# Microsoft Security 虛擬培訓日筆記 ## 安全性、合規性和身份識別基礎知識 ## Lession 1 ### Zero-trust methodology ### Defense in depth Defense in depth uses a layered approach to security * Physical * Identity and access * Perimeter * Network * Compute * Application * Data ### The shared responsibility model The responsibilities vary based on where the workload is hosted: * Software as a Service * Platform as a Service * Infrastructure as a Service * On-premises datacenter (On-prem) ### Confidentiality, Integrity, Availablity (CIA) CIA - A way to think about security trade-offs. * **Confidentiality** refers to the need to keep confidential sensitive data such as customer information, passwords, or financial data. * **Integrity** * **Availability** ### Common threats * Data breach * Phishing * Spear phishing * Tech support scams * SQL injection * Malware designed to steal passwords or bank details * Dictionary attack * Ransomeware * Disruptive attacks ### Encryption Encrption is the process of making data unreadable and unusable to unauthorized viewers. #### Two top-level types of enctryption: * Symmetric * Asymmetric ### Hashing Hashing uses an algorithm to cobert the original text to a unique fixed-lenghth hash value. ### Microsoft Cloud Adoption Framework Consisits of documentation,implementation guidance, & best practices that support increases security and compliance ## Lession 2 ### Common identity attacks Types of security threats * Password-based attacks * Phishing * Spear phishing ### Identity as the primary security perimeter Identity has become the new security perimeter that enables organizations to secure their assets. #### An identtity is how someone or so,ething can be verified and authenticated and may be associated with: * User * Application * Device * Other #### Four pillars of identity: * Administration * Authentication * Authorization * Auditing ### Modern authentication and the role of the identity provider Modern authentication is an umbrella term for authentication and authorization methods between a client and a server. * identity provider (IdP) ### The concept of Federated Services Scenario: 1. The website uses the authentication services of IdP-A 2. The user authenticates with IdP-B 3. ....... ### The concept of directory services and Active Directory * A directory is a hierarchical structure that stores information about objects on the network * A directory service stores directory data and makes it available to network users, administrators * The best-known service of this kind is Active Directory Domain Service (AD DS), a central component ### Module Summary * Learned about some important security concepts and methodologies. * Learned about some import identity concepts ### QA > 由 Micosoft 365 專家進行問答 What is authorization and authentication with example? 舉個簡單的例子，當你刷badge進入辦公室 確認你的身分的過程就是驗證authentication，當你的公司人資可以造訪你的每月薪資條，就是一種授權他可以閱讀員工薪資條的過程也就是authorization，兩者的差異主要是這樣喔 ### Azure Active Directory Azure AD is Microsoft's cloud-based identity and access management service. Capabilities of Azure AD ### Azure AD identity types * User * Service principal * Managed identity * Device ### Authentication methods of Azure AD #### MFA * something you know * something you have * something you are ### Multi-factor authentication (MFA) in Azure AD Different authentication methods that can be used with MFA * Passwords * Password & additional verification * Phone (voice or SMS) * Microsoft Authenticator * Open Authentication (OATH) with software or hardware tokens ### Windows Hello for Business ### Self-service password reset (SSPR) in Azure AD * Benefits of Self-service password reset * Self-service password reset works in the following scenarious * Authentication method of SSPR ## Lession 3 ### Conditional Access #### Conditional Access signals * User or group membership * Named location information * Device * Application * Real-time sign-in risk detection * Cloud apps or actions * User risk #### Access controls * Block access * Grant access * Require one or more conditions to be met before granting access #### Azure AD role-based access control (RBAC) * Built-in roles * Custom roles * Azure AD role-based access control * Only grant the access users need ## Lesson4 ### Identity governance in Azure AD #### The tasks of Azure AD identity governance * Govern the identity llifecycle * Govern access lifecycle * Secure privileged access for administration #### Identity lifecycle * Join: A new digital identity is created * Move: Update access authorizations * Leave: Access may need to be removed ### Entitlement management and access reviews * Entitlement management * Access reviews * Terms of use ### Privileged Identity Management (PIM) PIM enables toy to manage, control, and monitor access to important resources in your organization. ### Azure Network Security groups Network securrity groups (NSG) let you allow or deny network traffic to and from Azure resources that exist in your Azure Virtual Network. ### Azure Resource Manager locks Azure Resource Manager locks * Prevent resources from being accidentally deleted or changed. ### Azure Policy ### Azure Defender Scope of Azure Defender * Servers * Kubernetes * App Service * Container registries * Storage * Key Bault SQL ### SIEM, SOAR, and XDR #### SIEM collect data from accrss the whole estate ### Sentinel provides integrated threat protection * Collect * Detect * Investigate * Respond