
Microsoft - SC-900: Microsoft Security, Compliance, and Identity Fundamentals

Sample Questions

Question: 251
Measured Skill: Describe the capabilities of Microsoft security solutions (35–40%)

What is a feature of Microsoft Defender for Cloud Apps?

A Cloud workload protection platform (CWPP)
B Automated investigation and response (AIR)
C SaaS security posture management (SSPM)
D Cloud security posture management (CSPM)

Correct answer: C

Explanation:

Software as a service (SaaS) apps are ubiquitous across hybrid work environments, and protecting SaaS apps and the important data they store is a big challenge for organizations. The rise in app usage, combined with employees accessing company resources outside of the corporate perimeter, has also introduced new attack vectors. To combat these attacks effectively, security teams need an approach that protects their data within cloud apps beyond the traditional scope of cloud access security brokers (CASBs).

Microsoft Defender for Cloud Apps delivers full protection for SaaS applications, helping you monitor and protect your cloud app data across the following feature areas:

  • Fundamental cloud access security broker (CASB) functionality, such as Shadow IT discovery, visibility into cloud app usage, protection against app-based threats from anywhere in the cloud, and information protection and compliance assessments.

  • SaaS Security Posture Management (SSPM) features, enabling security teams to improve the organization’s security posture.

  • Advanced threat protection, as part of Microsoft's extended detection and response (XDR) solution, enabling powerful correlation of signal and visibility across the full kill chain of advanced attacks.

  • App-to-app protection, extending the core threat scenarios to OAuth-enabled apps that have permissions and privileges to critical data and resources.

Reference: Microsoft Defender for Cloud Apps overview



Question: 252
Measured Skill: Describe the capabilities of Microsoft compliance solutions (20–25%)

What types of files can Microsoft Purview sensitive information type classifiers be used to classify?

A Documents
B Video files
C Audio files
D Images

Correct answer: A

Explanation:

Microsoft Purview sensitive information type (SIT) classifiers are designed to detect and classify sensitive data in text-based content, such as documents and emails. These classifiers use pattern matching and machine learning on textual data (for example, credit card numbers, national IDs, or custom patterns) and are applied to files that contain readable text.

Reference: Learn about sensitive information types



Question: 253
Measured Skill: Describe the capabilities of Microsoft compliance solutions (20–25%)

Select the answer that correctly completes the sentence.

A In the Microsoft Purview compliance score, corrective actions include system access audits and regulatory compliance audits.
B In the Microsoft Purview compliance score, detective actions include system access audits and regulatory compliance audits.
C In the Microsoft Purview compliance score, discretionary actions include system access audits and regulatory compliance audits.
D In the Microsoft Purview compliance score, preventative actions include system access audits and regulatory compliance audits.

Correct answer: B

Explanation:

Microsoft Purview Compliance Manager is a solution that helps you automatically assess and manage compliance across your multicloud environment. Compliance Manager can help you throughout your compliance journey, from taking inventory of your data protection risks to managing the complexities of implementing controls, staying current with regulations and certifications, and reporting to auditors.

The Compliance Manager dashboard displays your overall compliance score. This score measures your progress in completing recommended improvement actions within controls. Your score can help you understand your current compliance posture. It can also help you prioritize actions based on their potential to reduce risk.

Detective actions such as system access audits and regulatory and compliance audits are designed to identify and discover issues after they occur. These actions help detect violations or gaps rather than prevent or correct them. Microsoft classifies audits as detective controls within compliance and security frameworks.

References:

Microsoft Purview Compliance Manager

Compliance Manager scoring



Question: 254
Measured Skill: Describe the capabilities of Microsoft security solutions (35–40%)

Select the answer that correctly completes the sentence.

A Azure Bastion hosts provide network segmentation in Azure.
B Azure regions provide network segmentation in Azure.
C Landing zones provide network segmentation in Azure.
D Virtual networks provide network segmentation in Azure.

Correct answer: D

Explanation:

Azure Virtual Network is a fundamental building block for your private network in Azure. It enables Azure resources to securely communicate with each other, the internet, and on-premises networks.

A virtual network is similar to a traditional network that you'd operate in your own data center. However, it brings extra benefits of Azure's infrastructure such as scale, availability, and isolation.

Virtual Network concepts

  • Address space: When creating a virtual network, you must specify a custom private IP address space using public and private (RFC 1918) addresses. Azure assigns resources in a virtual network a private IP address from the address space that you assign. For example, if you deploy a VM in a virtual network with address space 10.0.0.0/16, a private IP similar to 10.0.0.4 is assigned to the virtual machine.

  • Subnets: Subnets enable you to segment the virtual network into one or more sub networks and allocate a portion of the virtual network's address space to each subnet. You can then deploy Azure resources in a specific subnet. Just like in a traditional network, subnets allow you to segment your virtual network address space into segments that are appropriate for the organization's internal network. Segmentation improves address allocation efficiency. You can secure resources within subnets using Network Security Groups.

  • Regions: A virtual network is scoped to a single region/location; however, multiple virtual networks from different regions can be connected together using Virtual Network Peering.

  • Subscription: A virtual network is scoped to a subscription. You can implement multiple virtual networks within each Azure subscription and Azure region.

Azure Virtual Networks (VNets) are the primary mechanism for network segmentation in Azure. They enable isolation of resources, IP address spaces, subnets, and control of traffic flow.

Reference: Azure Virtual Network concepts and best practices



Question: 255
Measured Skill: Describe the capabilities of Microsoft security solutions (35–40%)

You are reviewing rules in an Azure network security group (NSG).

You need to identify which NSG rules are default rules, and which are custom rules.

Which property should you use?

A Source
B Protocol
C Priority
D Port

Correct answer: C

Explanation:

You can use an Azure network security group to filter network traffic between Azure resources in Azure virtual networks. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.

To distinguish default rules from custom rules in an Azure Network Security Group (NSG), you should use the Priority property. Default NSG rules are automatically created by Azure and always have very high priority numbers (for example, 65000–65500). Custom NSG rules that you create must have priorities in the range 100–4096. NSG rules are processed in order of priority (lower number = higher priority), and Azure assigns default rules the lowest priority so that custom rules are evaluated first.

The exhibit shows the default rules in a newly created NSG:

Reference: Azure network security groups overview





 
 
 

© Copyright 2014 - 2026 by cert2brain.com