Microsoft Cybersecurity Architect Exam Ref SC-100: Ace the SC-100 exam and develop cutting-edge cybersecurity strategies
Ebook, 643 pages, 4 hours

Language: English
Publisher: Packt Publishing
Release date: Oct 31, 2024
ISBN: 9781836208501
Author

Dwayne Natwick

Dwayne Natwick is the Global Principal Cloud Security Lead at Atos, a multi-cloud GSI. He has been working in IT, security design, and architecture for over 30 years. His love of teaching led him to become a Microsoft Certified Trainer (MCT) Regional Lead and a Microsoft Most Valuable Professional (MVP). Dwayne has a master's degree in Business IT from Walsh College, the CISSP and CCSP certifications from ISC2, and 18 Microsoft certifications, including Identity and Access Administrator, Azure Security Engineer, and Microsoft 365 Security Administrator. Dwayne can be found providing and sharing information on social media, at industry conferences, on his blog site, and on his YouTube channel. Originally from Maryland, Dwayne currently resides in Michigan with his wife and three children.

    Microsoft Cybersecurity Architect Exam Ref SC-100

    Second Edition

    Copyright © 2024 Packt Publishing

    All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

    Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

    Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

    Authors: Dwayne Natwick, Graham Gold, and Abu Zobayer

    Reviewers: Dan Gora and Jetro Wils

    Publishing Product Manager: Anindya Sil

    Development Editor: Richa Chauhan

    Digital Editor: M Keerthi Nair

    Presentation Designer: Shantanu Zagade

    Editorial Board: Vijin Boricha, Megan Carlisle, Simon Cox, Ketan Giri, Saurabh Kadave, Alex Mazonowicz, Gandhali Raut, and Ankita Thakur

    First Published: January 2023

    Second Edition: October 2024

    Production Reference: 1311024

    Published by Packt Publishing Ltd.

    Grosvenor House

    11 St Paul’s Square

    Birmingham

    B3 1RB

    ISBN: 978-1-83620-851-8

    www.packtpub.com

    Contributors

    About the Authors

    Dwayne Natwick is the CEO/Owner/Principal Trainer at Captain Hyperscaler, LLC. He was previously the Global Principal Cloud Security Lead at Atos, a multi-cloud GSI. He has been in IT, security design, and architecture for over 30 years. His love of teaching led him to become an APMG-accredited ISACA trainer, a Microsoft Certified Trainer (MCT) Regional Lead and a Microsoft Most Valuable Professional (MVP), an AKYLADE Certified Instructor, and an ISC2 Authorized Instructor.

    Dwayne has a master’s degree in business IT from Walsh College; the CISM, CISA, and CRISC certifications from ISACA; the CISSP, CGRC, CSSLP, CCSP, SSCP, and CC certifications from ISC2; and over 18 Microsoft certifications, including Identity and Access Administrator, Azure Security Engineer, and Microsoft 365 Security Administrator. Dwayne can be found sharing information via social media, industry conferences, his blog site, and his YouTube channel.

    Originally from Maryland, Dwayne currently resides in Michigan with his wife and three children.

    To my wife, Kristy, thank you for always being there and supporting me. You are the love of my life and my best friend. To my children, Austin, Jenna, and Aidan, even with my career accomplishments, you are what makes me the proudest. You are all growing up to be such amazing people with kind hearts.

    All four of you are my world and I could not make this journey without you. All my love and support for everything that you do.

    – Dwayne Natwick

    Graham Gold is a Senior Cloud Security Engineer at Admiral Group. He has 27 years’ experience in financial services IT, now specializing in cloud security as of 2020. He has been instrumental in designing, building, securing, and running complex systems at enterprise scale across mainframes, Windows, Linux, and networks, on both on-premises systems and cloud platforms.

    He is a multi-cloud certified professional, holding the Microsoft Cybersecurity Architect Expert, Azure Security Engineer, Google Certified Professional Cloud Security Engineer, and Google Certified Professional Cloud Architect certifications.

    Graham is passionate about identity security and privileged access management, and loves to help his colleagues and community, sharing his knowledge on his blog and across social media platforms. Outside of work, he lives in Scotland with his wife and cats, and they share a love of world travel.

