Azure Protection And Security
Key Vault
Concept not fully clear how it is managed. Will look into this later on.
Azure Key Vault helps you safeguard cryptographic keys and other secrets used by cloud apps and services.
- Secrets Management: store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
- Key Management: create and control the encryption keys used to encrypt your data.
- Certificate Management: easily provision, manage, and deploy public and private SSL certificates for use with Azure and internal connected resources.
- Hardware Security Module: secrets and keys can be protected either by software or by FIPS 140-2 Level 2 validated HSMs.
An HSM is a Hardware Security Module. It's a piece of hardware designed to store encryption keys.
Federal Information Processing Standard (FIPS) 140-2 is a US and Canadian government standard that specifies the security requirements for cryptographic modules that protect sensitive information.
- HSMs that are multi-tenant are FIPS 140-2 compliant (multiple customers virtually isolated on one HSM).
- HSMs that are single-tenant are FIPS 140-3 compliant (a single customer on a dedicated HSM).
Azure DDoS Protection
What is a DDoS (Distributed Denial of Service) Attack? A malicious attempt to disrupt normal traffic by flooding a website with large amounts of fake traffic.
Azure offers two tiers of DDoS Protection
DDoS Protection Basic
- Free
- Already turned on
- Protects Azure's global network
DDoS Protection Standard
- Starting at $2,994/month
- Metrics, Alerts, Reporting
- DDoS Expert Support
- Application and Cost Protection SLAs
Azure Firewall
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources.
Azure Firewall Features
- Centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks.
- Uses a static public IP address for your virtual network resources allowing outside firewalls to identify traffic originating from your virtual network.
- High availability is built in; no additional load balancers are required.
- Can be configured during deployment to span multiple Availability Zones (AZs) for increased availability.
- There’s no additional cost for a firewall deployed in an Availability Zone (AZ)
- There are additional costs for inbound and outbound data transfers associated with AZs
Azure Information Protection (AIP)
Protects sensitive information such as emails and documents with encryption, restricted access and rights, and integrated security in Office apps.
Azure Application Gateway
Application Gateway is a web-traffic load balancer (Layer 7, HTTP) that re-routes traffic based on a set of rules. A Web Application Firewall (WAF) can be attached for additional protection at OSI Layer 7.
Azure Advanced Threat Protection (ATP)
What is IDS/IPS?
Intrusion Detection System and Intrusion Protection System: a device or software application that monitors a network or systems for malicious activity or policy violations.
Azure Advanced Threat Protection (ATP) is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
Microsoft Security Development Lifecycle (SDL)
Microsoft Security Development Lifecycle (SDL) is an industry-leading software security assurance process.
A Microsoft-wide initiative and a mandatory policy since 2004, the SDL has played a critical role in embedding security and privacy in Microsoft software and culture.
Building security into each phase of the development lifecycle helps you catch issues early and reduces your development costs.
Azure Security — Policies
Azure Policy is a service you can use to create, assign, and manage policies. A policy allows you to enforce or control the properties of a resource. Azure Policy evaluates resources in Azure by comparing the properties of those resources to business rules. These business rules, described in JSON format, are known as Policy Definitions.
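As an added example (not from these notes or from Microsoft), the definition below is constructed in the JSON shape an Azure Policy definition uses (parameters plus a policyRule with if/then), and a small evaluator models how a resource's properties are compared to that rule to decide the effect. The `evaluate` function and the resource dicts are assumptions of this example, not Azure's engine.

```python
"""Toy evaluator for the JSON shape of an Azure Policy definition
(properties.parameters and properties.policyRule with if/then).
Added example, not Azure's engine: it only models how resource
properties are compared to a rule to decide the effect."""
import json
import re

# Constructed definition: deny resources outside the allowed locations.
POLICY_DEFINITION = json.loads("""
{"properties": {
  "displayName": "Allowed locations",
  "parameters": {"allowedLocations": {"type": "Array",
                 "defaultValue": ["westeurope", "northeurope"]}},
  "policyRule": {
    "if": {"not": {"field": "location",
                   "in": "[parameters('allowedLocations')]"}},
    "then": {"effect": "deny"}}}}
""")


def _resolve(value, params):
    """Expand a "[parameters('name')]" reference; pass literals through."""
    m = isinstance(value, str) and re.fullmatch(r"\[parameters\('(\w+)'\)\]", value)
    return params[m.group(1)] if m else value


def _matches(cond, resource, params):
    """Recursively evaluate an `if` condition against resource properties."""
    if "not" in cond:
        return not _matches(cond["not"], resource, params)
    if "allOf" in cond:
        return all(_matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_matches(c, resource, params) for c in cond["anyOf"])
    actual = resource.get(cond["field"])
    if "equals" in cond:
        return actual == _resolve(cond["equals"], params)
    if "in" in cond:
        return actual in _resolve(cond["in"], params)
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(definition, resource):
    """Return the effect to apply ("deny", "audit", ...) or None if compliant."""
    props = definition["properties"]
    params = {k: v["defaultValue"] for k, v in props.get("parameters", {}).items()}
    rule = props["policyRule"]
    return rule["then"]["effect"] if _matches(rule["if"], resource, params) else None
```

A resource with no `location` property at all also evaluates to `deny`, which is why the rule is written as `not ... in` rather than as a positive match.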
Azure Role-Based Access Control (RBAC)

Azure role-based access control (Azure RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.
Role Assignments are the way you control access to resources. A Role Assignment consists of these three elements:
- security principal
- role definition
- scope
A Security Principal represents the identities requesting access to an Azure resource, such as:
- User: an individual who has a profile in Azure Active Directory.
- Group: a set of users created in Azure Active Directory.
- Service Principal: a security identity used by applications or services to access specific Azure resources.
- Managed identity: an identity in Azure Active Directory that is automatically managed by Azure.
Scope is the set of resources that the Role Assignment's access applies to. Scope can be set at the Management Group, Subscription, or Resource Group level.
A Role Definition is a collection of permissions.
A role definition lists the operations that can be performed, such as read, write, and delete. Roles can be high-level, like owner, or specific, like virtual machine reader.
Azure has built-in roles, and you can define custom roles.
Actions
- Read
- Grant
- Create, Update, Delete
Roles
- Owner
- Contributor
- Reader
- User Access Administrator
These are the four fundamental built-in roles.
Lock resources
As an admin, you may need to lock a subscription, resource group, or resource to prevent other users from accidentally deleting or modifying critical resources.
In the Azure Portal you can set the following lock levels:
- CanNotDelete (Delete): authorized users can still read and modify a resource, but they can't delete the resource.
- ReadOnly (Read-only): authorized users can read a resource, but they can't delete or update the resource.
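The following is an added example (not from these notes or from Microsoft) covering both the Role Assignment section above (security principal, role definition, scope) and the lock levels just described: a toy model that checks whether a principal may perform an action on a resource, first through RBAC and then against any lock on a covering scope. The role definitions are simplified subsets of the real built-in roles; the principals, subscription ID, assignments and locks are constructed sample data, and `authorize` is an assumption of this example rather than Azure's authorization engine.

```python
"""Toy model of Azure RBAC role assignments plus resource locks. Added example,
not Azure's authorization engine: an assignment is (security principal, role
definition, scope); a lock on a covering scope can still block delete/write."""
from fnmatch import fnmatchcase
# Simplified subsets of the real built-in role definitions.
ROLE_DEFINITIONS = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {"Actions": ["*"], "NotActions": [
        "Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]},
    "Reader": {"Actions": ["*/read"], "NotActions": []},
}
# Constructed assignments and locks. Scopes use Azure's resource-ID path form;
# an assignment or lock at a scope covers everything beneath it.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ROLE_ASSIGNMENTS = [
    {"principal": "alice", "role": "Contributor", "scope": SUB},
    {"principal": "bob", "role": "Reader", "scope": f"{SUB}/resourceGroups/prod-rg"},
]
LOCKS = [{"scope": f"{SUB}/resourceGroups/prod-rg", "level": "CanNotDelete"}]


def _covers(scope, resource_id):
    return resource_id == scope or resource_id.startswith(scope + "/")

def _any_match(action, patterns):
    # Azure action names and wildcards are case-insensitive.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def rbac_allows(principal, action, resource_id):
    """True if an assignment on a covering scope grants the action via its role."""
    for ra in ROLE_ASSIGNMENTS:
        if ra["principal"] == principal and _covers(ra["scope"], resource_id):
            role = ROLE_DEFINITIONS[ra["role"]]
            if _any_match(action, role["Actions"]) and not _any_match(action, role["NotActions"]):
                return True
    return False

def lock_blocks(action, resource_id):
    """CanNotDelete blocks delete; ReadOnly blocks delete and write; reads pass."""
    verb = action.rsplit("/", 1)[-1].lower()
    return any(_covers(lk["scope"], resource_id) and
               (verb == "delete" or (lk["level"] == "ReadOnly" and verb == "write"))
               for lk in LOCKS)

def authorize(principal, action, resource_id):
    """Return 'allowed', 'denied (no role)' or 'denied (lock)'."""
    if not rbac_allows(principal, action, resource_id):
        return "denied (no role)"
    return "denied (lock)" if lock_blocks(action, resource_id) else "allowed"
```

Note that the Contributor's NotActions are what stop it from granting role assignments, which is why User Access Administrator exists as a separate built-in role.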