ISBN-13: 9781394180219 / English / Paperback / 2023 / 416 pp.
Introduction
Assessment Test

Chapter 1 Define and Implement an Overall Security Strategy and Architecture
Basics of Cloud Computing; The Need for the Cloud; Cloud Service Models; Cloud Deployment Models; Introduction to Cybersecurity; The Need for Cybersecurity; Cybersecurity Domains; Getting Started with Zero Trust; NIST Abstract Definition of Zero Trust; Key Benefits of Zero Trust; Guiding Principles of Zero Trust; Zero Trust Architecture; Design Integration Points in an Architecture; Security Operations Center; Software as a Service; Hybrid Infrastructure: IaaS, PaaS, On-Premises; Endpoints and Devices; Information Protection; Identity and Access; People Security; IoT and Operational Technology; Design Security Needs to Be Based on Business Goals; Define Strategy; Prepare Plan; Get Ready; Adopt; Secure; Manage; Govern; Decode Security Requirements to Technical Abilities; Resource Planning and Hardening; Design Security for a Resiliency Approach; Before an Incident; During an Incident; After an Incident; Feedback Loop; Identify the Security Risks Associated with Hybrid and Multi-Tenant Environments; Deploy a Secure Hybrid Identity Environment; Deploy a Secure Hybrid Network; Design a Multi-Tenancy Environment; Responsiveness to Individual Tenants' Needs; Plan Traffic Filtering and Segmentation Technical and Governance Strategies; Logically Segmented Subnets; Deploy Perimeter Networks for Security Zones; Avoid Exposure to the Internet with Dedicated WAN Links; Use Virtual Network Appliances; Summary; Exam Essentials; Review Questions

Chapter 2 Define a Security Operations Strategy
Foundation of Security Operations and Strategy; SOC Operating Model; SOC Framework; SOC Operations; Microsoft SOC Strategy for Azure Cloud; Microsoft SOC Function for Azure Cloud; Microsoft SOC Integration Among SecOps and Business Leadership; Microsoft SOC People and Process; Microsoft SOC Metrics; Microsoft SOC Modernization; SOC MITRE ATT&CK; Design a Logging and Auditing Strategy to Support Security Operations; Overview of Azure Logging Capabilities; Develop Security Operations to Support a Hybrid or Multi-Cloud Environment; Integrated Operations for Hybrid and Multi-Cloud Environments; Customer Processes; Primary Cloud Controls; Hybrid, Multi-Cloud Gateway, and Enterprise Control Plane; Azure Security Operation Services; Using Microsoft Sentinel and Defender for Cloud to Monitor Hybrid Security; Design a Strategy for SIEM and SOAR; Security Operations Center Best Practices for SIEM and SOAR; Evaluate Security Workflows; Microsoft Best Practices for Incident Response; Microsoft Best Practices for Recovery; Azure Workflow Automation Uses a Few Key Technologies; Evaluate a Security Operations Strategy for the Incident Management Life Cycle; Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Evaluate a Security Operations Strategy for Sharing Technical Threat Intelligence; Microsoft Sentinel's Threat Intelligence; Defender for Endpoint's Threat Intelligence; Defender for IoT's Threat Intelligence; Defender for Cloud's Threat Intelligence; Microsoft 365 Defender's Threat Intelligence; Summary; Exam Essentials; Review Questions

Chapter 3 Define an Identity Security Strategy
Design a Strategy for Access to Cloud Resources; Deployment Objectives for Identity Zero Trust; Microsoft's Method to Identity Zero Trust Deployment; Recommend an Identity Store (Tenants, B2B, B2C, Hybrid); Recommend an Authentication and Authorization Strategy; Cloud Authentication; Federated Authentication; Secure Authorization; Design a Strategy for Conditional Access; Verify Explicitly; Use Least-Privileged Access; Assume Breach; Conditional Access Zero Trust Architecture; Summary of Personas; Design a Strategy for Role Assignment and Delegation; Design a Security Strategy for Privileged Role Access to Infrastructure Including Identity-Based Firewall Rules and Azure PIM; Securing Privileged Access; Develop a Road Map; Best Practices for Managing Identity and Access on the Microsoft Platform; Design a Security Strategy for Privileged Activities Including PAM, Entitlement Management, and Cloud Tenant Administration; Developing a Privileged Access Strategy; Azure AD Entitlement Management; Summary; Exam Essentials; Review Questions

