Knowledge check

https://docs.microsoft.com/en-us/learn/modules/protect-against-security-threats-azure/7-knowledge-check

Consider the following scenario.

Tailwind Traders is moving its online payment system from its datacenter to the cloud.

The payment system consists of virtual machines (VMs) and SQL Server databases.

Here are a few security requirements that the company identifies as it plans the migration:

  • It wants to ensure a good security posture across all of its systems, both on Azure and on-premises.
  • In the datacenter, access to VMs requires a TLS certificate.
  • The company needs a place to safely store and manage its certificates.

Here are some additional requirements that relate to regulatory compliance:

  • Tailwind Traders must store certain customer data on-premises, in its datacenter.
  • For certain workloads, the company must be the only customer running VMs on the physical hardware.
  • The company must only run approved business applications on each VM.

See the following diagram that shows the proposed architecture.

Virtual machines run both on Azure and in the datacenter.

On Azure, Tailwind Traders will use both standard VMs and VMs that run on dedicated physical hardware.
In the datacenter, the company will run VMs that can connect to databases within its internal network.

  1. How can Tailwind Traders enforce having only certain applications run on its VMs?
    • Connect your VMs to Azure Sentinel.
    • Create an application control rule in Azure Security Center.
      With Azure Security Center, you can define a list of allowed applications
      to ensure that only applications you allow can run.
      Azure Security Center can also detect and block malware from being installed on your VMs.
    • Periodically run a script that lists the running processes on each VM.
      The IT manager can then shut down any applications that shouldn’t be running.
  2. What’s the easiest way for Tailwind Traders to combine security data
    from all of its monitoring tools into a single report that it can take action on?
    • Collect security data in Azure Sentinel.
      Azure Sentinel is Microsoft’s cloud-based SIEM.
      A SIEM aggregates security data from many different sources
      to provide additional capabilities for threat detection and responding to threats.
    • Build a custom tool that collects security data,
      and displays a report through a web application.
    • Look through each security log daily and email a summary to your team.
  3. Which is the best way for Tailwind Traders to safely store its certificates
    so that they’re accessible to cloud VMs?
    • Place the certificates on a network share.
    • Store them on a VM that’s protected by a password.
    • Store the certificates in Azure Key Vault.
      Azure Key Vault enables you to store your secrets in a single, central location.
      Key Vault also makes it easier to enroll and renew certificates from public certificate authorities (CAs).
  4. How can Tailwind Traders ensure that certain VM workloads
    are physically isolated from workloads being run by other Azure customers?
    • Configure the network to ensure that VMs on the same physical host are isolated.
    • This is not possible. These workloads need to be run on-premises.
    • Run the VMs on Azure Dedicated Host.
      Azure Dedicated Host provides dedicated physical servers to host your Azure VMs for Windows and Linux.

< LP4