  • Identify Azure data migration options

    Now that you understand the different storage options within Azure, it’s important to also understand how to get your data and information into Azure. Azure supports both real-time migration of infrastructure, applications, and data using Azure Migrate as well as asynchronous migration of data using Azure Data Box.

    Azure Migrate

    Azure Migrate is a service that helps you migrate from an on-premises environment to the cloud. Azure Migrate functions as a hub to help you manage the assessment and migration of your on-premises datacenter to Azure. It provides the following:

    • Unified migration platform: A single portal to start, run, and track your migration to Azure.
    • Range of tools: A range of tools for assessment and migration. Azure Migrate tools include Azure Migrate: Discovery and assessment and Azure Migrate: Server Migration. Azure Migrate also integrates with other Azure services and tools, and with independent software vendor (ISV) offerings.
    • Assessment and migration: In the Azure Migrate hub, you can assess and migrate your on-premises infrastructure to Azure.

    Integrated tools

    In addition to working with tools from ISVs, the Azure Migrate hub also includes the following tools to help with migration:

    • Azure Migrate: Discovery and assessment. Discover and assess on-premises servers running on VMware, Hyper-V, and physical servers in preparation for migration to Azure.
    • Azure Migrate: Server Migration. Migrate VMware VMs, Hyper-V VMs, physical servers, other virtualized servers, and public cloud VMs to Azure.
    • Data Migration Assistant. Data Migration Assistant is a stand-alone tool to assess SQL Servers. It helps pinpoint potential problems blocking migration. It identifies unsupported features, new features that can benefit you after migration, and the right path for database migration.
    • Azure Database Migration Service. Migrate on-premises databases to Azure VMs running SQL Server, Azure SQL Database, or SQL Managed Instances.
    • Azure App Service migration assistant. Azure App Service migration assistant is a standalone tool to assess on-premises websites for migration to Azure App Service. Use Migration Assistant to migrate .NET and PHP web apps to Azure.
    • Azure Data Box. Use Azure Data Box products to move large amounts of offline data to Azure.

    Azure Data Box

    Azure Data Box is a physical migration service that helps transfer large amounts of data in a quick, inexpensive, and reliable way. The secure data transfer is accelerated by shipping you a proprietary Data Box storage device that has a maximum usable storage capacity of 80 terabytes. The Data Box is transported to and from your datacenter via a regional carrier. A rugged case protects and secures the Data Box from damage during transit.

    You can order the Data Box device via the Azure portal to import or export data from Azure. Once the device is received, you can quickly set it up using the local web UI and connect it to your network. Once you’re finished transferring the data (either into or out of Azure), simply return the Data Box. If you’re transferring data into Azure, the data is automatically uploaded once Microsoft receives the Data Box back. The entire process is tracked end-to-end by the Data Box service in the Azure portal.

    Use cases

    Data Box is ideally suited to transferring data sets larger than 40 TB in scenarios with no or limited network connectivity. The data movement can be one-time, periodic, or an initial bulk data transfer followed by periodic transfers.

    Here are the various scenarios where Data Box can be used to import data to Azure.

    • One-time migration – when a large amount of on-premises data is moved to Azure.
    • Moving a media library from offline tapes into Azure to create an online media library.
    • Migrating your VM farm, SQL server, and applications to Azure.
    • Moving historical data to Azure for in-depth analysis and reporting using HDInsight.
    • Initial bulk transfer – when an initial bulk transfer is done using Data Box (seed) followed by incremental transfers over the network.
    • Periodic uploads – when a large amount of data is generated periodically and needs to be moved to Azure.

    Here are the various scenarios where Data Box can be used to export data from Azure.

    • Disaster recovery – when a copy of the data from Azure is restored to an on-premises network. In a typical disaster recovery scenario, a large amount of Azure data is exported to a Data Box. Microsoft then ships this Data Box, and the data is restored on your premises in a short time.
    • Security requirements – when you need to be able to export data out of Azure due to government or security requirements.
    • Migrate back to on-premises or to another cloud service provider – when you want to move all the data back to on-premises, or to another cloud service provider, export data via Data Box to migrate the workloads.

    Once the data from your import order is uploaded to Azure, the disks on the device are wiped clean in accordance with NIST 800-88r1 standards. For an export order, the disks are erased once the device reaches the Azure datacenter.

  • Describe Azure storage services

    The Azure Storage platform includes the following data services:

    • Azure Blobs: A massively scalable object store for text and binary data. Also includes support for big data analytics through Data Lake Storage Gen2.
    • Azure Files: Managed file shares for cloud or on-premises deployments.
    • Azure Queues: A messaging store for reliable messaging between application components.
    • Azure Disks: Block-level storage volumes for Azure VMs.
    • Azure Tables: NoSQL table option for structured, non-relational data.

    Benefits of Azure Storage

    Azure Storage services offer the following benefits for application developers and IT professionals:

    • Durable and highly available. Redundancy ensures that your data is safe if transient hardware failures occur. You can also opt to replicate data across data centers or geographical regions for additional protection from local catastrophes or natural disasters. Data replicated in this way remains highly available if an unexpected outage occurs.
    • Secure. All data written to an Azure storage account is encrypted by the service. Azure Storage provides you with fine-grained control over who has access to your data.
    • Scalable. Azure Storage is designed to be massively scalable to meet the data storage and performance needs of today’s applications.
    • Managed. Azure handles hardware maintenance, updates, and critical issues for you.
    • Accessible. Data in Azure Storage is accessible from anywhere in the world over HTTP or HTTPS. Microsoft provides client libraries for Azure Storage in a variety of languages, including .NET, Java, Node.js, Python, PHP, Ruby, Go, and others, as well as a mature REST API. Azure Storage supports scripting in Azure PowerShell or Azure CLI. And the Azure portal and Azure Storage Explorer offer easy visual solutions for working with your data.

    Azure Blobs

    Azure Blob storage is an object storage solution for the cloud. It can store massive amounts of data, such as text or binary data. Azure Blob storage is unstructured, meaning that there are no restrictions on the kinds of data it can hold. Blob storage can manage thousands of simultaneous uploads, massive amounts of video data, constantly growing log files, and can be reached from anywhere with an internet connection.

    Blobs aren’t limited to common file formats. A blob could contain gigabytes of binary data streamed from a scientific instrument, an encrypted message for another application, or data in a custom format for an app you’re developing. One advantage of blob storage over disk storage is that it doesn’t require developers to think about or manage disks. Data is uploaded as blobs, and Azure takes care of the physical storage needs.

    Blob storage is ideal for:

    • Serving images or documents directly to a browser.
    • Storing files for distributed access.
    • Streaming video and audio.
    • Storing data for backup and restore, disaster recovery, and archiving.
    • Storing data for analysis by an on-premises or Azure-hosted service.

    Accessing blob storage

    Objects in blob storage can be accessed from anywhere in the world via HTTP or HTTPS. Users or client applications can access blobs via URLs, the Azure Storage REST API, Azure PowerShell, Azure CLI, or an Azure Storage client library. The storage client libraries are available for multiple languages, including .NET, Java, Node.js, Python, PHP, and Ruby.

    Blob storage tiers

    Data stored in the cloud can grow at an exponential pace. To manage costs for your expanding storage needs, it’s helpful to organize your data based on attributes like frequency of access and planned retention period. Data stored in the cloud can be handled differently based on how it’s generated, processed, and accessed over its lifetime. Some data is actively accessed and modified throughout its lifetime. Some data is accessed frequently early in its lifetime, with access dropping drastically as the data ages. Some data remains idle in the cloud and is rarely, if ever, accessed after it’s stored. To accommodate these different access needs, Azure provides several access tiers, which you can use to balance your storage costs with your access needs.

    Azure Storage offers different access tiers for your blob storage, helping you store object data in the most cost-effective manner. The available access tiers include:

    • Hot access tier: Optimized for storing data that is accessed frequently (for example, images for your website).
    • Cool access tier: Optimized for data that is infrequently accessed and stored for at least 30 days (for example, invoices for your customers).
    • Cold access tier: Optimized for storing data that is infrequently accessed and stored for at least 90 days.
    • Archive access tier: Appropriate for data that is rarely accessed and stored for at least 180 days, with flexible latency requirements (for example, long-term backups).

    The following considerations apply to the different access tiers:

    • Hot, cool, and cold access tiers can be set at the account level. The archive access tier isn’t available at the account level.
    • Hot, cool, cold, and archive tiers can be set at the blob level, during or after upload.
    • Data in the cool and cold access tiers can tolerate slightly lower availability, but still requires high durability, retrieval latency, and throughput characteristics similar to hot data. For cool and cold data, a lower availability service-level agreement (SLA) and higher access costs compared to hot data are acceptable trade-offs for lower storage costs.
    • Archive storage stores data offline and offers the lowest storage costs, but also the highest costs to rehydrate and access data.

    Azure Files

    Azure File storage offers fully managed file shares in the cloud that are accessible via the industry standard Server Message Block (SMB) or Network File System (NFS) protocols. Azure Files file shares can be mounted concurrently by cloud or on-premises deployments. SMB Azure file shares are accessible from Windows, Linux, and macOS clients. NFS Azure Files shares are accessible from Linux or macOS clients. Additionally, SMB Azure file shares can be cached on Windows Servers with Azure File Sync for fast access near where the data is being used.

    Azure Files key benefits:

    • Shared access: Azure file shares support the industry standard SMB and NFS protocols, meaning you can seamlessly replace your on-premises file shares with Azure file shares without worrying about application compatibility.
    • Fully managed: Azure file shares can be created without the need to manage hardware or an OS. This means you don’t have to deal with patching the server OS with critical security upgrades or replacing faulty hard disks.
    • Scripting and tooling: PowerShell cmdlets and Azure CLI can be used to create, mount, and manage Azure file shares as part of the administration of Azure applications. You can also create and manage Azure file shares using the Azure portal and Azure Storage Explorer.
    • Resiliency: Azure Files has been built from the ground up to always be available. Replacing on-premises file shares with Azure Files means you don’t have to wake up in the middle of the night to deal with local power outages or network issues.
    • Familiar programmability: Applications running in Azure can access data in the share via file system I/O APIs. Developers can therefore use their existing code and skills to migrate existing applications. In addition to System IO APIs, you can use Azure Storage Client Libraries or the Azure Storage REST API.

    Azure Queues

    Azure Queue storage is a service for storing large numbers of messages. Once stored, you can access the messages from anywhere in the world via authenticated calls using HTTP or HTTPS. A queue can contain as many messages as your storage account has room for (potentially millions). Each individual message can be up to 64 KB in size. Queues are commonly used to create a backlog of work to process asynchronously.

    Queue storage can be combined with compute functions like Azure Functions to take an action when a message is received. For example, you want to perform an action after a customer uploads a form to your website. You could have the submit button on the website trigger a message to the Queue storage. Then, you could use Azure Functions to trigger an action once the message was received.

    Azure Disks

    Azure Disk storage, or Azure managed disks, are block-level storage volumes managed by Azure for use with Azure VMs. Conceptually, they’re the same as a physical disk, but they’re virtualized – offering greater resiliency and availability than a physical disk. With managed disks, all you have to do is provision the disk, and Azure will take care of the rest.

    Azure Tables

    Azure Table storage stores large amounts of structured data. Azure tables are a NoSQL datastore that accepts authenticated calls from inside and outside the Azure cloud. This enables you to use Azure tables to build your hybrid or multicloud solution and have your data always available. Azure tables are ideal for storing structured, non-relational data.

  • Describe Azure storage redundancy

    Azure Storage always stores multiple copies of your data so that it’s protected from planned and unplanned events such as transient hardware failures, network or power outages, and natural disasters. Redundancy ensures that your storage account meets its availability and durability targets even in the face of failures.

    When deciding which redundancy option is best for your scenario, consider the tradeoffs between lower costs and higher availability. The factors that help determine which redundancy option you should choose include:

    • How your data is replicated in the primary region.
    • Whether your data is replicated to a second region that is geographically distant to the primary region, to protect against regional disasters.
    • Whether your application requires read access to the replicated data in the secondary region if the primary region becomes unavailable.

    Redundancy in the primary region

    Data in an Azure Storage account is always replicated three times in the primary region. Azure Storage offers two options for how your data is replicated in the primary region, locally redundant storage (LRS) and zone-redundant storage (ZRS).

    Locally redundant storage

    Locally redundant storage (LRS) replicates your data three times within a single data center in the primary region. LRS provides at least 11 nines of durability (99.999999999%) of objects over a given year.

    Diagram showing the structure used for locally redundant storage.

    LRS is the lowest-cost redundancy option and offers the least durability compared to other options. LRS protects your data against server rack and drive failures. However, if a disaster such as fire or flooding occurs within the data center, all replicas of a storage account using LRS may be lost or unrecoverable. To mitigate this risk, Microsoft recommends using zone-redundant storage (ZRS), geo-redundant storage (GRS), or geo-zone-redundant storage (GZRS).

    Zone-redundant storage

    For Availability Zone-enabled Regions, zone-redundant storage (ZRS) replicates your Azure Storage data synchronously across three Azure availability zones in the primary region. ZRS offers durability for Azure Storage data objects of at least 12 nines (99.9999999999%) over a given year.

    Diagram showing ZRS, with a copy of data stored in each of three availability zones.

    With ZRS, your data is still accessible for both read and write operations even if a zone becomes unavailable. No remounting of Azure file shares from the connected clients is required. If a zone becomes unavailable, Azure undertakes networking updates, such as DNS repointing. These updates may affect your application if you access data before the updates have completed.

    Microsoft recommends using ZRS in the primary region for scenarios that require high availability. ZRS is also recommended for restricting replication of data within a country or region to meet data governance requirements.

    Redundancy in a secondary region

    For applications requiring high durability, you can choose to additionally copy the data in your storage account to a secondary region that is hundreds of miles away from the primary region. If the data in your storage account is copied to a secondary region, then your data is durable even in the event of a catastrophic failure that prevents the data in the primary region from being recovered.

    When you create a storage account, you select the primary region for the account. The paired secondary region is based on Azure Region Pairs, and can’t be changed.

    Azure Storage offers two options for copying your data to a secondary region: geo-redundant storage (GRS) and geo-zone-redundant storage (GZRS). GRS is similar to running LRS in two regions, and GZRS is similar to running ZRS in the primary region and LRS in the secondary region.

    By default, data in the secondary region isn’t available for read or write access unless there’s a failover to the secondary region. If the primary region becomes unavailable, you can choose to fail over to the secondary region. After the failover has completed, the secondary region becomes the primary region, and you can again read and write data.

     Important

    Because data is replicated to the secondary region asynchronously, a failure that affects the primary region may result in data loss if the primary region can’t be recovered. The interval between the most recent writes to the primary region and the last write to the secondary region is known as the recovery point objective (RPO). The RPO indicates the point in time to which data can be recovered. Azure Storage typically has an RPO of less than 15 minutes, although there’s currently no SLA on how long it takes to replicate data to the secondary region.

    Geo-redundant storage

    GRS copies your data synchronously three times within a single physical location in the primary region using LRS. It then copies your data asynchronously to a single physical location in the secondary region (the region pair) using LRS. GRS offers durability for Azure Storage data objects of at least 16 nines (99.99999999999999%) over a given year.

    Diagram showing GRS, with primary region LRS replicating data to LRS in a second region.

    Geo-zone-redundant storage

    GZRS combines the high availability provided by redundancy across availability zones with protection from regional outages provided by geo-replication. Data in a GZRS storage account is copied across three Azure availability zones in the primary region (similar to ZRS) and is also replicated to a secondary geographic region, using LRS, for protection from regional disasters. Microsoft recommends using GZRS for applications requiring maximum consistency, durability, and availability, excellent performance, and resilience for disaster recovery.

    Diagram showing GZRS, with primary region ZRS replicating data to LRS in a second region.

    GZRS is designed to provide at least 16 nines (99.99999999999999%) of durability of objects over a given year.

    Read access to data in the secondary region

    Geo-redundant storage (with GRS or GZRS) replicates your data to another physical location in the secondary region to protect against regional outages. By default, that data can be read only if the customer or Microsoft initiates a failover from the primary to the secondary region. If you enable read access to the secondary region, however, your data is always available for reading, even when the primary region is running optimally. For read access to the secondary region, enable read-access geo-redundant storage (RA-GRS) or read-access geo-zone-redundant storage (RA-GZRS).

     Important

    Remember that the data in your secondary region may not be up-to-date due to RPO.
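
    The RPO described above, and the stale reads that RA-GRS or RA-GZRS can return, as an added toy simulation written for this page (not Microsoft's or Azure Storage's code): a primary commits writes synchronously and a secondary receives them after a fixed replication lag, which is an assumption standing in for the real, variable asynchronous replication.

```python
from __future__ import annotations

import math
from dataclasses import dataclass, field

TYPICAL_RPO_SECONDS = 15 * 60   # the page's "typically less than 15 minutes" (no SLA)


@dataclass(frozen=True)
class Write:
    t: float        # seconds since the start of the simulation
    key: str
    value: str


@dataclass
class GeoReplicatedAccount:
    """Toy GRS model: writes commit synchronously in the primary region and are
    copied to the secondary asynchronously after `lag_seconds` (a fixed lag is an
    assumption of this example; real replication lag varies)."""
    lag_seconds: float
    primary: dict = field(default_factory=dict)
    secondary: dict = field(default_factory=dict)
    journal: list = field(default_factory=list)   # committed primary writes, in time order
    applied: int = 0                               # journal entries already on the secondary
    last_primary_write_t: float | None = None
    last_secondary_write_t: float | None = None

    def write(self, t: float, key: str, value: str) -> None:
        """Commit a write in the primary region; it is acknowledged immediately."""
        self.primary[key] = value
        self.journal.append(Write(t, key, value))
        self.last_primary_write_t = t

    def replicate(self, now: float) -> None:
        """Apply every journaled write whose lag has elapsed by `now` to the secondary."""
        while self.applied < len(self.journal):
            w = self.journal[self.applied]
            if w.t + self.lag_seconds > now:
                break
            self.secondary[w.key] = w.value
            self.last_secondary_write_t = w.t
            self.applied += 1

    def rpo(self, now: float) -> float:
        """Seconds between the most recent primary write and the last write that has
        reached the secondary: the window of data at risk if the primary is lost."""
        self.replicate(now)
        if self.last_primary_write_t is None:
            return 0.0              # nothing written, nothing at risk
        if self.last_secondary_write_t is None:
            return math.inf         # nothing replicated yet: every write is at risk
        return self.last_primary_write_t - self.last_secondary_write_t

    def read_secondary(self, key: str, now: float):
        """RA-GRS style read served by the secondary; may return stale or missing data."""
        self.replicate(now)
        return self.secondary.get(key)

    def failover(self, now: float) -> list[Write]:
        """Primary lost at `now`: promote the secondary and return the writes that
        never arrived there (the data loss the RPO describes)."""
        self.replicate(now)
        lost = self.journal[self.applied:]
        self.primary = dict(self.secondary)      # secondary becomes the new primary
        self.journal = self.journal[:self.applied]
        return lost


def within_typical_rpo(rpo_seconds: float) -> bool:
    """True if the at-risk window is inside the typical (non-SLA) RPO."""
    return rpo_seconds < TYPICAL_RPO_SECONDS


if __name__ == "__main__":
    # Constructed scenario: a write every 100 s, 10 minutes of replication lag,
    # primary region lost at t = 1000 s.
    acct = GeoReplicatedAccount(lag_seconds=600)
    for t in range(0, 1001, 100):
        acct.write(t, f"k{t}", f"v{t}")
    print("RPO at failure:", acct.rpo(now=1000), "s")
    print("k700 from secondary:", acct.read_secondary("k700", now=1000))
    print("lost on failover:", [w.key for w in acct.failover(now=1000)])
```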

  • Describe Azure storage accounts

    The following video introduces the different services available with Azure Storage.

    https://learn-video.azurefd.net/vod/player?id=477e6b92-9bc6-425d-90fe-2468ab8ab0f1&locale=en-us&embedUrl=%2Ftraining%2Fmodules%2Fdescribe-azure-storage-services%2F2-accounts

    A storage account provides a unique namespace for your Azure Storage data that’s accessible from anywhere in the world over HTTP or HTTPS. Data in this account is secure, highly available, durable, and massively scalable.

    When you create your storage account, you’ll start by picking the storage account type. The type of account determines the storage services and redundancy options and has an impact on the use cases. Below is a list of redundancy options that will be covered later in this module:

    • Locally redundant storage (LRS)
    • Geo-redundant storage (GRS)
    • Read-access geo-redundant storage (RA-GRS)
    • Zone-redundant storage (ZRS)
    • Geo-zone-redundant storage (GZRS)
    • Read-access geo-zone-redundant storage (RA-GZRS)

    Type | Supported services | Redundancy options | Usage
    Standard general-purpose v2 | Blob Storage (including Data Lake Storage), Queue Storage, Table Storage, and Azure Files | LRS, GRS, RA-GRS, ZRS, GZRS, RA-GZRS | Standard storage account type for blobs, file shares, queues, and tables. Recommended for most scenarios using Azure Storage. If you want support for network file system (NFS) in Azure Files, use the premium file shares account type.
    Premium block blobs | Blob Storage (including Data Lake Storage) | LRS, ZRS | Premium storage account type for block blobs and append blobs. Recommended for scenarios with high transaction rates or that use smaller objects or require consistently low storage latency.
    Premium file shares | Azure Files | LRS, ZRS | Premium storage account type for file shares only. Recommended for enterprise or high-performance scale applications. Use this account type if you want a storage account that supports both Server Message Block (SMB) and NFS file shares.
    Premium page blobs | Page blobs only | LRS | Premium storage account type for page blobs only.

    Storage account endpoints

    One of the benefits of using an Azure Storage Account is having a unique namespace in Azure for your data. In order to do this, every storage account in Azure must have a unique-in-Azure account name. The combination of the account name and the Azure Storage service endpoint forms the endpoints for your storage account.

    When naming your storage account, keep these rules in mind:

    • Storage account names must be between 3 and 24 characters in length and may contain numbers and lowercase letters only.
    • Your storage account name must be unique within Azure. No two storage accounts can have the same name. This supports the ability to have a unique, accessible namespace in Azure.
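
    An added example, not code from the page or from Microsoft, that checks the naming rules above and composes per-service endpoints from an account name, then uses the same parsing in reverse to flag storage URLs that point at accounts outside an allowlist. The endpoint suffixes (blob, dfs, file, queue and table under core.windows.net) are the well-known Azure public-cloud defaults and are an assumption here; global uniqueness of the name cannot be checked offline.

```python
from __future__ import annotations

import re
from urllib.parse import urlparse

# Assumption: default Azure public-cloud endpoint suffixes (sovereign clouds differ).
SERVICE_SUFFIXES = {
    "blob": "blob.core.windows.net",
    "dfs": "dfs.core.windows.net",      # Data Lake Storage Gen2 endpoint of a blob account
    "file": "file.core.windows.net",
    "queue": "queue.core.windows.net",
    "table": "table.core.windows.net",
}


def validate_account_name(name: str) -> list[str]:
    """Return the naming-rule violations for a storage account name.

    An empty list means the name is syntactically valid. Uniqueness within
    Azure is enforced by the service at creation time and is not checked here.
    """
    problems = []
    if not 3 <= len(name) <= 24:
        problems.append(f"length {len(name)} is outside the allowed 3-24 characters")
    if not re.fullmatch(r"[a-z0-9]*", name):
        problems.append("only lowercase letters and digits are allowed")
    return problems


def storage_endpoints(name: str) -> dict[str, str]:
    """Build the HTTPS endpoint for each service of a valid account name."""
    problems = validate_account_name(name)
    if problems:
        raise ValueError(f"invalid storage account name {name!r}: {'; '.join(problems)}")
    return {svc: f"https://{name}.{suffix}/" for svc, suffix in SERVICE_SUFFIXES.items()}


def parse_storage_url(url: str) -> tuple[str, str] | None:
    """Return (account_name, service) for an Azure Storage URL, or None.

    Only HTTPS URLs whose host ends in a known suffix are accepted, so a
    look-alike host such as contoso.blob.core.windows.net.evil.example and
    a host whose leading label breaks the naming rules are both rejected.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        return None
    host = parsed.hostname.lower()
    for svc, suffix in SERVICE_SUFFIXES.items():
        account = host.removesuffix("." + suffix)
        if account != host and not validate_account_name(account):
            return account, svc
    return None


def urls_outside_allowlist(urls, approved_accounts) -> list[str]:
    """Return the storage URLs that reference an account not in `approved_accounts`.

    Handy when reviewing configuration files or proxy logs for references to
    storage accounts the organisation does not own.
    """
    flagged = []
    for url in urls:
        hit = parse_storage_url(url)
        if hit is not None and hit[0] not in approved_accounts:
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    # Constructed sample data: one approved account and a few URLs to review.
    for svc, url in storage_endpoints("contoso42").items():
        print(f"{svc:6} {url}")
    sample_urls = [
        "https://contoso42.blob.core.windows.net/backups/2024.tar",
        "https://rogue7.file.core.windows.net/share",
        "https://contoso42.blob.core.windows.net.evil.example/x",
    ]
    print("not on allowlist:", urls_outside_allowlist(sample_urls, {"contoso42"}))
```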

    The following table shows the endpoint format for Azure Storage services.

  • Describe Microsoft Defender for Cloud

    Defender for Cloud is a monitoring tool for security posture management and threat protection. It monitors your cloud, on-premises, hybrid, and multicloud environments to provide guidance and notifications aimed at strengthening your security posture.

    Defender for Cloud provides the tools needed to harden your resources, track your security posture, protect against cyber attacks, and streamline security management. Deployment of Defender for Cloud is easy because it’s natively integrated with Azure.

    Protection everywhere you’re deployed

    Because Defender for Cloud is an Azure-native service, many Azure services are monitored and protected without needing any deployment. However, if you also have an on-premises datacenter or are also operating in another cloud environment, monitoring of Azure services may not give you a complete picture of your security situation.

    When necessary, Defender for Cloud can automatically deploy a Log Analytics agent to gather security-related data. For Azure machines, deployment is handled directly. For hybrid and multicloud environments, Microsoft Defender plans are extended to non-Azure machines with the help of Azure Arc. Cloud security posture management (CSPM) features are extended to multicloud machines without the need for any agents.

    Azure-native protections

    Defender for Cloud helps you detect threats across:

    • Azure PaaS services – Detect threats targeting Azure services including Azure App Service, Azure SQL, Azure Storage Account, and more data services. You can also perform anomaly detection on your Azure activity logs using the native integration with Microsoft Defender for Cloud Apps (formerly known as Microsoft Cloud App Security).
    • Azure data services – Defender for Cloud includes capabilities that help you automatically classify your data in Azure SQL. You can also get assessments for potential vulnerabilities across Azure SQL and Storage services, and recommendations for how to mitigate them.
    • Networks – Defender for Cloud helps you limit exposure to brute force attacks. By reducing access to virtual machine ports with just-in-time VM access, you can harden your network by preventing unnecessary access. You can set secure access policies on selected ports, for only authorized users, allowed source IP address ranges or IP addresses, and for a limited amount of time.
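
    A toy evaluator for the just-in-time (JIT) VM access policy described under Networks, written as an added example for this page and not Defender for Cloud's implementation: a request is checked against the authorized users, the allowed source ranges and the maximum duration for that port, and the port is reachable only while an unexpired grant exists. The users, rule values and TEST-NET addresses are constructed sample data.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class PortRule:
    port: int
    allowed_sources: tuple      # ip_network objects permitted to request this port
    max_duration: timedelta     # longest access window a request may ask for


@dataclass(frozen=True)
class AccessRequest:
    user: str
    port: int
    source_ip: str
    requested_at: datetime
    duration: timedelta


@dataclass(frozen=True)
class Grant:
    user: str
    port: int
    source_ip: str
    expires_at: datetime


class JitPolicy:
    """Default-deny: a management port is reachable only through an unexpired grant."""

    def __init__(self, authorized_users, rules):
        self.authorized_users = frozenset(authorized_users)
        self.rules = {r.port: r for r in rules}
        self.grants: list[Grant] = []

    def evaluate(self, req: AccessRequest) -> tuple[bool, str]:
        """Return (granted, reason); a successful request records a time-boxed grant."""
        if req.user not in self.authorized_users:
            return False, "user is not authorized to request JIT access"
        rule = self.rules.get(req.port)
        if rule is None:
            return False, f"port {req.port} is not covered by a JIT rule"
        try:
            src = ipaddress.ip_address(req.source_ip)
        except ValueError:
            return False, "source address is not a valid IP address"
        if not any(src in net for net in rule.allowed_sources):
            return False, "source address is outside the allowed ranges"
        if req.duration <= timedelta(0):
            return False, "requested duration must be positive"
        if req.duration > rule.max_duration:
            return False, f"requested duration exceeds the {rule.max_duration} maximum"
        self.grants.append(Grant(req.user, req.port, str(src), req.requested_at + req.duration))
        return True, "access granted"

    def connection_allowed(self, port: int, source_ip: str, at: datetime) -> bool:
        """Would a connection to `port` from `source_ip` at time `at` be let through?"""
        src = str(ipaddress.ip_address(source_ip))
        return any(g.port == port and g.source_ip == src and at < g.expires_at
                   for g in self.grants)


def build_demo_policy() -> JitPolicy:
    """Constructed sample policy: SSH from one office range for at most 3 hours."""
    return JitPolicy(
        authorized_users={"alice"},
        rules=[PortRule(22, (ipaddress.ip_network("203.0.113.0/24"),), timedelta(hours=3))],
    )


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    policy = build_demo_policy()
    for req in [
        AccessRequest("alice", 22, "203.0.113.7", t0, timedelta(hours=2)),
        AccessRequest("bob", 22, "203.0.113.7", t0, timedelta(hours=1)),
        AccessRequest("alice", 22, "198.51.100.5", t0, timedelta(hours=1)),
        AccessRequest("alice", 3389, "203.0.113.7", t0, timedelta(hours=1)),
        AccessRequest("alice", 22, "203.0.113.7", t0, timedelta(hours=5)),
    ]:
        print(req.user, req.port, req.source_ip, "->", policy.evaluate(req))
    print("SSH open at +1h:", policy.connection_allowed(22, "203.0.113.7", t0 + timedelta(hours=1)))
    print("SSH open at +2h:", policy.connection_allowed(22, "203.0.113.7", t0 + timedelta(hours=2)))
```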

    Defend your hybrid resources

    In addition to defending your Azure environment, you can add Defender for Cloud capabilities to your hybrid cloud environment to protect your non-Azure servers. To help you focus on what matters the most, you’ll get customized threat intelligence and prioritized alerts according to your specific environment.

    To extend protection to on-premises machines, deploy Azure Arc and enable Defender for Cloud’s enhanced security features.

    Defend resources running on other clouds

    Defender for Cloud can also protect resources in other clouds (such as AWS and GCP).

    For example, if you’ve connected an Amazon Web Services (AWS) account to an Azure subscription, you can enable any of these protections:

    • Defender for Cloud’s CSPM features extend to your AWS resources. This agentless plan assesses your AWS resources according to AWS-specific security recommendations, and includes the results in the secure score. The resources will also be assessed for compliance with built-in standards specific to AWS (AWS CIS, AWS PCI DSS, and AWS Foundational Security Best Practices). Defender for Cloud’s asset inventory page is a multicloud enabled feature helping you manage your AWS resources alongside your Azure resources.
    • Microsoft Defender for Containers extends its container threat detection and advanced defenses to your Amazon EKS Linux clusters.
    • Microsoft Defender for Servers brings threat detection and advanced defenses to your Windows and Linux EC2 instances.

    Assess, Secure, and Defend

    Defender for Cloud fills three vital needs as you manage the security of your resources and workloads in the cloud and on-premises:

    • Continuously assess – Know your security posture. Identify and track vulnerabilities.
    • Secure – Harden resources and services with Azure Security Benchmark.
    • Defend – Detect and resolve threats to resources, workloads, and services.

    Diagram reinforcing assess, secure, and defend.

    Continuously assess

    Defender for Cloud helps you continuously assess your environment. Defender for Cloud includes vulnerability assessment solutions for your virtual machines, container registries, and SQL servers.

    Microsoft Defender for Servers includes automatic, native integration with Microsoft Defender for Endpoint. With this integration enabled, you’ll have access to the vulnerability findings from Microsoft threat and vulnerability management.

    Between these assessment tools you’ll have regular, detailed vulnerability scans that cover your compute, data, and infrastructure. You can review and respond to the results of these scans all from within Defender for Cloud.

    Secure

    From authentication methods to access control to the concept of Zero Trust, security in the cloud is an essential basic that must be done right. In order to be secure in the cloud, you have to ensure your workloads are secure. To secure your workloads, you need security policies in place that are tailored to your environment and situation. Because policies in Defender for Cloud are built on top of Azure Policy controls, you’re getting the full range and flexibility of a world-class policy solution. In Defender for Cloud, you can set your policies to run on management groups, across subscriptions, and even for a whole tenant.

    One of the benefits of moving to the cloud is the ability to grow and scale as you need, adding new services and resources as necessary. Defender for Cloud is constantly monitoring for new resources being deployed across your workloads. Defender for Cloud assesses if new resources are configured according to security best practices. If not, they’re flagged and you get a prioritized list of recommendations for what you need to fix. Recommendations help you reduce the attack surface across each of your resources.

    The list of recommendations is enabled and supported by the Azure Security Benchmark. This Microsoft-authored, Azure-specific, benchmark provides a set of guidelines for security and compliance best practices based on common compliance frameworks.

    In this way, Defender for Cloud enables you not just to set security policies, but to apply secure configuration standards across your resources.

    To help you understand how important each recommendation is to your overall security posture, Defender for Cloud groups the recommendations into security controls and adds a secure score value to each control. The secure score gives you an at-a-glance indicator of the health of your security posture, while the controls give you a working list of things to consider to improve your security score and your overall security posture.

    Screenshot showing the Microsoft Defender for Cloud secure score.

    Defend

    The first two areas were focused on assessing, monitoring, and maintaining your environment. Defender for Cloud also helps you defend your environment by providing security alerts and advanced threat protection features.

    Security alerts

    When Defender for Cloud detects a threat in any area of your environment, it generates a security alert. Security alerts:

    • Describe details of the affected resources
    • Suggest remediation steps
    • Provide, in some cases, an option to trigger a logic app in response

    Whether an alert is generated by Defender for Cloud or received by Defender for Cloud from an integrated security product, you can export it. Defender for Cloud’s threat protection includes fusion kill-chain analysis, which automatically correlates alerts in your environment based on cyber kill-chain analysis, to help you better understand the full story of an attack campaign, where it started, and what kind of impact it had on your resources.

    Advanced threat protection

    Defender for Cloud provides advanced threat protection features for many of your deployed resources, including virtual machines, SQL databases, containers, web applications, and your network. Protections include securing the management ports of your VMs with just-in-time access, and adaptive application controls that build allowlists of which applications should and shouldn't run on your machines.


  • Describe defense-in-depth

    The objective of defense-in-depth is to protect information and prevent it from being stolen by those who aren’t authorized to access it.

    A defense-in-depth strategy uses a series of mechanisms to slow the advance of an attack that aims at acquiring unauthorized access to data.

    Layers of defense-in-depth

    You can visualize defense-in-depth as a set of layers, with the data to be secured at the center and all the other layers functioning to protect that central data layer.

    A diagram showing the defense in depth layers. From the center: data, application, compute, network, perimeter, identity & access, physical security.

    Each layer provides protection so that if one layer is breached, a subsequent layer is already in place to prevent further exposure. This approach removes reliance on any single layer of protection. It slows down an attack and provides alert information that security teams can act upon, either automatically or manually.

    Here’s a brief overview of the role of each layer:

    • The physical security layer is the first line of defense to protect computing hardware in the datacenter.
    • The identity and access layer controls access to infrastructure and change control.
    • The perimeter layer uses distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for users.
    • The network layer limits communication between resources through segmentation and access controls.
    • The compute layer secures access to virtual machines.
    • The application layer helps ensure that applications are secure and free of security vulnerabilities.
    • The data layer controls access to business and customer data that you need to protect.

    These layers provide a guideline for you to help make security configuration decisions in all of the layers of your applications.

    Azure provides security tools and features at every level of the defense-in-depth concept. Let’s take a closer look at each layer:

    Physical security

    Physically securing access to buildings and controlling access to computing hardware within the datacenter are the first line of defense.

    With physical security, the intent is to provide physical safeguards against access to assets. These safeguards ensure that other layers can’t be bypassed, and loss or theft is handled appropriately. Microsoft uses various physical security mechanisms in its cloud datacenters.

    Identity and access

    The identity and access layer is all about ensuring that identities are secure, that access is granted only to what’s needed, and that sign-in events and changes are logged.

    At this layer, it’s important to:

    • Control access to infrastructure and change control.
    • Use single sign-on (SSO) and multifactor authentication.
    • Audit events and changes.

    Perimeter

    The network perimeter protects against network-based attacks on your resources. Identifying these attacks, eliminating their impact, and alerting you when they happen are important ways to keep your network secure.

    At this layer, it’s important to:

    • Use DDoS protection to filter large-scale attacks before they can affect the availability of a system for users.
    • Use perimeter firewalls to identify and alert on malicious attacks against your network.

    Network

    At this layer, the focus is on limiting the network connectivity across all your resources to allow only what’s required. By limiting this communication, you reduce the risk of an attack spreading to other systems in your network.

    At this layer, it’s important to:

    • Limit communication between resources.
    • Deny by default.
    • Restrict inbound internet access and limit outbound access where appropriate.
    • Implement secure connectivity to on-premises networks.

    Compute

    Malware, unpatched systems, and improperly secured systems open your environment to attacks. The focus in this layer is on making sure that your compute resources are secure and that you have the proper controls in place to minimize security issues.

    At this layer, it’s important to:

    • Secure access to virtual machines.
    • Implement endpoint protection on devices and keep systems patched and current.

    Application

    Integrating security into the application development lifecycle helps reduce the number of vulnerabilities introduced in code. Every development team should ensure that its applications are secure by default.

    At this layer, it’s important to:

    • Ensure that applications are secure and free of vulnerabilities.
    • Store sensitive application secrets in a secure storage medium.
    • Make security a design requirement for all application development.

    Data

    Those who store and control access to data are responsible for ensuring that it’s properly secured. Often, regulatory requirements dictate the controls and processes that must be in place to ensure the confidentiality, integrity, and availability of the data.

    In almost all cases, attackers are after data:

    • Stored in a database.
    • Stored on disk inside virtual machines.
    • Stored in software as a service (SaaS) applications, such as Office 365.
    • Managed through cloud storage.


  • Describe Zero Trust model

    Zero Trust is a security model that assumes the worst case scenario and protects resources with that expectation. Zero Trust assumes breach at the outset, and then verifies each request as though it originated from an uncontrolled network.

    Today, organizations need a new security model that effectively adapts to the complexity of the modern environment; embraces the mobile workforce; and protects people, devices, applications, and data wherever they’re located.

    To address this new world of computing, Microsoft highly recommends the Zero Trust security model, which is based on these guiding principles:

    • Verify explicitly – Always authenticate and authorize based on all available data points.
    • Use least privilege access – Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection.
    • Assume breach – Minimize blast radius and segment access. Verify end-to-end encryption. Use analytics to get visibility, drive threat detection, and improve defenses.

    Adjusting to Zero Trust

    Traditionally, corporate networks were restricted, protected, and generally assumed safe. Only managed computers could join the network, VPN access was tightly controlled, and personal devices were frequently restricted or blocked.

    The Zero Trust model flips that scenario. Instead of assuming that a device is safe because it's within the corporate network, it requires every user and device to authenticate, and then grants access based on that authentication rather than on network location.

    Diagram comparing Zero Trust authenticating everyone compared to classic relying on network location.


  • Describe Azure role-based access control

    When you have multiple IT and engineering teams, how can you control what access they have to the resources in your cloud environment? The principle of least privilege says you should only grant access up to the level needed to complete a task. If you only need read access to a storage blob, then you should only be granted read access to that storage blob. Write access to that blob shouldn’t be granted, nor should read access to other storage blobs. It’s a good security practice to follow.

    However, managing that level of permissions for an entire team would become tedious. Instead of defining the detailed access requirements for each individual, and then updating access requirements when new resources are created or new people join the team, Azure enables you to control access through Azure role-based access control (Azure RBAC).

    Azure provides built-in roles that describe common access rules for cloud resources. You can also define your own roles. Each role has an associated set of access permissions that relate to that role. When you assign individuals or groups to one or more roles, they receive all the associated access permissions.

    So, if you hire a new engineer and add them to the group that holds the engineers' role assignments, they automatically get the same access as the other engineers in that group. Similarly, if you create new resources inside a scope where that group already has a role assignment, everyone in the group gets the same permissions on the new resources as on the existing ones.

    How is role-based access control applied to resources?

    Role-based access control is applied to a scope, which is a resource or set of resources that this access applies to.

    The following diagram shows the relationship between roles and scopes. A user or group might be assigned the Owner role at a management group, subscription, or resource group scope, giving them full control over everything within that scope. An observer, who isn't expected to make any updates, might be assigned the Reader role at the same scope, enabling them to review or observe the management group, subscription, or resource group without changing it.

    A diagram showing scopes and roles. Role and scope combinations map to a specific kind of user or account, such as an observer or an admin.

    Scopes include:

    • A management group (a collection of multiple subscriptions).
    • A single subscription.
    • A resource group.
    • A single resource.

    Observers, users managing resources, admins, and automated processes illustrate the kinds of users or accounts that would typically be assigned each of the various roles.

    Azure RBAC is hierarchical, in that when you grant access at a parent scope, those permissions are inherited by all child scopes. For example:

    • When you assign the Owner role to a user at the management group scope, that user can manage everything in all subscriptions within the management group.
    • When you assign the Reader role to a group at the subscription scope, the members of that group can view every resource group and resource within the subscription.

    How is Azure RBAC enforced?

    Azure RBAC is enforced on any action that’s initiated against an Azure resource that passes through Azure Resource Manager. Resource Manager is a management service that provides a way to organize and secure your cloud resources.

    You typically access Resource Manager from the Azure portal, Azure Cloud Shell, Azure PowerShell, and the Azure CLI. Azure RBAC doesn’t enforce access permissions at the application or data level. Application security must be handled by your application.

    Azure RBAC uses an allow model. When you’re assigned a role, Azure RBAC allows you to perform actions within the scope of that role. If one role assignment grants you read permissions to a resource group and a different role assignment grants you write permissions to the same resource group, you have both read and write permissions on that resource group.
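    The scope inheritance and allow model described above can be made concrete with a small evaluator. The following is an added example, not the Azure authorization service or SDK: it models a scope hierarchy, role assignments to users and groups, and the check Resource Manager conceptually performs for a request. The scope aliases, group membership and assignments are constructed for the example; the role definitions follow the real Actions/NotActions shape and the real action-string format, but the Contributor and Virtual Machine Contributor entries are deliberately short subsets of the built-in definitions.

```python
"""Added example: Azure RBAC-style authorization check with scope inheritance and an allow model."""
from fnmatch import fnmatchcase

# Constructed scope hierarchy. Keys are aliases for real scope IDs such as
# "/subscriptions/<id>/resourceGroups/rg-web"; None marks the root management group.
SCOPE_PARENT = {
    "mg-corp": None,
    "sub-prod": "mg-corp",
    "rg-web": "sub-prod",
    "rg-data": "sub-prod",
    "vm-web-01": "rg-web",
    "vm-db-01": "rg-data",
}

# Role definitions as (Actions, NotActions). Owner and Reader are complete; the other
# two are subsets of the real built-in roles, kept short for the example.
ROLES = {
    "Owner": (["*"], []),
    "Reader": (["*/read"], []),
    "Contributor": (["*"], ["Microsoft.Authorization/*/Delete",
                            "Microsoft.Authorization/*/Write",
                            "Microsoft.Authorization/elevateAccess/Action"]),
    "Virtual Machine Contributor": (["Microsoft.Compute/virtualMachines/*",
                                     "Microsoft.Network/networkInterfaces/*",
                                     "Microsoft.Network/virtualNetworks/read"], []),
}

# Constructed principals: a security group plus individual users.
GROUP_MEMBERS = {"sg-engineers": {"alice", "bob"}}

# (principal, role, scope) role assignments, constructed for the example.
ASSIGNMENTS = [
    ("carol", "Owner", "mg-corp"),
    ("sg-engineers", "Reader", "sub-prod"),
    ("sg-engineers", "Virtual Machine Contributor", "rg-web"),
    ("dave", "Contributor", "rg-web"),
]


def scope_chain(scope):
    """The scope itself followed by each ancestor up to the root: inheritance flows down this chain."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = SCOPE_PARENT[scope]
    return chain


def principals_for(user):
    """A user acts as themselves plus every group they belong to."""
    return {user} | {g for g, members in GROUP_MEMBERS.items() if user in members}


def _matches(action, patterns):
    # Azure action matching is case-insensitive and '*' spans path segments.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def role_permits(role, action):
    actions, not_actions = ROLES[role]
    return _matches(action, actions) and not _matches(action, not_actions)


def applicable_assignments(user, scope):
    """Assignments that reach this scope: made to the user or their groups, at this scope or an ancestor."""
    chain = scope_chain(scope)
    principals = principals_for(user)
    return [(p, r, s) for p, r, s in ASSIGNMENTS if p in principals and s in chain]


def is_authorized(user, action, scope):
    """Allow model: one applicable assignment whose role permits the action is enough."""
    return any(role_permits(role, action) for _, role, _ in applicable_assignments(user, scope))


if __name__ == "__main__":
    checks = [
        ("alice", "Microsoft.Compute/virtualMachines/start/action", "vm-web-01"),
        ("alice", "Microsoft.Compute/virtualMachines/start/action", "vm-db-01"),
        ("dave", "Microsoft.Authorization/roleAssignments/write", "rg-web"),
        ("carol", "Microsoft.Authorization/roleAssignments/write", "vm-db-01"),
    ]
    for user, action, scope in checks:
        print(f"{user:6} {action:55} @ {scope:10} -> {is_authorized(user, action, scope)}")
```

    Note that alice can start a VM in rg-web (Virtual Machine Contributor assigned at the resource group, inherited by the VM) but only read the VM in rg-data (Reader inherited from the subscription), and that dave's Contributor role cannot write role assignments because NotActions subtracts those from the role's own "*"; NotActions is a per-role subtraction, not a deny that overrides another assignment.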


  • Describe Azure conditional access

    Conditional Access is a tool that Microsoft Entra ID uses to allow (or deny) access to resources based on identity signals. These signals include who the user is, where the user is, and what device the user is requesting access from.

    Conditional Access helps IT administrators:

    • Empower users to be productive wherever and whenever.
    • Protect the organization’s assets.

    Conditional Access also provides a more granular multifactor authentication experience for users. For example, a user might not be challenged for a second authentication factor if they're at a known location. However, they might be challenged for a second factor if their sign-in signals are unusual or they're at an unexpected location.

    During sign-in, Conditional Access collects signals from the user, makes decisions based on those signals, and then enforces that decision by allowing or denying the access request or challenging for a multifactor authentication response.

    The following diagram illustrates this flow:

    Diagram showing the conditional access flow of a signal leading to a decision, leading to enforcement.

    Here, the signal might be the user’s location, the user’s device, or the application that the user is trying to access.

    Based on these signals, the decision might be to allow full access if the user is signing in from their usual location. If the user is signing in from an unusual location or a location that’s marked as high risk, then access might be blocked entirely or possibly granted after the user provides a second form of authentication.

    Enforcement is the action that carries out the decision. For example, the action is to allow access or require the user to provide a second form of authentication.

    When can I use Conditional Access?

    Conditional Access is useful when you need to:

    • Require multifactor authentication (MFA) to access an application depending on the requester's role, location, or network. For example, you could require MFA for administrators but not for regular users, or for anyone connecting from outside your corporate network.
    • Require access to services only through approved client applications. For example, you could limit which email applications are able to connect to your email service.
    • Require users to access your application only from managed devices. A managed device is a device that meets your standards for security and compliance.
    • Block access from untrusted sources, such as access from unknown or unexpected locations.
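    The signal, decision and enforcement flow described above, together with the four scenarios in this list, can be modelled in a few dozen lines. The following is an added example, not Microsoft Entra code or the real policy schema: sign-in signals are a constructed dataclass, each policy is a predicate over those signals plus a grant control, "block" wins over every other control, and enforcement either allows, challenges for MFA, or denies when a required control (such as a compliant device) cannot be satisfied interactively. The named locations, apps, risk levels and policies are assumptions made for the example.

```python
"""Added example: Conditional Access-style evaluation of sign-in signals into a decision and enforcement."""
from dataclasses import dataclass, field
from typing import Callable

BLOCK, MFA, COMPLIANT_DEVICE, APPROVED_CLIENT = "block", "mfa", "compliant_device", "approved_client_app"


@dataclass
class SignIn:
    """Signals collected at sign-in (constructed schema, not the real token or claims format)."""
    user: str
    app: str
    roles: set = field(default_factory=set)
    location: str = "unknown"        # named location such as "HQ"; "unknown" for anything unrecognised
    sign_in_risk: str = "none"       # assumed levels: none / low / medium / high
    device_compliant: bool = False
    client_app_approved: bool = True
    mfa_completed: bool = False


@dataclass
class Policy:
    name: str
    applies: Callable[[SignIn], bool]   # condition over the signals
    grant: set                          # {BLOCK} or the set of controls that must be satisfied


TRUSTED_LOCATIONS = {"HQ", "Branch-East"}     # assumed named locations
BLOCKED_LOCATIONS = {"HighRisk-Region"}

POLICIES = [
    Policy("Require MFA for administrators", lambda s: "Global Administrator" in s.roles, {MFA}),
    Policy("Require MFA outside trusted locations", lambda s: s.location not in TRUSTED_LOCATIONS, {MFA}),
    Policy("Require MFA for high-risk sign-ins", lambda s: s.sign_in_risk == "high", {MFA}),
    Policy("Require compliant device for Finance", lambda s: s.app == "Finance", {COMPLIANT_DEVICE}),
    Policy("Require approved client for Exchange Online", lambda s: s.app == "Exchange Online", {APPROVED_CLIENT}),
    Policy("Block untrusted locations", lambda s: s.location in BLOCKED_LOCATIONS, {BLOCK}),
]


def decide(signin: SignIn):
    """Decision step: collect every matching policy; a block anywhere wins, otherwise controls accumulate."""
    matched = [p for p in POLICIES if p.applies(signin)]
    names = [p.name for p in matched]
    if any(BLOCK in p.grant for p in matched):
        return "block", set(), names
    required = set().union(*(p.grant for p in matched)) if matched else set()
    return "grant", required, names


def _satisfied(signin: SignIn, control: str) -> bool:
    return {MFA: signin.mfa_completed,
            COMPLIANT_DEVICE: signin.device_compliant,
            APPROVED_CLIENT: signin.client_app_approved}[control]


def enforce(signin: SignIn) -> str:
    """Enforcement step: allow, challenge for MFA, or deny when a control cannot be met on the spot."""
    decision, required, _ = decide(signin)
    if decision == "block":
        return "blocked"
    unmet = {c for c in required if not _satisfied(signin, c)}
    if not unmet:
        return "allowed"
    if unmet == {MFA}:
        return "challenge:mfa"      # MFA can be completed interactively, so prompt rather than deny
    return "denied:" + ",".join(sorted(unmet))


if __name__ == "__main__":
    samples = [
        SignIn("alice", "Finance", roles={"Global Administrator"}, location="HQ", device_compliant=True),
        SignIn("bob", "Wiki", location="HQ"),
        SignIn("bob", "Wiki", location="HighRisk-Region", mfa_completed=True),
        SignIn("bob", "Finance", location="HQ"),
        SignIn("bob", "Exchange Online", client_app_approved=False),
    ]
    for s in samples:
        print(f"{s.user} -> {s.app} from {s.location}: {decide(s)[2]} => {enforce(s)}")
```

    Two behaviours are worth noticing: a block decision cannot be overridden by completing MFA (third sample), and a control like "compliant device" that the user cannot satisfy during the sign-in results in a denial rather than a prompt (fourth sample). That is the difference between the "decision" and "enforcement" steps in the flow above.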


  • Describe Azure external identities

    An external identity is a person, device, service, etc. that is outside your organization. Microsoft Entra External ID refers to all the ways you can securely interact with users outside of your organization. If you want to collaborate with partners, distributors, suppliers, or vendors, you can share your resources and define how your internal users can access external organizations. If you’re a developer creating consumer-facing apps, you can manage your customers’ identity experiences.

    External identities may sound similar to single sign-on. With External Identities, external users can “bring their own identities.” Whether they have a corporate or government-issued digital identity, or an unmanaged social identity like Google or Facebook, they can use their own credentials to sign in. The external user’s identity provider manages their identity, and you manage access to your apps with Microsoft Entra ID or Azure AD B2C to keep your resources protected.

    Diagram showing B2B collaborators accessing your tenant and B2C collaborators accessing the AD B2C tenant.

    The following capabilities make up External Identities:

    • Business to business (B2B) collaboration – Collaborate with external users by letting them use their preferred identity to sign-in to your Microsoft applications or other enterprise applications (SaaS apps, custom-developed apps, etc.). B2B collaboration users are represented in your directory, typically as guest users.
    • B2B direct connect – Establish a mutual, two-way trust with another Microsoft Entra organization for seamless collaboration. B2B direct connect currently supports Teams shared channels, enabling external users to access your resources from within their home instances of Teams. B2B direct connect users aren’t represented in your directory, but they’re visible from within the Teams shared channel and can be monitored in Teams admin center reports.
    • Microsoft Azure Active Directory business to customer (B2C) – Publish modern SaaS apps or custom-developed apps (excluding Microsoft apps) to consumers and customers, while using Azure AD B2C for identity and access management.

    Depending on how you want to interact with external organizations and the types of resources you need to share, you can use a combination of these capabilities.

    With Microsoft Entra ID, you can easily enable collaboration across organizational boundaries by using the Microsoft Entra B2B feature. Guest users from other tenants can be invited by administrators or by other users. This capability also applies to social identities such as Microsoft accounts.

    You also can easily ensure that guest users have appropriate access. You can ask the guests themselves or a decision maker to participate in an access review and recertify (or attest) to the guests’ access. The reviewers can give their input on each user’s need for continued access, based on suggestions from Microsoft Entra ID. When an access review is finished, you can then make changes and remove access for guests who no longer need it.
