Microsoft Azure Security Technologies Certification and Beyond: Gain practical skills to secure your Azure environment and pass the AZ-500 exam

Cover
Copyright
Contributors
Table of Contents
Preface
Section 1: Implement Identity and Access Security for Azure
Chapter 1: Introduction to Azure Security
	Technical requirements
	Shared responsibility model
	Setting up a practice environment
		Create a free trial Azure subscription
	Summary
	Questions
	Further reading
Chapter 2: Understanding Azure AD
	What Azure AD is not (what is Azure AD?)
		Azure AD versus on-premises AD
		Azure AD – an identity provider for Microsoft cloud services
		Azure AD – an identity provider for modern applications
	Modern authentication protocols
		Hands-on exercise – review your Azure AD tenant
		Hands-on exercise – add a custom domain to Azure AD (optional)
	Azure AD editions
		Hands-on exercise – sign up for an Azure AD Premium P2 trial
	Azure AD object management
		Azure AD users
		Azure AD groups
		Azure AD and Azure RBAC roles
		Service principals
		Hands-on exercise – Azure AD user creation and group management
		Hands-on exercise – Azure AD role assignment
	Summary
	Questions
	Further reading
Chapter 3: Azure AD Hybrid Identity
	Technical requirements
	Implementing Azure AD hybrid identity
		Azure AD Connect
		Preparing for Azure AD Connect installation
		Hands-on exercise – deploying an Azure VM hosting an AD domain controller
		Hands-on exercise – preparing for Azure AD Connect deployment
	Selecting a hybrid identity authentication method
		Federation
		Pass-Through Authentication (PTA)
		Azure AD Connect deployment options
		Hands-on exercise – deploying Azure AD Connect PHS
	Implementing password writeback
	Summary
	Questions
	Further reading
Chapter 4: Azure AD Identity Security
	Technical requirements
	Implementing Azure AD Password Protection
		Hands-on exercise – Configuring the custom banned password list feature of Azure AD Password Protection
	Securing Azure AD users with multi-factor authentication (MFA)
		Hands-on exercise – Enabling MFA by changing user state
	Implementing conditional access policies
		Conditional access – How policies are evaluated
		Conditional access best practices
		Hands-on exercise – Implementing conditional access
	Protecting identities with Azure AD Identity Protection
		Identity protection – risk categories
		Identity protection – detection types
		Identity protection – risk levels
		Identity protection – policies
		Exercise – Implementing Azure AD Identity Protection
	Summary
	Question
	Further reading
Chapter 5: Azure AD Identity Governance
	Technical requirements
	Protecting privileged access using Azure AD Privileged Identity Management (PIM)
		What is Azure AD PIM?
		How does Azure AD PIM work?
		Exercise – Azure AD Privileged Identity Management
	Configuring PIM access reviews
		Exercise – Create an access review and review PIM auditing features
	Summary
	Questions
	Further reading
Section 2: Implement Azure Platform Protection
Chapter 6: Implementing Perimeter Security
	Technical requirements
	Securing the Azure virtual network perimeter
	Implementing Azure Distributed Denial of Service (DDoS) Protection
		Hands-on exercise – provisioning resources for the exercises in Chapters 6 and 7
		Hands-on exercise – implementing the Azure DDoS protection Standard
	Implementing Azure Firewall
		Hands-on exercise – implementing Azure Firewall
	Implementing a Web Application Firewall (WAF) in Azure
		Application Gateway WAF
		Front Door WAF
		Hands-on exercise – configuring a WAF on Azure Application Gateway
	Summary
	Questions
	Further reading
Chapter 7: Implementing Network Security
	Technical requirements
	Implementing virtual network segmentation
		Implementing NSGs
		Implementing ASGs
		Hands-on exercise – Configuring NSGs and ASGs
	Implementing platform service network security
		Firewall for PaaS services (and firewall exceptions)
		Service endpoints
		Hands-on exercise: Configuring a firewall and service endpoints on a storage account
	Securing Azure network hybrid connectivity
		Implementing Azure Bastion
		Hands-on exercise: Configuring Azure Bastion
		Hands-on exercise: Cleaning up resources
	Summary
	Question
	Further reading
Chapter 8: Implementing Host Security
	Technical requirements
		Hands-on exercise – provisioning resources for this chapter\'s exercises
	Using hardened baseline VM images
	Protecting VMs from viruses and malware
		Hands-on exercise deploying the Microsoft Antimalware extension for Azure
	Implementing system update management for VMs
		Hands-on exercise – implementing Azure Automation Update Management
	Implementing vulnerability assessment for VMs
	Encrypting VM disks with Azure Disk Encryption
		Hands-on exercise – implementing Azure Disk Encryption
	Securing management ports with JIT VM access
		Hands-on exercise – enabling JIT VM access
	Summary
	Questions
	Further reading
