Hello everyone welcome to IT professional learning for Security Compliance and identity Fundament course. My name is Zoran I'm Senior Solution Architect and Senior Technical Trainer. This course provide a fundamental knowledge of security compliance and identity concept and related cloud-based Microsoft solution and Technologies. This course is intended for those who want to learn how Microsoft security compliance and identity solution can spend across solution area to provide a holistic and end-to-end solution. Also this course will help you to prepare a successful pass security compliance and identity fundamentals SC 900 exam. This security 900 course deals more with Theory than practice. The knowledge from this course will help you to determinate the direction of your future interest and learning about Cloud security as well as your overall security Cloud Journey. This course is first in the series of courses on security in Azure Cloud environment if you want to deeply learn how to design and apply Security in Azure Cloud environment several courses from this series are available security 200 Microsoft Security operation analysis security 300 Microsoft identity and access administrator security 400 makes it information protection administrator and security 100 Microsoft cyber security architect all those courses should give you knowledge to successfully pass the certification exam and also ability to successfully Implement all Cloud security solution in your Azure Cloud environment in order to successfully follow and understand this security 900 course you should have general knowledge of network and cloud computing concept General I.T knowledge or
any general experience working in an IT environment and general understanding of Microsoft Azure and Microsoft 365. if you don't have this knowledge I strongly recommended that you first take a z900 Azure fundamental course or similar course such as az104 for administrator the free version of az900 azure fundamental course will be available on this port if you still with me let's get started what we will learn in this course this course is divided into in four segments for segments is describe the concept of security compliance and identity which has two modules second segment is describe the capability of Microsoft Azure active directory part of Microsoft intra which has four modules the third segment in this course is described of the capability of Microsoft security solution which also has four modules and the segment number four describe the capabilities of Microsoft compliance solution which has six nodules during this course I will go through the multiple demo environments to show you some of the solution directly on the portal such as Azure active directory user setting Azure active directory Self Service password reset Azure active directory conditional access Azure network security groups actually dependent for cloud micro Sentinel Microsoft Defender for cloud apps Microsoft 365 different dependent portal service trust portal access purview compliance portal sensitivity lab larger policies etc etc at the end of each segment we will do a short review to see what we learned in this segment but first let me say a letter about Cloud Security in general make a overview of cloud security why Cloud security is important what are the sum of the cloud security challenges what type of cloud Security Solutions are available Etc today we are more connected than ever Cloud security is a broad set of the Technologies policies applications that are applied to the different online IPS Services application and other data against cyber security threat and malicious activities my cloud offers exciting opportunity for organizations to suppress the capability of on-premise environment it's also present a new cyber security challenge for networking managing securing Cloud access at each critical stage of your Cloud transformation Journey you need to Security Management to stay ahead of advanced trend integrating Cloud into your existing Enterprise security program is not just about adding a few more controls or Point Solutions it requires an assessment of your resources and business needs to develop a Fresh Approach to your culture and Cloud security strategy question is was the cloud security Cloud security is a collection of the procedures and Technologies designed to address external and internal threats to business security organizations need Cloud security as their move on to their digital transformation strategies and incorporate cloud-based tools and services as a part of their infrastructure the terms digital transformation and Cloud migration have been used regularly in Enterprise while both phases can means different things the different organizations it is driven by the common denominator the need of change as Enterprise Embrace those Concepts and move to the optimizing their operational approach new challenges arise when balancing productivity level levels and security while more modern technology help organization Advanced capabilities outside the confines of the on-premise infrastructure transitioning primarily to the cloud-based environment can have several implications if not done securely starting the right balance requires an understanding of the how modern Enterprise can benefit from use of the interconnected Cloud technology while deploying best cloud security practices why is cloud security important in modern Enterprises this has been a growing transition to the cloud-based environment and the infrastructure as a service platform as a service or software as a service Computing modules the dynamic nature of this management especially in scaling Services can bring another challenges to the Enterprise then adequately resourcing their environment those as a service modules give the organization ability to offload many of the time-consuming it related tasks as company continue to migrate to the cloud understanding the security requirements for keeping data safe has became very critical why is the party cloud computing providers may take on the management of infrastructure the responsibility of the data as a security and the accountability doesn't necessarily shift along with it by default most Cloud provided followed by security practices and take active steps to protect Integrity of their servers however organization needs to need they are only consideration when protecting data application or workload running on a cloud security threats had became more advanced as digital landscape continue to involve this threats explicitly Target cloud computing providers uh you know to do an organization