MCA Microsoft Certified Associate Azure Security Engineer Study Guide: Exam AZ-500

By Shimon Brathwaite

Prepare for the MCA Azure Security Engineer certification exam faster and smarter with help from Sybex

In the MCA Microsoft Certified Associate Azure Security Engineer Study Guide: Exam AZ-500, cybersecurity veteran Shimon Brathwaite walks you through every step you need to take to prepare for the MCA Azure Security Engineer certification exam and a career in Azure cybersecurity. You’ll find coverage of every domain competency tested by the exam, including identity management and access, platform protection implementation, security operations management, and data and application security.

You’ll learn to maintain the security posture of an Azure environment, implement threat protection, and respond to security incident escalations. Readers will also find:

• Efficient and accurate coverage of every topic necessary to succeed on the MCA Azure Security Engineer exam
• Robust discussions of all the skills you need to hit the ground running at your first—or next—Azure cybersecurity job
• Complementary access to online study tools, including hundreds of bonus practice exam questions, electronic flashcards, and a searchable glossary

The MCA Azure Security Engineer AZ-500 exam is a challenging barrier to certification. But you can prepare confidently and quickly with this latest expert resource from Sybex. It’s ideal for anyone preparing for the AZ-500 exam or seeking to step into their next role as an Azure security engineer.

• Language: English
• Publisher: Wiley
• Release date: Oct 18, 2022
• ISBN: 9781119870388

Book preview

MCA

Microsoft Certified Associate Azure Security Engineer

Study Guide

Exam AZ-500

Shimon Brathwaite

Logo: Wiley

Copyright © 2023 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada and the United Kingdom.

ISBN: 978-1-119-87037-1

ISBN: 978-1-119-87039-5 (ebk.)

ISBN: 978-1-119-87038-8 (ebk.)

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permission.

Trademarks: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. Microsoft and Azure are registered trademarks of Microsoft Corporation. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book. Microsoft Certified Associate Azure Security Engineer Study Guide is an independent publication and is neither affiliated with, nor authorized, sponsored, or approved by, Microsoft Corporation.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Control Number: 2022945256

Cover image: © Jeremy Woodhouse/Getty Images

Cover design: Wiley

Acknowledgments

I have had the pleasure of working with professionals from Wiley to create this study guide.

I would like to thank Kenyon Brown, senior acquisitions editor, for recruiting me and working with me to get my proposal approved for production. He was very helpful in helping me to understand the requirements and getting started with writing the book.

I would like to thank Christine O'Connor and Janette Neal, who oversaw the edits for my book. They are extremely helpful in making sure that my book was up to Wiley's production standards and helped to coordinate my interactions with everyone else on the team.

I am very grateful for Magesh Elangovan, who worked as the content refinement specialist. He helped me to ensure that the quality of the images and overall content of the book was appropriate for all readers and that the ideas of the book will be conveyed clearly to all readers.

Lastly, I would like to thank Mahalingam, the technical editor who helped me refine the book's content. He was extremely knowledgeable on Microsoft Azure and provided excellent feedback on technical concepts that helped me to improve the overall quality of the book.

About the Author

Shimon Brathwaite is author and editor-in-chief of securitymadesimple.org, a website dedicated to teaching business owners how to secure their businesses and helping cybersecurity professionals start and advance their careers.

Before starting his career in cybersecurity, Shimon was a co-op student at Toronto Metropolitan University in Toronto, Canada, where he received a degree in their Business Technology Management program before deciding to specialize in cybersecurity. Through his work at Toronto Metropolitan University and post-graduation, he accumulated over five years of work experience in cybersecurity across financial institutions, startups, and consulting companies. His work was primarily focused on incident response, where he helped companies resolve security incidents and perform digital investigations.

About the Technical Editor

Mahalingam is an Azure Consultant and works with enterprises to design and implement their solutions in Azure. He also assesses large-scale applications hosted on Azure and provides recommendations to optimize them. He started his Azure journey five years ago and is a certified Azure Solutions Architect Expert, Azure Security Engineer Associate, and Azure Administrator Associate. In addition, he is a Microsoft Certified Trainer and delivers workshops on Azure IaaS and PaaS.

