Professional Documents
Culture Documents
submitted by
BHAVYA JAIN
20BIT0247
in partial fulfilment for the award of the degree of
Bachelor of Technology
in
Information Technology
November, 2023
Page 1
DECLARATION BY THE CANDIDATE
S
i
s
Signature of the student
Page 2
(A typical specimen of Bonafide Certificate)
BONAFIDE CERTIFICATE
Page 3
ACKNOWLEDGEMENT
Place : Vellore
Bhavya Jain
Date : 23/11/2023
Page 4
CERTIFICATE
Page 5
TABLE OF CONTENTS
Course Content
1. Introduction 1
1.1 What is the SC900 certification?
1
Page 6
1. Introduction:
The SC-900 exam is a Microsoft certification exam that validates your foundational
knowledge of security, compliance, and identity concepts. It is designed for IT
professionals who want to demonstrate their expertise in these areas, regardless of
their role or experience level.
To pass the SC-900 exam, you need to have a good understanding of these topics and
be able to apply them to real-world scenarios.
In addition to these benefits, the SC-900 certification can also help you:
Page 7
Build a network with other professionals who are certified in Microsoft
security, compliance, and identity.
Page 8
Greater job satisfaction. Certified professionals are more likely to be satisfied
with their jobs because they feel more confident and competent in their skills.
A 2023 study by Global Knowledge found that 87% of certified professionals
say certification has made them more satisfied with their jobs.
Cloud security is the practice of protecting data and applications stored in the cloud
from unauthorized access, use, disclosure, disruption, modification, or destruction. It
is a shared responsibility between the cloud provider and the customer. The cloud
provider is responsible for the security of the underlying infrastructure, while the
customer is responsible for the security of their data and applications.
There are a number of different cloud security threats and risks, including:
Data breaches: Data breaches can occur when unauthorized individuals gain
access to sensitive data, such as customer records, financial data, or
intellectual property.
Malware attacks: Malware attacks can occur when malicious software is
installed on cloud systems or applications. This software can steal data,
disrupt operations, or even take control of systems.
Denial-of-service (DoS) attacks: DoS attacks can occur when attackers flood
cloud systems or applications with traffic, making them unavailable to
legitimate users.
Insider threats: Insider threats can occur when malicious actors within an
organization exploit their access to cloud systems or applications to steal
data, disrupt operations, or sabotage systems.
There are a number of different cloud security controls that can be implemented to
mitigate these threats and risks. These controls include:
Page 9
Security monitoring: Security monitoring controls are used to detect and
respond to security incidents in real time. This includes logging and auditing,
security information and event management (SIEM) systems, and incident
response planning.
Use strong passwords and multi-factor authentication (MFA). This will help
to protect your cloud accounts from unauthorized access.
Keep your software up to date. Software updates often include security
patches that can help to protect your systems from known vulnerabilities.
Be careful about what you share in the cloud. Only share sensitive data with
trusted users and applications.
Implement security monitoring and incident response plans. This will help
you to detect and respond to security incidents in real time.
Use a cloud security solution. A cloud security solution can provide a
comprehensive set of security controls to protect your data and applications in
the cloud.
The cloud provider is responsible for the security of the underlying infrastructure,
including physical data centers, networks, and virtualization layers. This includes
implementing physical security measures, such as access control and perimeter
security, as well as deploying security technologies, such as firewalls and intrusion
detection systems.
Customer responsibilities
The customer is responsible for the security of their data and applications in the
cloud. This includes:
Page
10
Data encryption: Encrypting data at rest and in transit helps to protect it from
unauthorized access.
Identity and access management (IAM): Implementing strong IAM controls,
such as multi-factor authentication and role-based access control, helps to
ensure that only authorized users have access to cloud resources.
Configuration management: Configuring cloud resources securely is essential
for protecting them from attack.
Security monitoring: Monitoring cloud activity for suspicious activity and
responding to security incidents promptly is critical for mitigating damage.
Reduced costs: Cloud providers can invest in security at scale, which can help
to reduce costs for customers.
Increased expertise: Cloud providers have deep expertise in security and can
provide customers with access to the latest security tools and technologies.
Improved agility: The shared responsibility model allows customers to focus
on their core business activities, while the cloud provider takes care of
security.
