My Microsoft SC-900 Microsoft Security, Compliance, and Identity Fundamentals Notes
Created by: Brad Voris
This exam is targeted to those looking to familiarize themselves with the fundamentals of security, compliance, and identity (SCI) across cloud-based and related Microsoft services.
This is a broad audience that may include business stakeholders, new or existing IT professionals, or students who have an interest in Microsoft security, compliance, and identity solutions.
Candidates should be familiar with Microsoft Azure and Microsoft 365 and want to understand how Microsoft security, compliance, and identity solutions can span across these solution areas to provide a holistic and end-to-end solution.
https://docs.microsoft.com/en-us/learn/certifications/exams/sc-900
https://docs.microsoft.com/en-us/learn/certifications/exams/sc-900
Describe the concepts of security, compliance, and identity (10-15%)
Describe the capabilities of Microsoft identity and access management solutions (25-30%)
Describe the capabilities of Microsoft Security solutions (25-30%)
Describe the capabilities of Microsoft compliance solutions (25-30%)
While the Microsoft learning path has the majority of high level information required to pass the exam, it is not enough. I'd highly recommend reading Microsoft Security, Compliance and Identity Fundamentals Exam Ref SC-900. The book itself is good but also missing updated components, so additional supplementations should be considered. I'd also suggest getting some hand on familiarity with the basics of M365 and Azure. This will provide a substantial benefit to futher your learning path.
I've tried to include as much information as possible between my studies via the learning path, exam ref, MS docs, and youtube videos I've found helpful.
-------------------------------------------------------------------------------------------------------------------------------------------------------------
Describe the concepts of security, compliance, and identity (10-15%)
-------------------------------------------------------------------------------------------------------------------------------------------------------------
------Shared Responsibility Model
------------Software as a Service (SaaS) - SaaS is hosted and managed by the cloud provider
------------Platform as a Service (PaaS) - Environment for building, testing, and deploying software applications.
------------Infrastructure as a Service (IaaS) - Computing and network physical infrastructure is provided
------------On-premise datacenter
------Defense In Depth - layered approach to security
------------Physical
------------Identity & Access
------------Perimeter
------------Network
------------Compute
------------Application
------------Data
------CIA Triad
------------Confidentiality - the need to keep confidential sensitive data such as customer information, passwords, or financial data
------------Integrity - refers to keeping data or messages correct
------------Availability - refers to making data available to those who need it, when they need it
------Zero Trust - assumes everything is on an open and untrusted network
------------Verify Explicitly
------------Least Privileged Access
------------Assume Breach
------------6 foundational Pillars
------------------Identities
------------------Devices
------------------Applications
------------------Data
------------------Infrastructure
------------------Networks
------Encryption and Hashing
------------Encryption - the process of making data unreadable and unusable to unauthorized viewers
------------------Symmetric Encryption - same/shared key
------------------Asymmetric Encryption - Private key / public key (https)
------------------------Encryption in transit
------------------------Encryption at rest
------------------------Encryption for data in use
------------Hashing - uses an algorithm to convert text to a unique fixed-length value called a hash
------Compliance Concepts
------------Data Residency - where data can be stored and how and when it can be transferred, processed, or accessed internationally
------------Data Sovereignty - laws and regulations of the country/region in which data's physically collected, held, or processe
------------Data Privacy - Providing notice and being transparent about the collection, processing, use, and sharing of personal data are fundamental principles of privacy laws and regulations.
-------------------------------------------------------------------------------------------------------------------------------------------------------------
Describe the capabilities of Microsoft identity and access management solutions (25-30%)
-------------------------------------------------------------------------------------------------------------------------------------------------------------
------Authentication - the process of proving that a person is who they say they are
------Authorization - What an identity once authenticated has access to
------Four Pillars of an Identity Infrastructure
------------Administration - creation and management of identities
------------Authentication
------------Authorization
------------Auditing - tracking, reporting, and governance
------Identity Provider (IDP) - creates, maintains, and manages identity information while offering authentication, authorization, and auditing services.
------Modern Authentication - authentication and authorization methods between a client, such as your laptop or phone, and a server, like a website or application.
------Single sign-on - the user logs in once and that credential is used to access multiple applications or resources.
------Federation - enables the access of services across organizational or domain boundaries by establishing trust relationships between the respective domain’s identity provider.
------Active Directory Domain Services (ADDS) - a set of directory services developed by Microsoft as part of Windows 2000 for on-premises domain-based networks
------Azure Active Directory (ADS) - provides organizations with an Identity as a Service (IDaaS) solution for all their apps across cloud and on-premises
------------Azure Active Directory Free - free version included with Azure and Office 365
------------Azure Active Directory Premium P1. The Premium P1 edition includes all the features in the free and Office 365 apps editions. It also supports advanced administration, such as dynamic groups, self-service group management, Microsoft Identity Manager (an on-premises identity and access management suite) and cloud write-back capabilities, which allow self-service password reset for your on-premises users.