Introduction

The Microsoft Azure Platform is one of the most popular and diverse cloud-computing platforms in existence. It includes a wide range of security features designed to help clients protect their cloud environments. The Microsoft Azure Security Technologies exam, AZ-500, focuses on testing a candidate's ability to be a subject matter expert on implementing Azure security controls. The exam focuses on four main areas:

Managing identity and access

Implementing platform protections

Managing security operations

Securing data and applications

What Does This Book Cover?

This book covers the topics outlined in the Microsoft Certified Associate Azure Security Engineer exam guide available at

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3VC70

Exam policies can change from time to time. We highly recommend that you check the Microsoft site for the most up-to-date information when you begin your preparing, when you register, and again a few days before your scheduled exam date.

The book's outline is as follows:

Chapter 1: Introduction to Microsoft AzureChapter 1 outlines cloud computing best practices. The exam focuses on how to implement security controls that achieve specific goals in the Azure environment. In this chapter, you learn what these goals are for your cloud environment. Each of following chapters will correspond to one or more of these best practices. Before beginning this chapter you can may want to complete the assessment test to help you obtain a baseline of your current understanding of security and the Azure platform.

Chapter 2: Managing Identity and Access on Microsoft AzureChapter 2 focuses on how to implement good identity and access management practices on Azure. Topics include managing Azure Active Directory (AD) identities, securing access to resources and applications, and implementing role-based access control (RBAC).

Chapter 3: Implementing Platform ProtectionsChapter 3 discusses how to implement good network security on the Azure platform. Topics include firewall configuration, endpoint protection, network monitoring, and how to use the Azure-specific security tools to accomplish these tasks. It begins with network security, exploring topics such as security groups; Windows Application Firewall (WAF); endpoint protection; DDoS protection; operational security, such as vulnerability management; disk encryption; and Secure Socket Layer/Transport Layer Security (SSL/TLS) certifications.

Chapter 4: Managing Security OperationsChapter 4 focuses on how to use Azure tools like Azure Sentinel and Security Center to manage security operations. It includes discussions on creating custom alerts, policy management, vulnerability scans, and security configurations for the platforms. We then delve into how to configure good network monitoring using Azure Monitor, Azure Security Center, Azure Policy, Azure Blueprint, and Azure Sentinel.

Chapter 5: Securing Data and Applications This chapter will focus on how to secure data and applications on the Azure platform. Topics include using secure data storage, creating data backups seamlessly, implementing database security, and leveraging Azure tools like Azure Defender and Key Vault. We also cover how to protect application backend databases by implementing database encryption, database authentication, and database auditing.

Appendix A: Azure Security Tools Overview This appendix focuses on Microsoft Azure security tools that are used to create a secure platform. In this chapter, I review the tools' functions and how they can be used and integrated together to create security operations, compliance, networking monitoring, automated alerts, and proper logging. It also includes tools like Microsoft Azure Sentinel, Azure Key Vault, Azure Defender, Azure Firewall, Azure Policy, and Azure Monitor.

Who Should Read This Book

As the title implies, this book is intended for people who have an interest in understanding and implementing security features in Azure. These people probably fall into two basic groups:

Security Professionals in an Azure Environment They can be IT administrators or security professionals who are responsible for securing their organization's Azure cloud environment.

Candidates for the AZ-500 Exam This book is meant to be a study guide for anyone interested in taking the AZ-500 exam. It gives readers a clear understanding of the topics needed to pass the exam. It also comes with hundreds of practice questions/tests to help readers prepare for the type of questions they can expect on the exam.

This book is designed for people who have some experience in cybersecurity. While we give a breakdown of all key foundational concepts relevant to the course, it's impossible to give readers all the information they would need in this book. For those of you with a cybersecurity/IT background, this will be no issue, but for the rest of you this might be a steep learning curve. So we encourage you to do your research if you ever need more context for the cybersecurity concepts found in this book.

You can use this book in two ways. The most straightforward (and time consuming) is to start at the beginning and follow all the steps to gain a good overall understanding of security controls in Azure. Alternatively, you can skip around from chapter to chapter and only look at the areas of interest to you. For example, if you are having trouble understanding how to implement access management in your environment, then you may want to skip to Chapter 2 and just focus on that. Each chapter includes step-by-step instructions on how to implement the controls that we talk about in that chapter.

