Pass Your Microsoft Azure AZ-900 Exam Easy!

Microsoft AZ-900 Microsoft Azure Fundamentals exam dumps vce, practice test questions, study guide & video training course to study and pass quickly and easily. Microsoft AZ-900 Microsoft Azure Fundamentals exam dumps & practice test questions and answers. You need avanset vce exam simulator in order to study the Microsoft Azure AZ-900 certification exam dumps & Microsoft Azure AZ-900 practice test questions in vce format.

AZ-900 Course for 2020 - Understand security, privacy, compliance, and trust

2. Azure Identity services

The requirement of the exam is to know the difference between authentication and authorization. These are fairly basic concepts for security. The concept of authentication is that a person has proven who they are. So just like a bouncer is going to ask for an ID, a driver's licence has your picture on it and has your name. In most cases, having your user ID and password is enough to prove who you are. So once user John Doe has logged in with the correct password, then we believe that this person is John Doe. The complement to that is called authorization. So once you understand that you're dealing with John Doe, what level of permission does that person have for each aspect of your environment? Do they have the right to login to this application or not? Do they have the rights to create resources or not? There are going to be different rights for different people. Obviously, the idea that once you've determined that a person has been authenticated, they have full access to your system is a thing of the past. Only the most simplistic systems can ensure that all users have exactly identical access. You're going to want to differentiate between administrators and power users, people who have read-only access versus people who can make changes, etc. for not only in your applications, but within your networking and IT environments. The next topic is Azure Active Directory. Now overall, this is a huge topic, right? Understanding all the nuances of Azure ads, how to set it up, and how to get that integrated into your environment is a biggie. Now, Azure Active Directory, which is abbreviated as AzureAd, is Microsoft's identity as a service solution. So, basically, Microsoft is providing this as a service to you, and they will take over the authentication aspects of your applications. So you basically have them log into the user ID and password of the user, validate that, and let's go back to your application and let you know that that's okay. It is Microsoft's preferred solution. So, if you see an exam question about identity, consider Azure AD as one of the best answers and what Microsoft is usually looking for. There's a lot to it, and we're talking about users. We're talking about being able to group users into groups and create roles. There are built-in roles that you can create custom roles for, assign permissions to those roles, assign those permissions to groups and to users, et cetera. Now Azure AD is the type of technology that can enable the concept of single sign on.So where you have, let's say, a corporate or enterprise user, he or she has their company user ID and company password. Being able to use that same user ID and password in any application they need to log into is the concept of single sign on.And that is accomplished by having those applications use a technology like Azure Active Directory to validate the user. So the user ID and password live in a central location like Active Directory. And all of the other applications use that to validate the user. That way, if the user ever changes their password in one location, then that's in effect in all locations. So the centralization of the identity is an important concept in single sign on.Now, some people might be familiar with the Windows Server technology called Active Directory, or AD. So when they hear an Azure ad, they think, "Oh, it's pretty much the same thing." You're probably taking a version of Microsoft Active Directory and installing it within Microsoft Azure, and that's not entirely true. Azure Active Directory is a unique piece of software specifically written for Azure. There is a synchronisation that can happen. So in the single sign-on case we were just talking about, if you have corporate users that are registered within the corporate Active Directory, you can synchronise that to the Azure Active Directory service, and those users and passwords would be recognised within Azure AD. And if a user changes their password or creates a new user within a certain number of minutes, that is also synchronised into the cloud. So there is a synchronisation process to keep your on-premises Active Directory synchronised with your Microsoft Azure Active Directory. They are different. They have different capabilities. Some things—and there are a lot of things that Active Directory can do that Azure AD can't— Azure AD is really designed specifically for Internet technologies and Web protocols. There are a lot of things like, in corporate America, a technology called LDAP, which is a light directory protocol. LDAP is not supported in Azure, as an example. So there are technologies that are supported within a corporate network that would not be supported on the Internet because of TCP and HTTP and those types of protocols. We should talk about multifactor authentication. Now, multifactor authentication is a feature of Azure Active Directory. And optionally, you can enable this so that users are forced to have another piece of identification in order for them to log in. The reason it's called multi-factor authentication is because when you have a user ID and password, those are two factors, right? So your user ID is a factor. So knowing a person's user ID is some proof that you are them. But it's not very strong proof because a lot of times people can just guess your initial and your last name or your email address. So that's why we don't ever use a username. It's the only factor that proves who you are. Typically we require a password, which is the second factor. Passwords are hopefully hard to guess. You want your passwords to be reasonably complex and not just 12345. and hopefully it's unique across the Internet and across