Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Microsoft Cybersecurity Architect Exam Ref SC-100

You're reading from   Microsoft Cybersecurity Architect Exam Ref SC-100 Get certified with ease while learning how to develop highly effective cybersecurity strategies

Arrow left icon
Product type Paperback
Published in Jan 2023
Publisher Packt
ISBN-13 9781803242392
Length 272 pages
Edition 1st Edition
Arrow right icon
Author (1):
Arrow left icon
Dwayne Natwick Dwayne Natwick
Author Profile Icon Dwayne Natwick
Dwayne Natwick
Arrow right icon
View More author details
Toc

Table of Contents (20) Chapters Close

Preface 1. Part 1: The Evolution of Cybersecurity in the Cloud
2. Chapter 1: Cybersecurity in the Cloud FREE CHAPTER 3. Part 2: Designing a Zero-Trust Strategy and Architecture
4. Chapter 2: Building an Overall Security Strategy and Architecture 5. Chapter 3: Designing a Security Operations Strategy 6. Chapter 4: Designing an Identity Security Strategy 7. Part 3: Evaluating Governance, Risk, and Compliance (GRC) Technical Strategies and Security Operations Strategies
8. Chapter 5: Designing a Regulatory Compliance Strategy 9. Chapter 6: Evaluating the Security Posture and Recommending Technical Strategies to Manage Risk 10. Part 4: Designing Security for Infrastructure
11. Chapter 7: Designing a Strategy for Securing Server and Client Endpoints 12. Chapter 8: Designing a Strategy for Securing SaaS, PaaS, and IaaS 13. Part 5: Designing a Strategy for Data and Applications
14. Chapter 9: Specifying Security Requirements for Applications 15. Chapter 10: Designing a Strategy for Securing Data 16. Chapter 11: Case Study Responses and Final Assessment/Mock Exam 17. Index 18. Other Books You May Enjoy Appendix: Preparing for Your Microsoft Exam

Evolution of cybersecurity from on-premises to the cloud

When protecting an on-premises data center and infrastructure, a cybersecurity architect designs many of the controls to protect physical assets and keep bad actors from entering at either physical data center entry points or internet service provider (ISP) network entry points. Traditionally, these protections would have been a combination of physical security appliances, such as firewalls for packet investigation, and protection against attacks through endpoint devices by only allowing access to the data center with SSL VPN-encrypted connections. These devices were managed by the company and given antivirus and anti-malware software to mitigate potential attacks.

As companies move to more cloud-native applications, such as Microsoft 365, and build infrastructure on cloud providers, such as Microsoft Azure, companies have moved their responsibility for security away from physical to virtual environments. This creates new vulnerabilities that the company must identify and plan ways in which to mitigate against threats. The following sections will discuss how a cybersecurity architect should begin to plan for protection and controls within a cloud and hybrid infrastructure.

Defense-in-depth security strategy

When protecting the cloud and hybrid infrastructure, there are many aspects that need to be considered. As you go through the various solutions offered within Microsoft 365 and Azure, these methodologies and principles play a key role in the process of protecting resources, identity, and data. One of the primary strategies for protecting your company is through defense in depth. Having a strong defense-in-depth security posture addresses the areas of the cybersecurity kill chain. The next section will discuss the concept of building a defense-in-depth security posture.

Building a defense-in-depth security posture

In order to protect your company from cyber attacks, you should have controls in place that address the stages of cyber attacks and that maintain a defense-in-depth security posture. When planning for the security of information technology resources, protecting one aspect is not enough; every aspect of the infrastructure should have security controls in place to protect at all levels. Controls are the services or solutions that we have in place to properly secure and protect the resources at that level of defense.

Each of these levels of defense is important since attackers look for various entry points into a company network. The levels of defense in depth are shown in Figure 1.1.

Figure 1.1 – Defense-in-depth security

Figure 1.1 – Defense-in-depth security

Now that you know why defense in depth is important, let’s discuss each of these areas and provide an example of a control that can be used for protecting resources.

Physical

The physical level of defense includes the actual hardware technology and spans the entire data center facility. This includes the compute, storage, and networking components, rack spaces, power, internet, and cooling. It also includes the room that the equipment is housed in, the building location and its surroundings, and the processes that are in place for the guards, physical security staff, or guests that access these locations.