Study Guide Features

This study guide uses several common elements to help you prepare. These include the following:

Summaries The summary section of each chapter briefly explains the chapter, allowing you to easily understand what it covers.

Exam Essentials The exam essentials focus on major exam topics and critical knowledge that you should take into the test. The exam essentials focus on the exam objectives provided by Microsoft.

Chapter Review Questions A set of questions at the end of each chapter will help you assess your knowledge and if you are ready to take the exam based on your knowledge of that chapter's topics.

The review questions, assessment test, and other testing elements included in this book are not derived from the actual exam questions, so don't memorize the answers to these questions and assume that doing so will enable you to pass the exam. You should learn the underlying topic, as described in the text of the book. This will let you answer the questions provided with this book and pass the exam. Learning the underlying topic is also the approach that will serve you best in the workplace—the ultimate goal of a certification.

Interactive Online Learning Environment and Test Bank

Studying the material in the Microsoft Certified Associate Azure Security Engineer Study Guide is an important part of preparing for the Azure Security Engineer Associate certification exam, but we also provide additional tools to help you prepare. The online tools will help you understand the types of questions that will appear on the certification exam:

The practice tests include all the questions in each chapter as well as the questions from the assessment test. In addition, there are two practice exams with 50 questions each. You can use these tests to evaluate your understanding and identify areas that may require additional study.

The flashcards will push the limits of what you should know for the certification exam. There are 100 questions, which are provided in digital format. Each flashcard has one question and one correct answer.

The online glossary is a searchable list of key terms introduced in this exam guide that you should know for the exam.

To start using these tools to study for the exam, go to www.wiley.com/go/sybextestprep and register your book to receive your unique PIN. Once you have the PIN, return to www.wiley.com/go/sybextestprep, find your book, and click Register to register a new account or add this book to an existing account.

Like all exams, the Microsoft Certified Associate Azure Security Engineer certification is updated periodically and may eventually be retired or replaced. At some point after Microsoft is no longer offering this exam, the old editions of our books and online tools will be retired. If you have purchased this book after the exam was retired, or you are attempting to register in the Sybex online learning environment after the exam was retired, please know that we make no guarantees that this exam's online Sybex tools will be available once the exam is no longer available.

Additional Resources

People learn in different ways. For some, a book is an ideal way to study whereas others may find practice test sites a more efficient way to study. Some of these websites come with exam pass guarantees and consistently update their content with some of the exact exam questions you will see on the official exam. These websites include www.udemy.com, www.exam-labs.com, https://acloudguru.com, and www.whizlabs.com.

MCA Azure Security Engineer Study Guide Exam Objectives

This table provides the extent, by percentage, each section is represented on the actual examination.

Exam objectives are subject to change at any time without prior notice and at Microsoft's sole discretion. Please visit the Exam AZ-500: Microsoft Azure Security Technologies website (https://docs.microsoft.com/en-us/certifications/exams/az-500) for the most current listing of exam objectives.

Objective Map

The following objective map will allow you to find the chapter in this book that covers each objective for the exam.

How to Contact Wiley or the Author

If you believe you have found a mistake in this book, please bring it to our attention. At John Wiley & Sons, we understand how important it is to provide our customers with accurate content, but even with our best efforts an error may occur.

In order to submit your possible errata, please email it to our Customer Service Team at wileysupport@wiley.com with the subject line Possible Book Errata Submission.

Assessment Test

What is Azure AD?

It's a cloud version of Windows Active Directory (AD).

It is a cloud-based identity management service.

It is used for enabling multifactor authentication (MFA).

It protects accounts from authentication-based attacks.

What is a managed identity?

A shared user account

A user account managed by another user

An identity that your Azure services can use for authentication

A tool for controlling access to a user account

What is Privileged Identity Management (PIM)?

Protection for highly valuable Azure resources

Protection of your organization's most privileged accounts

Protection for admin-level Azure accounts

A type of role-based access control (RBAC)

What is role-based access control (RBAC)?

Assigning individual permissions based on a user's jobs

Controlling assess based solely on an individual's job titles

An Azure tool for controlling access to resources in Azure

A method where you assign permissions to a job role/identity as needed, rather than assigning permissions to an individual

What is not a feature of Azure Firewall Manager?

