SC-900: Microsoft Security, Compliance,
and Identity Fundamentals
Zero Trust - ANS-A security model that assumes everything is on an open and
untrusted network, even resources behind firewalls
"Trust no one, verify everything"
Zero trust guiding principles - ANS-1. Verify explicitly - authenticate/authorize based on
all data points (e.g. identity, location, device, service, data classification, anomalies,
etc.)
2. Least privileged access - limit with JIT/JEA, risk-based adaptive policies, and data
protection
3. Assume breach - Segment networks, users, devices, apps. Encrypt data. Use
analytics to improve security.
Zero trust foundational pillars - ANS-1. Identities - can be users, services, or devices
2. Devices - monitor for health/compliance
3. Apps - manage permissions/access
4. Data - should be classified, labeled, and encrypted where appropriate
5. Infrastructure - understand baseline to detect anomalies and flag risky behavior to
take action
6. Networks - should be segmented and include real-time threat monitoring and
protection
Shared responsibility model - ANS-Identifies which security tasks are handled by the
cloud provider vs the customer
Types:
SaaS (Software as a Service)
PaaS (Platform as a Service)
IaaS (Infrastructure as a Service)
On-premises data center (On-prem)
What security tasks are ALWAYS the responsibility of the customer? - ANS-1. Data
2. Devices
3. Accounts/Identities
Software as a Service (SaaS) - ANS-Software hosted and managed by the cloud
provider for the customer. Cloud provider manages everything aside from data, devices,
accounts, and identities
Examples include: Microsoft 365, Skype, and Dynamics CRM
On-prem datacenter - ANS-Customer responsible for EVERYTHING from physical
security to encrypting sensitive data
Infrastructure as a Service (IaaS) - ANS-leveraging the cloud provider's cloud
infrastructure (physical) including computers, network, and physical security of the
datacenter. Customer still manages software components.
Platform as a Service (PaaS) - ANS-Provides an environment to build, test, and deploy
software applications by providing underlying infrastructure including the hardware and
OS
Dictionary attack - ANS-Attempts to steal identity by trying a large number of known
passwords
AKA Brute force attacks
Rootkits - ANS-Intercept and change standard OS processes. Can then falsely report that
the device is healthy and not infected, so the device's own reports can't be trusted
Symmetric encryption - ANS-Uses the same secret key to encrypt and decrypt
Asymmetric encryption - ANS-Uses a public key and private key pair
Examples: TLS (Transport Layer Security) for the HTTPS protocol, and data signing
Hashing - ANS-Uses an algorithm to convert original text into a unique fixed-length
hash value
Used to store passwords
Best practice: salt passwords
Microsoft Cloud Adoption Framework for Azure - ANS-Consists of documentation,
implementation guidance, best practices, and tools designed to help businesses adopt
cloud
Cloud Adoption Framework for Azure Lifecycle - ANS-1. Strategy: define business
justification and expected outcomes of adoption.
2. Plan: align actionable adoption plans to business outcomes.
3. Ready: Prepare the cloud environment for the planned changes.
4. Adopt
-Migrate: Migrate and modernize existing apps
AND/OR
-Innovate: Develop new cloud-native or hybrid apps
5. Govern: Govern the environment and workloads.
6. Manage: Operations management for cloud and hybrid solutions.
Password spray attack - ANS-Attempts to match a username against a list of weak
passwords
User risk vs sign-in risk - ANS-User risk - probability that a given identity or account is
compromised (e.g. leaked credentials on the web)
Sign-in risk - probability that a given authentication request isn't authorized by the
identity owner (e.g. likelihood the sign-in was not performed by the user, based on location)
What is the new security perimeter? - ANS-Identity - how a user, app, device, etc. can
be verified and authenticated to be who they say they are
Pillars of Identity - ANS-1. Administration - creation and management (LCM) of identities
2. Authentication (AuthN)- proving identity, how much evidence needed
3. Authorization (AuthZ) - determine level of access an authenticated identity has
4. Auditing - tracking via logs who does what, when, where, & how via reporting alerts
and governance
Modern authentication - ANS-All services and information are managed by a central
identity provider
Client authenticates with IdP. Once authenticated, the IdP sends the client a security
token. The token is used as proof of identity that is sent to the server
The server has a trust relationship with the IdP so it verifies with the IdP and trusts the
security token
Security token - ANS-Cryptographically signed document issued to identity after
authenticating with IdP
Used as proof of identity with servers
Contains 'claims' associated with the identity
Trust relationship - ANS-relationship between the server and the IdP that is used to
validate the security token granted to the client
Common claims of security tokens - ANS-subject - unique, unchanging identifier of the
client
issued at - when security token was issued
expiration - when the security token should expire
audience - describes the recipient of the token so the token cannot be forwarded to
others. If the audience does not list the recipient, the token is dropped
Federation - ANS-Single Sign-On between multiple identity providers
Enables access to services across organizational boundaries by establishing trust
relationships between the domains'/entities' identity providers
Trust is not always bidirectional
SSO - ANS-Single Sign-On - user logs in once and that credential is used across
multiple apps/resources
Directory Services - ANS-Stores directory data (hierarchical structure of info on the
network) and makes available to users, admins, services, apps, etc.
AD - ANS-Active Directory - set of directory services developed by Microsoft as part of
Windows 2000 for on-premises domain-based networks
AD DS - ANS-Active Directory Domain Services - stores information about members of
the domain, including devices and users, verifies their credentials, and defines their
access rights. A server running AD DS is a domain controller (DC)