lack of visibility of the data access enrollment without taking active steps to improve their Cloud security organizations can face significant governance and compliance risks when managing client information regardless where is the storage Cloud security should be an important topic of discuss regardless of the size of your Enterprise Cloud infrastructure supports near all aspects of the modern Computing in all industry and across multiple ventricles however this list of cloud adaption is the dependent of the depending in the place adequate count measures to defend against modern Cyber attack regardless of the better your organization operates in a public private or hybrid Cloud environment Cloud Security Solutions and best practices are necessity to ensure your business continuity what are the some Cloud security challenges lack of visibility it's easy to lose track on how your data is being accessed and by whom since many cloud services are accessed outside from corporate Network entered parties multi-tenancy public Cloud environment has a multiple client infrastructure under the same umbrella so is it possible your hosted Services can get compromised by malicious attackers as a collateral damage when targeting other businesses access management and Shadow ID while Enterprise may be able to successfully manage and restrict access point across on-premises systems administrating the same level of the Restriction can be challenged in Cloud environment this can be dangerous for organization that don't deploy bring your own device policies and analog filtered access to the cloud services from any device or geolocations compliance Regulatory Compliance management is oftentimes a source of confusion for Enterprise using public or hybrid Cloud deployments overall Cloud accountability for data privacy and security still rest with the Enterprise and have you realize on the third party solution to manage disk components to list the casket compliance issue misconfiguration this configured access accounted for 68 86 percent for each records making inadvertent inside a key issue for cloud computing in our environments what uh type of cloud security solution are available Azure offers a lot of solution but lots of Nations on them so like identity and access management identity and access management tools and services allows the Enterprises to deploy policy to even enforcement protocol for all the users attempting to us both on premise and cloud-based Services functionality of identity access management is to create digital identities for all users so there can be actively monitored and restricted when necessary during all the the interactions end-to-end protection like Microsoft Defender for cloud Microsoft Defender for cloud apps GitHub Advanced security Microsoft entrap permission management Azure network security micro Defender external attack surface management etc. etc. Data loss prevention data Loss Prevention Services offers a set of tools and services designed to ensure that security of regulated cloud data DLS prevention Solutions use a combination of remediation alerts data encryptions and other preventative measures to protect all stored data whether they are addressed or in transit security information like Azure Sentinel which provides a comprehensive orchestration orchestration solution that automate track monitoring detection and response in cloud-based environment using the artificial intelligence driven Technologies to correlate log data across multiple platform and digital assets security information and event management technology give it teams ability to successfully apply the network security protocols while be able to quickly react to any Potential Threat we will talk more about this during this course now let's start with the first section describe the concept of security compliance and identity uh module 1 described the security and compliance concept and we will describe the shared responsibility and defense in-depth security modules describe the zero trust modules describe the concept of encryption and hashing describe some basic compliance concept this is basic knowledge that has a be validate through the existing Cloud security standard and best practices but first how can we understand security and compliance concept security and compliance are the interconnected but different from each other in a few key ways security refers to the system and controls that our company Implement to protect its assess and compliance refers to meeting the standards that a third party has set in advance as best practices or legal requirements there are a number of the standards that are specifically designed to help companies create secure IIT systems as well as Labs like HIPAA for example that have been passed to ensure that companies are doing their due diligence to protect sensitive data while your organization May automatically adopt few security measures to help protect your business data compliance offers strategy to bring your self into alignment with industry best practices and to make sure that you following the law organizations face many challenges with securing their data centers including recruiting keeping secure expert using many security tools and keeping peace with volume and complexity of the threats as Computing environments boom from the customer Control Data Center to the cloud the responsibility of security is also shift security of the operational environment is now a concern shared by the cloud provider and customer by shifting responsibility to azure organizations can get more security coverage which allows them to move security resources and budget allocation to other business priorities to ensure that the prepare security control are provided a careful evaluation of the security and Technology Choice became necessary first things to understand about Cloud security is that different scope of responsibility exists depending of the kind of service you use for example if you use Virtual Machine in Azure which provides infrastructure as a services Microsoft will be responsible for helping secure physical Network physical storage and neutralization platform which includes updates virtualization costs but you will take the care of helping secure your virtual Network and public endpoint and updating the guest operating system of your virtual machine etc. but for all Cloud deployment types you own your data and integrities you are responsible for helping secure your data and identities and the cloud components you control which vary by service type you use regardless of the deployment type you always retain responsibility for the data endpoints accounts and access management depends in depth defense in depth is a strategy that utilizes a series of mechanisms and prevent unauthorized access to data the purpose of Defense in the app is to protect and prevent information from begin stolen by individuals not authorized to access it the common principles used to define security pasture are confidentiality integrity and availability confidentiality principle of last privilege restrict access to information only to individuals explicitly Grant access this information includes the protection of user passwords remote access certificates and email content etc. integrity
