
SC-900 Microsoft Security, Compliance, and Identity Fundamentals
Azure security solutions

https://aka.ms/sc900academy
Agenda
• Save the date
• Introduction
• Basic security capabilities in Azure
• Microsoft Defender for Cloud
• Microsoft Sentinel
• Resources

Save the date
Date                    | Topic
23 January 2023 (12:00) | Concepts
25 January 2023 (12:00) | Identity and access management
27 January 2023 (12:00) | Microsoft 365 security solutions
30 January 2023 (12:00) | Azure security solutions
1 February 2023 (12:00) | Compliance solutions
3 February 2023 (12:00) | Dry run and Q&A

Overview of Microsoft Certified: Security, Compliance, and Identity Fundamentals
Get started at aka.ms/SecurityCerts_Fundamentals

Who is this certification for?
This certification is targeted to those looking to familiarize themselves with the fundamentals of security, compliance, and identity (SCI) across cloud-based and related Microsoft services. This is a broad audience that may include business stakeholders, new or existing IT professionals, or students who have an interest in Microsoft security, compliance, and identity solutions.

Exam details
SC-900: Microsoft Security, Compliance, and Identity Fundamentals
Skills measured:
• Concepts of Security, Compliance, and Identity
• Capabilities of Microsoft Identity and Access Management Solutions
• Capabilities of Microsoft Security Solutions
• Capabilities of Microsoft Compliance Solutions
Knowledge and experience: candidates should be familiar with Microsoft Azure and Microsoft 365 and understand how Microsoft security, compliance, and identity solutions can span across these solution areas to provide a holistic and end-to-end solution.

Certification
Pass certification exam SC-900 to earn this certification: Microsoft Certified: Security, Compliance, and Identity Fundamentals

Products featured
• Azure Active Directory
• Microsoft Sentinel
• Azure Secure Score
• Microsoft 365 Defender
• Microsoft Secure Score
• Microsoft Compliance Manager
• Microsoft Intune
• And more…

© 2021 Microsoft Corporation. All rights reserved.


The journey to Microsoft Certified: Security, Compliance, and Identity Fundamentals
Get started at aka.ms/SecurityCerts_Fundamentals

Start here: decide if this is the right certification for you
This certification is targeted to those looking to familiarize themselves with the fundamentals of security, compliance, and identity (SCI) across cloud-based and related Microsoft services.

Upskill with recommended training and experience
• Skills outline guide: SC-900
• Self-paced online learning: Microsoft Learn
• Additional resources: Microsoft Docs
First, make sure your skills are up to date. Need to update your skills in security, compliance, and identity? Take the Security, Compliance, and Identity Fundamentals training on Microsoft Learn.

Pass the required exam to earn your certification
Exam SC-900 Microsoft Security, Compliance, and Identity Fundamentals leads to Microsoft Certified: Security, Compliance, and Identity Fundamentals.


Learning path for Microsoft Certified: Security, Compliance, and Identity Fundamentals

This certification is targeted to those looking to familiarize themselves with the fundamentals of security, compliance, and identity (SCI) across cloud-based and related Microsoft services. This is a broad audience that may include business stakeholders, new or existing IT professionals, or students who have an interest in Microsoft security, compliance, and identity solutions.

Self-paced online training on Microsoft Learn:
• Describe the concepts of security, compliance, and identity (2 modules)
• Describe the capabilities of Microsoft Identity and access management solutions (5 modules)
• Describe the capabilities of Microsoft security solutions (6 modules)
• Describe the capabilities of Microsoft compliance solutions (6 modules)

Exam SC-900 Microsoft Security, Compliance, and Identity Fundamentals: pass certification exam SC-900 to earn the certification Microsoft Certified: Security, Compliance, and Identity Fundamentals.
The SC-900 exam
• Microsoft Security, Compliance, and Identity Fundamentals
• 60 minutes, ~50 very general questions
• Topics:
  • Describe the concepts of security, compliance, and identity (10-15%)
  • Describe the capabilities of Microsoft identity and access management solutions (25-30%)
  • Describe the capabilities of Microsoft security solutions (25-30%)
  • Describe the capabilities of Microsoft compliance solutions (25-30%)

Describe the capabilities of Microsoft Security Solutions (25-30%)
• Describe basic security capabilities in Azure
• Describe security management capabilities of Azure
• Describe security capabilities of Microsoft Sentinel
• Describe threat protection with Microsoft 365 Defender

Learning path: https://learn.microsoft.com/en-us/training/paths/describe-capabilities-of-microsoft-security-solutions/
Basic security capabilities in Azure
Describe basic security capabilities in Azure
• describe Azure DDoS Protection
• describe Azure Firewall
• describe Web Application Firewall
• describe Network Segmentation with Azure Virtual Networks
• describe Azure Network Security Groups
• describe Azure Bastion and JIT Access
• describe the ways Azure encrypts data
Azure DDoS Protection
Types of DDoS attack handled by Azure DDoS Protection:
• Volumetric
• Protocol (layers 3 and 4)
Main features:
• Always-on traffic monitoring
• Adaptive traffic profiling
• Telemetry and alerts
• Cost protection
• Rapid response support
Azure DDoS Protection SKUs
Feature                                                  | DDoS IP Protection | DDoS Network Protection
Active traffic monitoring & always-on detection          | Yes                | Yes
L3/L4 automatic attack mitigation                        | Yes                | Yes
Automatic attack mitigation                              | Yes                | Yes
Application-based mitigation policies                    | Yes                | Yes
Metrics & alerts                                         | Yes                | Yes
Mitigation reports                                       | Yes                | Yes
Mitigation flow logs                                     | Yes                | Yes
Mitigation policies tuned to the customer's application  | Yes                | Yes
Integration with Firewall Manager                        | Yes                | Yes
Microsoft Sentinel data connector and workbook           | Yes                | Yes
DDoS rapid response support                              | Not available      | Yes
Cost protection                                          | Not available      | Yes
WAF discount                                             | Not available      | Yes
Protection of resources across subscriptions in a tenant | Yes                | Yes
Price                                                    | Per protected IP   | Per 100 protected IPs
Azure Firewall
Cloud-native stateful firewall as a service

User configuration: L3-L7 connectivity policies
Microsoft Threat Intelligence: known malicious IPs and FQDNs

Central governance of all traffic flows
• Built-in high availability and auto scale
• Network and application traffic filtering
• Centralized policy across VNets and subscriptions

Complete VNet protection
• Filter outbound, inbound, spoke-to-spoke and hybrid connection traffic (VPN and ExpressRoute)

Centralized logging
• Archive logs to a storage account, stream events to your Event Hub, or send them to Log Analytics or the Security Information and Event Management (SIEM) system of your choice

Best for Azure
• DevOps integration, FQDN tags, service tags, integration with ASE, Backup and other Azure services

Threat intelligence-based filtering
• Alert and optionally deny traffic to and from known malicious IP addresses and domains in near real time

Diagram: hub-and-spoke topology. Azure Firewall sits in the central (hub) VNet; its threat intelligence, NAT, network and application traffic filtering rules decide which inbound and outbound flows are allowed, and traffic is denied by default. Spoke VNets (Spoke 1, Spoke 2) and the on-premises network are filtered through the hub, including Azure-to-on-premises traffic.
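To make the processing order on this slide concrete, the following Python is an added example (not Microsoft's code, and not an Azure SDK call): a small evaluator applying the documented Azure Firewall semantics, with threat intelligence checked before any rule, network rule collections evaluated before application rule collections, first match terminating, and an implicit deny at the end. The threat-intelligence entries, address ranges, rule and collection names are constructed for the example, DNAT collections are not modelled, and the wildcard-FQDN matching is a stated assumption. It also shows the caveat practitioners hit most often: a broad network rule that allows TCP/443 anywhere lets a flow through before the FQDN filter in the application rules is ever consulted.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for Microsoft's threat-intelligence feed.
THREAT_INTEL = {"ips": {"198.51.100.23"}, "fqdns": {"malware.example"}}

@dataclass
class NetworkRule:
    name: str
    protocols: list    # e.g. ["TCP"], ["UDP"] or ["Any"]
    sources: list      # CIDRs, or "*" for any
    destinations: list
    ports: list        # ["443"] or ["*"]

@dataclass
class ApplicationRule:
    name: str
    sources: list
    fqdns: list        # "www.contoso.com" or wildcard "*.contoso.com"
    ports: list        # simplification of the "Http:80" / "Https:443" protocol entries

@dataclass
class RuleCollection:
    name: str
    priority: int      # lower number = evaluated first
    action: str        # "Allow" or "Deny" applies to the whole collection
    kind: str          # "network" or "application" (DNAT collections not modelled)
    rules: list

def _in_any(cidrs, ip):
    return any(c == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(c, strict=False)
               for c in cidrs)

def _fqdn_match(patterns, fqdn):
    # Assumption: "*.contoso.com" matches any sub-domain of contoso.com.
    return any((p.startswith("*.") and fqdn.endswith(p[1:])) or fqdn == p for p in patterns)

def _matches(rule, flow):
    if not _in_any(rule.sources, flow["src"]):
        return False
    if isinstance(rule, NetworkRule):
        return (("Any" in rule.protocols or flow["proto"] in rule.protocols)
                and _in_any(rule.destinations, flow["dst"])
                and ("*" in rule.ports or str(flow["port"]) in rule.ports))
    return (flow.get("fqdn") is not None and flow["proto"] == "TCP"
            and flow["port"] in rule.ports and _fqdn_match(rule.fqdns, flow["fqdn"]))

def evaluate(collections, flow, threat_intel_mode="Deny"):
    """flow = {"src", "dst", "port", "proto", optional "fqdn"}; returns (action, reason)."""
    # 1. Threat intelligence is evaluated before any rule collection.
    #    In "Alert" mode the hit would only be logged and evaluation continues.
    if flow["dst"] in THREAT_INTEL["ips"] or flow.get("fqdn") in THREAT_INTEL["fqdns"]:
        if threat_intel_mode == "Deny":
            return "Deny", "threat-intel"
    # 2. All network rule collections (by priority) come before any application rule
    #    collection; the first matching rule terminates evaluation.
    for kind in ("network", "application"):
        for coll in sorted((c for c in collections if c.kind == kind), key=lambda c: c.priority):
            for rule in coll.rules:
                if _matches(rule, flow):
                    return coll.action, f"{coll.name}/{rule.name}"
    # 3. Nothing matched: Azure Firewall denies by default.
    return "Deny", "implicit-deny"

# Constructed policy: DNS out from the VNet, and HTTPS only to Windows Update FQDNs.
POLICY = [
    RuleCollection("AllowDns", 200, "Allow", "network",
                   [NetworkRule("DnsOut", ["UDP"], ["10.0.0.0/8"], ["*"], ["53"])]),
    RuleCollection("AllowUpdates", 300, "Allow", "application",
                   [ApplicationRule("WindowsUpdate", ["10.0.0.0/8"], ["*.windowsupdate.com"], [80, 443])]),
]
# The same policy plus a broad network rule ("allow TCP/443 anywhere from the VNet").
SHADOWED_POLICY = POLICY + [
    RuleCollection("AllowWeb", 100, "Allow", "network",
                   [NetworkRule("AnyHttps", ["TCP"], ["10.0.0.0/8"], ["*"], ["443"])]),
]

FLOW_UPDATE = {"src": "10.1.0.4", "dst": "20.1.2.3", "port": 443, "proto": "TCP",
               "fqdn": "download.windowsupdate.com"}
FLOW_OTHER = {"src": "10.1.0.4", "dst": "93.184.216.34", "port": 443, "proto": "TCP",
              "fqdn": "www.example.net"}
FLOW_BAD = {"src": "10.1.0.4", "dst": "198.51.100.23", "port": 443, "proto": "TCP",
            "fqdn": "malware.example"}

if __name__ == "__main__":
    for label, flow in (("update", FLOW_UPDATE), ("other", FLOW_OTHER), ("bad", FLOW_BAD)):
        print(label, evaluate(POLICY, flow), "| with broad rule:", evaluate(SHADOWED_POLICY, flow))
```

Under POLICY, www.example.net is denied implicitly because only Windows Update FQDNs are allowed; under SHADOWED_POLICY the same flow is allowed by AllowWeb/AnyHttps and the application rules are never reached. Threat-intelligence hits are denied in both cases because that check runs first.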
Azure WAF
Protection against application-layer attacks

Azure Global WAF (Front Door) and Azure Regional WAF (Application Gateway) apply a WAF policy (custom rules, OWASP rules, bot management) to incoming requests; logs, metrics and monitoring feed Microsoft Sentinel.

• Powerful custom rules engine: geo-filtering, IP restriction, HTTP parameter filtering, size restriction
• Preconfigured OWASP top 10
• Conditional rate limiting at the Azure network edge
• Bot protection integration with Microsoft Threat Intelligence
• Easy configuration: ARM, Portal, API, PowerShell, CLI, Terraform
• Backends: IaaS, PaaS, serverless, on-premises and other cloud backends
Network Security Groups
• Extended, ordered ACLs
• Filtering at layer 3 (IP) and layer 4 (TCP/UDP)
• Enable network segmentation
• Can be applied to a subnet or to a VM's network interface (NIC)
• Only one NSG per NIC or per subnet
• Default rules cannot be deleted or edited, but they can be overridden by higher-priority rules that you create
• All outbound traffic is allowed by default
• All inbound traffic is blocked by default except traffic coming from the VNet or from the Azure Load Balancer

Diagram: an on-premises network (10.0/16) connected through S2S VPNs and a VPN gateway to an Azure Virtual Network with Frontend (10.1/16), Mid-tier (10.2/16) and Backend (10.3/16) subnets, each behind its own NSG; only the Frontend is exposed to the Internet.
Network Security Groups: default rules

Inbound default rules
Name                          | Priority | Source IP         | Source port | Destination IP | Destination port | Protocol | Access
AllowVnetInBound              | 65000    | VirtualNetwork    | *           | VirtualNetwork | *                | *        | Allow
AllowAzureLoadBalancerInBound | 65001    | AzureLoadBalancer | *           | *              | *                | *        | Allow
DenyAllInBound                | 65500    | *                 | *           | *              | *                | *        | Deny

Outbound default rules
Name                          | Priority | Source IP         | Source port | Destination IP | Destination port | Protocol | Access
AllowVnetOutBound             | 65000    | VirtualNetwork    | *           | VirtualNetwork | *                | *        | Allow
AllowInternetOutBound         | 65001    | *                 | *           | Internet       | *                | *        | Allow
DenyAllOutBound               | 65500    | *                 | *           | *              | *                | *        | Deny

Default rules cannot be deleted, but because they are assigned the lowest priority (the highest numbers; rules are evaluated from the lowest number upward and the first match wins), they can be overridden by the rules that you create.
How NSG rules are processed

Simplified administration for NSGs
• Application Security Groups: user-defined groups of VMs (their NICs) that can be referenced as source or destination in NSG rules
• Augmented NSG rules: multiple IP addresses and ports in a single rule
Service tags in NSGs
• Goal: restrict network access to only the Azure services actually used
• The IP addresses behind each tag are maintained by Azure
• Global and regional tags are supported (depending on the service)
• Preview at the time: Azure Storage, SQL, Traffic Manager

Example (diagram): deny Internet outbound, allow only Azure service traffic.
Network Security Group (NSG)
Action | Name            | Source         | Destination | Port
Allow  | AllowStorage    | VirtualNetwork | Storage     | Any
Allow  | AllowSQL        | VirtualNetwork | Sql.EastUS  | Any
Deny   | DenyAllOutBound | Any            | Any         | Any
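The default rules, the priority-ordered first-match processing and the service-tag lockdown from the last three slides, as an added Python example (not Azure code; NSG evaluation is done by the platform, this only reproduces its documented semantics). The service-tag prefixes, VNet address space and rule names are constructed for the example; 168.63.129.16 is the real Azure load balancer / health-probe address. Besides the cases from the slides it shows two things the tables alone do not: that a custom deny-all rule at priority 4096 also blocks VNet-internal traffic (it sits above AllowVnetOutBound at 65000), and that when a subnet and a NIC both carry an NSG, every NSG on the path must allow the flow.

```python
import ipaddress
from dataclasses import dataclass

# Service tags expand to prefixes maintained by Azure. These are constructed stand-ins,
# except 168.63.129.16 (the real Azure load balancer / health-probe address).
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/8"],           # assumption: the VNet address space
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "Internet": ["0.0.0.0/0"],                  # simplification: anything routable
    "Storage": ["20.60.0.0/16"],                # constructed
    "Sql.EastUS": ["40.71.0.0/16"],             # constructed regional tag
    "*": ["0.0.0.0/0"],
}

@dataclass
class Rule:
    name: str
    priority: int      # 100-4096 for custom rules; lower number wins
    source: str        # service tag, CIDR or IP
    destination: str
    dport: str         # destination port or "*"
    protocol: str      # "Tcp", "Udp" or "*"
    access: str        # "Allow" or "Deny"

def _addr_match(selector, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False)
               for p in SERVICE_TAGS.get(selector, [selector]))

def evaluate(nsg, src, dst, dport, proto):
    """Rules are evaluated in ascending priority; the first match decides and
    evaluation stops, so nothing below a matching rule is ever consulted."""
    for r in sorted(nsg, key=lambda r: r.priority):
        if (_addr_match(r.source, src) and _addr_match(r.destination, dst)
                and (r.dport == "*" or int(r.dport) == dport)
                and r.protocol in ("*", proto)):
            return r.access, r.name
    return "Deny", "<no rule matched>"   # unreachable while the default rules exist

def evaluate_path(nsgs, src, dst, dport, proto):
    """A subnet NSG and a NIC NSG are both applied (inbound: subnet first, then NIC;
    outbound: NIC first, then subnet). Every NSG on the path must allow the flow."""
    decisions = [evaluate(n, src, dst, dport, proto) for n in nsgs]
    return ("Allow" if all(d[0] == "Allow" for d in decisions) else "Deny"), decisions

# The default rules from the tables above (65000-65500 cannot be used by custom rules).
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "*", "Deny"),
]
DEFAULT_OUTBOUND = [
    Rule("AllowVnetOutBound", 65000, "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowInternetOutBound", 65001, "*", "Internet", "*", "*", "Allow"),
    Rule("DenyAllOutBound", 65500, "*", "*", "*", "*", "Deny"),
]
# The service-tag example from the slide: allow only the Azure services in use, then deny
# everything else at priority 4096, which shadows AllowInternetOutBound (65001).
LOCKED_DOWN_OUTBOUND = [
    Rule("AllowStorage", 100, "VirtualNetwork", "Storage", "*", "*", "Allow"),
    Rule("AllowSQL", 110, "VirtualNetwork", "Sql.EastUS", "*", "*", "Allow"),
    Rule("DenyAnyOutBound", 4096, "*", "*", "*", "*", "Deny"),
] + DEFAULT_OUTBOUND
# A NIC-level NSG that opens RDP from a single administrator address.
NIC_INBOUND = [Rule("AllowRdpFromAdmin", 100, "203.0.113.5", "*", "3389", "Tcp", "Allow")] + DEFAULT_INBOUND

if __name__ == "__main__":
    print(evaluate(DEFAULT_INBOUND, "203.0.113.5", "10.1.0.4", 3389, "Tcp"))
    print(evaluate(LOCKED_DOWN_OUTBOUND, "10.1.0.4", "10.3.0.9", 1433, "Tcp"))
    print(evaluate_path([DEFAULT_INBOUND, NIC_INBOUND], "203.0.113.5", "10.1.0.4", 3389, "Tcp"))
```

The locked-down outbound NSG denies a VM's connection to a backend VM at 10.3.0.9, because DenyAnyOutBound (4096) matches before AllowVnetOutBound (65000); if intra-VNet traffic is still needed, an explicit VirtualNetwork-to-VirtualNetwork allow rule must be placed above the deny. Likewise, opening RDP only in the NIC NSG does nothing while the subnet NSG still carries DenyAllInBound for that flow.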
Know a few standard network ports
• TCP 80: HTTP
• TCP 443: HTTPS
• TCP 22: SSH
• TCP 3389: RDP
Azure Bastion
• Jump host delivered as a managed service for administering Windows and Linux machines in Azure, so RDP/SSH does not have to be exposed on a public IP
• Authentication with Azure AD, SSH keys or password; Azure Key Vault integration possible
• File transfer
• IP-based connection
Encryption-at-rest models
Two approaches to consider

Cloud encryption
1. Service-level encryption using service-managed keys
   • Cloud services can see the data in the clear
   • Microsoft manages the keys
   • Full cloud functionality
2. Service-level encryption using customer keys held in Azure Key Vault
   • Cloud services can see the data in the clear
   • The customer controls the keys through Azure Key Vault
   • Full cloud functionality
3. Service-level encryption using customer-managed keys held on premises
   • Cloud services can see the data in the clear
   • The customer controls the keys on premises
   • Full cloud functionality

Client encryption
4. Data encrypted on the client side before being stored in the cloud
   • Cloud services CANNOT see the data in the clear
   • The customer's keys stay on premises
   • REDUCED cloud functionality
Encryption of data at rest
• A symmetric encryption key encrypts the data as it is written to storage
• The same key decrypts the data when it is read back
• The data encryption keys are usually themselves encrypted with an asymmetric key-encryption key
• Keys are stored with access control and access logging
Encryption at rest: abstract model
• The workload encrypts data locally with a DEK (Data Encryption Key, symmetric); in the diagram Data1 is encrypted with DEK1
• The workload asks the KEK (Key Encryption Key) holder to encrypt the DEKs
• MEK = Master Encryption Key: asymmetric, used to protect the symmetric keys
• The KEK is managed either by Microsoft or by the customer:
  • Managed by Microsoft: SMK = Service Managed Key (MEK managed by the Azure service), MMK = Microsoft Managed Key, PMK = Platform Managed Key
  • Managed by the customer: CMK = Customer Managed Key (MEK managed by the customer); BYOK = Bring Your Own Key, where the customer imports into Azure a MEK generated locally in their own HSM / server
• The MEKs are protected in HSMs
• Decryption is the exact opposite sequence
More details: https://aka.ms/AzureEncAtRest
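The key hierarchy above (data under a DEK, the DEK wrapped by a KEK that is either Microsoft- or customer-managed) is easiest to understand by running it. The following Python is an added example, not Azure's implementation: it uses an HMAC-SHA256 keystream with an HMAC tag as its symmetric cipher purely so that it runs with the standard library alone (Azure's DEK is AES-256, and a customer-managed KEK in Key Vault is an RSA key), and the KeyVault class, record layout and key names are constructed for the illustration. It shows why the hierarchy exists: rotating or revoking the KEK touches only the wrapped DEK, never the ciphertext, and a tampered ciphertext is rejected before anything is decrypted.

```python
import hashlib
import hmac
import os
import struct

# --- Toy symmetric AEAD (stdlib only): HMAC-SHA256 in counter mode + HMAC tag ---------
# Stand-in for AES-256-GCM; the key hierarchy below is the point, not this cipher.

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal(key, plaintext, aad=b""):
    """Encrypt-then-MAC: nonce || ciphertext || tag. aad is authenticated, not encrypted."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob, aad=b""):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

# --- The key hierarchy ------------------------------------------------------------------

class KeyVault:
    """Constructed stand-in for the KEK holder (Azure Key Vault or an HSM). The KEK never
    leaves; the workload only asks the vault to wrap and unwrap DEKs by key identifier."""
    def __init__(self):
        self._keks = {}

    def create_kek(self, name, version):
        kid = f"{name}/{version}"
        self._keks[kid] = os.urandom(32)   # CMK: created by the customer; BYOK would import it
        return kid

    def delete_kek(self, kid):
        del self._keks[kid]                # revocation: every DEK wrapped under it is now unusable

    def wrap(self, kid, dek):
        return seal(self._keks[kid], dek, aad=kid.encode())

    def unwrap(self, kid, wrapped):
        return unseal(self._keks[kid], wrapped, aad=kid.encode())

def encrypt_record(vault, kid, plaintext):
    dek = os.urandom(32)                   # fresh symmetric DEK per record / blob
    return {"kid": kid, "wrapped_dek": vault.wrap(kid, dek), "ciphertext": seal(dek, plaintext)}

def decrypt_record(vault, record):
    dek = vault.unwrap(record["kid"], record["wrapped_dek"])
    return unseal(dek, record["ciphertext"])

def rotate_kek(vault, record, new_kid):
    """KEK rotation re-wraps the DEK only; the (possibly huge) ciphertext is untouched."""
    dek = vault.unwrap(record["kid"], record["wrapped_dek"])
    return {**record, "kid": new_kid, "wrapped_dek": vault.wrap(new_kid, dek)}

def tamper_is_detected(vault, record):
    """Flip one ciphertext byte and check that decryption refuses it."""
    ct = bytearray(record["ciphertext"])
    ct[20] ^= 0x01
    try:
        decrypt_record(vault, {**record, "ciphertext": bytes(ct)})
        return False
    except ValueError:
        return True

def revocation_blocks_decrypt(vault, record):
    """After the KEK is deleted, the wrapped DEK cannot be recovered."""
    try:
        decrypt_record(vault, record)
        return False
    except KeyError:
        return True

if __name__ == "__main__":
    vault = KeyVault()
    v1 = vault.create_kek("storage-cmk", "v1")
    rec = encrypt_record(vault, v1, b"Patient record 0042: blood type O-")
    v2 = vault.create_kek("storage-cmk", "v2")
    rec2 = rotate_kek(vault, rec, v2)
    print(decrypt_record(vault, rec2), rec2["ciphertext"] == rec["ciphertext"])
```

Rotation produces a record whose ciphertext bytes are identical and whose wrapped DEK differs; deleting the old KEK version leaves records still pointing at it unreadable, which is exactly the lever a customer-managed key gives over data held by the service.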
In Azure
• Examples
  • Azure Storage Service Encryption (Azure managed disks, Azure Blob Storage, Azure Files, Azure Queue Storage)
  • Azure Disk Encryption (Windows: BitLocker, Linux: dm-crypt)
  • Transparent Data Encryption (TDE) (Azure SQL Database, Azure Data Warehouse)
• Azure Key Vault
  • Secrets, keys, certificates
  • Software-protected keys or FIPS 140-2 Level 2 validated HSMs
Microsoft Defender for Cloud
Describe security management capabilities of Azure
• describe Cloud security posture management (CSPM)
• describe Microsoft Defender for Cloud
• describe enhanced security features of Microsoft Defender for Cloud
• describe security baselines for Azure
Microsoft Defender for Cloud (leveraging Azure Arc)
• Strengthen multicloud security posture: Secure Score, policies and compliance
• Protect your multicloud and hybrid workloads: cloud-native workloads, servers, databases and storage, Azure service layers, IoT devices
• Streamline security management: automation
Security posture management with Secure Score
• Gain instant insight into the security state of your cloud workloads
• Address security vulnerabilities with prioritized recommendations
• Improve your Secure Score and overall security posture in minutes
• Speed up regulatory compliance
• Granular control of Secure Score

Figure: evaluated categories (Access, Compute, SQL server, Network, App) with the Secure Score impact of each group of recommendations (+7%, +2%, +1%, +3%, +2%) against a current Secure Score of 50%.

Secure Score
Continuous assessments

Discovering and reporting whether new and


existing resources and assets are configured
according to security compliance requirements

Enabling you to prioritize your security work


Network maps
Optimize and improve security by configuring
recommended controls
Enhanced security features | Defender plans
Workload protections
Azure Security Benchmark (ASB) & security baselines (doc | GitHub)

1. ASB controls: how do industry-standard security controls apply? Controls assessment + mapping.
2. ASB service baselines (90+ baselines): how do Azure services meet control requirements? Service assessment.
3. Secure Score: how do I start secure and stay secure with my Azure resources? Security posture assessment and recommendations.
Microsoft Sentinel
Describe security capabilities of Microsoft Sentinel
• Define the concepts of SIEM and SOAR
• Describe how Microsoft Sentinel provides integrated threat management
Integrated Threat Protection
Diagram: Microsoft Sentinel (SIEM) at the top, ingesting from multi-cloud, third-party and partner sources and from the Microsoft Defender XDR layer: Microsoft 365 Defender (email/docs, endpoints, identities, apps) and Microsoft Defender for Cloud (SQL Server, VMs, containers, network traffic, IoT, apps).
Definitions

SIEM: Security Information and Event Management
• Collects data (infrastructure, software, resources, appliances, ...)
• Analysis, detection, correlation, anomalies
• Generates alerts and incidents

SOAR: Security Orchestration, Automation and Response
• Triggers automated workflows in response to alerts and incidents

XDR: eXtended Detection and Response
• Prevention, detection and response to threats across the enterprise: identities, devices (endpoints), applications, email, IoT, infrastructure, cloud
Microsoft Sentinel
• Collect security data across your enterprise (Visibility): connectors for syslog, Windows Events, CEF, TAXII (threat intelligence), Azure, AWS, GCP, etc.; workbooks (interactive dashboards)
• Detect threats with vast threat intelligence and AI (Analytics): built-in or custom analytics alerts; machine-learning-based models
• Investigate critical incidents guided by AI (Hunting, Incidents): proactive hunting for security threats through query tools; incident management; interactive investigation tools; interactive graph to investigate entities and threats
• Respond rapidly and automate protection (Automation): automated response / workflows through Azure Logic Apps playbooks
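The four stages above (collect, detect, investigate, respond) as an added, stand-alone Python example; this is not Sentinel's code, and a real deployment would express the rule in KQL and the response in a Logic Apps playbook. It parses constructed CEF lines of the kind the CEF connector ingests, runs a scheduled-analytics-style rule (five failed logons from one source within five minutes, escalated to High when a successful logon follows), correlates the resulting alerts into one incident with its entities, and hands that incident to a playbook that returns response actions. Vendor, hostnames, addresses, signature IDs and actions are all constructed.

```python
import re
from collections import defaultdict

CEF_RE = re.compile(r"CEF:\d+\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|[^|]*\|"
                    r"(?P<sig>[^|]*)\|(?P<name>[^|]*)\|(?P<sev>[^|]*)\|(?P<ext>.*)")
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
SEVERITY = {"Low": 1, "Medium": 2, "High": 3}

def parse_cef(line):
    """Collect: turn one CEF/syslog line into a dict; lines that are not CEF are dropped."""
    m = CEF_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev.update(EXT_RE.findall(ev.pop("ext")))   # src=, suser=, dhost=, rt= ...
    ev["ts"] = int(ev["rt"]) // 1000           # rt is epoch milliseconds
    return ev

# Constructed sample feed: signature 100 = failed logon, 101 = successful logon.
_BASE = 1675080000000  # 2023-01-30 12:00:00 UTC
SAMPLE_LOGS = (
    [f"Jan 30 12:00 web01 CEF:0|Contoso|SSHGate|1.0|100|Failed login|5|"
     f"src=203.0.113.9 suser=root dhost=web01 rt={_BASE + i * 10000}" for i in range(5)]
    + [f"Jan 30 12:01 web01 CEF:0|Contoso|SSHGate|1.0|101|Login success|3|"
       f"src=203.0.113.9 suser=root dhost=web01 rt={_BASE + 60000}"]
    + [f"Jan 30 12:00 web02 CEF:0|Contoso|SSHGate|1.0|100|Failed login|5|"
       f"src=198.51.100.4 suser=deploy dhost=web02 rt={_BASE + 5000 + i * 10000}" for i in range(2)]
    + [f"Jan 30 12:01 web01 CEF:0|Contoso|SSHGate|1.0|101|Login success|3|"
       f"src=10.1.0.5 suser=ops dhost=web01 rt={_BASE + 100000}",
       "Jan 30 12:02 web01 kernel: not a CEF line at all"]
)

def detect(events, threshold=5, window_s=300):
    """Detect: sliding-window rule over failed logons per source address."""
    fails, alerts = defaultdict(list), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src, t = ev["src"], ev["ts"]
        fails[src] = [x for x in fails[src] if t - x <= window_s]   # drop stale failures
        entity = {"src": src, "host": ev["dhost"], "account": ev["suser"], "ts": t}
        if ev["sig"] == "100":
            fails[src].append(t)
            if len(fails[src]) == threshold:                         # fire once per burst
                alerts.append({"rule": "SSH brute force", "severity": "Medium", **entity})
        elif ev["sig"] == "101" and len(fails[src]) >= threshold:
            alerts.append({"rule": "Successful logon after brute force", "severity": "High", **entity})
    return alerts

def build_incidents(alerts):
    """Investigate: group alerts that share a source IP into one incident with its entities."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)
    incidents = []
    for src, group in by_src.items():
        top = max(group, key=lambda a: SEVERITY[a["severity"]])
        incidents.append({"title": top["rule"], "severity": top["severity"], "alerts": group,
                          "entities": {"ip": {src}, "host": {a["host"] for a in group},
                                       "account": {a["account"] for a in group}}})
    return incidents

def playbook(incident):
    """Respond: the actions a Logic Apps playbook would take (constructed placeholders)."""
    actions = [{"action": "notify_soc", "incident": incident["title"]}]
    if SEVERITY[incident["severity"]] >= SEVERITY["High"]:
        actions += [{"action": "block_ip", "ip": ip} for ip in sorted(incident["entities"]["ip"])]
        actions += [{"action": "disable_account", "account": a}
                    for a in sorted(incident["entities"]["account"])]
    return actions

def run_pipeline(lines):
    events = [e for e in map(parse_cef, lines) if e]
    incidents = build_incidents(detect(events))
    return incidents, [playbook(i) for i in incidents]

if __name__ == "__main__":
    for inc, acts in zip(*run_pipeline(SAMPLE_LOGS)):
        print(inc["severity"], inc["title"], inc["entities"], acts)
```

On the sample feed only 203.0.113.9 crosses the threshold; its Medium alert and the later High alert are correlated into a single High incident, and the playbook blocks the address and disables the account, while the two failures from 198.51.100.4 and the normal logon from 10.1.0.5 produce nothing.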
Microsoft Sentinel costs
• Microsoft Sentinel data is stored in a Log Analytics workspace
• Billing is based on the volume of data (logs) ingested
  • Pay-as-you-go ($/GB)
  • Capacity reservations (> 100 GB/day)
• Retention: 3 months free
• Details:
  https://azure.microsoft.com/en-us/pricing/details/microsoft-sentinel/
  https://azure.microsoft.com/en-us/pricing/calculator/
Resources
• Acronyms: https://aka.ms/MSAcronyms
• Virtual instructor-led trainings: https://partner.microsoft.com/en-us/training/assets/collection/microsoft-security-compliance-and-identity-fundamentals-sc-900#/
• John Savill SC-900 Study Cram: https://www.youtube.com/watch?v=Bz-8jM3jg-8
• Exam registration: https://learn.microsoft.com/en-us/certifications/exams/sc-900/