AZ-500: Azure Security Engineer: Subtitle or Speaker Name
Module 03: Secure data and applications
Module agenda
Configure security policies to manage data
Configure security for data infrastructure
Configure encryption for data at rest
Understand application security
Implement security for application lifecycle
Secure applications
Lesson 1: Configure security policies to manage data
Configure data classification
Primary characteristics of data classification:
Facilitates storage optimization, identifies risks associated with data, and helps compliance
Applies equally regardless of:
Data state: at rest, in process, and in transit
Data format: structured and unstructured
Configure data classification (Cont.)
Implementing data classification in Azure SQL Database:
Available as part of Advanced Data Security offering
Data discovery and classification
Configurable via the Azure portal
Provides a set of capabilities forming SQL Information Protection:
Discovery and recommendations
Labeling
Query result set sensitivity
Visibility
Configure data retention
Primary characteristics of data retention:
Dictates data recovery and disposal rules
Relates closely to data classification
Addresses regulatory, compliance, and corporate legal requirements
Configure data retention (Cont.)
Implementing data retention for Azure Blob storage:
Relies on immutable storage: write once, read many (WORM)
Offers support for:
Time-based retention policies
Legal-hold policies
All blob tiers: hot, cool, and archive
Container-level configuration
Audit logging
Configure data sovereignty
Primary characteristics of data sovereignty:
Facilitates compliance with laws of the country (or region) where data is located
Prevents storing data in a foreign country
Typically includes provisions for data durability and resiliency
Configure data sovereignty (Cont.)
Implementing data sovereignty based on Azure regions:
Relies on paired regions: each region paired with another within the same geography (*)
Offers a range of benefits:
Physical isolation
Platform-provided replication
Region recovery order
Sequential updates
Data residency
Reflects Microsoft commitment to compliance
(*) Except for Brazil South
Lesson 2: Configure security for data infrastructure
Configure an SQL Database firewall
Primary characteristics of an SQL Database firewall:
Supports SQL Database and Azure SQL Data Warehouse
SQL Database supports server-level and database-level firewall rules (database-level rules are evaluated first)
SQL Data Warehouse supports server-level firewall only
Default deny (inbound)
Configure an SQL Database firewall (Cont.)
Explicit allow (inbound):
From internet: based on a source IP address range
From Azure: all connections
From Azure virtual networks: based on virtual network service endpoints from individual subnets
Implementing an SQL Database firewall:
Involves creating one or more allow rules
Supports creation of server-level rules from the Azure portal
The platform provides the Add client IP feature
Requires the use of T-SQL for database-level rules
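The T-SQL the slide refers to, as an added example that is not part of the course material: a server-level rule set from master, a narrower database-level rule set inside the user database, a check of the resulting rule sets, and clean-up. Rule names and IP ranges are constructed placeholders.

```sql
-- Server-level rule: run while connected to the master database.
-- It applies to every database on the logical server, so keep the range tight.
-- 'CorpOfficeEgress' and 203.0.113.10-20 are constructed placeholders.
EXECUTE sp_set_firewall_rule
    @name = N'CorpOfficeEgress',
    @start_ip_address = '203.0.113.10',
    @end_ip_address   = '203.0.113.20';

-- Database-level rule: run while connected to the user database itself.
-- Database-level rules are evaluated before server-level rules and only
-- expose this one database, which is the least-privilege option.
-- 'PayrollAppHost' and 198.51.100.5 are constructed placeholders.
EXECUTE sp_set_database_firewall_rule
    @name = N'PayrollAppHost',
    @start_ip_address = '198.51.100.5',
    @end_ip_address   = '198.51.100.5';

-- Audit what is currently allowed rather than only adding rules.
-- A rule whose start and end address are both 0.0.0.0 is the broad
-- "allow all Azure services" setting from the previous slide; treat its
-- presence as a finding to review, not a default to keep.
SELECT name, start_ip_address, end_ip_address, create_date, modify_date
FROM sys.firewall_rules;            -- server-level rules (query from master)

SELECT name, start_ip_address, end_ip_address, create_date, modify_date
FROM sys.database_firewall_rules;   -- database-level rules (query from the user database)

-- Remove a rule once the client no longer needs access.
EXECUTE sp_delete_database_firewall_rule @name = N'PayrollAppHost';
```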
Enable database authentication and authorization
SQL Database authentication
Supports two types of authentication:
SQL authentication: based on a locally stored username and password
Azure Active Directory authentication: based on Azure AD credentials
Supports two types of users:
Users defined in the master database, referenced in user databases
Users defined directly in user databases (contained database users)
Enable database authentication and authorization (Cont.)
Continuous Monitoring (CM) with Azure Monitor is a new follow-up concept where you can incorporate monitoring across each phase of your DevOps and IT Ops cycles.
Configure synthetic security transactions
Primary characteristics of synthetic transactions:
Represent the capability to check an application’s availability across a network
Are automated and self-contained
Simulate user transactions