Forum

SC-900 - Module 1 D...
 
Notifications
Clear all

SC-900 - Module 1 Describe the concepts of security, compliance, and identity

2 Posts
1 Users
0 Likes
2,676 Views
taichi
Posts: 106
Topic starter
(@taichi)
Member
Joined: 2 years ago

 

Describe security and compliance concepts and methodologies

 

Describe the Zero-Trust methodology

Zero Trust assumes everything is on an open and untrusted network, even resources behind the firewalls of the corporate network. The Zero Trust model operates on the principle of “trust no one, verify everything.

Attackers’ ability to bypass conventional access controls is ending any illusion that traditional security strategies are sufficient. By no longer trusting the integrity of the corporate network, security is strengthened.

In practice, this means that we no longer assume that a password is sufficient to validate a user so we add multi-factor authentication to provide additional checks. Instead of granting access to all devices on the corporate network, users are allowed access only to the specific applications or data that they need.

Zero Trust guiding principles

The Zero Trust model has three principles which guide and underpin how security is implemented. These are: verify explicitly, least privilege access, and assume breach.

  • Verify explicitly. Always authenticate and authorize based on the available data points, including user identity, location, device, service or workload, data classification, and anomalies.

  • Least privileged access. Limit user access with just-in-time and just-enough access (JIT/JEA), risk-based adaptive policies, and data protection to protect both data and productivity.

  • Assume breach. Segment access by network, user, devices, and application. Use encryption to protect data, and use analytics to get visibility, detect threats, and improve your security.

Six foundational pillars

In the Zero Trust model, all elements work together to provide end-to-end security. These six elements are the foundational pillars of the Zero Trust model:

  • Identities may be users, services, or devices. When an identity attempts to access a resource, it must be verified with strong authentication, and follow least privilege access principles.

  • Devices create a large attack surface as data flows from devices to on-premises workloads and the cloud. Monitoring devices for health and compliance is an important aspect of security.

  • Applications are the way that data is consumed. This includes discovering all applications being used, sometimes called Shadow IT because not all applications are managed centrally. This pillar also includes managing permissions and access.

  • Data should be classified, labeled, and encrypted based on its attributes. Security efforts are ultimately about protecting data, and ensuring it remains safe when it leaves devices, applications, infrastructure, and networks that the organization controls.

  • Infrastructure, whether on-premises or cloud based, represents a threat vector. To improve security, you assess for version, configuration, and JIT access, and use telemetry to detect attacks and anomalies. This allows you to automatically block or flag risky behavior and take protective actions.

  • Networks should be segmented, including deeper in-network micro segmentation. Also, real-time threat protection, end-to-end encryption, monitoring, and analytics should be employed.

The Zero Trust model

These six foundational pillars work together with the Zero Trust model to enforce organization security policies.

Refer to An introduction to the Zero Trust methodology for a video recap on the pillars of the Zero Trust model.

 

Describe the shared responsibility model

The shared responsibility model identifies which security tasks are handled by the cloud provider, and which security tasks are handled by you, the customer.

In organizations running only on-premises hardware and software, the organization is 100 percent responsible for implementing security and compliance. With cloud-based services, that responsibility is shared between the customer and the cloud provider.

The responsibilities vary depending on where the workload is hosted:

  • Software as a Service (SaaS)

  • Platform as a Service (PaaS)

  • Infrastructure as a Service (IaaS)

  • On-premises datacenter (On-prem)

The shared responsibility model makes responsibilities clear. When organizations move data to the cloud, some responsibilities transfer to the cloud provider and some to the customer organization.

The following diagram illustrates the areas of responsibility between the customer and the cloud provider, according to where data is held.

The Shared responsibility model responsibilities by type

The Beginner's Guide to Azure Security

On-premises datacenters

In an on-premises datacenter, you have responsibility for everything from physical security to encrypting sensitive data.

