Microsoft Azure Security Technologies Certification and Beyond: AZ-500 exam (2021)

Microsoft Azure Security Technologies Certification and Beyond: AZ-500 exam (2021) is your go-to guide for passing the exam, covering critical concepts, solved problems, and exam-style questions.

Amelia Davis
Contributor
5 months ago
Preview (16 of 526 Pages)

Microsoft Azure Security Technologies Certification and Beyond

Gain practical skills to secure your Azure environment and pass the AZ-500 exam

David Okeyode

BIRMINGHAM—MUMBAI

Microsoft Azure Security Technologies Certification and Beyond

Copyright © 2021 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Wilson Dsouza
Publishing Product Manager: Vijin Boricha
Senior Editor: Athikho Sapuni Rishana
Content Development Editor: Sayali Pingale
Technical Editor: Shruthi Shetty
Copy Editor: Safis Editing
Project Coordinator: Neil Dmello
Proofreader: Safis Editing
Indexer: Tejal Daruwale Soni
Production Designer: Nilesh Mohite

First published: September 2021
Production reference: 1070921

Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.

978-1-80056-265-3

www.packt.com

I am grateful to many people who have helped and supported me through the process of writing this book. To my wife and best friend, Brenda Tao. To my parents, who taught me everything I know (Jacob and Hope Okeyode). And to the three best sisters and encouragers in the world (Pemi, Elizabeth, and Esther). I love you all.

– David Okeyode

Contributors

About the author

David Okeyode is a cloud security architect at the Prisma cloud speedboat at Palo Alto Networks. Before that, he was an independent consultant helping companies secure their cloud environments through private expert-level training and assessments. He holds 15 professional certifications across the Azure and AWS platforms, including the Azure Security Engineer, Azure DevOps, and AWS Security Specialist certifications. He has also authored two cloud computing courses for the popular cybersecurity training platform Cybrary.

David has over a decade of experience in cybersecurity (consultancy, design, and implementation) and over 6 years of experience as a trainer. He has worked with organizations of different sizes, from start-ups to major enterprises to government organizations.

David has developed multiple vulnerable-by-design automation templates that can be used to practice cloud penetration testing techniques. He regularly speaks about cloud security at major industry events, such as Microsoft Future Decoded and the European Information Security Summit.

David is married to a lovely girl who makes the best banana cake in the world. They love traveling the world together and intend to do missions in Asia very soon!

About the reviewers

Dharam Chhatbar is a seasoned information security professional who has more than 11 years of experience in various verticals of InfoSec, delivering impactful and high-quality risk-reduction work. He has helped secure many banks and retail firms and is currently working at a top Fortune 500 company. He holds a master's degree, is a fervent learner, and has earned several global certifications, such as CISSP, GSLC (GIAC), CCSP, CSSLP, GMOB, and some related to the cloud, such as Azure (AZ500), GCP (PCSE), and AWS (SAA). His key competencies include vulnerability management, application security, cloud security, VA/PT, and managing teams/vendors. He has also reviewed the book CISSP (ISC)² Certification Practice Exams and Tests by Ted Jordan.

I would like to thank my parents, Bina and Jagdish; my wife, Chaital; and my sister, Hina, for their continued support and encouragement with everything that I do and for motivating me to always achieve my ambitions.

Rod Trent is a security CSA for Microsoft and an Azure Sentinel global SME helping customers migrate from existing SIEMs to Azure Sentinel to achieve the promise of better security through improved efficiency without compromise.

Rod is a husband, dad, and recently a first-time grandfather. He spends his spare time (if such a thing does truly exist) simultaneously watching episodes of The Six Million Dollar Man and writing KQL queries.