DDoS protection

Azure Firewall deployment and configuration

Creation of global and local firewall policies

Integration with third-party security features

What is the function of an Azure Application Gateway?

It's a tool for building and operating scalable applications.

It's an application load balancer.

It filters web traffic to applications.

It's Azure's native web application firewall.

What is the function of Azure Front Door?

DDoS protection

Protection against web-based attacks on applications

Filtering of web application attacks

Launching and operating of scalable applications

Where can you configure basic Azure DDoS Protection?

The Azure portal

Under Target Resources settings

It doesn't require configuration.

The Azure command line

What is the purpose of an Azure policy?

To enforce the standards of your organization and ensure compliance of your Azure resources

To set parameters on what resources can be created

To set parameters on who can access the resources

To act as a documentation tool

What is not a feature of Microsoft Defender for Cloud?

Real-time protection

Automatic and manual scanning

Detection and remediation

Capture of logs

What is the purpose of threat modeling?

Identifying threats currently on your network

Mapping out potential threats and their mitigation

Identifying vulnerabilities in upcoming applications

Mapping out the secure architecture of a software product

What is the function of Microsoft Sentinel?

It provides logging and monitoring for your Azure environment.

It is an endpoint security tool for protecting network resources.

It is the cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) platform that performs threat detection and analytics.

It allows you to manage Azure firewalls from a central location.

What is the purpose of an Azure storage account?

It contains a list of usernames and passwords for authentication.

It's a container for grouping databases.

It's a type of user account.

It stores data.

What is the function of Azure Cosmos Database (DB)?

To store secrets in Azure

To acts as a fully managed NoSQL database designed for modern application development

To manage databases

To manage virtual endpoints

What is Azure Key Vault used for?

It's a cloud service for securely storing and accessing secrets.

It's a cloud password manager.

It provides physical protection for Azure servers.

It stores data objects in Azure.

What is a threat vector?

A nation-state threat actor

A group or individual with malicious intent

A type of malware

A path or means for exploiting a vulnerability

Which of the following is a type of administrative security control?

The separation of duties

Security guards

Security group policies

Computer logging

Which of the following is a NoSQL store for structured data?

Azure files

Azure blobs

Azure tables

Azure disks

What are threat actors?

A type of hacker group

A group or individual with malicious intent

A group with knowledge of company vulnerabilities

Insider threats

What tool is best used for threat hunting?

Microsoft's Threat Modeling Tool

Azure Storage

Microsoft Sentinel

Azure Active Directory (AD)

Answers to Assessment Test

B. Azure AD allows employees (or anyone on an on-premises network) to access external resources with proper authentication.

C. Managed identities allow your Azure Services to authenticate.

B. Azure PIM has special features for managing, controlling, and monitoring access to your organization's most privileged accounts.

D. In RBAC, you assign permissions to a job role/identity, and then assign that role/identity to users as needed.

A. Azure has a dedicated tool for DDoS protection.

B. Azure Application Gateway is an application load balancer for managing traffic to backend resources.

D. Azure Front Door is a tool for launching web applications.

C. Azure DDoS protection is enabled by default.

A. An Azure policy allows you check whether resources meet the standards you set and to correct those resources automatically.

D. Microsoft Defender for Cloud does log analytics but it doesn't capture logs.

B. Threat modeling is the process of identifying potential threats and mitigation of such threats.

C. Microsoft Sentinel provides SIEM and SOAR functionality in Azure.

D. Storage accounts contain all the different types of data objects in Azure.

B. Azure Cosmos DB is a service for creating NoSQL databases for application development.

A. Azure Key Vault is a service for securely storing secrets in Azure.

D. A threat vector is the path or means that a threat actor takes for exploiting a vulnerability.

A. The separation of duties is an admin security control where a company requires more than one person to complete a given task in order to prevent fraud.

C. Azure tables are a NoSQL store for the storage of structured data.

B. Threat actors are any group with a malicious intent that hacks into a company.

C. Microsoft Sentinel is Azure's premier threat-hunting solution as well as a SOAR and SIEM platform.

Chapter 1

Introduction to Microsoft Azure

THE MCA MICROSOFT CERTIFIED ASSOCIATE AZURE SECURITY ENGINEER ASSESSMENT TEST TOPICS COVERED IN THIS CHAPTER INCLUDE:

What Is Microsoft Azure?