Infrastructure as a Service (IaaS)

Of all cloud services, IaaS requires the most management by the cloud customer. With IaaS, you're using the cloud provider’s computing infrastructure. The cloud customer isn't responsible for the physical components, such as computers and the network, or the physical security of the datacenter. However, the cloud customer still has responsibility for software components such as operating systems, network controls, applications, and protecting data.

Platform as a Service (PaaS)

PaaS provides an environment for building, testing, and deploying software applications. The goal of PaaS is to help you create an application quickly without managing the underlying infrastructure. With PaaS, the cloud provider manages the hardware and operating systems, and the customer is responsible for applications and data.

Software as a Service (SaaS)

SaaS is hosted and managed by the cloud provider, for the customer. It's usually licensed through a monthly or annual subscription. Microsoft 365, Skype, and Dynamics 365 are all examples of SaaS software. SaaS requires the least amount of management by the cloud customer. The cloud provider is responsible for managing everything except data, devices, accounts, and identities.

For all cloud deployment types you, the cloud customer, own your data and identities. You're responsible for protecting the security of your data and identities, and on-premises resources.

In summary, responsibilities always retained by the customer organization include:

  • Information and data

  • Devices (mobile and PCs)

  • Accounts and identities

The benefit of the shared responsibility model is that organizations are clear about their responsibilities, and those of the cloud provider.

 

 

Describe defense in depth

Defense in depth uses a layered approach to security, rather than relying on a single perimeter. A defense in-depth strategy uses a series of mechanisms to slow the advance of an attack. Each layer provides protection so that, if one layer is breached, a subsequent layer will prevent an attacker getting unauthorized access to data.

Example layers of security might include:

  • Physical security such as limiting access to a datacenter to only authorized personnel.

  • Identity and access security controls, such as multi-factor authentication or condition-based access, to control access to infrastructure and change control.

  • Perimeter security including distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for users.

  • Network security, such as network segmentation and network access controls, to limit communication between resources.

  • Compute layer security such as securing access to virtual machines either on-premises or in the cloud by closing certain ports.

  • Application layer security to ensure applications are secure and free of security vulnerabilities.

  • Data layer security including controls to manage access to business and customer data and encryption to protect data.

Defense in depth uses multiple layers of security to protect sensitive data

Defence in Depth | Cloudarchitecture.io

Confidentiality, Integrity, Availability (CIA)

Confidentiality, Integrity, Availability, or CIA, is a way to think about security trade-offs. This isn't a Microsoft model, but is common to all security professionals.

Confidentiality, Integrity, Availability (CIA)

Confidentiality refers to the need to keep confidential sensitive data such as customer information, passwords, or financial data. You can encrypt data to keep it confidential, but then you also need to keep the encryption keys confidential. Confidentiality is the most visible part of security; we can clearly see need for sensitive data, keys, passwords, and other secrets to be kept confidential.

Integrity refers to keeping data or messages correct. When you send an email message, you want to be sure that the message received is the same as the message you sent. When you store data in a database, you want to be sure that the data you retrieve is the same as the data you stored. Encrypting data keeps it confidential, but you must then be able to decrypt it so that it's the same as before it was encrypted. Integrity is about having confidence that data hasn't been tampered with or altered.

Availability refers to making data available to those who need it. It's important to the organization to keep customer data secure, but at the same time it must also be available to employees who deal with customers. While it might be more secure to store the data in an encrypted format, employees need access to decrypted data.

While all sides of the CIA model are important, they also represent trade-offs that need to be made.

Describe common threats

There are different types of security threats. Some aim to steal data, some aim to extort money, and others to disrupt normal operations, such as a denial of service attack. This topic looks at some of the common threats.

Data breach

A data breach is when data is stolen, and this includes personal data. Personal data means any information related to an individual that can be used to identify them directly or indirectly.

Common security threats that can result in a breach of personal data include phishing, spear phishing, tech support scams, SQL injection, and malware designed to steal passwords or bank details.

Dictionary attack

A dictionary attack is a type of identity attack where a hacker attempts to steal an identity by trying a large number of known passwords. Each password is automatically tested against a known username. Dictionary attacks are also known as brute force attacks.