your environment. You don't want to be reusing passwords with your email provider, your bank, and all of your other places. That's pretty straightforward security advice. So the password is unique, and no one else in the world has the same password as you. That's a pretty safe password. However, the multifactor enters the picture. We're talking about this third factor. And the third factor in the case of MFA is typically that you have a phone; you have a mobile phone, and we can connect to you on your mobile phone, and the fact that you have it proves that it's you. Presumably, if somebody in, I'm going to say, a far-away country has your user ID and your password, they can log into the system. Sometimes there are ways of protecting against that, but they don't have your phone. And so if Azure was to send you a text message, they're not going to receive it. And so that third factor is a separate thing other than the internet; there could be a text message, which is called SMS; there could be applications. Microsoft has an authenticator app, Google has an authenticator app, and other companies offer them as well. A voice phone call is also an option. When you get a phone call to your phone, you pick it up, and it says, "Please use the number 3739 to log into the site." So there are different ways of turning on what's called multi-factor authentication. It is widely considered to be a much stronger form of security to prove authentication. So if you have your user ID and password, you can say you're at one level of protection. But if you can turn on multifactor authentication, that is an order of magnitude more secure because really, somebody far away from you is not going to have access to your phone. Now there are spoofing technologies where your SIM card can get copied and things like that, but that's a fairly sophisticated attack, and you're talking about someone who's really targeting you and who's had access to your phone to copy your SIM card. We've swapped out your SIM card. That's a pretty sophisticated attack. And MFA may not protect you from something like that, but in 99.99% of cases, this multifactor authentication is going to thwart any kind of hacker's entry into your account.

3. Security tools and features

Requirement says Azure Security, which is a pretty vague requirement we need to understand, is a shared model. Within Microsoft Azure, we have concepts of physical security as well as digital security at play. Okay? Now, by physical security, I mean that maybe you have a computer that's logged into the application. If you're using that computer in an insecure location, It's inside your house, it's insideyour office, the doors locked. People aren't just walking into your computer randomly, right? You have a Windows screen saver that locks your computer after so many minutes, et cetera. There's also the physical security of the server side. So Microsoft Azure doesn't necessarily publish the locations of their data centers, at least the ones that do exist. There is fairly strong security around it. You can't just walk into the building—you require fingerprint authentication, et cetera. Then you can enter the floors, which require a specific security card, and the racks are locked and all that good stuff. So Microsoft takes the physical security of their networks fairly seriously, and I've not heard of a physical breach. Any of the cloud providers—Amazon, Microsoft, or Google—have not reported that somebody walked into their datacenter and was able to get access to a client's servers just off the street, like that onscreen is a fairly standard graphic. You might see this on Microsoft's website. It shows the different layers within an application from the application at the top down to the data, the runtime, any kind of operating system, the virtualization system, the services themselves, storage, and networking. And we can see the difference between whether you have the server in your own environment on the left or whether you are running a VM within Azure, which is the second column. You're using the platform as a service model, which is a web app, which is the third column, or you're just using one of the software as a service options. So there are different layers of responsibility. Now, when you have the computer in your own environment, you're responsible for all the security. You're responsible for secure networks, you'reresponsible for secure storage servers, thelocks on the doors, everything. Even to get to the VM, you're actually sharing the responsibility with Microsoft and other cloud providers because they're taking over the security of the networks, the servers, and the operating system. All of the physical assets are guaranteed to be secured and managed by Microsoft. Now, because it's a VM, you can install any applications that you want. That's the middleware part. You can design your custom application, compile it as an exe, and install it. and that's a runtime. You have your databases, maybe SQL Server installed in the VM, and any other applications on top of that. And so, that's all your responsibility. Now, Microsoft, of course, provides you with an operating system, but then your responsibility is to keep it patched when a new update is available, to run Windows Update, and to make sure that that server gets updated. Now, as you see as you go forward to the right, the platform as a service and software as a service, Azure, takes over the responsibility of most of those things. So it's a fairly fundamental element of security within Microsoft, whose responsibility it is. Now, we talked earlier about Azure Active Directory. That's their identity as a service model. So when we're talking about security, it is much more preferable that you use a solution such as Azure AD to manage your users as opposed to creating your own application and rolling your own platform for that. That could lead to insecure methods, right? So Azure advertising is provided as a service. I'll go back a slide. It's the software as a service on the right. So the ad portion is delivered, and Azure takes full responsibility for everything in that insecurity of that.So Azure Ad is a critical component if you're redesigning a secure system and plan to use