    Abu Zobayer works as a Senior Cloud Solutions Architect at Microsoft, bringing over two decades of experience in the IT industry. Over the course of his career, he has taken on various key roles, such as Principal Microsoft Technical Trainer and Senior Customer Engineer. His credentials include a range of certifications: Microsoft Cybersecurity Architect Expert, Azure Security Engineer, Azure DevOps Expert, and Azure Solutions Architect Expert.

    Abu holds a master’s degree in cybersecurity from the University of Texas. He has played a crucial role in designing, deploying, and securing advanced cloud architectures, ensuring reliable and scalable solutions for enterprise-level clients.

    Abu has a strong interest in cybersecurity and cloud innovations, and he frequently shares his expertise through training programs and community initiatives. Outside of his professional life, he enjoys experimenting with new technologies and spending quality time with his family in San Antonio, Texas.

    About the Reviewers

    Dan Gora is a Lead Cloud Security Architect at Eviden, part of ATOS, with over 15 years of experience in cybersecurity. Specializing in secure cloud transformation for highly regulated industries, he has guided organizations to enhance their security architecture by effectively implementing DevSecOps and zero-trust methodologies.

    As an active contributor to the cybersecurity community, Dan is the OWASP Frankfurt Chapter Lead and Board Member of OWASP Germany. He has also co-authored several whitepapers for the Cloud Security Alliance. Dan holds a master’s degree in secure software engineering from Darmstadt University of Applied Sciences, Germany, and certifications such as CISSP, CSSLP from ISC2, and CCSK from CSA, along with multiple credentials from Microsoft and AWS.

    Originally from Germany, Dan now lives in Scotland with his civil partner, Margaretha.

    To my partner, Margaretha, thank you for your unwavering love and support throughout the years. You are the cornerstone of my life and instrumental to my success. I cherish every moment with you.

    – Dan Gora

    Jetro Wils helps organizations operate safely in this cloud era by strengthening their information security and compliance, thus reducing risk and providing peace of mind. For 18 years, Jetro has been active in various tech companies in Belgium. Jetro’s focus is practical cybersecurity advisory, specializing in cloud security, governance, compliance, and risk management. Jetro is a three-time Microsoft Certified Azure Expert and an MCT. He gives 10-20 certified training sessions annually on the cloud, AI, and security and has trained over 100 professionals, including enterprise architects, project managers, service managers, salespeople, team leaders, and engineers. He also hosts the BlueDragon Podcast, focusing on the above topics for decision-makers. Jetro is currently pursuing a master’s degree in IT risk and cybersecurity management at the Antwerp Management School. He is a certified NIS 2 Lead Implementor, having gained the certification from PECB.

    Table of Contents

    Preface

    1

    Cybersecurity in the Cloud

    Making the Most of This Book – Your Certification and Beyond

    What Is Cybersecurity?

    Significance in Modern Business

    Cybersecurity in the Context of the SC-100 Exam

    Evolution of Cybersecurity from On-Premises to the Cloud

    Defense-in-Depth Security Strategy

    Building a Defense-in-Depth Security Posture

    Shared Responsibility in Cloud Security

    Understanding the Stages of a Cyber-Attack

    How Cybersecurity Architecture Can Protect Against These Threats

    Security Operations

    Understanding the Scope of Cybersecurity in the Cloud

    Shared Responsibility Scope

    Principles of the Zero-Trust Methodology

    Common Threats and Attacks

    Internal Threats

    External Threats

    Defense in Depth: A Real-Life Example

    Additional Example: Okta

    Initial Signs of Compromise

    Impact

    Impact

    Remediation

    Defense in Depth

    Summary

    Exam Readiness Drill – Chapter Review Section

    How to Get Started

    2

    Build an Overall Security Strategy and Architecture

    Identifying the Integration Points in an Architecture by Using the Microsoft Cybersecurity Reference Architectures

    How is the MCRA Used?

    What Are the Components of the MCRA?