Ransomware

Malware is the term used to describe malicious applications and code that can cause damage and disrupt normal use of devices. Malware can give attackers unauthorized access, which allows them to use system resources, lock you out of your computer, and ask for ransom.

Ransomware is a type of malware that encrypts files and folders, preventing access to important files. Ransomware attempts to extort money from victims, usually in the form of cryptocurrencies, in exchange for the decryption key.

Cybercriminals that distribute malware are often motivated by money and will use infected computers to launch attacks, obtain banking credentials, collect information that can be sold, sell access to computing resources, or extort payment from victims.

Disruptive attacks

A Distributed Denial of Service (DDoS) attack attempts to exhaust an application's resources, making the application unavailable to legitimate users. DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet.

Other common threats include coin miners, rootkits, trojans, worms, and exploits and exploit kits. Rootkits intercept and change standard operating system processes. After a rootkit infects a device, you can’t trust any information that the device reports about itself.

Trojans are a common type of malware which can’t spread on their own. This means they either have to be downloaded manually or another malware needs to download and install them. Trojans often use the same file names as real and legitimate apps so it's easy to accidentally download a trojan thinking that it is legitimate.

A worm is a type of malware that can copy itself and often spreads through a network by exploiting security vulnerabilities. It can spread through email attachments, text messages, file-sharing programs, social networking sites, network shares, removable drives, and software vulnerabilities.

Exploits take advantage of vulnerabilities in software. A vulnerability is a weakness in your software that malware uses to get onto your device. Malware exploits these vulnerabilities to bypass your computer's security safeguards and infect your device.

These examples are just a few of the threats commonly seen. This is a continually evolving area and new threats emerge all the time.

 

Describe encryption and hashing

One way to mitigate against common cybersecurity threats is to encrypt sensitive or valuable data. Encryption is the process of making data unreadable and unusable to unauthorized viewers. To use or read encrypted data, it must be decrypted, which requires the use of a secret key.

There are two top-level types of encryption: symmetric and asymmetric. Symmetric encryption uses the same key to encrypt and decrypt the data. Asymmetric encryption uses a public key and private key pair. Either key can encrypt data, but a single key can’t be used to decrypt encrypted data. To decrypt, you need a paired key. Asymmetric encryption is used for things like Transport Layer Security (TLS), such as the HTTPS protocol, and data signing. Encryption may protect data at rest, or in transit.

the concepts of symmetric and asymmetric encryption

Encryption at rest

Data at rest is the data that's stored on a physical device, such as a server. It may be stored in a database or a storage account but, regardless of where it's stored, encryption of data at rest ensures the data is unreadable without the keys and secrets needed to decrypt it.

If an attacker obtained a hard drive with encrypted data and didn't have access to the encryption keys, they would be unable to read the data.

Encryption in transit

Data in transit is the data moving from one location to another, such as across the internet or through a private network. Secure transfer can be handled by several different layers. It could be done by encrypting the data at the application layer before sending it over a network. HTTPS is an example of encryption in transit.

Encrypting data in transit protects it from outside observers and provides a mechanism to transmit data while limiting the risk of exposure.

Hashing

Hashing uses an algorithm to convert the original text to a unique fixed-length hash value. Each time the same text is hashed using the same algorithm, the same hash value is produced. That hash can then be used as a unique identifier of its associated data.

Hashing is different to encryption in that it doesn't use keys, and the hashed value isn't then decrypted back to the original.

Hashing is used to store passwords. When a user enters their password, the same algorithm that created the stored hash creates a hash of the entered password. This is compared to the stored hashed version of the password. If they match, the user has entered their password correctly. A hashed password is more secure than storing plain text passwords, but hashing algorithms are also known to hackers. Because hash functions are deterministic (the same input produces the same output), hackers can use brute-force dictionary attacks by hashing the passwords. For every matched hash, they know the actual password. To mitigate this risk, passwords are often “salted”. This refers to adding a fixed-length random value to the input of hash functions to create unique hashes for every input. As hackers can't know the salt value, the hashed passwords are more secure.

the concept of hashing

 

Describe the cloud adoption framework

Microsoft Cloud Adoption Framework for Azure consists of documentation, implementation guidance, best practices, and tools designed to help businesses to implement strategies necessary to succeed in the cloud. The Cloud Adoption Framework has been carefully designed based on cloud adoption best practices from Microsoft employees, customers, and partners. It provides a proven and consistent methodology for implementing cloud technologies.