------------Azure Active Directory Premium P2. P2 offers all the Premium P1 features, and Azure Active Directory Identity Protection to help provide risk-based Conditional Access to your apps and critical company data. P2 also gives you Privileged Identity Management to help discover, restrict, and monitor administrators and their access to resources, and to provide just-in-time access when needed.
------------Azure AD Identity Types
------------------User - employees and guests
------------------Service Principal - identity for an application
------------------Managed identities
------------------------System Assigned - When you enable a system-assigned managed identity, an identity is created in Azure AD that's tied to the lifecycle of that service instance.
------------------------User Assigned - Once you create a user-assigned managed identity you can assign it to one or more instances of an Azure service.
------------------Device - A device is a piece of hardware, such as mobile devices, laptops, servers, or printers.
------------------------Azure AD Registered Devices - The goal of Azure AD registered devices is to provide users with support for bring your own device (BYOD) or mobile device scenarios.
------------------------Azure AD Joined Devices - a device joined to Azure AD through an organizational account, which is then used to sign in to the device.
------------------------Hybrid Azure AD Joined Devices - Organizations with existing on-premises Active Directory implementations can benefit from the functionality provided by Azure AD by implementing hybrid Azure AD joined devices. These devices are joined to your on-premises Active Directory and Azure AD requiring organizational account to sign in to the device
------------------External Identities
------------------------B2B Collaboration - collaboration allows you to share your organization’s applications and services with guest users from other organizations, while maintaining control over your own data
------------------------B2C Access Management - customer identity access management (CIAM) solution. Azure AD B2C allows external users to sign in with their preferred social, enterprise, or local account identities to get single sign-on to your applications
------------Hybrid identity
------------------Azure AD Password hash synchronization - is the simplest way to enable authentication for on-premises directory objects in Azure AD. Users can sign in to Azure AD services by using the same username and password that they use to sign in to their on-premises Active Directory instance. Azure AD handles users' sign-in process.
------------------Azure AD Pass-through authentication - allows users to sign in to both on-premises and cloud-based applications using the same passwords, like password hash synch. A key difference, however, is when users sign in using Azure AD, pass-through authentication validates users' passwords directly against your on-premises Active Directory.
------------------Federated authentication - recommended as an authentication for organizations that have advanced features not currently supported in Azure AD, including sign-on using smart cards or certificates, sign-on using on-premises multi-factor authentication (MFA) server, and sign-on using a third party authentication solution.
-------------------------------------------------------------------------------------------------------------------------------------------------------------
Describe the capabilities of Microsoft Security solutions (25-30%)
-------------------------------------------------------------------------------------------------------------------------------------------------------------
------Azure DDoS
------------Basic - Always-on traffic monitoring and real-time mitigation of common network-level attacks provide the same defenses that Microsoft’s online services use.
------------Standard - The Standard service tier provides extra mitigation capabilities that are tuned specifically to Microsoft Azure Virtual Network resources. DDoS Protection Standard is simple to enable and requires no application changes. Protection policies are tuned through dedicated traffic monitoring and machine learning algorithms. Policies are applied to public IP addresses, which are associated with resources deployed in virtual networks, such as Azure Load Balancer and Application Gateway.
------Azure Firewall - managed, cloud-based network security service that protects your Azure virtual network (VNet) resources from attackers.
------Web Application Firewall - provides centralized protection of your web applications from common exploits and vulnerabilities.
------Network Segmentation - Abililty to group related assets, isolation of resources, governance policies set by organization
------Azure Network Security Groups - let you filter network traffic to and from Azure resources in an Azure virtual network; for example, a virtual machine.
------------AllowVNetInBound
------------AllowAzureLoadBalancerInBound
------------DenyAllInBound
------Azure Bastion - a service you deploy that lets you connect to a virtual machine using your browser and the Azure portal. Protects RDP and SSH sessions.
------Azure JIT - access allows lock down of the inbound traffic to your VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.
------Azure Encryption
------------Azure Storage Service Encryption - helps to protect data at rest by automatically encrypting before persisting it to Azure-managed disks, Azure Blob Storage, Azure Files, or Azure Queue Storage, and decrypts the data before retrieval.
------------Azure Disk Encryption - helps you encrypt Windows and Linux IaaS virtual machine disks. Azure Disk Encryption uses the industry-standard BitLocker feature of Windows and the dm-crypt feature of Linux to provide volume encryption for the OS and data disks.
------------Transparent Data Encryption (TDE) - helps protect Azure SQL Database and Azure Data Warehouse against the threat of malicious activity. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.