Chapter 4 Identify a Regulatory Compliance Strategy
Interpret Compliance Requirements and Translate into Specific Technical Capabilities; Review the Organization Requirements; Design a Compliance Strategy; Key Compliance Consideration; Evaluate Infrastructure Compliance by Using Microsoft Defender for Cloud; Protect All of Your IT Resources Under One Roof; Interpret Compliance Scores and Recommend Actions to Resolve Issues or Improve Security; Design and Validate Implementation of Azure Policy; Design for Data Residency Requirements; Storage of Data for Regional Services; Storage of Data for Nonregional Services; Data Sovereignty; Personal Data; Azure Policy Consideration; Azure Blueprints Consideration; Protecting Organizational Data; Encryption of Data at Rest; Encryption of Data in Transit; Encryption During Data Processing; Azure Customer Lockbox; Translate Privacy Requirements into Requirements for Security Solutions; Leverage Azure Policy; Summary; Exam Essentials; Review Questions

Chapter 5 Identify Security Posture and Recommend Technical Strategies to Manage Risk
Analyze Security Posture by Using Azure Security Benchmark; Evaluating Security Posture in Azure Workloads; Analyze Security Posture by Using Microsoft Defender for Cloud; Assess the Security Hygiene of Cloud Workloads; Evaluate the Security Posture of Cloud Workloads; Design Security for an Azure Landing Zone; Design Security Review; Security Design Considerations; Security in the Azure Landing Zone Accelerator; Improve Security in the Azure Landing Zone; Evaluate Security Postures by Using Secure Scores; References; Identify Technical Threats and Recommend Mitigation Measures; Recommend Security Capabilities or Controls to Mitigate Identified Risks; Summary; Exam Essentials; Review Questions

Chapter 6 Define a Strategy for Securing Infrastructure
Plan and Deploy a Security Strategy Across Teams; Security Roles and Responsibilities; Security Strategy Considerations; Deliverables; Best Practices for Building a Security Strategy; Strategy Approval; Deploy a Process for Proactive and Continuous Evolution of a Security Strategy; Considerations in Security Planning; Establish Essential Security Practices; Security Management Strategy; Continuous Assessment; Continuous Strategy Evolution; Specify Security Baselines for Server and Client Endpoints; What Are Security Baselines?; What Is Microsoft Intune?; What Are Security Compliance Toolkits?; Foundation Principles of Baselines; Selecting the Appropriate Baseline; Specify Security Baselines for the Server, Including Multiple Platforms and Operating Systems; Analyze Security Configuration; Secure Servers (Domain Members); Specify Security Requirements for Mobile Devices and Clients, Including Endpoint Protection, Hardening, and Configuration; App Isolation and Control; Choose Between Device Management and Application Management; Device Settings; Client Requirements; Specify Requirements for Securing Active Directory Domain Services; Securing Domain Controllers Against Attack; Microsoft Defender for Identity; Design a Strategy to Manage Secrets, Keys, and Certificates; Manage Access to Secrets, Certificates, and Keys; Restrict Network Access; Design a Strategy for Secure Remote Access; Design a Strategy for Securing Privileged Access; Building the Recommended Design Strategy; Summary; Exam Essentials; Review Questions

Chapter 7 Define a Strategy and Requirements for Securing PaaS, IaaS, and SaaS Services
Establish Security Baselines for SaaS, PaaS, and IaaS Services; PaaS Security Baseline; IaaS Security Baseline; Establish Security Requirements for IoT Workloads; Establish Security Requirements for Data Workloads, Including SQL Server, Azure SQL, Azure Synapse, and Azure Cosmos DB; Security Posture Management for Data; Databases; Define the Security Requirements for Web Workloads; Security Posture Management for App Service; Determine the Security Requirements for Storage Workloads; Security Posture Management for Storage; Define Container Security Requirements; Security Posture Management for Containers; Define Container Orchestration Security Requirements; Summary; Exam Essentials; Review Questions

