
AZ-500: Azure Security Engineer
Module 03: Secure data and applications
Module agenda
 Configure security policies to manage data
 Configure security for data infrastructure
 Configure encryption for data at rest
 Understand application security
 Implement security for application lifecycle
 Secure applications
Lesson 1: Configure security policies to manage data
Configure data classification
Primary characteristics of data classification:
 Facilitates storage optimization, identifies risks associated with
data, and helps compliance
 Applies equally regardless of:
 Data state: at rest, in process, and in transit
 Data format: structured and unstructured
Configure data classification (Cont.)
Implementing data classification in Azure SQL Database:
 Available as part of Advanced Data Security offering 
 Data discovery and classification
 Configurable via the Azure portal
 Provides a set of capabilities forming SQL Information Protection:
 Discovery and recommendations
 Labeling
 Query result set sensitivity
 Visibility
Configure data retention
Primary characteristics of data retention:
 Dictates data recovery and disposal rules
 Relates closely to data classification
 Addresses regulatory, compliance, and corporate legal
requirements
Configure data retention (Cont.)
Implementing data retention for Azure Blob storage:
 Relies on immutable storage: write once, read many (WORM)
 Offers support for:
 Time-based retention policies
 Legal-hold policies
 All blob tiers: hot, cool, and archive
 Container-level configuration
 Audit logging
Configure data sovereignty
Primary characteristics of data sovereignty:
 Facilitates compliance with laws of the country (or region) where data is located
 Prevents storing data in a foreign country
 Typically includes provisions for data durability and resiliency
Configure data sovereignty (Cont.)
Implementing data sovereignty based on Azure regions:
 Relies on paired regions: each region is paired with another within the same geography (*)
 Offers a range of benefits:
 Physical isolation
 Platform-provided replication
 Region recovery order
 Sequential updates
 Data residency
 Reflects Microsoft commitment to compliance
(*) Except for Brazil South, which is paired with South Central US in a different geography
Lesson 2: Configure security for data infrastructure
Configure an SQL Database firewall
Primary characteristics of an SQL Database firewall:
 Supports SQL Database and Azure SQL Data Warehouse
 SQL Database supports server-level and database-level firewall rules (database-level rules are evaluated first; a connection that matches neither level is refused)
 SQL Data Warehouse supports server-level firewall rules only
 Default deny (inbound)
Configure an SQL Database firewall (Cont.)
Explicit allow (inbound):
 From the internet: based on a source IP address range
 From Azure: all connections, when the Allow Azure services and resources to access this server setting is enabled (this admits traffic from any Azure subscription, not only yours, so treat it as a broad exception and rely on strong database authentication)
 From Azure virtual networks: based on virtual network service endpoints from individual subnets
Implementing an SQL Database firewall:
 Involves creating one or more allow rules
 Supports creation of server-level rules from the Azure portal
 The platform provides the Add client IP feature
 Requires the use of T-SQL for database-level rules
Enable database authentication and authorization
SQL Database authentication
 Supports two types of authentication:
 SQL authentication: based on a username and password stored in the database
 Azure AD authentication: based on Azure AD credentials
 Supports two types of users:
 Users defined in the master database (logins), referenced in user databases
 Users defined directly in user databases (contained database users)
Enable database authentication and authorization (Cont.)
Azure Cosmos DB authorization:
 Supports authorization based on master keys, resource tokens, and users
 Users are resources representing custom permissions to database resources
 The master key is used to create user resources (it grants full access to the account, so it belongs in a trusted middle tier, never in client code)
 Resource tokens represent the permissions associated with user resources and are what the middle tier hands to clients
Enable Azure AD authentication for SQL Database
1. Create a new or identify an existing Azure AD user to designate as the Azure SQL Database server administrator
 In hybrid scenarios, the account should be sourced in Active Directory
2. If needed, associate the Azure subscription hosting SQL Database
with Azure AD tenant
3. Create an Azure AD administrator for the SQL Database server,
Azure SQL Managed Instance, or SQL Data Warehouse
4. Configure client computers
5. Create contained database users mapped to Azure AD identities
6. Connect to the database by using Azure AD identities
Enable Azure AD authentication for SQL Database (Cont.)
Enable database auditing
Primary characteristics of Azure SQL Database auditing:
 Facilitates tracking of designated events, reporting on database
activities, and event analysis
 Is configurable via server and database audit policies
Implementing database auditing:
 Enable a server policy to audit all existing and newly created
databases
Enable database auditing (Cont.)
Enable a database policy to audit individual databases to:
 Configure a different storage account or retention period for a
specific database
 Audit event types or categories for a specific database that differs
from the other databases on the server
You can use the Azure portal to:
 Enable and disable server and database level policies
 Configure audit log destinations (Azure Storage, Azure Log Analytics, Azure Event Hubs) and the retention period (Storage only)
You must use Azure PowerShell or the REST API to customize audited events
Configure SQL Database threat detection
Primary characteristics of SQL Database threat detection: 
 Helps detect and respond to suspicious database activities,
potential vulnerabilities, cyber attacks, and anomalous access
patterns
 Integrates with Azure Security Center
 Assists with investigating and mitigating threats
 Is available as part of the Advanced Data Security offering, which includes:
 Data discovery and classification
 Vulnerability assessment
 Threat detection
Configure SQL Database threat detection (Cont.)
Implementing SQL Database threat detection:
 Enable Advanced Data Security on a per-server or database level
 Designate a storage account for saving vulnerability assessment
scan results
 Configure recurring scans
 Specify email addresses that will receive scan results
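Threat detection performs this kind of analysis for you; seeing the logic spelled out makes its alerts easier to tune. The Python below is an added example written for this page, not part of the module, of Advanced Data Security, or of any Microsoft tool. It runs over constructed SQL Database audit records in the shape of the AzureDiagnostics table that auditing writes to Log Analytics (the field names action_name_s, succeeded_s, client_ip_s, server_principal_name_s and event_time_t are assumed from that table; every value is invented) and flags two of the anomalous access patterns the module mentions: a burst of failed logins from one client IP, and a success from an IP that had just been failing repeatedly.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED = "DATABASE AUTHENTICATION FAILED"        # SQL audit action name for a failed login
SUCCEEDED = "DATABASE AUTHENTICATION SUCCEEDED"  # ... and for a successful one


def rec(time, action, ip, principal):
    """Build one record in the AzureDiagnostics shape used by SQL auditing in
    Log Analytics (field names assumed; all values are constructed)."""
    return {"event_time_t": time, "action_name_s": action,
            "succeeded_s": "true" if action == SUCCEEDED else "false",
            "client_ip_s": ip, "server_principal_name_s": principal}


# Constructed sample: a burst of failures from one internet address that ends
# in a success, plus ordinary traffic from an application subnet.
AUDIT_RECORDS = [
    rec("2019-03-10T02:00:01Z", FAILED, "203.0.113.7", "sqladmin"),
    rec("2019-03-10T02:00:20Z", FAILED, "203.0.113.7", "sqladmin"),
    rec("2019-03-10T02:00:41Z", FAILED, "203.0.113.7", "sqladmin"),
    rec("2019-03-10T02:01:02Z", FAILED, "203.0.113.7", "sqladmin"),
    rec("2019-03-10T02:01:25Z", FAILED, "203.0.113.7", "sqladmin"),
    rec("2019-03-10T02:01:50Z", FAILED, "203.0.113.7", "sqladmin"),
    rec("2019-03-10T02:02:30Z", SUCCEEDED, "203.0.113.7", "sqladmin"),
    rec("2019-03-10T09:15:00Z", SUCCEEDED, "10.0.1.4", "appuser"),
    rec("2019-03-10T09:16:00Z", FAILED, "10.0.1.4", "appuser"),
    rec("2019-03-10T09:17:00Z", SUCCEEDED, "10.0.1.4", "appuser"),
    rec("2019-03-10T11:00:00Z", FAILED, "198.51.100.9", "reporting"),
]


def _ts(record):
    return datetime.strptime(record["event_time_t"], "%Y-%m-%dT%H:%M:%SZ")


def detect(records, threshold=5, window=timedelta(minutes=5)):
    """Scan audit records in time order and return a list of alerts.

    failed_login_burst: at least `threshold` failed logins from one client IP
    inside a sliding `window` (reported once per burst).
    success_after_failures: a successful login from an IP that had `threshold`
    or more failures in the window, i.e. a guess that eventually worked.
    """
    failures = defaultdict(list)   # client IP -> timestamps of recent failures
    alerted = set()                # IPs already reported for the current burst
    alerts = []
    for r in sorted(records, key=_ts):
        ip, t = r["client_ip_s"], _ts(r)
        recent = [f for f in failures[ip] if t - f <= window]   # slide the window
        if r["action_name_s"] == FAILED:
            recent.append(t)
            if len(recent) >= threshold and ip not in alerted:
                alerts.append({"rule": "failed_login_burst", "client_ip": ip,
                               "count": len(recent), "at": r["event_time_t"]})
                alerted.add(ip)
        elif r["action_name_s"] == SUCCEEDED:
            if len(recent) >= threshold:
                alerts.append({"rule": "success_after_failures", "client_ip": ip,
                               "principal": r["server_principal_name_s"],
                               "preceding_failures": len(recent), "at": r["event_time_t"]})
            recent = []            # a success closes the burst
            alerted.discard(ip)
        failures[ip] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect(AUDIT_RECORDS):
        print(alert)
```

On the sample data the burst alert fires at the fifth failure and the second alert fires on the success that follows six failures; the single failure from the application subnet and the lone failure from the reporting host stay below the threshold. Raising `threshold` or shrinking `window` is the tuning knob a real deployment would expose.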
Configure access control for storage accounts
Azure storage accounts access controls:
 Azure AD–based authentication and authorization (in preview as of March 2019)
 Storage access key–based authorization
 SAS–based authorization
 Anonymous access (blobs and containers only)
Configure key management for storage accounts
 Regenerating storage access keys periodically is a recommended security practice
 If an SQL Database audit policy writes to the storage account, the policy must be updated during rotation so that it never references a key that has just been regenerated:
1. Modify the policy to use the secondary key
2. Regenerate the primary key
3. Modify the policy to use the primary key
4. Regenerate the secondary key
Create and manage Shared access signatures
Primary characteristics of Shared Access Signatures (SAS):
 Represent URIs of target storage resources carrying a token signed with HMAC-SHA256 under a storage account key; the key itself never leaves the owner, and a leaked token stays valid until it expires or the signing key is regenerated
 Supports two types of access:
 Service SAS: access to resources within a single storage service only (Blob, Queue, Table, or File)
 Account SAS: access to resources within one or more storage services
Create and manage SASs (Cont.)
Provides granular access to storage account resources, based on such criteria as:
 Validity period, including the start and expiration times
 Set of permissions
 IP address range designating the origin of the access request
 Protocol (HTTP or HTTPS)
Implementing SAS-based scenarios:
 Front End Proxy Service: all traffic flows through a proxy that authenticates clients and forwards requests to storage (full control, but the proxy must scale with the data)
 SAS Provider Service: a lightweight service authenticates clients and issues narrowly scoped SAS tokens, after which clients talk to storage directly
Create and manage SASs
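To make the signing and the service-side checks concrete, the Python below is an added example written for this page, not code from the module or from the Azure Storage SDK. It issues a service SAS for one blob, the way a SAS provider service would, and then emulates the checks the storage service applies to a request carrying it: signature, protocol, validity window, source IP range and permission set. The string-to-sign layout is the one documented for service version 2018-03-28; the account name contoso, the key, the container and blob names and the IP addresses are all constructed. Verify the field order against the REST reference before relying on it for a newer service version.

```python
import base64
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlencode, urlparse

SERVICE_VERSION = "2018-03-28"   # string-to-sign layout assumed for this version
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # SAS times are UTC; naive datetimes are treated as UTC here

# Constructed account key for the example; a real key is 64 random bytes, base64-encoded.
DEMO_ACCOUNT = "contoso"
DEMO_KEY = base64.b64encode(b"\x01" * 64).decode()


def _sign(key_b64, string_to_sign):
    """HMAC-SHA256 over the string-to-sign, keyed with the decoded account key."""
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def _string_to_sign(account, container, blob, p):
    """Service SAS string-to-sign for a blob: fields in the documented order,
    the trailing five being response-header overrides that are unused here."""
    canonical = f"/blob/{account}/{container}/{blob}"
    return "\n".join([p.get("sp", ""), p.get("st", ""), p.get("se", ""), canonical,
                      p.get("si", ""), p.get("sip", ""), p.get("spr", ""), p.get("sv", ""),
                      "", "", "", "", ""])


def make_blob_sas(account, key_b64, container, blob, permissions, start, expiry,
                  ip_range=None, protocol="https"):
    """Issue a service SAS URL scoped to one blob. Permissions, validity window,
    optional source IP range and required protocol are all covered by the signature."""
    params = {"sv": SERVICE_VERSION, "sr": "b", "sp": permissions,
              "st": start.strftime(TIME_FMT), "se": expiry.strftime(TIME_FMT), "spr": protocol}
    if ip_range:
        params["sip"] = ip_range
    params["sig"] = _sign(key_b64, _string_to_sign(account, container, blob, params))
    return f"https://{account}.blob.core.windows.net/{container}/{blob}?{urlencode(params)}"


def _ip_allowed(client_ip, sip):
    low, _, high = sip.partition("-")
    return ipaddress.ip_address(low) <= ipaddress.ip_address(client_ip) <= ipaddress.ip_address(high or low)


def check_sas(url, key_b64, now, client_ip, permission, scheme_used="https"):
    """Emulate the checks the storage service applies to a SAS request.
    Returns (accepted, reason)."""
    u = urlparse(url)
    account = u.netloc.split(".")[0]
    container, blob = u.path.lstrip("/").split("/", 1)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    # 1. the signature must verify, so no field of the token can be altered
    expected = _sign(key_b64, _string_to_sign(account, container, blob, q))
    if not hmac.compare_digest(expected, q.get("sig", "")):
        return False, "bad signature"
    # 2. protocol restriction (spr=https rejects plain HTTP)
    if q.get("spr") == "https" and scheme_used != "https":
        return False, "https required"
    # 3. validity window: start inclusive, expiry exclusive
    if not (datetime.strptime(q["st"], TIME_FMT) <= now < datetime.strptime(q["se"], TIME_FMT)):
        return False, "outside validity window"
    # 4. source IP range, if the token carries one
    if "sip" in q and not _ip_allowed(client_ip, q["sip"]):
        return False, "client ip not allowed"
    # 5. the requested operation must be in the granted permission set
    if permission not in q.get("sp", ""):
        return False, "permission not granted"
    return True, "ok"


def demo():
    """Issue a one-hour read-only SAS for one blob, restricted to one /24, and
    replay it under several conditions. Returns a list of (case, accepted, reason)."""
    start = datetime(2019, 3, 1, 12, 0, 0)
    url = make_blob_sas(DEMO_ACCOUNT, DEMO_KEY, "reports", "q1.pdf", "r",
                        start, start + timedelta(hours=1), ip_range="203.0.113.0-203.0.113.255")
    during, later = start + timedelta(minutes=30), start + timedelta(hours=2)
    cases = [
        ("valid read", url, during, "203.0.113.10", "r", "https"),
        ("expired", url, later, "203.0.113.10", "r", "https"),
        ("wrong source ip", url, during, "198.51.100.1", "r", "https"),
        ("write with read-only token", url, during, "203.0.113.10", "w", "https"),
        ("permissions tampered", url.replace("sp=r&", "sp=rw&"), during, "203.0.113.10", "w", "https"),
        ("plain http", url, during, "203.0.113.10", "r", "http"),
    ]
    return [(name,) + check_sas(u, DEMO_KEY, now, ip, perm, scheme)
            for name, u, now, ip, perm, scheme in cases]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The tampering case is the one worth remembering: widening `sp=r` to `sp=rw` in the URL changes the string-to-sign, so the signature no longer verifies and the request is refused before any permission logic runs. Only the holder of the account key can mint a token with different scope.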
Configure security for Azure HDInsight
 Perimeter security:
 Network Security Groups
 Virtual network
 Azure VPN Gateway
 Authentication:
 Azure AD DS
 On-premises Active Directory
 Authorization:
 RBAC
 Hive policies
 Data security:
 Encryption at rest
Configure security for Azure HDInsight
Configure security for Cosmos DB
 Perimeter protection:
 Regular scanning and penetration-testing of Cosmos DB ports
 Azure DDoS
 IP firewall protection
 Virtual network security:
 Virtual network service endpoints
 Network Security Groups
 Key-based access control:
 Master key
 Read-only key
Configure security for Cosmos DB
Configure security for Azure Data Lake
 Management plane security:
 RBAC with Azure AD integration
 Data plane security:
 Built-in Storage Service Encryption
 RBAC with Azure AD integration
 Delegated access to data objects by using Shared Access
Signatures
 Flexible object-level permission assignments and inheritance:
 based on ACLs and POSIX-style model
 configurable via Hive, Spark, and Azure Storage Explorer
Lesson 3: Configure encryption for data at rest
Implement SQL Database Always Encrypted
Primary characteristics of SQL Database Always Encrypted:
 Protects data at rest, in transit, and in use: the database engine only ever handles ciphertext
 Ensures that plaintext is available only to client applications and application servers that hold the column master key, not to database administrators or the Azure platform
Implement SQL Database Always Encrypted:
 Use the Always Encrypted wizard in SSMS to create Always
Encrypted keys:
 Create a column master key
 Create a column encryption key
 Create a database table and encrypt columns
 Create an application that inserts, selects, and displays data from
the encrypted columns
Implement database encryption
Always Encrypted tasks and the tools that support them:

Task                                                                 | SSMS | PowerShell | T-SQL
---------------------------------------------------------------------+------+------------+------
Provision column master keys, column encryption keys, and encrypted  | Yes  | Yes        | No
column encryption keys with their corresponding column master keys   |      |            |
Create key metadata in the database                                  | Yes  | Yes        | Yes
Create new tables with encrypted columns                             | Yes  | Yes        | Yes
Encrypt existing data in                                             | Yes  | Yes        | No

T-SQL cannot provision keys or encrypt existing data because those operations need the column master key, which is only ever available on the client side.
Implement Azure Storage Service Encryption
 Primary characteristics of Azure Storage Service Encryption (SSE):
 Applies automatically to all Azure Storage accounts and cannot be
disabled
 Encrypts on write and decrypts on read
 Supports all four storage services (Blob, Queue, Table, and Files)
 Supports both storage performance tiers (Standard and Premium)
 Supports both deployment models (Resource Manager and classic)
 Configuring SSE:
 By default, SSE uses Microsoft-managed keys
 Customers have the option to use their own keys stored in Azure Key Vault (customer-managed keys)
Implement Azure Disk Encryption
 Primary characteristics of Disk Encryption:
 Uses BitLocker on Windows VMs and dm-crypt on Linux VMs
 Provides encryption of the operating system and data disks
 Stores encryption keys in a customer-controlled Azure Key Vault
 Requires granting the Azure platform access to the key vault (the vault must be enabled for disk encryption)
 Implementing disk encryption:
 Azure Resource Manager templates
 PowerShell
 Azure CLI
Implement Azure Disk Encryption
Implement Azure Backup encryption
 Primary characteristics of Azure Backup:
 Supports Windows and Linux operating systems
 Can protect on-premises and cloud-resident workloads
 Allows for backup and recovery of files, folders, system state, and
applications
 Implementing Azure Backup encryption:
 For on-premises workloads, encryption is based on a customer-
provided passphrase
 For Azure VMs, encryption uses SSE
Lesson 4: Understand application security
Understand Azure application endpoints
 Azure AD supports application integration
 Integration requires registering an application in Azure AD, including:
 Application type:
 Native
 Web app/API app
 Sign-in URL (for web app/API apps)
 Redirect URL (for native apps)
Understand Azure Web App for Containers
Primary characteristics of Azure Web App for Containers:
 Facilitates running Linux and Windows containers in the Web Apps
feature of Azure App Service
 Provides Web App features for Docker-based workloads
Understand Application Insights
Primary characteristics of Application Insights:
 Offers an extensible application performance monitoring (APM)
service to web developers
 Provides instrumentation and analytics
 Collects telemetry data including performance counters, Azure
diagnostics, and Docker logs
 Supports a wide variety of development platforms
Understand Application Insights (Cont.)
Application Insights operational model:
 Developers set up an Application Insights resource in their Azure
subscription
 Developers configure Application Insights–specific instrumentation
in their apps
 Instrumentation collects apps telemetry and sends it to the
Application Insights resource
 Developers can view and analyze information derived from
telemetry data in the Azure portal 
Understand API Management
 Primary characteristics of API Management (APIM):
 Facilitates publishing APIs to external, partner, and internal
developers
 Offers analytics, security, and authentication capabilities
 APIM operational model:
 APIM Administrator publishes APIs and offers their collections as
products
 APIM Administrator defines API usage policies
 Developers subscribe to products
 Developers call the operations of the APIs they have subscribed to
 Developer portal: the primary interface for developers using APIM
Understand API Management (Cont.)
APIM components:
 API gateway: the endpoint that accepts API calls, routes them to the backend services, enforces usage policies, provides API protection, and handles logging
 The Azure portal: the primary administrative interface for APIM
 Developer portal: the primary interface for developers using APIM
Understand certificates
Primary characteristics of certificates:
 Facilitate a wide range of cryptographic operations, such as:
 Authentication
 Encryption
 Rely on a signature that binds the public key to the subject's identity:
 Signed by a CA (recommended)
 Self-signed
Understand certificates (Cont.)
Creating certificates by using Key Vault:
 An admin for a CA provider creates credentials for use by the key
vault to enroll and renew certificates
 An app creates a key in a key vault
 The key vault sends a signing request to a CA
 CA responds to the request with a certificate
 The app polls for certificate request completion
Understand certificates
Understand security considerations for application lifecycle management solutions
Microsoft Security Development Lifecycle (SDL) introduces
security and privacy considerations throughout the whole
development process:
 Provides training - Developers, and team members, must know
how to build security into software and services to make products
more secure, while still addressing business needs and delivering
user value.
 Defines security requirements - Considering security and privacy
is a fundamental aspect of developing highly secure applications
and systems
Understand security considerations for application lifecycle management solutions (continued)
 Defines metrics and compliance reporting - It’s essential for an organization to define the minimum acceptable levels of security quality, and to hold engineering teams accountable to meeting that criteria.
 Performs threat modeling - Threat modeling should be used in environments where there is a meaningful security risk.
 Establishes design requirements - The SDL is typically thought of as assurance activities that help engineers implement more secure features, meaning the features are well engineered with respect to security.
Understand security considerations for application lifecycle management solutions (continued)
 Defines and uses cryptography standards – To protect data
from unintended disclosure or alteration when stored or in transit,
encryption is typically used to achieve this. It is a best practice to
develop clear encryption standards that provide specifics on
every element of the encryption implementation.
 Manages security risks from using non-Microsoft
components - When selecting which third-party components to
use, it’s important to understand the impact that a security
vulnerability in them could have to the security of the larger
system into which they are integrated.
Understand security considerations for application lifecycle management solutions (continued)
 Performs static analysis security testing - Static Analysis
Security Testing (SAST) is typically integrated into the commit
pipeline to identify vulnerabilities each time the software is built
or packaged.
 Performs dynamic analysis security testing - Similar to SAST,
there is no one-size-fits-all solution and while some tools (such as
web app scanning tools) can be more readily integrated into the
CI/CD pipeline, other Dynamic Application Security Testing
(DAST) such as fuzzing requires a different approach.
Understand security considerations for application lifecycle management solutions (continued)
 Performs penetration testing - The objective of a penetration test is to uncover potential vulnerabilities resulting from coding errors, system configuration faults, or other operational deployment weaknesses.
 Establishes a standard incident response system - Preparing an incident response plan is crucial for helping to address new threats that can emerge over time.
 Uses approved tools - Engineers should strive to use the latest version of approved tools (such as compiler versions), and to utilize new security analysis functionality and protections.
Threat Modeling: a core element of Microsoft’s SDL
There are five major threat modeling steps:
1. Defining security requirements.
2. Creating an application diagram.
3. Identifying threats.
4. Mitigating threats.
5. Validating that threats have been mitigated.
Threat modeling should be part of your routine development lifecycle, enabling you to progressively refine your threat model and further reduce risk.
Sample Threat Modeling Application Diagram
Microsoft’s Threat Modeling Tool
The Threat Modeling Tool enables any developer or software architect
to:
• Communicate about the security design of their systems. 
• Analyze those designs for potential security issues using a proven
methodology. 
• Suggest and manage mitigations for security issues. 

The Microsoft Threat Modeling Tool 2018 was released as GA in September 2018 as a free click-to-download.
Implement security validations for application development
DevOps practices offer an innovative approach to security
Securing applications is a continuous process that encompasses:
• Secure infrastructure
• Architectural design with layered security
• Continuous security validation
• Monitoring for attacks
This switches the conversation with the security team from approving each release to approving the CI/CD process and having the ability to monitor and audit the process at any time.
Implement security validations for application development
The key validation points in the Continuous Integration/Continuous Delivery (CI/CD) pipeline for a greenfield application
Implement security validations for application development with Continuous Monitoring
Continuous Monitoring (CM) with Azure Monitor is a new follow-up concept where you can incorporate monitoring across each phase of your DevOps and IT Ops cycles.
Configure synthetic security transactions
Primary characteristics of synthetic transactions:
 Represent the capability to check an application’s availability across a network
 Are automated and self-contained
 Simulate user transactions
Implementing synthetic user monitoring:
 Requires authoring test clients that simulate user actions
 Performs a configurable but typical series of operations
 Facilitates load testing by using multiple instances of the test client
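The Python below is an added example written for this page, not code from the module or from Application Insights availability tests. It stands up a tiny constructed web app on loopback, defines a user journey as a configurable list of steps, runs it as a synthetic transaction that fails on the first unexpected status or blown latency budget, and then runs several instances concurrently as a small load test. The journey also expects a 401 from the orders endpoint before login, so the availability probe doubles as a check that the authentication requirement has not regressed. All endpoints, tokens and journeys are invented for the example.

```python
import json
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

DEMO_TOKEN = "demo-token"   # constructed bearer token issued by the stand-in app


class DemoApp(BaseHTTPRequestHandler):
    """Stand-in for the application under test (constructed for this example):
    /health is public, /login issues a token, /orders requires it."""

    def do_GET(self):
        if self.path == "/health":
            self._reply(200, {"status": "ok"})
        elif self.path == "/orders":
            if self.headers.get("Authorization") == f"Bearer {DEMO_TOKEN}":
                self._reply(200, {"orders": [101, 102]})
            else:
                self._reply(401, {"error": "unauthorized"})
        else:
            self._reply(404, {"error": "not found"})

    def do_POST(self):
        if self.path == "/login":
            self._reply(200, {"token": DEMO_TOKEN})
        else:
            self._reply(404, {"error": "not found"})

    def _reply(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):   # keep the monitor's own output readable
        pass


def start_demo_app():
    """Serve DemoApp on a free loopback port in a daemon thread; returns (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), DemoApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


# A journey is a configurable series of (step name, method, path, expected status).
# Expecting 401 before login makes the probe a security check as well: if /orders
# ever answers 200 without a token, the transaction fails.
LOGIN_JOURNEY = [
    ("health", "GET", "/health", 200),
    ("orders-without-token", "GET", "/orders", 401),
    ("login", "POST", "/login", 200),
    ("orders", "GET", "/orders", 200),
]


def run_transaction(base_url, steps, latency_budget_s=1.0):
    """Execute one synthetic user transaction; stops at the first failing step."""
    token, results, success = None, [], True
    for name, method, path, expected in steps:
        req = Request(base_url + path, method=method, data=b"" if method == "POST" else None)
        if token:
            req.add_header("Authorization", f"Bearer {token}")
        started = time.perf_counter()
        try:
            with urlopen(req, timeout=5) as resp:
                status, body = resp.status, json.loads(resp.read() or b"{}")
        except HTTPError as err:
            status, body = err.code, {}
        except URLError:
            status, body = None, {}          # connection refused, DNS failure, timeout
        elapsed = time.perf_counter() - started
        ok = status == expected and elapsed <= latency_budget_s
        results.append({"step": name, "status": status, "latency_s": round(elapsed, 4), "ok": ok})
        if not ok:
            success = False
            break
        token = body.get("token", token)     # carry the session token forward
    return {"success": success, "steps": results,
            "latency_s": sum(s["latency_s"] for s in results)}


def run_synthetic_monitor(base_url, steps, instances=5, latency_budget_s=1.0):
    """Run `instances` copies of the transaction concurrently (a small load test)
    and summarise availability and worst-case latency."""
    with ThreadPoolExecutor(max_workers=instances) as pool:
        runs = list(pool.map(lambda _: run_transaction(base_url, steps, latency_budget_s),
                             range(instances)))
    return {"instances": instances,
            "availability": sum(r["success"] for r in runs) / instances,
            "max_latency_s": max(r["latency_s"] for r in runs),
            "runs": runs}


if __name__ == "__main__":
    server, base = start_demo_app()
    print(json.dumps(run_synthetic_monitor(base, LOGIN_JOURNEY), indent=2))
    server.shutdown()
```

Pointing `run_synthetic_monitor` at a real deployment means replacing `start_demo_app` with the application's URL and writing the journey against its endpoints; the per-step status and latency records are what you would forward to Application Insights or Azure Monitor as the availability signal.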
Lesson 5: Secure applications
Configure SSL/TLS certificates
Primary characteristics of certificates assigned to Azure services:
 X.509 v3 format
 Signed by a trusted CA, or self-signed (development and testing only, since clients will not trust them)
 Subject name matches the fully qualified domain name (FQDN) of the target service:
 FQDN must include a custom domain name
 Minimum 2048-bit RSA key
Implementing self-signed certificates:
 Windows: New-SelfSignedCertificate (replaces the deprecated makecert.exe)
 Linux: openssl, for example openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365 (ssh-keygen produces SSH key pairs, not X.509 certificates)
Configure Managed Service Identity for app services
Primary characteristics of managed service identity:
 Represents an Azure AD identity
 Is platform-managed (the credential is rotated by Azure, so no secret needs to be stored in code or configuration)
 Facilitates authentication by applications that Azure services are hosting
Supports two types of identities:
 System-assigned: an identity created with, and deleted with, a specific Azure resource
 User-assigned: a standalone identity that can be associated with multiple Azure resources
Configure Managed Service Identity for app services (Cont.)
Implementing managed service identity:
 Azure portal: directly from the blade of the target Azure service
 Azure PowerShell
 Azure CLI
 REST API
Implement PaaS firewall rules
Primary characteristics of Platform as a Service (PaaS) firewall:
 Supports several Azure PaaS services, including Azure Storage
 Default allow (all networks) until the service is switched to selected networks, after which only the listed IP ranges and subnets are accepted
 Operates on the network level (proper authorization to the target service is still required)
Configuring PaaS firewall:
 To restrict traffic from the internet:
 Specify one or more IP address ranges from which traffic will be
allowed
Implement PaaS firewall rules (Cont.)
To allow traffic from specific subnets of virtual networks only:
 On virtual network subnets, create virtual network service
endpoints
 On the PaaS firewall, specify subnets of virtual networks  
Configure Azure Application Security Groups
Primary characteristics of Application Security Group (ASG):
 Serve as an extension to Network Security Group (NSG)
 Eliminate the need to reference IP address ranges in NSGs
 Allow grouping of Azure VMs based on their workload,
regardless of their IP address
 Are assigned to network interface cards (NICs) of Azure VMs
ASG constraints:
 All NICs associated with the same ASG must be connected to the same virtual network
 You can’t specify multiple ASGs as the source and/or destination of an NSG rule
Configure Azure Application Security Groups
 NIC1 and NIC2 are members of
the AsgWeb application security
group.
 NIC3 is a member of the AsgLogic
application security group.
 NIC4 is a member of the AsgDb
application security group.
 None of the network interfaces
have an associated network
security group.
 NSG1 is associated to both
subnets.
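Working the scenario above out by hand is error-prone, so the Python below is an added example written for this page, not code from the module or from Azure. It models NSG1 as a list of inbound rules (a constructed rule set modelled on the three-tier pattern: internet to AsgWeb on 80 and 443, AsgLogic to AsgDb on 1433, deny everything else to AsgDb on 1433, plus the default inbound rules every NSG carries) and decides flows by NIC membership in the ASGs rather than by IP address, in priority order with the first match winning. The NIC and ASG names are those of the scenario; the rules, ports and evaluation engine are assumptions made for the example.

```python
from dataclasses import dataclass

# ASG membership by network interface, taken from the scenario above. NSG1 is
# associated to both subnets, so every NIC is evaluated against the same rules.
ASG_MEMBERSHIP = {"NIC1": {"AsgWeb"}, "NIC2": {"AsgWeb"}, "NIC3": {"AsgLogic"}, "NIC4": {"AsgDb"}}


@dataclass(frozen=True)
class Rule:
    """One inbound NSG rule. source/destination take "*", "Internet",
    "AzureLoadBalancer", "VirtualNetwork" or a single ASG name (an NSG rule
    cannot name more than one ASG per side). dest_ports is "*", a list such
    as "80,443", or a range such as "1024-65535"."""
    name: str
    priority: int      # lower number wins; custom rules 100-4096, defaults 65000+
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str
    destination: str
    dest_ports: str


# Constructed rule set (an assumption for this example, not read from Azure):
# three custom rules plus the default inbound rules every NSG carries.
RULES = [
    Rule("Allow-HTTP-Inbound-Internet", 100, "Allow", "Tcp", "Internet", "AsgWeb", "80,443"),
    Rule("Allow-Database-BusinessLogic", 110, "Allow", "Tcp", "AsgLogic", "AsgDb", "1433"),
    Rule("Deny-Database-All", 120, "Deny", "*", "*", "AsgDb", "1433"),
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", "*"),
]


def _port_matches(spec, port):
    if spec == "*":
        return True
    for part in spec.split(","):
        low, _, high = part.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def _endpoint_matches(selector, endpoint):
    """endpoint is a NIC name inside the virtual network, or the tag "Internet"
    or "AzureLoadBalancer" for traffic that originates outside it."""
    if selector == "*":
        return True
    if selector in ("Internet", "AzureLoadBalancer"):
        return endpoint == selector
    if selector == "VirtualNetwork":
        return endpoint in ASG_MEMBERSHIP
    return selector in ASG_MEMBERSHIP.get(endpoint, set())   # ASG: membership, not IP


def evaluate(rules, source, destination, port, protocol="Tcp"):
    """Decide an inbound flow: rules are tried in priority order and the first
    match wins. Returns (access, rule name); DenyAllInBound guarantees a match."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if not _port_matches(rule.dest_ports, port):
            continue
        if _endpoint_matches(rule.source, source) and _endpoint_matches(rule.destination, destination):
            return rule.access, rule.name
    return "Deny", "no matching rule"


if __name__ == "__main__":
    for src, dst, port in [("Internet", "NIC1", 443), ("Internet", "NIC4", 1433),
                           ("NIC3", "NIC4", 1433), ("NIC1", "NIC4", 1433)]:
        print(src, "->", dst, port, evaluate(RULES, src, dst, port))
```

The case to notice is the web tier reaching the database: with the explicit Deny-Database-All rule at priority 120 the flow from NIC1 to NIC4 on 1433 is refused, but drop that rule and the default AllowVnetInBound rule at 65000 lets it through. Deny rules between tiers are what make the ASG grouping enforce least privilege inside the virtual network.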
Configure Azure Front Door to protect web apps
Primary characteristics of Azure Front Door (AFD) Service:
 Facilitates defining, managing, and monitoring global routing for
traffic targeting web apps
 Operates at layer 7 of the OSI model (HTTP/HTTPS)
 Uses anycast with split TCP and the Microsoft global network to
optimize performance and reliability
Implementing AFD for web apps:
 Create an AFD instance
 Add application backend and backend pools
 Add routing rules
Module 3 Labs
Connect to GitHub - http://github.com/MicrosoftLearning/AZ-500-Azure-Security
Enter the Instruction/Labs folder.
Enter the Module 3 folder.
© Copyright Microsoft Corporation. All rights reserved.
