Azure Notes 3

Description

Azure notes, module 3
Note by Cristian Osvaldo Gómez, updated more than 1 year ago
Created by Cristian Osvaldo Gómez almost 4 years ago

Resource summary

Page 1

Defense in depth

Defense in depth is a strategy that employs a series of mechanisms to slow the advance of an attack aimed at acquiring unauthorized access to data. The objective of defense in depth is to protect and prevent information from being stolen by individuals not authorized to access it.

The common principles used to define a security posture are confidentiality, integrity, and availability, known collectively as CIA.

    Confidentiality - The principle of least privilege restricts access to information only to individuals explicitly granted access. This information includes protection of user passwords, remote access certificates, and email content.
    Integrity - The prevention of unauthorized changes to information at rest or in transit. A common approach used in data transmission is for the sender to create a unique fingerprint of the data using a one-way hashing algorithm. The hash is sent to the receiver along with the data. The data's hash is recalculated and compared to the original by the receiver to ensure the data wasn't lost or modified in transit.
    Availability - Ensure services are available to authorized users. Denial of service attacks are a prevalent cause of loss of availability to users.

Defense in depth can be visualized as a set of layers, with the data to be secured at the center. Each layer provides protection so that if one layer is breached, a subsequent layer is already in place to prevent further exposure.

    Physical security is the first line of defense to protect computing hardware in the datacenter.
    Identity & access controls access to infrastructure and change control.
    Perimeter layer uses distributed denial-of-service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for end users.
    Networking layer limits communication between resources through segmentation and access controls.
    Compute layer secures access to virtual machines.
    Application layer ensures applications are secure and free of vulnerabilities.

Data

In almost all cases, attackers are after data:

    Stored in a database
    Stored on disk inside virtual machines
    Stored on a SaaS application such as Office 365
    Stored in cloud storage

It's the responsibility of those storing and controlling access to data to ensure that it's properly secured. Often, there are regulatory requirements that dictate the controls and processes that must be in place to ensure the confidentiality, integrity, and availability of the data.

Application

    Ensure applications are secure and free of vulnerabilities.
    Store sensitive application secrets in a secure storage medium.
    Make security a design requirement for all application development.

Integrating security into the application development life cycle will help reduce the number of vulnerabilities introduced in code. We encourage all development teams to ensure their applications are secure by default, and that they're making security requirements non-negotiable.

Compute

    Secure access to virtual machines.
    Implement endpoint protection and keep systems patched and current.

Malware, unpatched systems, and improperly secured systems open your environment to attacks. The focus in this layer is on making sure your compute resources are secure, and that you have the proper controls in place to minimize security issues.

Networking

    Limit communication between resources.
    Deny by default.
    Restrict inbound internet access and limit outbound, where appropriate.
    Implement secure connectivity to on-premises networks.

At this layer, the focus is on limiting the network connectivity across all your resources to allow only what is required. By limiting this communication, you reduce the risk of lateral movement throughout your network.

Perimeter

    Use distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for end users.
    Use perimeter firewalls to identify and alert on malicious attacks against your network.

At the network perimeter, it's about protecting from network-based attacks against your resources. Identifying these attacks, eliminating their impact, and alerting you when they happen are important ways to keep your network secure.

Identity and access

    Control access to infrastructure and change control.
    Use single sign-on and multi-factor authentication.
    Audit events and changes.

The identity and access layer is all about ensuring identities are secure, access granted is only what is needed, and changes are logged.

Physical security

    Physical building security and controlling access to computing hardware within the data center is the first line of defense.

With physical security, the intent is to provide physical safeguards against access to assets. These safeguards ensure that other layers can't be bypassed, and loss or theft is handled appropriately.

Page 2

Shared Security

Organizations face many challenges with securing their datacenters, including recruiting and keeping security experts, using many security tools, and keeping pace with the volume and complexity of threats.

One of the first shifts Contoso Shipping makes is from on-premises data centers to infrastructure as a service (IaaS). With IaaS, you are leveraging the lowest-level service and asking Azure to create virtual machines (VMs) and virtual networks. At this level, it's still your responsibility to patch and secure your operating systems and software, as well as configure your network to be secure. At Contoso Shipping, you are taking advantage of IaaS when you start using Azure VMs instead of your on-premises physical servers. In addition to the operational advantages, you receive the security advantage of having outsourced concern over protecting the physical parts of the network.

Next, it is time to build your drone app in the cloud. Moving to platform as a service (PaaS) outsources several security concerns. At this level, Azure is taking care of the operating system and of most foundational software like database management systems. Everything is updated with the latest security patches and can be integrated with Azure Active Directory for access controls. PaaS also comes with many operational advantages. Rather than building whole infrastructures and subnets for your environments by hand, you can “point and click” within the Azure portal or run automated scripts to bring complex, secured systems up and down, and scale them as needed. Contoso Shipping uses an app built on Azure for tracking telemetry data from drones and trucks, as well as a web app, which are both examples of PaaS.

With software as a service (SaaS), you outsource almost everything. SaaS is software that runs with an internet infrastructure. The code is controlled by the vendor but configured to be used by the customer. Like so many companies, Contoso Shipping uses Office 365, which is a great example of SaaS!

Page 3

Azure Firewall

Azure Firewall is a service that grants server access based on the originating IP address of each request. You create firewall rules that specify ranges of IP addresses. Only clients from these granted IP addresses will be allowed to access the server. Firewall rules also include specific network protocol and port information.

It is a managed, cloud-based network security service that protects your Azure Virtual Network resources. Azure Firewall provides many features, including:

    Built-in high availability.
    Unrestricted cloud scalability.
    Inbound and outbound filtering rules.
    Azure Monitor logging.

Common Usage Scenarios

You typically deploy Azure Firewall on a central virtual network to control general network access. With Azure Firewall you can configure:

    Application rules that define fully qualified domain names (FQDNs) that can be accessed from a subnet.
    Network rules that define source address, protocol, destination port, and destination address.

Page 4

Distributed Denial of Service (DDoS)

DDoS attacks attempt to overwhelm and exhaust an application’s resources, making the application slow or unresponsive to legitimate users. DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet. Thus, any resource exposed to the internet, such as a website, is potentially at risk from a DDoS attack.

Azure DDoS protection service tiers

Azure DDoS Protection provides the following service tiers:

    Basic. The Basic service tier is automatically enabled as part of the Azure platform. Always-on traffic monitoring and real-time mitigation of common network-level attacks provide the same defenses that Microsoft’s online services use. Azure’s global network is used to distribute and mitigate attack traffic across regions.
    Standard. The Standard service tier provides additional mitigation capabilities that are tuned specifically to Microsoft Azure Virtual Network resources. DDoS Protection Standard is simple to enable and requires no application changes. Protection policies are tuned through dedicated traffic monitoring and machine learning algorithms. Policies are applied to public IP addresses which are associated with resources deployed in virtual networks, such as Azure Load Balancer and Application Gateway.

DDoS standard protection

DDoS standard protection can mitigate the following types of attacks:

    Volumetric attacks. The attack's goal is to flood the network layer with a substantial amount of seemingly legitimate traffic.
    Protocol attacks. These attacks render a target inaccessible by exploiting a weakness in the layer 3 and layer 4 protocol stack.
    Resource (application) layer attacks. These attacks target web application packets to disrupt the transmission of data between hosts.

Page 5

Network Security Groups

Network Security Groups allow you to filter network traffic to and from Azure resources in an Azure virtual network. An NSG can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol.

Network security rule properties

A network security group can contain as many rules as you need, within Azure subscription limits. Each rule specifies the following properties:

    Name - Unique name of the NSG.
    Priority - A number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers.
    Source or Destination - Individual IP address or IP address range, service tag, or application security group.
    Protocol - TCP, UDP, or Any.
    Direction - Whether the rule applies to inbound or outbound traffic.
    Port Range - An individual port or range of ports.
    Action - Allow or Deny.

When you create a network security group, Azure creates a series of default rules to provide a baseline level of security. You cannot remove the default rules, but you can override them by creating new rules with higher priorities.

Page 6

Application Security groups

Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups. This feature allows you to reuse your security policy at scale without manual maintenance of explicit IP addresses. The platform handles the complexity of explicit IP addresses and multiple rule sets, allowing you to focus on your business logic.

An ASG enables you to group servers with similar port filtering requirements, and group together servers with similar functions, such as web servers. In the below example, we have ASGs defined for Web Servers, App Servers, and DB Servers and green and red arrows indicating which network traffic paths are allowable and which are not.

ASGs help simplify how you can filter and control network traffic coming into your organization and how that network traffic is allowed to move. They allow you to isolate multiple workloads and provide additional levels of protection for your virtual network in a more easily manageable way.

Page 7

Network Security Solutions

When considering your Azure security solution, consider all the elements of defense in depth.

Perimeter layer

The network perimeter layer is about protecting organizations from network-based attacks against your resources. Identifying these attacks, alerting, and eliminating their impact is important to keep your network secure. To do this:

    Use Azure DDoS Protection to filter large-scale attacks before they can cause a denial of service for end users.
    Use perimeter firewalls with Azure Firewall to identify and alert on malicious attacks against your network.

Networking layer

At this layer, the focus is on limiting network connectivity across all your resources to only allow what is required. Segment your resources and use network-level controls to restrict communication to only what is needed. By restricting connectivity, you reduce the risk of lateral movement throughout your network from an attack. Use NSGs to create rules about inbound and outbound communication at this layer. As best practices:

    Limit communication between resources through segmenting your network and configuring access controls.
    Deny by default.
    Restrict inbound internet access and limit outbound where appropriate.
    Implement secure connectivity to on-premises networks.

Combining services

You can also combine multiple Azure networking and security services to manage your network security and provide increased layered protection. The following are examples of combined services:

    Network security groups and Azure Firewall. Azure Firewall complements network security group functionality. Together, they provide better defense-in-depth network security. Network security groups provide distributed network layer traffic filtering to limit traffic to resources within virtual networks in each subscription. Azure Firewall is a fully stateful, centralized network firewall-as-a-service, which provides network and application-level protection across different subscriptions and virtual networks.
    Application Gateway WAF and Azure Firewall. WAF is a feature of Application Gateway that provides your web applications with centralized, inbound protection against common exploits and vulnerabilities. Azure Firewall provides inbound protection for non-HTTP/S protocols (for example, RDP, SSH, FTP), outbound network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S. Combining both provides additional layers of protection.

Page 8

Walkthrough - Secure network traffic

In this walkthrough, we will create and configure inbound and outbound security port rules.

    Task 1: Create a virtual machine. In this task, we will deploy a custom template to create a virtual machine.
    Task 2: Create a network security group. In this task, we will create a network security group and associate the virtual machine network interface.
    Task 3: Configure an inbound security port rule to allow RDP. In this task, we will allow RDP to the virtual machine by configuring an inbound security port rule.
    Task 4: Configure an outbound security port rule to deny Internet access. In this task, we will create a NSG and associate it with the virtual machine. We will then deny Internet access and test to ensure the rule is working.

Congratulations! You have created and configured inbound and outbound security port rules.
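
The NSG rule properties on Page 5 and the two rules configured in this walkthrough can be modelled offline. The following is an added example, not part of the original notes or any Azure tooling: it evaluates traffic against rules in priority order (lowest number first, first match wins) and shows how custom rules override the default rules. The VNet range, VM address, rule names and priorities are constructed, and the `Internet` service tag is simplified to "anything outside the sample VNet".

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values: the VNet address space and the VM's private IP.
VNET = ipaddress.ip_network("10.0.0.0/16")
VM_IP = "10.0.1.4"


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str        # "Inbound" or "Outbound"
    action: str           # "Allow" or "Deny"
    protocol: str         # "TCP", "UDP" or "Any"
    source: str           # CIDR, "*" or a service tag
    destination: str      # CIDR, "*" or a service tag
    port_low: int = 0
    port_high: int = 65535


# Default rules Azure adds to every NSG (the load balancer probe rule is left out).
DEFAULT_RULES = [
    Rule("AllowVNetInBound", 65000, "Inbound", "Allow", "Any", "VirtualNetwork", "VirtualNetwork"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "Any", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "Any", "VirtualNetwork", "VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "Any", "*", "Internet"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "Any", "*", "*"),
]


def addr_matches(spec: str, ip: str) -> bool:
    """Match an address against "*", a service tag, or a CIDR range."""
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return addr in VNET
    if spec == "Internet":
        # Simplification: treat everything outside the sample VNet as Internet.
        return addr not in VNET
    return addr in ipaddress.ip_network(spec)


def build_nsg(custom_rules):
    """Validate custom rules and merge them with the defaults, lowest priority number first."""
    seen = set()
    for rule in custom_rules:
        if not 100 <= rule.priority <= 4096:
            raise ValueError(f"{rule.name}: priority must be between 100 and 4096")
        key = (rule.direction, rule.priority)
        if key in seen:
            raise ValueError(f"{rule.name}: duplicate priority for {rule.direction}")
        seen.add(key)
    return sorted(list(custom_rules) + DEFAULT_RULES, key=lambda r: r.priority)


def evaluate(nsg, direction, protocol, src, dst, port):
    """Return (action, rule name) of the first matching rule; processing stops there."""
    for rule in nsg:
        if rule.direction != direction:
            continue
        if rule.protocol not in ("Any", protocol):
            continue
        if not rule.port_low <= port <= rule.port_high:
            continue
        if addr_matches(rule.source, src) and addr_matches(rule.destination, dst):
            return rule.action, rule.name
    return "Deny", "no matching rule"


# Rules corresponding to walkthrough tasks 3 and 4 (names and priorities are constructed).
WALKTHROUGH_RULES = [
    Rule("AllowRDP", 300, "Inbound", "Allow", "TCP", "*", VM_IP + "/32", 3389, 3389),
    Rule("DenyInternet", 4000, "Outbound", "Deny", "Any", "*", "Internet"),
]

if __name__ == "__main__":
    nsg = build_nsg(WALKTHROUGH_RULES)
    flows = [  # constructed test traffic using documentation address ranges
        ("Inbound", "TCP", "203.0.113.10", VM_IP, 3389),
        ("Inbound", "TCP", "203.0.113.10", VM_IP, 22),
        ("Outbound", "TCP", VM_IP, "198.51.100.7", 443),
        ("Outbound", "TCP", VM_IP, "10.0.2.5", 1433),
    ]
    for flow in flows:
        print(flow, "->", evaluate(nsg, *flow))
```

Comparing the outbound result with and without `DenyInternet` is the same check the walkthrough performs by hand: the custom rule at priority 4000 is reached before the default `AllowInternetOutBound` at 65001.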

Page 9

Authentication versus Authorization

Two fundamental concepts that need to be understood when talking about identity and access are authentication and authorization. They underpin everything else that happens and occur sequentially in any identity and access process:

    Authentication. Authentication is the process of establishing the identity of a person or service looking to access a resource. It involves the act of challenging a party for legitimate credentials and provides the basis for creating a security principal for identity and access control use. It establishes if they are who they say they are.
    Authorization. Authorization is the process of establishing what level of access an authenticated person or service has. It specifies what data they're allowed to access and what they can do with it.

✔️ Authentication is sometimes shortened to AuthN, and authorization is sometimes shortened to AuthZ.

Page 10

Azure Active Directory (Azure AD)

Azure AD is a Microsoft cloud-based identity and access management service. Azure AD helps employees of an organization sign in and access resources:

    External resources might include Microsoft Office 365, the Azure portal, and thousands of other software as a service (SaaS) applications.
    Internal resources might include apps on your corporate network and intranet, along with any cloud apps developed by your own organization.

Azure AD provides services such as:

    Authentication. This includes verifying identity to access applications and resources, and providing functionality such as self-service password reset, multi-factor authentication (MFA), a custom banned password list, and smart lockout services.
    Single-Sign-On (SSO). SSO enables users to remember only one ID and one password to access multiple applications. A single identity is tied to a user, simplifying the security model. As users change roles or leave an organization, access modifications are tied to that identity, greatly reducing the effort needed to change or disable accounts.
    Application management. You can manage your cloud and on-premises apps using Azure AD Application Proxy, SSO, the My apps portal (also referred to as Access panel), and SaaS apps.
    Business to business (B2B) identity services. Manage your guest users and external partners while maintaining control over your own corporate data.
    Business-to-Customer (B2C) identity services. Customize and control how users sign up, sign in, and manage their profiles when using your apps with services.
    Device Management. Manage how your cloud or on-premises devices access your corporate data.

Azure AD is intended for:

    IT administrators. Administrators can use Azure AD to control access to apps and their resources, based on your business requirements.
    App developers. Developers can use Azure AD to provide a standards-based approach for adding functionality to applications that you build, such as adding Single-Sign-On functionality to an app, or allowing an app to work with a user's pre-existing credentials and other functionality.
    Microsoft 365, Microsoft Office 365, Azure, or Microsoft Dynamics CRM Online subscribers. These subscribers are already using Azure AD. Each Microsoft 365, Office 365, Azure, and Dynamics CRM Online tenant is automatically an Azure AD tenant. You can immediately start to manage access to your integrated cloud apps using Azure AD.

Let's explore single sign-on in more detail.

Single sign-on

The more identities a user has to manage, the greater the risk of a credential-related security incident. More identities mean more passwords to remember and change. Password policies can vary between applications and, as complexity requirements increase, it becomes increasingly difficult for users to remember them.

Now, consider the logistics of managing all those identities. Additional strain is placed on help desks as they deal with account lockouts and password reset requests. If a user leaves an organization, tracking down all those identities and ensuring they are disabled can be challenging. If an identity is overlooked, this could allow access when it should have been eliminated.

With single sign-on (SSO), users need to remember only one ID and one password. Access across applications is granted to a single identity tied to a user, simplifying the security model. As users change roles or leave an organization, access modifications are tied to the single identity, greatly reducing the effort needed to change or disable accounts. Using single sign-on for accounts will make it easier for users to manage their identities and will increase the security capabilities in your environment.

SSO with Azure Active Directory

By leveraging Azure AD for SSO you'll also have the ability to combine multiple data sources into an intelligent security graph. This security graph enables the ability to provide threat analysis and real-time identity protection to all accounts in Azure AD, including accounts that are synchronized from your on-premises AD. By using a centralized identity provider, you'll have centralized the security controls, reporting, alerting, and administration of your identity infrastructure.

As Contoso Shipping integrates its existing Active Directory instance with Azure AD, you will make controlling access consistent across the organization. Doing so will also greatly simplify the ability to sign into email and Office 365 documents without having to reauthenticate.

Page 11

Azure Multi-Factor Authentication (MFA)

Azure MFA provides additional security for your identities by requiring two or more elements for full authentication. These elements fall into three categories:

    Something you know could be a password or the answer to a security question.
    Something you possess might be a mobile app that receives a notification, or a token-generating device.
    Something you are is typically some sort of biometric property, such as a fingerprint or face scan used on many mobile devices.

Using MFA increases identity security by limiting the impact of credential exposure. To fully authenticate, an attacker who has a user's password would also need to have possession of their phone or their fingerprint, for example. With MFA, authentication with only a single factor is insufficient, and an attacker would be unable to use those credentials alone to authenticate. MFA should be enabled wherever possible as MFA adds enormous benefits to security.

MFA comes as part of the following Azure service offerings:

    Azure Active Directory Premium licenses. These licenses provide full-featured use of Azure Multi-Factor Authentication Service (cloud) or Azure Multi-Factor Authentication Server (on-premises).
    Multi-Factor Authentication for Office 365. A subset of Azure Multi-Factor Authentication capabilities is available as a part of your Office 365 subscription.
    Azure Active Directory global administrators. Because global administrator accounts are highly sensitive, a subset of Azure Multi-Factor Authentication capabilities is available to protect these accounts.

Page 12

Azure Security Center

Azure Security Center is a monitoring service that provides threat protection across all of your services, both in Azure and on-premises. Security Center can:

    Provide security recommendations based on your configurations, resources, and networks.
    Monitor security settings across on-premises and cloud workloads, and automatically apply required security to new services as they come online.
    Continuously monitor all your services and perform automatic security assessments to identify potential vulnerabilities before they can be exploited.
    Use machine learning to detect and block malware from being installed on your virtual machines and services. You can also define a list of allowed applications to ensure that only the apps you validate can execute.
    Analyze and identify potential inbound attacks and help to investigate threats and any post-breach activity that might have occurred.
    Provide just-in-time access control for ports, reducing your attack surface by ensuring the network only allows traffic that you require.

Azure Security Center Versions

Azure Security Center is available in two tiers:

    Free. Available as part of your Azure subscription, this tier is limited to assessments and recommendations of Azure resources only.
    Standard. This tier provides a full suite of security-related services including continuous monitoring, threat detection, just-in-time access control for ports, and more.

Page 13

Scenarios for Azure Security Center

You can integrate Security Center into your workflows and use it in many ways. Here are two examples.

Example 1 - Use Security Center for an incident response.

Many organizations learn how to respond to security incidents only after suffering an attack. To reduce costs and damage, it’s important to have an incident response plan in place before an attack occurs. You can use Azure Security Center in different stages of an incident response.

DETECT - ASSESS - DIAGNOSE - STABILIZE - CLOSE

You can use Security Center during the detect, assess, and diagnose stages. Here are examples of how Security Center can be useful during the three initial incident response stages:

    Detect. Review the first indication of an event investigation. For example, use the Security Center dashboard to review the initial verification that a high-priority security alert was raised.
    Assess. Perform the initial assessment to obtain more information about the suspicious activity. For example, obtain more information about the security alert.
    Diagnose. Conduct a technical investigation and identify containment, mitigation, and workaround strategies. For example, follow the remediation steps described by Security Center in that particular security alert.

Example 2 - Use Security Center recommendations to enhance security.

You can reduce the chances of a significant security event by configuring a security policy, and then implementing the recommendations provided by Azure Security Center.

Security policies and recommendations

A security policy defines the set of controls that are recommended for resources within that specified subscription or resource group. In Security Center, you define policies according to your company's security requirements.

Security Center analyzes the security state of your Azure resources. When Security Center identifies potential security vulnerabilities, it creates recommendations based on the controls set in the security policy. The recommendations guide you through the process of configuring the needed security controls. For example, if you have workloads that do not require the Azure SQL Database Transparent Data Encryption (TDE) policy, turn off the policy at the subscription level and enable it only in the resource groups where SQL TDE is required.

Page 14

Azure Key Vault

Azure Key Vault is a centralized cloud service for storing your applications' secrets. Key Vault helps you control your applications' secrets by keeping them in a single, central location and by providing secure access, permissions control, and access logging capabilities.

Usage Scenarios

    Secrets management. You can use Key Vault to securely store and tightly control access to tokens, passwords, certificates, Application Programming Interface (API) keys, and other secrets.
    Key management. You also can use Key Vault as a key management solution. Key Vault makes it easier to create and control the encryption keys used to encrypt your data.
    Certificate management. Key Vault lets you provision, manage, and deploy your public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for your Azure, and internally connected, resources more easily.
    Store secrets backed by hardware security modules (HSMs). The secrets and keys can be protected either by software, or by FIPS 140-2 Level 2 validated HSMs.

Key Vault benefits

The benefits of using Key Vault include:

    Centralized application secrets. Centralizing storage for application secrets allows you to control their distribution and reduces the chances that secrets may be accidentally leaked.
    Securely stored secrets and keys. Azure uses industry-standard algorithms, key lengths, and HSMs, and access requires proper authentication and authorization.
    Monitor access and use. Using Key Vault, you can monitor and control access to company secrets.
    Simplified administration of application secrets. Key Vault makes it easier to enroll and renew certificates from public Certificate Authorities (CAs). You can also scale up and replicate content within regions and use standard certificate management tools.
    Integrate with other Azure services. You can integrate Key Vault with storage accounts, container registries, event hubs and many more Azure services.

Page 15

Walkthrough - Implement Azure Key Vault

In this walkthrough, we will create an Azure Key vault and then create a password secret within that key vault, providing a securely stored, centrally managed password for use with applications.

    Task 1: Create an Azure Key Vault. In this task, we will create a key vault.
    Task 2: Add a secret to the Key Vault. In this task, we will add a password to the key vault.

Congratulations! You have created an Azure Key vault and then created a password secret in that key vault, providing a securely stored, centrally managed password for use with applications.

Page 16

Azure Information Protection (AIP)

Azure Information Protection is a cloud-based solution that helps organizations classify and (optionally) protect their documents and emails by applying labels. Labels can be applied automatically (by administrators who define rules and conditions), manually (by users), or with a combination of both (where users are guided by recommendations).

Usage scenario

The following screen capture is an example of MSIP in action on a user's computer. In this example, the administrator has configured a label with rules that detect sensitive data. When a user saves a Microsoft Word document containing a credit card number, a custom tooltip is displayed. The tooltip recommends labeling the file as Confidential/All Employees, which is a label that the administrator has configured. This label classifies the document and protects it.

After your content is classified (and optionally protected), you can then track and control how the content is used. For example, you can analyze data flows to gain insight into your business; detect risky behaviors and take corrective measures; track access to documents; and prevent data leakage or misuse.

✔️ You can purchase MSIP either as a standalone solution, or through one of the following Microsoft licensing suites: Enterprise Mobility + Security, or Microsoft 365 Enterprise. Purchasing details are available on the Azure Information Protection pricing webpage (https://azure.microsoft.com/pricing/details/information-protection?azure-portal=true).

Page 17

Azure Advanced Threat Protection (Azure ATP)

Azure ATP is a cloud-based security solution that identifies, detects, and helps you investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Azure ATP is capable of detecting known malicious attacks and techniques, security issues, and risks against your network.

Azure ATP components

    Azure ATP portal. Azure ATP has its own portal, through which you can monitor and respond to suspicious activity. The Azure ATP portal allows you to create your Azure ATP instance, and view the data received from Azure ATP sensors. You can also use the portal to monitor, manage, and investigate threats in your network environment.
    Azure ATP sensor. Azure ATP sensors are installed directly on your domain controllers. The sensor monitors domain controller traffic without requiring a dedicated server or configuring port mirroring.
    Azure ATP cloud service. Azure ATP cloud service runs on Azure infrastructure and is currently deployed in the United States, Europe, and Asia. Azure ATP cloud service is connected to Microsoft's intelligent security graph.

Purchasing

Azure ATP is available as part of the Enterprise Mobility + Security 5 suite (EMS E5), and as a standalone license. You can acquire a license directly from the Enterprise Mobility Security Pricing Options page, or through the Cloud Solution Provider (CSP) licensing model. It is not available to purchase via the Azure portal.

Page 18

Azure Policy Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service-level agreements (SLAs). Azure Policy does this by using policies and initiatives. It runs evaluations of your resources and scans for those not compliant with the policies you have created. For example, you can have a policy to allow only a certain stock keeping unit (SKU) size of virtual machines (VMs) in your environment. Once you implement this policy, it will evaluate resources when you create new ones or update existing ones. It will also evaluate your existing resources. Azure Policy comes with a number of built-in policy and initiative definitions that you can use, under categories such as Storage, Networking, Compute, Security Center, and Monitoring. Azure Policy can also integrate with Azure DevOps, by applying any continuous integration and delivery pipeline policies that apply to the pre-deployment and post-deployment of your applications. Azure Policy can also automatically remediate resources and configurations that are deemed non-compliant, thus ensuring the integrity of the state of the resources.  

Page 19

Implementing Azure Policy There are three steps to creating and implementing an Azure policy. Create a policy definition -> Assign the definition to resources -> Review the evaluation results   Create a policy definition A policy definition expresses what to evaluate and what action to take. For example, you could prevent VMs from being deployed if they are exposed to a public IP address. You also could prevent a hard disk from being used when deploying VMs to control costs. Every policy definition has conditions under which it is enforced. It also has an accompanying effect that takes place if the conditions are met. Here are some example policy definitions:     Allowed Storage Account SKUs. This policy definition has a set of conditions/rules that determine whether a storage account that is being deployed is within a set of SKU sizes. Its effect is to deny all storage accounts that do not adhere to the set of defined SKU sizes.     Allowed Resource Type. This policy definition has a set of conditions/rules to specify the resource types that your organization can deploy. Its effect is to deny all resources that are not part of the defined list.     Allowed Locations. This policy enables you to restrict the locations that your organization can specify when deploying resources. Its effect is used to enforce your geographic compliance requirements.     Allowed Virtual Machine SKUs. This policy enables you to specify a set of VM SKUs that your organization can deploy. More sample policies are available on the Azure Policy Samples page. Assign a definition to a scope of resources To implement your policy definitions, you assign them to resources. A policy assignment is a policy definition that has been assigned to take place within a specific scope. This specific scope could range from a management group to a resource group. Policy assignments are inherited by all child resources. 
This means that if a policy is applied to a resource group, it is applied to all the resources within that resource group. However, you can exclude a subscope from the policy assignment. Review the policy evaluation results When a condition is evaluated against your existing resources it is marked compliant or non-compliant. You can review the non-compliant policy results and take any action that is needed. ✔️ Policy evaluation happens about once an hour, which means that if you make changes to your policy definition and create a policy assignment then it will be re-evaluated over your resources within the hour.  
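The three steps above (definition, assignment to a scope with an excluded subscope, evaluation) can be traced in a small model. This is an added example, not part of the original notes and not Azure's own engine: the rule uses the if/then shape of a policy definition and the `notScopes` exclusion list of an assignment, while the subscription ID, resource names and helper functions are constructed for illustration.

```python
# Simplified model of Azure Policy evaluation. Added example; not Azure's engine.

def norm(value):
    """Lower-case strings so comparisons are case-insensitive."""
    return value.lower() if isinstance(value, str) else value


def allowed_locations_rule(allowed):
    """Rule in the if/then shape of a policy definition: deny any resource whose
    location is not in the allowed list (the parameter is resolved up front)."""
    return {"if": {"not": {"field": "location", "in": allowed}},
            "then": {"effect": "deny"}}


def matches(condition, resource):
    """Evaluate a condition tree (allOf / anyOf / not / field tests)."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource)
    value = norm(resource.get(condition["field"]))
    if "in" in condition:
        return value in [norm(v) for v in condition["in"]]
    if "equals" in condition:
        return value == norm(condition["equals"])
    raise ValueError(f"unsupported condition: {condition}")


def in_scope(resource_id, scope):
    """True when resource_id is the scope itself or a child of it."""
    rid, s = resource_id.lower(), scope.lower().rstrip("/")
    return rid == s or rid.startswith(s + "/")


def applies(assignment, resource_id):
    """Assignments are inherited by child resources unless a subscope is excluded."""
    if not in_scope(resource_id, assignment["scope"]):
        return False
    return not any(in_scope(resource_id, ex) for ex in assignment.get("notScopes", []))


def compliance_state(assignment, resource):
    """State reported for an existing resource during an evaluation cycle."""
    if not applies(assignment, resource["id"]):
        return "not-applicable"
    return "non-compliant" if matches(assignment["rule"]["if"], resource) else "compliant"


def admit(assignment, resource):
    """Decision at create/update time: False when a deny effect fires."""
    if not applies(assignment, resource["id"]):
        return True
    rule = assignment["rule"]
    return not (matches(rule["if"], resource) and norm(rule["then"]["effect"]) == "deny")


# Constructed sample data (placeholder subscription ID and resource names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ASSIGNMENT = {
    "scope": SUB,
    "notScopes": [f"{SUB}/resourceGroups/rg-sandbox"],
    "rule": allowed_locations_rule(["westeurope", "northeurope"]),
}
EXISTING = [
    {"id": f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stprod1",
     "location": "westeurope"},
    {"id": f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm1",
     "location": "eastus"},
    {"id": f"{SUB}/resourceGroups/rg-sandbox/providers/Microsoft.Compute/virtualMachines/vm2",
     "location": "eastus"},
]


def compliance_report(assignment=ASSIGNMENT, resources=EXISTING):
    """Map each resource name to its compliance state."""
    return {r["id"].rsplit("/", 1)[-1]: compliance_state(assignment, r) for r in resources}


if __name__ == "__main__":
    for name, state in compliance_report().items():
        print(f"{name}: {state}")
```

The excluded resource group is matched on a full path segment, so a group named `rg-sandbox2` does not inherit the `rg-sandbox` exclusion.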

Page 20

Policy Initiatives Policy Initiatives work with Azure Policies.   Initiative definitions An initiative definition is a set of policy definitions to help track your compliance state for a larger goal. For example, you could create an initiative named Enable Monitoring in Azure Security Center, with a goal to monitor all the available security recommendations in your Azure Security Center. Under this initiative, you would have the following policy definitions:     Monitor unencrypted SQL Database in Security Center – For monitoring unencrypted SQL databases and servers.     Monitor OS vulnerabilities in Security Center – For monitoring servers that do not satisfy the configured baseline.     Monitor missing Endpoint Protection in Security Center – For monitoring servers without an installed endpoint protection agent. Initiative assignments Like a policy assignment, an initiative assignment is an initiative definition assigned to a specific scope. Initiative assignments reduce the need to make several initiative definitions for each scope. This scope could also range from a management group to a resource group. You can define initiatives using the Azure portal, or command-line tools. In the portal, you use the “Authoring” section.   ✔️ Even if you have a single policy, we recommend using initiatives if you anticipate increasing the number of policies over time.

Page 21

Walkthrough-Create an Azure Policy In this walkthrough, we will create an Azure Policy to restrict deployment of Azure resources to a specific location. Task 1: Create a Policy assignment In this task, we will configure the Allowed location policy and assign it to our subscription. Task 2: Test Allowed location policy In this task, we will test the Allowed location policy. Task 3: Delete the policy assignment In this task, we will remove the Allowed location policy assignment and test. Congratulations! You have created an Azure Policy to restrict deployment of Azure resources to a particular datacenter.

Page 22

Role-based Access Control (RBAC) Role-based access control provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs. RBAC is provided at no additional cost to all Azure subscribers.   Usage Scenarios Examples of when you might use RBAC include when you want to:     Allow one user to manage VMs in a subscription, and another user to manage virtual networks.     Allow a database administrator (DBA) group to manage SQL databases in a subscription.     Allow a user to manage all resources in a resource group, such as VMs, websites, and subnets.     Allow an application to access all resources in a resource group. To view access permissions, access the Access Control (IAM) blade in the Azure portal. This blade shows who has access to an area and their role. Using this same blade, you can also grant or remove access. The following screenshot shows an example of the Access Control (IAM) blade for a resource group. In this example, Alain Charon has been assigned the Backup Operator role for this resource group.   RBAC uses an allow model. This means that when you are assigned a role, RBAC allows you to perform certain actions, such as read, write, or delete. Therefore, if one role assignment grants you read permissions to a resource group, and a different role assignment grants you write permissions to the same resource group, you will have write permissions on that resource group. Best Practices Here are some RBAC best practices:     Using RBAC, segregate duties within your team and grant only the amount of access to users that they need to perform their jobs. Instead of giving everybody unrestricted permissions in your Azure subscription or resources, allow only certain actions at a scope level.     When planning your access control strategy, grant users the lowest privilege level that they need to do their work.

Page 23

Walkthrough-Manage access with RBAC In this walkthrough, we will assign roles and view activity logs. Task 1: View and assign roles In this task, we will assign the Virtual machine contributor role. Task 2: View the activity log and remove a role assignment In this task, we will view the activity log to verify the role assignment, and then remove the role. Congratulations! You have assigned roles and viewed activity logs.

Page 24

Resource Locks Contoso, Ltd. Case Study - In a recent conversation, your manager mentioned that there had been instances where critical Azure resources were mistakenly deleted. Since there was disorganization across their Azure environment, good intentions of cleaning up unnecessary resources resulted in accidental deletions of resources critical to other systems. You've heard of resource locks on Azure. You mention to your manager that you think you can help prevent this type of incident from happening in the future. You'll take a look at how you could use resource locks to solve this problem. What are resource locks? Resource Locks help you prevent accidental deletion or modification of your Azure resources. You can manage these locks from within the Azure portal. To view, add, or delete locks, go to the SETTINGS section of any resource's settings blade. You may need to lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. You can set the lock level to CanNotDelete or ReadOnly:     CanNotDelete means authorized admins can still read and modify a resource, but they can't delete the resource.     ReadOnly means authorized admins can read a resource, but they can't delete or update the resource. Applying this lock is like restricting all authorized users to the permissions granted by the Reader role. When a resource lock is applied, you must first remove the lock in order to perform that activity. By putting an additional step in place before allowing the action to be taken on the resource, it helps protect resources from inadvertent actions, and helps protect your administrators from doing something they may not have intended to do. Resource locks apply regardless of RBAC permissions. Even if you are an owner of the resource, you must still remove the lock before you'll actually be able to perform the blocked activity.
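The RBAC allow model from the earlier page and the lock behaviour described here combine into one decision: role assignments are unioned across scopes, then locks are checked regardless of role. The following is an added example, not part of the original notes and not Azure's implementation; the role definitions are abbreviated, the principals, lock name and resource IDs are constructed, and the lock check is simplified to the verb at the end of the action string.

```python
from fnmatch import fnmatchcase

# Abbreviated role definitions, constructed for this example; the real
# built-in roles list many more actions.
ROLES = {
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Virtual Machine Contributor": {
        "actions": ["Microsoft.Compute/virtualMachines/*"], "not_actions": []},
    "Owner": {"actions": ["*"], "not_actions": []},
}

# Constructed scopes and resources (placeholder subscription ID).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = f"{SUB}/resourceGroups/rg-prod"
VM = f"{RG}/providers/Microsoft.Compute/virtualMachines/vm1"
STORAGE = f"{RG}/providers/Microsoft.Storage/storageAccounts/stprod1"

ASSIGNMENTS = [
    {"principal": "alice", "role": "Reader", "scope": SUB},
    {"principal": "alice", "role": "Virtual Machine Contributor", "scope": RG},
    {"principal": "bob", "role": "Owner", "scope": SUB},
]
LOCKS = [{"name": "keep-prod", "scope": RG, "level": "CanNotDelete"}]


def in_scope(resource_id, scope):
    """True when resource_id is the scope itself or a child of it."""
    rid, s = resource_id.lower(), scope.lower().rstrip("/")
    return rid == s or rid.startswith(s + "/")


def role_permits(role, action):
    """An action is granted if it matches Actions and is not carved out by NotActions."""
    a = action.lower()
    granted = any(fnmatchcase(a, p.lower()) for p in role["actions"])
    excluded = any(fnmatchcase(a, p.lower()) for p in role["not_actions"])
    return granted and not excluded


def rbac_allows(principal, action, resource_id, assignments):
    """Allow model: the union of every assignment at this scope or a parent scope."""
    return any(
        a["principal"] == principal
        and in_scope(resource_id, a["scope"])
        and role_permits(ROLES[a["role"]], action)
        for a in assignments
    )


def blocking_lock(action, resource_id, locks):
    """Return the first lock that blocks the action, or None."""
    verb = action.rsplit("/", 1)[-1].lower()
    for lock in locks:
        if not in_scope(resource_id, lock["scope"]):
            continue
        if verb == "delete":
            return lock  # CanNotDelete and ReadOnly both block deletion
        if lock["level"] == "ReadOnly" and verb != "read":
            return lock  # ReadOnly also blocks updates
    return None


def authorize(principal, action, resource_id, assignments=ASSIGNMENTS, locks=LOCKS):
    """RBAC decides first; a lock then applies even to an Owner."""
    if not rbac_allows(principal, action, resource_id, assignments):
        return (False, "no role assignment grants this action")
    lock = blocking_lock(action, resource_id, locks)
    if lock:
        return (False, f"blocked by {lock['level']} lock '{lock['name']}'")
    return (True, "allowed")


if __name__ == "__main__":
    print(authorize("alice", "Microsoft.Compute/virtualMachines/write", VM))
    print(authorize("bob", "Microsoft.Storage/storageAccounts/delete", STORAGE))
    print(authorize("bob", "Microsoft.Storage/storageAccounts/delete", STORAGE, locks=[]))
```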

Page 25

Walkthrough-Manage resource locks In this walkthrough, we will create a resource group, add a lock to the resource group and test deletion, test deleting a resource in the resource group, and remove the resource lock. Task 1: Create a resource group In this task, we will create a resource group. Task 2: Add a Lock to the resource group and test deletion In this task, we will add a lock to the resource group and test deletion. Task 3: Test deleting a member of the resource group In this task, we will add a storage account to the resource group and test deletion. Task 4: Remove the resource lock In this task, we will remove the resource lock. Congratulations! You created a resource group, added a lock to the resource group and tested deletion, tested deleting a resource in the resource group, and removed the resource lock.

Page 26

Azure Blueprints Azure Blueprints enable cloud architects to define a repeatable set of Azure resources that implement and adhere to an organization's standards, patterns, and requirements. Azure Blueprint enables development teams to rapidly build and deploy new environments with the knowledge that they're building within organizational compliance with a set of built-in components that speed up development and delivery. Azure Blueprint is a declarative way to orchestrate the deployment of various resource templates and other artifacts, such as:     Role assignments     Policy assignments     Azure Resource Manager templates     Resource groups Blueprint process The process of implementing Azure Blueprint consists of the following high-level steps:     Create an Azure Blueprint.     Assign the blueprint.     Track the blueprint assignments. With Azure Blueprint, the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved. This connection supports improved deployment tracking and auditing. Azure Blueprints are different from Azure Resource Manager Templates. When Azure Resource Manager Templates deploy resources, they have no active relationship with the deployed resources (they exist in a local environment or in source control). By contrast, with Azure Blueprint, each deployment is tied to an Azure Blueprint package. This means that the relationship with resources will be maintained, even after deployment. Maintaining relationships, in this way, improves auditing and tracking capabilities. Usage Scenario Adhering to security or compliance requirements, whether government or industry requirements, can be difficult and time-consuming. To help you with auditing, traceability, and compliance with your deployments, use Azure Blueprint artifacts and tools. Time-consuming paperwork is no longer needed, and your path to certification is expedited. 
Azure Blueprints are also useful in Azure DevOps scenarios, where blueprints are associated with specific build artifacts and release pipelines and can be tracked more rigorously.

Page 27

Subscription governance Azure subscriptions are discussed in many contexts. For this module, however, we wish to briefly mention them in the context of governance. There are three main aspects to consider when creating and managing subscriptions: Billing, Access Control, and Subscription limits.     Billing: Reports can be generated by subscription. If you have multiple internal departments and need to do “chargeback”, a possible scenario is to create subscriptions by department or project.     Access Control: A subscription is a deployment boundary for Azure resources, and every subscription is associated with an Azure AD tenant that provides administrators the ability to set up role-based access control (RBAC). When designing a subscription model, consider the deployment boundary factor. Some customers have separate subscriptions for Development and Production, each isolated from the other from a resource perspective and managed using RBAC.     Subscription Limits: Subscriptions are also bound to some hard limitations. For example, the maximum number of ExpressRoute circuits per subscription is 10. Those limits should be considered during the design phase. If there is a need to go over those limits in particular scenarios, additional subscriptions may be needed. If you hit a hard limit, there is no flexibility. Also available to assist with managing subscriptions are management groups, which manage access, policies, and compliance across multiple Azure subscriptions. We will discuss management groups in more detail later. ✔️ There is more information about subscription limits.

Page 28

Tags You apply tags to your Azure resources giving metadata to logically organize them into a taxonomy. Each tag consists of a name and a value pair. For example, you can apply the name Environment and the value Production to all the resources in production, or tag by company departments. For example, the name of Department with a value of IT. After you apply tags, you can retrieve all the resources in your subscription with that tag name and value. Tags enable you to retrieve related resources from different resource groups. This approach is helpful when you need to organize resources for billing or management. Tag Limitations There are some limitations with using Tags, such as:     Not all resource types support tags.     Each resource or resource group can have a maximum of 50 tag name/value pairs. Currently, storage accounts only support 15 tags, but that limit will be raised to 50 in a future release. If you need to apply more tags than the maximum allowed number, use a JSON string for the tag value. The JSON string can contain many values that are applied to a single tag name. A resource group can contain many resources that each have 50 tag name/value pairs.     The tag name is limited to 512 characters, and the tag value is limited to 256 characters. For storage accounts, the tag name is limited to 128 characters, and the tag value is limited to 256 characters.     Virtual Machines and Virtual Machine Scale Sets are limited to a total of 2048 characters for all tag names and values.     Tags applied to the resource group are not inherited by the resources in that resource group. ✔️ You can use Azure Policy to enforce tagging values and rules on resources.

Page 29

Walkthrough-Implement resource tagging In this walkthrough, we will create a policy assignment that requires tagging, create a storage account and test the tagging, view resources with a specified tag, and remove the tagging policy. Task 1: Create a Policy assignment In this task, we will configure the Require specified tag policy and assign it to our subscription. Task 2: Create a storage account to test the required tagging In this task, we will create storage accounts to test the required tagging. Task 3: View all resources with a specific tag In this task, we will view resources with a specific tag. Task 4: Delete the policy assignment In this task, we will remove the Require specified tag policy so it does not affect our future work. Congratulations! In this walkthrough, we created a policy assignment that required tagging, created a storage account and tested the tagging, viewed resources with a specified tag, and removed the tagging policy.

Page 30

Azure Monitor Maximizes the availability and performance of your applications by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on. What data does Azure Monitor collect? Azure Monitor can collect data from a variety of sources. You can think of monitoring data for your applications in tiers ranging from your application, any operating system and services it relies on, down to the platform itself. Azure Monitor collects data from each of the following tiers:     Application monitoring data: Data about the performance and functionality of the code you have written, regardless of its platform.     Guest OS monitoring data: Data about the operating system on which your application is running. This could be running in Azure, another cloud, or on-premises.     Azure resource monitoring data: Data about the operation of an Azure resource.     Azure subscription monitoring data: Data about the operation and management of an Azure subscription, as well as data about the health and operation of Azure itself.     Azure tenant monitoring data: Data about the operation of tenant-level Azure services, such as Azure Active Directory. Diagnostic settings As soon as you create an Azure subscription and start adding resources such as virtual machines and web apps, Azure Monitor starts collecting data.     Activity Logs record when resources are created or modified.     Metrics tell you how the resource is performing and the resources that it's consuming. Enabling diagnostics You can extend the data you're collecting into the actual operation of the resources by enabling diagnostics and adding an agent to compute resources. 
Under the resource settings you can enable Diagnostics     Enable guest-level monitoring     Performance counters: collect performance data     Event Logs: enable various event logs     Crash Dumps: enable or disable     Sinks: send your diagnostic data to other services for more analysis     Agent: configure agent settings

Page 31

Azure Service Health is a suite of experiences that provide personalized guidance and support when issues with Azure services affect you. It can notify you, help you understand the impact of issues, and keep you updated as the issue is resolved. Azure Service Health can also help you prepare for planned maintenance and changes that could affect the availability of your resources. Azure Service Health is composed of the following:     Azure Status provides a global view of the health state of Azure services. With Azure Status, you can get up-to-the-minute information on service availability. Everyone has access to Azure Status and can view all services that report their health state.     Service Health provides you with a customizable dashboard that tracks the state of your Azure services in the regions where you use them. In this dashboard, you can track active events such as ongoing service issues, upcoming planned maintenance, or relevant Health advisories. When events become inactive, they are placed in your Health history for up to 90 days. Finally, you can use the Service Health dashboard to create and manage Service Health alerts, which notify you whenever there are service issues that affect you.     Resource Health helps you diagnose and obtain support when an Azure service issue affects your resources. It provides you with details about the current and past state of your resources. It also provides technical support to help you mitigate problems. In contrast to Azure Status, which informs you about service problems that affect a broad set of Azure customers, Resource Health gives you a personalized dashboard of your resources' health. Resource Health shows you times, in the past, when your resources were unavailable because of Azure service problems. It's then easier for you to understand if an SLA was violated. 
Together, the Azure Service Health components provide you with a comprehensive view of the health status of Azure, at the level of granularity that is most relevant to you.

Page 32

Monitoring applications and services Data monitoring is only useful if it improves your visibility of the operations in your computing environment. Azure Monitor includes several features and tools that provide valuable insights into your applications, and the other resources they may depend on. Monitoring solutions and features, such as Application Insights and Container Insights, provide you with a deeper look into different aspects of your application and Azure services. Azure Monitor features can be organized into four categories: Analyze, Respond, Visualize, and Integrate. Analyze     Application Insights is a service that monitors the availability, performance, and usage of your web applications, whether they're hosted in the cloud or on-premises. It leverages the powerful data analysis platform in Log Analytics to provide you with deeper insights into your application's operations. Application Insights can diagnose errors, without waiting for a user to report them. Application Insights includes connection points to a variety of development tools and integrates with Microsoft Visual Studio to support your DevOps processes.     Azure Monitor for containers is a service that is designed to monitor the performance of container workloads, which are deployed to managed Kubernetes clusters hosted on Azure Kubernetes Service (AKS). It gives you performance visibility by collecting memory and processor metrics from controllers, nodes, and containers, which are available in Kubernetes through the metrics API. Container logs are also collected.     Azure Monitor for VMs is a service that monitors your Azure VMs at scale, by analyzing the performance and health of your Windows and Linux VMs (including their different processes and interconnected dependencies on other resources, and external processes). 
Azure Monitor for VMs includes support for monitoring performance and application dependencies for VMs hosted on-premises, and for VMs hosted with other cloud providers. Integrating any, or all, of these monitoring services with Azure Service Health has additional benefits. Staying informed of the health status of Azure services will help you understand if, and when, an issue affecting an Azure service is impacting your environment. What may seem like a localized problem could be the result of a more widespread issue, and Azure Service Health provides this kind of insight. Azure Service Health identifies any issues with Azure services that might affect your application. Azure Service Health also helps you to plan for scheduled maintenance. Respond In addition to allowing you to analyze your monitoring data interactively, an effective monitoring solution must respond proactively to any critical conditions that are identified within the data it collects. This might involve, for example, sending a text or email to an administrator who is responsible for investigating an issue, or launching an automated process that attempts to correct an error condition.     Alerts. Azure Monitor proactively notifies you of critical conditions using Alerts and can potentially attempt to take corrective actions. Alert rules based on metrics can provide alerts in almost real-time, based on numeric values. Alert rules based on logs allow for complex logic across data, from multiple sources.     Autoscale. Azure Monitor uses Autoscale to ensure that you have the right amount of resources running to manage the load on your application effectively. Autoscale enables you to create rules that use metrics, collected by Azure Monitor, to determine when to automatically add resources to handle increases in load. Autoscale can also help reduce your Azure costs by removing resources that are not being used. 
You can specify a minimum and maximum number of instances and provide the logic that determines when Autoscale should increase or decrease resources. Visualize Visualizations, such as charts and tables, are effective tools for summarizing monitoring data and for presenting data to different audiences. Azure Monitor has its own features for visualizing monitoring data, and it leverages other Azure services for publishing data for different audiences. Other tools you may use for visualizing data, for specific audiences and scenarios, include:     Dashboards     Views     Power BI Integrate You'll often need to integrate Azure Monitor with other systems, and build customized solutions that use your monitoring data. Other Azure services can work with Azure Monitor to provide this integration.

Page 33

Compliance Terms When selecting a cloud provider to host your solutions, you should understand how that provider can help you comply with regulations and standards. Some questions to ask about a potential provider include:     How compliant is the cloud provider when it comes to handling sensitive data?     How compliant are the services offered by the cloud provider?     How can I deploy my own cloud-based solutions to scenarios that have accreditation or compliance requirements? Microsoft invests heavily in the development of robust and innovative compliance processes. The Microsoft compliance framework for online services maps their controls to multiple regulatory standards, which enables Microsoft to design and build services using a common set of controls. These controls streamline compliance across a range of today's regulations as they continue to evolve in the future. Compliance Offerings: The following list provides details about some of the compliance offerings available on Azure:     CJIS. Any US state or local agency that wants to access the FBI’s Criminal Justice Information Services (CJIS) database is required to adhere to the CJIS Security Policy. Azure is the only major cloud provider that contractually commits to conformance with the CJIS Security Policy, which commits Microsoft to adhering to the same requirements that law enforcement and public safety entities must meet.     CSA STAR Certification. Azure, Intune, and Microsoft Power BI have obtained STAR Certification, which involves a rigorous independent third-party assessment of a cloud provider’s security posture. The STAR certification is based on achieving ISO/IEC 27001 certification and meeting criteria specified in the CCM. 
It demonstrates that a cloud service provider conforms to the applicable requirements of ISO/IEC 27001, has addressed issues critical to cloud security as outlined in the CCM, and has been assessed against the STAR Capability Maturity Model for the management of activities in CCM control areas.     General Data Protection Regulation (GDPR). As of May 25, 2018, a European privacy law—GDPR—is in effect. The GDPR imposes new rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents. The GDPR applies no matter where you are located.     EU Model Clauses. Microsoft offers customers EU Standard Contractual Clauses that provide contractual guarantees around transfers of personal data outside of the EU. Microsoft is the first company to receive joint approval from the EU’s Article 29 Working Party that the contractual privacy protections Azure delivers to its enterprise cloud customers meet current EU standards for international transfers of data, which ensures that Azure customers can use Microsoft services to move data freely through Microsoft's cloud, from Europe to the rest of the world.     HIPAA. The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that regulates patient Protected Health Information (PHI). Azure offers customers a HIPAA Business Associate Agreement (BAA), stipulating adherence to certain security and privacy provisions in HIPAA and the HITECH Act. To assist customers in their individual compliance efforts, Microsoft offers a BAA to Azure customers as a contract addendum.     ISO/IEC 27018. Microsoft is the first cloud provider to have adopted the ISO/IEC 27018 code of practice, covering the processing of personal information by cloud service providers.     Multi-Tier Cloud Security (MTCS) Singapore. 
After rigorous assessments conducted by the MTCS Certification Body, Microsoft cloud services received MTCS 584:2013 Certification across all three service classifications—Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and SaaS. Microsoft was the first global cloud solution provider (CSP) to receive this certification across all three classifications.     Service Organization Controls (SOC) 1, 2, and 3. Microsoft-covered cloud services are audited at least annually against the SOC report framework by independent third-party auditors. The Microsoft cloud services audit covers controls for data security, availability, processing integrity, and confidentiality as applicable to in-scope trust principles for each service.     National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). NIST CSF is a voluntary Framework that consists of standards, guidelines, and best practices to manage cybersecurity-related risks. Microsoft cloud services have undergone independent, third-party Federal Risk and Authorization Management Program (FedRAMP) Moderate and High Baseline audits and are certified according to the FedRAMP standards. Additionally, through a validated assessment performed by the Health Information Trust Alliance (HITRUST), a leading security and privacy standards development and accreditation organization, Office 365 is certified to the objectives specified in the NIST CSF.     UK Government G-Cloud. The UK Government G-Cloud is a cloud computing certification for services used by government entities in the United Kingdom. Azure has received official accreditation from the UK Government Pan Government Accreditor. ✔️ Microsoft provides the most comprehensive set of compliance offerings (including certifications and attestations) of any cloud service provider. 
✔️ You can view all the Microsoft compliance offerings on the Compliance Offerings webpage: https://www.microsoft.com/trustcenter/compliance/complianceofferings?azure-portal=true


Microsoft Privacy statement
The Microsoft privacy statement explains what personal data Microsoft processes, how Microsoft processes it, and for what purposes. Microsoft offers a wide range of products, including server products used to help operate enterprises worldwide, devices you use in your home, software that students use at school, and services developers use to create and host what’s next. References to Microsoft products in this statement include Microsoft services, websites, apps, software, servers, and devices. Please read the product-specific details in this privacy statement, which provide additional relevant information. This statement applies to the interactions Microsoft has with you and the Microsoft products listed below, as well as other Microsoft products that display this statement. Your privacy is important to us.


Trust Center
The Trust Center is a website resource containing information and details about how Microsoft implements and supports security, privacy, compliance, and transparency in all Microsoft cloud products and services. The Trust Center is an important part of the Microsoft Trusted Cloud Initiative and provides support and resources for the legal and compliance community.
The Trust Center site provides:
    In-depth information about security, privacy, compliance offerings, policies, features, and practices across Microsoft cloud products.
    Recommended resources in the form of a curated list of the most applicable and widely used resources for each topic.
    Information specific to key organizational roles, including business managers, tenant admins or data security teams, risk assessment and privacy officers, and legal compliance teams.
    Cross-company document search, which is coming soon and will enable existing cloud service customers to search the Service Trust Portal.
    Direct guidance and support for when you can't find what you're looking for.


Service Trust Portal
The Service Trust Portal (STP) hosts the Compliance Manager service, and is the Microsoft public site for publishing audit reports and other compliance-related information relevant to Microsoft’s cloud services. STP users can download audit reports produced by external auditors and gain insight from Microsoft-authored reports that provide details on how Microsoft builds and operates its cloud services.
STP also includes information about how Microsoft online services can help your organization maintain and track compliance with standards, laws, and regulations, such as:
    ISO
    SOC
    NIST
    FedRAMP
    GDPR
STP is a companion feature to the Trust Center, and allows you to:
    Access audit reports across Microsoft cloud services on a single page.
    Access compliance guides to help you understand how you can use Microsoft cloud service features to manage compliance with various regulations.
    Access trust documents to help you understand how Microsoft cloud services help protect your data.
Accessing the STP
To access some STP materials, you must sign in as an authenticated user with your Microsoft cloud services account (either an Azure AD organization account or a Microsoft account), and then review and accept the Microsoft Non-Disclosure Agreement for Compliance Materials. Existing customers can access the STP at the Service Trust Portal webpage (https://aka.ms/STP?azure-portal=true), with one of the following online subscriptions (trial or paid):
    Office 365
    Dynamics 365
    Azure


Compliance Manager
Compliance Manager is a workflow-based risk assessment dashboard within the Trust Portal that enables you to track, assign, and verify your organization's regulatory compliance activities related to Microsoft professional services and Microsoft cloud services such as Office 365, Dynamics 365, and Azure.
Compliance Manager provides the following features:
    Detailed information provided by Microsoft to auditors and regulators, as part of various third-party audits of Microsoft's cloud services against various standards (for example, ISO 27001, ISO 27018, and NIST).
    Information that Microsoft compiles internally for its compliance with regulations (such as HIPAA and the EU GDPR).
    An organization's self-assessment of their own compliance with these standards and regulations.
    Enables you to assign, track, and record compliance and assessment-related activities, which can help your organization cross team barriers to achieve your organization's compliance goals.
    Provides a Compliance Score to help you track your progress and prioritize auditing controls that will help reduce your organization's exposure to risk.
    Provides a secure repository in which to upload and manage evidence and other artifacts related to compliance activities.
    Produces richly detailed reports in Microsoft Excel that document the compliance activities performed by Microsoft and your organization, which can be provided to auditors, regulators, and other compliance stakeholders.
Compliance Manager provides ongoing risk assessments with a risk-based score reference displayed in a dashboard view for regulations and standards. Alternatively, you can create assessments for the regulations or standards that matter more to your organization. As part of the risk assessment, Compliance Manager also provides recommended actions you can take to improve your regulatory compliance. You can view all action items or select the action items that correspond with a specific certification.
✔️ Compliance Manager is a dashboard that provides a summary of your data protection and compliance stature, and recommendations to improve data protection and compliance. The Customer Actions provided in Compliance Manager are recommendations only; it is up to each organization to evaluate the effectiveness of these recommendations in their respective regulatory environment prior to implementation. Recommendations found in Compliance Manager should not be interpreted as a guarantee of compliance.


Walkthrough - Exploring the Trust Center
In this walkthrough, we will access the Trust Center, Service Trust Portal (STP), and Compliance Manager.
Task 1: Access the Trust Center. In this task, we will review the Trust Center.
Task 2: Access the Service Trust Portal (STP). In this task, we will review the Service Trust Portal.
Task 3: Access the Compliance Manager. In this task, we will review the Compliance Manager.
Congratulations! In this walkthrough, you accessed the Trust Center, Service Trust Portal (STP), and Compliance Manager.


Microsoft Azure Government
Azure Government is a separate instance of the Microsoft Azure service. It addresses the security and compliance needs of US federal agencies, state and local governments, and their solution providers. Azure Government offers physical isolation from non-US government deployments and provides screened US personnel. Azure Government services handle data that is subject to certain government regulations and requirements, such as FedRAMP, NIST 800.171 (DIB), ITAR, IRS 1075, DoD L4, and CJIS. To provide the highest level of security and compliance, Azure Government uses physically isolated datacenters and networks (located only in the US). Azure Government customers (US federal, state, and local government or their partners) are subject to validation of eligibility. Azure Government provides the broadest compliance and Level 5 Department of Defense (DoD) approval. You can choose from six government-only datacenter regions, including two regions granted an Impact Level 5 Provisional Authorization. Azure Government also offers the most compliance certifications of any cloud provider.
✔️ Most services are the same on both Azure Government and Public Azure. However, there are some differences that you should be aware of. Details are available at Compare Azure Government and global Azure.


Azure China 21Vianet
Azure China 21Vianet, operated by 21Vianet, is a physically separated instance of cloud services located in China, independently operated and transacted by Shanghai Blue Cloud Technology Co., Ltd. (“21Vianet”), a wholly owned subsidiary of Beijing 21Vianet Broadband Data Center Co., Ltd. The Azure services are based on the same Azure, Office 365, and Power BI technologies that make up the Microsoft global cloud service, with comparable service levels. Azure agreements and contracts in China, where applicable, are signed between customers and 21Vianet. As the first foreign public cloud service provider offered in China in compliance with government regulations, Azure China 21Vianet provides world-class security as discussed on the Trust Center, as required by Chinese regulations for all systems and applications built on its architecture. Azure includes the core components of IaaS, PaaS, and SaaS. These components include network, storage, data management, identity management, and many other services. Azure China 21Vianet supports most of the same services that global Azure has, such as geosynchronous data replication and autoscaling. Even if you already use global Azure services, to operate in China you may need to rehost or refactor some or all of your applications or services. According to the China Telecommunication Regulation (in Chinese), providers of cloud services (IaaS and PaaS) must have value-added telecom permits. Only locally registered companies with less than 50-percent foreign investment qualify for these permits. To comply with this regulation, the Azure service in China is operated by 21Vianet, based on the technologies licensed from Microsoft.


Module 3 Summary
In this module you've learned about securing network connectivity in Azure, core identity services, security tools and features, Azure governance methodologies, monitoring and reporting in Azure, and privacy, compliance, and data protection standards in Azure.
Securing network connectivity in Azure: In this lesson you learned about Azure Firewalls, Azure DDoS protection, NSGs, and choosing Azure network security solutions.
Core Azure identity services: In this lesson you learned about authentication and authorization, Azure AD, and MFA.
Security tools and features: In this lesson you learned about Azure Security Center and some usage scenarios for it, Key Vault, MSIP, and Azure ATP.
Azure governance methodologies: In this lesson you learned about Azure Policy, policies, initiatives, RBAC, locks, Azure Advisor, security assistance, and Azure Blueprint.
Monitoring and reporting in Azure: In this lesson you learned about Azure Monitor and Azure Service Health.
Privacy, compliance and data protection standards in Azure: In this lesson you learned about compliance terms and requirements, the Microsoft Privacy statement, Trust Center, the Service Trust Portal, Compliance Manager, Azure Government, Azure Germany, and Azure China.
