Azure Identity and Security Overview


Azure Cloud Architect
General Azure Security

This course explores many security-related services and technologies that are available in Microsoft Azure, including Microsoft Defender for Cloud (formerly Azure Security Center), Azure Key Vault, and Microsoft Sentinel.


Hi there, welcome to General Azure Security. In this lesson, we're going to look at the many security-related services and technologies that are available in Microsoft Azure. Microsoft calls Defender for Cloud a security posture management and threat protection tool. In other words, it's an offering that's designed to help you protect workloads from threats, track your security posture, and streamline security management. It can protect Azure workloads, hybrid workloads that run in the cloud and on-prem, and workloads on other cloud platforms. Defender for Cloud provides you with a secure score, security recommendations, and security alerts. The secure score is designed to give you an at-a-glance view of your security posture. Put simply, the higher your secure score, the lower the identified risk level. The security recommendations supplied by Defender for Cloud are designed to help you harden your resources and services. They offer guidance and suggest tasks you should complete to harden your environment and to improve your security posture.

Some of these remediation tasks can be completed right from within Defender for Cloud via a Fix button that's available for some of the identified issues. Security alerts are what they sound like. Whenever Defender for Cloud identifies a threat to your workloads, it generates an alert that appears in the Azure portal. Defender for Cloud can also send those alerts out via e-mail to the people in your organization who need to see them. They can even be streamed to SIEM and SOAR solutions if necessary. The most visible feature of Defender for Cloud is the secure score that it provides. The secure score is an aggregated value that represents the security posture of your environment. To calculate it, Defender for Cloud assesses the security of your resources, subscriptions, and organization. It identifies issues, assigns values to them, and then calculates the score, which gives you an at-a-glance idea of what your security posture is. The higher the secure score, the lower the risk level; the lower the score, the higher the risk level.
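To make the "assigns values and calculates the score" step concrete, here is an added example (not code from the course or from Microsoft) that models how a secure score aggregates per-control results. The per-control computation it uses, a control's maximum points scaled by the fraction of its resources that are healthy, summed across controls and expressed as a percentage of the total possible points, is the documented Defender for Cloud calculation as I understand it; the control names, point values and resource counts are constructed sample data, and the decision to skip controls with no applicable resources is an assumption.

```python
from dataclasses import dataclass


@dataclass
class SecurityControl:
    """One secure-score control: a set of related recommendations with a point value."""
    name: str
    max_score: float
    healthy: int      # resources that pass every recommendation in the control
    unhealthy: int    # resources with at least one open recommendation

    @property
    def total(self) -> int:
        return self.healthy + self.unhealthy

    def current_score(self) -> float:
        """Points earned: max points scaled by the healthy fraction of in-scope resources."""
        if self.total == 0:
            return 0.0  # no applicable resources; excluded from the score below (assumption)
        return round(self.max_score * self.healthy / self.total, 2)


def secure_score_percent(controls) -> float:
    """Overall secure score as a percentage of the points available for applicable controls."""
    applicable = [c for c in controls if c.total > 0]
    earned = sum(c.current_score() for c in applicable)
    possible = sum(c.max_score for c in applicable)
    return round(100 * earned / possible, 1) if possible else 0.0


def remediation_priority(controls):
    """Controls ordered by points recoverable, i.e. where remediation raises the score most."""
    applicable = [c for c in controls if c.total > 0]
    return sorted(applicable, key=lambda c: c.max_score - c.current_score(), reverse=True)


# Constructed sample controls (names and values chosen for illustration only).
SAMPLE_CONTROLS = [
    SecurityControl("Enable MFA", 10, healthy=2, unhealthy=2),
    SecurityControl("Secure management ports", 8, healthy=6, unhealthy=2),
    SecurityControl("Apply system updates", 6, healthy=9, unhealthy=3),
    SecurityControl("Encrypt data in transit", 4, healthy=4, unhealthy=0),
    SecurityControl("Enable endpoint protection", 4, healthy=0, unhealthy=0),  # nothing in scope
]

if __name__ == "__main__":
    print(f"Secure score: {secure_score_percent(SAMPLE_CONTROLS)}%")
    for c in remediation_priority(SAMPLE_CONTROLS):
        print(f"{c.name:30s} {c.current_score():5.2f}/{c.max_score} points")
```

The ordering returned by `remediation_priority` is the point of the exercise: two unhealthy resources under "Enable MFA" cost five points, while two unhealthy resources under "Secure management ports" cost two, so the score, not the raw count of open recommendations, tells you what to fix first.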

In addition to providing the secure score, Defender for Cloud also offers hardening recommendations for your resources and environment. These recommendations are based on security weaknesses that it finds during its continual assessments of your environment. You can then implement these recommendations to strengthen the security posture of your resources, whether they're on-prem, in Azure, or on other cloud platforms. Now, before we wrap this introduction up, I just want to touch on the various security features that are available in Defender for Cloud. These security features can be accessed from the Defender plans page of Microsoft Defender for Cloud. They include Microsoft Defender for Servers, Defender for Storage, Defender for SQL, and Microsoft Defender for Containers. Also included are Microsoft Defender for App Service, Defender for Key Vault, Defender for Resource Manager, Defender for DNS, and Microsoft Defender for open-source relational databases. Microsoft Defender for Servers is an advanced feature in Defender for Cloud that allows you to add threat detection to both Windows machines and Linux machines, whether they're in Azure, on-prem, or in a multi-cloud environment.

Microsoft Defender for Storage is another feature of Defender for Cloud. It detects attempts to access or exploit storage accounts and provides you with security alerts and recommendations. Microsoft Defender for SQL discovers and helps mitigate database vulnerabilities, while Microsoft Defender for Containers is a cloud-native solution for securing containers. Microsoft Defender for App Service identifies attacks that target apps running on the app service, while Microsoft Defender for Key Vault protects your key vaults by detecting unusual attempts to access them.

And then we have Microsoft Defender for Resource Manager. What this feature does is automatically monitor resource management operations that happen within the organization. It monitors these operations whether they're performed via the Azure portal, the Azure CLI, Azure REST APIs, or other Azure programmatic clients. It detects threats and alerts you about suspicious activity that it identifies. Microsoft Defender for DNS can detect suspicious activities like DNS attacks, communications with domains that are used for malicious activities like phishing or crypto mining, and malware that's communicating with its command-and-control servers. It can also detect data exfiltration from Azure resources through DNS tunneling. And then lastly, we have Defender for open-source relational databases. What this offering does is provide alerts when it detects suspicious database access and query patterns, or other suspicious database activities. Each of these features can be monitored and configured from the Defender for Cloud workload protections dashboard.

Azure Key Vault is a cloud solution that allows organizations to centrally store and manage secrets, keys, and certificates. By leveraging Azure Key Vault, an organization can not only securely store things like tokens, passwords, and certificates, but it can also tightly control access to them. Azure Key Vault can also be used as a key management solution because of how easy it makes it to create and control encryption keys that are used to encrypt your data. You can also use Azure Key Vault to provision, manage, and deploy public and private TLS and SSL certificates that you plan to use with Azure and with internal connected resources. I should also mention that you can use Key Vault to store secrets that are backed by hardware security modules or HSMs. They can be protected either by software or by FIPS 140-2 Level 2 validated HSMs.

Accessing an Azure Key Vault requires proper authentication and authorization. Authentication, which establishes the identity of the user or app, is performed by Azure Active Directory. Authorization, which determines the operations that the user or app is allowed to perform, is typically handled via role-based access control or via Key Vault access policies. It's also important to note that Azure Key Vault is designed in such a way that Microsoft cannot and does not see or extract your data. Azure Monitor collects data that you can use to monitor your environment. This data fits into one of two fundamental types: metrics and logs. Since this course focuses on security, we'll key in on the log data that Azure Monitor collects rather than the metrics data. The logs in Azure Monitor can be used to perform complex analysis across data that's collected from many different resources. However, it's important to understand the difference between Azure Monitor Logs and the different sources of log data in Azure. Let's take subscription-level events in Azure, for example.

These types of events are written to an activity log, which can be viewed from the Azure Monitor menu. While most Azure resources record detailed operational information in resource logs that can be forwarded to different locations, Azure Monitor Logs is actually a log data platform. This log data platform collects resource and activity logs along with other monitoring data that can be analyzed to provide information on all resources across your entire environment. Events are one of the more common types of log entry collected by Azure Monitor. Such events are typically created by applications or services that you are running, and they usually provide information that indicates when a specific resource was created or modified, or when an error was detected in an application.

The table on your screen shows the different ways that you can use Azure Monitor Logs. You can use Log Analytics to write log queries and the Data Explorer analysis engine to interactively analyze the data. The Application Insights Analytics console in the Azure portal can also be used to write log queries. Using Application Insights, you can interactively analyze the log data. You can visualize your Azure Monitor Logs by rendering the data as tables or charts and pinning them to your Azure dashboard. You can also create workbooks that combine several sets of data into a single report. There are many other ways to visualize your data as well. You can even configure log alert rules that either send out notifications or perform automated actions whenever a query returns results that match a defined condition. You can access log query results using multiple tools, including the Azure CLI and Azure PowerShell. You can even access them from a custom application using the REST API. Azure Monitor Logs can also be used to build workflows. To do this, you could retrieve the log data and copy it to an external location using Logic Apps.
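The subscription-level activity log described above is exactly the data a log alert rule runs over, and it is also what Defender for Resource Manager watches. The following added example (my own code, not from the course or from Azure Monitor) shows the two halves of such a rule over a handful of constructed Activity Log entries: a "query" that selects successful control-plane writes which change access or network exposure, and a rule that aggregates the matches per caller within a look-back window and fires when a threshold is met. The operation names are real Azure Resource Manager operation strings; the entries themselves are constructed, flattened to the few fields used here (a real export carries many more), and the subscription ID and callers are placeholders.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample Activity Log entries (Administrative category), one JSON object per line.
# The subscription ID is a placeholder, the callers are fictitious, and the resource names are invented.
SAMPLE_ACTIVITY_LOG = """\
{"eventTimestamp": "2024-05-01T10:00:12Z", "category": "Administrative", "operationName": "Microsoft.Authorization/roleAssignments/write", "status": "Succeeded", "caller": "alice@contoso.example", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg"}
{"eventTimestamp": "2024-05-01T10:02:40Z", "category": "Administrative", "operationName": "Microsoft.KeyVault/vaults/accessPolicies/write", "status": "Succeeded", "caller": "alice@contoso.example", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg/providers/Microsoft.KeyVault/vaults/prod-kv"}
{"eventTimestamp": "2024-05-01T10:03:05Z", "category": "Administrative", "operationName": "Microsoft.Network/networkSecurityGroups/securityRules/write", "status": "Succeeded", "caller": "alice@contoso.example", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg/providers/Microsoft.Network/networkSecurityGroups/prod-nsg/securityRules/rule-01"}
{"eventTimestamp": "2024-05-01T10:05:00Z", "category": "Administrative", "operationName": "Microsoft.Compute/virtualMachines/start/action", "status": "Succeeded", "caller": "bob@contoso.example", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg/providers/Microsoft.Compute/virtualMachines/web01"}
{"eventTimestamp": "2024-05-01T10:06:30Z", "category": "Administrative", "operationName": "Microsoft.Authorization/roleAssignments/write", "status": "Failed", "caller": "bob@contoso.example", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg"}
{"eventTimestamp": "2024-05-01T08:00:00Z", "category": "Administrative", "operationName": "Microsoft.Authorization/roleAssignments/write", "status": "Succeeded", "caller": "carol@contoso.example", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000"}
"""

# Control-plane writes that change who can do what, or what is reachable. These are the
# operations a defender typically wants an alert rule to watch closely.
SENSITIVE_WRITES = {
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.KeyVault/vaults/accessPolicies/write",
    "Microsoft.Network/networkSecurityGroups/securityRules/write",
}


def parse_timestamp(value: str) -> datetime:
    """Activity Log timestamps are ISO 8601 with a trailing Z; make them timezone-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_activity_log(text: str):
    """Parse JSON-lines entries, skipping blank lines, and normalise the timestamp field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["eventTimestamp"] = parse_timestamp(event["eventTimestamp"])
        events.append(event)
    return events


def query_sensitive_writes(events):
    """The 'query' half of the rule: successful administrative writes from the watch list."""
    return [
        e for e in events
        if e.get("category") == "Administrative"
        and e.get("operationName") in SENSITIVE_WRITES
        and e.get("status") == "Succeeded"
    ]


def evaluate_alert_rule(events, now_iso=None, window=timedelta(minutes=60), threshold=3):
    """The 'rule' half: aggregate query matches per caller inside the look-back window and
    return the (caller, count) pairs that meet the threshold. now_iso defaults to the current time."""
    now = parse_timestamp(now_iso) if now_iso else datetime.now(timezone.utc)
    start = now - window
    hits = Counter(
        e["caller"] for e in query_sensitive_writes(events)
        if start <= e["eventTimestamp"] <= now
    )
    return sorted((caller, n) for caller, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    events = parse_activity_log(SAMPLE_ACTIVITY_LOG)
    for caller, n in evaluate_alert_rule(events, now_iso="2024-05-01T10:30:00Z"):
        print(f"ALERT: {caller} performed {n} sensitive control-plane writes in the last hour")
```

Note what the rule deliberately ignores: the failed role assignment by the second caller never reaches the aggregation because the query filters on `status`, and the third caller's earlier role assignment falls outside the one-hour window, so only the first caller's three writes fire the rule. In Azure Monitor the same shape is expressed as a Kusto query plus the rule's aggregation, window and threshold settings.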

Azure Sentinel is a cloud-based security information and event management (SIEM) solution that provides intelligent security analytics and threat intelligence across the enterprise. It's an all-in-one solution for alert detection, threat visibility, proactive hunting, and threat response. Azure Sentinel provides you with a 30,000-foot view of the enterprise while helping you identify and mitigate even the most sophisticated attacks. Its intelligence helps you deal with the never-ending stream of alerts. Using Azure Sentinel, you can collect data on all users, devices, applications, and infrastructure, whether they reside on-prem or in other clouds. This service can even detect threats that were previously considered undetectable, while minimizing false positives through the use of Microsoft's analytics and threat intelligence. By leveraging artificial intelligence, Azure Sentinel allows you to investigate threats and to actively hunt for suspicious activities at scale. Its built-in orchestration and automation of common tasks allow you to respond quickly to incidents.

Azure Sentinel incorporates existing Azure technologies like Logic Apps, Log Analytics, and artificial intelligence. This brings robust investigation and detection capabilities to organizations that deploy Azure Sentinel. To onboard Azure Sentinel, you first need to connect it to your existing data sources. Sentinel comes with numerous connectors right out of the box, including connectors for Microsoft solutions like Microsoft Threat Protection, Microsoft 365, Azure AD, and more. After connecting to your data sources, you can begin monitoring your data via Azure Sentinel's integration with Azure Monitor Workbooks. Azure Sentinel offers automation and orchestration solutions that can handle new technologies and even the newest threats that emerge.

Azure Sentinel's investigation tools help you determine the scope of potential security threats while helping you find their root causes. The hunting, search, and query tools that Azure Sentinel provides allow you to proactively hunt for security threats across your data sources before an alert is ever triggered. The Sentinel community even offers community-provided workbooks, playbooks, and hunting queries that you can use in your own environment. To read more about Azure Sentinel, visit the URL that you see on your screen.


About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.