something like Azure Ad from a reputable vendor to keep your users and passwords safe. We talked about multi-factor authentication, which is abbreviated MFA, earlier. That is an order of magnitude more secure than just having a regular user ID and password. So installing and setting up MFA within your AzureAD is definitely recommended if security is a thing. Now, you'll see this term within Microsoft a lot because besides Azure AD being the identity system, our back-end role-based access control is the recommended authentication mechanism. Now, Azure does support other authentication mechanisms, but Role-Based Access Control is what Azure uses to control access to the Azure environment itself. And so they recommend you use that same system if you're going to do it within your applications. We have a section about our backstory coming up later in this course. Now, earlier in this video, I talked about a layered approach to security where you do not just want to have a user ID and password, even with the MFA turned on as being the only security mechanism. And once somebody passes through that barrier, they have unfettered access to everything in your entire environment. I found this list within Microsoft that says there are a number of layers. We can start at the top, the data layer. So let's say you choose an Azure SQL database as your database solution. That's where you're going to store your data. Now there is such a thing as a "virtual network endpoint system" where you can basically restrict that SQL database to a specific virtual network. So there are security layers that you can enable at the database level. Also, if you're going to use Azure storage as a data storage solution, or simply a storage solution, you can use Virtual Network Endpoints to prevent the outside world and open internet from accessing those things. Even if they don't have authentication, they can't even get there. So it's like a firewall around your data. If you're going to have applications, you might put something in front of that: a web application firewall with a load balancer. Or if you've got API applications, there's an API management system that will act as a security layer in front of your API—any kind of compute layer. You might have a Windows server. As a VM, you want to ensure that remote desktop access is very tightly controlled. It can be disabled only when needed, or you can ensure it's only accessible from your physical location, your business, and certain IP ranges and not visible from around the world. You don't want people halfway around the world attempting to remotely access your Windows servers, even if they don't have the password, say, for a vector you don't want them to have access to. You want to ensure that the operating systems are patched, that you run Windows Update and install the updates in a timely manner, et cetera, and plan for that. within your maintenance plan, down to the network level. You can arrange yourself with virtual networks and subnets so that applications are running on separate networks and that you have specific network security groups that handle the permissions and the traffic between them. If you've got multiple subnets, you've got your front end subnet, your middle tier subnet, and your back end subnet. You can ensure that there are a lot of deny rules there and that those networks are tied down as tightly as they can so that only authorised traffic gets through. The concept of perimeter is typically defined by firewalls and the distributed denial of service service that Azure offers. We talked about Azure AD as being an identity thing. So this is the user ID and password, and potentially MFA, and finally the physical layer. Even within your office, you want to ensure that people have locked doors, computers that shut down, et cetera. But of course, on the Azure side, we said that Microsoft does this for its own data centres already. So those are the different layers. And if you can handle the security in each layer, it makes it a lot tougher for hackers and nearby dwellers to try to access your environment. Azure does provide a dashboard called the Azure Security Center. As a result, Azure Security Center provides unified security management as well as advanced threat protection. This is one of the features of the Azure Security Center. You look at it on screen, you can seea screenshot of what Azure Security Center looks like. There is a free option, and there is an upgrade option. So you can go into your Azure Portal, look for Security Center, and you can see This is a screenshot from mine, and I've got some high-severity security recommendations. You can see it, or you can't see it, but I didn't follow my own advice. Some of my subnets don't have network security groups, et cetera. So this is just a test account anyway. So Azure Security Center is sort of like the dashboard that analyses your applications and networks and makes recommendations for them. There's a free tier and also a paid tier called the "Standard Tier" for that. Another component of security within Azure is called the Azure Key Vault. Now, this was introduced a few years ago. It's a pretty cool piece of technology where there's a central repository for all of your secrets, all your certificates, and your signing keys. So if you have an SSL certificate, you can store it within your key vault. If you have an API key that a third-party vendor has given to you, you can store it there as well. If you have your public and private keys that you use for signing things, you can keep them inside this key vault as well. On the screen, we can see an example. This is the secrets tab of my keyboard, whereI can create any type of string, give ita value, and an application can request this value. The application will be given the value if you have your security and RBA setup. But for people who are not authorised to see the secrets, those secrets are hidden from them. And the main purpose of this is that if you have applications that need access to databases or that need access to APIs, then this is embedded in these connections is this.User ID and password are the secret API keys. If that ever got out, it would cause you some grief. You do not want your secrets to be stored