign,
they should investigate whether an actual attack is underway (a
true positive) or a false alarm (a false positive). They should also
enumerate the purpose and scope of the adversary operation.
• SecOps is ultimately responsible for preserving and restoring
business services (confidentiality, integrity, and availability) following
an attack.
The biggest security risk is from human attack operators (of varying skill levels) for
most organizations. Anti-malware products built with signature and machine learning
approaches have significantly reduced the risk of automated/repeated attacks for most
organizations. Despite this, there are notable exceptions, such as WannaCrypt and
NotPetya, which moved faster than these defenses.
Human attack operators (as opposed to automated/repeated logic) are challenging to
counter because of their adaptability, but they also operate at the same speed as
defenders.
A security operations center (SOC) is crucial in limiting an attacker’s time and access
to valuable systems and data. A malicious attacker can continue conducting attack
operations and gaining access to sensitive systems for as long as they remain in the
environment.
Microsoft and General Data Protection Regulation
General Data Protection Regulation (GDPR) is a regulation in the European Union that
requires organizations to protect the personal data of their customers and employees.
The GDPR Advisory Board comprises experts from law, technology, and data
protection who can provide guidance and advice on how to best comply with the GDPR.
What Is GDPR? Privacy and security laws are stricter in the EU under the GDPR
than elsewhere. Even though it was drafted and passed by the EU, it imposes
obligations on any organization that targets or collects information about European
citizens. GDPR came into effect on May 25, 2018. If a company violates its privacy
and security standards, harsh fines will be imposed, reaching into the millions.
The GDPR Toolkit is designed to give customers the information they need to
understand their data protection obligations. At the same time, the training and certification
programs offer customers the skills to manage their data effectively in compliance with
the GDPR. The GDPR Advisory Board is there to provide an expert, impartial perspective
on the GDPR. At the same time, the Toolkit and training programs are designed to
ensure customers are fully informed and equipped to comply with the regulations. This
combination of expert insights and practical, hands-on education gives customers the
information and skills they need to manage their data in line with the GDPR properly.
Microsoft has ensured its products and services comply with GDPR standards. It
has implemented various measures, such as data encryption, to protect personal data.
Microsoft has also provided tools to help organizations understand and manage their
data. It has also established a data protection officer role to monitor compliance with
GDPR. Microsoft has also conducted audits to ensure its products and services meet
GDPR requirements. It has also proactively guided customers on how to comply
with GDPR. Finally, Microsoft has set up a GDPR Compliant Center to help customers
with GDPR compliance.
Microsoft also offers a GDPR Assessment Toolkit to help organizations assess and
prepare for GDPR. It has also launched a GDPR Compliance Toolkit to help customers
understand how to manage their data in compliance with the GDPR.
Microsoft Compliance Manager
The Microsoft Compliance Manager helps organizations ensure their operations
comply with applicable laws, regulations, and industry standards. It provides an
integrated platform for managing and monitoring compliance processes and tools for
helping organizations detect and respond to potential compliance risks. Compliance
Manager also offers real-time reporting and analytics capabilities to help organizations
identify gaps in their compliance posture. It can also be integrated with other Microsoft
solutions, such as Office 365 and Dynamics 365.
On the Compliance Manager overview page, you can see your current compliance
score, what needs improvement, and take action to improve it (see Figure 3-11). As
you complete improvement actions to comply with regulations, standards, or policies,
Compliance Manager awards you points that are combined into an overall compliance
score. Your score is affected differently by each action based on its potential risks, and
you can prioritize which actions to focus on based on your compliance score.
Microsoft 365 Compliance Manager calculates your initial score based on the
Microsoft 365 data protection baseline. The baseline includes key regulations and
standards for data protection.
Figure 3-11. Compliance Manager
Azure Policy
Azure Policy helps organizations to define and enforce standards and practices at scale.
It enables customers to define policy rules that are applied to Azure resources to ensure
compliance with company standards and service level agreements. It also provides
visibility into their cloud environment and helps to detect and remediate noncompliant
resources. Azure Policy also helps organizations to quickly identify and respond to
security threats in their cloud environment. It helps to enforce security best practices
and ensure that resources are compliant with industry regulations.
Additionally, Azure Policy helps to reduce operational costs and helps organizations
to optimize their cloud usage. Azure Policy helps to automate the process of ensuring
compliance and security, allowing organizations to focus on other tasks and projects. It
also provides organizations with the ability to audit and monitor their cloud resources in
real-time. This visibility into their environment allows organizations to quickly identify
any gaps in security or compliance, as well as potential areas of improvement. This
makes it easier to take corrective action and mitigate any potential risks. It also enables
organizations to automate the process of responding to any risks, ensuring that their
cloud environment stays secure and compliant. This helps to reduce the time and effort
required for managing their cloud environment, freeing up valuable resources for other
projects.
Additionally, organizations can take advantage of the scalability of the cloud to quickly
respond to changing business needs and optimize their cloud environment for cost
efficiency. This helps to ensure that organizations are able to maximize the value of their
cloud investments. Automated cloud management tools can help organizations to achieve
these goals by automating and optimizing cloud operations, providing visibility into their
cloud usage, and enabling organizations to manage their cloud costs more effectively.
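As an added example (not from the book, and not Microsoft’s policy engine), the following Python models a policy definition in Azure Policy’s JSON rule format and evaluates it against a constructed resource inventory, the way a policy assignment flags noncompliant resources. The definition is modelled on the built-in storage secure-transfer policy; the inventory, the flat alias handling, and the evaluator itself are constructed for this example, and only Audit and Deny semantics are modelled.

```python
"""Simplified Azure Policy rule evaluation (added example; not Microsoft's engine).

An Azure Policy definition carries a JSON "policyRule" with an "if" condition
tree and a "then" effect. This toy evaluator supports the common condition
forms (field with equals/notEquals/in/exists, plus allOf/anyOf/not) and
applies a definition to a constructed, inline resource inventory to show how
noncompliant resources get flagged. Only Audit and Deny semantics are
modelled: a matching "if" means the resource is noncompliant.
"""
import json

# Constructed definition, modelled on the built-in "Secure transfer to storage
# accounts should be enabled" policy (Audit effect).
HTTPS_ONLY = "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly"
POLICY_DEFINITION = {
    "displayName": "Storage accounts should require HTTPS (constructed example)",
    "mode": "Indexed",
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                {"anyOf": [
                    {"field": HTTPS_ONLY, "exists": "false"},
                    {"field": HTTPS_ONLY, "equals": "false"},
                ]},
            ]
        },
        "then": {"effect": "Audit"},
    },
}

# Constructed inventory. Property aliases are kept flat under "properties";
# that is how this toy stands in for Azure Policy's real alias resolution.
RESOURCES = [
    {"name": "stsecurelogs", "type": "Microsoft.Storage/storageAccounts",
     "location": "eastus", "tags": {"owner": "secops"},
     "properties": {HTTPS_ONLY: True}},
    {"name": "stlegacyexport", "type": "Microsoft.Storage/storageAccounts",
     "location": "westeurope", "tags": {},
     "properties": {HTTPS_ONLY: False}},
    {"name": "stnoflag", "type": "Microsoft.Storage/storageAccounts",
     "location": "eastus", "tags": {"owner": "data"}, "properties": {}},
    {"name": "vm-app-01", "type": "Microsoft.Compute/virtualMachines",
     "location": "eastus", "tags": {}, "properties": {}},
]


def _norm(value):
    # Azure Policy compares strings case-insensitively; booleans appear as "true"/"false".
    return None if value is None else str(value).lower()


def _field_value(resource, field):
    if field in ("type", "name", "location", "kind"):
        return resource.get(field)
    if field.startswith("tags[") and field.endswith("]"):
        return resource.get("tags", {}).get(field[5:-1].strip("'"))
    return resource.get("properties", {}).get(field)


def matches(resource, cond):
    """Recursively evaluate an Azure Policy condition tree against one resource."""
    if "allOf" in cond:
        return all(matches(resource, c) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(resource, c) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(resource, cond["not"])
    value = _field_value(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (_norm(cond["exists"]) == "true")
    if "equals" in cond:
        return _norm(value) == _norm(cond["equals"])
    if "notEquals" in cond:
        return _norm(value) != _norm(cond["notEquals"])
    if "in" in cond:
        return _norm(value) in {_norm(v) for v in cond["in"]}
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy, resources):
    """Return one compliance record per resource for an Audit/Deny policy."""
    rule = policy["policyRule"]
    effect = rule["then"]["effect"]
    if effect not in ("Audit", "Deny"):
        raise ValueError(f"effect {effect!r} is not modelled by this example")
    return [{"resource": r["name"], "compliant": not matches(r, rule["if"]),
             "effect": effect} for r in resources]


def noncompliant_names(policy, resources):
    return [rec["resource"] for rec in evaluate(policy, resources) if not rec["compliant"]]


if __name__ == "__main__":
    print(json.dumps(POLICY_DEFINITION, indent=2))  # the JSON you would hand to the portal or CLI
    for rec in evaluate(POLICY_DEFINITION, RESOURCES):
        state = "compliant" if rec["compliant"] else f"NONCOMPLIANT ({rec['effect']})"
        print(f"{rec['resource']:<16} {state}")
```

Written out as JSON, POLICY_DEFINITION is the shape that `az policy definition create --rules` expects; assigning the definition to a scope is what turns the Audit findings into the compliance view described above.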
Risk Assessment ([Link])
In general, risk assessment evaluates the potential risks associated with a particular
activity or project. It involves identifying and analyzing potential risks, determining the
likelihood of their occurrence, and developing strategies to manage or mitigate them.
Risk assessment helps organizations make informed decisions by understanding the
risks associated with a certain activity or project. It also helps organizations develop
strategies to reduce risks and ensure that the activity or project is conducted safely and
efficiently. This allows organizations to save time and money by avoiding potential
risks and problems before they occur. Risk assessment also helps organizations better
understand their operations and the environment they operate in. This, in turn,
allows organizations to make informed decisions and take proactive steps to identify
and mitigate potential risks. Risk assessment also helps organizations build a strong
safety culture and promote a safe working environment for employees. This also helps
organizations to stay compliant with safety regulations, build trust with stakeholders,
and improve their reputation in the marketplace.
Risk Assessment for Microsoft Azure
A risk assessment includes an analysis of the security, compliance, and privacy controls
used by Microsoft Azure. The evaluation also includes a review of the architecture,
operational processes, and customer-specific configurations. Finally, it evaluates the
effectiveness of the security controls and recommends any necessary changes. Microsoft
Azure also provides security recommendations to customers based on the assessment.
Customers can use these recommendations to improve the security of their cloud
environment. The evaluation also gives customers visibility into their security posture
and compliance with industry standards. This gives customers confidence that their
cloud environment is secure and compliant. It also allows customers to adjust and
ensure that their security controls are up to date. This helps customers reduce the risk of
a security breach and data loss, as well as protect their and customers’ data. Ultimately,
this allows customers to gain trust and maintain a good reputation.
Let’s now explore the Azure NIST Identify mapping for risk assessment and
Microsoft’s outlined responsibility classification among Microsoft and customers, which
is in line with the cloud security shared responsibility models.
Figure 3-12 depicts the NIST Identify category for risk assessment.
[Figure 3-12 content: IDENTIFY (ID) > Risk Assessment ([Link]). Subcategories shown: identification and documentation of asset vulnerabilities; information-sharing forums and sources provide threat and vulnerability information; the threat landscape is identified and documented, both internally and externally; threats, vulnerabilities, likelihoods, and impacts are taken into account in order to determine risk. Azure services and offerings mapped: Vulnerability Assessment in Azure Security Center, AD Risk Assessment, PAW, Azure Monitor, Microsoft Sentinel, Microsoft Threat Modeling Tool, Microsoft Threat Management, and Cybersecurity Operations Services.]
Figure 3-12. NIST Identify risk assessment
As part of the Azure cloud shared responsibility model, the NIST CSF security
functions are provided in Table 3-4 with respect to [Link].
Table 3-4. [Link] Responsibility Matrix

Category: Risk Assessment ([Link]): Organizations know the cybersecurity risks to their operations (including mission, functions, image, and reputation), assets, and personnel.

Subcategory: [Link]-1: The vulnerability of assets is identified and documented
Informative References: NIST SP 800-53 Rev. 4 CA-2, CA-7, CA-8, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5
Responsibility: Shared
Customer Responsibility: As a customer, you are responsible for continuously analyzing your system assets (e.g., customer applications, databases, and operating systems) for vulnerabilities. It is the customer’s responsibility to document vulnerabilities once they are identified.
Microsoft Azure Responsibility: Microsoft Azure documents reflect any security issues or vulnerabilities identified or remediated as part of continuous monitoring. Using the vulnerability scanning processes, Microsoft Azure tracks vulnerabilities through closure. In addition to maintaining, securing, managing, and storing information system and asset documentation, Microsoft Azure service teams also keep a detailed record of known vulnerabilities.

Subcategory: [Link]-2: Information on cyber threats and vulnerabilities is obtained from information sharing forums and sources
Informative References: NIST SP 800-53 Rev. 4 PM-15, PM-16, SI-5
Responsibility: Shared
Customer Responsibility: The National Vulnerability Database (NVD), an updated database of vulnerabilities maintained by the National Institute of Standards and Technology (NIST), is one example of cyber threat intelligence.
Microsoft Azure Responsibility: Several external communications, including the United States Computer Emergency Readiness Team (US-CERT) and the National Information Security Agency (NVD), provide Microsoft Azure with cyber threat intelligence and vulnerabilities for all asset types. Microsoft Azure’s Management Portal or a 24-hour dedicated phone line is available for reporting security incidents at any time. In addition, Azure disseminates alerts received from vendor websites and other third-party services (Internet Security System, US-CERT advisories, and alerts) throughout the organization. Microsoft Azure Security also addresses notifications received directly from external organizations (US-CERT) other than the Services Operation Center or Microsoft Support, and disseminates the security alerts (e.g., emails, RSS feeds) received from them.

Subcategory: [Link]-3: It is necessary to identify and document internal as well as external threats
Informative References: NIST SP 800-53 Rev. 4 RA-3, SI-5, PM-12, PM-16
Responsibility: Shared
Customer Responsibility: Internal and external threats must be identified and documented by the customer.
Microsoft Azure Responsibility: Microsoft conducts and documents internal and external threats to Microsoft Azure and the information it processes, stores, or transmits to mitigate threats to Microsoft Azure. The probability and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction are included.

Subcategory: [Link]-4: A business impact and likelihood analysis is conducted
Informative References: NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-9, PM-11, SA-14
Responsibility: Customer
Customer Responsibility: Customers must identify and document the potential business impact and likelihood of such events.
Microsoft Azure Responsibility: N/A

Subcategory: [Link]-5: A threat’s vulnerability, its likelihood, and its impact are used to determine a risk’s level
Informative References: NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-16
Responsibility: Shared
Customer Responsibility: Based on the identified vulnerabilities, threats, and business impacts, the customer determines risk.
Microsoft Azure Responsibility: Microsoft Azure determines risk by periodically assessing its environment and updating its policies and procedures. This is necessary to ensure compliance with changing regulations, contractual requirements, business processes, technical requirements, and operational requirements. Threats, vulnerabilities, likelihoods, and impacts influence risk. These factors include, but are not limited to, the likelihood and magnitude of harm that could occur if Microsoft Azure and the information it processes, stores, or transmits were accessed, used, disclosed, disrupted, modified, or destroyed by an unauthorized party. The risk of failure is assessed annually or as necessary.

Subcategory: [Link]-6: Identifying and prioritizing risk responses
Informative References: NIST SP 800-53 Rev. 4 PM-4, PM-9
Responsibility: Shared
Customer Responsibility: Risks are identified and prioritized by the customer based on organizationally defined risk tolerances.
Microsoft Azure Responsibility: Azure’s Cloud+Enterprise (C+E) Security team prioritizes responses to identified risks. Security-related information generated by assessments and monitoring, such as vulnerability scan results and recurring control testing, is correlated and analyzed by the Microsoft Azure Continuous Monitoring team, which scans and analyzes the Microsoft Azure environment monthly. Depending on the risk level, Azure prioritizes and mitigates all vulnerabilities based on actionability (i.e., requiring remediation), risk reduction, false positivity, or risk acceptance.
Vulnerability Assessments in Microsoft Defender for Cloud
Vulnerability assessments identify and assess security weaknesses in an organization’s
information systems. These assessments help organizations prioritize their security
efforts and identify areas to reduce risk.
Vulnerability assessments should be conducted regularly to keep up with the
changing security landscape and new threats. Organizations should also implement
measures to mitigate the risks identified in the assessments. Furthermore, organizations
should develop a plan of action for addressing the identified weaknesses and regularly
track their progress to ensure that the vulnerabilities are addressed effectively. Regular
reviews should also be conducted to identify and address any new vulnerabilities.
Security breaches should be reported to the relevant authorities, and the
organization should ensure that similar incidents do not happen. Security policies
should be updated regularly to reflect the latest trends and technologies. Regular
training should be provided to employees to ensure they know the organization’s
security policies. Employees should also be encouraged to report suspicious activity or
security threats. Additionally, organizations should regularly monitor their systems to
identify any security vulnerabilities. Security systems should also be tested periodically
to ensure they are working correctly.
Qualys Integration with Defender for Cloud Qualys powers the vulnerability
scanner included with Microsoft Defender for Cloud. Qualys’ scanner is one of the
leading tools for the real-time identification of vulnerabilities, and it’s available only
with Microsoft Defender for Servers. You don’t need a Qualys license or even a
Qualys account; everything is handled seamlessly inside Defender for Cloud.
Organizations should also invest in the latest security technologies to protect their
systems from cyber threats and should develop a disaster recovery plan to quickly and
effectively respond to any security incidents.
Microsoft Defender for Cloud’s vulnerability assessment is a security tool that
helps protect your cloud infrastructure from cyber threats. It scans for vulnerabilities
and provides detailed reports so you can identify and fix any potential security issues.
It helps to keep your data safe and secure. It also helps to identify malicious activities
and suspicious behavior on your network. It can be used to monitor and detect any
unauthorized access to your cloud infrastructure.
Figure 3-13 depicts the Microsoft Defender vulnerability management capabilities.
[Figure 3-13 content: Microsoft Defender Vulnerability Management, with three capability areas: continuous discovery and monitoring; risk-based intelligent prioritization; remediation and tracking.]
Figure 3-13. Microsoft Defender vulnerability management capabilities
Additionally, Microsoft Defender continuously monitors your cloud infrastructure for
security threats. It detects any suspicious activities, such as data exfiltration, and can help
to prevent data breaches. Microsoft Defender also provides visibility into the activities
of privileged users, allowing administrators to monitor and detect any malicious or
suspicious activity. In addition, it provides a secure platform for data storage and retrieval,
ensuring data integrity and privacy. It also provides detailed insights into your cloud
infrastructure, allowing you to identify any weak points and take preventive measures.
Microsoft Defender enables administrators to set granular access control policies
for privileged users, ensuring that only authorized users can access sensitive data.
Furthermore, its advanced analytics capabilities allow administrators to detect abnormal
activities and take corrective measures quickly. Its secure data storage and retrieval
capabilities also help protect data from unauthorized access and maintain its integrity.
Moreover, Microsoft Defender offers automated patching for applications and systems,
ensuring that all security vulnerabilities are addressed promptly. This helps to ensure
that the system is secure from potential threats.
Microsoft Defender also provides real-time threat detection and response
capabilities, which help identify and respond immediately to potential security
threats so that data and systems remain secure.
Microsoft Defender also has various features to protect user data, such as data
encryption, secure password storage, and two-factor authentication. These features
keep user data safe even if a threat successfully penetrates the system’s defenses.
The automated patching feature helps to ensure that newly discovered security
vulnerabilities are addressed quickly and effectively before malicious actors can
exploit them.
Even while devices are not connected to the corporate network, Defender Vulnerability
Management’s built-in agentless scanners continue to monitor them and detect risk.
With consolidated inventories, you can monitor and assess your organization’s
assets, including software applications, digital certificates, hardware and firmware, and
browser extensions, in real time.
You can assess your cyber exposure using advanced vulnerability and configuration
assessment tools, including the following:
• Assessment of security baselines: Create customizable baseline profiles
for measuring risk compliance against established benchmarks,
such as the Center for Internet Security (CIS) and Security Technical
Implementation Guides (STIG).
• Visibility into software and vulnerabilities: You can get an overview of
the organization’s software inventory and software changes such as
installations, uninstallations, and patches.
• Network Share Assessment: A network share assessment provides
actionable recommendations for securing vulnerable internal
network shares.
• Authenticated scan for Windows: You can scan unmanaged Windows
devices regularly for software vulnerabilities using Microsoft
Defender Vulnerability Management credentials to access the
devices remotely.
• Threat analytics and event timelines: Threat analytics and event timelines help
you understand and prioritize vulnerabilities.
• Browser extensions assessment: You can assess the browser extensions
installed on different browsers in your organization. You can view
information on each extension’s permissions and level of risk.
• Digital certificates assessment: You can check the digital certificates
installed across your organization on a central certificate inventory
page. You can identify certificates before they expire and identify
potential vulnerabilities due to weak signature algorithms.
• Hardware and firmware assessment: You can view a list of available
hardware and firmware in your organization organized by system
models, processors, and BIOS. Each view includes details such as the
vendor’s name, the number of weaknesses, threats insights, and the
number of exposed devices.
By leveraging Microsoft’s threat intelligence, breach likelihood predictions, business
contexts, and device assessments, Defender Vulnerability Management can quickly
prioritize your organization’s greatest vulnerabilities. You can quickly resolve the most
critical vulnerabilities by providing a single view of prioritized recommendations from
multiple security feeds, along with necessary details such as related CVEs and exposed
devices. Risk-based prioritization does the following:
• Focuses on emerging threats: It dynamically prioritizes security
recommendations based on vulnerabilities currently exploited
in the wild and on emerging threats that pose the greatest risk to
organizations.
• Identifies active breaches: It correlates vulnerability management and
EDR insights to prioritize vulnerabilities exploited during active
breaches.
• Protects high-value assets: It identifies exposed devices with business-
critical applications, confidential data, or high-value users.
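The three prioritization signals above (exploitation in the wild, correlation with an active breach, and exposure of high-value assets) can be combined with base severity into a single ranking. The following is an added illustration, not Defender Vulnerability Management’s own scoring logic: the weights, the `Finding` fields, and the sample inventory with placeholder CVE identifiers are all constructed for this example.

```python
"""Illustrative risk-based prioritisation of vulnerability findings.

Added example; it is NOT Microsoft Defender Vulnerability Management's own
scoring algorithm. The weights and the sample findings are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Finding:
    cve: str                    # placeholder identifier (constructed, not a real advisory)
    cvss: float                 # base severity, 0.0-10.0
    exploited_in_wild: bool     # threat intelligence reports active exploitation
    active_breach: bool         # EDR correlated this weakness with an active breach
    exposed_devices: int        # how many devices still expose it
    high_value_assets: int = 0  # exposed devices hosting critical apps, data or users


def priority_score(f: Finding) -> float:
    """Combine severity with the three signals described in the text.

    Assumed weighting (illustrative only): CVSS is the baseline; in-the-wild
    exploitation and active-breach correlation each multiply the score; exposure
    of high-value assets and sheer breadth add bounded bonuses.
    """
    score = f.cvss
    if f.exploited_in_wild:
        score *= 1.5
    if f.active_breach:
        score *= 2.0
    score += min(3.0, f.high_value_assets * 0.5)   # up to +3 for critical exposure
    score += min(1.0, f.exposed_devices / 100)     # up to +1 for breadth
    return round(score, 2)


def prioritize(findings: List[Finding]) -> List[Tuple[str, float]]:
    """Return (cve, score) pairs, highest priority first."""
    ranked = sorted(findings, key=priority_score, reverse=True)
    return [(f.cve, priority_score(f)) for f in ranked]


# Constructed sample inventory. Note that the critical-CVSS item is NOT ranked
# first: a medium-severity weakness tied to an active breach outranks it.
SAMPLE = [
    Finding("CVE-0000-0001", cvss=9.8, exploited_in_wild=False, active_breach=False, exposed_devices=5),
    Finding("CVE-0000-0002", cvss=7.5, exploited_in_wild=True, active_breach=False, exposed_devices=40),
    Finding("CVE-0000-0003", cvss=6.5, exploited_in_wild=True, active_breach=True, exposed_devices=3, high_value_assets=2),
    Finding("CVE-0000-0004", cvss=4.3, exploited_in_wild=False, active_breach=False, exposed_devices=500),
]

if __name__ == "__main__":
    for cve, score in prioritize(SAMPLE):
        print(f"{cve}: {score}")
```

The point of the sample is the ordering: pure CVSS would put the 9.8 finding first, whereas the breach-correlated 6.5 finding on high-value assets lands at the top once the contextual signals are applied.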
AD Risk Management
AD risk management focuses on understanding, managing, and mitigating the risks
associated with digital assets. It involves identifying, assessing, and controlling risks
to prevent potential losses and maximize the return on investments. It also includes
developing strategies to handle cyber security threats. This is done using a combination
of technical, administrative, and physical measures. It is also essential to review and
update risk management policies regularly.
Continuous monitoring of digital assets is also essential to ensure the organization’s
security. This helps to identify potential risks and vulnerabilities and take the necessary
steps to remediate them promptly. Through these strategies, organizations can control
access to their data, detect suspicious activities, and respond quickly in case of a
breach. Additionally, staff members must maintain awareness and education to protect
the organization’s data and assets. It also helps to ensure that the organization’s risk
management strategies are practical and up-to-date. Regular risk assessments are
essential to ensure the security of the organization. Implementing the latest technology
and solutions is necessary to protect the organization’s data and assets. Regular data
backups should also be performed to ensure data is not lost during a data breach.
Security policies should be reviewed and updated regularly to ensure they align with
current best practices.
Necessary security measures should also be implemented to protect the
organization’s data and assets. Regular backups reduce the impact of a data breach,
because the organization retains an up-to-date copy of its data. Regularly reviewing
and updating security policies also ensures they align with the latest security measures
and industry standards. Finally, training staff members to recognize and respond to
potential security threats further protects the organization’s data and assets.
Design and Implementation of Active Directory
Users and administrators can find and use directory information using Active Directory’s
structured data store, which uses a hierarchical logical structure to organize directory
information.
A directory is a hierarchical structure that stores information about objects on the
network. Directory services, such as Active Directory Domain Services (AD DS),
provide methods for storing directory data and making it accessible to network
administrators and users. Data about user accounts, such as names, passwords,
telephone numbers, etc., is stored by AD DS and can be accessed by other authorized
users on the same network.
Administrators and users can easily find and use information about network objects
with Active Directory. The directory information is organized logically and hierarchically
based on a structured data store.
Typically, Active Directory objects consist of servers, volumes, printers, and user and
computer accounts that can be shared across networks.
Authentication and access control to Active Directory objects are integrated into
security. Network administrators can manage directory data and organization across
their network with a single network logon, and authorized users can access network
resources anywhere. Even the most complex networks can be managed easily using
policy-based administration.
You can use Windows Server AD DS in your environment by deploying a centralized,
delegated administrative model and enabling SSO. To create an AD DS deployment
strategy that meets your organization’s needs, you must identify the deployment tasks
and the current environment of your organization. Once the tasks and environment
are identified, you can create a customized plan to deploy AD DS successfully. This
plan should include a timeline and steps to ensure a successful deployment. Finally,
the plan should be tested and evaluated before being implemented. After the plan is
implemented, it should be monitored and adjusted as needed. Regular maintenance and
troubleshooting should be completed to ensure continued success. Finally, user training
should be provided to ensure the successful use of the new system.
A scalable, secure, and manageable infrastructure can be created with AD DS in
Windows Server, simplifying user and resource management. Managing your network
infrastructure, including branch offices, Microsoft Exchange Server, and multiple forests,
is possible with AD DS.
The AD DS deployment process involves three phases: the design phase, the
deployment phase, and the operation phase. As part of the design phase, the design
team creates the logical structure for AD DS that best meets the needs of each
department within the organization that will use the directory service. Following
approval of the design, the deployment team tests it in a lab environment and then
implements it in a production environment. The deployment team performs testing
during deployment, which may impact the design phase. Once the deployment is
complete, the operations team maintains the directory service.
Microsoft Sentinel
Microsoft Sentinel is a cloud-native security information and event management
(SIEM) platform from Microsoft. It provides real-time monitoring, threat detection, and
response capabilities. Sentinel enables organizations to quickly detect, investigate and
respond to advanced threats. It uses machine learning to detect organizational threats
and provides visualizations that help analysts quickly prioritize and analyze threats. The
Microsoft Sentinel service is a paid subscription.
Microsoft Sentinel also provides automated response capabilities to help
organizations respond quickly to incidents, and it offers APIs to integrate with
existing security tools, making it easier to leverage existing investments. It also provides
detailed logging and reporting to help organizations detect emerging threats and
optimize their security posture. Sentinel’s AI-driven analytics engine helps organizations
detect and respond to threats faster and more effectively, reducing the time and effort
required to investigate and respond to incidents. This allows organizations to focus more
on their core competencies and helps ensure their systems’ security.
Microsoft Sentinel’s automated threat detection and response capabilities help
organizations stay ahead of the ever-evolving cyber threats and protect their data and
systems. It also helps organizations improve their visibility into their security posture
and compliance with security regulations. This can save organizations time and money,
as they don’t have to dedicate resources to manual threat detection and response.
Sentinel’s AI-driven security solutions are also highly intuitive and can be quickly
and easily deployed. This helps to reduce the time and costs associated with training
and onboarding, allowing organizations to focus on the more essential aspects of their
security posture. In addition, Sentinel’s AI-driven security solutions are designed to scale
with an organization’s changing needs, providing the flexibility they need to stay ahead
of threats. This allows organizations to quickly adapt to new threats and rapidly respond
to evolving security needs. Sentinel’s AI-driven security solutions are reliable and
cost-effective, making them the perfect choice for any organization looking to protect
its assets.
Connecting your data sources is the first step in onboarding Microsoft Sentinel.
Sentinel provides real-time integration with Microsoft solutions out of the box with
many connectors available. Some of these connectors include the following:
• Microsoft security products: Microsoft Defender for Cloud, Microsoft Defender for
IoT, and Microsoft 365 Defender.
• Azure services: Azure Active Directory, Azure Activity, Azure Storage, Azure Key
Vault, and Azure Kubernetes.
Using Microsoft Sentinel, you can also connect data sources from the broader security
and application ecosystem via Common Event Format (CEF), Syslog, or REST API.
You can use data connectors to start ingesting data into Microsoft Sentinel once you
have onboarded it into your workspace. You can integrate Microsoft services in real time
using Microsoft Sentinel’s out-of-the-box connectors. For example, the Microsoft 365
Defender connector integrates data from Office 365, Azure Active Directory (Azure AD),
Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps as a service-to-
service connector.
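CEF is the format most third-party appliances use to reach Sentinel, so it is worth seeing what a collector must get right before a line can be mapped to fields. The parser below is an added example (not Sentinel’s connector or agent code) that handles the three things that commonly break naive `split("|")` approaches: an optional syslog prefix before `CEF:`, escaped pipes and backslashes in the seven header fields, and extension values that contain spaces or escaped `=` characters. Vendor names, hosts, and addresses in the sample lines are constructed.

```python
"""Minimal Common Event Format (CEF) parser.

Added example, not Microsoft Sentinel's connector code. Handles an optional
syslog prefix, the seven pipe-delimited header fields with their '\\|' and
'\\\\' escapes, and the key=value extension whose values may contain spaces
and '\\=' escapes. Sample lines are constructed.
"""
import re
from typing import Dict, List

HEADER_FIELDS = (
    "cef_version", "device_vendor", "device_product", "device_version",
    "signature_id", "name", "severity",
)

# key=value where the value runs until the next " key=" or end of line;
# a backslash-escaped character (e.g. '\=') never terminates the value.
_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|\s*$)")


def _unescape(value: str) -> str:
    """Resolve CEF escapes: '\\=' -> '=', '\\|' -> '|', '\\\\' -> '\\', '\\n', '\\r'."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line: str) -> Dict[str, str]:
    """Parse one CEF line into a flat dict of header fields plus extension keys."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    text = line[start + len("CEF:"):]  # the version number follows immediately

    # Walk the header character by character so an escaped '|' does not split a field.
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(text) and len(fields) < 7:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 fields")
    event = dict(zip(HEADER_FIELDS, fields))

    # Extension: remaining text after the seventh pipe.
    for key, value in _EXT_RE.findall(text[i:]):
        event[key] = _unescape(value.strip())
    return event


# Constructed sample lines (not captured from a real device).
SAMPLE_LINES = [
    # syslog prefix, escaped '|' inside the product name, multi-word msg value
    "Jan 12 10:15:22 fw01 CEF:0|ExampleCo|Edge \\| Firewall|2.4|100|Blocked connection|5|"
    "src=10.1.1.5 dst=10.2.2.9 spt=51234 dpt=445 act=blocked msg=SMB from untrusted segment",
    # escaped '=' in a request field and escaped backslashes in a Windows path
    "CEF:0|ExampleCo|WAF|1.0|200|Request blocked|8|src=198.51.100.7 "
    "request=/login?user\\=admin msg=Rule C:\\\\rules\\\\sqli matched act=blocked",
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        ev = parse_cef(raw)
        print(ev["device_product"], ev["severity"], ev.get("src"), ev.get("msg"))
```

Once parsed, the header fields correspond to what Sentinel exposes in its CommonSecurityLog table (DeviceVendor, DeviceProduct, LogSeverity and so on), which is where analytics rules for CEF sources are written.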
How to Enable It
You enable Microsoft Sentinel and configure data connectors to monitor and protect
your environment. In addition to connecting your data sources using data connectors,
you can select from a gallery of expertly designed workbooks that surface insights based
on your data. You can easily customize these workbooks according to your needs.
Microsoft products have many connectors, such as the Microsoft 365 Defender
service-to-service connector. You can also set up built-in connectors for non-Microsoft
products, such as Syslog or Common Event Format (CEF).
The Microsoft Sentinel service is a paid service that requires an active Azure
subscription and a Log Analytics workspace. You will need to complete the following
steps in order to turn on Microsoft Sentinel.
1. Sign in to the Azure Portal.
2. In the search box, search for and select the Microsoft Sentinel service.
3. Choose Add Workspace.
4. Microsoft Sentinel can be used with multiple workspaces, but each
workspace’s data is isolated from the others. Select an existing workspace
or create a new one. Microsoft Sentinel cannot be installed on the default
workspaces created by Microsoft Defender for Cloud.
5. Choose Add Sentinel.
Microsoft Threat Modeling Tool
The Threat Modeling Tool is a crucial Microsoft Security Development Lifecycle
(SDL) element. Software architects can significantly reduce the total development
cost by identifying and resolving potential security issues early. In addition, Microsoft
designed the tool to make threat modeling easier for nonsecurity experts by providing
clear guidance on creating and analyzing threat models. Using the Threat Modeling
Tool, engineers can quickly identify and address security issues, reducing the risk of
compromise and the impact of any potential attack. This allows developers to create
more secure software while reducing development costs.
The Threat Modeling Tool is a powerful tool that protects user data, guards
against cyber attacks, and promotes secure software development. It is an essential
tool for any software development team looking to keep their applications secure. It
can help developers identify potential security risks, quickly identify and fix security
vulnerabilities, and ensure their applications meet security standards.
Furthermore, it can be done in an efficient, cost-effective manner. The Threat
Modeling Tool provides a systematic approach to security testing tailored to the specific
application being developed. It allows developers to review the security architecture
of their applications and identify potential threats and vulnerabilities. It also guides
mitigating those risks and provides best practices on secure coding. Additionally, it allows
teams to quickly identify and address security issues before they become costly problems.
The tool also helps ensure the application complies with industry regulations and
standards. It is an invaluable tool for any development team building secure applications.
Anyone who knows how their system works and is familiar with information security
can use threat modeling.
Using this technique, you can create a data-flow diagram and analyze it for potential
threats in four different phases.
• Design: The design of your system begins with capturing all of the
requirements. It is the design phase where you gather the most data
about what you will build and what you will use to make it.
• Break: You can analyze the data-flow diagram and find potential
security issues using a threat-modeling framework. The break phase
involves using the data-flow diagram to identify potential threats
against your system. A threat-modeling framework is then used to
find the most common threats and ways to defend against them.
• Fix: You can choose the proper security controls for each issue.
STRIDE threats map to security controls of different functions and types,
and in this stage you decide how each threat will be handled.
• Verify: Verify that requirements are met, issues have been found, and security
controls are in place. This phase ensures that assumptions are validated,
requirements are met, and security controls are implemented before
the system is deployed.
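The Break, Fix, and Verify phases can be made concrete with the STRIDE-per-element rule of thumb from the Microsoft SDL: each kind of data-flow-diagram element is susceptible to a fixed subset of the six STRIDE categories, and each category is countered by one family of security controls. The code below is an added example, not the Threat Modeling Tool’s own engine or templates; it encodes that chart, enumerates the threats for a small constructed three-tier diagram (Break), records the controls chosen for some of them (Fix), and reports which threats still have no mitigation (Verify). The element names, trust-boundary flag, and mitigation list are constructed.

```python
"""STRIDE-per-element threat enumeration over a small data-flow diagram.

Added example; not the Microsoft Threat Modeling Tool's engine or template.
Encodes the SDL STRIDE-per-element chart and a category-to-control mapping,
then runs Break / Fix / Verify over a constructed diagram.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# STRIDE categories that apply to each DFD element type (SDL STRIDE-per-element chart).
STRIDE_PER_ELEMENT: Dict[str, str] = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}

# The control family that counters each STRIDE category.
CONTROL_FOR: Dict[str, Tuple[str, str]] = {
    "S": ("Spoofing", "Authentication"),
    "T": ("Tampering", "Integrity"),
    "R": ("Repudiation", "Non-repudiation (audit logging)"),
    "I": ("Information disclosure", "Confidentiality (encryption, access control)"),
    "D": ("Denial of service", "Availability (rate limiting, redundancy)"),
    "E": ("Elevation of privilege", "Authorization (least privilege)"),
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                               # one of STRIDE_PER_ELEMENT's keys
    crosses_trust_boundary: bool = False    # flows across a boundary are reviewed first


@dataclass(frozen=True)
class Threat:
    element: str
    category: str
    control: str
    priority: int                           # 1 = review first


def enumerate_threats(elements: List[Element]) -> List[Threat]:
    """Break phase: list every applicable STRIDE threat for each element.

    Elements on a trust boundary get priority 1; everything else priority 2.
    """
    threats = []
    for el in elements:
        for letter in STRIDE_PER_ELEMENT[el.kind]:
            category, control = CONTROL_FOR[letter]
            threats.append(Threat(el.name, category, control, 1 if el.crosses_trust_boundary else 2))
    return sorted(threats, key=lambda t: (t.priority, t.element, t.category))


def verify_coverage(threats: List[Threat], mitigations: Dict[Tuple[str, str], str]) -> List[Threat]:
    """Verify phase: return threats for which no mitigation has been recorded.

    `mitigations` maps (element name, category) -> description of the control chosen in Fix.
    """
    return [t for t in threats if (t.element, t.category) not in mitigations]


# Constructed DFD: browser -> web API -> database; the browser/API flow crosses the internet boundary.
DFD = [
    Element("Browser", "external_entity"),
    Element("HTTPS request", "data_flow", crosses_trust_boundary=True),
    Element("Web API", "process"),
    Element("SQL query", "data_flow"),
    Element("Orders DB", "data_store"),
]

# Constructed record of the controls chosen in the Fix phase (deliberately incomplete).
MITIGATIONS = {
    ("HTTPS request", "Tampering"): "TLS 1.2+ with certificate validation",
    ("HTTPS request", "Information disclosure"): "TLS 1.2+",
    ("Web API", "Spoofing"): "OAuth 2.0 bearer tokens validated on every request",
    ("Web API", "Elevation of privilege"): "Per-endpoint authorization checks",
}

if __name__ == "__main__":
    found = enumerate_threats(DFD)
    for t in found:
        print(f"P{t.priority} {t.element}: {t.category} -> {t.control}")
    print("Unmitigated:", [(t.element, t.category) for t in verify_coverage(found, MITIGATIONS)])
```

Running it lists 18 candidate threats, with the boundary-crossing HTTPS flow first, and shows that the recorded mitigations leave the flow’s denial-of-service threat and everything on the database side unaddressed, which is exactly the gap the Verify phase exists to catch.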
Identifying vulnerabilities and recommending strategies to reduce risk early in the
development life cycle is an effective way to secure systems, applications, networks, and
services.
Microsoft Threat Management
Microsoft Threat Management is a comprehensive security solution that enables
organizations to detect, investigate, and respond to threats. It helps to protect against
malware, phishing attacks, and other malicious activities. It also offers data loss
prevention and protection from advanced persistent threats.
Microsoft Threat Management provides an end-to-end security solution that enables
organizations to respond quickly to t