In the MCE Microsoft Certified Expert Cybersecurity Architect Study Guide: Exam SC-100, a team of dedicated software architects delivers an authoritative and easy-to-follow guide to preparing for the SC-100 Cybersecurity Architect certification exam offered by Microsoft. In the book, you’ll find comprehensive coverage of the objectives tested by the exam: evaluating Governance, Risk, and Compliance (GRC) technical strategies and security operations strategies, designing Zero Trust strategies and architectures, and designing data and application security strategies.
With the information provided by the authors, you’ll be prepared for your first day in a new role as a cybersecurity architect, gaining practical, hands-on skills with modern Azure deployments. You’ll also find:
- In-depth discussions of every single objective covered by the SC-100 exam and, by extension, the skills necessary to succeed as a Microsoft cybersecurity architect
- Critical information to help you obtain a widely sought-after credential that is increasingly popular across the industry (especially in government roles)
- Valuable online study tools, including hundreds of bonus practice exam questions, electronic flashcards, and a searchable glossary of crucial technical terms
An essential roadmap to the SC-100 exam and a new career in cybersecurity architecture on the Microsoft Azure cloud platform, MCE Microsoft Certified Expert Cybersecurity Architect Study Guide: Exam SC-100 is also ideal for anyone seeking to improve their knowledge and understanding of cloud-based management and security.
Table of Contents
Introduction xxi
Assessment Test xxxii
Chapter 1 Define and Implement an Overall Security Strategy and Architecture 1
Basics of Cloud Computing 2
The Need for the Cloud 3
Cloud Service Models 4
Cloud Deployment Models 5
Introduction to Cybersecurity 6
The Need for Cybersecurity 7
Cybersecurity Domains 9
Getting Started with Zero Trust 12
NIST Abstract Definition of Zero Trust 12
Key Benefits of Zero Trust 13
Guiding Principles of Zero Trust 13
Zero Trust Architecture 14
Design Integration Points in an Architecture 16
Security Operations Center 17
Software as a Service 18
Hybrid Infrastructure - IaaS, PaaS, On-Premises 19
Endpoints and Devices 21
Information Protection 22
Identity and Access 24
People Security 25
IoT and Operational Technology 26
Design Security Needs to Be Based on Business Goals 27
Define Strategy 28
Prepare Plan 28
Get Ready 29
Adopt 29
Secure 29
Manage 31
Govern 31
Decode Security Requirements to Technical Abilities 32
Resource Planning and Hardening 32
Design Security for a Resiliency Approach 34
Before an Incident 34
During an Incident 35
After an Incident 35
Feedback Loop 35
Identify the Security Risks Associated with Hybrid and Multi-Tenant Environments 36
Deploy a Secure Hybrid Identity Environment 36
Deploy a Secure Hybrid Network 36
Design a Multi-Tenancy Environment 37
Responsiveness to Individual Tenants’ Needs 39
Plan Traffic Filtering and Segmentation Technical and Governance Strategies 40
Logically Segmented Subnets 41
Deploy Perimeter Networks for Security Zones 41
Avoid Exposure to the Internet with Dedicated WAN Links 42
Use Virtual Network Appliances 42
Summary 42
Exam Essentials 43
Review Questions 45
Chapter 2 Define a Security Operations Strategy 49
Foundation of Security Operations and Strategy 50
SOC Operating Model 51
SOC Framework 51
SOC Operations 54
Microsoft SOC Strategy for Azure Cloud 55
Microsoft SOC Function for Azure Cloud 57
Microsoft SOC Integration Among SecOps and Business Leadership 58
Microsoft SOC People and Process 59
Microsoft SOC Metrics 60
Microsoft SOC Modernization 61
SOC MITRE ATT&CK 61
Design a Logging and Auditing Strategy to Support Security Operations 64
Overview of Azure Logging Capabilities 66
Develop Security Operations to Support a Hybrid or Multi-Cloud Environment 68
Integrated Operations for Hybrid and Multi-Cloud Environments 70
Customer Processes 71
Primary Cloud Controls 73
Hybrid, Multi-Cloud Gateway, and Enterprise Control Plane 74
Azure Security Operation Services 74
Using Microsoft Sentinel and Defender for Cloud to Monitor Hybrid Security 76
Design a Strategy for SIEM and SOAR 78
Security Operations Center Best Practices for SIEM and SOAR 79
Evaluate Security Workflows 81
Microsoft Best Practices for Incident Response 81
Microsoft Best Practices for Recovery 82
Azure Workflow Automation Uses a Few Key Technologies 82
Evaluate a Security Operations Strategy for the Incident Management Life Cycle 83
Preparation 84
Detection and Analysis 85
