Practical introduction to security, compliance, and identity fundamentals
Stepping into the world of Cybersecurity, and preparing for the Azure SC-900 certification
Microsoft offers a series of certifications that lead toward the Cybersecurity Architect role, covering Azure-focused security configurations and product lines. Cybersecurity cuts horizontally across all of them, so there are many combinations to study when you look across the endpoints and services Microsoft supports.
Achieving cloud certifications as a beginner is often a bumpy path until you find an approach that works. The tricky part is that the exams focus on applying cloud services to the goals of the role they represent: the engineer exams focus on functions and application services, the architect exams on larger configurations and virtualization, and the security exams on the products that help defend the cloud.
The "Microsoft Certified: Security, Compliance, and Identity Fundamentals" certification, also known as SC-900, is a fundamentals-level exam that builds a beginning understanding of a secure cloud model. It covers provider and customer responsibilities, best practices for security posture, encryption and hashing, and the entry points into Azure cloud services through an identity provider (IdP) and managed services.
Microsoft's training and study guide show how the material is organized and what to expect on the exam. Two core segments weave through the various products and set the overall expectation of what the certification covers.
Describe security and compliance concepts:
- Describe the shared responsibility and the defense in-depth security models.
- Describe the Zero-Trust model.
- Describe the concepts of encryption and hashing.
- Describe some basic compliance concepts.
Describe identity concepts:
- Understand the difference between authentication and authorization.
- Describe the concept of identity as a security perimeter.
- Describe identity-related services.
As one would expect, these core security principles are covered; when preparing for the exam, it also helps to familiarize yourself with the products Microsoft applies to solve for these principles.
Security and compliance principles
The shared responsibility model is the matrix that describes what the cloud provider is responsible for, what the customer is responsible for, and, in some cases, the duties they share.
Shared responsibility model (SRM)
In the shared responsibility model the provider and the customer each have fixed duties, and the variable duties fall to whichever party configures the infrastructure. Those variable duties are usually the crossover between feature and implementation: the provider ships a security feature, and the customer bears the effort of enabling it to build a compensating control for a liability, or else accepts the risk.
Zero Trust is the modern pattern for controlling the infrastructure, application and network properties of customer-configured services. How much risk the provider or the customer assumes varies with the service model chosen, so these architectural choices decide where the duties land.
In Software as a Service (SaaS) the cloud provider does the most, and infrastructure customization is reduced accordingly. In Platform as a Service (PaaS) the range of offerings increases and so does the customer's share of the responsibility; it is a middle ground that keeps the provider managing the runtime and operating system while leaving application code, configuration and data to the customer. In Infrastructure as a Service (IaaS), still very common in modern engineering practice, the provider owns the physical hosts, storage and physical network, while the operating system, network configuration, applications and security enablement fall to the customer. In an on-premises datacenter all of the responsibility is the customer's, except for defects in the products they have purchased or the cloud services they connect to. In every model the customer remains responsible for its data, its endpoints, its accounts and its access management; no provider takes those over.
When securing the premises, hardware, infrastructure, data, credentials and secrets, the advice is to apply security in layers. The Open Systems Interconnection (OSI) model famously describes networking as seven layers; in a similar spirit Microsoft describes seven layers of its own, referred to as 'defense in depth'.
Defense in depth (DiD)
The defensive layers of enterprise computing are physical security, identity and access, perimeter, network, compute, application, and data. As the diagram above shows, each layer shelters the one inside it, so an intruder must get through the outer layers before reaching the inner ones, and at the center sits the most important asset of all: the data.
Physical security is the most visible: locks on doors, access badges, fences and security guards. The identity and access layer is what a user meets at a login screen; it authenticates the user and decides what they may reach in the layers below. The perimeter layer is the virtual safeguard at the edge: firewalls, DDoS protection, and intrusion detection and prevention systems (IDS/IPS). At the network layer, allow-lists, classless inter-domain routing (CIDR) ranges in network security group rules, and segmentation limit which hosts may talk to which; browser-side policies such as cross-origin resource sharing (CORS) and content security policy (CSP) belong to the application layer rather than the network. In the compute layer, hardware roots of trust such as the trusted platform module (TPM), patched operating systems, endpoint protection, and memory-safe runtimes reduce the risk of privilege escalation, remote access, and memory-corruption attacks. The application layer protects the handshakes and traffic to an application with TLS and isolates the application from what is above and below it through containerization and sandboxing, along with secure coding and secrets kept out of the code. The data layer, usually a database or storage account, needs its own access controls for internal and external access, encryption at rest, and the same TLS safeguards in transit that applications use.
One further consideration: people build these networks, devices and infrastructure, and people are often the weakest link in the security chain as it grows more complex and more guarded. Companies building these systems at increasing velocity are putting these practices to work and training their employees on how not to fall victim to outside threats. A common principle, the confidentiality, integrity, availability (CIA) triad, states the objectives that these safeguards serve.
Confidentiality is keeping information private: only authorized people and systems can read it, enforced through passwords, rotated secrets, encryption and careful handling. Integrity is keeping information accurate and unaltered, so that data has not been tampered with in storage or in transit, which is what hashes and digital signatures are for. Availability is keeping information and systems reachable by the people who need them, when they need them, which is why backups, redundancy and DDoS protection belong to security. The triad works like a Venn diagram: all three principles meet in the middle, and a successful implementation relies on each one independently; locking data away so tightly that nobody can use it sacrifices availability for confidentiality.
Zero trust model (ZTM)
In the zero trust model nothing is trusted because of where it sits on the network; every request is authenticated and authorized, and access is granted at the most granular level that still lets the work get done, all the way up to the elevated permission tiers. Under this design every role holds the least privilege needed for its tasks. The model applies equally to humans and to computer-based services, which matters as automation takes over more operational work, often indirectly for humans through software as a service (SaaS).
As a methodology for modern infrastructure configuration, the ZTM rests on three principles that Microsoft considers central:
- Verify explicitly: always authenticate and authorize, based on all available data points such as identity, location, device health and the service requested.
- Use least privilege access: limit user and service access with just-in-time and just-enough access for the job at hand.
- Assume breach: design as if an attacker is already inside, so encrypt data end to end, segment the network to limit the blast radius, and log and analyze everything to detect the intrusion.
In the ZTM there are six foundational pillars outlined by Microsoft to which the above principles are applied:
- Identities: users, services and devices; each one must be verified with strong authentication and granted least privilege.
- Devices: endpoints create a large attack surface as data flows to them, so their health and compliance must be monitored.
- Applications: the data creators and readers; their permissions should be audited and their in-app usage monitored.
- Data: should be classified and labeled with metadata so it can be protected wherever it travels.
- Infrastructure: on-premises or in the cloud, should have built-in countermeasures, access logs and configuration monitoring.
- Networks: should be segmented and monitored, with traffic encrypted in transit.
Encryption and hashing
One of the primary methods for securing data has always been encryption: transforming readable plaintext into ciphertext so that only a party holding the right key can read it, which gives the sender and receiver assurance about who can access the data. Hashing is different: a hash function turns data of any length into a fixed-length value that cannot be reversed to recover the input, and the same input always produces the same hash. Hashing is not obfuscation for secrecy; it is used for integrity (a changed file produces a different hash) and for storing passwords, so that a database holds a salted hash rather than the password itself. Encryption protects data at rest, in transit and in use, while hashing verifies that data has not been altered as it passes between the different layers of exchange.
There are many encryption algorithms, in two families. Symmetric encryption uses one shared secret key for both encryption and decryption; it is fast and is how bulk data is encrypted. Asymmetric encryption uses a public and private key pair: data encrypted with the public key can be decrypted only with the private key, and a signature made with the private key can be verified by anyone holding the public key, which is how two parties establish trust and exchange symmetric keys. Hashing takes no key at all: a known algorithm such as SHA-256 produces a digest, and there is no way to decipher it back into the input. The only check available is to hash a candidate input and compare digests, which is exactly how a password is verified against its stored salted hash.
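The contrast above, as an added example that is not part of the original post: hashing is one-way and keyless, encryption is reversible with the right key and rejects the wrong one. It uses only the Python standard library. The symmetric cipher is a teaching construction (an HMAC-SHA256 counter-mode keystream with an integrity tag) standing in for a vetted AEAD such as AES-GCM, which you would take from a library in real code; the message and password are constructed sample data.

```python
"""Added example (not from the original post): hashing vs. encryption, stdlib only.
The cipher below is for illustration; use AES-GCM from a vetted library in practice."""
import hashlib
import hmac
import os


def sha256_hex(data: bytes) -> str:
    """One-way, fixed-length digest: same input -> same output, no key, no reversal."""
    return hashlib.sha256(data).hexdigest()


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Store a salted, deliberately slow hash (PBKDF2-HMAC-SHA256) instead of the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Verification recomputes the hash; nothing is ever 'decrypted'."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Teaching-only keystream: HMAC-SHA256(key, nonce || counter) blocks, truncated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Symmetric: one key encrypts and decrypts. Output is nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()  # integrity tag
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Reverses encrypt() only with the right key; raises if the blob was altered."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def demo() -> dict:
    """Runs the comparison on constructed data and returns each observation as a bool."""
    msg = b"payroll export 2025-Q1"          # constructed sample message
    key = os.urandom(32)
    blob = encrypt(key, msg)
    salt, stored = hash_password("correct horse battery staple")  # constructed sample
    try:
        decrypt(os.urandom(32), blob)        # a different key must not yield plaintext
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    return {
        "hash_is_deterministic": sha256_hex(msg) == sha256_hex(msg),
        "hash_changes_on_small_edit": sha256_hex(msg) != sha256_hex(msg[:-1] + b"2"),
        "hash_length_is_fixed": len(sha256_hex(b"")) == len(sha256_hex(msg * 100)),
        "encrypt_round_trips": decrypt(key, blob) == msg,
        "wrong_key_rejected": wrong_key_rejected,
        "password_verifies": verify_password("correct horse battery staple", salt, stored),
        "wrong_password_fails": not verify_password("Correct horse battery staple", salt, stored),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:28} {'ok' if ok else 'FAIL'}")
```

Note that `decrypt()` checks the tag before touching the ciphertext, so a wrong key or a flipped byte is reported as a failure rather than returned as garbage; that is the property you should expect from any real encryption API as well.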
Governance, risk, and compliance (GRC)
In a mature software environment, committees around the business group together to make decisions on features and changes to the business's technology. Like a board committee, the governance panel meets to decide which changes are made in the system and to define the details of how it evolves.
As laws, policies and businesses change, the company needs to continuously govern choices, evaluate risk and monitor for compliance. The objective is to stay in compliance with the industry's standards, whether the Health Insurance Portability and Accountability Act (HIPAA) or the Payment Card Industry Data Security Standard (PCI DSS), and ideally to stay ahead of the required standards so that risk is avoided rather than remediated.
In the Microsoft governance model, there are clear data standards that focus on the outcomes of people, technology and processes:
- Data residency is the physical or geographic location where a company's data is stored and processed, and the who, where, what and why of that processing.
- Data sovereignty is the principle that data is subject to the laws of the country or region in which it is collected or stored, which is why data such as the PII of users in a certain location is often kept within that region.
- Data privacy covers the permissions around collecting data, transparency about how it is used, who may access it, and the stewardship of it on behalf of the individuals it describes.
These resources are provided by Microsoft for reviewing the security and compliance sections of this exam:
- Zero Trust Resource Center
- Shared responsibility in the cloud
- Azure defense in depth
- Enabling Data Residency and Data Protection in Microsoft Azure Regions
- Describe concepts of cryptography
Identity concepts
As the network of computers grew with the internet, and even before it, there has been a need for an identity within the system to assign values and permissions and to segment workspaces. The layering of interconnected identities, Single Sign-On (SSO), and an API-driven software world require compounding countermeasures.
An identity provider (IdP), delivered as Identity as a Service (IDaaS), is a managed way of creating identities, sharing identity data through standard protocols, and linking up with Identity and Access Management (IAM) and use cases such as federated identities. With all of this connectivity, and the access a single account can reach, the security requirements for these accounts scale far beyond a password stored in a database.
Over the last decade Multi-factor Authentication (MFA) has become the standard consideration for improving the security of the IdP and its user accounts. The extra step proves that the user also holds something tied to the account, such as a code generator app, a security key, a mobile phone, or an email address, for a higher level of assurance; phishing-resistant factors such as FIDO2 security keys are stronger than SMS or email codes, which can be intercepted or redirected.
Authentication and authorization
A common discussion around IdP services is how users are authenticated and then how they are authorized. In authentication, a user presents a username and password (plus an MFA factor) to prove who they are; the identity service compares the password against its credential store, which holds salted password hashes rather than the passwords themselves. The signing keys the identity service uses to issue tokens may be held in a Hardware Security Module (HSM), and isolating the identity servers from other workloads keeps user data segmented from the working machines.
The account, its assigned privileges and its organizational information provide the metadata that allows or disallows the account from accessing certain software or activities. This is authorization, and it begins only after authentication has established who is asking. In Role-Based Access Control (RBAC), users are assigned a role that carries a fixed set of permissions, letting them complete a select set of tasks. In Attribute-Based Access Control (ABAC), the decision also uses attributes of the user, the resource and the request, so a grant can be made more granular, such as allowing reads and writes only to storage carrying a certain tag; Azure, for example, expresses ABAC as conditions added to a role assignment.
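The sequence described above, as an added example that is not part of the original post: authentication first, then an authorization decision made under RBAC and again under ABAC for the same requests. The users, session tokens, resource tags and the two condition functions are constructed for illustration; the role names echo Azure's built-in storage roles, but the policy engine is a teaching model, not a provider API.

```python
"""Added example (not from the original post): authn gates authz; RBAC next to ABAC.
All identities, tokens, roles and tags are constructed sample data."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset        # RBAC input: roles assigned to the account
    attributes: dict        # ABAC input: department, project, ...


@dataclass(frozen=True)
class Resource:
    name: str
    tags: dict              # attributes carried by the resource itself


# Authentication: map a presented session token to a verified account. A real IdP
# checks a credential (salted hash + MFA) before issuing the token; this constructed
# table stands in for its session store.
_SESSIONS: Dict[str, Principal] = {
    "tok-alice": Principal("alice", frozenset({"Storage Blob Data Contributor"}),
                           {"department": "finance", "project": "payroll"}),
    "tok-bob": Principal("bob", frozenset({"Storage Blob Data Reader"}),
                         {"department": "hr", "project": "benefits"}),
}


def authenticate(token: str) -> Optional[Principal]:
    """Who is this? None for an unknown or expired token."""
    return _SESSIONS.get(token)


# RBAC: a role is a fixed bundle of permitted actions, independent of the resource.
ROLE_PERMISSIONS: Dict[str, set] = {
    "Storage Blob Data Reader": {"blob:read"},
    "Storage Blob Data Contributor": {"blob:read", "blob:write", "blob:delete"},
}


def rbac_allows(p: Principal, action: str) -> bool:
    """Any held role that grants the action is enough; the target is not consulted."""
    return any(action in ROLE_PERMISSIONS.get(r, set()) for r in p.roles)


# ABAC: conditions attached to a role assignment, evaluated per request against
# principal attributes, resource attributes and the environment (hypothetical rules).
Condition = Callable[[Principal, Resource, dict], bool]


def same_project(p: Principal, r: Resource, env: dict) -> bool:
    return r.tags.get("project") == p.attributes.get("project")


def business_hours(p: Principal, r: Resource, env: dict) -> bool:
    return 9 <= env.get("hour", -1) < 18


ASSIGNMENT_CONDITIONS: Dict[str, List[Condition]] = {
    "Storage Blob Data Reader": [same_project],
    "Storage Blob Data Contributor": [same_project, business_hours],
}


def abac_allows(p: Principal, action: str, r: Resource, env: dict) -> bool:
    """The role must grant the action AND every condition on that assignment must hold."""
    for role in p.roles:
        if action not in ROLE_PERMISSIONS.get(role, set()):
            continue
        if all(c(p, r, env) for c in ASSIGNMENT_CONDITIONS.get(role, [])):
            return True
    return False


def authorize(token: str, action: str, r: Resource, env: dict, model: str = "abac") -> bool:
    """No verified principal, no decision to make: authentication comes first."""
    p = authenticate(token)
    if p is None:
        return False
    return rbac_allows(p, action) if model == "rbac" else abac_allows(p, action, r, env)


def scenario() -> dict:
    """Same requests under both models; where they differ is the point."""
    payroll = Resource("payroll-q1.csv", {"project": "payroll"})      # constructed
    benefits = Resource("benefits-2025.csv", {"project": "benefits"})  # constructed
    day, night = {"hour": 10}, {"hour": 23}
    return {
        "unknown_token_denied": authorize("tok-mallory", "blob:read", payroll, day),
        "rbac_alice_writes_other_project": authorize("tok-alice", "blob:write", benefits, day, "rbac"),
        "abac_alice_writes_other_project": authorize("tok-alice", "blob:write", benefits, day),
        "abac_alice_writes_own_project": authorize("tok-alice", "blob:write", payroll, day),
        "abac_alice_writes_at_night": authorize("tok-alice", "blob:write", payroll, night),
        "abac_bob_reads_own_project": authorize("tok-bob", "blob:read", benefits, night),
        "abac_bob_writes_anything": authorize("tok-bob", "blob:write", benefits, day),
    }


if __name__ == "__main__":
    for check, allowed in scenario().items():
        print(f"{check:34} {'ALLOW' if allowed else 'DENY'}")
```

Under RBAC alice's Contributor role lets her write any blob; under ABAC the same role is narrowed by the project tag and the time of day, which is the granularity the text describes. Note that the reader role carries only the project condition, so bob can still read his own project's data at night.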
Identity as a perimeter
Microsoft frames security around account security: the account and its categorical information sit at a critical outer layer of access and can constrain what is reachable far down the layers of protection. The point is that a secure, Microsoft-based account becomes a ubiquitous control that protects both internal and external accounts.
These examples, taken directly from Microsoft, illuminate this concept and combine to increase security:
- SaaS application authentication for software out of network.
- Personal devices used for business interactions.
- Unmanaged devices used to access business information.
- Internet of Things (IoT) devices, on the business network.
As the focus on auth scales and the networks connected to identities multiply, companies should consider the four pillars of identity suggested by Microsoft:
- Administration oversees the creation and management of identities.
- Authentication provides sufficient proof that the user is who they claim to be.
- Authorization determines the level of access for a user.
- Auditing tracks the actions of users in depth.
In these scenarios where Microsoft hosts the authorized user, Microsoft Entra ID is the identity provider and platform. As the provider, Microsoft offers assurances in the SRM that delineate what it secures and what it expects the customer to secure about the user information.
On-premises, Microsoft's directory for Windows-based devices is Active Directory Domain Services (AD DS). Where a group of users may fit a staffing category within an organization, a group of devices fits into a domain, and through that domain devices and endpoints are joined to the network and governed by its policies.
When users are in Microsoft Entra ID as an IDaaS, devices can be joined to it as well, so the user's permissions are controlled throughout the system; an organization that still runs AD DS can synchronize its on-premises identities to Entra ID with Microsoft Entra Connect and use both. As with IAM generally, access control for on-premises and cloud networks can then be applied through the lens of a user's identity, all made possible by Microsoft Entra ID.
As businesses grow more collaborative, using more SaaS and PaaS options, the need for federation grows. Federation establishes a trust relationship between an external identity provider and your own, so that a user signs in with the account their home organization or a social provider manages, and your identity provider accepts that authentication without ever holding the user's credentials.
At a quick glance, these are some examples from Microsoft where federation is commonly used:
- Website logins
- Domain authorizations
- Trust relationships
These resources are provided by Microsoft for reviewing the identity concepts of this exam:
- Authentication vs authorization
- Identity providers for External Identities
- Microsoft Entra documentation
- Compare Active Directory to Microsoft Entra ID (previously Azure Active Directory)
All of these patterns are used by people every day; what the exam tests is an understanding of their implementation and effect. With the contents of this introduction, one should be able to prepare for the current certification and build a working knowledge of the Microsoft systems these concepts rely on.
© 2025 heyitsjoealongi. All rights reserved.