in source code. It's another trend in the industry in the lastfive or more years, is removing these secrets notonly from the code, but removing them from theweb config, removing them from the app config, evenhaving the secrets in a config file, exposes themto developers, exposes them to a bunch of people. And the more people who know a secret, the less likely it is to remain a secret for a long period of time. So you want to put it in the keyvault, and then potentially only the application that has been given authorization can access it, and the person who generated the secret, of course. And maybe that's it. Right now, we can look at the key elements. So I said you can create public-private key pairs or import them. So this is the generated screen. You can see I can create an RSA key of 2048 bits, 30 of 72 bits, or even 40 of 96 bits. I can have an activation date and an expiration date. So you can basically create signed keys and store them in the vault. This is an example of certificates. So I created a couple of certificates. I can import them, upload them, or create them in line. This is similar to SSL certificates that have an expiration date. And so this is one way to manage your certificates. And those Azure services, such as your Web apps, can use the certificates from the Key Vault. and it's a way of managing all your certificates in one place. Here is an example diagram that demonstrates that you've got your key vault and all your secrets in it. There's an administrator who can manage the secrets, but the developer only gets the developer keys, and the security administrator could get log files out of it, see who accessed it, et cetera. A relatively new feature in addition to Azure is called Azure Information Protection (AIP).Now, this is a way of, basically, protecting your documents. So think of it like a CRM process for emails and for other documents. And so you can, within your organisation, apply labels to these. It can be for all employees; it can be for only developers; it can be for only managers. You can label your documents with particular permissions, and then only people with those permissions can see them. So you've got—I mean, I made these up. But you can have your own version of "confidential," "top secret," "super top secret," and things like that, that you can label your documents with, similar to the military. Now, because the Azure applications and even Office365 are tied in with this, if a document is labelled confidential, for instance, you can have Office 365 refuse to print the document. It can refuse to forward the document. Okay? So you have a tied-down document for which there's no way for it to leave your organisation for.Very like your financials are very important things. and that's Azure Information Protection. It restricts who sees it, prints it, and even email forwards and other similar actions. There's another one that's AIP. This is called ATP Advanced Threat Protection. Now, Advanced Threat Protection will actually take a look at your Azure Active Directory and monitor and profile those users. So let's say you have users that log in every day, but they only ever log in from work, they never log in from home, they never log in outside of your office or outside of the country, they never log in on the weekend, et cetera. So Advanced Threat Protection can basically build a profile of this user and notice when something unusual is happening. So let's say, on the weekend outside the office, somebody's trying to log in as this person. Advanced Search Protection could display a multifactor authentication option that says, "Please check your SMS message for the code," or it could even refuse to allow the person to log in because it is not unusual behaviour for them. It again protects the users' identities and also reduces the attack service. So another situation that it might protect against is these brute-force attempts to log in. So let's say the person doesn't know the password, but they're going to try different combinations of passwords or an old password or something like that. And basically it has this capability to know that, oh, somebody's trying to login. It's not the usual thing. So it can identify suspicious activities and things people are trying to access that they shouldn't have access to, and those can become sort of alerts. Now, once you, as the administrator, get alerted or you want to go into your ATP dashboard, you can actually start this investigation. And you can see all over Saturday from Ukraine that somebody tried to log in six times using this account with an old password. Force that user to reset their password next time they're in the office or something. So you can actually, as a manager or

4. Azure governance methodologies

Next up, another security feature is called Azure Policy. Now, Azure policy allows you to implement standards for your organisation across Azure, and this is a governance technology. So you can basically create rules across specific resource groups or across all of your Azure subscription that basically say, "These are the rules that we have to follow." Now, those rules can be hard and fast, and their resources cannot be created unless they follow a particular rule. or you can just set the standard and have it evaluate the compliance. And you again get a report saying that ten out of your twelve virtual machines are compliant and two out of your twelve virtual machines are not compliant. And then you can take manual action to ensure compliance. So there are a bunch of built-in policies that you can choose from. I mean, there are 60, 70, or 80 of them. You can require a specific version of SQL Server Twelve, which is the latest. You can choose which storage account types are allowed and which storage account types are not allowed. Obviously, you can choose which regions these resources can be created in. So if you do not want people creating them outside of Europe, you can say "only allow European data centers," and that's it. Which virtual machine skews? And this is important because some of those virtual machines are quite expensive. And so if you're going to authorise developers, for instance, to create virtual machines, then perhaps you want them to only create the