Containment, Eradication, and Recovery 86
Evaluate a Security Operations Strategy for Sharing Technical Threat Intelligence 87
Microsoft Sentinel’s Threat Intelligence 89
Defender for Endpoint’s Threat Intelligence 89
Defender for IoT’s Threat Intelligence 90
Defender for Cloud’s Threat Intelligence 90
Microsoft 365 Defender’s Threat Intelligence 91
Summary 92
Exam Essentials 92
Review Questions 94
Chapter 3 Define an Identity Security Strategy 99
Design a Strategy for Access to Cloud Resources 100
Deployment Objectives for Identity Zero Trust 102
Microsoft’s Method to Identity Zero Trust Deployment 104
Recommend an Identity Store (Tenants, B2B, B2C, Hybrid) 109
Recommend an Authentication and Authorization Strategy 111
Cloud Authentication 112
Federated Authentication 115
Secure Authorization 121
Design a Strategy for Conditional Access 122
Verify Explicitly 123
Use Least-Privileged Access 123
Assume Breach 124
Conditional Access Zero Trust Architecture 125
Summary of Personas 126
Design a Strategy for Role Assignment and Delegation 127
Design a Security Strategy for Privileged Role Access to Infrastructure Including Identity-Based Firewall Rules and Azure PIM 130
Securing Privileged Access 132
Develop a Road Map 133
Best Practices for Managing Identity and Access on the Microsoft Platform 135
Design a Security Strategy for Privileged Activities Including PAM, Entitlement Management, and Cloud Tenant Administration 136
Developing a Privileged Access Strategy 137
Azure AD Entitlement Management 140
Summary 141
Exam Essentials 142
Review Questions 145
Chapter 4 Identify a Regulatory Compliance Strategy 149
Interpret Compliance Requirements and Translate into Specific Technical Capabilities 150
Review the Organization Requirements 156
Design a Compliance Strategy 157
Key Compliance Consideration 159
Evaluate Infrastructure Compliance by Using Microsoft Defender for Cloud 162
Protect All of Your IT Resources Under One Roof 163
Interpret Compliance Scores and Recommend Actions to Resolve Issues or Improve Security 165
Design and Validate Implementation of Azure Policy 166
Design for Data Residency Requirements 175
Storage of Data for Regional Services 176
Storage of Data for Nonregional Services 176
Data Sovereignty 177
Personal Data 177
Azure Policy Consideration 178
Azure Blueprints Consideration 178
Protecting Organizational Data 179
Encryption of Data at Rest 179
Encryption of Data in Transit 180
Encryption During Data Processing 181
Azure Customer Lockbox 182
Translate Privacy Requirements into Requirements for Security Solutions 182
Leverage Azure Policy 183
Summary 186
Exam Essentials 186
Review Questions 189
Chapter 5 Identify Security Posture and Recommend Technical Strategies to Manage Risk 193
Analyze Security Posture by Using Azure Security Benchmark 194
Evaluating Security Posture in Azure Workloads 198
Analyze Security Posture by Using Microsoft Defender for Cloud 199
Assess the Security Hygiene of Cloud Workloads 201
Evaluate the Security Posture of Cloud Workloads 203
Design Security for an Azure Landing Zone 207
Design Security Review 210
Security Design Considerations 211
Security in the Azure Landing Zone Accelerator 212
Improve Security in the Azure Landing Zone 212
Evaluate Security Postures by Using Secure Scores 216
References 217
Identify Technical Threats and Recommend Mitigation Measures 220
Recommend Security Capabilities or Controls to Mitigate Identified Risks 224
Summary 227
Exam Essentials 227
Review Questions 229
Chapter 6 Define a Strategy for Securing Infrastructure 233
Plan and Deploy a Security Strategy Across Teams 234
Security Roles and Responsibilities 235
Security Strategy Considerations 237
Deliverables 238
Best Practices for Building a Security Strategy 238
Strategy Approval 239
Deploy a Process for Proactive and Continuous Evolution of a Security Strategy 239
Considerations in Security Planning 239
Establish Essential Security Practices 241
Security Management Strategy 241
Continuous Assessment 242
Continuous Strategy Evolution 243
Specify Security Baselines for Server and Client Endpoints 244
What Are Security Baselines? 245
What Is Microsoft Intune? 245
What Are Security Compliance Toolkits? 245
Foundation Principles of Baselines 245
Selecting the Appropriate Baseline 246
Specify Security Baselines for the Server, Including Multiple Platforms and Operating Systems 248
Analyze Security Configuration 248
Secure Servers (Domain Members) 248
Specify Security Requirements for Mobile Devices and Clients, Including Endpoint Protection, Hardening, and Configuration 252
App Isolation and Control 252
