Security and compliance concepts and methodologies
5 minute read
https://docs.microsoft.com/en-us/learn/modules/describe-security-concepts-methodologies/
Zero trust model
“trust no one, verify everything and assume breach”
- By no longer trusting the integrity of the corporate network, security is strengthened.
- Password alone is nmot strong enough so MFA is required
- Instead of access to all on the network users are restricted to what they need
Guiding principles
- Verify explicitly. Always authenticate and authorize based on the available data points, including user identity, location, device, service or workload, data classification, and anomalies.
- Least privileged access. Limit user access with just-in-time and just-enough access (JIT/JEA), risk-based adaptive policies, and data protection to protect both data and productivity.
- Assume breach. Segment access by network, user, devices, and application. Use encryption to protect data, and use analytics to get visibility, detect threats, and improve your security.
Pillars
- Identities may be users, services, or devices. When an identity attempts to access a resource, it must be verified with strong authentication, and follow least privilege access principles.
- Devices create a large attack surface as data flows from devices to on-premises workloads and the cloud. Monitoring devices for health and compliance is an important aspect of security.
- Applications are the way that data is consumed. This includes discovering all applications being used, sometimes called Shadow IT because not all applications are managed centrally. This pillar also includes managing permissions and access.
- Data should be classified, labeled, and encrypted based on its attributes. Security efforts are ultimately about protecting data, and ensuring it remains safe when it leaves devices, applications, infrastructure, and networks that the organization controls.
- Infrastructure, whether on-premises or cloud based, represents a threat vector. To improve security, you assess for version, configuration, and JIT access, and use telemetry to detect attacks and anomalies. This allows you to automatically block or flag risky behavior and take protective actions.
- Networks should be segmented, including deeper in-network micro segmentation. Also, real-time threat protection, end-to-end encryption, monitoring, and analytics should be employed.
Shared responsibility model
Identifies which security tasks are handled by the cloud provider, and which security tasks are handled by you, the customer
- If you run all your IT on-prem then you are 100% reponsible
- Adding a cloud provider changes that percentage so some parts of your IT are managed by you and the cloud providor
- This responsibility varies based on how which offering you choose
- IaaS
- PaaS
- SaaS
Defense in-depth
Uses security layers instead of a single perimeter
- Slows down an attack
- Each layer is a protection
- If one is breached others can help withstand the attack
Examples include
- Physical access to the data center is controlled
- Identity controls such as SSO, MFA and conditional-based access
- Permieter controls to limit DDos attacks
- Network segmentation and network access controls (firewall, NSG)
- Compute security such as closing down unnessecary ports on a server
- Application security such as using the latest release that is supported and secured
- Data security such as encryption and managing access
CIA - Confidentiality, Integrity, Availability
Shows the trade-off when using security controls where increasing one can make the other mode difficult
Confidentiality secures sensitive data such as customer, password or financial tyupically using encryption but adds overhead of managain the encryotion keys.
Integrity or keeping the data intact and correct means that when data is transported or stored it must be secured in such as way that it cannot be altered.
Availability of the data to those who need it such as business users and customers.
Common threats
There are many different threats but they can be grouped into the following types
Data breach is where data is stolen
Dictionary attack is where a hacker will try multiple password values until the correct password is found often employing scripts to process the data quickly
Ransomware is where an attacker breaches a system then locks the business out often using encryotion and demand a ransom is paid to unlock the system again
Disruptive attacks include the most well known which is a distributed denial of service or DDos
Encryption and hashing
- Encrypt sensitive or valuable data
- Data is unreadable and unusable to unauthorized users
- To access data it must be decrypted that requires a secret key
Types of encryption
Symmetric; uses the same key to encrypt and decrypt data.
Asymmetric; uses a public and private key pair. Either key can encrypt data but a single key cannot decrypt data. You need both keys or the key pair. This type of encryption is sued for TLS, HTTPS and data signing.
Encryption at rest
- Data is on a disk or storage device or a database
- Unless you have the key the data cannot be read
- If an attacker took the disk they would not be able to retrieve the data
Encryption in transit
- Data is being transported from source to destination
- Web traffic (HTTPS) for example
- An attacker would not be able to read the data “on the wire”
Hashing
- An algorithm that converts the original data to a unique fixed-length hash value
- Every time the data is hashed the same hash value is returned unless the data has changed
- Hashing is not encryption and does not use keys
- The hashed data is not returned to the original data
- Used to store passwords
- User enters a password
- The system hashes the entered password and compares it to it’s stored hash version of the user’s password
- Is the hash is the same then the password entered must be the same as the one stored by the system
- Means the system does not need to store passwords as plain text; just the hashed values
- Hashing algorithms are known to attackers and can be used to use brute force to learn the actual password from a hashed value
- To add security to hashed data they can be “salted”. This means adding a fixed-length random value to the input of the hash function that creates a unique output every time. So an attacker could never brute force the hash unless they knew the salt value.
Cloud adoption framework
- Consists of the following to help businesses move to the cloud
- Documentation
- Implementation guidance
- Best practices
- Tools
- Inputs come from Microsoft, partners and customers
- A proven and consistent method to implement cloud technologies
Lifecycle
- Strategy: define business justification and expected outcome
- Plan: align actionable tasks to achieve the outcome
- Ready: prepare the cloud platform
- Adopt:
- Migrate and modernize existing workloads
- Develop new workloads
- Govern: the environment and workloads
- Manage: operate the workloads