cheaper developer-size virtual machines and not the 64-core mammoth that costs thousands of dollars per month. Okay? You can have tagging requirements. A lot of companies use tagging to help with billing. And so if you said, "Well, you have to have a billing code; you cannot create a resource unless there's a billing code," then that's a rule that you can put in place as well as other rules around resource types. So we don't allow Azure, SQL Database, or any of those accounts. You can just block those resource types. That's just a built-in policy; if you want to get into it, you can create your own JSON policies that define some really unique things. It's like an "if then" type statement, right? Microsoft announced this concept of "policy initiatives," which are basically groups of policies that are set together and can be then assigned together. So we talked about how tags are often used for billing. So maybe there are two tags, or three tags, or four tags that need to be present instead of having to assign policies for that. And then every resource group also needs the policies. So that could be four to eight sets of policies. Then you can basically group them together. So in this case, instead of having, in this case, ten policies, you group them together. You have a single policy initiative. All resources must have these five tags. And those are a group of policies that act together. Earlier in this course, we talked about ourbackak being an important standard within Azure that Azure uses to control access to resources. So where we had Active Directory as the identity service, our backup is Microsoft's recommended solution for authorization, which is access control. Typically, you're going to either use lots of the built-in roles or you're going to be able to create custom roles that represent the common tasks of jobs within your company. So you might have an account department, you might have a sales department, a customer service department, or a technical department, and you can create those roles and give very granular access to those people, okay? So they can only have read access to this; they only have write access to that; they can create resources, but only in this resource group; etc., etc. So you have very specific access at the role level. And in this way, if your company has 1000 employees, you do not need a thousand different profiles for security; you may only need 20, okay? So you can then assign the employees to the roles. So you have very granular permissions for those roles, and then those people inherit those roles. As a result, those who work in the account department are assigned the account role. People who work in the sales department get the sales job. Customer service agents are assigned to the role of customer service agent. Now, people can have multiple roles, okay? So you might have a person who is the senior supervisor of the CSRs, who also needs not only the CSR role but also a manager role that allows them to see reports and have the ability to edit and update things that CSRs don't have the ability to do. and so people can have more than one role. But you do not want to get in the businessof giving Sally in accounting very specific permissions because whenSally leaves and then Bob joins, you're going to haveto own man, what permissions do we give to Bob? And it becomes a bit of a mess, right? And maybe you give people too many permissions accidentally, et cetera. So you sign up for the role. It's easier to manage and review those every few months to make sure they're still required. If somebody needs permissions to something, let's say a person in the account department says, "No, I need update permissions." In this particular case, you can make that decision to say, "Oh, let's give it to him temporarily and then remove it." Or let's update the role so that anyone with this role can have this permission. So those are the decisions that can happen with rule-based access control. Now, I mentioned there are a bunch of built-in roles. The most common three roles are reader, contributor, and owner. Now, a reader role, when you assign a user a reader role to a particular resource, means that they only have read access to that. so they cannot make any changes to it. They cannot modify the resource; they cannot delete the resource. All they can do is interact with the resource without changing it. A contributor role basically allows them to create resources, update resources, modify resources, et cetera. So that is more of a read write role. The owner role is basically the contributor role, but the owner can assign permissions to other people. So somebody who's a contributor cannot make another person a contributor, but somebody who's an owner can make another person a contributor. Okay? So, owners basically give you authority to give permissions to people. Those are the three basic rules. Now there are literally dozens and dozens of rules for each resource type. There's storage Reader storage Contributor storage Azure Active Directory Contributor, Azure Active Directory Reader, and so on. So every technology has its own set of rules, et cetera. But overall, you can give someone reader, contributor, and owner roles as well. Another important thing is that this is somewhat secure, but it is also just protecting your environment from mistakes. Accidents do happen. Things get deleted and updated accidentally. You can basically use Azure locks to tie down resources, flag them, and indicate that they shouldn't be changed. So there are two locks. One is called a "Read Only" lock, and the other is called a "Cannot Delete" lock. And so within the Azure Active Directory interface, within the portal, or within PowerShell, you can go to a resource. In this case, I've got a virtual machine called OpenVPN VM, and I can create a lock that says Do Not Delete. And I can basically say, this is a production resource; I do not want anyone to delete it. And the effect that that has is that next time someone tries to delete this resource, they're going to get an error. Azure is going to say "Unable to delete" because there's a lock. Then you're left with the situation of having to delete the lock before you delete the resource. And so if you really