Protecting the physical level of defense in depth encompasses how we create redundancy and resiliency in the previously mentioned systems, and how we record and audit who accesses the building and systems. This could include gated fences, guard stations, video surveillance, logging visitors, and background checks. These physical controls should be in place for any company that utilizes its own private data center.

When utilizing Microsoft cloud services, the physical controls are Microsoft’s responsibility. We will discuss shared responsibility for cloud security in the next section.

Identity and access

Since the provider is responsible for the physical controls within cloud services, identity and access become the first line of defense that a customer can configure and protect against threats. This is why statements such as “Identity is the new control plane” or “Identity is the new perimeter” have become popular when discussing cloud security. Even if your company maintains a private data center for the primary business applications, there is still a good chance that you are consuming a cloud application that uses your company identity. For this reason, having the proper controls in place, such as multi-factor authentication (MFA), conditional access policies, and Azure AD Identity Protection, will help to decrease vulnerabilities and recognize potential threats before a widespread attack can take place.

Perimeter security

Within a private data center, where the company controls the internet provider connection terminations and has their firewall appliances, intrusion detection and protection solutions, and DDoS protection in place and fully configured, the protection of the perimeter is a straightforward architecture.

When working within cloud providers, perimeter security takes on a different focus. The cloud providers have agreements with the internet providers that provide services to their data centers and these providers terminate these connections with their hardware. The company perimeter security then becomes more of a virtual perimeter to their tenant, rather than a physical perimeter to the data center network facilities. The company now relies on the provider’s ability to protect against DDoS attacks at the internet perimeter.

Within Microsoft, DDoS protection is a free service, since Microsoft wants to avoid a DDoS attack that would bring down a large number of their customers in a data center. For additional perimeter protection, the company can implement virtual firewall appliances to protect the tenant perimeter, to block port and packet level attacks, and additional solutions, such as Application Gateway, with a web application firewall (WAF) to protect from application layer attacks.

Network security

The perimeter and network security layers work closely together. Both focus on the network traffic aspect of the company infrastructure. Where perimeter security handles the internet traffic that is entering the tenant, or data center, network security solutions protect how and where that traffic can be routed once it passes through the perimeter. Once an attacker can gain access to a system on the network, they will want to find ways to move laterally within the network infrastructure. Having proper IP address and network segmentation on the network can protect against this lateral movement taking place.

On a private data center network, this can be accomplished within switch ports with virtual Local Area Networks (LANs), or VLANs, configured to block traffic between network segments. In a cloud provider infrastructure, virtual networking, or VNETs, can accomplish similar network segmentation. In an Azure infrastructure, network security groups and application security groups can also be configured on network interfaces with additional port, IP address, or application layer rules for how traffic can be routed within the network.

Compute

After network security, we begin to get into the resources that hold our data. The first of these is our compute resources. In order to maintain clarity, we will generalize the compute layer as the devices with an operating system, such as Linux or Windows. Compute resources also include platform-based services where the compute layer is managed by the cloud provider, such as Azure App Service, Azure Functions, or containers. Within your own private data center with equipment that you own, protecting the host equipment and avoiding exposure by hardening the virtual hypervisor is necessary. In the public cloud, Microsoft or another cloud provider will be responsible for this. Our responsibility on virtual machines relies on maintaining proper patching of updates and security, to avoid having exploit vulnerabilities within the operating system. In addition, encrypting virtual machine operating systems and disks with Azure Disk Encryption will protect the image from being exposed.

A common attack at the compute layer is scanning and gaining access to management ports on devices. Not exposing these ports, 3389 for Windows Remote Desktop Protocol (RDP) and 22 for Linux Secure Shell (SSH) Protocol, to the internet will provide a layer of protection against these attacks. Within Microsoft Azure, this can be accomplished with network security group rules, removing public IP addresses on virtual machines, bastion hosts, and/or utilizing just-in-time virtual machine access. Many of these security options will be discussed in Chapter 7, Designing a Strategy for Securing Server and Client Endpoints.

Applications

The layer of defense that is closest to our data is our applications. Applications present data to users through our internet websites, intranet sites, and our line of business applications that are used to perform our day-to-day business. A cybersecurity architect will determine how to protect applications against common threats, such as cross-site scripting on our websites. To protect against these common threats, a WAF can be used for proper evaluation of the traffic accessing our applications. Utilizing secure transport layer (TLS) protocols that are encrypted can also help to avoid the exposure of sensitive data to unauthorized individuals.

Prior to an application being moved to production, it should be properly tested to make sure that there are no open management ports and that all API connections are also secured.

