Security, Compliance, and Identity Fundamentals
Lesson 1
Zero-trust methodology
Defense in depth
Defense in depth uses a layered approach to security
- Physical
- Identity and access
- Perimeter
- Network
- Compute
- Application
- Data
The shared responsibility model
The responsibilities vary based on where the workload is hosted:
- Software as a Service
- Platform as a Service
- Infrastructure as a Service
- On-premises datacenter (On-prem)
Confidentiality, Integrity, Availability (CIA)
CIA – A way to think about security trade-offs.
- Confidentiality refers to the need to keep confidential sensitive data such as customer information, passwords, or financial data.
- Integrity
- Availability
Common threats
- Data breach
- Phishing
- Spear phishing
- Tech support scams
- SQL injection
- Malware designed to steal passwords or bank details
- Dictionary attack
- Ransomware
- Disruptive attacks
Encryption
Encryption is the process of making data unreadable and unusable to unauthorized viewers.
Two top-level types of encryption:
- Symmetric
- Asymmetric
Hashing
Hashing uses an algorithm to convert the original text to a unique fixed-length hash value.
Microsoft Cloud Adoption Framework
Consists of documentation, implementation guidance, and best practices that support increased security and compliance
Lesson 2
Common identity attacks
Types of security threats
- Password-based attacks
- Phishing
- Spear phishing
Identity as the primary security perimeter
Identity has become the new security perimeter that enables organizations to secure their assets.
An identity is how someone or something can be verified and authenticated; it may be associated with:
- User
- Application
- Device
- Other
Four pillars of identity:
- Administration
- Authentication
- Authorization
- Auditing
Modern authentication and the role of the identity provider
Modern authentication is an umbrella term for authentication and authorization methods between a client and a server.
- identity provider (IdP)
The concept of Federated Services
Scenario:
- The website uses the authentication services of IdP-A
- The user authenticates with IdP-B
- …
The concept of directory services and Active Directory
- A directory is a hierarchical structure that stores information about objects on the network
- A directory service stores directory data and makes it available to network users and administrators
- The best-known service of this kind is Active Directory Domain Services (AD DS), a central component
Module Summary
- Learned about some important security concepts and methodologies.
- Learned about some important identity concepts
QA
Q&A with a Microsoft 365 expert
What is authorization and authentication with example?
A simple example: when you swipe your badge to enter the office, the process of confirming who you are is authentication. When your company's HR can access your monthly pay slip, the process of authorizing them to read employees' pay slips is authorization. That is the main difference between the two.
Azure Active Directory
Azure AD is Microsoft's cloud-based identity and access management service.
Capabilities of Azure AD
Azure AD identity types
- User
- Service principal
- Managed identity
- Device
Authentication methods of Azure AD
MFA
- something you know
- something you have
- something you are
Multi-factor authentication (MFA) in Azure AD
Different authentication methods that can be used with MFA
- Passwords
- Password & additional verification
- Phone (voice or SMS)
- Microsoft Authenticator
- Open Authentication (OATH) with software or hardware tokens
Windows Hello for Business
Self-service password reset (SSPR) in Azure AD
- Benefits of Self-service password reset
- Self-service password reset works in the following scenarios
- Authentication method of SSPR
Lesson 3
Conditional Access
Conditional Access signals
- User or group membership
- Named location information
- Device
- Application
- Real-time sign-in risk detection
- Cloud apps or actions
- User risk
Access controls
- Block access
- Grant access
- Require one or more conditions to be met before granting access
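The signals-and-controls flow above, as an added Python sketch that is not part of the course material: every policy whose conditions match a sign-in is applied, a block control wins outright, and the grant controls of all other matching policies accumulate and must all be satisfied. The policy names, group names and sign-in values are constructed for illustration, not taken from any real tenant.

```python
from dataclasses import dataclass, field

RISK_LEVELS = ["none", "low", "medium", "high"]  # ordered sign-in risk levels

@dataclass
class SignIn:            # the signals evaluated for one sign-in attempt
    user: str
    groups: set
    app: str
    location: str        # named location, or "unknown" when not in any
    device_compliant: bool
    sign_in_risk: str    # one of RISK_LEVELS

@dataclass
class Policy:
    name: str
    groups: set                                          # empty = all users
    apps: set                                            # empty = all cloud apps
    exclude_locations: set = field(default_factory=set)  # trusted named locations
    min_risk: str = "none"                               # applies at this risk or above
    control: str = "grant"                               # "block" or "grant"
    require: set = field(default_factory=set)            # e.g. {"mfa", "compliant_device"}

    def applies(self, s: SignIn) -> bool:
        if self.groups and not (self.groups & s.groups):
            return False
        if self.apps and s.app not in self.apps:
            return False
        if s.location in self.exclude_locations:
            return False
        return RISK_LEVELS.index(s.sign_in_risk) >= RISK_LEVELS.index(self.min_risk)

def evaluate(policies, s):
    """Block if any matching policy blocks; else grant with the union of all required controls."""
    matched = [p for p in policies if p.applies(s)]
    if any(p.control == "block" for p in matched):
        return "block", set()
    return "grant", set().union(*(p.require for p in matched))

def satisfied(required, s, mfa_completed):
    """True when the sign-in meets every accumulated grant control."""
    checks = {"mfa": mfa_completed, "compliant_device": s.device_compliant}
    return all(checks[r] for r in required)

# Constructed sample policies, not any real tenant's configuration.
POLICIES = [
    Policy("MFA for everyone outside HQ", set(), set(), exclude_locations={"corp-hq"}, require={"mfa"}),
    Policy("Admins need a compliant device", {"admins"}, set(), require={"compliant_device"}),
    Policy("Block high sign-in risk", set(), set(), min_risk="high", control="block"),
]
```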
Azure AD role-based access control (RBAC)
- Built-in roles
- Custom roles
- Azure AD role-based access control
- Only grant the access users need
Lesson 4
Identity governance in Azure AD
The tasks of Azure AD identity governance
- Govern the identity lifecycle
- Govern access lifecycle
- Secure privileged access for administration
Identity lifecycle
- Join: A new digital identity is created
- Move: Update access authorizations
- Leave: Access may need to be removed
Entitlement management and access reviews
- Entitlement management
- Access reviews
- Terms of use
Privileged Identity Management (PIM)
PIM enables you to manage, control, and monitor access to important resources in your organization.
Azure Network Security groups
Network security groups (NSG) let you allow or deny network traffic to and from Azure resources that exist in your Azure Virtual Network.
Azure Resource Manager locks
- Prevent resources from being accidentally deleted or changed.
Azure Policy
Azure Defender
Scope of Azure Defender
- Servers
- Kubernetes
- App Service
- Container registries
- Storage
- Key Vault
- SQL
SIEM, SOAR, and XDR
SIEM
Collects data from across the whole estate
Sentinel provides integrated threat protection
- Collect
- Detect
- Investigate
- Respond