Table of Contents

Preface

Section 1: Implement Identity and Access Security for Azure

1 Introduction to Azure Security
Technical requirements
Shared responsibility model
Setting up a practice environment
Create a free trial Azure subscription
Summary
Questions
Further reading

2 Understanding Azure AD
What Azure AD is not (what is Azure AD?)
Azure AD versus on-premises AD
Azure AD – an identity provider for Microsoft cloud services
Azure AD – an identity provider for modern applications
Modern authentication protocols
Hands-on exercise – review your Azure AD tenant
Hands-on exercise – add a custom domain to Azure AD (optional)
Azure AD editions
Hands-on exercise – sign up for an Azure AD Premium P2 trial
Azure AD object management
Azure AD users
Azure AD groups
Azure AD and Azure RBAC roles
Service principals
Hands-on exercise – Azure AD user creation and group management
Hands-on exercise – Azure AD role assignment

Summary
Questions
Further reading

3 Azure AD Hybrid Identity
Technical requirements
Implementing Azure AD hybrid identity
Azure AD Connect
Preparing for Azure AD Connect installation
Hands-on exercise – deploying an Azure VM hosting an AD domain controller
Hands-on exercise – preparing for Azure AD Connect deployment
Selecting a hybrid identity authentication method
Federation
Pass-Through Authentication (PTA)
Azure AD Connect deployment options
Hands-on exercise – deploying Azure AD Connect PHS
Implementing password writeback
Summary
Questions
Further reading

4 Azure AD Identity Security
Technical requirements
Implementing Azure AD Password Protection
Hands-on exercise – Configuring the custom banned password list feature of Azure AD Password Protection
Securing Azure AD users with multi-factor authentication (MFA)
Hands-on exercise – Enabling MFA by changing user state
Implementing conditional access policies
Conditional access – How policies are evaluated
Conditional access best practices
Hands-on exercise – Implementing conditional access
Protecting identities with Azure AD Identity Protection
Identity protection – risk categories
Identity protection – detection types
Identity protection – risk levels
Identity protection – policies

Exercise – Implementing Azure AD Identity Protection
Summary
Question
Further reading

5 Azure AD Identity Governance
Technical requirements
Protecting privileged access using Azure AD Privileged Identity Management (PIM)
What is Azure AD PIM?
How does Azure AD PIM work?
Exercise – Azure AD Privileged Identity Management
Configuring PIM access reviews
Exercise – Create an access review and review PIM auditing features
Summary
Questions
Further reading

Section 2: Implement Azure Platform Protection

6 Implementing Perimeter Security
Technical requirements
Securing the Azure virtual network perimeter
Implementing Azure Distributed Denial of Service (DDoS) Protection
Hands-on exercise – provisioning resources for the exercises in Chapters 6 and 7
Hands-on exercise – implementing the Azure DDoS protection Standard
Implementing Azure Firewall
Hands-on exercise – implementing Azure Firewall
Implementing a Web Application Firewall (WAF) in Azure
Application Gateway WAF
Front Door WAF
Hands-on exercise – configuring a WAF on Azure Application Gateway
Summary
Questions
Further reading

7 Implementing Network Security
Technical requirements
Implementing virtual network segmentation
Implementing NSGs
Implementing ASGs
Hands-on exercise – Configuring NSGs and ASGs
Implementing platform service network security
Firewall for PaaS services (and firewall exceptions)
Service endpoints
Hands-on exercise: Configuring a firewall and service endpoints on a storage account
Securing Azure network hybrid connectivity
Implementing Azure Bastion
Hands-on exercise: Configuring Azure Bastion
Hands-on exercise: Cleaning up resources
Summary
Question
Further reading

8 Implementing Host Security
Technical requirements
Hands-on exercise – provisioning resources for this chapter's exercises
Using hardened baseline VM images
Protecting VMs from viruses and malware
Hands-on exercise deploying the Microsoft Antimalware extension for Azure
Implementing system update management for VMs
Hands-on exercise – implementing Azure Automation Update Management
Implementing vulnerability assessment for VMs
Encrypting VM disks with Azure Disk Encryption
Hands-on exercise – implementing Azure Disk Encryption
Securing management ports with JIT VM access
Hands-on exercise – enabling JIT VM access
Summary
Questions
Further reading

