Le aziende fanno sempre più affidamento sulle tecnologie cloud per migliorare l'efficienza e semplificare le operazioni in un contesto aziendale in continua evoluzione come quello di oggi. Con l'aumento dell'adozione del cloud aumenta anche la richiesta di solide misure di sicurezza per proteggere i dati e le applicazioni sensibili. La certificazione Microsoft Azure Security Technologies (AZ-500) ha lo scopo di fornire ai professionisti le competenze e le conoscenze necessarie per proteggere l'infrastruttura, i servizi e i dati di Azure.
L'approccio Zero Trust Security presuppone che tutti gli utenti, i dispositivi e le reti non siano attendibili e richiedano una verifica costante ed è oggi una delle metodologie di sicurezza più critiche del settore. Man mano che le aziende adottano le tecnologie dell'Intelligenza Artificiale (AI) emergono nuovi problemi di sicurezza, che rendono fondamentale per le aziende rimanere aggiornate sulle ultime pratiche di sicurezza.
Questo skills plan vi darà una panoramica degli obiettivi dell'esame per l'esame AZ-500, che include controlli di sicurezza, gestione di identità e accessi, protezione della piattaforma, protezione di dati e applicazioni e funzionalità di governance e conformità in Azure. Gli studenti possono dimostrare la propria esperienza nella protezione dell'infrastruttura di Azure e contribuire agli sforzi di sicurezza informatica della propria azienda studiando questa guida e superando l'esame AZ-500.
I compiti e le responsabilità di un Azure Security Engineer includono il mantenimento della security posture, l'identificazione e la correzione delle vulnerabilità utilizzando una varietà di strumenti di sicurezza, l'implementazione della protezione dalle minacce e la risposta alle escalation degli incidenti di sicurezza.
Percorso 1: Contenuto dell’esame AZ-500
Prerequisiti
Vi consiglio di dare un’occhiata a questi argomenti se siete alle prime armi con i contenuti di sicurezza informatica.
- lntroduction to Azure security (Learn)
- Azure security technical capabilities
- Azure identity management security overview
- Azure network security overview
- Fundamentals of Network Security (Learn)
- Microsoft Azure Well-Architected Framework Security (Learn) (Learn)
Manage identity and access (30-35%)
Manage Azure Active Directory identities
- Configure security for service principals
o Application and service principal objects in Azure Active Directory
o Authenticate apps to Azure services by using service principals and managed
identities for Azure resources (Learn)
- Manage Azure AD directory groups
o Access with Azure Active Directory groups
o Manage users and groups in Azure Active Directory (Learn)
- Manage Azure AD users
o Add or delete users using Azure Active Directory
o Manage users and groups in Azure Active Directory (Learn)
- Configure password writeback
o Tutorial: Enable Azure Active Directory self-service password reset writeback to an on-premises environment (Docs)
- Configure authentication methods including password hash and Pass Through
Authentication (PTA), OAuth, and passwordless
o Authentication vs authorization
o What is password hash synchronization with Azure AD?
o User sign-in with Azure Active Directory Pass-through Authentication
o Passwordless authentication options for Azure Active Directory
- Transfer Azure subscriptions between Azure AD tenants
o Manage access to an Azure subscription by using Azure role-based access control
(Learn)
o Transfer billing ownership of an Azure subscription to another account
o Associate or add an Azure subscription to your Azure Active Directory tenant
Configure secure access by using Azure AD
- Monitor privileged access for Azure AD Privileged ldentity Management (PlM)
o Configure security alerts for Azure AD roles in Privileged ldentity Management
- Configure Access Reviews
o Create an access review of Azure AD roles in Privileged ldentity Management
- Activate and configure PlM
o Deploy Azure AD Privileged ldentity Management (PlM)
- lmplement Conditional Access policies including Multi-Factor Authentication
o Secure Azure Active Directory users with Multi-Factor Authentication
o Configure Azure Multi-Factor Authentication settings
- Configure Azure AD identity protection
o What is Azure Active Directory ldentity Protection?
o Protect your identities with Azure AD ldentity Protection (Learn)
Manage application access
- Create App Registration
o QuickStart: Register an application with the Microsoft identity platform
- Configure App Registration permission scopes
o Permissions and consent in the Microsoft identity platform endpoint
- Manage App Registration permission consent
o Configure how end-users consent to applications
o Secure your application by using OpenID Connect and Azure AD (Learn)
- Manage API access to Azure subscriptions and resources
o Get access on behalf of a user
o Authentication flows and application scenarios
o Permissions and Consent Framework (Learn)
Manage access controi
- Configure subscription and resource permissions
o Elevate access to manage all Azure subscriptions and management groups
o Add or change Azure subscription administrators
o Lock resources to prevent unexpected changes
- Configure resource group permissions
o What is Azure role-based access control (Azure RBAC)?
