Microsoft Azure Security Technologies Certification and Beyond

Book description

Excel at AZ-500 and implement multi-layered security controls to protect against rapidly evolving threats to Azure environments – now with the latest updates to the certification

Key Features

  • Master AZ-500 exam objectives and learn real-world Azure security strategies
  • Develop practical skills to protect your organization from constantly evolving security threats
  • Effectively manage security governance, policies, and operations in Azure

Book Description

Exam preparation for the AZ-500 means you'll need to master all aspects of the Azure cloud platform and know how to implement them. With the help of this book, you'll gain both the knowledge and the practical skills to significantly reduce the attack surface of your Azure workloads and protect your organization from constantly evolving threats to public cloud environments like Azure.

While exam preparation is one of its focuses, this book isn't just a comprehensive security guide for those looking to take the Azure Security Engineer certification exam, but also a valuable resource for those interested in securing their Azure infrastructure and keeping up with the latest updates. Complete with hands-on tutorials, projects, and self-assessment questions, this easy-to-follow guide builds a solid foundation of Azure security. You'll not only learn about security technologies in Azure but also be able to configure and manage them. Moreover, you'll develop a clear understanding of how to identify different attack vectors and mitigate risks.

By the end of this book, you'll be well-versed in implementing multi-layered security to protect identities, networks, hosts, containers, databases, and storage in Azure – and more than ready to tackle the AZ-500.

What you will learn

  • Manage users, groups, service principals, and roles effectively in Azure AD
  • Explore Azure AD identity security and governance capabilities
  • Understand how platform perimeter protection secures Azure workloads
  • Implement network security best practices for IaaS and PaaS
  • Discover various options to protect against DDoS attacks
  • Secure hosts and containers against evolving security threats
  • Configure platform governance with cloud-native tools
  • Monitor security operations with Azure Security Center and Azure Sentinel

Who this book is for

This book is a comprehensive resource aimed at those preparing for the Azure Security Engineer (AZ-500) certification exam, as well as security professionals who want to keep up to date with the latest updates. Whether you're a newly qualified or experienced security professional, cloud administrator, architect, or developer who wants to understand how to secure your Azure environment and workloads, this book is for you. Beginners without foundational knowledge of the Azure cloud platform might progress more slowly, but those who know the basics will have no trouble following along.