Conclusion
Here are some additional tips for implementing the shared responsibility model:
Page
11
Communicate regularly. Cloud providers and customers should communicate
regularly about security to ensure that everyone is aligned on their
responsibilities.
Use a risk-based approach. Customers should use a risk-based approach to
security, focusing on the areas that pose the greatest risk to their data and
applications.
Monitor security continuously. Cloud providers and customers should
monitor security continuously and respond to incidents promptly.
Data breaches: Data breaches can occur when unauthorized individuals gain
access to sensitive data, such as customer records, financial data, or
intellectual property.
Malware attacks: Malware attacks can occur when malicious software is
installed on cloud systems or applications. This software can steal data,
disrupt operations, or even take control of systems.
Denial-of-service (DoS) attacks: DoS attacks can occur when attackers flood
cloud systems or applications with traffic, making them unavailable to
legitimate users.
Insider threats: Insider threats can occur when malicious actors within an
organization exploit their access to cloud systems or applications to steal
data, disrupt operations, or sabotage systems.
Data breaches
Data breaches are one of the most common cloud security threats. They can occur
when unauthorized individuals gain access to sensitive data, such as customer
records, financial data, or intellectual property.
Malware attacks
Page
12
Malware attacks are another common cloud security threat. Malware is malicious
software that can steal data, disrupt operations, or even take control of systems.
Phishing attacks: Phishing attacks are emails or websites that are designed to
trick users into revealing their login credentials or other sensitive information.
Drive-by downloads: Drive-by downloads are malicious files that are
downloaded to a user's computer without their knowledge or consent.
Zero-day attacks: Zero-day attacks are exploits of vulnerabilities in software
that are unknown to the software vendor.
DoS attacks are another common cloud security threat. DoS attacks occur when
attackers flood cloud systems or applications with traffic, making them unavailable
to legitimate users.
Insider threats
Insider threats are individuals who have authorized access to cloud systems but use
that access to steal data or disrupt operations.
Malicious intent: Some insider threats are motivated by malicious intent, such
as financial gain or revenge.
Negligence: Other insider threats are caused by negligence, such as failing to
follow security policies or procedures.
Lack of awareness: Some insider threats are caused by a lack of awareness of
security risks.
Page
13
2.4 Best practices for cloud security
There are a number of things that organizations can do to mitigate cloud security
threats, including:
By following these tips, organizations can help to mitigate cloud security threats and
protect their data and applications.
Here are some additional tips for mitigating cloud security threats:
Use strong passwords and multi-factor authentication (MFA). This will help
to protect your cloud accounts from unauthorized access.
Keep your software up to date. Software updates often include security
patches that can help to protect your systems from known vulnerabilities.
Be careful about what you share in the cloud. Only share sensitive data with
trusted users and applications.
Implement security monitoring and incident response plans. This will help
you to detect and respond to security incidents in real time.
Page
14
secure. Third, it can help organizations to avoid costly data breaches and other
security incidents.
There are a number of things that organizations can do to achieve cloud compliance,
including:
Conduct a risk assessment. This will help to identify the specific risks that the
organization faces in its use of cloud computing.
Develop a cloud compliance plan. This plan should outline the steps that the
organization will take to mitigate the identified risks.
Implement cloud security controls. This includes implementing security
controls such as data encryption, access control, and security monitoring.
Monitor cloud compliance on an ongoing basis. This includes monitoring the
organization's use of cloud computing services and making adjustments to the
cloud compliance plan as needed.
Many cloud providers offer a variety of tools and resources to help their customers
achieve cloud compliance. These tools and resources can help organizations to assess
their risk, develop a cloud compliance plan, implement cloud security controls, and
monitor cloud compliance on an ongoing basis
There are a number of cloud compliance standards that apply to Microsoft Azure,
including:
Page
15
FedRAMP: The Federal Risk and Authorization Management Program
(FedRAMP) is a U.S. government program that provides a standardized
approach to security assessment, authorization, and continuous monitoring of
cloud products and services.
The SC900 exam covers the basics of cloud compliance, including the different types
of compliance standards and how to implement them in Microsoft Azure.
Here are some additional tips for achieving cloud compliance in Microsoft Azure:
1. Identify the compliance standards that apply to your organization. This will
vary depending on your industry and location. Some common cloud
compliance standards include the General Data Protection Regulation
(GDPR), ISO/IEC 27001, PCI DSS, HIPAA, and FedRAMP.