o Secure your Azure resources with role-based access control (Learn)
- Configure custom RBAC roles
o Secure your cloud resources with access control (Learn)
o Create custom roles for Azure resources with role-based access control (Learn)
- Identify the appropriate role
o Manage access to an Azure subscription by using Azure role-based access control
(Learn)
- Apply principle of least privilege
o Best practices for Azure RBAC
- Interpret permissions
o Quickstart: View the access a user has to Azure resources
- Check access
o List Azure role assignments using the Azure portal
lmplement platform protection (15-20%)
lmplement advanced network security
- Secure the connectivity of virtual networks (VPN authentication, Express Route encryption)
o Create a Site-to-Site connection in the Azure portal
o Configure virtual network connectivity
o Connect your on-premises network to the Microsoft global network by using
o Design a hybrid network architecture on Azure (Learn)
- Configure Network Security Groups (NSGs) and Application Security Groups (ASGs)
o Create, change, or delete a network security group
o Tutorial: Filter network traffic with a network security group using the Azure portal
o Manage and control traffic flow in your Azure deployment with routes (Learn)
o Fundamentals of Network Security (Learn)
o Secure and isolate access to Azure resources by using network security groups and
- Create and configure Azure Firewall
o Tutorial: Deploy and configure Azure Firewall using the Azure portal
o Tutorial: Deploy and configure Azure Firewall in a hybrid network using the Azure
- Configure Azure Front Door service as an Application Gateway
o Quickstart: Create a Front Door for a highly available global web application
o Encrypt network traffic end to end with Azure Application Gateway (Learn)
- Configure a Web Application Firewall (WAF) on Azure Application Gateway
o Azure Web Application Firewall on Azure Application Gateway
- Configure Azure Bastion
o Quickstart: Connect to a virtual machine using a private IP address and Azure
o How to use Azure Bastion to connect securely to your Azure VMs (Video)
- Configure a firewall on a storage account, Azure SQL, KeyVault, or App Service
o Azure SQL Database and Azure Synapse IP firewall rules
o Configure Azure Storage firewalls and virtual networks
o Access Azure Key Vault behind a firewall
- lmplement Service Endpoints
o Virtual Network service endpoints
o Tutorial: Restrict network access to PaaS resources with virtual network service endpoints using the Azure portal
o Create, change, or delete service endpoint policy using the Azure portal
o Use private endpoints for Azure Storage
o Quickstart: Create a Private Endpoint using Azure portal
- lmplement DDoS
o Azure DDoS Protection Standard overview
Configure advanced security for compute
- Configure endpoint protection
o Feature coverage for machines
o Security management in Azure
o Microsoft Antimalware for Azure Cloud Services and Virtual Machines
o Protect your servers and VMs from brute-force and malware attacks with Azure
- Configure and monitor system updates for VMs
o Manage updates and patches for your Azure VMs
o Manage updates for multiple VMs
o Keep your virtual machines updated
o Security best practices for laaS workloads in Azure
- Configure authentication for Azure Container Registry
o How to use managed identities with Azure Container lnstances
o Authenticate with an Azure container registry
o lntroduction to Docker containers (Learn)
- Configure security for different types of containers
o Run Docker containers with Azure Container lnstances (Learn)
o Build a containerized web application with Docker (Learn)
- lmplement vulnerability management
o Vulnerability assessments for your Azure Virtual Machines
o lntegrated vulnerability scanner for virtual machines (Standard tier only)
- Configure isolation for AKS
o Security concepts for applications and clusters in Azure Kubernetes Service (AKS)
o Best practices for cluster isolation in Azure Kubernetes Service (AKS)
o Azure Kubernetes Service Workshop (Learn)
o Secure traffic between pods using network policies in Azure Kubernetes Service
(Video)
- Configure security for container registry
o Authenticate with an Azure container registry
o Build and store container images with Azure Container Registry (Learn)
- lmplement Azure Disk Encryption
o Azure Disk Encryption for Windows VMs
o Secure your Azure virtual machine disks (Learn)
- Configure authentication and security for Azure App Service
o Security in Azure App Service
o Authentication and authorization in Azure App Service and Azure Functions
o OS and runtime patching in Azure App Service
- Configure SSL/TLS certs
o Add a TLS/SSL certificate in Azure App Service
o Secure a custom DNS name with a TLS/SSL binding in Azure App Service
- Configure authentication for Azure Kubernetes Service
o Service principals with Azure Kubernetes Service (AKS)
o lntegrate Azure Active Directory with Azure Kubernetes Service
o Use managed identities in Azure Kubernetes Service
- Configure automatic updates
o Update containers in Azure Container lnstances
Manage security operations (25-30%)
Monitor security by using Azure Monitor
- Create and customize alerts
o Create, view, and manage log alerts using Azure Monitor
o Create, view, and manage metric alerts using Azure Monitor
o lmprove incident response with alerting on Azure (Learn)
- Monitor logs by using Azure Monitor
o Tutorial: Get started with Log Analytics queries
o Get started with log queries in Azure Monitor
o Analyze your Azure infrastructure by using Azure Monitor logs (Learn)
o Monitor and report on security events in Azure AD (Learn)
- Configure diagnostic logging and log retention
o Create diagnostic setting to collect resource logs and metrics in Azure
o Overview of Azure platform logs
Monitor security by using Azure Security Center
- Create and customize alerts
o Security alerts in Azure Security Center
o Manage and respond to security alerts in Azure Security Center
- Evaluate vulnerability scans from Azure Security Center
o Vulnerability assessments for your Azure Virtual Machines
o lntegrated vulnerability scanner for virtual machines (Standard tier only)
o ldentify security threats with Azure Security Center (Learn)
o Resolve security threats with Azure Security Center (Learn)
- Configure Just in Time VM access by using Azure Security Center
o Secure your management ports with just-in-time access
- Configure centralized policy management by using Azure Security Center
o Working with security policies
o Azure security policies monitored by Security Center
- Configure compliance policies and evaluate for compliance by using Azure Security
Center
o Tutorial: lmprove your regulatory compliance
Monitor security by using Azure Sentine!
