What is cloud?
- Someone else's "computer" that you rent capacity on. The services do not run locally on your
own machine; you pay for access and in return get to use the services the provider offers.
- Pay for what you need (pay-as-you-go): cost follows consumption instead of owned hardware.
Defence in Depth:
- Each layer provides protection, so an attacker who gets past one layer still faces the next.
- Each layer can implement one or more of the CIA concerns:
  - Confidentiality
  - Integrity
  - Availability
Zero Trust Model
- Never trust anything by default; trust must be continuously validated (every request is verified,
regardless of where it comes from).
- Bring your own device (BYOD): the users, the network and the devices are no longer under
organizational control, so network location can no longer be used as a proxy for trust.
Trust Boundaries
- Access is granted to one server at a time rather than to the whole environment; wherever a
request or data crosses a boundary between trust levels it must be authenticated and validated.
Cloud Delivery
- IaaS (Infrastructure as a Service): you configure and manage the (virtual) infrastructure your
application runs on; the provider runs the physical hardware.
- PaaS (Platform as a Service): platform management (OS, runtime, patching) is handled by the
cloud provider; you deploy your application on top.
- SaaS (Software as a Service): users pay for the software they use on a subscription model.
- IDaaS (Identity as a Service): identity and access management delivered from the cloud (for
example Azure AD, see below).
BYOD = Bring your own device.
SIEM: Security Information and Event Management (central collection and correlation of logs for
detection and investigation).
Active Directory
AD = used to manage an organization and the users in it. Security policies (via group policy)
can be set per employee or group.
Nearly every organization with Windows infrastructure has an AD. This is usually an on-premises AD.
It is now possible to use Azure as the identity provider. Once the organization has set up the
integration in Azure, the company and its employees can log in with their Microsoft 365
(Office 365) credentials.
AD vs Azure AD Summary
In summary, Azure AD (renamed Microsoft Entra ID in 2023) is not simply a cloud version of AD; they
do quite different things. AD is great at managing traditional on-premises infrastructure and
applications (Kerberos/NTLM, group policy, domain-joined machines). Azure AD is great at managing
user access to cloud applications (OAuth 2.0, OpenID Connect, SAML). You can use both together, or
if you want a purely cloud-based environment you can use Azure AD alone.
AD Connect
- With Azure AD you can (via AD Connect) connect your on-premises AD to various external services
and thereby improve security. In practice this means, for example, that your users can use single
sign-on, including to third-party services.
Azure AD Connect cloud sync
- Azure AD Connect cloud sync is a new offering from Microsoft designed to meet and
accomplish your hybrid identity goals for synchronization of users, groups, and contacts to
Azure AD. It accomplishes this by using the Azure AD cloud provisioning agent instead of
the Azure AD Connect application. However, it can be used alongside Azure AD Connect
sync and it provides the following benefits:
- Support for synchronizing to an Azure AD tenant from a multi-forest disconnected Active
Directory forest environment: The common scenarios include merger & acquisition (where
the acquired company's AD forests are isolated from the parent company's AD forests),
and companies that have historically had multiple AD forests.
- Simplified installation with lightweight provisioning agents: the agents act as a bridge
from AD to Azure AD, with all the sync configuration managed in the cloud.
- Multiple provisioning agents can be used to simplify high availability deployments,
particularly critical for organizations relying upon password hash synchronization from AD
to Azure AD.
- Support for large groups with up to 50,000 members. It's recommended to use only the OU
scoping filter when synchronizing large groups.
Authentication Options
Password Writeback
- Password writeback is a feature of Azure AD Connect. It ensures that when a password
changes in Azure AD (password change, self-service password reset, or an administrative
change to a user password) it is written back to the on-premises AD, provided the new password
meets the on-premises AD password policy.
Identity protection
Privileged Identity Management (PIM)
- Gives a user elevated access for a specific time period only (just-in-time access). The user
submits an activation request, optionally with a justification, and an admin can see what the
user intends to do and approve or reject it. The access expires automatically.
RISK (User Risk Policy)
- Applied to user sign-ins
- Automatically responds based on a specific user's risk level
- Provide the condition (risk level) and the action (block or allow, optionally requiring a
password change)
- Use a high threshold during the policy roll-out so that only the riskiest users are affected
- Use a low threshold for greater security (more users are challenged or blocked)
MFA (the security of MFA two-step verification lies in its layered approach: a stolen password
alone is not enough)
Authentication methods include
- Something you know (typically a password)
- Something you have (a trusted device that is not easily duplicated, like a phone)
- Something you are (biometrics)
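The two-step verification above, as an added example (not code from the page or from Microsoft): the first factor is a password checked against a PBKDF2 hash, the second is a time-based one-time code (TOTP, RFC 6238) of the kind an authenticator app on a phone generates. The user record, salt and password are constructed; the TOTP seed is the RFC 6238 reference secret so the codes can be checked against the published test vectors.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed credential store: one user with a PBKDF2 password hash (something you know)
# and a TOTP seed (something you have). The seed is the RFC 6238 reference secret.
_SALT = b"constructed-salt"
_ITER = 100_000
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", _SALT, _ITER),
        "totp_seed": b"12345678901234567890",
    }
}


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second time step."""
    return hotp(seed, unix_time // step, digits)


def verify_password(user: str, password: str) -> bool:
    rec = USERS.get(user)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITER)
    if rec is None:
        # Same amount of work for unknown users, so timing does not reveal which usernames exist.
        return False
    return hmac.compare_digest(candidate, rec["pw_hash"])


def verify_totp(user: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps to tolerate clock drift.
    A real deployment also records the last accepted step so a captured code cannot be replayed."""
    rec = USERS.get(user)
    if rec is None:
        return False
    for delta in range(-window, window + 1):
        expected = totp(rec["totp_seed"], unix_time + delta * 30)
        if hmac.compare_digest(expected, code):
            return True
    return False


def login(user: str, password: str, code: str, unix_time: Optional[int] = None) -> str:
    """Two-step verification: both factors are always evaluated and both must pass.
    The result does not say which factor failed, so an attacker cannot confirm a password guess."""
    now = int(time.time()) if unix_time is None else unix_time
    ok_pw = verify_password(user, password)
    ok_otp = verify_totp(user, code, now)
    return "allow" if (ok_pw and ok_otp) else "deny"
```

With the RFC seed, `totp(seed, 59)` yields `287082` and `totp(seed, 1111111109)` yields `081804`, matching the RFC 6238 SHA-1 vectors. The window is what makes the second factor "layered" rather than brittle: a code is valid for roughly 90 seconds, after which knowing the password alone is useless.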
Azure Blueprint
- A repeatable set of standards (policies, role assignments, resource templates) designed to help
set up governed environments in an organization.
Defense in depth
- Security at every layer, not only the network layer: physical, identity and access, perimeter,
network, compute, application, data.
NSG (Network Security Group)
- Attached to a subnet and/or a network interface (NIC). Rules are evaluated in priority order
(lowest number first, first match wins), and inbound traffic must be allowed by both the subnet
NSG and the NIC NSG when both exist.
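The rule evaluation just described, as an added example (not Azure's code or the page's own): rules are sorted by priority, the first match decides, Azure's default inbound rules sit behind every custom rule, and inbound traffic is checked against the subnet NSG before the NIC NSG. The VNet prefix, the two example NSGs and the client addresses are constructed; the service tags are modelled only as far as this example needs them (the `AzureLoadBalancer` tag is reduced to the documented health-probe address 168.63.129.16).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules use 100-4096; a lower number is evaluated first
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    source: str        # CIDR, "*" or one of the two service tags handled below
    dest_port: str     # single port, range "a-b" or "*"


# Azure's default inbound rules (priorities 65000-65500); custom rules always come before them.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

VNET_PREFIX = ip_network("10.0.0.0/16")            # constructed address space for the VNet
AZURE_LB_PROBE_IP = ip_address("168.63.129.16")    # Azure's fixed load-balancer probe source


def _src_matches(rule_src: str, src: str) -> bool:
    addr = ip_address(src)
    if rule_src == "*":
        return True
    if rule_src == "VirtualNetwork":
        return addr in VNET_PREFIX
    if rule_src == "AzureLoadBalancer":
        return addr == AZURE_LB_PROBE_IP
    return addr in ip_network(rule_src, strict=False)


def _port_matches(rule_port: str, port: int) -> bool:
    if rule_port == "*":
        return True
    if "-" in rule_port:
        lo, hi = (int(p) for p in rule_port.split("-"))
        return lo <= port <= hi
    return int(rule_port) == port


def evaluate(rules: List[Rule], src: str, proto: str, port: int) -> str:
    """First matching rule in ascending priority order wins; DenyAllInBound is the fallback."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol not in ("*", proto):
            continue
        if not _src_matches(rule.source, src) or not _port_matches(rule.dest_port, port):
            continue
        return rule.access
    return "Deny"  # not reachable because DenyAllInBound matches everything; kept for clarity


def inbound_allowed(subnet_nsg: List[Rule], nic_nsg: Optional[List[Rule]],
                    src: str, proto: str, port: int) -> bool:
    """Inbound traffic crosses the subnet NSG first, then the NIC NSG; both must allow it."""
    if evaluate(subnet_nsg, src, proto, port) != "Allow":
        return False
    if nic_nsg is not None and evaluate(nic_nsg, src, proto, port) != "Allow":
        return False
    return True


# Constructed example: the subnet NSG allows HTTPS from anywhere and denies RDP from anywhere.
# The NIC NSG allows RDP from a corporate range, but that cannot override the subnet-level deny.
SUBNET_NSG = [
    Rule("AllowHttpsIn", 100, "Allow", "Tcp", "*", "443"),
    Rule("DenyRdpIn", 110, "Deny", "Tcp", "*", "3389"),
]
NIC_NSG = [
    Rule("AllowRdpFromCorp", 100, "Allow", "Tcp", "203.0.113.0/24", "3389"),
    Rule("AllowHttpsIn", 200, "Allow", "Tcp", "*", "443"),
]
```

The practitioner's check this encodes: a rule that looks permissive on the NIC (RDP from the corporate range) is still blocked if the subnet NSG denies it first, and anything no custom rule mentions falls through to `AllowVnetInBound` (other VNet hosts get in) and finally `DenyAllInBound`.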
Application gateway
- Layer 7 (HTTP/HTTPS) load balancer
- Cookie-based session affinity
- SSL offload
- End-to-end SSL
- Web Application Firewall (WAF)
- URL-based content routing
- Requires its own subnet
- Highly available
Throughputs (v1 SKU sizes): Small, Medium, Large
Protocols: HTTPS, HTTP, WebSockets
Can be used for both Internet-facing and internal (VNet) applications. Backend health is monitored
via probes.
Traffic manager (global DNS-based routing)
- Works with any protocol, because it only answers DNS queries and never sees the traffic itself
- Can route to on-premises endpoints
- Billing: per DNS query
Front door
- HTTP acceleration
- Independent scalability
- Inline security
Azure Firewall
- Cloud-based network security (a managed, stateful firewall as a service)
Key features
- Built-in HA (high availability; no extra load balancers or scale sets to configure)
- Availability zones support
- Application FQDN filtering rules
- Network traffic filtering rules
- FQDN Tags (Fully Qualified Domain Name)
- Service Tags
- Threat intelligence (alert on or deny traffic to/from known malicious IPs and domains)
- SNAT/DNAT support (source network address translation / destination network address translation)
What is AAD?
- Azure Active Directory (now Microsoft Entra ID): the cloud identity provider described above.
What is AD Connect?
- The component that synchronizes the on-premises AD with Azure AD (see above).
What is pass-through authentication?
- Passwords are not stored in the cloud but in the on-premises AD; an on-premises agent validates
the password for each cloud sign-in.
Which of the following is not a high-severity recommendation for virtual machines and servers?
- Endpoint protection
Your SQL database admin is concerned about SQL injection. The risk must be minimized. You suggest the
following:
- Advanced Threat Protection (detects and alerts on SQL injection attempts against the database)
- Always Encrypted (protects sensitive column values from the database engine and its admins; it
does not by itself stop injection, which is prevented by parameterized queries in the application)
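To make the last point concrete, here is an added example (not from the page and not Microsoft's code) of the application-side fix that Advanced Threat Protection would otherwise only alert on: the same lookup written with string concatenation and with a parameterized query. The table, rows and attacker payload are constructed; SQLite stands in for Azure SQL because the injection mechanics are the same.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for an Azure SQL users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Deliberately vulnerable: attacker-controlled text is spliced into the SQL statement."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Hardened: the driver sends the value separately from the statement text, so quotes in the
    input are data, never SQL syntax."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def demo() -> dict:
    """Run both versions against a normal username and a classic tautology payload."""
    conn = make_db()
    payload = "x' OR '1'='1"  # constructed attacker input
    return {
        "normal": find_user_parameterized(conn, "alice"),
        "vulnerable": find_user_vulnerable(conn, payload),
        "hardened": find_user_parameterized(conn, payload),
    }
```

The vulnerable query turns the payload into `WHERE username = 'x' OR '1'='1'` and returns every row, including the admin account; the parameterized one looks for a user literally named `x' OR '1'='1` and returns nothing. Always Encrypted does not change this outcome: it hides column values from the engine, and in fact requires parameterized queries for encrypted columns because the client driver is what encrypts the parameter values.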