2. Assess your current Azure environment. This will help you to identify any
areas where you need to improve your compliance posture. You can use the
Azure Security Center to help you with this assessment.
3. Develop a compliance plan. This plan should outline the steps that you will
take to achieve and maintain compliance with the applicable standards.
4. Implement cloud security controls. This includes implementing security
controls such as data encryption, access control, and security monitoring. You
can use Azure Policy and Azure Blueprints to help you implement these
controls.
Page
16
5. Monitor compliance on an ongoing basis. This includes monitoring your
Azure environment for changes and making adjustments to your compliance
plan as needed.
Here are some additional tips for implementing cloud compliance in Azure:
Here are some specific examples of how to implement cloud compliance in Azure:
To comply with GDPR, you can use Azure Policy to enforce data encryption
and access control policies. You can also use Azure Blueprints to deploy
compliant Azure environments for GDPR workloads.
To comply with ISO/IEC 27001, you can use the Azure Security Center to
monitor your Azure environment for security threats and compliance
issues. You can also use Azure Policy to enforce ISO/IEC 27001 security
controls.
To comply with PCI DSS, you can use Azure Key Vault to manage your
encryption keys. You can also use Azure Policy to enforce PCI DSS security
controls.
To comply with HIPAA, you can use Azure Health Data Services to store and
manage your healthcare data. You can also use Azure Policy to enforce
HIPAA security controls.
To comply with FedRAMP, you can use Azure Government to deploy and
manage your cloud workloads in a FedRAMP-compliant environment. You
can also use Azure Policy to enforce FedRAMP security controls.
Here are some best practices for cloud compliance in Azure and SC900:
Page
17
Develop a compliance plan. This plan should outline the steps that you will
take to achieve and maintain compliance.
Implement cloud security controls. This includes implementing security
controls such as data encryption, access control, and security monitoring. You
can use Azure Policy and Azure Blueprints to help you implement these
controls.
Monitor compliance on an ongoing basis. This includes monitoring your
Azure environment for changes and making adjustments to your compliance
plan as needed.
By following these best practices, you can help to ensure that your use of Azure is
compliant with all applicable laws and regulations.
Here are some specific examples of best practices for cloud compliance in Azure:
Use strong passwords and multi-factor authentication (MFA) for all Azure
accounts.
Encrypt all sensitive data at rest and in transit.
Implement role-based access control (RBAC) to restrict access to Azure
resources.
Use Azure Monitor and Azure Security Center to monitor your Azure
environment for security threats and compliance issues.
Regularly review your Azure security and compliance policies.
Identity management in Azure is the process of managing user identities and access
to Azure resources. This includes creating and managing user accounts, assigning
roles and permissions, and enforcing security policies.
Page
18
Centralized identity management: All user identities are managed in a central
location, which makes it easier to manage access to resources and enforce
security policies.
Role-based access control (RBAC): RBAC allows you to assign roles and
permissions to users, groups, and service principals. This helps to ensure that
users only have access to the resources that they need.
Multi-factor authentication (MFA): MFA adds an extra layer of security to
your Azure accounts by requiring users to provide two or more factors of
authentication, such as a password and a one-time code.
User accounts: Azure AD allows you to create and manage user accounts.
You can also import user accounts from on-premises directories.
Groups: Azure AD allows you to create and manage groups. Groups can be
used to assign roles and permissions to users.
Roles and permissions: Azure AD allows you to assign roles and permissions
to users and groups. Roles define the actions that users can perform on Azure
resources. Permissions are specific tasks that users can perform.
Authentication: Azure AD provides a number of authentication methods,
including password-based authentication, MFA, and social login.
Authorization: Azure AD authorizes users to access Azure resources based on
their roles and permissions.
The SC900 exam covers the basics of Azure identity management, including the
different features of Azure AD and how to use them to manage user identities and
access to Azure resources.
Here are some additional tips for implementing identity management in Azure:
Use a central identity store. This will make it easier to manage user identities
and access to resources.
Use role-based access control (RBAC). This will help to ensure that users
only have access to the resources that they need.
Use multi-factor authentication (MFA). This will add an extra layer of
security to your Azure accounts.
