
CLOUD SECURITY

What is cloud?
- Someone else's "computer" that you rent access to. The services do not live locally on your own computer. You pay to rent access, and in that way you get access to the services on offer.
Pay for need
- You pay only for what you need

High availability, scalability, elasticity, agility.
Geo-distribution
Disaster Recovery
Cloud computing often has a "low barrier of entry": it can be more expensive in the long run, but it is easier to get started with and easier to use.

Defence in Depth:
- Each layer provides protection.
- Each layer can implement one or more of the CIA concerns
- Confidentiality
- Integrity
- Availability
Zero Trust Model
- By default you should never trust anyone; trust must be continuously validated.
- Bring your own device = BYOD: the users, the network and the devices are no longer under organisational control.
Trust Boundaries
- Access to only one server at a time.
Cloud Delivery
- IaaS (infrastructure as a service): you configure and administer the hardware for your application.
- PaaS (platform as a service): platform management is handled by the cloud provider.
- IDaaS (identity as a service): users pay for the software they use on a subscription model.
BYOD = Bring your own device.
SIEM: Security information and event management
SIEM: Security information and event management

Active Directory
AD = Used to manage the company and the users in the company. Security protocols can be specified for each individual employee.
There is an AD in every IT company. This is usually an on-premises AD.
It is now possible to use Azure as the identity provider. That is, once the company has set up the integration in Azure, the company and its employees can log in with their Microsoft Office 365 credentials.
AD vs Azure AD Summary
In summary, Azure AD is not simply a cloud version of AD; they do quite different things. AD is great at managing traditional on-premises infrastructure and applications. Azure AD is great at managing user access to cloud applications. You can use both together, or if you want to have a purely cloud-based environment you can just use Azure AD.

AD Connect
- With Azure AD you can (via AD Connect) connect your on-premises AD to various external services and thereby improve security. In practice this means, for example, that your users can use single sign-on, also for third-party services.
Azure AD Connect cloud sync
- Azure AD Connect cloud sync is a new offering from Microsoft designed to meet and
accomplish your hybrid identity goals for synchronization of users, groups, and contacts to
Azure AD. It accomplishes this by using the Azure AD cloud provisioning agent instead of
the Azure AD Connect application. However, it can be used alongside Azure AD Connect
sync and it provides the following benefits:
- Support for synchronizing to an Azure AD tenant from a multi-forest disconnected Active
Directory forest environment: The common scenarios include merger & acquisition (where
the acquired company's AD forests are isolated from the parent company's AD forests),
and companies that have historically had multiple AD forests.
- Simplified installation with light-weight provisioning agents: The agents act as a bridge
from AD to Azure AD, with all the sync configuration managed in the cloud.
- Multiple provisioning agents can be used to simplify high availability deployments,
particularly critical for organizations relying upon password hash synchronization from AD
to Azure AD.
- Support for large groups with up to 50,000 members. It's recommended to use only the OU
scoping filter when synchronizing large groups.
Authentication Options

Password Hash Synchronization
- Password Hash Synchronization (PHS) is a feature of Azure AD Connect. It is the easiest authentication option to implement, and it is the default. The way PHS works is that whenever a password is changed on-premises, the password hash from Active Directory is synchronized into Azure AD. Copy: a copy of the hash lives in the cloud.
Pass-through Authentication
- The pass-through mechanism authenticates a user on the authenticating server, even if the user entry or password is on a different server. You can run a bind or compare operation against the authenticating server, even if the user entry or the credential is not on the server. No copy: the credential stays on-premises.

Federation with Azure AD
- Federation with Azure AD or O365 enables users to authenticate using on-premises credentials and access all resources in the cloud. As a result, it becomes important to have a highly available AD FS infrastructure to ensure access to resources both on-premises and in the cloud.
Authentication Decision Tree
- Authentication trees (also referred to as Intelligent Authentication) provide fine-grained authentication by allowing multiple paths and decision points throughout the authentication flow.

Password Writeback
- Password writeback is a feature of Azure AD Connect. It ensures that when a password changes in Azure AD (password change, self-service password reset, or an administrative change to a user password) it is written back to the on-premises AD, provided the new password meets the on-premises AD password policy.

Identity protection
Privileged Identity Management (PIM)
- Grants a user access for a specific time period. A request is then sent to an admin, who can see what this user intends to do. The access is time-limited.
RISK (User Risk Policy)
- Applied to user sign-ins
- Automatically respond based on a specific user's risk level
- Use a high threshold during the policy roll-out
- Provide the condition (risk level) and action (block or allow)
- Use a low threshold for greater security
MFA (the security of MFA two-step verification lies in its layered approach)
Authentication methods include
- Something you know (typically a password)
- Something you have (a trusted device that is not easily duplicated, like a phone)
- Something you are (biometrics)
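For a phone authenticator app, the "something you have" factor is usually a time-based one-time password (TOTP). The block below is an added example, not from these notes or from Microsoft: it implements HOTP/TOTP (RFC 4226 and RFC 6238, HMAC-SHA1, 6 digits, 30-second steps), a server-side verifier that tolerates one step of clock drift and refuses replay of a code that was already accepted, and the otpauth:// URI that authenticator apps read from a QR code. The demo key is the RFCs' reference test key, so the outputs can be checked against the RFC test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo key: the RFC 4226 / RFC 6238 reference-vector key
# (ASCII "12345678901234567890"). A real deployment uses a random per-user key.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per TOTP window
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time // step))


class TotpVerifier:
    """Server side: checks a submitted code, tolerates small clock drift and
    refuses a code that has already been accepted (replay)."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window              # steps of drift accepted on each side
        self.last_accepted_counter = -1   # highest counter value already used

    def verify(self, code: str, at_time: float) -> bool:
        counter = int(at_time // TIME_STEP)
        for drift in range(-self.window, self.window + 1):
            candidate = counter + drift
            if candidate <= self.last_accepted_counter:
                continue   # a captured code must not work a second time
            # constant-time comparison: no timing leak on how many digits matched
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_counter = candidate
                return True
        return False


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI an authenticator app imports via QR code (key in base32)."""
    key = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={key}"
            f"&issuer={issuer}&digits={DIGITS}&period={TIME_STEP}")


if __name__ == "__main__":
    verifier = TotpVerifier(DEMO_SECRET)
    now = time.time()
    code = totp(DEMO_SECRET, now)
    print("current code:", code, "accepted:", verifier.verify(code, now))
    print("same code again (replay):", verifier.verify(code, now))
    print(provisioning_uri(DEMO_SECRET, "alice@example.com", "ExampleCorp"))
```

The verifier is what makes this a second factor rather than a password with extra steps: the code is only valid for its window, the comparison is constant-time, and a code that was already accepted is rejected even inside the drift window.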

Azure Role-Based Access Control (RBAC)

Used to assign a user or a role.

Azure Policy determines which resources the users are allowed to use.
Resource Lock
- A method that locks resources in Azure Cloud.
- As an administrator, you can lock an Azure subscription, resource group, or resource to protect them from accidental user deletions and modifications. The lock overrides any user permissions. You can set locks that prevent either deletions or modifications. In the portal, these locks are called Delete and Read-only.

Azure Blueprint
- A set of standards designed to help with environment setup in an organisation.

Defense in depth
- Security at every layer of the network

Azure Firewall

NSG
- Applied to the subnet and to the network interface card (NIC)
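Because an NSG can sit on both the subnet and the NIC, a packet has to pass two rule sets in sequence, each evaluated in priority order and each carrying Azure's default rules (AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound and their outbound counterparts). The following simulator is an added example, not code from the notes or from Azure: the VNet address space, the two NSGs and the packets are constructed, the service tags VirtualNetwork, Internet and AzureLoadBalancer are resolved in a simplified way, and the decision logic shows why a rule that is allowed on the subnet can still be denied on the NIC.

```python
from dataclasses import dataclass
import ipaddress

# Constructed environment: the VNet address space, plus Azure's documented
# load-balancer/platform probe address used to resolve the AzureLoadBalancer tag.
VNET = ipaddress.ip_network("10.0.0.0/16")
LB_PROBE_IP = ipaddress.ip_address("168.63.129.16")


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number wins; 100-4096 custom, 65000+ defaults
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR or tag: "VirtualNetwork", "Internet", "AzureLoadBalancer", "*"
    dest: str
    dest_port: str     # "22", "80-443" or "*"


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int


# The default rules every NSG carries (priorities 65000-65500).
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]


def addr_matches(spec: str, ip: str) -> bool:
    """Resolve a CIDR or a (simplified) service tag against a concrete address."""
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return addr in VNET
    if spec == "AzureLoadBalancer":
        return addr == LB_PROBE_IP
    if spec == "Internet":
        # Simplification: everything that is neither the VNet nor the platform probe.
        return addr not in VNET and addr != LB_PROBE_IP
    return addr in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules, pkt: Packet):
    """First matching rule in priority order decides; returns (access, rule name)."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == pkt.direction
                and r.protocol in ("*", pkt.protocol)
                and addr_matches(r.source, pkt.src_ip)
                and addr_matches(r.dest, pkt.dst_ip)
                and port_matches(r.dest_port, pkt.dst_port)):
            return r.access, r.name
    return "Deny", "implicit"   # unreachable while the default rules are present


def nsg_decision(subnet_rules, nic_rules, pkt: Packet):
    """Inbound: subnet NSG first, then NIC NSG; outbound: the reverse. Both must allow."""
    order = [subnet_rules, nic_rules] if pkt.direction == "Inbound" else [nic_rules, subnet_rules]
    trace = []
    for rules in order:
        access, name = evaluate(list(rules) + DEFAULT_RULES, pkt)
        trace.append(name)
        if access == "Deny":
            return "Deny", trace
    return "Allow", trace


# Constructed NSGs: the subnet opens HTTPS from the Internet, the NIC only opens SSH
# from a jump-host range. HTTPS therefore never reaches the VM: the NIC NSG has no
# matching allow rule, so its DenyAllInBound wins.
SUBNET_NSG = [Rule("AllowHttpsIn", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "443")]
NIC_NSG = [Rule("AllowSshFromJump", 100, "Inbound", "Allow", "Tcp", "10.0.1.0/24", "*", "22")]

if __name__ == "__main__":
    for pkt in [Packet("Inbound", "Tcp", "203.0.113.5", "10.0.2.4", 443),
                Packet("Inbound", "Tcp", "10.0.1.10", "10.0.2.4", 22),
                Packet("Inbound", "Tcp", "203.0.113.5", "10.0.2.4", 22),
                Packet("Outbound", "Udp", "10.0.2.4", "8.8.8.8", 53)]:
        print(pkt, "->", nsg_decision(SUBNET_NSG, NIC_NSG, pkt))
```

The trace returned with each decision names the rule that matched at each NSG, which is the first thing to look at when "the port is open" on one NSG but traffic still does not arrive.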

Load balancing services

Basic (not secure by default; it's rubbish)
- Layer 4 in the protocol stack
- Supports up to 100 instances
- Service monitoring
- Automatic reconfiguration
- Hash-based (5-tuple) distribution by default
- Internal and public options
- Open by default (network security group optional)
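The "hash-based (5-tuple) distribution" above means the backend for a flow is chosen from a hash of source IP, source port, destination IP, destination port and protocol, and the session-persistence settings reduce that to client IP (2-tuple) or client IP and protocol (3-tuple). The block below is an added example, not code from the notes or from Azure's load balancer: the backend pool and flows are constructed, and SHA-256 stands in for the balancer's internal hash function, which is an assumption. It shows why one client can land on different instances when it opens new connections, why client-IP affinity pins it to one, how evenly distinct flows spread, and how many flows a stateless hash re-maps when an instance leaves the pool.

```python
import hashlib
from collections import Counter

# Constructed backend pool behind the load balancer.
BACKENDS = ["vm-0", "vm-1", "vm-2"]


def flow_key(src_ip, src_port, dst_ip, dst_port, protocol, mode):
    """Fields of the flow that take part in the hash, per distribution mode.
    '5-tuple' is the default; 'client-ip' (2-tuple) and 'client-ip-protocol'
    (3-tuple) are the session-persistence modes."""
    if mode == "5-tuple":
        fields = (src_ip, src_port, dst_ip, dst_port, protocol)
    elif mode == "client-ip":
        fields = (src_ip, dst_ip)
    elif mode == "client-ip-protocol":
        fields = (src_ip, dst_ip, protocol)
    else:
        raise ValueError(f"unknown mode {mode}")
    return "|".join(str(f) for f in fields).encode()


def pick_backend(backends, src_ip, src_port, dst_ip, dst_port, protocol="Tcp", mode="5-tuple"):
    """Hash-based selection: same key -> same backend. SHA-256 stands in for the
    balancer's internal hash (an assumption of this example)."""
    digest = hashlib.sha256(flow_key(src_ip, src_port, dst_ip, dst_port, protocol, mode)).digest()
    return backends[int.from_bytes(digest[:8], "big") % len(backends)]


def backends_seen(src_ip, ports, mode):
    """Backends one client reaches when it opens connections from several source ports."""
    return {pick_backend(BACKENDS, src_ip, p, "10.0.0.10", 443, "Tcp", mode) for p in ports}


def distribution(n_flows):
    """How evenly a deterministic sequence of distinct flows spreads over the pool."""
    counts = Counter()
    for i in range(n_flows):
        counts[pick_backend(BACKENDS, f"198.51.100.{i % 250}", 1024 + i, "10.0.0.10", 443)] += 1
    return counts


def flows_moved(n_flows, new_backends):
    """Fraction of flows that map to a different backend after the pool changes.
    A pure hash-mod mapping has no memory, so a pool change re-maps flows; that is
    why real balancers keep flow state or use consistent hashing to limit disruption."""
    moved = 0
    for i in range(n_flows):
        args = (f"198.51.100.{i % 250}", 1024 + i, "10.0.0.10", 443)
        if pick_backend(BACKENDS, *args) != pick_backend(new_backends, *args):
            moved += 1
    return moved / n_flows


if __name__ == "__main__":
    ports = range(40000, 40050)
    print("5-tuple, one client, 50 ports ->", sorted(backends_seen("203.0.113.7", ports, "5-tuple")))
    print("client-ip affinity            ->", sorted(backends_seen("203.0.113.7", ports, "client-ip")))
    print("spread over 3000 flows        ->", distribution(3000))
    print("flows re-mapped after losing vm-2 ->", round(flows_moved(3000, BACKENDS[:2]), 2))
```

The practical consequence for an application behind a layer-4 balancer is that anything stateful (a login session held in memory on one instance) must either tolerate a client arriving at another instance or rely on client-IP affinity, and affinity in turn breaks the even spread when many clients share one NAT address.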
Standard
- Layer 4
- Supports up to 1000 instances
- Any virtual machine in a single VNET
- Supports HTTPS
- Availability zone support
- Secure by default (Public IP, public LB endpoints)
- Scoped to the entire network
- Can be used for both Internet-facing and internal (VNet) applications. Backend health is checked via probes.

Application gateway
- Layer 7
- Cookie-based session affinity
- SSL offload
- End-to-end SSL
- Web App firewalls
- URL-based content routing
- Requires its own subnet
- Highly available
- Throughputs: Small, Medium, Large
- HTTPS, HTTP, WebSockets
- Can be used for both Internet-facing and internal (VNet) applications. Backend health is checked via probes.
Traffic Manager (global DNS-based routing)
- Works with any protocol
- On-premises routing
- Billing format: DNS-based billing
Front door
- HTTP acceleration
- Independent scalability
- Inline security

Azure Firewall
- Cloud based network security

Key features
- Built-in HA (high availability via built-in scale sets)
- Availability zones support
- Application FQDN filtering rules
- Network traffic filtering rules
- FQDN Tags (Fully Qualified Domain Name)
- Service Tags
- Threat intelligence
- SNAT/DNAT support (Source network translation/Destination network translation)

What does defense in depth describe when talking about security?
- If one layer is breached, a subsequent layer is in place to stop the threat
What are the 3 principles within cyber security?
- Confidentiality, integrity, availability (CIA)
What does BYOD stand for?
- Bring your own device
What is meant by zero trust?
- You assume zero trust
IDAAS
What does SSO stand for?
- Single sign off
Blob

What is AAD?
What is AD Connect?
What is pass-through authentication?
- Passwords are not stored in the cloud but in the on-premises AD

What is password hash sync?
- Passwords are stored as a copy in the cloud
Your organisation is considering using Azure Multi-Factor. Which is not an option?
- Email with a link
Which of the following is not a valid MFA status?
- Required
You can configure the following settings, except?
- Configure IP addresses outside the company intranet that are to be blocked
Which role allows the user to manage all groups in a tenant and would be able to assign other administrator roles?
- Global admin
You can assign group membership on the following, except?
- Microsoft 365
Which feature would be easiest to implement given the requirements?
- Pass-through authentication
Which tools can you use to synchronise AD passwords with AD in the on-premises environment?
- AD Connect
Azure AD does not use which of the following security protocols?
- Kerberos
Which of the following is not a passwordless authentication method?
- Windows Hello Business
The compliance department wants to secure the privileges of dismissed employees
- Access reviews
Which AD role can reset passwords?
- Global admin
Identity Protection identifies risks in the following classifications, except?
- Unregistered device
Which licence plan supports Identity Protection?
- Premium P2
Which Azure AD role do you need to enable PIM?
- Global Admin
You must ensure that a new hire requests a privilege elevation before making changes in Azure. What should you do?
- Eligible role
Your organisation has enabled Azure AD PIM. The top manager does not want to perform an action to use a role. What should you do?
- Give the manager permanent access (permanent active)
Example of when to use a resource lock
- ExpressRoute
Which of the following features in Azure Networking make it possible to redirect all internet traffic (packet inspection)?
- User-defined routes, forced tunneling
You are configuring Azure Firewall. You must allow Windows Update network traffic through the firewall. Which of the following should you use?
- Application rules
You want to restrict outbound internet traffic from a subnet.
- Azure Firewall
DDoS policy.
You deploy Azure Application Gateway and want to ensure that incoming requests are checked for common security threats such as cross-site scripting (XSS) and crawlers. What should you do?
- Install Web Application Firewall
All of the following are default rules except?
- Allow inbound internet
Front door
You need
- Configure Bastion

Which type of disk encryption is used for Linux disks?
- dm-crypt

Which of the following is not a high-severity recommendation for virtual machines and servers?
- Endpoint protection

Which of the following should not be stored in Azure Key Vault?
- Identity management
Which security tool should you use to approve role-level access for these users?
- Role-based access control

Your SQL database admin is concerned about SQL injection. The risk must be minimised. You suggest the following
- Advanced Threat Protection

Always Encrypted

Which type of firewall rules can you configure for an Azure SQL database?
- Service level
Specific time interval
- Just in time
Where can you create and manage custom security alerts?
- Azure Sentinel
