Security Models and Tools

Zero Trust - a security model: never trust, always verify. Use every available method to validate identity and authorization Pasted image 20251214210838

Defense-in-Depth Model - multiple layers of protection approach

Security Layers (available to use in cloud computing):

  • Data - i.e. virtual network endpoint, limit SQL Server user rights
  • Application - i.e. run API management in front of APIs
  • Compute - i.e. limit remote desktop access, limit ssh, run Windows update
  • Network - i.e. set up an NSG, use subnets, deny traffic by default
  • Perimeter - i.e. DDoS protection, firewalls
  • Identity & access - i.e. Azure AD
  • Physical - i.e. door locks, fingerprint readers, and key cards

Security Tools and Services

MS Defender for Cloud - a Cloud Security Posture Management (CSPM) and cloud workload protection solution to continuously assess the environment, harden resources, and detect and resolve threats

Azure Security Center - provides advanced threat protection and is a unified security management system

Distributed Denial of Service attacks (DDoS) - a type of attack that originates from the Internet that attempts to overwhelm a network with millions of packets of bad traffic that aims to prevent legitimate traffic from getting through

Azure DDoS Protection - basic level of protection is included free; there is a standard level that you can upgrade to (pay for) that will add logging, alerting and telemetry for you to see these attacks happening

Azure Firewall - a managed service inside Azure that protects your virtual networks from unauthorized traffic

Azure Dedicated Hosts - a service that provides physical servers for use by indicated virtual machine(s) as isolated machines not shared between Azure customers

Azure Sentinel - a security information event management and security orchestration automated response solution

Key Vault - Azure’s management solution for secrets, keys, and certificates

Network Security Group (NSG) - a fairly basic set of rules that you can apply to both inbound traffic and outbound traffic that lets you specify what sources, destinations and ports are allowed to travel through from outside the virtual network to inside the virtual network