Part 1 SC 900 Course


Hello everyone, welcome to IT Professional Learning for the Security, Compliance, and Identity Fundamentals course. My name is Zoran; I'm a Senior Solution Architect and Senior Technical Trainer. This course provides fundamental knowledge of security, compliance, and identity concepts and related cloud-based Microsoft solutions and technologies. This course is intended for those who want to learn how Microsoft security, compliance, and identity solutions can span across solution areas to provide a holistic and end-to-end solution. Also, this course will help you to prepare to successfully pass the Security, Compliance, and Identity Fundamentals SC-900 exam. This SC-900 course deals more with theory than practice. The knowledge from this course will help you to determine the direction of your future interest and learning about cloud security, as well as your overall cloud security journey.

This course is the first in a series of courses on security in the Azure cloud environment. If you want to deeply learn how to design and apply security in the Azure cloud environment, several courses from this series are available: SC-200 Microsoft Security Operations Analyst, SC-300 Microsoft Identity and Access Administrator, SC-400 Microsoft Information Protection Administrator, and SC-100 Microsoft Cybersecurity Architect. All those courses should give you the knowledge to successfully pass the certification exam and also the ability to successfully implement all cloud security solutions in your Azure cloud environment.

In order to successfully follow and understand this SC-900 course, you should have general knowledge of network and cloud computing concepts, general IT knowledge or any general experience working in an IT environment, and a general understanding of Microsoft Azure and Microsoft 365. If you don't have this knowledge, I strongly recommend that you first take the AZ-900 Azure Fundamentals course or a similar course such as AZ-104 Azure Administrator. The free version of the AZ-900 Azure Fundamentals course will be available on this portal.

If you are still with me, let's get started. What will we learn in this course? This course is divided into four segments. The first segment is Describe the concepts of security, compliance, and identity, which has two modules. The second segment is Describe the capabilities of Microsoft Azure Active Directory, part of Microsoft Entra, which has four modules. The third segment in this course is Describe the capabilities of Microsoft security solutions, which also has four modules. And segment number four, Describe the capabilities of Microsoft compliance solutions, has six modules.

During this course I will go through multiple demo environments to show you some of the solutions directly in the portal, such as Azure Active Directory user settings, Azure Active Directory self-service password reset, Azure Active Directory Conditional Access, Azure network security groups, Microsoft Defender for Cloud, Microsoft Sentinel, Microsoft Defender for Cloud Apps, the Microsoft 365 Defender portal, the Service Trust Portal, the Microsoft Purview compliance portal, sensitivity labels and policies, etc. At the end of each segment we will do a short review to see what we learned in that segment.

But first let me say a little about cloud security in general: an overview of cloud security, why cloud security is important, what some of the cloud security challenges are, what types of cloud security solutions are available, etc. Today we are more connected than ever. Cloud security is a broad set of technologies, policies, and applications that are applied to defend online IP services, applications, and other data against cybersecurity threats and malicious activities. While the cloud offers exciting opportunities for organizations to surpass the capabilities of an on-premises environment, it also presents new cybersecurity challenges for networking, managing, and securing cloud access. At each critical stage of your cloud transformation journey, you need security management to stay ahead of advanced threats. Integrating cloud into your existing enterprise security program is not just about adding a few more controls or point solutions; it requires an assessment of your resources and business needs to develop a fresh approach to your culture and cloud security strategy.

The question is, what is cloud security? Cloud security is a collection of procedures and technologies designed to address external and internal threats to business security. Organizations need cloud security as they move on to their digital transformation strategies and incorporate cloud-based tools and services as a part of their infrastructure. The terms digital transformation and cloud migration have been used regularly in the enterprise. While both phrases can mean different things to different organizations, they are driven by a common denominator: the need for change. As enterprises embrace those concepts and move to optimizing their operational approach, new challenges arise when balancing productivity levels and security. While more modern technology helps organizations advance capabilities outside the confines of on-premises infrastructure, transitioning primarily to a cloud-based environment can have several implications if not done securely. Striking the right balance requires an understanding of how a modern enterprise can benefit from the use of interconnected cloud technology while deploying the best cloud security practices.

Why is cloud security important? In modern enterprises there has been a growing transition to cloud-based environments and the Infrastructure as a Service, Platform as a Service, or Software as a Service computing models. The dynamic nature of this management, especially in scaling services, can bring other challenges to the enterprise when adequately resourcing their environment. Those as-a-service models give the organization the ability to offload many of the time-consuming IT-related tasks. As companies continue to migrate to the cloud, understanding the security requirements for keeping data safe has become very critical. While third-party cloud computing providers may take on the management of infrastructure, the responsibility for data asset security and the accountability doesn't necessarily shift along with it. By default, most cloud providers follow best security practices and take active steps to protect the integrity of their servers. However, organizations need to make their own considerations when protecting data, applications, or workloads running in the cloud. Security threats have become more advanced as the digital landscape continues to evolve. These threats explicitly target cloud computing providers due to an organization's lack of visibility into data access and movement. Without taking active steps to improve their cloud security, organizations can face significant governance and compliance risks when managing client information, regardless of where it is stored. Cloud security should be an important topic of discussion regardless of the size of your enterprise. Cloud infrastructure supports nearly all aspects of modern computing in all industries and across multiple verticals. However, successful cloud adoption is dependent on having in place adequate countermeasures to defend against modern cyber attacks. Regardless of whether your organization operates in a public, private, or hybrid cloud environment, cloud security solutions and best practices are a necessity to ensure your business continuity.

What are some cloud security challenges? Lack of visibility: it's easy to lose track of how your data is being accessed and by whom, since many cloud services are accessed from outside the corporate network and through third parties. Multi-tenancy: a public cloud environment houses multiple client infrastructures under the same umbrella, so it is possible your hosted services can get compromised by malicious attackers as collateral damage when they are targeting other businesses. Access management and shadow IT: while enterprises may be able to successfully manage and restrict access points across on-premises systems, administering the same level of restriction can be challenging in cloud environments. This can be dangerous for organizations that don't deploy bring-your-own-device policies and allow unfiltered access to cloud services from any device or geolocation. Compliance: regulatory compliance management is oftentimes a source of confusion for enterprises using public or hybrid cloud deployments. Overall accountability for data privacy and security still rests with the enterprise, and heavy reliance on third-party solutions to manage these components can lead to costly compliance issues. Misconfiguration: misconfigured assets accounted for 86 percent of breached records, making inadvertent insiders a key issue for cloud computing environments.

What types of cloud security solutions are available? Azure offers a lot of solutions; let me mention some of them. Identity and access management: identity and access management tools and services allow enterprises to deploy policy-driven enforcement protocols for all users attempting to access both on-premises and cloud-based services. The core functionality of identity and access management is to create digital identities for all users so they can be actively monitored and restricted when necessary during all data interactions. End-to-end protection, like Microsoft Defender for Cloud, Microsoft Defender for Cloud Apps, GitHub Advanced Security, Microsoft Entra Permissions Management, Azure network security, Microsoft Defender External Attack Surface Management, etc. Data loss prevention: data loss prevention services offer a set of tools and services designed to ensure the security of regulated cloud data. DLP solutions use a combination of remediation alerts, data encryption, and other preventative measures to protect all stored data, whether at rest or in transit. Security information and event management, like Azure Sentinel, which provides a comprehensive security orchestration solution that automates threat monitoring, detection, and response in cloud-based environments. Using artificial-intelligence-driven technologies to correlate log data across multiple platforms and digital assets, security information and event management technology gives IT teams the ability to successfully apply their network security protocols while being able to quickly react to any potential threat. We will talk more about this during this course.

Now let's start with the first section: Describe the concepts of security, compliance, and identity. Module 1 describes the security and compliance concepts, and we will describe the shared responsibility and defense-in-depth security models, describe the Zero Trust model, describe the concepts of encryption and hashing, and describe some basic compliance concepts. This is basic knowledge that has been validated through the existing cloud security standards and best practices.

But first, how can we understand security and compliance concepts? Security and compliance are interconnected but different from each other in a few key ways. Security refers to the systems and controls that a company implements to protect its assets, and compliance refers to meeting the standards that a third party has set in advance as best practices or legal requirements. There are a number of standards that are specifically designed to help companies create secure IT systems, as well as laws like HIPAA, for example, that have been passed to ensure that companies are doing their due diligence to protect sensitive data. While your organization may automatically adopt a few security measures to help protect your business data, compliance offers a strategy to bring yourself into alignment with industry best practices and to make sure that you are following the law.

Organizations face many challenges with securing their data centers, including recruiting and keeping security experts, using many security tools, and keeping pace with the volume and complexity of threats. As computing environments move from customer-controlled data centers to the cloud, the responsibility for security also shifts. Security of the operational environment is now a concern shared by the cloud provider and the customer. By shifting responsibility to Azure, organizations can get more security coverage, which allows them to move security resources and budget allocation to other business priorities. To ensure that the proper security controls are provided, a careful evaluation of the security and technology choices becomes necessary. The first thing to understand about cloud security is that different scopes of responsibility exist depending on the kind of service you use. For example, if you use a virtual machine in Azure, which provides Infrastructure as a Service, Microsoft will be responsible for helping secure the physical network, physical storage, and the virtualization platform, which includes updating the virtualization hosts. But you will take care of helping secure your virtual network and public endpoints and updating the guest operating system of your virtual machine, etc. But for all cloud deployment types, you own your data and identities. You are responsible for helping secure your data and identities and the cloud components you control, which vary by the service type you use. Regardless of the deployment type, you always retain responsibility for the data, endpoints, accounts, and access management.

Defense in depth. Defense in depth is a strategy that utilizes a series of mechanisms to prevent unauthorized access to data. The purpose of defense in depth is to protect and prevent information from being stolen by individuals not authorized to access it. The common principles used to define a security posture are confidentiality, integrity, and availability. Confidentiality: the principle of least privilege restricts access to information only to individuals explicitly granted access. This information includes the protection of user passwords, remote access certificates, email content, etc. Integrity: the prevention of unauthorized changes to information at rest or in transit. A common approach used in data transmission is for the sender to create a unique fingerprint of the data using a one-way hashing algorithm. The hash is sent to the receiver along with the data; later the hash is recalculated and compared to the original by the receiver to ensure that the data wasn't lost or modified in transit. And availability ensures services are available to authorized users only. Denial-of-service attacks are a prevalent cause of the loss of availability to users.

Defense in depth can be visualized as a set of layers, with the data to be secured at the center. Each layer provides protection so that if one layer is breached, a subsequent layer is already in place to prevent further exposure. For example, in the diagram, physical security is the first line of defense to protect computing hardware in the data center. Identity and access controls access to infrastructure and change control. The perimeter layer uses distributed DDoS protection to filter large-scale attacks before they can cause denial of service for end users. The networking layer limits communication between resources through segmentation and access controls. The compute layer secures access to virtual machines, and the application layer ensures applications are secure and free of vulnerabilities.

Zero Trust is an IT security model that eliminates the traditional idea of trust to protect networks, applications, or data. This is in contrast to the traditional perimeter security model, which presumes that bad actors are always on the untrusted side of the network and trusted users are always on the trusted side. With Zero Trust, those assumptions are nullified and all users are presumed to be untrusted. According to Forrester research, a Zero Trust solution must ensure that only known, allowed traffic or legitimate application communication is allowed by segmenting and enabling layer 7 policy; also leverage a least-privilege access strategy and strictly enforce access control; and inspect and log all traffic. Otherwise it can be very simple for an attacker to gain access to the company's network. Those principles may be straightforward to implement in an enterprise network, but how do they apply to the cloud? Your implementation must inspect all traffic for all applications, or it does not truly deliver Zero Trust. The Zero Trust model will state to never assume trust but instead continuously validate trust. Determination components include an identity provider, a device directory, a policy evaluation service, and an access proxy. Migrating to a Zero Trust security model provides for a simultaneously simpler implementation of security over conventional network-based approaches and better enables users to get the access they need. The Zero Trust model requires signals to inform decisions, policy to make access decisions, and enforcement capabilities to implement those decisions efficiently.

The Zero Trust model has three principles which guide how security is implemented. Those are verify explicitly, least privilege access, and assume breach. Verify explicitly: always authenticate and authorize based on the available data points, including user identity, location, devices, services or workload, data classification, anomalies, etc. Least privilege access: limit user access by implementing just-in-time and just-enough access. Assume breach: segment access by the network, users, devices, and application; use encryption to protect data; and use analytics to get visibility, detect threats, and improve your security. Zero Trust also serves as an end-to-end strategy based on six foundational pillars. Identities: verify all identities with strong authentication. Devices: it's important to get visibility into all devices accessing your network. Applications: this includes being able to discover shadow IT and the ability to control access to applications and monitor access with real-time analytics. Network: this includes encryption on all your communications, limiting access by policy, and network segmentation. Infrastructure: this includes employing real-time threat detection, automatically detecting, blocking, and flagging risks, and employing the least-privilege access principle. Data: this includes being able to classify, label, and encrypt data wherever it lives or travels.

One way to mitigate against common cybersecurity threats is to encrypt sensitive or valuable data. Encryption is the process of making data unreadable and unusable to unauthorized viewers. To use or read encrypted data, it must be decrypted, which requires the use of a secret key. Encryption at rest: what is encryption at rest? That's for data that is stored on a physical device such as a server. It may be stored in a database or a storage account in the cloud, but regardless of where it is stored, encryption of data at rest ensures that the data is unreadable without the keys and secrets needed to decrypt it. If an attacker obtained a hard drive with encrypted data and didn't have access to the encryption keys, they would be unable to read this data. Encryption in transit: data in transit is data moving from one location to another, such as across the internet or through a private network. Secure transfer can be handled by several different layers. It could be done by encrypting the data at the application layer before sending it over the network. HTTPS is an example of encryption in transit. Encrypting data in transit protects it from outside observers and provides a mechanism to transmit data while limiting the risk of exposure. Encryption for data in use: a common use case for encryption of data in use involves securing data in non-persistent storage such as RAM or CPU caches, etc. This can be achieved through technology that creates an enclave (think of it like a secure lockbox) that protects the data and keeps the data encrypted while the CPU is processing this data.

There are two top-level types of encryption: symmetric and asymmetric. Symmetric encryption uses the same key to encrypt and decrypt data. Asymmetric encryption uses a public key and private key pair. Either key can encrypt data, but a single key cannot be used to decrypt the data it encrypted; to decrypt you need the paired key. Asymmetric encryption is used for things like Transport Layer Security (TLS), such as the HTTPS protocol, and data signing. For asymmetric encryption, public key infrastructure, or PKI, is usually used, which has its own hierarchy starting with the root certification server. A certification server will issue a certificate with the public key, while the private key will stay available only to the certificate owner.

A hash function is a mathematical function or algorithm that simply takes a variable number of characters, called the message, and converts it into a string with a fixed number of characters, called the hash value or simply hash. Hashing is useful to ensure the authenticity of a piece of data and that it has not been tampered with, since even a small change in the message will create an entirely different hash. Hash functions are the basic tools of modern cryptography that are used to authenticate transactions, messages, digital signatures, etc. Data can be compared to the hash value to determine integrity. Usually data is hashed at a certain time and the hash value is protected in some way. At a later time the data can be hashed again and compared to the protected value. If the hash values match, the data has not been altered; if the values do not match, the data has been corrupted. For this system to work, the protected hash must be encrypted or kept secret from all untrusted parties. Previously we talked about encryption, which is a reversible process, but hashing is not. The main purpose of hashing is to check the integrity of the data, whereas the main purpose of encryption is to secure data by converting it into an unreadable format. Password hashing is a key step to protect your users on the backend, but it is not unbreakable, because a hash is made in a consistent way, which means that it is predictable and can be beaten by a dictionary attack or rainbow table attack, etc. Salting is the act of adding a series of random characters to the password before it goes to the hashing function. Unfortunately, Azure AD does not support hash salting until today.

Once a company is in the cloud, it should be concerned with how the cloud provider helps the company remain in compliance with laws such as Europe's General Data Protection Regulation or HIPAA in the U.S. These discussions should start from the very beginning rather than after the cloud service is established. Government agencies and industry groups have issued regulations to help protect and govern the use of data, from personal and financial information to data protection and privacy. An organization can be accountable for meeting dozens of regulations to be compliant. Some of the important concepts and terms related to data compliance are data residency, data sovereignty, and data privacy. Data residency: when it comes to compliance, data residency regulations govern the physical location where data can be stored and how it will be transferred, processed, or accessed internationally. These regulations can differ significantly depending on the jurisdiction. Data sovereignty: another important consideration is data sovereignty, the concept that data, particularly personal data, is subject to the laws and regulations of the country or region where it is physically collected or processed. This can add a layer of complexity when it comes to compliance, when the same piece of data can be collected in one location, stored in another location, and processed in still another, making it subject to laws from different countries or regions. Data privacy: providing notice and being transparent about the collection, processing, use, and sharing of personal data are fundamental principles of privacy laws and regulations. Personal data means information relating to an identified natural person; privacy laws expanded this definition to any data that is directly linked or indirectly linkable back to a person. Organizations are subject to, and must operate consistent with, a multitude of laws, regulations, codes of conduct, and industry-specific standards governing data privacy, etc.

Now let's move to module 2: Describe identity concepts. We will briefly discuss understanding the differences between authentication and authorization, describe the concept of identity as a security perimeter, and describe identity-related services. But first, generally, what and who is an identity? Anything that can be authenticated. It can be a user, application, or service that requires authentication. Everyone and every device has an identity that can be used to access resources. Identity is the way in which people and things are identified on your corporate network and in the cloud. Being certain about who or what is accessing your organization's data and other resources is the fundamental part of securing your environment. Authentication is the process of proving that you are who you say you are. This is achieved by the verification of the identity of the person or device. It's sometimes shortened to AuthN. The Microsoft identity platform uses the OpenID Connect protocol for handling authentication. Authorization: authorization is the act of granting an authenticated party permission to do something; it is to specify what data you are allowed to access and what you can do with this data. Authorization is sometimes shortened to AuthZ. The Microsoft identity platform uses the OAuth 2.0 protocol for handling authorization. The difference between authorization and authentication, in simple terms: authentication is the process of verifying who someone is, whereas authorization is the process of verifying what specific applications, files, or data a user can access.

Ensuring secure identity and mobile access is top of mind, and achieving convenience explicitly at internet scale can be a daunting task for IT executives. Enterprises must work to define the line between enterprise control and granting access or permissions to individuals. The result is that identity has become the new security perimeter; only identity can both enable organizations to secure resources while giving end users a convenient and easy-to-use approach. Enterprise security needs to adapt to a new reality: the security perimeter can no longer be viewed as the on-premises network. It now extends to SaaS applications for business-critical workloads that may be hosted outside of your corporate network; extending also to personal devices employees are using to access corporate resources, which we call bring your own device, or BYOD, or working from home; extending also to unmanaged devices used by partners or customers when interacting with corporate data or collaborating with your employees; and also extending to IoT devices installed throughout your corporate network and inside customer locations.

The four pillars of identity are administration, authentication, authorization, and auditing. Administration is about the creation and management of identities for users, devices, and services. As an administrator, you manage how and under what circumstances the characteristics of identities can change by creating, updating, or deleting them. Authentication: the authentication pillar tells the story of how much assurance for a particular identity is enough. Authorization: the authorization pillar is about processing incoming identity data to determine the level of access a person or service has within an application or service that it has access to. Auditing: the auditing pillar is about tracking who does what, when, and how, and auditing also includes in-depth reporting, alerts, and governance of identities.

Modern authentication is an umbrella term for authentication and authorization methods between clients, such as your laptop or phone, and servers, like a website or application. At the center of modern authentication is the role of your identity provider. An identity provider creates, maintains, and manages identity information while offering authentication, authorization, and auditing services. With modern authentication, all services, including all authentication services, are supplied by the central identity provider. Information that's used to authenticate a user with a server is stored and managed centrally by the identity provider. With a central identity provider, organizations can establish authentication and authorization policies, monitor user behavior, identify suspicious activities, and reduce malicious attacks. When the identity, which can be a user or application, has been verified, the identity provider issues a security token that the client sends to the server. The server validates the security token through its trust relationship with the identity provider. By using the security token and the information that's contained in it, the user or application accesses the required resources on the server. Microsoft Azure Active Directory is an example of a cloud-based identity provider. Other examples are Twitter, Google, Amazon, LinkedIn, GitHub, etc. There is also the single sign-on capability, which is a fundamental capability of any identity provider in modern authentication. With single sign-on, a user logs in once and that credential is used to access multiple applications or resources. When you set up single sign-on between multiple identity providers, it's called federation.

To avoid any confusion with the Windows Server Active Directory that you may already be familiar with, understand that Azure Active Directory is not the Windows Server Active Directory running on your virtual machine or on your premises. Azure Active Directory is not a replacement for Windows Server Active Directory. If you already have an on-premises Active Directory domain, the system directory can be extended to the cloud using the directory integration capabilities of Azure Active Directory. In those scenarios, users and groups in on-premises Active Directory are synchronized to Azure Active Directory using tools such as Azure Active Directory Sync (AD Sync). This has the benefit of users being able to authenticate against Windows Server Active Directory when accessing on-premises applications and resources, and authenticating against Azure Active Directory when accessing cloud-based applications. Azure Active Directory is different from Active Directory Domain Services. Azure Active Directory is primarily an identity solution designed for internet-based applications by using HTTP/HTTPS communications. Because Azure Active Directory is HTTP/HTTPS based, it cannot be queried through LDAP; instead, Azure Active Directory uses a REST API over HTTP and HTTPS. Also, it does not use Kerberos authentication; instead it uses HTTP and HTTPS protocols such as SAML, WS-Federation, and OpenID Connect for authentication and OAuth for authorization. There are also no organizational units; Azure Active Directory users and groups are created in a flat structure in Azure Active Directory.

Federation is a collection of domains that have established trust. The level of trust may vary, but it typically includes authentication and almost always includes authorization. A typical federation may include a number of organizations that have established trust for shared access to a set of resources. You can federate your on-premises environment with Azure Active Directory and use this federation for authentication and authorization. This sign-in method ensures that all user authentication occurs on-premises, and this method allows the administrator to implement a more rigorous level of access control. Many organizations use Active Directory Federation Services to provide single sign-on. The establishing of a relationship between two different domains we call a trust relationship. This trust is not always bidirectional, but you can establish a bidirectional trust relationship; previously they called this a two-way trust relationship.

This concludes the first section of this course. Before we move on to section two, let's give a quick overview of what we learned so far, just a few segments to stay fit. Considering the shared responsibility model on the Azure cloud, we can conclude that your organization is still fully responsible for accounts and identities related to your employees and your information and data regardless of where your workload is hosted, on IaaS, PaaS, or SaaS, while Azure is fully responsible for the physical data center, network, and hosts, in other words for the underlying infrastructure. You learned too that if you want to ensure that stored data is encrypted you should use encryption at rest, because encryption in transit is intended for data that travels over the network and not for data in storage, and also a hash is not used for encryption because a hash does not encrypt data. In terms of compliance concepts, we learned, among other things, that the concept of data sovereignty refers to data, particularly personal data, which is subject to the laws and regulations of the country or region in which it is physically collected, held, or processed. You have learned that the advantage of single sign-on is a great benefit for all users because users sign in once and can access many applications or resources. We also learned that the relationship allowing federated services to access resources we call a trust relationship. We also learned that authentication is the process of verifying that a user or device is who they say they are, and authorization determines what they can do with certain resources.
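As an added example (not part of the course or of any Microsoft material), the integrity-check and password-hashing ideas from the hashing section in Python's standard library: a sender's one-way fingerprint that a receiver recomputes, a keyed (HMAC) fingerprint as one way to "protect" the hash, and an unsalted hash beside a salted, iterated one. The message, key, passwords and iteration count are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample data (not from the course): a message the sender ships with its fingerprint.
MESSAGE = b"Invoice 1042: pay 250.00 EUR to account DE00-EXAMPLE"

# Work factor for the password KDF; a value chosen for this demo, not a recommendation.
ITERATIONS = 200_000


def fingerprint(data: bytes) -> str:
    """One-way hash (SHA-256): the fixed-length 'fingerprint' the sender sends along with the data."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, expected: str) -> bool:
    """Receiver side: recompute the hash and compare it with the one that travelled with the data.

    compare_digest does a constant-time comparison so the check does not leak where they differ.
    """
    return hmac.compare_digest(fingerprint(data), expected)


def keyed_fingerprint(data: bytes, key: bytes) -> str:
    """HMAC-SHA256: a 'protected hash'. Someone who changes the data but lacks the key cannot
    recompute a matching tag, so the tag itself does not have to be kept secret in transit."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def keyed_integrity_ok(data: bytes, key: bytes, tag: str) -> bool:
    return hmac.compare_digest(keyed_fingerprint(data, key), tag)


def unsalted_password_hash(password: str) -> str:
    """Plain SHA-256 of a password: deterministic, so two users with the same password store the
    same hash, and a precomputed (rainbow) table of common passwords matches all of them at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). A fresh random salt per user makes the same
    password hash differently for each user, so a precomputed table is useless, and the
    iteration count slows down each guess."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare; the salt is stored beside the digest, not secret."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    tag = fingerprint(MESSAGE)
    tampered = MESSAGE.replace(b"250.00", b"950.00")  # one changed field in transit
    print("original intact:", integrity_ok(MESSAGE, tag))
    print("tampering detected:", not integrity_ok(tampered, tag))
    salt, digest = hash_password("Summer2023!")  # constructed sample password
    print("login ok:", verify_password("Summer2023!", salt, digest))
    print("wrong password rejected:", not verify_password("Summer2024!", salt, digest))
```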

2023-04-16
