Posts

Showing posts from June, 2023

Azure landing zones

Azure landing zones are a vast topic; a whole book could be written on their design, implementation, and assessment. In simple terms, an Azure landing zone is built around subscription democratization: multiple subscriptions, each meant for a different type of workload. Following this pattern helps you build an architecture that addresses scalability, security, governance, compliance, networking, and identity. There are two types of landing zones:

• Platform landing zones: A central team, or several central teams split by function (such as networking, identity, and others), deploys subscriptions to deliver unified services. These subscriptions are used by various applications and workloads. Platform landing zones are usually used to consolidate certain essential services for better efficiency and ease of operations. Examples of these essential services include networking components (ExpressRoute, VPNs, firewalls, NVA, ...

Multi-cloud capabilities in Microsoft Defender for Cloud

As the new product name indicates, Microsoft Defender for Cloud is no longer an Azure-focused security solution. It is rather a CSPM and CWPP for both multi-cloud and hybrid cloud environments. At Microsoft Ignite in November 2021, Microsoft announced its new API-based multi-cloud CSPM for AWS. As of now, you no longer need to enable AWS Security Hub in order to connect your resources to Defender for Cloud. By integrating AWS into the native Defender for Cloud experience, it is now very easy to connect your resources from there and get recommendations and visibility into their security posture in the same, unified experience. In addition, you can opt in to use Microsoft Defender for Servers and/or Defender for Containers on your AWS resources, too.

Figure – AWS connectors in Defender for Cloud's environment settings view

Once you have connected an AWS account to Defender for Cloud, assessments will start, based on the AWS CIS 1.2.0 and AWS Foundational Security Best Pra...

Just-in-time VM access

Just-in-time access for Azure VMs blocks inbound traffic to VMs until specific traffic is temporarily allowed. This reduces their exposure to attacks by shrinking the attack surface and granting access only on demand. Enabling Just-In-Time (JIT) access will block inbound traffic on all ports that are usually used for management, such as RDP, SSH, or WinRM. The user must explicitly request access, which is then granted for a limited period of time, and only from a known IP address. This is the same approach used with Privileged Identity Management (PIM), where having rights doesn't necessarily mean that we can use them all the time; we have to activate or request them for a period of time before they can be used.

Important Note: JIT access for Azure VMs supports only VMs deployed through Azure Resource Manager (ARM). It's not available for non-Azure VMs or legacy Azure VMs deployed through Azure Service Management (ASM).

JIT can be configured from the Defender for Cloud blade, or from the Azure VM blade. ...

Cloud Security Posture Management with Defender for Cloud

As you learned in the previous section, Cloud Security Posture Management (CSPM) is one of the two main pillars of Microsoft Defender for Cloud. CSPM is all about hardening your cloud resources, which is why Defender for Cloud provides you with a large list of security recommendations to help you understand what is good and what can be improved in your resources' configuration. Secure score is the main Key Performance Indicator (KPI) when it comes to understanding how well (or badly) you have configured your resources. The idea of secure score is to show a percentage value based on fixed points that are awarded for remediating recommendations, which are grouped into security controls, as shown in Figure 1.1:

Figure 1.1 – Secure score, security controls, and recommendations

Figure 1.1 shows an environment with a secure score of 48%. The higher this percentage value is, the better protected your resources are. Secure score is calculated based on the following formula: In the preceding...