Cloud Environment Security Objectives

Confidentiality

Integrity

Availability

Nonrepudiation

Common Security Issues

Principle of Least Privilege

Zero-Trust Model

Defense in Depth

Avoid Security through Obscurity

The AAAs of Access Management

Encryption

End-to-End Encryption

Symmetric Key Encryption

Asymmetric Key Encryption

Network Segmentation

Basic Network Configuration

Unsegmented Network Example

Internal and External Compliance

PCI-DSS

CCPA

GDPR

HIPAA

PIPEDA

Cybersecurity Considerations for the Cloud Environment

Configuration Management

Unauthorized Access

Insecure Interfaces/APIs

Hijacking of Accounts

Compliance

Lack of Visibility

Accurate Logging

Cloud Storage

Vendor Contracts

Link Sharing

Major Cybersecurity Threats

DDOS

Social Engineering

Password Attacks

Malware

Adware

Ransomware

Spyware

Backdoors

Bots/Botnets

Cryptojacker

Keylogger

RAM Scraper

Browser Hijacking

In this chapter, I discuss Microsoft Azure as a platform and the common security issues for cloud computing. Security issues include common vulnerabilities, types of security threats, and their potential impact on a company. My goal is to outline the problems that the Azure Security Engineer certification is trying to teach you to solve.

What Is Microsoft Azure?

Microsoft Azure is a cloud platform consisting of more than 200 products and cloud services. It allows you to have your own contained IT infrastructure, which is entirely physically hosted at one or more of Microsoft's data centers. Azure allows you to develop and scale new applications or to run existing applications in the cloud. Its cloud services include the following:

Compute These services allow you to deploy and manage virtual machines (VMs), Azure containers, and batch jobs. Compute resources created in Azure can be configured to use public IP addresses or private addresses, depending on whether or not they need to be accessible to the outside world.

Mobile These products and services allow developers to build cloud applications for mobile devices and notification services, as well as support for backend tasks and tools for building application programming interfaces (APIs).

Analytics These services provide analytics and storage for services across your Azure environment. They include features for real-time analytics, big data analytics, machine learning, and business intelligence.

Storage Azure supports scalable cloud storage for structured and unstructured data. It also supports persistent storage and archival storage.

Security These specialized products and services help identify, prevent, and respond to different cloud security threats. They include data security features such as encryption keys and data loss prevention solutions.

Networking Azure allows you to create virtual networks, dedicated connections, and gateways, as well as services for traffic management and diagnostics, load balancing, DNS hosting, and security features.

Cloud Environment Security Objectives

When studying for the MCA Azure Security Engineer certification. you must first know the overall objectives of security and the common challenges involved in securing a cloud environment. Knowing the objectives and the challenges are important to understand the practical implications of the concepts that are taught in this book and for directly answering many exam questions. So, the first thing we must review is the CIA triad (see Figure 1.1).

Schematic illustration of the CIA triad.

FIGURE 1.1 The CIA triad

CIA stands for confidentiality, integrity, and availability, the three goals you are trying to accomplish.

Confidentiality

Confidentiality means that only people with the right access should be able to access any piece of information. In this section of the CIA triad, the focus is on implementing proper security controls that prevent unauthorized access to your company's resources. A common example of a control used to maintain confidentiality is requiring a login username and password, the idea being that only an authorized person will be able to provide the credentials and gain access to your resource.

Integrity

Integrity means that only people with the correct access are able to change or edit any piece of information within a company. It ensures that information is always accurate and can be trusted to be free of manipulation. A common example of a security control used to ensure integrity is the use of a digital signature. A digital signature is an encrypted hash value used to prove that a message has not been altered and to prove the identity of the sender. In a communication between two people, the digital signature leverages hashing algorithms and public key encryption to create a unique hash value of the original message or document, which can only be decrypted and read by the receiver. The message or document is then digitally signed and sent to the receiver. Once the receiver gets the message or document, they can generate their own hash value for the message or document, and if it matches the hash value that was shared by the sender along with the message, then they know the message has not been changed in transit (i.e., when moving from the sender to the receiver over the Internet).

