What does the Zero Trust Model mean?
Never assume trust; always continually validate trust.
What has been a driving factor of Zero Trust?
Bring Your Own Device (BYOD).
What is Defence in Depth?
A strategy that employs a series of mechanisms to slow advancement of attacks aimed at acquiring unauthorised access to information.
What are the common principles that help define a security posture?
Confidentiality, Integrity, Availability.
How does confidentiality define security posture?
Use the principle of least privilege to restrict access to information to only those individuals explicitly granted access.
How does integrity define security posture?
Prevent unauthorised changes to information at rest or in transit by uniquely fingerprinting data using a one-way hash.
How does availability define security posture?
Ensure that services are available to authorised users especially in response to a DoS or natural disaster.
What are the 7 Layers of Defence in Depth?
Data, Application, Compute, Network, Perimeter, Identity and Access, Physical Security
Which defence in depth layers are applicable to the Confidentiality principles?
Network, Physical Security
Which defence in depth layers are applicable to the Integrity principles?
Data, Application, Identity and Access
Which defence in depth layers are applicable to the Availability principles?
Compute, Perimeter
Who is responsible for ensuring data is properly secure?
Those who store and control access to it.
What often dictates the security controls and processes that ensure the CIA of data?
Regulatory requirements
What security controls can be applied at the Application layer?
Ensuring applications are secure and free of vulnerabilities, Storing sensitive application secrets in a secure storage medium, Making security a design requirement for app development.
What security controls can be applied at the Compute layer?
Secure access to virtual machines, Implement endpoint protection and keep systems patched and current.
What security controls can be applied at the Network layer?
Limit communication between resources through segmentation and access controls, deny by default, restrict inbound internet access and limit outbound where appropriate, implement secure connectivity to on-premises networks.
What security controls can be applied at the Perimeter layer?
Use distributed denial-of-service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for users, Use perimeter firewalls to identify and alert on malicious attacks against your network.
What security controls can be applied at the Identity and Access layer?
Control access to infrastructure, Use SSO and multifactor authentication, Audit events and changes.
Which datacentres have no shared responsibilities?
On-prem.
Regardless of computing model, which responsibilities are always owned by the customer?
Data, endpoints, accounts, access management
Regardless of computing model, which responsibilities are always owned by the cloud provider?
Physical hosts, Physical Network, Physical datacenter.
Which additional responsibilities lie with the customer in an IaaS environment, excluding the three core ones?
Identity and directory infrastructure, Application, Network controls, Operating System
Which responsibilities are shared in a PaaS model?
Identity and directory infrastructure, Application, Network controls
Which additional responsibilities lie with the cloud provider in a PaaS model, excluding the three core ones?
Operating Systems
Which responsibilities are shared in a SaaS model?
Identity and directory infrastructure.
Which additional responsibilities lie with the cloud provider in a SaaS model, excluding the three core ones?
Application, Network controls, Operating system.
What is single sign-on (SSO)?
Users need to remember only one ID and one password which is tied to a single identity representing a user.
What is Azure Active Directory (AD)?
A cloud-based identity service, with built-in synchronisation for on-prem Active Directory instances.
What are the core Azure AD services?
Authentication, SSO, Application Management, B2B, B2C, Device Management
What is Azure AD Connect?
A single tool to provide an easy deployment experience for synchronization and sign-in.
What service exists for using SSO in Azure?
Azure AD for SSO
What service exists for synchronizing on-premises directories with Azure Active Directory?
Azure AD Connect
Other than synchronization, what can Azure AD Connect do?
Provide the newest capabilities and replace older versions of identity integration tools such as DirSync and Azure AD Sync.
What is an example use case of Azure AD connect?
Use for synchronizing groups, user accounts, and passwords stored in on-premises Active Directory to Azure AD.
What is an example use case of Azure AD for SSO?
Use to automatically sign in users from on-premises domain-joined computers.
What is Multi-factor authentication?
Requiring two or more elements for full authentication.
What are the three elements of authentication?
Something you know, Something you have, Something you are.
Which services have MFA capabilities built in?
Azure AD, Microsoft 365
What is conditional access?
Adding additional requirements before full authentication can be granted.
Which service provides Conditional Access?
Azure AD
What is Azure AD Application Proxy?
Allows users to access an application remotely without any code changes.
What are the two components of Azure AD Application Proxy?
A connector agent that sits on a Windows server within your corporate network, and an external endpoint, either the MyApps portal or an external URL.
What is Azure AD B2C?
An identity management service built on the foundation of Azure AD, enabling you to customise and control how customers sign up, sign in, and manage their profiles when using your applications.
What is Role-Based Access Control (RBAC)?
Access control policies that use roles to map security principals to collections of access permissions.
Where can I view and change access permissions?
In the Access Control (IAM) panel for the resource in Azure Portal.
What does an allow model mean for RBAC?
RBAC allows you to perform specific actions, such as read, write and delete.
If you are given two role assignments, which role takes priority?
Neither: all the permissions are allowed on both roles.
What are some best practices for RBAC?
Segregate duties within your team and grant lowest access needed, use resource locks to ensure critical resources aren't modified or deleted.
Which Azure service can be used to implement RBAC to secure all resource access management?
Azure Resource Manager API
What scopes in Azure are available for applying RBAC?
Resource, Resource groups, Subscriptions, Management Groups
What is Azure AD Privileged Identity Management (PIM)?
A paid-for offering that provides oversight of role assignments, self-service, and just-in-time (JIT) role activation.