Understand the lifecycle

Each of the following steps is part of the cloud adoption lifecycle.

The Cloud Adoption Lifecycle diagram.
  1. Strategy: Define business justification and expected outcomes of adoption.

  2. Plan: Align actionable adoption plans to business outcomes.

  3. Ready: Prepare the cloud environment for the planned changes.

  4. Adopt

    • Migrate: Migrate and modernize existing workloads.

    • Innovate: Develop new cloud-native or hybrid solutions.

  5. Govern: Govern the environment and workloads.

  6. Manage: Operations management for cloud and hybrid solutions.

Refer to The Cloud Adoption Framework, for a video overview of the cloud adoption lifecycle.

When your enterprise's digital transformation involves the cloud, understanding these fundamental concepts will help you during each step of the process.

 

Knowledge check

Multiple choice

Item 1. An organization has deployed Microsoft 365 applications to all employees. Who is responsible for the security of the personal data relating to these employees?

Multiple choice

Item 2. Which of the following measures might an organization implement as part of the defense in-depth security methodology?

Multiple choice

Item 3. The human resources organization want to ensure that stored employee data is encrypted. Which security mechanism would they use?

Multiple choice

Item 4. An organization is moving their IT infrastructure to the cloud. They want to know how to create and implement business and technology strategies in a way that will help them succeed in the cloud. What guidance can they use to help them transition to the cloud?

 
 

Summary and resources

In this lesson, you have learned about some important security concepts and methodologies. You have learned about the Zero Trust methodology, and how the guiding principles of verify explicitly, least privilege access, and assume breach strengthens security. You learned how the six foundational elements of identity, devices, applications, data, infrastructure, and networks are used in the Zero Trust model.

This lesson also looked at the shared responsibility model, which considers who is responsible for what as organizations migrate their workloads to the cloud. You learned about the Microsoft Cloud Adoption Framework. You also learned about defense in depth, and how the security principles of confidentiality, integrity, and availability help to guide security decisions.

Finally, you learned about common cybersecurity threats including threats to business and personal data and how to protect your data.

Now that you’ve completed this lesson, you should be able to:

  • Describe the Zero Trust and shared responsibility models.

  • Describe common security threats and ways to protect through the defense in-depth security model.

  • Describe the concepts of encryption and hashing.

  • Describe the cloud adoption framework.

Learn more

To learn more about the topics discussed in this lesson, see:

 

1 Reply
taichi
Posts: 106
Topic starter
(@taichi)
Member
Joined: 2 years ago
 

Introduction

Everyone, and every device, has an identity that can be used to gain access to resources. Identity is the way in which people and things are identified on your corporate network, and in the cloud. Being certain about who or what is accessing your organization’s data and other resources is a fundamental part of securing your environment. This is known as identity and access management and is made up of two key steps: authenticating and authorizing identities.

After completing this lesson, you'll be able to:

  • Describe the concept of identity as a security perimeter.

  • Describe the difference between authentication and authorization.

  • Describe the concepts associated with identity-related services.

 

Common identity attacks

Some of the most common types of security threats that organizations face today are identity attacks. Identity attacks are designed to steal the credentials used to validate or authenticate that someone or something is who they claim to be. The result is identity theft.

Password based attacks

Password based attacks include password spray attacks and brute force attacks. A password spray attack attempts to match a username against a list of weak passwords.

Brute force attacks try many passwords against one or more accounts, sometimes using dictionaries of commonly used passwords. When a user has assigned a weak password to their account, the hacker will find a match, and gain access to that account.

