Cyber Security On Azure An IT Professional S Guide To Microsoft Azure Security 2nd Edition Marshall Copeland Matthew Jacobs
Marshall Copeland and Matthew Jacobs
Matthew Jacobs
Nashville, TN, USA
Matthew Jacobs
is a system engineer focused on cloud architecture technologies needed to support identity management, security, and collaboration toolsets for small and medium businesses, including enterprise organizations. His work has focused on digital transformation, including on-premises only, hybrid cloud networks, and complete public cloud-only deployment. Matthew brings a hands-on cloud architecture approach for Identity and Access Management (IAM) and enhanced engineering to enable business agility that secures and supports a global remote workforce. His current work in the Nashville, Tennessee, area includes Fortune 500 media, entertainment, and hospitality companies, and his work history extends into public cloud federal compliance requirements for the banking and healthcare industries.
About the Technical Reviewer
Vidya Vrat Agarwal
is a software architect, author, blogger, Microsoft MVP, C# Corner MVP, speaker, and a mentor. He is a TOGAF Certified Architect and a Certified Scrum Master (CSM). He is currently working as a Principal Architect at T-Mobile Inc., USA. He started working on Microsoft .NET with its first beta release. Vidya is passionate about people, process, and technology and loves to contribute to the .NET community. He lives in Redmond, WA, United States, with his wife Rupali, two daughters Pearly and Arshika, and a female puppy Angel.
Part I
Zero Trust Cloud Security
In Part 1, the focus is on the configuration of Azure cloud-native security solutions to support a Zero Trust model. First, understand that cloud-native security solutions are those created by Microsoft Azure for consumption in your Azure Tenant and subscriptions. You need to consider what supports the Azure Tenant, which is more closely tied to the identity layer, and what native solutions support the subscription layer.
The subscription layer has machines, which are tied directly to identity and customer data. The data is what every “bad actor” is attempting to copy, augment, or damage.
Cyber security challenges are used to classify Azure cloud security needs so that you can better focus on improving your security posture in the cloud. Traditional on-premises security has been applied in separate verticals: networks, identities, users, systems, applications, and data.
In every chapter, security tools and techniques are introduced along with real-world examples of how attacks were achieved, and each example trains Azure security operations teams using the cyber kill chain as their “north star.” Blue teams in the cloud need to learn how to disrupt the kill chain at every link. The reader is introduced to the most current command and control (C&C or C2) information framework to support the examples. The tool is used to identify hacker techniques based on their past attacks and forensics. Examples will expand on different attack techniques with exercises to upskill your Azure cloud security knowledge from these community-supported tools (https://attack.mitre.org/ and www.thec2matrix.com/matrix).
ADFS deployment, all users will be redirected to your on-premises domain for authentication. This scenario is ideal for organizations that are heavily integrated with ADFS for Single Sign-On (SSO) with limited options to move to the cloud, or that are looking to extend their presence into the cloud without switching to a full cloud model for Identity Management. A basic illustration of this is represented in Figure 1-6.
Figure 1-6 This is a simple example of federation with ADFS as the IdP
When choosing to federate your Azure AD, be sure to enable Password Hash Synchronization and have an adequate level of redundancy built into your on-premises environment. If you lose connectivity to your local ADFS deployment through Internet Service Provider outages, hardware failures, or local configuration changes, you can rely on Password Hash Synchronization as a backup method for authentication instead of needing to reference ADFS. One precaution: the longer your domain is disconnected, the less up to date your synchronized password hashes will be, causing a potential influx of password mismatches when service is restored.
Non-federation
Choosing not to federate extends your Identity Management from local Active Directory to your Azure Tenant. Unlike federation, Azure AD becomes your IdP, and all other applications that are deployed in Azure or integrated with Azure will act as Service Providers. When deploying Azure AD Connect with Password Hash Synchronization, you also enable your on-premises Active Directory to become your source of truth for accounts that exist locally and in the cloud. A basic illustration of this is represented in Figure 1-7.
Figure 1-7 This is a simple example of non-federation with Azure as the IdP
When setting up your Azure AD Connect using a non-federation model, you have two different options for how your accounts authenticate: Password Hash Synchronization (PHS) and Pass-Through Authentication (PTA). PTA is similar to the ADFS model, but instead of redirecting to an ADFS farm, Azure AD Connect will validate the credentials directly against your on-premises domain controllers. While each method has robust security around the transport and storage of credentials, an ideal scenario is to set up PHS and enable password writeback. Enabling password writeback allows users to change their password without the need to directly contact a domain controller. When the user changes their password through the Azure tenant, the password will be validated against the password requirements of the local domain. You will also need to have password writeback enabled to perform Self-Service Password Reset (SSPR), outlined in a later section.
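A defender-side audit of the posture the last few paragraphs describe (which domains are federated, whether PHS exists as a fallback, whether password writeback is on, and whether the sync scheduler is still refreshing hashes), written as an added example that is not from the book. It assumes the Microsoft Graph PowerShell SDK for the tenant side, the ADSync module on the Azure AD Connect server, and connector names that are placeholders to be confirmed with Get-ADSyncConnector.

```powershell
# Added example (not from the book). Run on the Azure AD Connect server with the
# ADSync module installed; Graph read access (Domain.Read.All) is assumed.
Connect-MgGraph -Scopes "Domain.Read.All" | Out-Null

# 1. Tenant side: which verified domains use ADFS (Federated) vs Azure AD (Managed) as IdP?
$domains = Get-MgDomain | Where-Object { $_.IsVerified } |
    Select-Object Id, AuthenticationType, IsDefault
$domains | Format-Table -AutoSize
$federated = @($domains | Where-Object { $_.AuthenticationType -eq 'Federated' })

# 2. AAD Connect side. Connector names differ per deployment; the default AAD connector
#    is named "<tenant>.onmicrosoft.com - AAD" and the AD connector after the forest.
Import-Module ADSync
$aadConnector = (Get-ADSyncConnector | Where-Object { $_.Name -like '* - AAD' } |
    Select-Object -First 1).Name
$adConnector  = (Get-ADSyncConnector | Where-Object { $_.Name -notlike '* - AAD' } |
    Select-Object -First 1).Name

$phsEnabled = (Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector).Enabled
$writeback  = (Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector).Enabled
$scheduler  = Get-ADSyncScheduler

# 3. Findings, in the terms the chapter uses.
if ($federated.Count -gt 0 -and -not $phsEnabled) {
    Write-Warning ("Federated domain(s) {0} have no PHS fallback: an ADFS or ISP outage " +
                   "blocks sign-in until the farm is reachable again.") -f ($federated.Id -join ', ')
}
if (-not $writeback) {
    Write-Warning "Password writeback is off: SSPR and cloud password changes cannot reach the local domain."
}
if (-not $scheduler.SyncCycleEnabled -or $scheduler.SchedulerSuspended) {
    Write-Warning ("Sync scheduler is not running (next cycle: {0}); synchronized hashes " +
                   "are going stale and will mismatch once service is restored.") -f $scheduler.NextSyncCycleStartTimeInUTC
}
```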
Security Measures
Now that we have gone over the Identity Provider scenarios, the mechanisms we use to access our identity, and high-level management concepts, we need to look at how we create security measures within our tenant. Security measures are the ways in which we minimize the ability of bad actors to gain access to our resources. We will touch on Azure application permission scopes, provide an in-depth guide on enabling Multi-Factor Authentication for our tenant, set up Conditional Access Policies, and provide a high-level overview of Privileged Identity Management.