Security¶

Storage security: data encryption, client encryption, key vaults
Network security: VPN, Network Security Groups
Identity/Access control: RBAC, MFA, password policies
Monitoring practices: Storage Analytics, and security logs
Security Center is a service that monitors, recommends, use ML to detect/block malware
- Policies and compliance
- Hygiene: actionable items for each resource type
- Free tier only provides assessment and recommendations v/s Standard tier
- Azure SQL Transparent Data Encryption TDE should be turned on only in the resource groups where it's needed.
OpenID Connect is used for user authentication
Azure Key Vault can be used to store keys, secrets and certificates
- Key Vault must exist in the same region as the resources being protected
Forced Tunneling forces all network traffic through VPN (can't have direct access to internet)
Privileged Identity Management PIM: Best practice: use temporary admin

RBAC¶

Access keys based access for users not in AD -- typically applications
- two access keys, primary and secondary are provisioned.
- secondary access key is used to regenerate primary should it be compromised
Shared Access Signature (SAS) is a temporary, restricted access to a non-customer
- is a URI that can be generated with specific permissions, services, duration and IP
CORS rules can be specified for access to all storage services for cross-domain requests
Azure Information Protection allows labeling, either manually or rule-based, web-based documents
- Use Azure Data Flow for tracking, preventing misuse of sensitive information
Advanced Threat Protection ATP is cloud based solution towards malicious insider threats
- ATP Sensor is installed on domain controllers
- ATP Service runs on Azure cloud and ATP Portal provides UI to monitor, investigate etc

Uses allow model, permission from multiple roles add up
Can act on a single user or a group, and single resource or resource group
Use resource lock (delete or read-only) to prevent accidental modification or deletion of resources

using Azure AD, which is OAuth OpenID Connect
- Azure user account is belongs to an Azure AD
- Azure AD can be synced with customer's Active Directory Domain Service
has multiple AD instances, each one is called tenant
- all accounts are stored in Azure AD tenant
Organization 1:M subscriptions 1:M licenses 1:1 Users
A subscription allows use of Azure service
- Subscriptions are grouped into Organization (typically identified by its DNS)
- resources are associated with a subscription,
- has multiple licenses
A license allows a user to use a service
A tenant is a specific instance of Azure AD containing accounts and groups
- For SaaS, a tenant is a regional location that provides services
  - E.g. Corp X is tenant at European Region
- For PaaS or IaaS VM, tenant can be anywhere in the world
- subscriptions have trust relationship with tenant
- Only resources for one tenant are viewable at a time. Must switch tenant to view

Identity is something that can be authenticated. It can be people or services
Account is data associated with Identity, e.g. an account on Azure AD
Principal is an Identity acting with certain roles or claims
Service Principal is an Identity used by a service that holds claims and roles

In-transit (SSL) and at-rest
- Storage Service Encryption SSE used for storage services
- Disk Encryption used for VM VHD
- Transparent Data Encryption TDE protects SQL Database and Azure Data Warehouse is enabled by default

Azure Firewall is used for inbound non-HTTP/S and all outbound network traffic
DDOS protection levels are Basic or Standard
- Basic DDOS protection is free that monitors large amount of traffic and blocks it
- Standard DDOS protection is adaptive and offers Volumetric, Protocol, Resource Layer attacks
Use Network Security Group to limit and isolate network traffic within Virtual Network