Exam SC-100 topic 2 question 9 discussion

This question is to increase secure score. Here is a long reference page from Microsoft of security recommendations that can increase your secure score. Sentinel & PIM are not on it. The explanation makes a great point about alerts not being preventive, which is a key aspect of the required solution. https://docs.microsoft.com/en-us/azure/defender-for-cloud/recommendations-reference Which leads me to believe that only firewalls fit the bill.

Preventative controls are WAF & Firewall

For me, being this about ALZ, I definitely go for BC, firewall and WAF are for applications, not for the zone where those lands, I mean, what if you have a private cluster with no public access? Besides, this article already shared: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/security mentiones that: "Make use of the recommendations, alerting, and remediation capabilities of Microsoft Defender for Cloud. Your security team can also integrate Microsoft Defender for Cloud into Microsoft Sentinel if they need a more robust, centrally managed hybrid and multicloud Security Information Event Management (SIEM)/Security Orchestration and Response (SOAR) solution." So, sentinel definitely helps increasing the ALZ security.

A good reference from Microsoft Learn on how to improve the security score in Microsoft Defender for Cloud: https://learn.microsoft.com/en-us/azure/defender-for-cloud/secure-score-security-controls#improving-a-secure-score

Tricky question. Reading the CAF, and based on the following TOPIC: "Design area overview," https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/security#design-area-overview However, I recommend everyone expand the research...

COPILOT RESPONSE B. Azure Active Directory (Azure AD) Privileged Identity Management (PIM): Este servicio ayuda a gestionar, controlar y supervisar el acceso a recursos importantes en la organización. Puede ayudar a reducir los riesgos asociados con los privilegios de acceso al proporcionar acceso justo a tiempo y acceso justo lo suficiente. E. Microsoft Defender for Cloud alerts: Estas alertas proporcionan notificaciones en tiempo real sobre actividades sospechosas y violaciones de políticas en tu entorno de nube. Pueden ayudarte a detectar y responder rápidamente a amenazas de seguridad.

The only two that show up in the secure score metrics are A and D. PIM is mentioned to increase score but I cant find anything in MDC that shows that.

Answers given are correct and are inline with the Security design component of an Azure landing zone: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/security

Here you find the list: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/security The question to answer which ones are preventative? According to me WAF, Firewall & PIM. Next question which does improve the score? Not sure there.

Improve SS for landing zone explicitly calls out sentinel and PIM. WAF and FW are not classified as basic controls "Azure native controls. Azure Firewall and Azure Web Application Firewall offer basic security advantages. Advantages are a fully stateful firewall as a service, built-in high availability, unrestricted cloud scalability, FQDN filtering, support for OWASP core rule sets, and simple setup and configuration."

The two preventative controls that can be implemented to increase the secure score in Azure landing zones are: A. Azure Web Application Firewall (WAF) B. Azure Active Directory (Azure AD) Privileged Identity Management (PIM) while C. Microsoft Sentinel, D. Azure Firewall, and E. Microsoft Defender for Cloud alerts are all valuable tools for enhancing security in Azure, they are not specifically categorized as preventative controls for increasing the secure score.

WAF is only required for specific scenario, so many ALZ do not have a requirement for WAF but will PIM is a must for any deployment. AFW is similar, must have on any secure ALZ.

Both Azure WAF and Azure Firewall are preventative controls that enhance the security posture of your Azure environment by protecting against unauthorized access, threats, and attacks. These controls help in securing your applications and network traffic, contributing to an improved secure score.

A and D are correct

chatgpt: A. Azure Web Application Firewall (WAF): Azure WAF helps protect your web applications from common exploits and vulnerabilities by providing centralized protection, monitoring, and logging for your web traffic. It can prevent attacks such as SQL injection, cross-site scripting (XSS), and other malicious activities targeted at web applications. D. Azure Firewall: Azure Firewall is a managed, cloud-based network security service that provides network traffic filtering and protection for Azure resources. It acts as a preventive control by allowing you to define and enforce network and application-level policies to secure your Azure landing zones. Azure Firewall provides inbound and outbound traffic filtering, application-level inspection, and threat intelligence integration to protect against unauthorized access and threats. Both Azure WAF and Azure Firewall help increase the secure score by providing essential security controls to protect your Azure landing zones.

was on exam 15/06/23

AD is the answer. https://learn.microsoft.com/en-us/azure/defender-for-cloud/secure-score-security-controls#security-controls-and-their-recommendations - Restrict unauthorized network access Azure offers a suite of tools designed to ensure accesses across your network meet the highest security standards. Use these recommendations to manage Defender for Cloud's adaptive network hardening settings, ensure you’ve configured Azure Private Link for all relevant PaaS services, enable Azure Firewall on your virtual networks, and more. - Protect applications against DDoS attacks Azure’s advanced networking security solutions include Azure DDoS Protection, Azure Web Application Firewall, and the Azure Policy Add-on for Kubernetes. Use these recommendations to ensure your applications are protected with these tools and others.