Chapter 9: Implementing Container Security
	Technical requirements
	An overview of containerization in Azure
	Hands-on exercise – providing resources for the chapter exercises
	Introducing ACR
		ACR pricing tiers
	ACR security best practices
		Configuring service firewall rules for ACR
		Restricting access using a private endpoint
		Using Azure AD RBAC for secure authentication and access control
		Implementing container image vulnerability and compliance scanning
		Hands-on exercise – securing ACR
	Introducing AKS
		Understanding the AKS architecture
	AKS security best practices
		Limiting access to the API server using authorized IP address ranges
		Implementing a private AKS cluster using a private endpoint
		Controlling access to cluster resources using Kubernetes RBAC and Azure AD
		Regularly upgrading the cluster control plane
		Regularly applying OS updates to worker nodes
		Implementing pod-managed identities
		Cleaning up the resources
	Summary
	Questions
	Further reading
Section 3: Secure Storage, Applications, and Data
Chapter 10: Implementing Storage Security
	Technical requirements
	Azure Storage overview
		Azure Blob service hierarchy
		Azure Files service hierarchy
	Implementing encryption at rest
	Implementing encryption in transit
		Hands-on exercise – provisioning a storage account with encryption in transit enforced
	Configuring storage account authorization
		Protect access to the Storage account keys
		Grant limited access to using Shared Access Signatures (SAS)
		Implementing storage account key management with Key Vault
		Disabling key-based authorization options
		Disabling anonymous (unauthenticated) Blob access
		Implementing Azure AD authorization for the Blob service
		Implementing ADDS or Azure ADDS authentication for Azure Files
		Hands-on exercise – configuring storage account access controls
	Implementing Azure Defender for Storage
		Cleaning up resources
	Summary
	Question
	Further reading
Chapter 11: Implementing Database Security
	Technical requirements
	Database options in Azure
	Azure SQL deployment options
	Implementing defense in depth for Azure SQL
	Protecting Azure SQL against unauthorized network connections
		Implementing IP firewall rules
		Implementing server-level firewall rules
		Implementing database-level firewall rules
		Implementing Azure SQL private endpoints
		Hands-on exercise – provisioning resources for chapter exercises
		Hands-on exercise – implementing network access control
	Protecting Azure SQL against unauthorized user access
		Hands-on exercise – implementing Azure AD authentication and authorization
	Protecting Azure SQL against vulnerabilities
		Enabling Azure SQL database auditing
		Implementing Azure Defender for SQL
	Protecting Azure SQL against data leakage and theft (database encryption)
		Implementing Transparent Data Encryption (TDE) – encryption at rest
		Implementing encryption in transit
		Implementing Azure SQL Database Always Encrypted
		Hands-on exercise – implementing Always Encrypted
	Cleaning up resources
	Summary
	Question
	Further reading
Chapter 12: Implementing Secrets, Keys, and Certificate Management with Key Vault
	Technical requirements
	Introducing Azure Key Vault
	Understanding secrets, keys, and certificates
	Understanding Key Vault pricing tiers
	Managing access to Key Vault
		Hands-on exercise – managing access to Key Vault resources
	Protecting Key Vault resources
		Hands-on exercise – protecting Key Vault resources
	Cleaning up resources
	Summary
	Question
	Further reading
Chapter 13: Azure Cloud Governance and Security Operations
	Technical requirements
	Implementing Azure cloud governance
		Understanding management groups
		Understanding Azure Policy
		Understanding Azure RBAC
		Hands-on exercise – implementing management groups and Azure Policy
	Understanding logging and monitoring
		Azure Service Health
		Azure Monitor
		Log Analytics
	Addressing cloud security challenges with Security Center
		Cloud Security Posture Management
		Cloud Compliance Posture Management
		Threat protection
	Managing security operations with Azure Sentinel
		Data collection
		Detecting threats
		Investigating incidents
		Responding to incidents
		Hands-on exercise – implementing Azure Sentinel
	Cleaning up resources
	Summary
	Questions
	Further reading
Assessments
	Chapter 1 – Introduction to Azure Security
	Chapter 2 – Understanding Azure AD
	Chapter 3 – Azure AD Hybrid Identity
	Chapter 4 – Azure AD Identity Security
	Chapter 5 – Azure AD Identity Governance
	Chapter 6 – Implementing Perimeter Security
	Chapter 7 – Implementing Network Security
	Chapter 8 – Implementing Host Security
	Chapter 9 – Implementing Container Security
	Chapter 10 – Implementing Storage Security
	Chapter 11 – Implementing Database Security
	Chapter 12 – Implement Secrets, Keys, and Certificate Management with Key Vault
	Chapter 13 – Azure Cloud Governance and Security Operations
Other Books You May Enjoy
Index