- Create and customize alerts
o Automatically create incidents from Microsoft security alerts
o Tutorial: Create custom analytic rules to detect suspicious threats
o Quickstart: Get started with Azure Sentinel
- Configure data sources to Azure Sentinel
o lmprove security with Azure Sentinel, a cloud-native SlEM and SOAR solution (Video)
- Evaluate results from Azure Sentinel
o Tutorial: Visualize and monitor your data
o Tutorial: lnvestigate incidents with Azure Sentinel
o Use a framework to identify threats and find ways to reduce or eliminate risk (Learn)
- Configure a playbook for a security event by using Azure Sentinel
o Tutorial: Set up automated threat responses in Azure Sentinel
Configure security policies
- Configure security settings by using Azure Policy
o Tutorial: Create and manage policies to enforce compliance
o Tutorial: Create a custom policy definition
o Integrate Azure Key Vault with Azure Policy
o Apply and monitor infrastructure standards with Azure Policy (Learn)
- Configure security settings by using Azure Blueprint
o Overview of the Azure Security Benchmark blueprint sample
o Tutorial: Create an environment from a blueprint sample
Secure data and applications (20-25%)
Configure security for storage
- Configure access control for storage accounts
o Authorizing access to data in Azure Storage
o Secure your Azure Storage accounts (Learn)
- Configure key management for storage accounts
o Manage storage account access keys
o Use the Azure portal to access blob or queue data
- Configure Azure AD authentication for Azure Storage
o Authorize access to blobs and queues using Azure Active Directory
o Acquire a token from Azure AD for authorizing requests from a client application
- Configure Azure AD Domain Services authentication for Azure Files
o Overview - on-premises Active Directory Domain Services authentication over SMB
o Enable Azure Active Directory Domain Services authentication on Azure Files
o Store and share files in your application with Azure Files (Learn)
- Create and manage Shared Access Signatures (SAS)
o Grant limited access to Azure Storage resources using shared access signatures
o Control access to Azure Storage with shared access signatures (Learn)
- Create a shared access policy for a blob or blob container
o Security recommendations for Blob storage
- Configure Storage Service Encryption
o Azure Storage encryption for data at rest
o Configure customer-managed keys with Azure Key Vault by using the Azure portal
Configure security for databases
- Enable database authentication
o Use Azure Active Directory authentication
o Configure and manage Azure AD authentication with Azure SQL
o Configure security policies to manage data (Learn)
- Enable database auditing
o Auditing for Azure SQL Database and Azure Synapse Analytics
- Configure Azure SQL Database Advanced Threat Protection
o Advanced Threat Protection for Azure SQL Database, SQL Managed lnstance, and
- lmplement database encryption
o Tutorial: Secure a database in Azure SQL Database
- lmplement Azure SQL Database Always Encrypted
o Overview of key management for Always Encrypted
o Configure Always Encrypted by using Azure Key Vault
Configure and manage Key Vault
- Manage access to Key Vault
o Secure access to a key vault
- Manage permissions to secrets, certificates, and keys
o Provide Key Vault authentication with a managed identity
o Manage secrets in your server apps with Azure Key Vault (Learn)
- Configure RBAC usage in Azure Key Vault
o Azure Policy built-in policy definitions for Key Vault
- Manage certificates
o Tutorial: lmport a certificate in Azure Key Vault
- Manage secrets
o About Azure Key Vault secrets
o Configure and manage secrets in Azure Key Vault (Learn)
- Configure key rotation
o Set up Azure Key Vault with key rotation and auditing
o Tutorial: Configure certificate autorotation in Key Vault
o Automate the rotation of a secret for resources that use single-user/single-password authentication
- Backup and restore of Key Vault items
o Azure Key Vault soft-delete overview
Bonus Pack: Video e demo
- Exam Readyness zone
- Video Azure Friday
- Video Microsoft Learn Show
- Come prepararsi a sostenere un esame di certificazione Microsoft