the prevention of unauthorized changing to information of the rest or in transit a common approach used in data transmission is for the sender to create a unique fingerprint of the data using one-way hashing algorithm the hash is sent to the receiver along the data latest hash is recalculated and compared to the original by the receiver to ensure that the data wasn't lost or modified in the transit and availability ensure service are available to authorized user only denial of service attack are prevalent cows of the loss of availability to users defense in depth can be visualized as a set of the layers with data to be secured at the center each layer provides the protection so that if one layer is Branched a subsequent layer is already in place to prevent for example in the diagram physical security is the first line of defense to protect Computing Hardware in data center identity and assess control access to infrastructure and change control perimeter layer use distribute DDOS protection to filter large-scale attacks before dark and cause denial of services for end users networking level limits Communications between resources throughout the segmentation and access control compute layer secure success to Virtual machines and application layer ensure applications are secure and free of vulnerabilities zero trust is it security module that eliminate traditional idea of the trust to protect Network application in or data this is the contrast to the traditional perimeter security module which presumes that bad actors are always on the untrusted side of the network and trusted user are always on trusted side with zero trust those assumptions are nullified and all users are presumed to be untrust according to Forest research zero trust solution must ensure that only known a lot of traffic or legitim application communication is allowed by segmenting and enabling layer 7 policy also leverage a last privilege access strategy and strictly enforce Access Control inspect and log all traffic otherwise it can be very simple for an attacker to gain access to the company's Network those principles maybe stay forward to implement in an Enterprise Network but how do they play to the cloud your implementation must inspect all traffic for all application or it is not truly delivered zero trust zero trust module will stay to never assume trust but instead continuously validate Trust determination components includes a identity provider device directory policy Evolution service and access proxy immigrating to zero trust security module provides for us simultaneously Implement of security over conventional network-based approach and to better enables users that they are need access zero trust module required signals to inform decisions policy to make access decision and enforcement capabilities to implement those decisions efficiently zero trust module has three principles which guide how security is implemented those are verify explicitly last privilege access and assume branches verify explicitly allows authenticate and authorized based on the available data points including user identity location devices services or workload data classification anomalies etc. last privilege access limit to user access uh implementing just the time and just enough access assume branches segment accessed by the network using devices and application use encryption to protect data and use analytics to get visibility detect threats and improve your security zero trust also also serves as a end-to-end strategy based on the six foundational pillars identities verify all identity with strong Authentication devices it's important to get visibility into all devices accessing your network application this includes being able to discover Shadow I.T and the ability to control access to application and monitor access with real-time Analytics Network this includes encryption on all your communication limiting assets by the policy and the network segmentation infrastructure this includes uh employing real-time threat detection automatically detecting blocking and flagging a risk and employee last privileged access principle in data this includes being able to classify label and encrypt data whenever it leaves or travel one way to mitigate against common cyber security threats is to encrypt sensitive or variable data encryption is a process of making data unreadable and unusable to unauthorized viewers to use or read encrypted data it must be decrypted with required to use a secret key encryption at rest what is the encryption address that's the data does the storage on the physical device such as server uh it may be stored in database or storage account in the cloud but regardless of where is the storage encryption of data addressed ensures that the data unreadable without the key and secrets needed to decorate it if an attacker obtaining hard drive with encrypted data and didn't have access to encryption keys that would be unable to read this data encryption in transit data in transit is the data moving from one location to another such as across the internet or through the private Network secure transfer can be handled by the several different layers it could be done by encrypting the data at the application layer before sending over the network https is an example of encryption in transit scripting data in transit to protect it from outside observers and provides mechanism to transmit data by limiting risk of an exposure encryption for data in use common use case for encryption data is used involves secure data in non-persistent storage such as Ram or CPU caches etc. this can be achieved through the technology that create an unclean think like security bugs that protects the data and keeps data encrypted while CPU processing this data there are two type levels of encryptions a symmetric and asymmetric symmetric encryption is used the same key to encrypt and decrypt data asymmetric encryption use the public key and private key pair either key can