------------Azure Key Vault - centralized cloud service for storing your application secrets
------------------Secrets Management - You can use Key Vault to store securely and tightly control access to tokens, passwords, certificates, Application Programming Interface (API) keys, and other secrets.
------------------Key Management - You can use Key Vault as a key management solution. Key Vault makes it easier to create and control the encryption keys used to encrypt your data.
------------------Certificate Management - Key Vault lets you provision, manage, and deploy your public and private Secure Sockets Layer/ Transport Layer Security (SSL/ TLS) certificates for Azure, and internally connected, resources more easily.
------------------Store Secrets backed by hardware security models (HSM) - The secrets and keys can be protected either by software or by FIPS 140-2 Level 2 validated HSMs.
------Azure Security Center (https://securitycenter.microsoft.com/) -
------Azure Secure Score
------Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security or MCAS) (https://docs.microsoft.com/en-us/defender-cloud-apps/what-is-defender-for-cloud-apps)
Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that supports various deployment modes including log collection, API connectors, and reverse proxy. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your Microsoft and third-party cloud services.
------Microsoft Defender (https://protection.office.com)
------------Defender for Office 365 (https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/overview?view=o365-worldwide)
------------What is Defender for Office 365 security?
------------Every Office 365 subscription comes with security capabilities. The goals and actions that you can take depend on the focus of these different subscriptions. In Office 365 security, there are three main security services (or products) tied to your subscription type:
------------------1) Exchange Online Protection (EOP) - Prevents broad, volume-based, known attacks.
------------------2) Microsoft Defender for Office 365 Plan 1 (Defender for Office P1) - Protects email and collaboration from zero-day malware, phish, and business email compromise.
------------------3) Microsoft Defender for Office 365 Plan 2 (Defender for Office P2) - Adds post-breach investigation, hunting, and response, as well as automation, and simulation (for training).
------------------Exchange Online Protection Capabilities:
------------------------Prevent/Detect:
------------------------------spam
------------------------------phish
------------------------------malware
------------------------------bulk mail
------------------------------spoof intelligence
------------------------------impersonation detection
------------------------------Admin Quarantine
------------------------------Admin and user submissions of False Positives and False Negatives
------------------------------Allow/Block for URLs and Files
------------------------------Reports
------------------------Investigate:
------------------------------Audit log search
------------------------------Message Trace
------------------------Respond:
------------------------------Zero-hour auto purge (ZAP)
------------------------------Refinement and testing of Allow and Block lists
------------------Defender for Office 365, Plan 1
Prevent/Detect:
------------------------Technologies include everything in EOP plus:
------------------------------Safe attachments
------------------------------Safe links
------------------------------Microsoft Defender for Office 365 protection for workloads (ex. SharePoint Online, Teams, OneDrive for Business)
------------------------------Time-of-click protection in email, Office clients, and Teams
------------------------------anti-phishing in Defender for Office 365
------------------------------User and domain impersonation protection
------------------------------Alerts, and SIEM integration API for alerts
------------------------Investigate:
------------------------------SIEM integration API for detections
------------------------------Real-time detections tool
------------------------------URL trace
------------------------Respond:
------------------------------Same
------------------Defender for Office 365, Plan 2:
------------------------Prevent/Detect:
------------------------------Technologies include everything in EOP, and Microsoft Defender for Office 365 P1 plus:
Same
------------------------Investigate:
------------------------------Threat Explorer
------------------------------Threat Trackers
------------------------------Campaign views
------------------------Respond:
------------------------------Automated Investigation and Response (AIR)
------------------------------AIR from Threat Explorer
------------------------------AIR for compromised users
------------------------------SIEM Integration API for Automated Investigations
Defender for Identity (https://docs.microsoft.com/en-us/defender-for-identity/what-is)
Defender for Identity enables SecOp analysts and security professionals struggling to detect advanced attacks in hybrid environments to:
Monitor users, entity behavior, and activities with learning-based analytics
Protect user identities and credentials stored in Active Directory
Identify and investigate suspicious user activities and advanced attacks throughout the kill chain
Provide clear incident information on a simple timeline for fast triage
Defender for Endpoint (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide)
Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
Defender for Endpoint uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
Endpoint behavioral sensors: Embedded in Windows 10, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated, cloud instance of Microsoft Defender for Endpoint.
Cloud security analytics: Leveraging big-data, device learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products (such as Office 365), and online assets, behavioral signals are translated into insights, detections, and recommended responses to advanced threats.
Threat intelligence: Generated by Microsoft hunters, security teams, and augmented by threat intelligence provided by partners, threat intelligence enables Defender for Endpoint to identify attacker tools, techniques, and procedures, and generate alerts when they are observed in collected sensor data.
