Azure Security Fundamentals
Download as PPTX, PDF1 like1,344 views
The document outlines a comprehensive security framework that includes advanced physical and operational controls such as two-factor authentication, biometric checks, and extensive video surveillance. It emphasizes the need for robust data protection protocols, including encryption, access monitoring, and vulnerability scanning, to safeguard customer data and mitigate potential threats. Additionally, it describes the ongoing efforts to maintain and enhance security measures through continuous testing and real-time detection of threats.
Azure Security Fundamentals
- 2. Built-in Partner Controls Unique Intelligence Unique Intelligence Built in + Partner Controls
- 3. Two-factor authentication with biometrics Employee & contractor vetting Metal detectors Video coverage rack front & back Inability to identify location of specific customer data Secure destruction bins Ongoing roaming patrols Video coverage Ongoing roaming patrols Front entrance gate 1 defined access point Video coverage Perimeter fencing Two-factor authentication with biometrics Video coverage No building signage 24x7x365 security operations Verified single person entry Ongoing roaming patrols Background check System check Access approval Perimeter Building Server environment Physical datacenter security
- 4. Protect customer data Data, network segregation. DDoS protection at the edge. Platform segregation. Confidential computing. Secure hardware Custom-built hardware with integrated security and attestation Continuous testing War game exercises by Microsoft teams, vulnerability scanning & continuous monitoring CUSTOMER 2CUSTOMER 1 Secure foundation
- 5. Protection at the edge • OneDDoS protects the edge with Cloud scale filtering and DDoS mitigation • Edge layer protections screen unwanted traffic • Encryption for data in transit • Global Load Balancing improves resilience IP and Isolation Controls • Traffic between regions encrypted by default • IP and protocol controls for endpoints • Traffic isolation via site to site VPN or Azure ExpressRoute Infrastructure security Azure Virtual Network Isolation Endpoint Restrictions OneDDoS
- 6. No standing access to production servers and services. Just In Time Elevation required. Multi-factor authentication required for admin actions “Secure Workstations” required to access production Access requests are audited, logged and monitored Operational Security
- 7. Built-in Partner Controls Unique Intelligence Unique Intelligence
- 8. VIRTUAL MACHINES APPLICATIONS STORAGE & DATABASES Built-in Controls | Data protection Enable built-in encryption across resources Azure Storage Service Encryption Azure Disk Encryption SQL TDE/Always Encrypted Encrypt data while in use Azure confidential computing Use delegated access to storage objects Shared Access Signature enables more granular access control Use a key management system Keep keys in a hardware HSM/don’t store key in apps/GitHub Use one Key Vault per security boundary/per app/per region Monitor/audit key usage-pipe information into SIEM for analysis/threat detection Use Key Vault to enroll and automatically renew certificates
- 9. Azure Security Center with advanced analytics for threat detection Virtual machines Applications Storage & databases Network Built-in Controls | Threat protection Mitigate potential vulnerabilities proactively Ensure up to date VMs with relevant security patches Enable host anti-malware Reduce surface area of attack Enable just in time access to management ports Configure Application Whitelisting to prevent malware execution Detect threats early and respond faster Use actionable alerts and incidents Interactive investigation tool and playbooks to orchestrate responses
- 11. threats detected/monthBuilt-in Partner Controls Unique Intelligence Built-in Partner Controls