Monitor your Azure AD environment for suspicious activity. You can use
Azure Monitor and Azure Security Center to help you with this monitoring.
Page
19
Regularly review your Azure AD security and compliance policies.
There are a number of different types of identity management solutions for Azure,
including:
These are just a few examples of the different types of identity management solutions
for Azure. There are a number of other solutions available, both from Microsoft and
from third-party vendors.
The best identity management solution for your organization will depend on your
specific needs and requirements. If you are not sure which solution is right for you,
you can contact Microsoft or a certified Microsoft partner for assistance.
Page
20
Use a strong central identity store. This will make it easier to manage user
identities and access to resources.
Use role-based access control (RBAC). This will help to ensure that users
only have access to the resources that they need.
Use multi-factor authentication (MFA). This will add an extra layer of
security to your accounts.
Monitor your identity management environment for suspicious activity. You
can use security information and event management (SIEM) tools to help you
with this monitoring.
Regularly review your security and compliance policies. Make sure that your
policies are up-to-date and that they meet the needs of your organization.
Use a password manager. A password manager can help you create and
manage strong passwords for all of your accounts.
Be careful about what information you share online. Only share personal
information with trusted websites and applications.
Be aware of phishing scams. Phishing scams are attempts to trick you into
revealing personal information, such as your passwords or credit card
numbers.
Educate your employees about security best practices. Your employees
should be aware of the latest security threats and how to protect themselves.
By following these best practices, you can help to protect your identity and your
organization from cyberattacks.
Page
21
Security Center can help you to detect and respond to security threats and
compliance issues.
Regularly review your Azure AD security and compliance policies. Make
sure that your policies are up-to-date and that they meet the needs of your
organization.
5. Conclusion
Cloud security
Cloud security is the practice of protecting data and applications stored in the cloud
from unauthorized access, use, disclosure, disruption, modification, or destruction. It
is a shared responsibility between the cloud provider and the customer.
The cloud provider is responsible for the security of the underlying cloud
infrastructure, such as the servers, storage, and networking components. The
customer is responsible for the security of their data and applications that are stored
in the cloud.
There are a number of best practices that organizations can follow to improve their
cloud security, including:
Cloud compliance
Page
22
build trust with customers and partners, who want to know that their data is safe and
secure. Third, it can help organizations to avoid costly data breaches and other
security incidents.
There are a number of things that organizations can do to achieve cloud compliance,
including:
Conduct a risk assessment. This will help to identify the specific risks that the
organization faces in its use of cloud computing.
Develop a cloud compliance plan. This plan should outline the steps that the
organization will take to mitigate the identified risks.
Implement cloud security controls. This includes implementing security
controls such as data encryption, access control, and security monitoring.
Monitor cloud compliance on an ongoing basis. This includes monitoring the
organization's use of cloud computing services and making adjustments to the
cloud compliance plan as needed.
Identity management in Azure is the process of managing user identities and access
to Azure resources. This includes creating and managing user accounts, assigning
roles and permissions, and enforcing security policies.
Page
23
Use a strong central identity store. This will make it easier to manage user
identities and access to resources.
Use role-based access control (RBAC). This will help to ensure that users
only have access to the resources that they need.
Use multi-factor authentication (MFA). This will add an extra layer of
security to your accounts.
Monitor your identity management environment for suspicious activity. You
can use security information and event management (SIEM) tools to help you
with this monitoring.
Regularly review your security and compliance policies. Make sure that your
policies are up-to-date and that they meet the needs of your organization.
Cloud security, cloud compliance, and identity management are all important aspects
of using cloud computing services. By understanding the key concepts and best
practices in these areas, organizations can help to protect their data, applications, and
users from cyberattacks and other threats.
The course meticulously unpacks the capabilities of Microsoft Identity and Access
Management Solutions, offering insights into Azure Active Directory (Azure AD),
various identity types, and diverse authentication methods. It underscores the
importance of robust authentication mechanisms in ensuring the security of digital
identities.
Furthermore, the course delves into Microsoft’s Security Solutions, elucidating the
array of tools and services designed to bolster organizational security. It also
explores Microsoft’s Compliance Solutions, highlighting the tools that aid
organizations in meeting their compliance requirements.
Page
24
6. References
https://learn.microsoft.com/en-us/credentials/certifications/exams/sc-
900/?tab=tab-learning-paths
Page
25