do want to delete something, it's a two-step process, but the lock is there so that you're not accidentally deleting production resources when you have a development server that you've been intending to delete. Okay, the other cool thing because of our backs is that you can restrict who has access to the locks. So there is a lock policy. And so you can say, well, I don't mind that you delete resources, but I don't want you to delete locks. And so if a resource is locked, even a person who has access to deleting resources cannot delete it because the locks are in place. This is another way of locking down your resources by giving people permission to do things, but you can also restrict them from certain things. So, as your advisor is a feature of the portal, another very cool feature was recently introduced that makes recommendations to you. It runs every few hours and analyses your account and looks for ways you can improve it. There is a security tab. And so if you go into the Security tab of your Azure Advisor, you're going to see a bunch of security warnings. Now, there's a relationship here between the AzureAdvisor Security Tab and the Azure Security Center. Recommendations? You can see it still says "Enable Network Security Groups on Subnets." And so even though it's a security recommendation, it appears in two places. So it's up to your preference if youwant to go into Azure Advisor, make sureyour account is running at the best capacity,optimal capacity, performance and cost and wise. You'll see your security warnings there as well. Or you can go into the Security Center and see them specifically there as well. So if I click on one of these recommendations, one of them says to use secure transfer to your storage accounts. And so there's an explanation. So it tells you it's the reason for enabling Https. It only forces authentication and encryption between the server and the service consuming it. It has general information, the threats that would happen if you didn't enable them, and some instructions on how to fix it. So there are some details in there. Scrolling down a little bit, I can see which resources have been identified as not having HTTPS enabled. And so these are my four storage accounts. None of them have it. So I can go into them one by one and turn on HTTP. and that would remediate this security warning. Now, within the last year, Microsoft has added a new feature for subscriptions that is called Azure Blueprints. Now the purpose of Azure Blueprints is that you can create a subscription template that has some roles, some policies, and some predefined elements to it, and then you can use that template to create other subscriptions. So let's say you work in an organisation that is going to end up having dozens and dozens of subscriptions, and instead of creating them manually and then having to add users and policies to each of them, you can create a subscription by using a template. And this is called "azure blueprints."

5. Monitoring and reporting options

Another one of Azure's tools that they provide is called Azure Monitor. Now, Azure Monitor gathers events from all sources within Azure and puts them into, basically, log files or counts them as metrics. A log file would be like if somebody logged into a system and the logs went into a log file. A metric would be something like CPU utilization. There's no log file that's recording the CPU every minute, but you can use the metrics to detect the CPU utilisation or the memory utilization, store that, and then run some analytics on that. So on the left are all the sources. So your application can actually bubble up information that goes into Azure Monitor. The operating system has logs like a Windows Event Viewer application. Event Viewer Security Event Viewer, your resource groups within Azure So as you create resources and do deployments, that gets logged into Azure Monitor. That's at the subscription level, so creating new resource groups or modifying the authentication for people So all that stuff gets into your Azure Monitor. And then on the right, you can see all the ways you get data out of Azure Monitor. You can run Power Bi Reports, visualise them in the Azure Portal, run HDApplication Insights, do Certain, and built-in analytics create alerts so that if the CPU is over 80% for more than five minutes to text you on your phone, and so on. Alternatively, you can use logic apps to trigger when something happens. So Azure Monitor is basically a centralised collector of logs and metrics across not only your applications, but across all of Azure. and then you can do stuff with it. One particular element of Azure Monitoring is called Azure Service Health. And so you can see I clicked on Azure Service Health in my dashboard, and this is telling me what's going on within the world of Azure. So, are there any service issues or health issues within Azure Plan maintenance? At the time that I took the screenshot, there were no service issues. But there was one service issue resolved within the past 24 hours. When I click on that, I can see the details that Northern Europe had a connectivity issue for a single rack from 750 to 836. And so this might have impacted me. We'll try to talk about this in the next section, but as you can see, service history is not specific to you. I might not have anything to do with running in Northern York, and I might not have been on that particular rack, but it's a service incident that gets logged, and we can tie this together. Now, when you've got your Azure Monitor running the log files and the CPU metrics and all these other events, and you've got your Azure Service Health, you can actually use them together. Where Azure Monitor is tailored to you, it's your applications and servers, the health of your applications and servers, and you can run analyses tailored to your application and even your actions. So as you're creating resources and deleting resources, that gets logged too. whereas Azure service health is general alerts across all of Azure, and you can actually say that when something happened, say your server went down and was rebooted, you can go to your Azure service health and see if there was something that affected everyone and not just you.