Chapter 8 Define a Strategy and Requirements for Applications and Data
Knowing the Application Threat Intelligence Model; Analyze the Application Design Progressively; Mitigation Categories; Mitigate the Identified Threats; Specify Priorities for Mitigating Threats to Applications; Identify and Classify Applications; Assess the Potential Impact or Risk of Applications; Specify a Security Standard for Onboarding a New Application; Onboarding New Applications; Security Standards for Onboarding Applications; Specify a Security Strategy for Applications and APIs; Enforcing Security for DevOps; Security Strategy Components; Strategies for Mitigating Threats; Specify Priorities for Mitigating Threats to Data; Ransomware Protection; Design a Strategy to Identify and Protect Sensitive Data; Data Discovery: Know Your Data; Data Classification; Data Protection; Specify an Encryption Standard for Data at Rest and in Motion; Encryption of Data at Rest; Encryption of Data in Transit; Azure Data Security and Encryption Best Practices; Manage with Secure Workstations; Key Management with Key Vault; Summary; Exam Essentials; Review Questions

Chapter 9 Recommend Security Best Practices and Priorities
Recommend Best Practices for Cybersecurity Capabilities and Controls; Essential Best Practices in the MCRA; Recommend Best Practices for Protecting from Insider and External Attacks; Recommend Best Practices for Zero Trust Security; Recommend Best Practices for Zero Trust Rapid Modernization Plan; Recommend a DevSecOps Process; Plan and Develop; Commit the Code; Build and Test; Go to Production and Operate; Recommend a Methodology for Asset Protection; Get Secure; Stay Secure; Dilemmas Surrounding Patches; Network Isolation; Getting Started; Key Information; Recommend Strategies for Managing and Minimizing Risk; What Is Cybersecurity Risk?; Align Your Security Risk Management; Knowing Cybersecurity Risk; Plan for Ransomware Protection and Extortion-Based Attacks; Regain Access for a Fee; Avoid Disclosure by Paying; Protect Assets from Ransomware Attacks; Strategy for Privileged Access; Recommend Microsoft Ransomware Best Practices; Remote Access; Email and Collaboration; Endpoints; Accounts; Summary; Exam Essentials; Review Questions

Appendix Answers to Review Questions
Chapter 1: Define and Implement an Overall Security Strategy and Architecture; Chapter 2: Define a Security Operations Strategy; Chapter 3: Define an Identity Security Strategy; Chapter 4: Identify a Regulatory Compliance Strategy; Chapter 5: Identify Security Posture and Recommend Technical Strategies to Manage Risk; Chapter 6: Define a Strategy for Securing Infrastructure; Chapter 7: Define a Strategy and Requirements for Securing PaaS, IaaS, and SaaS Services; Chapter 8: Define a Strategy and Requirements for Applications and Data; Chapter 9: Recommend Security Best Practices and Priorities

Index
ABOUT THE AUTHORS

KATHIRAVAN UDAYAKUMAR is Head of Delivery and Chief Architect for Oracle Digital Technologies (Europe Practice) at Cognizant, covering various elements of the technology stack on-premises and in the cloud. He has over 18 years of experience in architecture, design, implementation, administration and integration with greenfield IT systems, ERP, cloud platforms and solutions across various business domains and industries. He has had a passion for networking since he was an undergraduate and became a Cisco Certified Network Associate (CCNA).

PUTHIYAVAN UDAYAKUMAR is an infrastructure architect with over 14 years of experience in modernizing and securing IT infrastructure, including the cloud. He has been writing technical books for more than ten years on various infrastructure and security domains. He has designed, deployed, and secured IT infrastructure both on-premises and in the cloud, including virtual servers, networks, storage, and desktops for various industries, including pharmaceutical, banking, healthcare, aviation, federal entities, etc. He is an Open Group Master Certified Architect.