Azure Fundamentals: Security and Pricing

In the previous post I covered the first two areas described in Microsoft's AZ-900 skills outline. In this post we'll review the final two, Security and Pricing.

Understand security, privacy, compliance, and trust (25-30%)

Understand securing network connectivity in Azure

1. Describe Network Security Groups (NSG)
   • NSGs allow you to control what traffic is permitted in and out of Azure resources such as VMs or subnets. Restrictions can be based on characteristics such as source, destination, port, and protocol.
2. Describe Application Security Groups (ASG)
   • ASGs are similar to NSGs but are used within a NSG to apply a network security rules to a group of VMs
3. Describe User Defined Rules (UDR)
   • UDRs are defined in a route table and allow greater control over network traffic flow.
4. Describe Azure Firewall
   • Azure firewall is a cloud based managed service that provides protection to you virtual network resources.
5. Describe Azure DDoS Protection
   • Azure DDoS Protection is a service that protects your network from denial of service attacks that attempt to exhaust your application resources.
6. Choose an appropriate Azure security solution
   • This is clearly another broad question. Focus on the areas above as these describe critical pieces of a robust security solution.

Describe core Azure Identity services

1. Understand the difference between authentication and authorization

   • authentication: verify the user's identity, typically through ID/password and multi-factor identification.
   • authorization: ensure the user has access to only data or services they are permitted, and can be implemented with role based access control (RBAC).

2. Describe Azure Active Directory

   • a cloud service similar to Microsoft Active Directory that provides an identity and access management solution, addressing authentication and authorization requirements.

3. Describe Azure Multi-Factor Authentication

   • An authentication strategy that requires multiple types of authentication, typically and ID/password and additional validation via a mobile device.

Describe security tools and features of Azure

1. Describe Azure Security Center
   • Azure Security Center is an Azure security management system with the goal of providing advanced protection of client resources but in the cloud and on-prem.
2. Understand Azure Security Center usage scenarios
   • threat scenarios addressed include brute force attacks, new workloads, security scoring, recommendations, etc.
3. Describe Key Vault
   • a secure way to store and access secrets, passwords, and other sensitive information in Azure without storing it in config files that can expose passwords and risk security breaches.
4. Describe Azure Information Protection (AIP)
   • a cloud-based service that allows you to protect documents and emails through labels and categories.
5. Describe Azure Advanced Threat Protection (ATP)
   • a cloud-based service that leverages on-prem Active Directory to protect resources. Methods include monitoring user profiles, protecting identities, and identifying suspicious activities.

Describe Azure governance methodologies

1. Describe policies and initiatives with Azure Policy
   • A service that allows you to define policies regarding Azure resources which enable you to enforce IT governance rules of your organization. Examples include requiring disk encryption, or requiring system updates on VMs.
2. Describe Role-Based Access Control (RBAC)
   • restricting a user's access to resources based on the roles or groups they are associated with.
3. Describe Locks
   • locks provide a mechanism to restrict users from deleting or changing resources. Examples include CanNotDelete and ReadOnly locks.
4. Describe Azure Advisor security assistance
   • integrates with Azure Security Center and gives you specific recommendations for improving security for all your Azure resources.
5. Describe Azure Blueprints
   • Similar to resource templates, but maintains a relationship between what should be deployed and was is deployed.

Understand monitoring and reporting options in Azure

1. Describe Azure Monitor
   • a service that allows you to collect and view granular performance and utilization data about your resources.
2. Describe Azure Service Health
   • provides Global outage info about Azure, and detailed information about infrastructure incidents in Azure related to resources or regions where you have resources.
3. Understand the use cases and benefits of Azure Monitor and Azure Service Health
   • Azure Monitor lets you monitor your resources and address realtime issues, while Azure Service Health keeps you up-to-date on Azure outages and planned maintenance so you can plan the appropriate remediation. Together they are tools to allow you to monitor your resources and ensure application availability.

Understand privacy, compliance and data protection standards in Azure

1. Understand industry compliance terms such as GDPR, ISO and NIST
   • GDPR: The General Data Protection Regulation defines data privacy standards for all organizations that do business with EU citizens.
   • ISO: International Organization for Standardization is a 3rd party standards body which develops international standards, focused on quality management.
   • NIST: the National Institute of Standards and Technology is a U.S. Department of Commerce agency which works with federal agencies and contractors to assist them in meeting security management standards.
2. Understand the Microsoft Privacy Statement
   • A detailed document that describes personal data that is collected, how it's used, reasons it's shared, how to control it, etc.
3. Describe the Trust center
   • describes what Microsoft does to secure the cloud and how it complies with data privacy laws around the world.
4. Describe the Service Trust Portal
   • available within Microsoft 365 and provides detailed information on how Microsoft manages privacy, security, and compliance.
5. Describe Compliance Manager
   • a risk assessment tool that allows you to track and verify your organization's compliance with privacy standard.
6. Determine if Azure is compliant for a business need
   • Microsoft provides tools such as the Trust Center, Trust Portal, and Azure Compliance Manager, and information found in Microsoft Privacy Statement to help customers determine if Azure is compliant for their specific security requirements.
7. Understand Azure Government cloud services
   • physically isolated datacenters and networks located in the U.S. and dedicated to U.S. government clients
8. Describe Azure China cloud services
   • physically isolated datacenters and networks located in China and dedicated to Chinese clients. Ensures compliance with Chinese regulations and keeps data in China.

Understand Azure pricing and support (20-25%)

Understand Azure subscriptions

1. Describe an Azure subscription
   • an Azure subscription is the logical entity where your Azure resources are grouped and paid for via a credit card.
2. Understand the uses and options with Azure subscriptions such access control and offer types
   • each Azure subscription is associated with an Azure AD directory and allows fine-grained management of Azure resources via a role-based authorization control (RBAC) system. A subscription associated with an offer, such as Pay-As-You-Go, Visual Studio Enterprise, etc.
3. Understand subscription management using Management groups
   • Azure management groups allow you to define a hierarchy of subscriptions to facility unified access management and governance policies.

Understand planning and management of costs

1. Understand options for purchasing Azure products and services
   • a web customer pays the general public prices
   • an enterprise customer commits to paying a negotiated annual amount, that will include discounted pricing for resource usage
   • a Cloud Solution Provider is a 3rd party company that provides both builds solutions on top of Azure for their clients. Azure bills the provider for the resource usage.
2. Understand options around Azure Free account
   • A free account is available to all. The account includes a free $200 credit to be used within the first month, with free access to the most popular Azure products for the full 12 months. After that you can convert your account to the Pay-As-You-Go model.
3. Understand the factors affecting costs such as resource types, services, locations, ingress and egress traffic
   • your costs are affected by the type and size of resource and by the Region where it is deployed. Data transmission cost for data inbound to Azure is free, but it is there is a transmission cost moving data out.
4. Understand Zones for billing purposes
   • a Zone is a geographical grouping of Regions for billing purposes. Resource costs will be the same within a Region, but will vary across regions.
5. Understand the Pricing calculator
   • a tool that allows you to estimate cost of Azure resources under various scenarios
6. Understand the Total Cost of Ownership (TCO) calculator
   • a tool to help clients compare costs for their current on-premise infrastructure to similar cloud-based infrastructure in Azure.
7. Understand best practices for minimizing Azure costs such as performing cost analysis, creating spending limits and quotas, using tags to identify cost owners, using Azure reservations and using Azure Advisor recommendations
   • be aware of all the tools described in this section and how they can be used to reduce costs.

We have completed the review of the key topics for the exam. Let's wrap-up with some final links and thoughts.