Module 4: General Security & Network Security in Microsoft Azure


INTRODUCTION – General Security & Network Security in Microsoft Azure

Learn how to strengthen the security of workloads with Azure, whether they are hosted on-premises or in the cloud. Azure offers several built-in services designed to keep your network safe, secure, and trusted. By the end, you will have the skills to implement solid security measures on your infrastructure.

Learning Objectives:

  • Improve your Security Posture: Use Azure Security Center to enhance defense against threats.
  • Collect and act on security data: Leverage Azure Sentinel to collect and analyze data from multiple sources.
  • Safeguard Sensitive Data: Securely store and manage passwords, encryption keys, and other secrets using Azure Key Vault.
  • Host Azure VMs on dedicated physical servers: Use Azure Dedicated Host to run Windows and Linux VMs on physical servers reserved for your organization.
  • Comprehend the Defense-in-Depth: Understand the many different layers that comprise defense in depth security.
  • Control network traffic: Use Azure Firewall policies with rules that allow or deny traffic passing through the firewall.
  • Filter Traffic: Define Network Security Groups (NSG) for controlling traffic coming to and through Azure resources in a virtual network.
  • DDoS Attacks: Protect your resources against Distributed Denial of Service attacks with Azure DDoS Protection.

KNOWLEDGE CHECK 1

1. Many Azure services include built-in security features however Azure also has specific tools to assist with securing your environment. Which of the following would be the simplest way to monitor your resources and perform automatic security assessments to identify potential vulnerabilities?

  • Azure Security Center (CORRECT)
  • Azure Key Vault
  • Azure Sentinel

Correct: Azure Security Center is a monitoring service that gives you clear visibility into the security posture of your services, whether they run on-premises or in Azure. It provides security analysis and management and recommends improvements to harden your resources against potential threats.

2. Your company has migrated to Azure Cloud services. Management wants to implement security that will limit the applications that can run on certain virtual machines. Which of the following approaches provide such a solution?

  • Administrators periodically review what applications are running on each VMs by creating and running PowerShell scripts.
  • Implement an application control rule in Azure Security Center. (CORRECT)
  • Connect the virtual machines to Azure Sentinel.

Correct: In Azure Security Center, you define an allowed application list so that only your authorized applications run on your resources. It also detects and helps block malware attempting to install itself on your virtual machines (VMs), adding protection to your environment by preventing harmful software from executing.

3. Your company has recently migrated to Azure cloud services. Azure has various reporting and monitoring tools built in. What is the simplest tool to use to create a single report that will show all security information to be collected from all the monitoring tools?

  • Secure Score
  • Azure Sentinel (CORRECT)
  • Azure Key Vault

Correct: Azure Sentinel is Microsoft’s cloud-based SIEM solution. It lets you collect, analyze, and respond to security data from multiple sources across your environment. Once centralized and correlated, that data yields insights, surfaces threats, and drives actions to protect your resources.

4. Your company had recently migrated to Azure cloud services and management are concerned that sensitive information such as passwords, encryption keys, and certificates will not be as secure as they were when operating an on-premises environment. What solution can you implement to allay these concerns?

  • Implement Azure Sentinel.
  • Configure a secure VM and store the Passwords and certificates in a shared folder.
  • Implement Azure Key Vault. (CORRECT)

Correct: Azure Key Vault is a centralized cloud service for securely storing and managing your applications’ secrets, such as passwords, API keys, and encryption keys, in one repository. Access to this sensitive information is governed by access control and logging mechanisms, which protect the secrets and record who accesses them.

5. Your company is planning to migrate to Azure cloud services however because of their type of business they are obliged to follow regulatory compliance that requires them to be the only customer using the physical machine that will host their virtual machines in the cloud. How can your company migrate to the cloud while still remaining compliant?

  • Configure the VM’s to run on Azure Dedicated Host (CORRECT)
  • Configure the network so that the company’s VMs are isolated from other VM’s running on the same host in the datacenters.
  • They cannot, these specific systems will need to remain and operate on-premises only.

Correct: By default, Azure Virtual Machines (VMs) run on shared hardware managed by Microsoft. Even though the hardware is shared, workloads on your VMs are isolated from those of other Azure customers. Some organizations, however, have compliance requirements that demand exclusive use of the physical machine hosting their virtual machines. For such cases, Azure Dedicated Host provides dedicated physical servers for your Azure VMs, ensuring that only your organization uses the physical machine on which its Windows and Linux virtual machines run, giving you greater control and compliance.

KNOWLEDGE CHECK 2

1. Malicious attackers can try to overwhelm the resources of a network by sending large volumes of packets to a targeted host on the network. Which of the following Azure offerings would be most suitable in detecting this form of attack?

  • Network security groups
  • Azure Firewall
  • Azure DDoS Protection (CORRECT)

Correct: Azure DDoS Protection safeguards your Azure resources against Distributed Denial-of-Service (DDoS) attacks. A DDoS attack aims to exhaust an application’s resources, making it sluggish and eventually unresponsive to its legitimate users. Azure DDoS Protection identifies such attacks and prevents them from affecting your applications, keeping them available and responsive.

2. True or False

Azure Firewall provides Network Address Translation (NAT) rules that can define destination IP addresses and ports to translate inbound requests.

  • True (CORRECT)
  • False

Correct: Azure Firewall provides NAT rules in which you define destination IP addresses and ports to translate inbound requests. These rules control how external traffic is directed to your resources, ensuring that only legitimate traffic reaches the appropriate destinations while protecting the network.

3. What service tiers are available to DDoS Protection?

Select all options that apply.

  • Basic (CORRECT)
  • Enhanced
  • Standard (CORRECT)

Correct: The Basic service tier is enabled for free by default as part of your Azure subscription. It continuously monitors traffic and provides real-time mitigation of common network-level attack patterns, applying the same defenses used by Microsoft’s online services. Because it is built on global routing through Azure’s global network, this tier lets the Azure infrastructure absorb and mitigate even the worst DDoS attacks across multiple regions instead of letting them affect your services.

Correct: The Standard service tier adds advanced mitigation capabilities tuned to your Azure Virtual Network resources. Beyond the continuous traffic monitoring and real-time mitigation of common network-level attacks, the Standard tier provides advanced protection that helps maintain the availability and security of your Azure resources during larger or more sophisticated DDoS attacks.

4. Having recently migrated to Azure cloud services you need to implement a solution that will allow the filtering of network traffic to and from Azure resources within an Azure Virtual Network. Which of the following services would be most suitable to solve this problem?

  • DDoS protection
  • Azure Firewall
  • Network Security Groups (CORRECT)

Correct: A Network Security Group (NSG) lets you filter network traffic to Azure resources in an Azure Virtual Network. It acts like an internal firewall, permitting or denying traffic to your resources based on rules you create, so you can allow or block specific addresses, ports, or protocols.

5. What is the simplest way for a company to implement a policy that will restrict VMs from being able to communicate with each other?

  • Limit access by implementing DDoS protection.
  • Use Network Security Groups to create a rule that prevents access from another VM on the same network. (CORRECT)
  • Place each VM on a separate virtual network.

Correct: Network Security Group (NSG) rules filter network traffic to and from a resource based on source IP address, destination IP address, port, and protocol. By defining rules, you restrict access in and out of your Azure resources, admitting authorized traffic and rejecting potentially harmful inbound traffic.
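To make the rule-evaluation behaviour behind the two NSG answers above concrete, here is an added example (not part of the module) that simulates how an NSG processes inbound rules: rules are checked in ascending priority number and the first match wins, with Azure's default AllowVnetInBound (65000) and DenyAllInBound (65500) rules always present. It assumes a constructed VNet of 10.0.0.0/16 standing in for the VirtualNetwork service tag and omits the AzureLoadBalancer default rule; it shows why a custom Deny rule at priority 100 blocks VM-to-VM traffic even though the default rule would otherwise allow it.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address space standing in for the "VirtualNetwork" service tag.
VNET = ipaddress.ip_network("10.0.0.0/16")

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules use 100-4096; lower number is evaluated first
    source: str        # "VirtualNetwork", "Internet", "*" or a CIDR
    dest: str
    port: str          # "*" or a single port number
    protocol: str      # "*", "Tcp" or "Udp"
    access: str        # "Allow" or "Deny"

# Default inbound rules every NSG carries; they cannot be removed, but a custom
# rule with a lower priority number is matched before them and so overrides them.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "*", "Deny"),
]

def _matches_addr(selector: str, addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if selector == "*":
        return True
    if selector == "VirtualNetwork":
        return ip in VNET
    if selector == "Internet":
        return ip not in VNET
    return ip in ipaddress.ip_network(selector)

def evaluate_inbound(rules, src, dst, port, protocol):
    """Return (access, rule name): the first match in ascending priority wins."""
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda rule: rule.priority):
        if (_matches_addr(r.source, src) and _matches_addr(r.dest, dst)
                and r.port in ("*", str(port)) and r.protocol in ("*", protocol)):
            return r.access, r.name
    raise AssertionError("DenyAllInBound should always match")

# Constructed rule set for the knowledge-check scenario: block VM-to-VM traffic
# inside the VNet while still letting HTTPS from the Internet reach the web subnet.
RULES = [
    Rule("Deny-VM-to-VM", 100, "VirtualNetwork", "VirtualNetwork", "*", "*", "Deny"),
    Rule("Allow-HTTPS-In", 110, "Internet", "10.0.1.0/24", "443", "Tcp", "Allow"),
]

if __name__ == "__main__":
    print(evaluate_inbound(RULES, "10.0.0.4", "10.0.0.5", 22, "Tcp"))   # denied by custom rule
    print(evaluate_inbound([], "10.0.0.4", "10.0.0.5", 22, "Tcp"))      # allowed by default rule
    print(evaluate_inbound(RULES, "203.0.113.7", "10.0.1.10", 443, "Tcp"))
```

Remember that an NSG also has an outbound rule set evaluated the same way, and that the effective rules on a VM combine the NSGs on both its subnet and its NIC.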

TEST PREP

1. Your company is considering moving to Azure cloud services; however, management wants assurances. Features such as security reporting, similar to their existing on-premises SIEM solution, need to be available. Which of the following features can be implemented that will provide a cloud-based SIEM solution?

  • Configure a secure VM and store the Passwords and certificates in a shared folder.
  • Implement Azure Key Vault.
  • Implement Azure Sentinel. (CORRECT)

Correct: Azure Sentinel is Microsoft’s cloud-based SIEM solution and can combine and report on security data from different sources.

2. Tailwind Traders has recently migrated to Azure cloud services. Azure includes various built-in reporting and monitoring tools. What is the simplest tool to use to view groups of related security recommendations showing the percentage of security controls that the company currently satisfies?

  • Azure Sentinel
  • Secure Score (CORRECT)
  • Azure Key Vault

Correct: Secure Score is a metric based on security controls, which are groups of related security recommendations. The score is the percentage of security controls implemented and satisfied. The more security controls you meet, the higher your secure score, indicating a stronger security posture in your Azure environment.

3. Many Azure services include built-in security features however Azure also has specific tools to assist with securing your environment. Which of the following would be the simplest way to centrally manage your passwords and certificates in a single, central location?

  • Azure Key Vault (CORRECT)
  • Azure Security Center
  • Azure Sentinel

Correct: Azure Key Vault is a centralized cloud service in which sensitive information, particularly application secrets, passwords, certificates, and encryption keys, is securely stored and managed in one place. It secures access through access control mechanisms and provides logging to trace who accesses the secrets, preserving the confidentiality and integrity of your data.

4. Having recently migrated to Azure cloud services, you need to implement a solution that will allow the monitoring of incoming and outgoing network traffic and determine whether to allow or block specific traffic based on a defined set of security rules. Which of the following services would be most suitable to solve this problem?

  • Network Security Groups
  • Azure Firewall (CORRECT)
  • DDoS protection

Correct: Azure Firewall is a network security service that monitors and controls network traffic entering and leaving your organization’s network. Traffic is allowed or blocked according to a set of defined security rules. This filters the traffic to your Azure resources and keeps unauthorized traffic from reaching legitimate ones.

5. Which of the following services allows for the configuration of application rules that define fully qualified domain names (FQDNs) that can be accessed from a subnet?

  • DDoS Protection
  • Network Security Groups
  • Azure Firewall (CORRECT)

Correct: Azure Firewall allows the configuration of application rules that define fully qualified domain names (FQDNs) that can be accessed from a subnet.

6. Which of the following do you think are features that should be offered by a security service? Select all options that apply.

  • Automatically apply required security settings (CORRECT)
  • Creates user roles
  • Just-in-time access control (CORRECT)
  • Detect attacks (CORRECT)

Correct: With a security service, you can secure various configurations and customize them.

Correct: A security service makes access control easy to manage.

Correct: An attack can be identified by any security service.

7. What do you think are the benefits of using Key Vault? Select all options that apply.

  • Just-in-time access control
  • Centralized application secrets (CORRECT)
  • Access monitoring and access control (CORRECT)
  • Integration with other Azure services (CORRECT)

Correct: Centralizing application secrets minimizes the chance of their being exposed unintentionally.

Correct: You can also monitor and manage access to the secrets used by your application.

Correct: Key Vault can also be integrated with other Azure services.

8. A dedicated host is a solution to regulatory compliance that requires some organizations to be the only customer using the physical machine that hosts their virtual machines. 

  • True (CORRECT)
  • False

Correct: A dedicated host assigns a physical server exclusively to one tenant within an Azure datacentre. Azure Dedicated Host provides dedicated physical servers to host an organization’s Windows and Linux VMs.

CONCLUSION – General Security & Network Security in Microsoft Azure

This module equips you with the knowledge and skills to safeguard workloads across both cloud and on-premises applications using Azure. You will come away with an understanding of the Azure services that protect your network, keeping it secure and trusted, so that you can build robust security strategies within your organization.
