
Mastering Azure Security: Safeguard your Azure workload with innovative cloud security measures PDF

263 Pages·2020·7.445 MB·English
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Mastering Azure Security: Safeguard your Azure workload with innovative cloud security measures

Mastering Azure Security

Security is always integrated into cloud platforms, causing users to let their guard down as they take cloud security for granted. Cloud computing brings new security challenges, but you can overcome these with Microsoft Azure's shared responsibility model.

Mastering Azure Security covers the latest security features provided by Microsoft to identify different threats and protect your Azure cloud using innovative techniques. The book takes you through the built-in security controls and the multi-layered security features offered by Azure to protect cloud workloads across apps and networks. You'll get to grips with using Azure Security Center for unified security management, building secure application gateways on Azure, protecting the cloud from DDoS attacks, safeguarding with Azure Key Vault, and much more. Additionally, the book covers Azure Sentinel, monitoring and auditing, Azure security and governance best practices, and securing PaaS deployments.

By the end of this book, you'll have developed a solid understanding of cybersecurity in the cloud and be able to design secure solutions in Microsoft Azure.

Safeguard your Azure workload with innovative cloud security measures

Things you will learn:
• Understand cloud security concepts
• Get to grips with managing cloud identities
• Adopt the Azure security cloud infrastructure
• Grasp Azure network security concepts
• Discover how to keep cloud resources secure
• Implement cloud governance with security policies and rules

www.packt.com

Mustafa Toroman and Tom Janetscheck

Mastering Azure Security
Safeguard your Azure workload with innovative cloud security measures
Mustafa Toroman
Tom Janetscheck
BIRMINGHAM—MUMBAI

Mastering Azure Security
Copyright © 2020 Packt Publishing
All rights reserved.
No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Commissioning Editor: Vijin Boricha
Acquisition Editor: Shrilekha Inani
Senior Editor: Rahul Dsouza
Content Development Editor: Alokita Amanna
Technical Editor: Sarvesh Jaywant
Copy Editor: Safis Editing
Project Coordinator: Neil Dmello
Proofreader: Safis Editing
Indexer: Pratik Shirodkar
Production Designer: Aparna Bhagat

First published: May 2020
Production reference: 1060520

Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.

ISBN 978-1-83921-899-6
www.packt.com

Packt.com

Subscribe to our online digital library for full access to over 7,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.

Why subscribe?
• Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals
• Improve your learning with Skill Plans built especially for you
• Get a free eBook or video every month
• Fully searchable for easy access to vital information
• Copy and paste, print, and bookmark content

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at packt.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.

Contributors

About the authors

Mustafa Toroman is a program architect and lead system engineer with Authority Partners. With years of experience in designing and monitoring infrastructure solutions, lately, he focuses on designing new solutions in the cloud and migrating existing solutions to the cloud. He is very interested in DevOps processes, and he's also an Infrastructure-as-Code enthusiast. Mustafa has over 50 Microsoft certificates and has been an MCT for the last 8 years. He often speaks at international conferences about cloud technologies, and he was awarded the MVP for Microsoft Azure in 2016. Mustafa also authored Hands-On Cloud Administration in Azure and Azure Networking Cookbook, and coauthored Learn Node.js with Azure, all published by Packt.

Tom Janetscheck is a cloud security expert from Germany. He has more than 15 years of experience in designing, building, and monitoring on premises and cloud infrastructure solutions, and a focus on security architecture in the Microsoft cloud, making him a resource on all things Azure and enterprise security. Tom is a well-known international conference speaker with a proven track record of attendee satisfaction. Since 2017, he has received the Microsoft MVP award several times for his extraordinary community contributions in the area of Microsoft Azure Security. In his spare time, Tom is an enthusiastic motorcyclist, scuba diver, guitarist, bass player, drummer, and station officer at the local fire department.

About the reviewer

Sasha Kranjac is a cloud and security expert, architect, and instructor with more than 2 decades of experience in the field. He began programming in Assembler on Sir Clive Sinclair's ZX, met Windows NT 3.5, and the love has existed ever since. Sasha owns an IT training and consulting company that helps companies embrace the cloud and be safe in cyberspace. Aside from cloud/security architecture and consulting, he delivers Microsoft, EC-Council, and his own bespoke Azure and security courses and PowerClass workshops internationally. Sasha is a Microsoft MVP, Microsoft Certified Trainer (MCT), MCT Regional Lead, Certified EC-Council Instructor (CEI), and a frequent speaker at various international conferences, user groups, and events.

Packt is searching for authors like you

If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
Table of Contents

Preface

Section 1: Identity and Governance

1 Introduction to Azure security
  Exploring the shared responsibility model
  On-premises
  Infrastructure as a Service
  Platform as a Service
  Software as a Service
  Division of security in the shared responsibility model
  Physical security
  Azure network
  Azure infrastructure availability
  Azure infrastructure integrity
  Azure infrastructure monitoring
  Understanding Azure security foundations
  Summary
  Questions

2 Governance and Security
  Understanding governance in Azure
  Using common sense to avoid mistakes
  Using management locks
  Using management groups for governance
  Understanding Azure Policy
  Mode
  Parameters
  Policy assignments
  Initiative definitions
  Initiative assignments
  Policy best practices
  Defining Azure blueprints
  Blueprint definitions
  Blueprint publishing
  Azure Resource Graph
  Querying Azure Resource Graph with PowerShell
  Querying Azure Resource Graph with the Azure CLI
  Advanced queries
  Summary
  Questions

3 Managing Cloud Identities
  Exploring passwords and passphrases
  Dictionary attacks and password protection
  Understanding Multi-Factor Authentication (MFA)
  MFA activation in Azure AD
  MFA activation from a user's perspective
  Using Conditional Access
  Named locations
  Custom controls
  Terms of use
  Conditional Access policies
  Introducing Azure AD Identity Protection
  Azure AD Identity Protection at a glance
  Understanding RBAC
  Creating custom RBAC roles
  Protecting admin accounts with Azure AD PIM
  Enabling PIM
  Managing Azure AD roles in PIM
  Managing Azure resources with PIM
  Hybrid authentication and SSO
  Understanding passwordless authentication
  Global settings
  Licensing considerations
  Summary
  Questions

Section 2: Cloud Infrastructure Security

4 Azure Network Security
  Understanding Azure Virtual Network
  Connecting on-premises networks with Azure
  Creating an S2S connection
  Connecting a VNet to another VNet
  VNet service endpoints
  Considering other virtual networks' security
  Azure Firewall deployment and configuration
  Understanding Azure Application Gateway
  Understanding Azure Front Door
  Summary
  Questions

5 Azure Key Vault
  Understanding Azure Key Vault
  Understanding access policies
  Understanding service-to-service authentication
  Understanding Managed Identities for Azure Resources
  Using Azure Key Vault in deployment scenarios
  Creating an Azure key vault and a secret
  Azure VM deployment
  Summary
  Questions

6 Data Security
  Technical requirements
  Understanding Azure Storage
  Understanding Azure Virtual Machines disks
  Summary
  Questions

Section 3: Security Management

7 Azure Security Center
  Introducing Azure Security Center
  Enabling Azure Security Center
  Azure Secure Score and recommendations
  Working with recommendations