Password spray attackProtecting your organization against password spray attacks - Microsoft  Security Blog

Phishing

A phishing attack is when a hacker sends an email that appears to come from a reputable source. The email contains a credible story, such as a security breach, instructing the user to sign in and change their password. Instead of going to a legitimate website, the user is directed to the scammer’s website where they enter their username and password. The hacker has now captured the user’s identity, and their password.

Although many phishing scam emails are badly written and easy to identify, when users are busy or tired, they make mistakes and are more easily deceived. As hackers become more sophisticated, their phishing emails become more difficult to identify.

Spear phishing

A spear phishing scam is a variant on phishing. Hackers build databases of information about users, which can be used to create highly credible emails. The email may appear to come from someone in your organization who is requesting information. Although careful scrutiny might uncover the fraud, users might not read it carefully enough and send the requested information or log in to the web site before they realize the fraud. It is called spear phishing because it is highly targeted.

To protect against all types of identity attacks, robust identity security and monitoring are needed. Risk detections in Azure AD Identity Protection include any identified suspicious actions related to user accounts.

There are two types of risk: user risk and sign-in risk. User risk represents the probability that a given identity or account is compromised. Sign-in risk represents the probability that a given authentication request isn't authorized by the identity owner.

 

Identity as the primary security perimeter

Digital collaboration has changed. Your employees and partners now expect to be able to collaborate and access organizational resources from anywhere, on any device, and without impacting their productivity. In addition, there has been an acceleration in the number of people working from home.

Enterprise security needs to adapt to this new reality. The security perimeter can no longer be viewed as the on-premises network, it now extends to:

  • SaaS applications for business-critical workloads that may be hosted outside the corporate network.

  • The personal devices that employees are using to access corporate resources (BYOD or bring your own device) while working from home.

  • The unmanaged devices used by partners or customers when interacting with corporate data or collaborating with employees

  • IoT devices installed throughout your corporate network and inside customer locations.

The traditional perimeter-based security model is no longer enough. Identity has become the new security perimeter that enables organizations to secure their assets.

But what do we mean by an identity? An identity is how someone or something can be verified and authenticated to be who they say they are. An identity may be associated with a user, an application, a device, or something else.

Identity is the new security perimeterDefining Identity as the primary security perimeter - Testprep Training

Four pillars of identity

Identity is a concept that spans an entire environment, so organizations need to think about identity broadly. There are four fundamental pillars of identity that organizations need to consider when creating an identity infrastructure, which is the collection of processes, technologies, and policies for managing digital identities and controlling how identities can be used to access resources.

  • Administration. Administration is about the creation and management of identities for users, devices, and services. As an administrator you manage how and under what circumstances the characteristics of identities can change (be created, updated, deleted).

  • Authentication. The authentication pillar tells the story of how much assurance for a particular identity is enough. In other words, how much does an IT system need to know about an identity in order to have sufficient proof that they really are who they say they are? It involves the act of challenging a party for legitimate credentials. Authentication is sometimes shortened to AuthN.

  • Authorization. The authorization pillar is about processing the incoming identity data to determine the level of access an authenticated person or service has within the application/service that it wants to access. Authorization is sometimes shortened to AuthZ.

  • Auditing. The auditing pillar is about tracking who does what, when, where, and how. Auditing includes having in-depth reporting, alerts, and governance of identities.

Addressing each of these four pillars is key to a comprehensive and robust identity and access control solution.

Modern authentication and the role of the identity provider

Modern authentication is an umbrella term for authentication and authorization methods between a client, such as your laptop or phone, and a server, such as a website or application. At the center of modern authentication is the role of the identity provider. An identity provider creates, maintains, and manages identity information while providing authentication, authorization, and auditing services.

With modern authentication, all services, including all authentication services, are provided by a central identity provider. The information that is used to authenticate the user with the server is stored and managed centrally by the identity provider.

With a central identity provider, organizations can establish authentication and authorization policies, monitor user behavior, identify suspicious activities, and reduce malicious attacks.

For information about modern authentication and how it works with a central identity provider watch Azure Active Directory: Authentication fundamentals - The basics.