Table of contents

  1. Microsoft Azure Security Technologies Certification and Beyond
  2. Contributors
  3. About the author
  4. About the reviewers
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the color images
    5. Download the example code files
    6. Conventions used
    7. Get in touch
    8. Share Your Thoughts
  6. Section 1: Implement Identity and Access Security for Azure
  7. Chapter 1: Introduction to Azure Security
    1. Technical requirements
    2. Shared responsibility model
    3. Setting up a practice environment
      1. Create a free trial Azure subscription
    4. Summary
    5. Questions
    6. Further reading
  8. Chapter 2: Understanding Azure AD
    1. What Azure AD is not (what is Azure AD?)
      1. Azure AD versus on-premises AD
      2. Azure AD – an identity provider for Microsoft cloud services
      3. Azure AD – an identity provider for modern applications
    2. Modern authentication protocols
      1. Hands-on exercise – review your Azure AD tenant
      2. Hands-on exercise – add a custom domain to Azure AD (optional)
    3. Azure AD editions
      1. Hands-on exercise – sign up for an Azure AD Premium P2 trial
    4. Azure AD object management
      1. Azure AD users
      2. Azure AD groups
      3. Azure AD and Azure RBAC roles
      4. Service principals
      5. Hands-on exercise – Azure AD user creation and group management
      6. Hands-on exercise – Azure AD role assignment
    5. Summary
    6. Questions
    7. Further reading
  9. Chapter 3: Azure AD Hybrid Identity
    1. Technical requirements
    2. Implementing Azure AD hybrid identity
      1. Azure AD Connect
      2. Preparing for Azure AD Connect installation
      3. Hands-on exercise – deploying an Azure VM hosting an AD domain controller
      4. Hands-on exercise – preparing for Azure AD Connect deployment
    3. Selecting a hybrid identity authentication method
      1. Federation
      2. Pass-Through Authentication (PTA)
      3. Azure AD Connect deployment options
      4. Hands-on exercise – deploying Azure AD Connect PHS
    4. Implementing password writeback
    5. Summary
    6. Questions
    7. Further reading
  10. Chapter 4: Azure AD Identity Security
    1. Technical requirements
    2. Implementing Azure AD Password Protection
      1. Hands-on exercise – Configuring the custom banned password list feature of Azure AD Password Protection
    3. Securing Azure AD users with multi-factor authentication (MFA)
      1. Hands-on exercise – Enabling MFA by changing user state
    4. Implementing conditional access policies
      1. Conditional access – How policies are evaluated
      2. Conditional access best practices
      3. Hands-on exercise – Implementing conditional access
    5. Protecting identities with Azure AD Identity Protection
      1. Identity protection – risk categories
      2. Identity protection – detection types
      3. Identity protection – risk levels
      4. Identity protection – policies
      5. Exercise – Implementing Azure AD Identity Protection
    6. Summary
    7. Question
    8. Further reading
  11. Chapter 5: Azure AD Identity Governance
    1. Technical requirements
    2. Protecting privileged access using Azure AD Privileged Identity Management (PIM)
      1. What is Azure AD PIM?
      2. How does Azure AD PIM work?
      3. Exercise – Azure AD Privileged Identity Management
    3. Configuring PIM access reviews
      1. Exercise – Create an access review and review PIM auditing features
    4. Summary
    5. Questions
    6. Further reading
  12. Section 2: Implement Azure Platform Protection
  13. Chapter 6: Implementing Perimeter Security
    1. Technical requirements
    2. Securing the Azure virtual network perimeter
    3. Implementing Azure Distributed Denial of Service (DDoS) Protection
      1. Hands-on exercise – provisioning resources for the exercises in Chapters 6 and 7
      2. Hands-on exercise – implementing the Azure DDoS protection Standard
    4. Implementing Azure Firewall
      1. Hands-on exercise – implementing Azure Firewall
    5. Implementing a Web Application Firewall (WAF) in Azure
      1. Application Gateway WAF
      2. Front Door WAF
      3. Hands-on exercise – configuring a WAF on Azure Application Gateway
    6. Summary
    7. Questions
    8. Further reading
  14. Chapter 7: Implementing Network Security
    1. Technical requirements
    2. Implementing virtual network segmentation
      1. Implementing NSGs
      2. Implementing ASGs
      3. Hands-on exercise – Configuring NSGs and ASGs
    3. Implementing platform service network security
      1. Firewall for PaaS services (and firewall exceptions)
      2. Service endpoints
      3. Hands-on exercise: Configuring a firewall and service endpoints on a storage account
    4. Securing Azure network hybrid connectivity
      1. Implementing Azure Bastion
      2. Hands-on exercise: Configuring Azure Bastion
      3. Hands-on exercise: Cleaning up resources
    5. Summary
    6. Question
    7. Further reading
  15. Chapter 8: Implementing Host Security
    1. Technical requirements
      1. Hands-on exercise – provisioning resources for this chapter's exercises
    2. Using hardened baseline VM images
    3. Protecting VMs from viruses and malware
      1. Hands-on exercise deploying the Microsoft Antimalware extension for Azure
    4. Implementing system update management for VMs
      1. Hands-on exercise – implementing Azure Automation Update Management
    5. Implementing vulnerability assessment for VMs
    6. Encrypting VM disks with Azure Disk Encryption
      1. Hands-on exercise – implementing Azure Disk Encryption
    7. Securing management ports with JIT VM access
      1. Hands-on exercise – enabling JIT VM access
    8. Summary
    9. Questions
    10. Further reading
  16. Chapter 9: Implementing Container Security
    1. Technical requirements
    2. An overview of containerization in Azure