Microsoft Secure Score (https://docs.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide)
Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more improvement actions taken. It can be found at https://security.microsoft.com/securescore in the Microsoft 365 Defender portal
Currently there are recommendations for the following products:
Microsoft 365 (including Exchange Online)
Azure Active Directory
Microsoft Defender for Endpoint
Microsoft Defender for Identity
Defender for Cloud Apps
Microsoft Teams
Azure Sentinel (https://azure.microsoft.com/en-us/services/microsoft-sentinel) - Azure Sentinel is a SIEM (Security Information and Event Management) and Security Orchestration and Automated Response (SOAR) system in Microsoft's public cloud platform. Sentinel can be accessed here https://aka.ms/microsoftazuresentinel
SIEM - Security Information and Event Management
SOAR - Security Orchestration and Automated Response
XDR - Extended Detect and Response
Microsoft Intune
MDM
-------------------------------------------------------------------------------------------------------------------------------------------------------------
Describe the capabilities of Microsoft compliance solutions (25-30%)
-------------------------------------------------------------------------------------------------------------------------------------------------------------
------Microsoft 365 Compliance Center Compliance.Microsoft.com
------------Service Trust portal - provides information, tools, and other resources about Microsoft security, privacy, and compliance practices
------------Microsofts Privacy Principles
------------------control
------------------Transparency
------------------Security
------------------Strong Legal Protections
------------------No Content based Targeting
------------Compliance Manager
------------------Continuous Assessments
------------------Recommended Actions
------------------Contorl Mapping
------------Data Classification
------------------Discover
------------------Classify - Trainable Classifiers/Sensitive Info Types
------------------Review - content explorer/activity explorer
------------------Monitor
------------Data Connectors/Alerts/Reports/Policies
------------Audits
------------------Basic - 90 days
------------------Advanced - custom retention, audit policies
------------DLP
------------------Conditions/Actions/Locations
------------------
------------------OneDrive for Business
------------------Sharepoint Online
------------------Microsoft Teams
------------------Exchange Online
------------eDiscovery
------------------Core - create basic cases search content and export
------------------Advanced - identify preserve collect review analyze and export, with custodians
------------Information Governance
------------------Labels
------------------Label Policies
------------------Retention Policies
------------Information Protection
------------------Labels
------------------Label Policies
------------------Auto-Labeleing
------------Records Management
------------Insider Risk
------------Communication Compliance
------------Information Barriers
------------Resource Governance
------------------Azure Policy (https://docs.microsoft.com/en-us/azure/governance/policy/overview) - enforce standrds and assesses compliance
------------------Azure Blueprints (https://docs.microsoft.com/en-us/azure/governance/blueprints/overview) - define repeatable set of azure resources
------------------Azure Purview (https://docs.microsoft.com/en-us/azure/purview/overview ) - automates data discoveryand mapping
-----------------------Data Map - capture metadata about enterprise data, to identify and classify sensitive data.
-----------------------Data Catalog - Microsoft Purview Data Catalog provides data curation features like business glossary management and ability to automate tagging of data assets with glossary terms
-----------------------Data Insights - data insights, data officers and security officers can get a bird’s eye view and at a glance understand what data is actively scanned, where sensitive data is and how it moves.
Azure Security Benchmark
https://docs.microsoft.com/en-us/security/benchmark/azure/
Azure Security Benchmark 3.0
https://github.com/MicrosoftDocs/SecurityBenchmarks/tree/master/Azure%20Security%20Benchmark/3.0
https://github.com/RickKotlarz/SC-900
https://www.youtube.com/watch?v=LLKza5oULAA
https://www.youtube.com/watch?v=rDxtTM7cOPI
https://www.youtube.com/watch?v=Bz-8jM3jg-8
https://www.youtube.com/playlist?list=PLhLKc18P9YOCAt0hPdnPavwr9V4ADItcq
Microsoft Security, Compliance, and Identity Fundamentals: Describe the concepts of security, compliance, and identity - https://docs.microsoft.com/en-us/learn/paths/describe-concepts-of-security-compliance-identity/
Detect and respond to cyber attacks with Microsoft Defender - https://docs.microsoft.com/en-us/learn/paths/defender-endpoint-fundamentals/
Microsoft 365 Fundamentals: Demonstrate fundamental knowledge of Microsoft 365 security and compliance capabilities -
https://docs.microsoft.com/en-us/learn/paths/m365-security-compliance-capabilities/
Describe concepts of cryptography - https://docs.microsoft.com/en-us/learn/modules/describe-concepts-of-cryptography/
https://github.com/MicrosoftLearning/SC-900-Microsoft-Security-Compliance-and-Identity-Fundamentals