In a client-server scenario using modern authentication (as described in the video), the client communicates with the identity provider by providing an identity which can be authenticated. Once the identity (which can be a user or an application) has been verified, the identity provider issues a security token which the client sends to the server. The server validates the security token through its trust relationship with the identity provider. By using the security token and the information that is contained within the token, the user or application can gain access to the required resources on the server. In this scenario, the token and the information contained in the token is stored and managed by the identity provider. The centralized identity provider is providing the authentication service.

Microsoft Azure Active Directory is an example of a cloud-based identity provider. Other examples of identity providers include Twitter, Google, Amazon, LinkedIn, and GitHub.

Single sign-on

Another fundamental capability of an identity provider and “modern authentication” is the support for single sign-on (SSO). With SSO, the user logs in once and that credential is used to access multiple applications or resources. When you set up single sign-on to work between multiple identity providers, it is called federation.

 

The concept of Federated Services

Federation enables the access of services across organizational or domain boundaries by establishing trust relationships between the respective domain’s identity provider. With federation, there is no need for a user to maintain a different username and password when accessing resources in other domains.

Federated identification

Explain the concept of Federated Services - Testprep Training Tutorials

The simplified way to think about this federation scenario is as follows:

  • The website uses the authentication services of Identity Provider A (IdP-A).

  • The user authenticates with Identity Provider B (IdP-B).

  • IdP-A has a trust relationship configured with IdP-B.

  • When the user’s credentials are passed to the website, the website trusts the user and allows access.

With federation, trust is not always bi-directional. Although IdP-A may trust IdP-B and allow the user in domain B to access the website in domain A, the opposite is not true, unless that trust relationship is configured.

A common example of federation in practice is when a user logs into a third-party site with their social media account, such as Twitter. In this scenario, Twitter is an identity provider, and the third-party site may be using a different identity provider, such as Azure AD. There is a trust relationship between Azure AD and Twitter.

 

The concept of directory services and Active Directory

In the context of a computer network, a directory is a hierarchical structure that stores information about objects on the network. A directory service stores directory data and makes this data available to network users, administrators, services, and applications.

Active Directory (AD) is a set of directory services developed by Microsoft as part of Windows 2000 for on-premises domain-based networks. The best-known Active Directory service is Active Directory Domain Services (AD DS). It stores information about members of the domain, including devices and users, verifies their credentials, and defines their access rights. A server running AD DS is a domain controller (DC).

AD DS is a central component in organizations with on-premises IT infrastructure. AD DS gives organizations the ability to manage multiple on-premises infrastructure components and systems using a single identity per user. AD DS does not, however, natively support mobile devices, SaaS applications, or line-of-business apps that require modern authentication methods.

The growth of cloud services, SaaS applications, personal devices being used at work, has resulted in the need for modern authentication, and an evolution of Active Directory-based identity solutions.

Azure Active Directory is the next evolution of identity and access management solutions by providing organizations with an Identity as a Service (IDaaS) solution for all their apps across cloud and on-premises. In this course we will focus on Azure AD, Microsoft’s cloud-based identity provider.

To learn more visit Compare Active Directory to Azure Active Directory.

 

Knowledge check

Multiple choice

Item 1. What type of security risk does a phishing scam pose?

Multiple choice

Item 2. What is a benefit of single sign-on?

Multiple choice

Item 3. Which relationship allows federated services to gain access to resources?

Multiple choice

Item 4. Authentication is the process of doing what?

 
 

Summary and resources

In this lesson, you've learned about some common identity security threats and basic identity concepts. You learned about identity as the new security perimeter, and authentication, authorization, and the role of Active Directory. You also looked at the concept of federated services to access resources that belong to another organization.

Now that you’ve completed this lesson, you should be able to:

  • Describe the concept of identity as a security perimeter.

  • Describe the difference between authentication and authorization.

  • Describe the concepts associated with identity-related services.

Learn more

For more information on the topics covered in this lesson, see:

 
Reply
Share:
%d bloggers like this: