Azure Security
An introduction to the book "Azure Security" by Bojan Magusic, published by Manning Publications Co. LLC in 2024. The book is provided in PDF format, in English. "Azure Security" is listed under the Uncategorized category.
Secure your Azure applications the right way. The expert DevSecOps techniques you'll learn in this essential handbook make it easy to keep your data safe.

As a Program Manager at Microsoft, Bojan Magusic has helped numerous Fortune 500 companies improve their security posture in Azure. Now, in Azure Security he brings his experience from the cyber security frontline to ensure your Azure cloud-based systems are safe and secure.

In Azure Security you’ll learn vital security skills, including how to:
• Set up secure access through Conditional Access policies
• Implement Azure WAF on Application Gateway and Front Door
• Deploy Azure Firewall Premium for monitoring network activities
• Enable Microsoft Defender for Cloud to assess workload configurations
• Utilize Microsoft Sentinel for threat detection and analytics
• Establish Azure Policy for compliance with business rules

Correctly set up out-of-the-box Azure services to protect your web apps against both common and sophisticated threats, learn to continuously assess your systems for vulnerabilities, and discover cutting-edge operations for security hygiene, monitoring, and DevSecOps. Each stage is made clear and easy to follow with step-by-step instructions, complemented by helpful screenshots and diagrams.

About the technology
Securing cloud-hosted applications requires a mix of tools, techniques, and platform-specific services. The Azure platform provides built-in security tools to keep your systems safe, but proper implementation requires a foundational strategy and tactical guidance.

About the book
Azure Security details best practices for configuring and deploying Azure’s native security services—from a zero-trust foundation to defense in depth (DiD). Learn from a Microsoft security insider how to establish a DevSecOps program using Microsoft Defender for Cloud. Realistic scenarios and hands-on examples help demystify tricky security concepts, while clever exercises help reinforce what you’ve learned.

What's inside
• Set up secure access policies
• Implement a Web Application Firewall
• Deploy MS Sentinel for monitoring and threat detection
• Establish compliance with business rules

About the reader
For software and security engineers building and securing Azure applications.

About the author
Bojan Magusic is a Product Manager with Microsoft on the Security Customer Experience Engineering Team.

Azure Security
brief contents
contents
preface
acknowledgments
about this book
  Who should read this book
  How this book is organized: A road map
  About the code
  liveBook discussion forum
about the author
about the cover illustration

Part 1 First steps

1 About Azure security
  1.1 Cybersecurity as an infinite game
  1.2 Shared responsibility model
  1.3 Azure security services
  1.4 The threat landscape
  1.5 Cloud security challenges
  1.6 Digital medievalism
  1.7 The zero trust security model
  1.8 Defense in depth
    1.8.1 Securing identities
    1.8.2 Securing infrastructure and networking resources
    1.8.3 Securing applications and data
    1.8.4 Heroes and villains in this book
  Summary

2 Securing identities in Azure: The four pillars of identity and Azure Active Directory
  2.1 Four pillars of identity
    2.1.1 What is Azure Active Directory?
    2.1.2 What is an identity?
    2.1.3 Azure AD user identities in action
    2.1.4 Azure AD service principals in action
    2.1.5 Managed identity in Azure AD
    2.1.6 Managed identity in action
  2.2 Authentication
    2.2.1 Azure AD as an IAM service
    2.2.2 Importance of multifactor authentication
    2.2.3 Azure MFA
    2.2.4 Security defaults in Azure AD
    2.2.5 Identity protection
    2.2.6 Identity protection in action
    2.2.7 Conditional access in Azure AD
    2.2.8 Conditional access in action
  2.3 Authorization
    2.3.1 Azure role-based access control
    2.3.2 How does Azure RBAC work?
    2.3.3 Role assignment
    2.3.4 Azure role-based access control in action
  2.4 Custom roles
  2.5 Custom roles in action
  2.6 Identity governance
    2.6.1 Privileged identity management
    2.6.2 PIM in action
    2.6.3 Access reviews
  2.7 Answers to exercises
    Exercise 2.1
    Exercise 2.2
    Exercise 2.3
    Exercise 2.4
    Exercise 2.5
    Exercise 2.6
  Summary

Part 2 Securing Azure resources

3 Implementing network security in Azure: Firewall, WAF, and DDoS protection
  3.1 Azure network security
    3.1.1 The importance of network segmentation
    3.1.2 Positive security model
  3.2 Azure Firewall
    3.2.1 Azure Firewall Standard vs. Premium
    3.2.2 Azure Firewall Standard in action
    3.2.3 Creating an Azure Firewall instance
    3.2.4 Routing traffic to Azure Firewall
    3.2.5 Routing to direct traffic
    3.2.6 Associating a route table to a subnet
    3.2.7 Allowing Azure Firewall traffic
    3.2.8 Azure Firewall Premium
    3.2.9 Azure Firewall policy
    3.2.10 Azure Firewall Manager
  3.3 Azure Web Application Firewall
    3.3.1 Azure WAF on Azure Application Gateway in action
    3.3.2 Azure WAF on Azure Front Door in action
    3.3.3 Tuning Azure WAF
  3.4 Mitigating DDoS attacks
    3.4.1 DDoS Protection in Azure
    3.4.2 Creating an Azure DDoS Protection plan
  3.5 Answers to exercises
    Exercise 3.1
  Summary

4 Securing compute resources in Azure: Azure Bastion, Kubernetes, and Azure App Service
  4.1 Azure compute resources
  4.2 Azure Bastion
    4.2.1 Basic vs. Standard SKU
    4.2.2 Azure Bastion in action
    4.2.3 Connecting to Azure Bastion using your browser and Azure portal
    4.2.4 Connecting to Azure Bastion using the native RDP or SSH client
  4.3 Securing Kubernetes clusters
    4.3.1 What are containers?
    4.3.2 What is a container registry?
    4.3.3 What is Kubernetes?
    4.3.4 How does Kubernetes work?
    4.3.5 Managed vs. unmanaged Kubernetes
  4.4 What makes container security different?
    4.4.1 Typical challenges when securing Kubernetes clusters
    4.4.2 Securing Azure Kubernetes Service and Azure Container Registry
    4.4.3 Security monitoring for Azure Kubernetes Service and Azure Container Registry
  4.5 Securing Azure App Service
    4.5.1 Authentication and authorization
    4.5.2 Access restrictions
    4.5.3 Subdomain takeover
    4.5.4 OS and application-stack patching
  4.6 Answers to exercises
    Exercise 4.1
    Exercise 4.2
    Exercise 4.3
  Summary

5 Securing data in Azure Storage accounts: Azure Key Vault
  5.1 Securing storage accounts
    5.1.1 Azure Storage firewall
    5.1.2 Authorizing control plane operations
    5.1.3 Authorizing data plane operations
    5.1.4 SSE
    5.1.5 Encryption key management
    5.1.6 Encryption using a customer-managed key
    5.1.7 Encryption using a customer-managed key in action
    5.1.8 Encryption scopes
    5.1.9 Infrastructure encryption
  5.2 Securing Azure Key Vault
    5.2.1 Authorizing control plane operations
    5.2.2 Authorizing data plane operations
    5.2.3 Azure Key Vault firewall
  Summary

6 Implementing good security hygiene: Microsoft Defender for Cloud and Defender CSPM
  6.1 Microsoft Defender for Cloud
  6.2 Cloud security posture management
    6.2.1 Onboarding your subscriptions to Defender for Cloud
    6.2.2 Recommendations
    6.2.3 Secure score
    6.2.4 Free vs. paid security posture management capabilities in Microsoft Defender for Cloud
  6.3 Cloud security graph
    6.3.1 Attack paths
    6.3.2 Cloud security explorer
    6.3.3 Agentless scanning for machines
  6.4 Security governance
    6.4.1 Manually assigning owners and due dates
    6.4.2 When should you use a grace period?
    6.4.3 Programmatically assigning owners and due dates
  6.5 Regulatory compliance
    6.5.1 Regulatory compliance in action
    6.5.2 Adding a built-in standard
  6.6 Answers to exercises
    Exercise 6.1
    Exercise 6.2
  Summary

7 Security monitoring for Azure resources: Microsoft Defender for Cloud plans
  7.1 Cloud workload protection
  7.2 Microsoft Defender for Cloud plans
    7.2.1 Microsoft Defender for Servers
    7.2.2 Microsoft Defender for Containers
    7.2.3 Microsoft Defender for App Service
    7.2.4 Microsoft Defender for Storage
    7.2.5 Microsoft Defender for Databases
    7.2.6 Microsoft Defender for Key Vault
    7.2.7 Microsoft Defender for Resource Manager
    7.2.8 Microsoft Defender for DNS
    7.2.9 Email notifications
  7.3 Security alerts
    7.3.1 Security alerts in action
    7.3.2 Investigating security alerts
  7.4 Workflow automation
    7.4.1 Workflow automation in action
  7.5 Exporting data
    7.5.1 Continuous export
    7.5.2 Continuous export in action
  7.6 Workbooks
    7.6.1 Using workbooks
    7.6.2 Workbooks in action
  7.7 Answers to exercises
    Exercise 7.1
    Exercise 7.2
    Exercise 7.3
  Summary

Part 3 Going further

8 Security operations and response: Microsoft Sentinel
  8.1 Security Information and Event Management
  8.2 Microsoft Sentinel
    8.2.1 Microsoft Sentinel capabilities
    8.2.2 Enabling Microsoft Sentinel
  8.3 Data collection
    8.3.1 What data should go in a SIEM?
    8.3.2 Data connectors
    8.3.3 Data connectors in action
    8.3.4 Content hub
  8.4 Analytics rules
    8.4.1 Microsoft security rules
    8.4.2 Microsoft security rules in action
    8.4.3 Scheduled rules
    8.4.4 Scheduled rules in action
  8.5 Incidents
  8.6 User and entity behavior analytics
    8.6.1 When to use UEBA
    8.6.2 User and entity behavior analytics in action
  8.7 Security orchestration, automation, and response
  8.8 Automation rules
    8.8.1 Automation elements and trigger events
    8.8.2 Automation rules in action
  8.9 Answers to Exercises
    Exercise 8.1
    Exercise 8.2
    Exercise 8.3
  Summary

9 Audit and log data: Azure Monitor
  9.1 Understanding different log types in Azure
    9.1.1 Azure tenant logs
    9.1.2 Azure subscriptions
    9.1.3 Azure resources
    9.1.4 Operating system
  9.2 Azure Monitor
  9.3 Diagnostic settings
    9.3.1 Diagnostic settings in action
  9.4 Data collection rules
    9.4.1 Data collection rules in action
  9.5 Alert rules
    9.5.1 Types of alerts
    9.5.2 Alert rules in action
  9.6 Answers to exercises
    Exercise 9.1
    Exercise 9.2
    Exercise 9.3
  Summary

10 Importance of governance: Azure Policy and Azure Blueprints
  10.1 What is Azure Policy?
  10.2 Getting started with Azure Policy
    10.2.1 Azure Policy in action
    10.2.2 Scope
    10.2.3 Policy effects
  10.3 Custom policies
  10.4 Centralized security policy management
  10.5 Azure Blueprints
  10.6 Answers to exercises
    Exercise 10.1
    Exercise 10.2
  Summary

11 DevSecOps: Microsoft Defender for DevOps
  11.1 Developing code more securely
  11.2 What is shifting security left?
  11.3 Infrastructure as code
    11.3.1 Infrastructure as code in action
    11.3.2 Who is responsible for fixing vulnerabilities in code?
  11.4 Microsoft Defender for DevOps
    11.4.1 Unified DevOps posture visibility
    11.4.2 Microsoft Security DevOps application
    11.4.3 GitHub Advanced Security
    11.4.4 Microsoft Security DevOps for GitHub in action
    11.4.5 IaC scanning in GitHub
    11.4.6 Microsoft Security DevOps for Azure DevOps in action
    11.4.7 IaC scanning in ADO
    11.4.8 Secrets scanning
    11.4.9 Code-to-cloud contextualization
  11.5 Cybersecurity as an infinite game
  11.6 Answers to exercises
    Exercise 11.1
    Exercise 11.2
  Summary

appendix Setting up Azure CLI on your machine
  A.1 Setting up Azure CLI on Windows
  A.2 Setting up Azure CLI on Linux
  A.3 Setting up Azure CLI on macOS

index

Azure Security - back

Secure your Azure applications the right way with the expert DevSecOps techniques you'll learn in this essential handbook.

In Azure Security you'll learn vital security skills, including how

As a Program Manager at Microsoft, Bojan Magusic has helped numerous Fortune 500 companies improve their security posture in Azure. Now, in Azure Security he brings his experience from the cyber security frontline to ensure your Azure cloud-based systems are safe and secure.

Correctly set up out-of-the-box Azure services to protect your web apps against both common and sophisticated threats, learn to continuously assess your systems for vulnerabilities, and discover cutting-edge operations for security hygiene, monitoring, and DevSecOps.

Purchase of the print book includes a free eBook in PDF, Kindle, and ePub formats from Manning Publications.

About the technology
Attacks against cloud-based applications are increasingly common and sophisticated. It's vital for any developer or resource owner to understand how to properly configure their Azure cloud environments and establish reliable security best practices. The Azure platform comes with dozens of built-in security tools to help keep your systems safe. This book will teach you exactly how to set them up for maximum effectiveness.

About the book
Azure Security is a practical guide to the native security services of Microsoft Azure. You'll learn how to use Azure tools to improve your system's security and get an insider's perspective on establishing a DevSecOps program using the capabilities of Microsoft Defender for Cloud. Insightful analogies and hands-on examples help demystify tricky security concepts, while clever exercises help reinforce what you've learned.

About the reader
For software and security engineers building and securing Azure applications.

About the author
Bojan Magusic is a Program Manager with Microsoft on the Cloud Security Customer Experience Engineering Team. In addition to his various technical certifications (15+ Microsoft certifications and counting), Bojan also has certifications from INSEAD and Kellogg School of Management.