AZ-900 Microsoft Azure Fundamentals Exam

Evaluate Governance Strategies in Azure

Governance in Azure is essential for effectively managing and controlling cloud resources. It involves setting up policies, procedures, and tools to make sure resources are used securely, efficiently, and in line with organizational standards. Key parts of governance include resource management, access control, and policy enforcement. These strategies help organizations keep control of their cloud environment, lower risks, and save money.

Resource Management

Good resource management is a key part of Azure governance. It means organizing resources into logical groups using resource groups, which are like containers for related resources in an Azure solution. This allows for easier management, deployment, and removal of resources. Also, tags can be added to resources to further organize and categorize them, which helps with cost tracking and management. Proper resource management makes sure resources are used efficiently and are easy to identify.

Role-Based Access Control (RBAC)

Azure Role-Based Access Control (RBAC) is a crucial part of governance. It gives detailed control over who can access Azure resources and what they can do with them. RBAC uses role assignments to give permissions to users, groups, service principals, or managed identities at different levels, like management groups, subscriptions, resource groups, or individual resources. This makes sure users only have the necessary permissions to do their jobs, which improves security and lowers the risk of unauthorized access.

Azure Policies

Azure Policies are used to set and enforce organizational standards and compliance rules. Policies can be applied at different levels, from management groups down to individual resources, making sure everything behaves consistently across the Azure environment. They can enforce rules about resource naming, location, and configuration, which helps maintain compliance and reduce risks. Policies are essential for making sure resources are deployed and managed in a consistent and secure way.

Azure Blueprints

Azure Blueprints provide a way to define and deploy repeatable sets of Azure resources that follow an organization’s standards, patterns, and requirements. Blueprints can include resource templates, policies, and role assignments, making sure new environments are set up consistently and in line with organizational guidelines. This helps to simplify the deployment process and lower the risk of mistakes. Blueprints are a powerful tool for creating and maintaining a well-governed cloud environment.

Conclusion

In short, effective governance in Azure involves a mix of resource management, access control, policy enforcement, and the use of blueprints. These strategies help organizations keep control of their cloud resources, ensure compliance, and save money. By using these governance practices, organizations can take advantage of the cloud while reducing risks and ensuring a secure and well-managed environment.

Implement Best Practices for Security and Governance

Microsoft Azure's infrastructure is secured through datacenters located around the world that follow industry standards like ISO/IEC 27001:2013 and NIST SP 800-53. These datacenters are managed by Microsoft staff, ensuring they are always running. Microsoft focuses on physical security, availability, network design, and data protection to keep the environment secure.

Data protection is a key part of Azure's security. Geo-redundant storage (GRS) is enabled by default, keeping six copies of your data across primary and secondary regions. This ensures high durability and allows for failover if a primary region fails. When data is deleted or a customer leaves Azure, Microsoft follows strict rules for data deletion and hardware destruction. Microsoft does not claim ownership of customer data.

Records management is the customer's responsibility. Azure provides tools to export data and audit reports, allowing customers to keep information outside of Azure for their required retention periods. Similarly, customers are responsible for following e-discovery rules and can export and save data locally or request exports from Azure Customer Support. Azure also does a lot of internal logging and monitoring.

Access control is managed through Azure Key Vault and Azure role-based access control (RBAC). Key Vault allows secure storage of credentials, while RBAC allows for segregation of duties, giving users only the necessary access to resources. Managed identities for Azure resources provide an automatically managed identity in Microsoft Entra ID, allowing services to authenticate without credentials in code.

Security best practices include using public-key cryptography for VM connections, which is more secure than passwords. Azure policies can be used to set and enforce desired behaviors for VMs, helping to reduce risk. These policies allow organizations to enforce various rules throughout the enterprise.

In summary, Azure provides a strong security infrastructure with multiple layers of protection, including physical security, data redundancy, access control, and policy enforcement. Customers are responsible for managing their data and access, while Azure provides the tools and services to support these efforts.

Assess Risk Management and Threat Protection

Microsoft Azure's infrastructure is secured through various measures, including physical security at datacenters located around the world that comply with industry standards like ISO/IEC 27001:2013 and NIST SP 800-53. These datacenters are managed by experienced Microsoft staff, ensuring they are always running. This strong physical security is the foundation for protecting data and services within Azure.

Azure uses several strategies for data protection. Geo-redundant storage (GRS) is enabled by default, keeping six copies of your data across two regions, providing high durability and resilience against regional failures. When data is deleted or a customer leaves Azure, Microsoft follows strict rules for data deletion and physical destruction of hardware. This ensures that customer data is handled securely throughout its lifecycle.

Customer data ownership is a key principle in Azure. Microsoft does not inspect, approve, or monitor customer applications or data, and does not claim ownership of customer data. Customers are responsible for managing their own records and following e-discovery rules. Azure provides tools for exporting data and audit reports, allowing customers to keep their data outside of Azure for specified periods. This approach emphasizes customer control and responsibility over their data.

Azure Key Vault is a service that securely stores credentials, secrets, and keys. To improve security, managed identities for Azure resources provide Azure services with an automatically managed identity in Microsoft Entra ID, allowing authentication to services like Key Vault without embedding credentials in code. This reduces the risk of credential exposure. This feature simplifies credential management and improves overall security.

