Learning Objectives
- Configure security policies to classify, protect, and manage data
- Configure data retention for storage and databases
- Set up Azure SQL security features and auditing
- Learn how to configure storage account security and access
- Learn how to secure HDInsight clusters
- Configure Cosmos DB security
- Configure Data Lake security
- Learn good design features of an Azure application
- See how Azure App Services can secure your app
- See how a governance policy can help formalize security requirements
Intended Audience
- People preparing for Microsoft’s AZ-500 exam
- System administrators
- App developers
Prerequisites
- Experience with Microsoft Azure
- Experience with Office 365
- Basic knowledge of computer security principles
- Basic networking knowledge
Now we will turn to governance and creating an application security baseline. Apart from the topics covered so far, this is more application-specific. A public-facing e-commerce app has different considerations than an internal application within a financial institution or bank. One is restricted to a specific user and their own information whereas the other will allow multiple users different levels of access to other people's sensitive information.
To evaluate an application's security baseline, we need to do an initial task assessment to identify your core business risks related to cloud security, translate those business risks into specific technical risk profiles. Before deployment, perform a review to identify any new risks and make sure all access and data security policy requirements are met. As part of the deployment process, validate security policy compliance. Regularly perform audits on cloud deployments to ensure their continued alignment with security policy.
For auditing and subsequent adherence to security policy to work, you must be monitoring application performance and collecting security data and metrics. Ensure that automated monitoring is enabled, and data and logs are being collected and securely stored. When something goes wrong, there must be a clear path and procedure to report incidents and take action. You should have lines in the sand that trigger a security response. For example, if increased brute force or denial of service attacks are detected, say at 25%, then a plan must be in place to prevent further escalation. If unclassified data is detected, then external access should be denied until the data owner can apply the appropriate classification. If a security health issue is detected, disable access to any virtual machines that have known access or malware vulnerability identified until appropriate patches of security software can be installed. Update policy guidance to account for any newly detected threats. If a network vulnerability is detected, access to any resource not explicitly allowed by the network access policy should be triggered to alert IT security and staff and the relevant workload owner. Track issues and update guidance if policy revision is necessary to mitigate future incidents.
Hallam is a software architect with over 20 years experience across a wide range of industries. He began his software career as a Delphi/Interbase disciple but changed his allegiance to Microsoft with its deep and broad ecosystem. While Hallam has designed and crafted custom software utilizing web, mobile and desktop technologies, good quality reliable data is the key to a successful solution. The challenge of quickly turning data into useful information for digestion by humans and machines has led Hallam to specialize in database design and process automation. Showing customers how leverage new technology to change and improve their business processes is one of the key drivers keeping Hallam coming back to the keyboard.