WEBVTT

00:00:02.380 --> 00:00:07.460
Hi, I'd like to take a couple of minutes to talk about the secure data

00:00:07.460 --> 00:00:14.780
and applications objective domain in the AZ-500 certification exam for

00:00:14.780 --> 00:00:16.620
Microsoft Azure.

00:00:16.620 --> 00:00:22.620
This objective domain represents 20 to 25% of the weight of the overall

00:00:22.620 --> 00:00:27.400
exam. Now what are the objectives in this objective domain?

00:00:27.400 --> 00:00:29.080
There are three different objectives.

00:00:29.080 --> 00:00:34.380
There is configure security for storage, configure security for databases,

00:00:34.380 --> 00:00:36.820
and also configure and manage Key Vault.

00:00:36.820 --> 00:00:40.400
What I'd like to do now is go through some of the details of those objectives

00:00:40.400 --> 00:00:44.340
that you're going to be responsible for for the exam.

00:00:44.340 --> 00:00:49.360
So the first objective is configure security for storage.

00:00:49.360 --> 00:00:58.380
In this objective, right, this is really broken out into kind of what

00:00:58.380 --> 00:01:02.380
I would do, general configure access, then you've got key managed, it's

00:01:02.380 --> 00:01:04.720
really not broken out, I'm just thinking it was.

00:01:04.720 --> 00:01:12.640
Then you get really, these guys right here are all kind of related.

00:01:12.640 --> 00:01:19.260
Okay, configure Azure AD authentication for Azure Storage, and configure,

00:01:19.260 --> 00:01:23.620
and this one is relatively domain and relatively domain, relatively new.

00:01:23.620 --> 00:01:32.840
And it may not be something that is what I would call in the typical workflow.

00:01:32.840 --> 00:01:37.700
Using Azure AD Domain Services authentication for Azure Files.

00:01:37.700 --> 00:01:44.100
So that's one thing that if you are using that specific capability, then

00:01:44.100 --> 00:01:46.120
it'll be fairly straightforward.

00:01:46.120 --> 00:01:48.920
Of course, if you've never heard of it before, it's something you're going

00:01:48.920 --> 00:01:51.240
to want to study.

00:01:51.240 --> 00:01:54.260
Also using shared access signatures.

00:01:54.260 --> 00:01:58.600
And really related to that, probably could have put that in that three

00:01:58.600 --> 00:02:03.560
bullet grouping, is shared access policy.

00:02:03.560 --> 00:02:08.880
Understand what shared access policy is specifically for blob container.

00:02:08.880 --> 00:02:12.160
And if you are familiar with that, you will know that it is related to

00:02:12.160 --> 00:02:14.120
shared access signature.

00:02:14.120 --> 00:02:17.860
And finally, configure your storage service encryption.

00:02:17.860 --> 00:02:20.580
What are your options for encryption?

00:02:20.580 --> 00:02:23.400
Storage accounts are always encrypted.

00:02:23.400 --> 00:02:25.740
Do you have some options for that?

00:02:25.740 --> 00:02:27.280
The answer is yes.

00:02:27.280 --> 00:02:34.420
Also enforcing potentially encrypted communication to protect information

00:02:34.420 --> 00:02:38.500
in transit with storage accounts.

00:02:38.500 --> 00:02:40.920
So that is storage.

00:02:40.920 --> 00:02:45.600
Now, let's take a look at databases.

00:02:45.600 --> 00:02:50.500
Now, I will tell you there is a little bit, at least in my opinion, there's

00:02:50.500 --> 00:02:55.960
a little bit of lack of clarity as to whether you just need to know about

00:02:55.960 --> 00:03:03.520
Azure SQL. Or if you need to know really about the different options that

00:03:03.520 --> 00:03:04.520
are available at the platform.

00:03:04.520 --> 00:03:08.800
The good news is that really at this point, the options are very similar.

00:03:08.800 --> 00:03:11.820
So pretty much if you know, for example, authentication options for Azure

00:03:11.820 --> 00:03:16.540
SQL, you'll have a really good idea of authentication options for Azure

00:03:16.540 --> 00:03:20.540
Database for PostgreSQL or MySQL or MariaDB.

00:03:20.540 --> 00:03:26.060
But what you need to know is you need to know what options you have for

00:03:26.060 --> 00:03:29.000
database authentication.