6. Privacy, compliance and data protection standards

Another section of this exam talking about security has to do with compliance. Now, compliance is a general term that basically means there are standards and rules either outside of your company or dictated by your company that you need to follow. There are so many different standard bodies and standard organisations for technology across the world. Okay, Microsoft has, and we'll talk about that in a second. But Microsoft publishes the standards that they follow. And so if you are required as a company to follow a certain standard, then you would want to make sure that Azure follows that standard as well. So you can see which specifications Azure adheres to, and they also provide a slew of tools to assist you in staying in compliance with standards. So some standards have to do with how you handle data and personally identifiable information, like with the credit card industry's PCI standard. Then some of that is going to be on the technology, on the security, on the way that the data is encrypted, et cetera. But some of that is going to be on you—on the way that your applications handle data, on the processes that you have for detecting anomalies and responding to change and tracking changes, et cetera. Take, for example, recent GDPR General Data Protection Regulation news. If you're not familiar, GDPR is a set of rules that the EU passed designed to give citizens more control over their personal data. It does also affect companies outside of the EU that have EU citizens' data. So in this particular case, if you're an EU citizen, you have certain rights over your data, and all companies around the world need to respect those rights. Now, data. One of those parts of the GDPR is that data needs to be collected legally under specific, strict conditions. The data has to be protected from misuse. And if it is found to be mishandled, there are reporting obligations, and you have to have certain employees in certain roles and things like that. We can look at another standard called the ISO standard, and this is something Azure published. ISO has a number of standards that they publish, and Azure is in compliance with these ones. Also, the government's Azure Government Network, which is separate, is also in compliance with most of them. Now take an example like, "let's look at ISO 9001." That is a quality management system standard that basically ensures that companies and organisations follow certain best practises for maintaining quality. And this includes bug tracking and how it responds to this, how quickly they fix issues once identified, et cetera. Another standard is ISO 20001. And that's the service management standard. So, whether the 9001 was a quality management standard or not, this is about service. Another standard is called NISTCSF, which is the Cybersecurity Framework. The NEST is the National Institute of Standards and Technology. That's a government entity in the United States that publishes cybersecurity standards. In order to be NIST compliant, you need to have an audit done to make sure that you're following the security and privacy best practises we can see. Microsoft has a Web page if you're interested in these standards. There are websites, Microsoft Trust Center being one of them, talking about the NISSCSF and how they're compliant with it. And there are also blueprints and security papers and other things that you can read. Microsoft wants me to talk to you about their privacy statement. If you go to Privacy.Microsoft.com, you'll be able to see how Microsoft collects your data, what it does with it, who it shares it with, and all this stuff. It's a beautiful page, but it's also a lot of words in terms of your right to privacy. So this is not just the GDPR, but many different standards require that you publish a document that specifically dictates what you collect, what you do with it, why you need it, how you protect it, et cetera, and how much you can do if you don't want them to have it anymore. Microsoft has a Trust Center. We saw the NIST document from there. It is a bit complicated. Microsoft.com Enus Trust Center, and then the Azure version of those cloud services in Azure? We can see that this is basically a portal that talks about Microsoft compliance to certain standards, security, GDPR, and, scrolling down a little bit, there are sections for compliance, privacy, transparency, if you are in the public sector, working with Azure government, and what industry standards Microsoft works with. Similar to that, there's also what's called a Service Trust Portal. At servicetrust.Microsoft.com, that is more specific, whereas the Trust Center is more at a high level, probably for business owners and things like that. If you really do need to see pen test reports, compliance manager reports, white papers, and the blueprints that you can import that are repeatable processes for adhering to standards, that service trust seems to be much more detailed, not at a high level at all, but actually at a low level. Now, Microsoft's Service Trust website has a tool called Compliance Manager, which calls