Welcome back to Microsoft Azure Fundamentals.
This is Module nine: Security in Azure.
In this module we'll first look at the shared security responsibility model in Azure.
Then we'll get an overview of Azure Security Center.
We'll also learn how we can manage users and access using Azure Active Directory.
We will explore the encryption options in Azure and learn about network protection,
and at the end, we'll take a quick look at Azure Advanced Threat Protection Service.
Let's get started.
Before we look at what services and tools are available in Azure to secure your applications and data,
let's take a look at the security responsibility in the cloud.
Let's start with how security is done in the traditional way, where each enterprise owns their own data center.
The first thing you need to think about is the physical security of the data center:
restricting access to the building, installing surveillance equipment, hiring guards and so on.
Next, you need to make sure that the personnel working in the data center and the users of the equipment, like developers and IT administrators, comply with certain security policies and follow security procedures.
Those can be things like registering visitors, requiring valid identification documents for registration, requiring strong passwords, et cetera.
The last thing is the digital security that deals with securing the digital infrastructure, like network segmentation, firewalls, application and user access and other things.
As you can see, ensuring the security of your own data center is no trivial job and requires a lot of expertise.
So how does this change in the cloud?
Well, when you use the cloud, you don't maintain the data center, and Microsoft is fully responsible for physically securing the facilities, surveilling the building and hiring physical security personnel.
Microsoft is solely responsible for the physical security of the data center.
Microsoft is also responsible for establishing policies and procedures when it pertains to the data center or the hardware infrastructure in it.
They're also responsible for any policies and procedures related to the Azure platform itself.
However, you as a customer are responsible for establishing policies and procedures for your own applications and the data that they handle.
And last but not least, Microsoft is responsible for the digital security of the Azure platform.
This includes ensuring the platform itself cannot be compromised, that the tenants residing on the platform are authenticated and authorized to use only their resources, that management APIs are always available, and so on.
But again, you as a customer are responsible for the digital security of your applications and the data they handle.
This means that you should ensure the users of your application are authenticated, data is properly encrypted, and so on.
Now let's take a look at each layer in the application stack and specifically who is responsible for security in each scenario: on-premises, IaaS, PaaS and SaaS.
As we've already established, for on-premises deployments the responsibility for security falls completely on you, the customer.
Starting with the physical security, going to the operating system and network security, and ending with data security and governance, you manage every security aspect.
As you may remember, IaaS is the closest to the on-premises model.
In the IaaS model, the cloud vendor is responsible for the physical security, but you, as the customer, have the responsibility of securing the rest, including the operating system, application and data.
You still need to think about applying security patches to the OS, runtimes and frameworks, properly configuring the network controls and so on.
In the PaaS model, the responsibility shifts even more towards Microsoft.
Microsoft is fully responsible for the physical security and the operating system security, and you as a customer share the responsibility for securing the network, application and the identity infrastructure.
The rest of the stack is still your responsibility, though.
In the SaaS model, the majority of the security responsibility is handled by Microsoft.
You still share the responsibility for the identity infrastructure, and you take care of the accounts and access management, endpoints and data, but everything else is handled by Microsoft.
Microsoft applies a layered approach to security, known as defense in depth.
Defense in depth is a strategy that employs a series of mechanisms to slow the advance of an attack targeted at acquiring unauthorized access to information.
It can be visualized as concentric circles, with the data to be secured at the very center.
Each layer provides protection, but if one is breached, the subsequent one is in place to prevent further exposure.
The data layer is the inner layer of the circle.
The owner of the data is responsible for the security of the data and is also responsible for controlling the access to it.
Quite often there are compliance and regulatory requirements that dictate the controls and processes that need to be in place to ensure confidentiality, integrity and availability of the data.
Things you can do at this layer are ensure the data is encrypted at rest and in transit, and restrict access to data on a need-to-know basis.
The next layer is the application layer.
By integrating security in the application development life cycle, application owners can ensure that the application is secure by default.
Making security a required part of the application design will reduce the number of vulnerabilities introduced in the code.
Make sure that security is included in the application design, that code is free from known vulnerabilities, and that secrets are taken out of the configuration files and stored in secure storage.
Securing the computing infrastructure ensures proper access controls and endpoint protections are in place.
Patching and updates are also integral parts of securing the compute infrastructure of your application.
At the network layer, the goal is to limit the connectivity between systems to the minimum that is required.
By doing this, you can prevent lateral movement throughout the network.
Make sure you deny access by default and only allow the ports and systems that you need to interact with.
At the perimeter, you protect the access to your network from external attackers.
Utilizing the firewall's functionality will allow you to identify and be alerted upon malicious activity against your network.
DDoS protection services filter large-scale attacks before they even reach your endpoints.
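As an added example (not part of the course material), this Bicep template defines an Azure network security group that applies the deny-by-default rule just described: one rule admits only HTTPS from the Internet to a hypothetical web-tier subnet (10.0.1.0/24, a constructed address range), and an explicit low-priority rule denies everything else inbound. The resource and subnet names are assumptions for the example.

```bicep
// Example NSG for a web tier: allow only what is needed, deny everything else.
// Lower priority numbers are evaluated first; the first matching rule wins.
resource webTierNsg 'Microsoft.Network/networkSecurityGroups@2022-07-01' = {
  name: 'web-tier-nsg'            // hypothetical name
  location: resourceGroup().location
  properties: {
    securityRules: [
      {
        // The only port the web tier must expose to the outside world.
        name: 'AllowHttpsInbound'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'Internet'        // Azure service tag
          sourcePortRange: '*'
          destinationAddressPrefix: '10.0.1.0/24' // constructed web-tier subnet
          destinationPortRange: '443'
        }
      }
      {
        // Explicit catch-all deny. Azure already applies a built-in
        // DenyAllInbound rule at priority 65500, but stating it here makes
        // the deny-by-default posture visible and reviewable in code.
        name: 'DenyAllInbound'
        properties: {
          priority: 4096
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}
```

Any additional port or peer system (for example a management port from a bastion subnet) gets its own narrowly scoped Allow rule above the deny, so the reviewed allow-list stays the complete picture of what can reach the tier.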
The identity and access layer ensures that identities are not compromised.
Access is granted to authorized parties and activities are monitored.
Make sure that login attempts are logged and that the respective user is notified,
that the user uses single sign-on for easier management, and that they use multi-factor authentication for stronger protection.
The physical layer is the first line of defense.
Its goal is to prevent unauthorized physical access to the assets and to not allow the bypassing of the other security measures.
In the next video, we'll take an in-depth look at the tools and services Azure offers to implement security.