Availability

Availability means that you want to ensure that your information and services are always available for use by the right user. Think about a company website, for example. As a business, you want to ensure that your company's website is always working and available for customer interactions. However, cyberattacks like distributed denial-of-service (DDoS) attacks make these services unavailable and can cost businesses thousands or even millions of dollars. Common examples of security controls that help maintain website availability are next-generation firewalls and specialized DDoS protection software.

Nonrepudiation

A fourth term, nonrepudiation, isn't included in the triad, but it is associated with the first three. Nonrepudiation simply means that no one should be able to perform an action online and then deny that they performed that action. For example, if I send an email or delete a file, there must be proof that I performed this action so that I can't deny it at a later date. One way that we prove it is by using the previously discussed digital signature.

Pretty much everything that you do within your cybersecurity operations is related to one or multiple elements of this triad; it's the most commonly used framework for understanding what you are trying to achieve as a cybersecurity professional.

Common Security Issues

Now that you have a basic understanding of what cybersecurity generally is trying to achieve, let's look at some of the common issues that cloud security professionals must deal with. Many of Azure's tools are built to address these issues, and it's very likely you have come across some of them in your daily work.

Principle of Least Privilege

The principle of least privilege simply means that you should only give users the amount of privilege they need to do their job and nothing more. Giving users anything more than what is necessary creates risk for the company without providing any benefit. For example, giving users more privilege than needed can be detrimental in a situation where an employee is being fired. Disgruntled employees are one of the biggest threats to a company because they have access to the internal network and have a motive to damage or steal information from it. Roughly 59 percent of employees steal information when they quit or are fired from their company. The amount of information that they have access to steal can be limited if you implement the principle of least privilege. Even if it's not a situation where the employee is leaving, if an employee's account has a high level of privilege and that account is misused or hacked by a cybercriminal, they will be able to access more information and perform more harmful actions using that account than with an account that has limited privileges. Think of what an admin-level account would be capable of accessing compared to a normal user account. The amount of damage a cybercriminal could do is staggering in such cases.

Zero-Trust Model

A zero-trust model is a security concept stating that an organization shouldn't automatically trust implicitly any device or entity inside or outside its perimeter and instead should verify everything before granting the device or entity access to anything. This model may contradict what some people assume—that if a device is inside the company network, then it should be okay to trust and it's not harmful. However, this is certainly not the case. Insider threats, advanced persistent threats (i.e., threat actors that sit on the network for extended periods of time), and legitimate accounts that have been compromised are all examples of cyberthreats that sit inside the company perimeter but shouldn't be trusted. Keep in mind the words of Charlie Gero, CTO of Enterprise and Advanced Projects Group at Akamai Technologies in Cambridge, Massachusetts:

The strategy around Zero Trust boils down to don't trust anyone. We're talking about, Let's cut off all access until the network knows who you are. Don't allow access to IP addresses, machines, etc. until you know who that user is and whether they're authorized…

www.csoonline.com/article/3247848/what-is-zero-trust-a-model-for-more-effective-security.html

Defense in Depth

Defense in depth is the idea that any important network resource should be protected by multiple layers of security (see Figure 1.2). This means that you should not have a single point of failure when it comes to the security controls that you use. It requires that you implement a variety of controls covering different aspects of security. The layers include the following:

Policies, Procedures, and Awareness Training While not technical controls, these documents and actions are part of overall security governance. They outline how the organization should approach their cybersecurity operations and mandate that certain actions must be taken to ensure the overall security of the company.

Physical Security Even in a cloud environment, you should take time to audit how the cloud provider physically secures its servers and physical infrastructure. If someone is able to gain access to a machine physically, they can often bypass whatever security controls are in place on the machine itself. This can be as simple as disabling USB ports on a machine to prevent someone from plugging in a USB and uploading a virus. Also, in the event of a natural disaster, building fires, or other unforeseen circumstances, you must ensure that your systems are well protected.

Perimeter Security Perimeter security is the first layer of security that sits between your digital network and outside attackers. It includes controls like perimeter firewalls, honeypots, and demilitarized zones (DMZs). Perimeter security is what separates your internal network from the outside world (the