9 Implementing Container Security
Technical requirements
An overview of containerization in Azure
Hands-on exercise – providing resources for the chapter exercises
Introducing ACR
ACR pricing tiers
ACR security best practices
Configuring service firewall rules for ACR
Restricting access using a private endpoint
Using Azure AD RBAC for secure authentication and access control
Implementing container image vulnerability and compliance scanning
Hands-on exercise – securing ACR
Introducing AKS
Understanding the AKS architecture
AKS security best practices
Limiting access to the API server using authorized IP address ranges
Implementing a private AKS cluster using a private endpoint
Controlling access to cluster resources using Kubernetes RBAC and Azure AD
Regularly upgrading the cluster control plane
Regularly applying OS updates to worker nodes
Implementing pod-managed identities
Cleaning up the resources
Summary
Questions
Further reading

Section 3: Secure Storage, Applications, and Data

10 Implementing Storage Security
Technical requirements
Azure Storage overview
Azure Blob service hierarchy
Azure Files service hierarchy
Implementing encryption at rest
Implementing encryption in transit
Hands-on exercise – provisioning a storage account with encryption in transit enforced

Configuring storage account authorization
Protect access to the Storage account keys
Grant limited access to using Shared Access Signatures (SAS)
Implementing storage account key management with Key Vault
Disabling key-based authorization options
Disabling anonymous (unauthenticated) Blob access
Implementing Azure AD authorization for the Blob service
Implementing ADDS or Azure ADDS authentication for Azure Files
Hands-on exercise – configuring storage account access controls
Implementing Azure Defender for Storage
Cleaning up resources
Summary
Question
Further reading

11 Implementing Database Security
Technical requirements
Database options in Azure
Azure SQL deployment options
Implementing defense in depth for Azure SQL
Protecting Azure SQL against unauthorized network connections
Implementing IP firewall rules
Implementing server-level firewall rules
Implementing database-level firewall rules
Implementing Azure SQL private endpoints
Hands-on exercise – provisioning resources for chapter exercises
Hands-on exercise – implementing network access control
Protecting Azure SQL against unauthorized user access
Hands-on exercise – implementing Azure AD authentication and authorization
Protecting Azure SQL against vulnerabilities
Enabling Azure SQL database auditing
Implementing Azure Defender for SQL
Protecting Azure SQL against data leakage and theft (database encryption)
Implementing Transparent Data Encryption (TDE) – encryption at rest
Implementing encryption in transit
Implementing Azure SQL Database Always Encrypted
Hands-on exercise – implementing Always Encrypted

Cleaning up resources
Summary
Question
Further reading

12 Implementing Secrets, Keys, and Certificate Management with Key Vault
Technical requirements
Introducing Azure Key Vault
Understanding secrets, keys, and certificates
Understanding Key Vault pricing tiers
Managing access to Key Vault
Hands-on exercise – managing access to Key Vault resources
Protecting Key Vault resources
Hands-on exercise – protecting Key Vault resources
Cleaning up resources
Summary
Question
Further reading

13 Azure Cloud Governance and Security Operations
Technical requirements
Implementing Azure cloud governance
Understanding management groups
Understanding Azure Policy
Understanding Azure RBAC
Hands-on exercise – implementing management groups and Azure Policy
Understanding logging and monitoring
Azure Service Health
Azure Monitor
Log Analytics
Addressing cloud security challenges with Security Center
Cloud Security Posture Management
Cloud Compliance Posture Management
Threat protection
Managing security operations with Azure Sentinel
Data collection
Detecting threats
Investigating incidents
Responding to incidents
Hands-on exercise – implementing Azure Sentinel
Cleaning up resources
Summary
Questions
Further reading

Assessments
Chapter 1 – Introduction to Azure Security
Chapter 2 – Understanding Azure AD
Chapter 3 – Azure AD Hybrid Identity
Chapter 4 – Azure AD Identity Security
Chapter 5 – Azure AD Identity Governance
Chapter 6 – Implementing Perimeter Security
Chapter 7 – Implementing Network Security
Chapter 8 – Implementing Host Security
Chapter 9 – Implementing Container Security
Chapter 10 – Implementing Storage Security
Chapter 11 – Implementing Database Security
Chapter 12 – Implement Secrets, Keys, and Certificate Management with Key Vault
Chapter 13 – Azure Cloud Governance and Security Operations

Other Books You May Enjoy

Index