itself a workflow-based risk assessment tool to help you manage regulatory compliance. If you go to the Service Trust portal, you'll see Compliance Manager in the menu, and you've got both the classic and updated Compliance Manager portal. And then when you go inside of that, you have to have certain permissions on your account set up. but once you get in there, you can see how well you are. Let's say you wanted to be GDPR compliant.Well, Microsoft will separate out its responsibilities. So Microsoft manages actions, 48 out of 48 compliance, whereas you are responsible for managing actions. You haven't started on them yet, right? So in order to be GDPR-compliant, you have some work to do. There are 61 items that you have to check for the Nish standard. The National Institute of Technology has a similar situation; they've got 760 actions and you have 215. So in order for you yourself to claim GDPR compliance, you have to do these particular actions. And Compliance Manager is like a checklist to take you through it, and you can check it off. Now, I briefly mentioned government services. As some of you might know, Azure has its own US government portal, which is separate from the public portal. So where do we go? To portal azure.com.Other people go to portal.azure.com. It is specifically for us. Government agencies, whether it's at the federal level, state level, or even local agencies, It's on a separate network, requiring a separate account. You have to agree to different terms. Obviously, there are some differences. Now, even if the Department of Defense has its own Azure as well, So it's like there are three separate Azure networks. And this is one of the reasons why Azure says there are 51 regions, but we only get access to 16 of them or something like that. Because the government has a number of regions, and the Department of Defense has a number of regions as well. These are isolated data centres and separate from the Azure public cloud; they are separate computers, separate buildings, etc, etc.There are specific standards for the US government that the general public do not have to follow. Right? So, FedRAMP is the one we discussed, NIST. You can see the acronyms on screen; I'm not going to read them out. But different federal agencies have to follow certain standards for data protection in their security environments. Obviously, the federal government is under scrutiny, as are state some scrutiny.They do important things like elections, security, and defense, and things like that. So they have certain standards that you, as a public company, don't have to follow. They have their own URL for the Azure US portal. You have to sign up with a separate account. If you qualify, you have to prove, of course, that you are a U.S. citizen. Also, one of the things for developers is that the URLs are going to be different, okay? So if you're developing tools for Azure, you might develop them for people using regular Azure Portal accounts. But those tools would not necessarily work for government accounts because the URLs are different. Okay? There's a separate system in Germany as well. So whereas the usual government is the US government, Germany runs almost like the EU equivalent of that. And it's another thing that's a separate account—the data is guaranteed to remain in Germany. So the data centres for Azure Germany remain in Germany. Obviously, the German government has the strictest standards for data protection in all of the EU. And so Azure has created this German equivalent. So you can sign up for this even if you're anywhere else in the world or in the EU and want your data kept within the EU, within Germany. There's also a person who's a trustee, a German data trustee. It is a one-of-a-kind requirement under Azure Germany. So if you're storing your data in the regular public cloud, there's not a person whose job it is to be a trustee of that. But there is in Germany. Now. It's a very similar but different situation when it comes to China. Microsoft does have data centres in China, and you can deploy virtual machines and other resources into China, but it's not connected to the Azure global portal. So you have to have a separate account—that's going to be a separate login. The data is isolated. It's not on the same network. It's going to remain in China and obviously has to follow the Chinese laws and the particular things that you have to do to do business in that country. So even though you do see China advertised in the number of Azure regions, it's almost like a separate entity. It's run by a different company. Even. So, if you don't want your data centres in China, you can definitely go sign up for that.

Go to testing centre with ease on our mind when you use Microsoft Azure AZ-900 vce exam dumps, practice test questions and answers. Microsoft AZ-900 Microsoft Azure Fundamentals certification practice test questions and answers, study guide, exam dumps and video training course in vce format to help you study with ease. Prepare with confidence and study using Microsoft Azure AZ-900 exam dumps & practice test questions and answers vce from ExamCollection.