Describe identity, governance, privacy, and compliance features
Describe core Azure identity services:
· Windows Authentication Concepts:
Authentication is the process of confirming the identity of a person or object. Authenticating an object establishes that it is genuine; authenticating a person establishes that they are who they claim to be, not an impostor.
In the network sense, authentication is the process of proving one's identity to a network application or resource. Identity is usually established through a cryptographic operation that uses either a key known only to the user (as in public key cryptography) or a key shared between the user and the server. To confirm the authentication attempt, the server side of the exchange verifies the signed data against the cryptographic key it already holds for that identity.
The authentication procedure is scalable and manageable when the cryptographic keys are stored in a secure central location. Active Directory is the preferred and default solution for storing identification information, including the cryptographic keys that serve as the user's credentials, and it is required for the default NTLM and Kerberos implementations.
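The exchange described above, as an added example that is not part of the original page and is not Microsoft's NTLM or Kerberos code: a server that keeps each user's shared key in a central store (standing in for the directory) issues a random challenge, the client proves possession of its key by computing a MAC over the challenge, and the server verifies that MAC against the key it knows. The credential store, keys and usernames are constructed test data; with a public-key credential the server would instead verify a signature with the stored public key.

```python
import hashlib
import hmac
import secrets

# Constructed credential store standing in for the central directory that holds
# each user's shared key. The keys are random test values, not real credentials.
CREDENTIAL_STORE = {
    "alice": bytes.fromhex("6f1f7c3e2a9d4b5c8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d"),
    "bob":   bytes.fromhex("0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20"),
}

# Used when the username is unknown, so the verification path does the same work
# whether or not the account exists (no timing oracle for account enumeration).
_DUMMY_KEY = bytes(32)


def _response_for(key: bytes, username: str, nonce: bytes) -> bytes:
    """Prove possession of `key` by keying a MAC over the server's challenge.

    The username is bound into the MAC input, so a response computed for one
    account cannot be presented under another account's name.
    """
    message = b"auth:" + username.encode("utf-8") + b":" + nonce
    return hmac.new(key, message, hashlib.sha256).digest()


class AuthServer:
    """Server side of a shared-key challenge-response exchange."""

    def __init__(self, credential_store: dict):
        self._keys = credential_store
        self._outstanding: dict = {}  # username -> nonce awaiting a response

    def challenge(self, username: str) -> bytes:
        # A fresh random nonce per attempt: a captured response is useless later,
        # because the server will never issue the same challenge again.
        nonce = secrets.token_bytes(16)
        self._outstanding[username] = nonce
        return nonce

    def verify(self, username: str, nonce: bytes, response: bytes) -> bool:
        # pop() consumes the issued nonce, so replaying a correct response fails.
        expected_nonce = self._outstanding.pop(username, None)
        known_user = username in self._keys
        key = self._keys.get(username, _DUMMY_KEY)
        expected = _response_for(key, username, nonce)
        # compare_digest runs in constant time, so the comparison does not leak
        # how many leading bytes of a wrong response were correct.
        nonce_ok = expected_nonce is not None and hmac.compare_digest(nonce, expected_nonce)
        response_ok = hmac.compare_digest(expected, response)
        return known_user and nonce_ok and response_ok


def client_respond(username: str, key: bytes, nonce: bytes) -> bytes:
    """Client side: the user's key never leaves the client; only the MAC is sent."""
    return _response_for(key, username, nonce)


def run_exchange(server: AuthServer, username: str, key: bytes) -> bool:
    """One complete authentication round trip; returns the server's verdict."""
    nonce = server.challenge(username)
    return server.verify(username, nonce, client_respond(username, key, nonce))


if __name__ == "__main__":
    server = AuthServer(CREDENTIAL_STORE)
    print("alice, correct key:", run_exchange(server, "alice", CREDENTIAL_STORE["alice"]))
    print("alice, bob's key:  ", run_exchange(server, "alice", CREDENTIAL_STORE["bob"]))
    print("unknown user:      ", run_exchange(server, "mallory", secrets.token_bytes(32)))
```

Three details carry the security of the scheme: the nonce is random and single-use, so an attacker who records a valid response cannot replay it; the comparison is constant-time; and an unknown username still goes through a full MAC computation, so the server's timing does not reveal which accounts exist.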
Authentication techniques range from a simple logon to an operating system, or a sign-in to a service or application, that identifies users by something only the user knows, such as a password, to stronger security mechanisms that rely on something the user has, such as tokens or public key certificates, or on pictures or biometric attributes.
Users in a business setting may access many applications hosted on a variety of servers, in a single location or across several sites. Authentication must therefore work across environments that include Windows and other platforms.
· Azure Active Directory:
Azure Active Directory (Azure AD, since renamed Microsoft Entra ID) is an enterprise identity service that offers single sign-on and multi-factor authentication; Microsoft states that multi-factor authentication blocks 99.9% of account-compromise attacks.
o Connect your workforce:
Give users seamless access to all of their applications, whether they are on-site or remote, so they can stay productive from anywhere. Automate user lifecycle and provisioning procedures, and use self-service management to save time and money.
o Choose from thousands of SaaS apps:
Simplify single sign-on: Azure AD supports thousands of pre-integrated software as a service (SaaS) applications.
o
Integrate
the concept of identity into your apps:
Support
single sign-on and user provisioning to help your software gain traction in the
enterprise. Automate the creation, removal, and management of user accounts to
reduce sign-in friction.
Describe Azure governance features:
· What is Azure role-based access control (Azure RBAC)?
Managing access to cloud resources is a key task for any company that uses the cloud. Azure RBAC (role-based access control) lets you govern who has access to Azure resources, what they can do with them, and at which scopes (management group, subscription, resource group, or individual resource) that access applies.
Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources.
· How Azure RBAC works:
With Azure RBAC you control access to resources by creating role assignments. This is the key concept to grasp, because it is how permissions are enforced. A role assignment has three components: the security principal (user, group, service principal, or managed identity), the role definition (the set of permissions), and the scope (where the assignment applies).
· How Azure RBAC determines if a user has access to a resource:
1. A user (or service principal) obtains a token for Azure Resource Manager. The token includes the user's group memberships, including transitive group memberships.
2. The user makes a REST API call to Azure Resource Manager with the token attached.
3. Azure Resource Manager retrieves all role assignments and deny assignments that apply to the resource on which the action is being taken.
4. If a deny assignment applies, access is blocked. Otherwise, evaluation continues.
5. The role assignments are narrowed down to those that apply to this user or their groups, and the user's roles for this resource are determined.
6. Azure Resource Manager checks whether the action in the API call is included in the user's roles for this resource. If the roles contain Actions with a wildcard (*), the effective permissions are computed by subtracting the NotActions from the allowed Actions. Data operations are handled the same way with DataActions and NotDataActions:
Effective management permissions = Actions - NotActions
Effective data permissions = DataActions - NotDataActions
7. If the user does not have a role with the action at the requested scope, access is not allowed. Otherwise, conditions are evaluated.
8. If the role assignment has no condition, access is allowed. If it has a condition, the condition is evaluated.
9. If the condition is met, access is allowed. Otherwise, access is not allowed.
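The role-assignment model (security principal, role definition, scope) and the evaluation steps above, written out in Python as an added example; this is not Microsoft's implementation. The role definitions are abbreviated versions of the built-in Reader, Contributor and Storage Blob Data Reader roles, the subscription layout and principal ids are hypothetical, and the condition on one assignment is a Python callable standing in for Azure's condition expression. It also exercises two edge cases the steps imply: a deny assignment overriding a Contributor grant, and a control-plane wildcard not granting a data-plane operation.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable, Optional

@dataclass(frozen=True)
class RoleDefinition:
    # control-plane (Actions/NotActions) and data-plane (DataActions/NotDataActions) permissions
    name: str
    actions: tuple = ()
    not_actions: tuple = ()
    data_actions: tuple = ()
    not_data_actions: tuple = ()

@dataclass(frozen=True)
class RoleAssignment:
    # security principal + role definition + scope; the optional condition is modelled as a
    # Python callable over a request context (in Azure it is a condition expression string)
    principal: str
    role: RoleDefinition
    scope: str
    condition: Optional[Callable[[dict], bool]] = None

@dataclass(frozen=True)
class DenyAssignment:
    principals: tuple
    scope: str
    actions: tuple = ("*",)
    not_actions: tuple = ()

def scope_covers(assignment_scope: str, resource_scope: str) -> bool:
    """An assignment applies at its scope and every child scope, matched on whole path
    segments, so .../resourceGroups/rg1 does not cover .../resourceGroups/rg10."""
    a, r = assignment_scope.rstrip("/").lower(), resource_scope.rstrip("/").lower()
    return r == a or r.startswith(a + "/")

def matches(patterns, operation: str) -> bool:
    """Operation strings are case-insensitive; '*' is a wildcard that also spans '/'."""
    return any(fnmatchcase(operation.lower(), p.lower()) for p in patterns)

def role_permits(role: RoleDefinition, operation: str, is_data_action: bool) -> bool:
    """Effective permissions = Actions - NotActions (or DataActions - NotDataActions)."""
    allowed = role.data_actions if is_data_action else role.actions
    excluded = role.not_data_actions if is_data_action else role.not_actions
    return matches(allowed, operation) and not matches(excluded, operation)

def check_access(token_principals, operation, resource_scope, role_assignments,
                 deny_assignments, is_data_action=False, context=None) -> bool:
    """Decide one Resource Manager request; token_principals is the caller's object id
    plus every (transitive) group id carried in the token."""
    principals = frozenset(token_principals)
    # steps 3-4: an applicable deny assignment blocks the request before roles are examined
    for deny in deny_assignments:
        if (scope_covers(deny.scope, resource_scope) and principals & frozenset(deny.principals)
                and matches(deny.actions, operation) and not matches(deny.not_actions, operation)):
            return False
    # step 5: keep only assignments for this user or one of its groups at a covering scope
    applicable = [ra for ra in role_assignments
                  if ra.principal in principals and scope_covers(ra.scope, resource_scope)]
    # steps 6-9: any assignment whose effective permissions include the operation grants
    # access, provided its condition (if it has one) holds for this request
    for ra in applicable:
        if role_permits(ra.role, operation, is_data_action):
            if ra.condition is None or ra.condition(context or {}):
                return True
    return False

# Constructed sample data: abbreviated built-in roles (the Contributor NotActions are a
# subset of the real definition), a hypothetical subscription layout and principal ids.
READER = RoleDefinition("Reader", actions=("*/read",))
CONTRIBUTOR = RoleDefinition("Contributor", actions=("*",), not_actions=(
    "Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/elevateAccess/Action"))
BLOB_DATA_READER = RoleDefinition("Storage Blob Data Reader",
    actions=("Microsoft.Storage/storageAccounts/blobServices/containers/read",),
    data_actions=("Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",))

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG1 = SUB + "/resourceGroups/rg1"
VM1 = RG1 + "/providers/Microsoft.Compute/virtualMachines/vm1"
VM2 = RG1 + "/providers/Microsoft.Compute/virtualMachines/vm2"
STORAGE = RG1 + "/providers/Microsoft.Storage/storageAccounts/stexample"
BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"

ROLE_ASSIGNMENTS = (
    RoleAssignment("group:devs", CONTRIBUTOR, RG1),
    RoleAssignment("user:bob", READER, SUB),
    RoleAssignment("user:carol", BLOB_DATA_READER, STORAGE,
                   condition=lambda ctx: ctx.get("container") == "public"),
)
DENY_ASSIGNMENTS = (DenyAssignment(("group:devs",), VM1,
                                   actions=("Microsoft.Compute/virtualMachines/delete",)),)
ALICE = {"user:alice", "group:devs"}  # alice's token carries her transitive group memberships

if __name__ == "__main__":
    for op in ("Microsoft.Compute/virtualMachines/write", "Microsoft.Compute/virtualMachines/delete"):
        print(op, "on vm1 for alice ->", check_access(ALICE, op, VM1, ROLE_ASSIGNMENTS, DENY_ASSIGNMENTS))
```

Running it shows alice (a member of devs, which holds Contributor on rg1) can write vm1 but not delete it, because the deny assignment on vm1 is evaluated first; the same delete on vm2 succeeds. Contributor's wildcard Actions do not make alice a blob reader, since data-plane operations are matched only against DataActions, which is why Storage Blob Data Reader has to be assigned separately for carol.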
Describe privacy and compliance resources:
· Introduction to Azure security:
Depending on the cloud service model, responsibility for the security of an application or service is shared between you and Microsoft to differing degrees. The Azure platform offers both built-in features and partner solutions that can be deployed into an Azure subscription to help you meet your share of these responsibilities.
The built-in capabilities are organized into six functional areas: Operations, Applications, Storage, Networking, Compute, and Identity. Microsoft's summary documentation describes the features and capabilities available in each of these six areas.
· Strengthen your security posture with Azure:
Reduce expense and complexity by relying on a Microsoft-managed cloud infrastructure. Use Azure's multilayered, built-in security controls and Microsoft's threat intelligence to help identify and guard against rapidly evolving threats.
· Privacy in Azure:
You own the data you provide for storage and hosting in Azure services. Microsoft does not share it with advertiser-supported services, nor mine it for marketing or advertising purposes.
Microsoft processes your data only with your permission, and only to provide the services you have requested. The same terms bind any subcontractors (sub-processors) that Microsoft authorizes and engages for work that may require access to your data: they may perform only the functions for which Microsoft has hired them, and they are held to the same contractual privacy commitments that Microsoft makes to you.
If you leave the Azure service or your subscription expires, Microsoft follows strict standards for removing your data from its systems.
· Azure compliance:
Azure holds more than 90 compliance certifications, including more than 50 specific to global regions and countries such as the United States, the European Union, Germany, Japan, the United Kingdom, India, and China, and more than 35 compliance offerings tailored to the needs of industries including health, government, finance, education, manufacturing, and media. New compliance requirements are also addressed: Microsoft works with governments, regulators, standards bodies, and non-governmental organizations around the world.