while (1): study();
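3. Security, Privacy, Compliance and Trust
* This content was written after taking Adam Marczak's Azure fundamentals course. It takes a long time to go through, but it is well organized with diagrams and hands-on exercises, so I recommend taking the course yourself.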
https://www.youtube.com/c/Azure4Everyone/playlists
1. Azure Security Groups
1) Network Security Groups (NSG)
- filtering controlled by rules
* rules
specifying
1) Source/Destination IP
2) Protocol
3) Port
4) Direction (Inbound, Outbound)
+ Priority
2) Application Security Groups (ASG)
- grouping of VMs
- reduce the maintenance effort (assign ASG instead of explicit IP)
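How the rule fields above interact, as an added example (not from the course or from Azure's own code): rules are checked in priority order, lowest number first, and the first match decides. The ASG names, IP addresses and rule set are constructed for illustration, and the 10.0.0.0/16 range stands in for the VirtualNetwork service tag.

```python
import ipaddress
from dataclasses import dataclass

# Constructed ASG membership: group name -> private IPs of member VMs.
ASG_MEMBERS = {"asg-web": {"10.0.1.4", "10.0.1.5"}, "asg-db": {"10.0.2.4"}}

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first
    direction: str     # "Inbound" or "Outbound"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, "*" or an ASG name
    destination: str   # CIDR, "*" or an ASG name
    port: str          # "443", "1000-2000" or "*"
    access: str        # "Allow" or "Deny"

def _addr_match(spec, ip):
    if spec == "*":
        return True
    if spec in ASG_MEMBERS:                      # ASG instead of explicit IPs
        return ip in ASG_MEMBERS[spec]
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def _port_match(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, direction, protocol, src, dst, port):
    """Return (access, rule name) of the first matching rule in priority order."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == direction and r.protocol in ("*", protocol)
                and _addr_match(r.source, src) and _addr_match(r.destination, dst)
                and _port_match(r.port, port)):
            return r.access, r.name
    return "Deny", "no-match"   # this model denies when no rule matches at all

# Constructed rule set. The last two entries mirror the default inbound rules
# AllowVnetInBound (65000) and DenyAllInBound (65500).
RULES = [
    Rule("allow-https-to-web", 100, "Inbound", "Tcp", "*", "asg-web", "443", "Allow"),
    Rule("allow-sql-from-web", 110, "Inbound", "Tcp", "asg-web", "asg-db", "1433", "Allow"),
    Rule("deny-vnet-to-db", 200, "Inbound", "*", "10.0.0.0/16", "asg-db", "*", "Deny"),
    Rule("AllowVnetInBound", 65000, "Inbound", "*", "10.0.0.0/16", "10.0.0.0/16", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "Inbound", "*", "*", "*", "*", "Deny"),
]
```

Adding a VM to asg-web changes only ASG_MEMBERS; none of the rules need editing, which is the maintenance saving noted above.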
2. User-Defined Routes (UDR)
- override Azure default routing or add new routes
- managed via Azure Route Table
- can only be associated w. Virtual Network Subnet
3. Azure Firewall
- Managed, cloud-based firewall service
- high availability & scalability
- support for FQDN (Fully Qualified Domain Name)
4. Azure DDoS Protection
* DDoS: Distributed Denial of Service; a single attacking server would simply get blocked, so the attack is carried out from many machines
- Basic: auto
- Standard: additional mitigation & monitoring
5. Identity Services
* Identity, Authentication, Authorization
1) Identity: The fact of being something or someone
2) Authentication: The process for verification of identity
3) Authorization: Ensuring that only authenticated identities get access to the resources for which they have been granted access
Azure Active Directory (AD)
- Identity & Access management
- syncs w. on-premises
* Multi-Factor Authentication ex) ID/Password + SMS code
- types
1) Knowledge: password, pin
2) Possession: phone, token, card, key
3) Physical Characteristic: fingerprint, voice, face, eye iris
4) Location: GPS location
- default for Azure AD
6. Azure Security Center
- Natively embedded
- Integrated w. Azure Advisor
- tiers: Free & Paid
7. Azure Key Vault
- Securing sensitive information (Keys, Secrets, Certificates) -> Centralization: easier to manage
- Highly integrated w. other Azure services
- Access monitoring and logging
8. Azure Role-based Access Control (RBAC)
- Authorization system on Azure Resource Manager (ARM)
* Roles(What): A collection of actions
Security Principal(Who): Azure object that can be assigned to a role
Scope(When): hierarchical
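How the three parts combine, as an added example (not from the course or Azure's own implementation): a role assignment ties a security principal to a role at a scope, and the grant is inherited by everything below that scope. The role definitions are simplified and constructed, and the principals, subscription ID and resource names are placeholders.

```python
from fnmatch import fnmatchcase

# Constructed, simplified role definitions: a role is a collection of actions.
ROLES = {
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "VM Operator (hypothetical)": {
        "actions": ["Microsoft.Compute/virtualMachines/*"],
        "not_actions": ["Microsoft.Compute/virtualMachines/delete"],
    },
}

# Constructed placeholder scopes: subscription > resource group > resource.
SUB = "/subscriptions/sub-0000"
RG = SUB + "/resourceGroups/rg-app"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"

# Role assignment = (security principal, role, scope).
ASSIGNMENTS = [
    ("alice", "Reader", SUB),
    ("alice", "VM Operator (hypothetical)", RG),
    ("bob", "Reader", RG),
]

def in_scope(assigned_scope, resource):
    """A scope covers itself and everything below it in the hierarchy."""
    a, r = assigned_scope.lower().rstrip("/"), resource.lower().rstrip("/")
    return r == a or r.startswith(a + "/")   # "/" stops rg-app matching rg-app2

def role_permits(role, action):
    d = ROLES[role]
    hit = lambda pats: any(fnmatchcase(action.lower(), p.lower()) for p in pats)
    return hit(d["actions"]) and not hit(d["not_actions"])

def is_authorized(principal, action, resource, assignments=ASSIGNMENTS):
    """Grants are additive: one inherited assignment that permits is enough."""
    return any(
        who == principal and in_scope(scope, resource) and role_permits(role, action)
        for who, role, scope in assignments
    )
```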
9. Azure Resource Locks
- prevent accidental deletion(DELETE) or modification(READ-ONLY)
- conjunction w. RBAC
- hierarchical (management group X)
- owner & user access administrator can manage locks.
10. Azure Resource Tags
- Name(unique): Key
- Strategy
1) Functional
2) Classification
3) Finance/Accounting
4) Partnership
- Not inherited(Management group X)
11. Azure Policy
* RBAC: focusing on Users <-> Policy: focusing on Resources
- Policy definition: what should happen
- Policy initiative: a group of policy definitions
- Policy assignment: to a scope, allow for exclusions of scopes
12. Azure Blueprints
- Package of Azure Components (artifacts)
1) Resource groups
2) ARM templates
3) Policy assignments
4) Role assignments
13. Cloud Adoption Framework
1. Strategy
1. motivations(Why move?): migration and/or innovation
2. business outcomes(What to measure?)
3. business justification(What is my return on investment?): validate w. financial model
1) Azure TCO calculator
2) Azure Pricing calculator
3) Azure Cost management
4. First project: by business criteria, technical criteria
2. Plan
1. Digital estate
* 5R's of Rationalization
1) Rehost: move to IaaS
2) Refactor: small code change (to PaaS)
3) Rearchitect: complex code change
4) Rebuild: new app
5) Replace: replace w. SaaS
2. Initial Organization Alignment
3. Skills Readiness Plan
4. Cloud adoption plan
3. Ready
1. Azure Setup Guide
2. Azure Landing Zone
3. Extend Landing Zone
4. Best practices
4. Adopt
- Migrate
1. First migration
2. Migration scenarios
3. Best practices
4. Process Improvements
- Innovate
1. Business value consensus
2. Innovation guide
3. Best practices
4. Process Improvements
5. Govern & Manage
Govern
1. governance solutions
- business needs
- agility
- control risks
2. manage cloud environment (stability <-> cost)
Manage
- operate and optimize
6. Organize: Roles & Responsibilities (RACI matrix)
14. Core tenets of Security, Privacy, Compliance
1) Microsoft Privacy Statement
- Info: collection, purpose and usage of personal data
- Offers: All resources
- Audience: Everyone
2) Online Service Terms (OST)
- Info: licensing terms(use rights) for MS online services
- Offers: Online services
- Audience: Organization
3) Data Protection Addendum (DPA) (Appending to OST)
- Info: processing and security of personal data
- Offers: Online services
- Audience: Organization
4) Trust Center
- Info: One stop shop, website for Security, Compliance, Privacy, Policies, Practices
- Offers: online services
- Audience: Organization
5) Azure Compliance Documents
- Info: website for Compliance
- Offers: Azure
- Audience: Organization
6) Azure sovereign region
Azure Government, Azure China (operated by 21vianet)