encrypt data but a single key cannot be used to decrypt encrypt the data to decrypt you need to pair it key asymmetric encryption used for things like transport layer security TLS such as a HTTP protocol in data signing for asymmetric encryption is usually usually used publicly key infrastructure or PKA which has own hierarchy starting with the root certification server to ensure certification server ensure server will issue certificate with the public key until private key will stay only available for the certificate owner hash function is a mathematical function all our algorithm that simply takes a variable number of characters called the message and converts into string with fixed number of the characters called hash value all or simple hash hashing is useful to ensure authenticity of the piece of data and that has not be temporary even since Small Change in the message will create an entirely different hash functions are the basic tools of modern cryptography that are used in to authenticate transaction messages digital signature etc. data can be compared to the hash value to determinate
integrity usually data is hashed on the certain time and hash value as protected on some way at a later time data can be hashed again and compared to the protected value if the hash value match the data has not been altered if the value do not match the data has to be corrupted for this system to work to protect hash must be encrypted or keep secret from all untrusted party previously we talk about encryption which is a reversible process but hashing is not main purpose of hashing is to check the Integrity of the data where is the main purpose of encryption is secure data by converting into an unreadable format password hashing is a key step to protect your user on backend but is not unmistakable because hash is making a consistent way that means that is predictable and can be beaten by additional attack or rainbow table tag etc. South ink is the act of the adding the series of random characters to the password before going to the hashing function unfortunately Azure ad do not support hash assaulting until today once a company is on the cloud it should be concerned with how the cloud provides help company remain in compliance with the laws such as Europe General data protection regulation or HIPAA in U.S this is these discussion should start from very beginning rather than after the cloud service is established government agency and Industry groups had issued a regulation to help protect and govern use of data from personal and financial information to data protection and privacy organization can be accountable for meeting dozens of regulations to be compliant some of the important important Concepts in turn that related to data compliance are data residency data sovereignty and data privacy did the residency when it came to compliance daily residency regulations govern the physical location where data can be stored and how will be transferred processed or accessed internationally this regulation can differ significantly depending of jurisdiction data severity another important consideration is data severity the concept of the data particularly personal data is subject to the love and regulation of the countries or region where is the physically collected or processed scan add layer of complexity when it came to compliance when the same piece of data can be collected in one location stored in another location process instill another search making it subject to Labs from the different country or regions data privacy providing notice and being transparent about the collection processing use and sharing a personal data are fundamental principles of privacy loves and regulations personal data means information related to identifying natural person privacy lives expanded this definition to any data that is directed linked or indirectly linkable back to the person organizations organizations are subject to and must operate consistent with a multitude Labs regulations goes cause of conduct into industry specific standard compliance Center government data privacy Etc now let's move to the module 2 describe identity concept we will briefly discuss about understanding the differences between our dedication and authorization describe the concept of identity as a security perimeter and describe identity related services but first generally what and who is the identity anything that can be authenticated it can be user application or services that require authentication everyone and every devices has an identity that can be used to access resources identity is the way in which people and things are identified on your corporate Network and in the cloud being certain about who or what accessing your organization data and other resources that's the fundamental party of securing your environment Authentication is a process of the proving that you are who you say you are this is achieved by the verification of identity on the person or device it's sometimes shortened to alt n Microsoft identity platform use open ID connect protocol for handling Authentication authorization authorization is act granting and authenticated party permission to do something is to specify what data you are allowed to access what you can do with this data authorization in sometimes shortened to our Z Microsoft identity platform use all out two point protocol for handling authorization difference between authorization in authentication authorization simple Means versus authentication is processes to verifying who someone is where is authorization is a process of verifying for specific specific application files or data user can access ensuring secure identity and mobile access is top and action convenience explicitly at the internet scale can be adapting task for ID Executives Enterprise Master worker defined the line between Enterprise control and grained access or permission to the individuals the result is that the identities became new security perimeter only identity can buff enable organizations to secure resources while giving end users convenience and easy of use approach Enterprise security needs to adopt a new reality the security perimeter can no longer be viewed as on-premise Network it's now extends to the SAS SAS applications for business critical workload that may be hosted outside of your corporate Network extending also a personal devices for employers using to access to corporate resources we call this bring your own device or by working from home extending also to unmanaged devices used by the partners or customers when interacting with corporate data or collaborating with your