    Translating Business Goals into Security Requirements

    Threat Analysis

    Translating Security Requirements into Technical Capabilities

    Physical

    Identity and Access

    Perimeter security

    Network Security

    Compute

    Applications

    Data

    Designing Security for a Resiliency Strategy

    Integrating a Hybrid or Multi-Tenant Environment into a Security Strategy

    Developing a Technical and Governance Strategy for Traffic Filtering and Segmentation

    North-South/East-West Network Traffic and Segmentation

    Summary

    Exam Readiness Drill – Chapter Review Section

    How to Get Started

    3

    Design a Security Operations Strategy

    Designing a Logging and Auditing Strategy to Support Security Operations, Including Microsoft Purview Audit

    Security Operations Overview

    Microsoft Security Operations Tools

    Logging and Auditing for Threat and Vulnerability Detection

    Microsoft Purview Audit

    Developing Security Operations to Support a Hybrid or Multi-Cloud Environment

    Designing a strategy for SIEM and SOAR

    Evaluating Security Workflows

    Security Strategies for Incident Management and Response

    Security Workflows

    Evaluating a Security Operations Strategy for the Incident Management Life Cycle

    Evaluating a Security Operations Strategy to Share Technical Threat Intelligence

    Leveraging Artificial Intelligence to Enhance Security Operations

    Microsoft Copilot for Security

    Summary

    Exam Readiness Drill – Chapter Review Section

    How to Get Started

    4

    Design an Identity Security Strategy

    Zero Trust for Identity and Access Management

    Designing a Strategy for Access to Cloud Resources

    Recommending an Identity Store

    Microsoft Entra Tenant Synchronization with SCIM

    External Identities

    Recommending an Authentication and Authorization Strategy

    Hybrid Identity Infrastructure

    Secure Authorization Methods

    Designing a Strategy for CA

    Microsoft Entra Identity Protection

    Designing a Strategy for CAE

    Designing a Strategy for Role Assignment and Delegation

    Designing a Security Strategy for Privileged Role Access

    Microsoft Entra ID PIM

    Designing a Security Strategy for Privileged Activities

    Privileged Access Reviews

    Entitlement Management (aka Permission Management)

    Cloud Tenant Administration

    Case study – Designing a Zero-Trust Architecture

    Summary

    Exam Readiness Drill – Chapter Review Section

    How to Get Started

    5

    Design a Regulatory Compliance Strategy

    Interpreting Compliance Requirements and Translating Them into Specific Technical Capabilities

    Evaluating Infrastructure Compliance by Using Microsoft Defender for Cloud

    Interpreting Compliance Scores and Recommending Actions to Resolve Issues or Improve Security

    Designing an Implementation of Azure Policy

    Designing for Data Residency Requirements

    Translating Privacy Requirements into Requirements for Security Solutions

    Case Study – Designing for Regulatory Compliance

    Summary

    Exam Readiness Drill – Chapter Review Section

    How to Get Started

    6

    Evaluate Security Posture and Recommend Technical Strategies to Manage Risk

    Evaluating the Security Posture Using Benchmarks

    Evaluating the Security Posture Using Microsoft Defender for Cloud

    Evaluating the Security Posture by Using Secure Score

    Evaluating the Security Posture of Cloud Workloads

    Designing Security for an Azure Landing Zone

    Interpreting Technical Threat Intelligence and Recommending Risk Mitigations

    Recommending Security Capabilities or Controls to Mitigate Identified Risks

    Evaluating the Security of Internet Assets with Microsoft Defender EASM

    Case Study – Evaluating the Security Posture

    Summary

    Exam Readiness Drill – Chapter Review Section

    How to Get Started

    7

    Design a Strategy for Securing Server and Client Endpoints

    Planning and Implementing a Security Strategy across Teams

    Specifying Security Baselines for Server and Client Endpoints

    Specifying Security Requirements for Servers, Including Multiple Platforms and Operating Systems

    Specifying Security Requirements for Mobile Devices and Clients, Including Endpoint Protection, Hardening, and Configuration

    Evaluating Windows LAPS Solutions

    How Do You Manage Local Admin Passwords in Windows?

    Introduction of Microsoft LAPS

    Replacement of Microsoft LAPS with Windows LAPS

    Deployment Considerations for Windows LAPS

    Specifying requirements to Secure AD DS

    Designing a Strategy to Manage Secrets, Keys, and Certificates

    Designing a Strategy for Secure Remote Access

    Remote Management of Servers and Applications

    Remote Management of Mobile Devices and Clients

    Understanding Security Operations Frameworks, Processes, and Procedures

    Case Study – Designing a Secure Architecture for Endpoints

    Summary

    Exam Readiness Drill – Chapter Review Section

    How to Get Started

    8

    Design a Strategy for Securing SaaS, PaaS, and IaaS

    Specifying Security Baselines for SaaS, PaaS, and IaaS Services

    Security Baselines for SaaS

    Security Baselines for IaaS

    Security Baselines for PaaS

    Specifying Security Requirements for IoT Devices and Connected Systems

    Device Security

    Connection Security

    Cloud Security

    Evaluating Solutions for Securing OT and Industrial Control Systems (ICSs) by Using Microsoft Defender for IoT