Azure Policies help set and enforce desired behaviors for virtual machines (VMs), reducing risks and ensuring compliance. Azure role-based access control (Azure RBAC) allows for segregation of duties, giving users only the necessary access to VMs. This limits the potential impact of compromised accounts. These tools help organizations maintain control and security over their Azure resources.

Finally, when connecting to VMs, using public-key cryptography with SSH keys is recommended over passwords, which are vulnerable to brute-force attacks. SSH keys provide a more secure way to authenticate, especially for internet-facing VMs. This practice enhances the security of VM access and reduces the risk of unauthorized entry.

Comprehend Azure Security Features

Azure's infrastructure is secured through multiple layers of protection, starting with the physical security of its datacenters. These datacenters are located around the world and follow strict industry standards like ISO/IEC 27001:2013 and NIST SP 800-53. Microsoft's operations staff manages these facilities, ensuring they are always running and secure. This physical security is the foundation for all other security measures in Azure.

One key aspect of Azure security is the use of public-key cryptography for virtual machine (VM) access. Instead of relying on passwords, which are vulnerable to brute-force attacks, Azure uses SSH keys for authentication. This method involves a secure exchange of public and private keys, providing a more secure way to log in to VMs, especially those that are internet-facing. This helps to protect against unauthorized access.

Managed identities for Azure resources address the challenge of managing credentials in code. Instead of storing credentials directly in the code, Azure services are given an automatically managed identity in Microsoft Entra ID. This identity can be used to authenticate to other services, such as Azure Key Vault, without needing to store any credentials in the code. This significantly enhances security by reducing the risk of credential exposure.

Azure also provides strong access control and policy enforcement mechanisms. Azure role-based access control (RBAC) allows for the segregation of duties, giving users only the necessary permissions to perform their jobs on VMs. Additionally, Azure policies can be used to set and enforce desired behaviors for VMs, helping to reduce risks and ensure compliance. These features help maintain a secure and well-governed environment.

Data protection is another critical aspect of Azure security. Geo-redundant storage (GRS) is enabled by default, keeping six copies of data across two regions. This ensures high durability and availability of data, even if a region fails. Furthermore, Microsoft follows strict rules for data destruction when customers delete data or leave Azure, ensuring that data is completely removed from the system.

Finally, Azure emphasizes customer data ownership and responsibility. Microsoft does not inspect, approve, or monitor customer applications or data. Customers are responsible for managing their own data, including record retention and compliance with e-discovery rules. Azure provides tools for exporting data and audit reports, allowing customers to maintain control over their information.

Understand Compliance and Regulatory Benefits

Microsoft Azure's infrastructure is built with compliance and regulatory adherence in mind. Azure datacenters are located around the world and comply with key industry standards like ISO/IEC 27001:2013 and NIST SP 800-53. This ensures that the physical infrastructure and operations meet strict security and reliability requirements. Microsoft operations staff, with extensive experience, manage and monitor these datacenters 24/7.

Azure provides several features to help customers meet their compliance needs. For example, Geo-redundant storage (GRS) replicates data across multiple regions, ensuring high durability and availability. Data is replicated three times within the primary region and three times in a secondary region, providing protection against regional failures. Additionally, Microsoft has strict rules for data deletion and hardware destruction when customers delete data or leave Azure, ensuring data is handled securely.

Azure also emphasizes customer data ownership and control. Microsoft does not inspect, approve, or monitor customer applications or data stored in Azure. Customers retain full ownership of their data. Azure provides tools for customers to manage their records, allowing them to export data and audit reports for their own retention requirements. This ensures that customers can comply with their own internal policies and external regulations.

Furthermore, Azure supports electronic discovery (e-discovery) requirements. Customers are responsible for complying with these requirements when using Azure services. Azure allows customers to export and save their data locally, and they can also request data exports from Azure Customer Support. Azure also does a lot of internal logging and monitoring, which can be helpful for compliance and auditing purposes.

Azure offers features like Azure Policy and Azure Role-Based Access Control (RBAC) to help organizations enforce security and compliance. Azure Policy allows organizations to set desired behaviors for their resources, while Azure RBAC enables segregation of duties and grants only necessary access to users. These tools help reduce risks and ensure that resources are managed in a compliant manner.

Finally, Azure provides Managed Identities for Azure resources, which simplifies credential management. This feature allows Azure services to authenticate to other services, such as Key Vault, without embedding credentials in code. This enhances security and reduces the risk of credential exposure, contributing to a more compliant and secure cloud environment.

Conclusion

This section has covered the importance of security and governance in the cloud, specifically within the context of Microsoft Azure. We explored how to evaluate governance strategies using resource management, RBAC, Azure Policies, and Azure Blueprints. We also discussed best practices for security and governance, including data protection, access control, and the use of Azure Key Vault. Furthermore, we examined risk management and threat protection mechanisms, such as Azure's physical security measures, data redundancy, and the use of managed identities. We also looked at key Azure security features like public-key cryptography, Azure RBAC, and Azure Policies. Finally, we discussed how Azure helps organizations meet compliance and regulatory requirements through built-in tools and services. Understanding these concepts is crucial for maintaining a secure, compliant, and well-managed cloud environment in Azure.