00:03:29.000 --> 00:03:32.500
Also enabling database auditing.

00:03:32.500 --> 00:03:34.720
What are your audit options?

00:03:34.720 --> 00:03:37.700
Configure Azure SQL Database Advanced Threat Protection.

00:03:37.700 --> 00:03:40.240
Now with this one, I'd keep an eye on this right now.

00:03:40.240 --> 00:03:44.340
It is very explicitly saying Azure SQL Database Advanced Threat Protection.

00:03:44.340 --> 00:03:52.200
But at the time of this recording, ATP is in preview for the other platform

00:03:52.200 --> 00:03:55.560
offerings, PostgreSQL, MySQL.

00:03:55.560 --> 00:03:58.160
I did not check MariaDB, but I assume it is.

00:03:58.160 --> 00:04:01.240
But in any case, it's kind of the same thing across them.

00:04:01.240 --> 00:04:05.440
So I would make sure you understand how that works across the different

00:04:05.440 --> 00:04:10.000
offerings. Configure security in general for Azure SQL.

00:04:10.000 --> 00:04:11.680
Implement database encryption.

00:04:11.680 --> 00:04:16.100
Understand what database encryption options there are, such as transparent

00:04:16.100 --> 00:04:17.700
data encryption.

00:04:17.700 --> 00:04:22.600
And then also, and this one is very specifically Azure SQL Database.

00:04:22.600 --> 00:04:28.400
Understand what end-to-end encryption capabilities are available with

00:04:28.400 --> 00:04:31.240
Azure SQL Database Always Encrypted.

00:04:31.240 --> 00:04:40.600
So those are the database security details for the security for database

00:04:40.600 --> 00:04:47.680
objective. Last objective is Key Vault.

00:04:47.680 --> 00:04:51.240
And I like the fact that Key Vault is its own objective.

00:04:51.240 --> 00:04:57.560
I don't think Key Vault is exceptionally complex, but it is exceptionally

00:04:57.560 --> 00:05:02.800
important. Okay, so things you need to understand, manage access in general.

00:05:02.800 --> 00:05:05.920
Understand that there are two different ways of managing access.

00:05:05.920 --> 00:05:08.020
There's role-based access control.

00:05:08.020 --> 00:05:11.700
There is also access policy.

00:05:11.700 --> 00:05:13.120
Use access policy.

00:05:13.120 --> 00:05:17.600
Understand how to manage permissions to secrets, certificates, and keys.

00:05:17.600 --> 00:05:27.980
And I would say, make sure you're very comfortable with the access policies

00:05:27.980 --> 00:05:31.160
and what the different permissions are for all three of those.

00:05:31.160 --> 00:05:34.060
And there are some similarities, but there are some differences.

00:05:34.060 --> 00:05:37.480
Okay, make sure you understand how to configure RBAC, role-based access

00:05:37.480 --> 00:05:39.760
control using Azure Key Vault.

00:05:39.760 --> 00:05:45.060
And then really understand how to use it, right?

00:05:45.060 --> 00:05:48.880
Understand what options are available for certificates in terms of how

00:05:48.880 --> 00:05:52.460
you can integrate with certificate authorities or generate your own self-

00:05:52.460 --> 00:05:53.780
signed certificates.

00:05:53.780 --> 00:05:57.320
Understand what options there are for secrets.

00:05:57.320 --> 00:05:59.920
And also, key rotation.

00:05:59.920 --> 00:06:03.480
How you can use Key Vault for key rotation.

00:06:03.480 --> 00:06:06.460
And also backing up and restoring Key Vault items.

00:06:06.460 --> 00:06:10.200
I would say one other thing that you really should be familiar with.

00:06:10.200 --> 00:06:13.880
It's not really called out here, but I would absolutely recommend being

00:06:13.880 --> 00:06:15.000
comfortable with it.

00:06:15.000 --> 00:06:21.400
And that is looking at managed identities and how I can use managed identities

00:06:21.400 --> 00:06:26.480
in conjunction with Key Vault to protect sensitive data that might be

00:06:26.480 --> 00:06:30.060
difficult to protect otherwise, for things like web applications.

00:06:30.060 --> 00:06:35.620
All right, so these are the objectives for this objective domain.