Choose Between Device Management and Application Management 253
Device Settings 256
Client Requirements 256
Specify Requirements for Securing Active Directory Domain Services 257
Securing Domain Controllers Against Attack 258
Microsoft Defender for Identity 259
Design a Strategy to Manage Secrets, Keys, and Certificates 260
Manage Access to Secrets, Certificates, and Keys 262
Restrict Network Access 263
Design a Strategy for Secure Remote Access 265
Design a Strategy for Securing Privileged Access 271
Building the Recommended Design Strategy 271
Summary 273
Exam Essentials 274
Review Questions 276
Chapter 7 Define a Strategy and Requirements for Securing PaaS, IaaS, and SaaS Services 281
Establish Security Baselines for SaaS, PaaS, and IaaS Services 282
PaaS Security Baseline 290
IaaS Security Baseline 299
Establish Security Requirements for IoT Workloads 306
Establish Security Requirements for Data Workloads, Including SQL Server, Azure SQL, Azure Synapse, and Azure Cosmos DB 311
Security Posture Management for Data 312
Databases 313
Define the Security Requirements for Web Workloads 315
Security Posture Management for App Service 315
Determine the Security Requirements for Storage Workloads 317
Security Posture Management for Storage 317
Define Container Security Requirements 319
Security Posture Management for Containers 320
Define Container Orchestration Security Requirements 321
Summary 324
Exam Essentials 324
Review Questions 327
Chapter 8 Define a Strategy and Requirements for Applications and Data 331
Knowing the Application Threat Intelligence Model 332
Analyze the Application Design Progressively 334
Mitigation Categories 334
Mitigate the Identified Threats 340
Specify Priorities for Mitigating Threats to Applications 341
Identify and Classify Applications 341
Assess the Potential Impact or Risk of Applications 342
Specify a Security Standard for Onboarding a New Application 343
Onboarding New Applications 344
Security Standards for Onboarding Applications 345
Specify a Security Strategy for Applications and APIs 346
Enforcing Security for DevOps 347
Security Strategy Components 348
Strategies for Mitigating Threats 349
Specify Priorities for Mitigating Threats to Data 349
Ransomware Protection 352
Design a Strategy to Identify and Protect Sensitive Data 353
Data Discovery: Know Your Data 353
Data Classification 353
Data Protection 355
Specify an Encryption Standard for Data at Rest and in Motion 361
Encryption of Data at Rest 361
Encryption of Data in Transit 362
Azure Data Security and Encryption Best Practices 364
Manage with Secure Workstations 365
Key Management with Key Vault 366
Summary 367
Exam Essentials 367
Review Questions 370
Chapter 9 Recommend Security Best Practices and Priorities 375
Recommend Best Practices for Cybersecurity Capabilities and Controls 376
Essential Best Practices in the MCRA 377
Recommend Best Practices for Protecting from Insider and External Attacks 383
Recommend Best Practices for Zero Trust Security 387
Recommend Best Practices for Zero Trust Rapid Modernization Plan 390
Recommend a DevSecOps Process 391
Plan and Develop 391
Commit the Code 394
Build and Test 395
Go to Production and Operate 397
Recommend a Methodology for Asset Protection 398
Get Secure 399
Stay Secure 399
Dilemmas Surrounding Patches 400
Network Isolation 401
Getting Started 401
Key Information 402
Recommend Strategies for Managing and Minimizing Risk 403
What Is Cybersecurity Risk? 404
Align Your Security Risk Management 404
Knowing Cybersecurity Risk 406
Plan for Ransomware Protection and Extortion-Based Attacks 407
Regain Access for a Fee 407
Avoid Disclosure by Paying 407
Protect Assets from Ransomware Attacks 411
Strategy for Privileged Access 412
Recommend Microsoft Ransomware Best Practices 415
Remote Access 416
Email and Collaboration 417
Endpoints 419
Accounts 421
Summary 423
Exam Essentials 424
Review Questions 428
Appendix Answers to Review Questions 433
Chapter 1: Define and Implement an Overall Security Strategy and Architecture 434
Chapter 2: Define a Security Operations Strategy 436
Chapter 3: Define an Identity Security Strategy 438
Chapter 4: Identify a Regulatory Compliance Strategy 440
Chapter 5: Identify Security Posture and Recommend Technical Strategies to Manage Risk 441
Chapter 6: Define a Strategy for Securing Infrastructure 443
Chapter 7: Define a Strategy and Requirements for Securing PaaS, IaaS, and SaaS Services 446
Chapter 8: Define a Strategy and Requirements for Applications and Data 447
Chapter 9: Recommend Security Best Practices and Priorities 449
Index 453