employees and also extending to iot devices installed through your corporate Network and inside the customer location four pillars of identity are Administration authorization auditing uh Administration is about creation and management of identity for users devices and services as an administrator you manage how and under what circumstances characteristic of identities can change by creating update or delete Authentication authentication people are tell the story on how much Assurance for particular identity is enough uh authorization authorization pillar is about processing incoming identity data to determinate the level of access and the person or service has within an application of services that has access and auditing POS is about tracking who those what when and how and also auditing include in deep reporting alerts and governance of identities modern authentication is an umbrella term for authentication and authorization matter between clients such as your laptop phone server like website or application etc. at the center of the
modern authentication is the role of your identity provider and identity provider creates meetings and manages identity information by authoring authentication authorization and auditing services with the modern authentication all services including all authentication services are supplied by the central identity provider information that's used to authenticate a user with server is stored and managed centrally by identity provider with a central identity provider organization can establish authentication and authorization policy monitor user Behavior identify suspicious activities and reduce malicious adapter I mean the identity which can be user or application has been verified the identity provider issues a security token that the client sends to the server the server validates security token through its trust relationship with identity provider by using security token and information that's contained with it the user or application access required resources on the server Microsoft Azure active directory is an example of cloud-based identity provider other exactly through the Twitter Google Amazon LinkedIn GitHub Etc there are also single signal capability does the fundamental capability of any identity provider in the modern authentication with supporting single sign-on I've been single sign-on user logs in one and then credential is used to access multiple application or resources when you set up a single sign-on between multiple identity providers it's called Simple Federation to avoid any confusion with the Windows Server active directory that you may already be familiar Within understand that the Azure active directory is not the Windows Server active directory running on your virtual machine or on your premise Azure active directory is not a replacement for Windows Server active directory if you already have on-premise active directory domain system directory can be extended to the cloud using directory integration capabilities of azure active directory in those scenarios users and groups in on-premise active directory are synchronized to Azure active directory using the tools such as Azure active directory sync ad-sync this has the benefits for user being able to authenticate against Windows Server active directory when assessing on-premise applications and resources and automating against Azure active directory when assessing cloud-based applications Azure active directory is different from artist directory domain Services Azure active directory is the primary and identity solution and design for internet-based application by using HTTP https Communications because Azure active directory is HTTP https based it cannot be queried through the ldap instead Azure active directory use rest API over HTTP and https also it does not use Kerberos authentication instead it use httpa and https protocols such as saml Windows service Federation and open ID connect for authentication and or out for authorization there is also uh no organization units Azure active directory using and group are created in flat structure in Azure active directory Federation is collection of the domains that have established trust the level of trust may vary but typically includes authentication and almost always include authorization typical Federation may include the numbers of organizations that have established trust for shared access to set up the resources you can Federate your on-premise environment with the interactive directory and use this Federation for authentication and authorization designing method ensure that all the users authentication occurs on-prems and this method allows the administrator to implement more rigorous level of access control many organizations many organizations use active directory Federation service to provide civil sign-on um establishing relation between two different domain we call Trust relationship this trust is not always bidirectional but you can establish bidirectional uh trust relationship previously they call this two-way trust relationship this concludes the first section of this course before we move on the section two let's give a quick overview of what we learned so far just a few segments to stay fit considering shared responsibility module on Azure cloud we can conclude that your organizations is still fully responsible for account identities related to your employees and your information and data regardless of where your workload is hosted on is pass or SAS until Azure is fully responsible for a physical data center Network and hosts in other words for underlying infrastructure you learn to if you want to ensure that the story data is encrypted you should use encryption at rest because encryption in transit is intended for data that travels over the network and not for data on the storage and also hash is not used for encryption because hash does not encrypt data in terms of compliance concept we learned among other things does the concept of data severity refers to data particularly personal data which is subject to the loves and regulation of the country or region in which is physically collected hold or proceed you have learned that the advantage of the single sign on is a great benefit for all the users because the users sign in once and can access many applications or resources we also learned that the relationship allowing Federated services to access resources we call this trust relationship we also learned that authentication is a process verifying that user or device is who they are say they are and authorization determinate what it can do with certain resources
2023-04-16