    Cloud-Connected Sensors

    Local OT Sensors

    Specifying Security Requirements for Data Workloads, Including SQL, Azure SQL Database, Azure Synapse, and Azure Cosmos DB

    Specifying Security Requirements for Storage Workloads, Including Azure Storage

    Specifying Security Requirements for Web Workloads, Including Azure App Service

    Specifying Security Requirements for Containers

    Specifying Security Requirements for Container Orchestration

    Evaluating Solutions That Include Azure AI Services Security

    What Are Azure AI Services?

    Security Considerations

    Case Study – Security Requirements for IaaS, PaaS, and SaaS

    Summary

    Exam Readiness Drill – Chapter Review Section

    How to Get Started

    9

    Specify Security Requirements for Applications

    Specifying Priorities for Mitigating Threats to Applications

    Identity and Secret Handling and Use

    Segmentation and Configuration

    Static and Dynamic Testing

    Data Handling and Access

    Security Posture Management and Workload Protection

    Specifying a Security Standard for Onboarding a New Application

    Designing a Security Solution for API Management

    Case Study – Security Requirements for Applications

    Summary

    Exam Readiness Drill – Chapter Review Section

    How to Get Started

    10

    Design a Strategy for Securing Data

    Specifying Priorities for Mitigating Threats to Data

    Managing the Risk to Data

    Ransomware Protection and Recovery

    Designing a Strategy to Identify and Protect Sensitive Data

    Specifying an Encryption Standard for Data at Rest and in Motion

    Encryption at Rest

    Data Masking

    Encryption in Transit

    Managing Data Encryption Security with Azure Key Vault

    Identity and Secret Handling and Use

    Case Study – Designing a Strategy to Secure Data

    Summary

    Exam Readiness Drill – Chapter Review Section

    How to Get Started

    11

    Accessing the Online Practice Resources

    Other Books You May Enjoy

    Preface

    As the adoption of cloud infrastructure and services continues to grow at a rapid pace, cloud security has never been more critical. Businesses are increasingly moving their data, services, and applications to the cloud, creating a need for skilled professionals who can secure these environments. Cloud computing has evolved from a supplementary technology to a core competency within enterprises.

    This shift has created a high demand for knowledgeable cloud security engineers and architects who can design, build, and operate secure cloud environments. The challenges posed by numerous security threats require organizations to develop robust cloud security strategies. Certifications play a vital role in identifying and developing the necessary skills for implementing cloud security measures. They also help individuals demonstrate their expertise to potential employers, advancing their careers.

    The goal of this book is to equip you with the knowledge and skills needed to excel in cloud security. It covers a comprehensive range of topics essential for understanding and implementing cloud security measures. From cybersecurity fundamentals to advanced topics such as incident response, this book provides practical and straightforward explanations designed to educate you on the challenges and solutions in cloud security.

    This book will prepare cybersecurity professionals like you for the SC-100 exam while also giving you a solid foundation that will help you put your knowledge to work and implement the strategies you learn. A mixture of theoretical and practical knowledge, practice questions, and a mock exam will ensure you breeze through the exam.

    As you progress through this book, you will engage with various cloud security concepts and practices. The chapters cover critical areas such as cybersecurity in the cloud, building a security strategy, identity and access management, data protection, compliance, incident response, security operations, and future trends. Each chapter is designed to guide you through scenarios that test your understanding and application of cloud security principles.

    By the end of this book, you will have a solid understanding of cloud security principles and practices and the confidence to apply this knowledge in your current role. You will be well prepared to tackle the challenges of securing cloud environments and stay ahead of emerging threats and technologies.

    Who This Book Is For

    This book is for a wide variety of cybersecurity professionals – from security engineers and cybersecurity architects to Microsoft 365 administrators, user and identity administrators, infrastructure administrators, cloud security engineers, and other IT professionals preparing to take the SC-100 exam. It is also a good resource for those who are designing cybersecurity architecture but not preparing for the exam. To get started, you will need a solid understanding of the fundamental services within Microsoft 365 and Azure, along with the security, compliance, and identity capabilities of Microsoft and hybrid architectures.