    3. Hands-on exercise – providing resources for the chapter exercises
    4. Introducing ACR
      1. ACR pricing tiers
    5. ACR security best practices
      1. Configuring service firewall rules for ACR
      2. Restricting access using a private endpoint
      3. Using Azure AD RBAC for secure authentication and access control
      4. Implementing container image vulnerability and compliance scanning
      5. Hands-on exercise – securing ACR
    6. Introducing AKS
      1. Understanding the AKS architecture
    7. AKS security best practices
      1. Limiting access to the API server using authorized IP address ranges
      2. Implementing a private AKS cluster using a private endpoint
      3. Controlling access to cluster resources using Kubernetes RBAC and Azure AD
      4. Regularly upgrading the cluster control plane
      5. Regularly applying OS updates to worker nodes
      6. Implementing pod-managed identities
      7. Cleaning up the resources
    8. Summary
    9. Questions
    10. Further reading
  17. Section 3: Secure Storage, Applications, and Data
  18. Chapter 10: Implementing Storage Security
    1. Technical requirements
    2. Azure Storage overview
      1. Azure Blob service hierarchy
      2. Azure Files service hierarchy
    3. Implementing encryption at rest
    4. Implementing encryption in transit
      1. Hands-on exercise – provisioning a storage account with encryption in transit enforced
    5. Configuring storage account authorization
      1. Protect access to the Storage account keys
      2. Grant limited access to using Shared Access Signatures (SAS)
      3. Implementing storage account key management with Key Vault
      4. Disabling key-based authorization options
      5. Disabling anonymous (unauthenticated) Blob access
      6. Implementing Azure AD authorization for the Blob service
      7. Implementing ADDS or Azure ADDS authentication for Azure Files
      8. Hands-on exercise – configuring storage account access controls
    6. Implementing Azure Defender for Storage
      1. Cleaning up resources
    7. Summary
    8. Question
    9. Further reading
  19. Chapter 11: Implementing Database Security
    1. Technical requirements
    2. Database options in Azure
    3. Azure SQL deployment options
    4. Implementing defense in depth for Azure SQL
    5. Protecting Azure SQL against unauthorized network connections
      1. Implementing IP firewall rules
      2. Implementing server-level firewall rules
      3. Implementing database-level firewall rules
      4. Implementing Azure SQL private endpoints
      5. Hands-on exercise – provisioning resources for chapter exercises
      6. Hands-on exercise – implementing network access control
    6. Protecting Azure SQL against unauthorized user access
      1. Hands-on exercise – implementing Azure AD authentication and authorization
    7. Protecting Azure SQL against vulnerabilities
      1. Enabling Azure SQL database auditing
      2. Implementing Azure Defender for SQL
    8. Protecting Azure SQL against data leakage and theft (database encryption)
      1. Implementing Transparent Data Encryption (TDE) – encryption at rest
      2. Implementing encryption in transit
      3. Implementing Azure SQL Database Always Encrypted
      4. Hands-on exercise – implementing Always Encrypted
    9. Cleaning up resources
    10. Summary
    11. Question
    12. Further reading
  20. Chapter 12: Implementing Secrets, Keys, and Certificate Management with Key Vault
    1. Technical requirements
    2. Introducing Azure Key Vault
    3. Understanding secrets, keys, and certificates
    4. Understanding Key Vault pricing tiers
    5. Managing access to Key Vault
      1. Hands-on exercise – managing access to Key Vault resources
    6. Protecting Key Vault resources
      1. Hands-on exercise – protecting Key Vault resources
    7. Cleaning up resources
    8. Summary
    9. Question
    10. Further reading
  21. Chapter 13: Azure Cloud Governance and Security Operations
    1. Technical requirements
    2. Implementing Azure cloud governance
      1. Understanding management groups
      2. Understanding Azure Policy
      3. Understanding Azure RBAC
      4. Hands-on exercise – implementing management groups and Azure Policy
    3. Understanding logging and monitoring
      1. Azure Service Health
      2. Azure Monitor
      3. Log Analytics
    4. Addressing cloud security challenges with Security Center
      1. Cloud Security Posture Management
      2. Cloud Compliance Posture Management
      3. Threat protection
    5. Managing security operations with Azure Sentinel
      1. Data collection
      2. Detecting threats
      3. Investigating incidents
      4. Responding to incidents
      5. Hands-on exercise – implementing Azure Sentinel
    6. Cleaning up resources
    7. Summary
    8. Questions
    9. Further reading
  22. Assessments
    1. Chapter 1 – Introduction to Azure Security
    2. Chapter 2 – Understanding Azure AD
    3. Chapter 3 – Azure AD Hybrid Identity
    4. Chapter 4 – Azure AD Identity Security
    5. Chapter 5 – Azure AD Identity Governance
    6. Chapter 6 – Implementing Perimeter Security
    7. Chapter 7 – Implementing Network Security
    8. Chapter 8 – Implementing Host Security
    9. Chapter 9 – Implementing Container Security
    10. Chapter 10 – Implementing Storage Security
    11. Chapter 11 – Implementing Database Security
    12. Chapter 12 – Implement Secrets, Keys, and Certificate Management with Key Vault
    13. Chapter 13 – Azure Cloud Governance and Security Operations
    14. Why subscribe?
  23. Other Books You May Enjoy
    1. Packt is searching for authors like you
    2. Share Your Thoughts

Product information

  • Title: Microsoft Azure Security Technologies Certification and Beyond
  • Author(s): David Okeyode
  • Release date: November 2021
  • Publisher(s): Packt Publishing
  • ISBN: 9781800562653