AZ-900T01
Module 03:
Security, privacy,
compliance, and trust
Lesson 01: Learning objectives
Module 3 – Learning objectives
• Understand and describe how to secure network connectivity in Microsoft
Azure.
• Understand and describe core Azure identity services.
• Understand and describe security tools and features.
• Understand and describe Azure governance methodologies.
• Understand and describe monitoring and reporting in Azure.
• Understand and describe privacy, compliance, and data protection
standards in Azure.
Lesson 02: Securing network connectivity in Azure
Azure Firewall
Stateful, managed Firewall as a Service (FaaS) that grants or denies server
access based on originating IP address, to protect network resources.
Azure Firewall features:
applies inbound and outbound traffic filtering rules.
built-in high availability.
unrestricted cloud scalability.
uses Azure Monitor logging.
Network security groups (NSGs)
Filters network traffic to and from Azure resources on Azure Virtual
Networks.
Network security group features:
set inbound and outbound rules to filter by source and destination
IP address, port, and protocol.
add multiple rules, as needed, within subscription limits.
Azure applies default, baseline security rules to new NSGs.
override default rules with new, higher-priority rules.
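An added example (not part of the course material) of how an NSG decides on inbound traffic: rules are tried in priority order, lowest number first, the first match wins, and the default rules sit at 65000 and above so any custom rule overrides them. The rule names, CIDRs and the private-CIDR stand-in for the VirtualNetwork service tag are constructed for the example.

```python
"""Added example, not from the course material: how an NSG evaluates inbound
rules. Rules are checked in priority order (lower number first) and the first
match decides, so a custom rule numbered below Azure's default rules (65000 and
up) overrides them."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # custom rules use 100-4096; lower number is evaluated first
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*" (any)
    source: str     # source CIDR, or "*" for any address
    dest_port: str  # "443", a range "8000-8080", or "*"

    def matches(self, src_ip: str, port: int, proto: str) -> bool:
        if self.protocol != "*" and self.protocol.lower() != proto.lower():
            return False
        if self.source != "*" and ip_address(src_ip) not in ip_network(self.source):
            return False
        if self.dest_port == "*":
            return True
        lo, _, hi = self.dest_port.partition("-")
        return int(lo) <= port <= int(hi or lo)


def evaluate(rules, src_ip, port, proto="Tcp"):
    """Return (rule name, access) of the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(src_ip, port, proto):
            return rule.name, rule.access
    raise ValueError("no rule matched; a real NSG always ends with DenyAllInBound")


# Simplified stand-ins for two of Azure's default inbound rules (the VirtualNetwork
# service tag is approximated with a private CIDR here).
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "10.0.0.0/8", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]
# Constructed custom rules: RDP only from one office range, denied from everywhere
# else (including the VNet, because 110 beats 65000); HTTPS open to the internet.
CUSTOM_INBOUND = [
    Rule("AllowRdpFromOffice", 100, "Allow", "Tcp", "203.0.113.0/24", "3389"),
    Rule("DenyRdpEverywhere", 110, "Deny", "Tcp", "*", "3389"),
    Rule("AllowHttps", 200, "Allow", "Tcp", "*", "443"),
]
NSG = CUSTOM_INBOUND + DEFAULT_INBOUND
```

Call `evaluate(NSG, "10.1.2.3", 3389)` to see the custom deny at priority 110 beat the default VNet allow at 65000.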
Lesson 03: Core Azure identity services
Authentication and authorization
Two concepts are fundamental to understanding identity and access.
Authentication
• identifies the person or service seeking access to a resource.
• requests legitimate access credentials.
• basis for creating secure identity and access control principles.
Authorization
• determines an authenticated person's or service's level of access.
• defines which data they can access, and what they can do with it.
Azure Active Directory (AD)
Microsoft Azure’s cloud-based identity and access management service.
Services provided by Azure AD include:
authentication (employees sign in to access resources)
single sign-on (SSO)
application management
Business to Business (B2B) and Business to Customer (B2C) identity services
Azure Multi-Factor Authentication
Provides additional security for your identities by requiring two or more
elements for full authentication. These elements fall into three categories:
Something you know:
Something you possess:
Something you are:
Lesson 04: Security tools and features
Azure Security Center
A monitoring service that provides threat protection across all your
Azure and on-premises services.
Azure Security Center features:
provides security recommendations based on your configurations,
resources, and networks.
monitors security settings across your on-premises and cloud workloads.
automatically applies your security policies to any new services you
provision.
Azure Key Vault
Stores application secrets in a centralized cloud location, with secure
control over access permissions and access logging.
Use Azure Key Vault for:
secrets management.
key management.
certificate management.
storing secrets backed by hardware security modules (HSMs).
Azure Information Protection (AIP)
Classifies and protects documents and emails by applying labels.
AIP labels can be applied:
automatically, using rules and conditions defined by administrators.
manually, by users.
by combining automatic and manual methods, guided by recommendations.
Lesson 05: Azure governance methodologies
Azure Policy
Stay compliant with your corporate standards and service level
agreements (SLAs) by using policy definitions to enforce rules and effects
for your Azure resources.
Azure Policy features:
evaluates and identifies Azure resources that do not comply with your
policies.
provides built-in policy and initiative definitions, under categories
such as Storage, Networking, Compute, Security Center, and Monitoring.
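An added example (not part of the course material) of what a policy definition's rule looks like and how evaluation flags non-compliant resources: a constructed "allowed locations" definition in the real Azure Policy if/then schema, run by a tiny evaluator over a constructed resource inventory. The evaluator is a teaching stand-in for the Azure Policy engine and supports only the operators this definition uses.

```python
"""Added example, not part of the course material: a minimal evaluator for the
if/then rule of an Azure Policy definition, run over constructed resources to
show how Policy identifies non-compliant ones. Only the operators the
constructed definition uses (not, field, in) are supported."""
import json

# Constructed definition in the Azure Policy rule schema: deny any resource
# whose location is outside the assigned allowedLocations parameter.
POLICY = json.loads("""{
  "displayName": "Allowed locations",
  "parameters": {"allowedLocations": {"type": "Array"}},
  "policyRule": {
    "if": {"not": {"field": "location", "in": "[parameters('allowedLocations')]"}},
    "then": {"effect": "deny"}
  }
}""")
PARAM_PREFIX, PARAM_SUFFIX = "[parameters('", "')]"


def _resolve(value, params):
    """Substitute a [parameters('name')] expression with the assigned value."""
    if isinstance(value, str) and value.startswith(PARAM_PREFIX):
        return params[value[len(PARAM_PREFIX):-len(PARAM_SUFFIX)]]
    return value


def _condition(cond, resource, params):
    """Evaluate one policy condition against a resource's properties."""
    if "not" in cond:
        return not _condition(cond["not"], resource, params)
    actual = resource.get(cond["field"])
    if "in" in cond:
        return actual in _resolve(cond["in"], params)
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy, params, resources):
    """Map each resource name to the effect it triggers, or 'compliant'."""
    rule = policy["policyRule"]
    return {r["name"]: rule["then"]["effect"] if _condition(rule["if"], r, params)
            else "compliant" for r in resources}


# Constructed inventory: two resources in allowed regions, one outside them.
RESOURCES = [
    {"name": "vm-web-01", "location": "westeurope"},
    {"name": "st-logs", "location": "northeurope"},
    {"name": "vm-dev-99", "location": "eastus"},
]
ASSIGNED = {"allowedLocations": ["westeurope", "northeurope"]}
```

`evaluate(POLICY, ASSIGNED, RESOURCES)` reports `vm-dev-99` as the one resource the deny effect would block.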
Role-based access control (RBAC)
Fine-grained access management control over your Azure resources.
Available to all Azure subscribers, at no additional cost.
Example uses of Azure RBAC:
• Grant specific access rights to particular users for certain jobs. One
user can manage VMs, while another manages virtual networks.
• Allocate particular database types to certain database administration
groups.
Locks
Protect your Azure resources from accidental deletion or modification.
Manage locks at subscription, resource group, or individual resource levels
within the Azure Portal.
Lock type       User actions: Read   Update   Delete
CanNotDelete                  Yes    Yes      No
ReadOnly                      Yes    No       No
Lesson 06: Monitoring and reporting in Azure
Azure Monitor
Collect, analyze, and act on telemetry from cloud and on-premises
environments, to maximize your applications' availability and
performance.
• starts collecting data as soon as you create an Azure subscription and
add resources.
• Activity Logs record all resource creation and modification events.
• Metrics measure resource performance and consumption.
• add an Azure Monitor agent to collect operational data for a resource.
Monitoring applications and services
Integrate Azure Monitor with other Azure services to improve your data
monitoring capabilities, and gain better insights into your operations.
Analyze: Use variants of Azure Monitor for resources (containers, virtual
machines, etc.), with Azure Application Insights for applications.
Respond: Azure Alerts can respond proactively to critical conditions
identified in your monitor data, and use Auto-scale with Azure Monitor
Metrics.
Visualize: Use Azure Monitor data to create interactive visualizations,
charts, and tables with Power BI.
Integrate: Integrate Azure Monitor with other systems to build customized
solutions to suit your needs and requirements.
Lesson 07: Privacy, compliance and data protection standards in Azure
Microsoft privacy statement
Provides openness and honesty about how Microsoft handles the user data
collected from its products and services.
The Microsoft privacy statement explains:
• which data Microsoft processes,
• how Microsoft processes it,
• and for what purposes.
Review Microsoft's Privacy Statement at:
microsoft.com/privacystatement
Azure Government services
Meets the security and compliance needs of US federal agencies, state and
local governments, and their solution providers.
Azure Government:
• separate instance of Azure.
• physically isolated from non-US government deployments.
• accessible only to screened, authorized personnel.
Examples of compliant standards: FedRAMP, NIST 800-171 (DIB), ITAR,
IRS 1075, DoD L2, L4 & L5, and CJIS.
Lesson 08: Module 3 review questions
Module 3 review questions
1. There has been an attack on your public-facing website. The application's
resources have been overwhelmed and exhausted, and are now
unavailable to users. What service should you use to prevent this type of
attack?
2. Azure AD is capable of providing which services?
3. Where can you obtain details about the personal data Microsoft
processes, how Microsoft processes it, and for what purposes?