
Key Points:
- Security: Services like Azure Security Center (now Microsoft Defender for Cloud), Azure Firewall, NSGs, and DDoS Protection protect Azure resources.
- Identity and Access: Azure AD (now Microsoft Entra ID), RBAC, and MFA control who can sign in and what they are allowed to do with Azure resources.
- Governance and Compliance: Tools like Azure Policy, Azure Blueprints, and certifications help you meet regulatory and organizational standards.
- Privacy and Trust: Microsoft offers comprehensive privacy controls, including GDPR compliance, data residency, and transparency through the Trust Center and Service Trust Portal.
1. Security Features in Azure
a) Azure Security Center
- Azure Security Center (renamed Microsoft Defender for Cloud in 2021; these notes keep the older name) is a unified security management system that provides posture management and threat protection across Azure workloads and, through Azure Arc, on-premises and other-cloud workloads.
- Key Features:
- Security posture management: Continuously assesses resources against security best practices and rolls the open recommendations up into a Secure Score, giving a single view of overall security health and a prioritized list of fixes.
- Threat protection: Detects and responds to security threats using machine learning, behavioral analytics, and anomaly detection, raising security alerts that can be forwarded to a SIEM.
- Compliance: Monitors compliance against regulatory standards and benchmarks (e.g., ISO 27001, CIS benchmarks, PCI DSS) and reports per-control pass/fail status.
- Two tiers (the pricing model at the time of these notes; Defender for Cloud now offers free foundational posture management plus paid, per-resource-type Defender plans):
- Free tier: Secure Score, continuous assessment, and security recommendations.
- Standard tier: Advanced threat detection, just-in-time (JIT) VM access (which inserts a temporary NSG or Azure Firewall allow rule for the requester's IP and management port for a limited time), adaptive application controls, and vulnerability assessments.
b) Azure Firewall
- Azure Firewall is a managed, cloud-based, stateful network security service that protects Azure Virtual Network resources; it is typically deployed in a hub virtual network, with user-defined routes sending spoke traffic through it.
- Key Features:
- Stateful filtering: Tracks the state of connections so return traffic for an allowed session is permitted, and allows or denies traffic based on rules you define: network rules match source/destination IP, port, and protocol, while application rules filter outbound HTTP/HTTPS by fully qualified domain name (FQDN). Rules are grouped into rule collections that are evaluated in priority order.
- Threat intelligence: Can alert on or deny traffic to and from known malicious IP addresses and domains using Microsoft's threat intelligence feed.
- High availability: Built-in high availability (optionally spread across availability zones) and cloud-native scalability, with a static public IP so that external parties can allowlist your outbound traffic.
c) Network Security Groups (NSGs)
- NSGs filter network traffic to and from Azure resources in a virtual network. An NSG is a list of rules that allow or deny traffic, evaluated in priority order (lowest priority number first, first match wins); a set of default rules, which cannot be deleted but can be overridden by higher-priority custom rules, allows traffic within the virtual network and from the Azure load balancer and denies all other inbound traffic.
- Key Features:
- Inbound/outbound filtering: An NSG can be associated with a subnet, a network interface, or both; when both apply, inbound traffic must be allowed by the subnet NSG and then by the NIC NSG, and outbound traffic the reverse.
- Layer 3/4 filtering: Rules match on source and destination IP address (CIDR, a service tag such as Internet or VirtualNetwork, or an application security group), port, and protocol (TCP, UDP, ICMP, or any). NSGs do not inspect packet payloads, so they cannot filter by URL or detect application-layer attacks.
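To make the evaluation order concrete, the following is an added example (not code from the original notes or from Microsoft) that models how an inbound or outbound packet is matched against an NSG: custom rules plus the default rules, sorted by priority, first match wins. The VNet address space, the two custom rules, and the test packets are constructed for the example; the service-tag logic is a simplification (Internet is treated as "any address outside the VNet"), and the load balancer probe address 168.63.129.16 is the real Azure value.

```python
"""Model of Azure NSG rule evaluation (illustrative; not Azure's implementation).
Rules are checked in ascending priority and the first match decides; the default
rules (65000/65001/65500) always sit behind every custom rule."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Assumed address space of the VNet this NSG is attached to (constructed value).
VNET_PREFIX = ipaddress.ip_network("10.0.0.0/16")
# Source address used by the Azure Load Balancer health probes (real Azure value).
AZURE_LB_PROBE_IP = ipaddress.ip_address("168.63.129.16")


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int         # 100-4096 for custom rules; lower number is evaluated first
    direction: str        # "Inbound" or "Outbound"
    access: str           # "Allow" or "Deny"
    protocol: str         # "Tcp", "Udp", "Icmp" or "*"
    source: str           # CIDR, single IP, or service tag: Internet, VirtualNetwork, AzureLoadBalancer, *
    source_port: str      # single port, range "a-b", or "*"
    destination: str
    destination_port: str


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
]
DEFAULT_OUTBOUND = [
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]


def _addr_matches(spec: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return addr in VNET_PREFIX
    if spec == "Internet":            # simplification: anything outside the VNet
        return addr not in VNET_PREFIX
    if spec == "AzureLoadBalancer":
        return addr == AZURE_LB_PROBE_IP
    return addr in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.protocol in ("*", pkt.protocol)
            and _addr_matches(rule.source, pkt.src_ip)
            and _port_matches(rule.source_port, pkt.src_port)
            and _addr_matches(rule.destination, pkt.dst_ip)
            and _port_matches(rule.destination_port, pkt.dst_port))


def validate(custom: List[Rule]) -> None:
    """Azure rejects custom priorities outside 100-4096 and duplicates within one direction."""
    seen = set()
    for r in custom:
        if not 100 <= r.priority <= 4096:
            raise ValueError(f"{r.name}: priority {r.priority} outside 100-4096")
        if (r.direction, r.priority) in seen:
            raise ValueError(f"{r.name}: duplicate priority {r.priority} for {r.direction}")
        seen.add((r.direction, r.priority))


def evaluate(custom: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (access, name) of the first rule, by ascending priority, that matches."""
    validate(custom)
    defaults = DEFAULT_INBOUND if pkt.direction == "Inbound" else DEFAULT_OUTBOUND
    for rule in sorted(custom + defaults, key=lambda r: r.priority):
        if matches(rule, pkt):
            return rule.access, rule.name
    raise AssertionError("unreachable: the 65500 default rule matches everything")


# Constructed rule set for a web tier: HTTPS from anywhere, SSH only from an admin range.
WEB_NSG = [
    Rule("Allow-HTTPS-Internet", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "*", "443"),
    Rule("Allow-SSH-Admin", 200, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "*", "*", "22"),
]
```

The instructive case is the last assertion in the test: a "temporary" allow-everything rule at priority 150 silently shadows every rule with a higher number, including the default deny, which is exactly how SSH ends up open to the internet on a VM whose owner believes port 22 is restricted.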
d) Azure DDoS Protection
- Distributed Denial of Service (DDoS) Protection defends Azure applications by monitoring traffic to public IP addresses and automatically scrubbing attack traffic once volume exceeds a mitigation threshold.
- Two tiers:
- Basic: Free, always-on protection of the Azure platform itself (now called DDoS infrastructure protection); it is not tuned to your applications and gives you no telemetry or alerting.
- Standard: Paid, network-layer (layer 3/4) protection tuned to the public IPs in your virtual networks, with attack metrics, alerting, mitigation reports, rapid-response support, and cost protection for scale-out during an attack (now sold as DDoS Network Protection and the per-IP DDoS IP Protection). Application-layer (layer 7) attacks such as HTTP floods are outside its scope and need a web application firewall such as Azure WAF in front of the application.
e) Azure Key Vault
- Azure Key Vault is a service that securely stores and manages secrets (API keys, passwords, connection strings), certificates, and cryptographic keys, so that they are never embedded in code or configuration files.
- Key Features:
- Centralized key management: Manage cryptographic keys and secrets for cloud applications in one place, with versioning and logging of every access, so a compromised secret can be rotated without touching the applications that use it.
- Hardware Security Modules (HSMs): In the Premium tier, keys can be generated in or imported into FIPS 140-2 Level 2 validated HSMs and never leave the HSM boundary; Azure Managed HSM offers a single-tenant, FIPS 140-2 Level 3 option.
- Access control: Authentication is always through Azure AD (including managed identities for workloads); authorization uses either the legacy vault access policies or, preferably, Azure RBAC on the data plane, which lets you scope access down to an individual key or secret. Network rules and private endpoints restrict where the vault can be reached from, and soft-delete with purge protection guards against destructive deletion.
2. Identity and Access Management (IAM)
a) Azure Active Directory (Azure AD)
- Azure Active Directory (renamed Microsoft Entra ID in 2023) is Microsoft's cloud-based identity and access management service. It is a different product from on-premises Windows Server Active Directory, although identities can be synchronized between the two.
- Key Features:
- Authentication: Provides single sign-on (SSO) and multi-factor authentication (MFA); Microsoft states that MFA blocks more than 99.9% of account-compromise attacks.
- User and group management: Organize users, groups, and roles and assign permissions for Azure resources.
- Azure AD B2B/B2C: Enables identity management for external users (business-to-business collaboration through guest accounts, and business-to-consumer customer identity).
- Conditional Access: Policy-based access decisions (allow, require MFA, require a compliant or hybrid-joined device, block) evaluated at sign-in from signals such as user or group, location, device state, target application, and sign-in risk; requires an Azure AD Premium P1 license.
b) Role-Based Access Control (RBAC)
- Azure RBAC controls access to Azure resources by creating role assignments: a security principal (user, group, service principal, or managed identity) is granted a role definition at a scope. It governs the Azure resource management plane (and the data plane of some services) and is separate from Azure AD directory roles such as Global Administrator, which by themselves grant no access to Azure resources.
- Key Features:
- Granular scope: Assign at management group, subscription, resource group, or individual resource level; an assignment is inherited by every child scope, and permissions from multiple assignments are additive.
- Built-in roles: Azure provides predefined roles like Owner, Contributor, and Reader. A role definition lists the Actions it permits (Reader is "*/read") and any NotActions subtracted from them (Contributor is "*" minus the Microsoft.Authorization write and delete operations, which is why a Contributor cannot grant access to others).
- Custom roles: You can also create custom roles to meet specific business requirements, which is the least-privilege alternative to handing out Owner or Contributor.
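The following is an added example (not code from the original notes or from Microsoft) that models the RBAC evaluation rules described above in runnable form: assignments bind a principal to a role at a scope, inherit down the management group / subscription / resource group / resource hierarchy, are unioned across assignments and group memberships, subtract a role's NotActions from its own Actions, and lose to a deny assignment. The tenant layout, users, group, subscription ID, and deny assignment are constructed; the three role definitions are abbreviated from the real built-ins.

```python
"""Model of Azure RBAC authorization (illustrative; not Azure's engine)."""
import re
from typing import Dict, List, Set

# Role definitions: Actions minus NotActions (abbreviated from the real built-in roles).
ROLES: Dict[str, Dict[str, List[str]]] = {
    "Owner":       {"Actions": ["*"], "NotActions": []},
    "Contributor": {"Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/elevateAccess/Action"]},
    "Reader":      {"Actions": ["*/read"], "NotActions": []},
}

# Constructed tenant: one management group, one subscription, two resource groups.
MG_CORP = "/providers/Microsoft.Management/managementGroups/corp"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG_APP = f"{SUB}/resourceGroups/rg-app"
RG_LOCKED = f"{SUB}/resourceGroups/rg-locked"
MG_OF_SUBSCRIPTION = {SUB: MG_CORP}
GROUP_MEMBERS = {"platform-admins": {"bob"}}

ROLE_ASSIGNMENTS = [            # (principal, role, scope)
    ("alice", "Reader", MG_CORP),             # read everything under the management group
    ("alice", "Contributor", RG_APP),         # manage one resource group
    ("platform-admins", "Owner", SUB),        # group assignment at subscription scope
]
DENY_ASSIGNMENTS = [            # (principals or "*", Actions, NotActions, scope)
    ("*", ["*"], ["*/read"], RG_LOCKED),      # read-only for everyone in rg-locked
]


def action_matches(pattern: str, action: str) -> bool:
    """Operation names are case-insensitive; '*' spans any characters, including '/'."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def scope_applies(assignment_scope: str, resource_scope: str) -> bool:
    """An assignment applies at its own scope and at every scope beneath it."""
    if assignment_scope == "/":
        return True
    if assignment_scope.startswith("/providers/Microsoft.Management/"):
        sub = "/".join(resource_scope.split("/")[:3])      # '/subscriptions/<id>'
        return MG_OF_SUBSCRIPTION.get(sub) == assignment_scope
    return resource_scope == assignment_scope or resource_scope.startswith(assignment_scope + "/")


def principals_for(user: str) -> Set[str]:
    """The user plus every group the user belongs to (assignments on groups count)."""
    return {user} | {g for g, members in GROUP_MEMBERS.items() if user in members}


def role_grants(role: str, action: str) -> bool:
    """Effective permissions of a role are its Actions minus its NotActions."""
    d = ROLES[role]
    return (any(action_matches(p, action) for p in d["Actions"])
            and not any(action_matches(p, action) for p in d["NotActions"]))


def is_authorized(user: str, action: str, resource_scope: str) -> bool:
    who = principals_for(user)
    for principals, actions, not_actions, scope in DENY_ASSIGNMENTS:
        targeted = principals == "*" or bool(who & set(principals))
        if targeted and scope_applies(scope, resource_scope):
            if (any(action_matches(p, action) for p in actions)
                    and not any(action_matches(p, action) for p in not_actions)):
                return False          # a deny assignment wins over every role assignment
    return any(role_grants(role, action)
               for principal, role, scope in ROLE_ASSIGNMENTS
               if principal in who and scope_applies(scope, resource_scope))


VM_APP = f"{RG_APP}/providers/Microsoft.Compute/virtualMachines/vm01"
VM_LOCKED = f"{RG_LOCKED}/providers/Microsoft.Compute/virtualMachines/vm02"
```

The two results worth noticing are that alice, a Contributor on rg-app, cannot write a role assignment there (NotActions carve that out of "*"), and that even bob, an Owner on the whole subscription through his group, cannot delete anything in rg-locked because the deny assignment is evaluated first.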
c) Multi-Factor Authentication (MFA)
- MFA is an additional layer of security that requires users to provide two or more verification factors (e.g., password and mobile app code) to access Azure resources, so that a stolen or guessed password alone is not enough to sign in.
- Key Features:
- Reduces the risk of compromised accounts from phishing, password spray, and credential stuffing.
- Supports a variety of second factors: Microsoft Authenticator push notifications (with number matching, which defeats MFA-fatigue "push bombing"), OATH hardware or software tokens, FIDO2 security keys and Windows Hello for Business (both phishing-resistant), and phone calls or SMS, which are the weakest options because they are exposed to SIM swapping and interception.
3. Governance, Privacy, and Compliance
a) Azure Policy
- Azure Policy is a service that enables you to create, assign, and manage policies to enforce governance rules over your Azure resources, both at deployment time and continuously afterwards.
- Key Features:
- Policy definitions: A definition is a JSON rule ("if" a resource matches a condition, "then" apply an effect such as Audit, Deny, Modify, or DeployIfNotExists) that can, for example, require all resources to carry a tag, restrict allowed regions, or ensure storage accounts use encrypted connections. Definitions are grouped into initiatives (policy sets) and assigned at a management group, subscription, or resource group scope, where they are inherited by everything beneath.
- Compliance dashboard: Provides an overview of your resources' compliance status against the assigned policies. Deny blocks non-compliant deployments, while Audit and the periodic evaluation of existing resources flag them as non-compliant without changing or blocking them.
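As an added example (not from the original notes or from Microsoft), here are the two policies mentioned above written in the JSON shape Azure Policy expects, a required-tag policy and a storage secure-transfer policy, together with a small evaluator for the subset of the policy language they use. The evaluator is an illustration of how the "if" block selects non-compliant resources and the "then" block names the effect; it is not the Azure Policy engine, and its alias resolution (a "Microsoft.Storage/storageAccounts/<property>" alias read from the resource's properties) is a simplification. The three sample resources are constructed.

```python
"""Minimal evaluator for Azure Policy 'policyRule' documents (illustrative).
Supports allOf / anyOf / not and the field conditions equals, notEquals, exists."""
from typing import Any, Dict, Optional

# Hypothetical policy definitions in the same JSON shape Azure Policy uses.
REQUIRE_OWNER_TAG = {
    "displayName": "Require an 'owner' tag on all resources",
    "mode": "Indexed",
    "parameters": {"effect": {"type": "String", "defaultValue": "Deny",
                              "allowedValues": ["Audit", "Deny"]}},
    "policyRule": {
        "if": {"field": "tags['owner']", "exists": "false"},
        "then": {"effect": "[parameters('effect')]"},
    },
}

STORAGE_HTTPS_ONLY = {
    "displayName": "Storage accounts must require secure transfer (HTTPS)",
    "mode": "Indexed",
    "parameters": {"effect": {"type": "String", "defaultValue": "Audit",
                              "allowedValues": ["Audit", "Deny", "Disabled"]}},
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
             "notEquals": "true"},
        ]},
        "then": {"effect": "[parameters('effect')]"},
    },
}


def _norm(value: Any) -> str:
    """Azure compares scalar fields as case-insensitive strings; booleans become 'true'/'false'."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return "" if value is None else str(value).lower()


def _field(resource: Dict[str, Any], name: str) -> Any:
    """Resolve a policy field reference against a resource document.
    Simplification: an alias 'Microsoft.X/type/<prop>' reads resource['properties'][<prop>]."""
    if name.startswith("tags[") and name.endswith("]"):
        return resource.get("tags", {}).get(name[6:-2])
    if "/" in name:
        return resource.get("properties", {}).get(name.rsplit("/", 1)[1])
    return resource.get(name)


def _condition(cond: Dict[str, Any], resource: Dict[str, Any]) -> bool:
    if "allOf" in cond:
        return all(_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not _condition(cond["not"], resource)
    value = _field(resource, cond["field"])
    if "equals" in cond:
        return _norm(value) == _norm(cond["equals"])
    if "notEquals" in cond:
        return _norm(value) != _norm(cond["notEquals"])
    if "exists" in cond:
        return (value is not None) == (_norm(cond["exists"]) == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy: Dict[str, Any], resource: Dict[str, Any],
             parameters: Optional[Dict[str, Any]] = None) -> str:
    """Return the effect that applies ('Audit', 'Deny', ...) or 'Compliant'.
    The 'if' block describes the NON-compliant shape; 'then' names what happens to it."""
    params = {k: v.get("defaultValue") for k, v in policy.get("parameters", {}).items()}
    params.update(parameters or {})
    effect = policy["policyRule"]["then"]["effect"]
    if effect.startswith("[parameters('") and effect.endswith("')]"):
        effect = params[effect[13:-3]]          # resolve "[parameters('effect')]"
    if effect == "Disabled":
        return "Compliant"
    return effect if _condition(policy["policyRule"]["if"], resource) else "Compliant"


# Constructed sample resources, in the shape returned by the Resource Manager API.
STORAGE_OK = {"type": "Microsoft.Storage/storageAccounts", "name": "stprod01",
              "tags": {"owner": "platform-team"},
              "properties": {"supportsHttpsTrafficOnly": True}}
STORAGE_LEGACY = {"type": "Microsoft.Storage/storageAccounts", "name": "stlegacy",
                  "tags": {}, "properties": {"supportsHttpsTrafficOnly": False}}
VM_UNTAGGED = {"type": "Microsoft.Compute/virtualMachines", "name": "vm01",
               "tags": {}, "properties": {}}
```

The effect parameter is what makes the same definition usable in two modes: assign it with Audit first to see what would break (the legacy storage account shows up as non-compliant), then switch the assignment to Deny once the estate is clean so that new non-compliant resources are rejected at deployment time.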
b) Azure Blueprints
- Azure Blueprints enables you to define a repeatable set of Azure resources that implement and adhere to an organization's standards, patterns, and compliance requirements. Note that Blueprints never left preview and Microsoft has announced its deprecation (11 July 2026), recommending Template Specs and Deployment Stacks as the replacement.
- Key Features:
- Combines role assignments, policy assignments, ARM templates, and resource groups into a single blueprint.
- Ensures new environments are deployed in a consistent manner.
- Helps maintain compliance across multiple subscriptions.
c) Trust Center
- The Microsoft Trust Center is a central hub for information on Microsoft’s commitment to security, privacy, compliance, and transparency.
- Key Focus Areas:
- Security: Provides detailed insights into how Microsoft secures Azure and your data.
- Privacy: Explains how Microsoft adheres to strict privacy standards (e.g., GDPR).
- Compliance: Lists the compliance offerings Azure supports, from certifications such as ISO 27001 to attestations and contractual commitments for regulations such as HIPAA and GDPR.
d) Service Trust Portal
- The Service Trust Portal (servicetrust.microsoft.com) is where Microsoft publishes the evidence behind its security, privacy, and compliance claims.
- Key Features:
- Provides access to independent audit reports (SOC, ISO), penetration test summaries, compliance guides, and data protection information; some documents require signing in with an Azure AD account and accepting an NDA.
- Helps you assess how Azure meets specific regulatory requirements.
4. Compliance Offerings and Certifications
Azure complies with a broad range of standards and certifications, which are important for organizations that operate in regulated industries.
a) Compliance Certifications
- ISO 27001: One of the most well-known international standards for information security management.
- SOC 1, SOC 2, and SOC 3: Independent auditor reports. SOC 1 covers controls relevant to customers' financial reporting; SOC 2 and SOC 3 cover the security, availability, processing integrity, confidentiality, and privacy trust principles (SOC 3 is the public summary, SOC 2 the detailed report).
- HIPAA: U.S. law protecting healthcare data; Azure offers a Business Associate Agreement (BAA) for in-scope services, but configuring those services compliantly remains the customer's responsibility.
- GDPR: European Union regulation for data protection and privacy.
- FedRAMP: U.S. federal government authorization program for cloud products and services; Azure holds FedRAMP High authorizations.
b) Compliance Manager
- Compliance Manager (now part of Microsoft Purview and reached from the Microsoft Purview compliance portal; it was originally surfaced in the Service Trust Portal) is a workflow-based risk assessment tool that helps you track compliance activities across Microsoft cloud services.
- Key Features:
- Helps evaluate compliance posture, producing a compliance score from the improvement actions you have completed.
- Provides control assessments for standards like GDPR, HIPAA, ISO 27001, splitting each control into actions Microsoft is responsible for and actions the customer must implement.
- Allows you to assign tasks and generate reports for auditors.
5. Azure Privacy
Microsoft’s Azure services are designed to comply with major privacy regulations, ensuring that customer data is protected.
a) Microsoft Privacy Statement
- Provides clear information on what data Microsoft collects, how it is used, and the steps taken to protect user privacy.
b) General Data Protection Regulation (GDPR)
- GDPR is a European regulation designed to protect personal data and privacy. It applies to the personal data of individuals in the EU/EEA regardless of their citizenship. Microsoft commits to GDPR compliance for its services in its role as processor, but compliance of the workloads you build on Azure (lawful basis, data minimization, breach notification, data subject requests) remains your responsibility as controller.
c) Data Residency
- Azure gives customers control over where their data is physically stored. Customers can choose from Azure regions around the world to ensure data residency requirements are met (e.g., storing data within a specific country or region). Two caveats: some services store limited metadata or replicate data outside the chosen region (check each service's data residency documentation), and residency is only as strong as the controls that enforce it, so an Azure Policy "Allowed locations" assignment is the usual way to stop resources being created in other regions.