    What This Book Covers

    Chapter 1, Cybersecurity in the Cloud, provides an overview of cybersecurity and its evolution with cloud technologies. It explains how cybersecurity has changed as workloads have moved from on-premises data centers to the cloud.

    Chapter 2, Build an Overall Security Strategy and Architecture, discusses developing and designing a security strategy for cloud, hybrid, and multi-tenant environments. It includes identifying integration points, translating business goals into security requirements, and designing security for resiliency.

    Chapter 3, Design a Security Operations Strategy, covers designing and evaluating a strategy for security operations. Topics include logging and auditing for public, hybrid, and multi-cloud infrastructures, utilizing SIEM and SOAR solutions, and managing the incident life cycle.

    Chapter 4, Design an Identity Security Strategy, focuses on creating an identity security strategy for cloud-native, hybrid, and multi-cloud environments. It emphasizes zero-trust principles and covers strategies for access management, conditional access, and privileged role access.

    Chapter 5, Design a Regulatory Compliance Strategy, explores developing security and governance strategies based on regulatory compliance requirements. It includes using tools such as Microsoft Defender for Cloud and Azure Policy to evaluate and govern resources.

    Chapter 6, Evaluate Security Posture and Recommend Technical Strategies to Manage Risk, discusses assessing security posture using benchmarks and tools such as Microsoft Defender for Cloud. It covers recommending security capabilities to mitigate identified risks.

    Chapter 7, Design a Strategy for Securing Server and Client Endpoints, details creating security baselines and specifying security requirements for servers, mobile devices, and AD DS. It also covers managing secrets, keys, and certificates, and securing remote access.

    Chapter 8, Design a Strategy for Securing SaaS, PaaS, and IaaS, involves building security baselines and specifying security requirements for various cloud services and workloads, including containers, edge computing, and application services.

    Chapter 9, Specify Security Requirements for Applications, establishes security standards and strategies for applications and APIs. It includes prioritizing threat mitigation, onboarding new applications, and designing security solutions for API management.

    Chapter 10, Design a Strategy for Securing Data, applies risk management frameworks and encryption standards to protect sensitive data. It covers identifying and protecting sensitive data and specifying encryption standards for data at rest and in motion.

    How to Get the Most Out of This Book

    This book is crafted to equip you with the knowledge and skills necessary to excel in the SC-100 exam through memorable explanations of major domain topics. It covers the core domains critical to cloud security and cybersecurity expertise that candidates must be proficient in to pass the exam. For each domain, you will work through content that reflects real-world cloud security challenges. At certain points in the book, you will assess your understanding by taking chapter-specific quizzes. This not only prepares you for the SC-100 exam but also allows you to dive deeper into a topic as needed based on your results.

    Online Practice Resources

    With this book, you will unlock unlimited access to our online exam-prep platform (Figure 0.1). This is your place to practice everything you learn in the book.

    How to Access These Materials

    To learn how to access the online resources, refer to Chapter 11, Accessing the Online Practice Resources, at the end of this book.

    Figure 0.1 – Online exam-prep platform on a desktop device


    Sharpen your knowledge of SC-100 exam concepts with multiple sets of mock exams, interactive flashcards, case studies, and exam tips accessible from all modern web browsers.

    Download the Color Images

    We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://packt.link/SC-100_GraphicBundle.

    Conventions Used

    There are several text conventions used throughout this book.

    Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and X (formerly Twitter) handles. Here is an example: Since '1'='1' is always true, this query will always return all data from the users table, giving the malicious user access to all user accounts.

    A block of code is set as follows:

    SELECT * FROM users WHERE username = 'username' AND password = 'password'

    Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Infrastructure as a Service (IaaS) offers virtualized computing resources, including Virtual Machines (VMs), storage, and networking. The user controls their infrastructure, while the Cloud Service Provider (CSP) oversees the physical hardware."

    Tips or Important Notes

    Appear like this.

    Get in Touch

    Feedback from our readers is always welcome.

    General feedback: If you have any questions about this book, please mention the book title in the subject of your message and email us at [email protected].

    Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you could report this to us. Please visit www.packtpub.com/support/errata and complete the form. We ensure that all valid errata are promptly updated in the GitHub repository at https://packt.link/SC100e2GitHub.

    Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you could provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

    If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

    Share Your Thoughts

    Once you’ve read Microsoft Cybersecurity Architect Exam Ref SC-100, Second Edition, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

    Your review is important to us and the tech community and