If the application references connections to databases and storage accounts, the secrets and keys should not be exposed and a key management solution, such as Azure Key Vault, should be in place for the proper rotation of secrets, keys, and certificates. Properly securing these areas of our applications will assist in avoiding exposure of sensitive data to those that are not authorized.

Data

Always at the center of our defense-in-depth security posture is our data. Data is the primary asset of our company. This includes the business and financial data that is necessary for the company’s survival and the personal information of our employees and customers. Exposure or theft of this information would have potentially catastrophic effects on the company’s ability to continue. These effects could be reputational and involve financial loss.

As a security professional, one must protect data from intentional and accidental exposure to those that are not authorized to view it. Data resides in various areas within our technology infrastructure. Data can be found primarily in different storage accounts, such as blob containers or file shares, and within relational and non-relational databases. The common practice to accomplish this is through encryption.

Encryption makes data unreadable to those that are not properly authenticated and authorized to view it. Encryption can be used in different ways with data. First, there is encrypting data at rest, which is when it is stored and not being accessed. Next, there is encryption in transit, or while it is being delivered from where it is stored to the person requesting access. Finally, there is encryption in use, which maintains the encryption of the data within the application throughout the time that it is being viewed. This is the more complex of the types of data encryption since it requires the application to have the capability of presenting the encrypted data. Microsoft provides options for these encryption types that will be discussed later in this book.

Encrypting our data in our storage accounts and databases decreases the potential of this data being exposed to those that are not authorized. Additionally, requiring verification through authentication and authorization maintains the protection of data. This includes avoiding anonymous access to storage accounts and masking sensitive data within our databases. The most important aspect of protecting our data is knowing where our sensitive data is located and planning proper steps to avoid it being exposed to the unauthorized. Bringing together the protection of data within the entire defense-in-depth strategy provides us with an effective way to protect against vulnerabilities and threats.

Maintaining a proper security posture across all of the defense-in-depth layers is the best way to protect our company from loss or exposure across the stages of a cyber attack. These stages will be further discussed later in this chapter. As security professionals, it is important that we take ownership of the planning, execution, monitoring, and management of all of these layers and work with other stakeholders at each of these layers to maintain the overall security posture for the company.

Special considerations need to be accounted for within this security posture when utilizing public cloud services. In the next section, we will discuss how this shared responsibility for cloud services requires possible adjustments to our defense-in-depth security approach.

Shared responsibility in cloud security

As technology has evolved and more resources have a level of exposure to external internet connections, the attack surface that is potentially vulnerable also increases. We must understand this and know where our responsibilities lie for each of the areas within our defense-in-depth security approach.

Shared responsibility is the relationship between the customer and the cloud provider at each of the layers of defense in depth. This relationship differs depending on the technology that is being consumed.

Shared responsibility focuses on who has the ownership to interact at a specific level of protection. This may be physical ownership of equipment or administrative ownership for enabling various controls. The level of ownership between the company using the service and the cloud provider changes depending on the type of service that is being consumed by the company.

Table 1.1 shows shared responsibility for customers and Microsoft within the various cloud and on-premises services.

Responsibility

On-Premises

IaaS

PaaS

SaaS

Data governance and rights management

Customer

Customer

Customer

Customer

Client endpoints

Customer

Customer

Customer

Customer

Account and access management

Customer

Customer

Customer

Customer

Identity and directory infrastructure

Customer

Customer

Microsoft/

Customer

Microsoft/

Customer

Application

Customer

Customer

Microsoft/

Customer

Microsoft

Network controls

Customer

Customer

Microsoft/

Customer

Microsoft

Operating system

Customer

Customer

Microsoft

Microsoft

Physical hosts

Customer

Microsoft

Microsoft

Microsoft

Physical network

Customer

Microsoft

Microsoft

Microsoft

Physical data center

Customer

Microsoft

Microsoft

Microsoft

Table 1.1 – Shared responsibility in the cloud

As you look at the customer’s and Microsoft’s responsibilities for security, the cybersecurity architect should determine the levels of controls that the company should have in place for each of the areas of potential vulnerabilities and exposure to attacks.

The next section will build upon the areas of controls and security posture, and we will discuss the various components of cybersecurity operations.

You have been reading a chapter from
Microsoft Cybersecurity Architect Exam Ref SC-100
Published in: Jan 2023
Publisher: Packt
ISBN-13: 9781803242392
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image