Microsoft Microsoft Certified: Cybersecurity Architect Expert SC-100 Questions & Answers
Question 31:
You are designing a new Azure environment based on the security best practices of the Microsoft Cloud Adoption Framework for Azure. The environment will contain one subscription for shared infrastructure components and three separate subscriptions for applications.
You need to recommend a deployment solution that includes network security groups (NSGs), Azure Firewall, Azure Key Vault, and Azure Bastion. The solution must minimize deployment effort and follow security best practices of the Microsoft Cloud Adoption Framework for Azure.
What should you include in the recommendation?
A. the Azure landing zone accelerator
B. the Azure Well-Architected Framework
C. Azure Security Benchmark v3
D. Azure Advisor
Correct Answer: A
Explanation:
About Azure Bastion host and jumpboxes
The most simple solution is to host a jumpbox on the virtual network of the data management landing zone or data landing zone to connect to the data services through private endpoints.
Azure Bastion provides a few other core security benefits, including:
*
The service integrates with native security appliances for an Azure virtual network, such as Azure Firewall.
Note:
*
Platform landing zones: Subscriptions deployed to provide centralized services, often operated by a central team, or a number of central teams split by function (e.g. networking, identity), which will be used by various workloads and applications. Platform landing zones represent key services that often benefit from being consolidated for efficiency and ease of operations. Examples include networking, identity, and management services.
*
The Azure App Service landing zone accelerator is an open-source collection of architectural guidance and reference implementation to accelerate deployment of Azure App Service at scale. It can provide a specific architectural approach and reference implementation via infrastructure as code templates to prepare your landing zones. The landing zones adhere to the architecture and best practices of the Cloud Adoption Framework.
Incorrect:
Not B: The Azure Well-Architected Framework is a set of guiding tenets that can be used to improve the quality of a workload. The framework consists of five pillars of architectural excellence:
Not C: The Azure Security Benchmark (ASB) provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure. This benchmark is part of a set of holistic security guidance that also includes:
*
Cloud Adoption Framework: Guidance on security, including strategy, roles and responsibilities, Azure Top 10 Security Best Practices, and reference implementation.
*
Azure Well-Architected Framework: Guidance on securing your workloads on Azure.
*
Microsoft Security Best Practices: Recommendations with examples on Azure.
Microsoft Cybersecurity Reference Architectures (MCRA): Visual diagrams and guidance for security components and relationships
*
The Azure Security Benchmark focuses on cloud-centric control areas. These controls are consistent with well-known security benchmarks, such as those described by the Center for Internet Security (CIS) Controls, National Institute of
Standards and Technology (NIST), and Payment Card Industry Data Security Standard (PCI-DSS).
Your company plans to follow DevSecOps best practices of the Microsoft Cloud Adoption Framework for Azure.
You need to perform threat modeling by using a top-down approach based on the Microsoft Cloud Adoption Framework for Azure.
What should you use to start the threat modeling process?
A. the STRIDE model
B. the DREAD model
C. OWASP threat modeling
Correct Answer: A
Question 33:
For a Microsoft cloud environment, you are designing a security architecture based on the Microsoft Cloud Security Benchmark.
What are three best practices for identity management based on the Azure Security Benchmark? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Manage application identities securely and automatically.
B. Manage the lifecycle of identities and entitlements
C. Protect identity and authentication systems.
D. Enable threat detection for identity and access management.
E. Use a centralized identity and authentication system.
Correct Answer: ACE
Question 34:
Your company is preparing for cloud adoption.
You are designing security for Azure landing zones.
Which two preventative controls can you implement to increase the secure score? Each NOTE: Each correct selection is worth one point.
A. Azure Firewall
B. Azure Web Application Firewall (WAF)
C. Microsoft Defender for Cloud alerts
D. Azure Active Directory (Azure AD Privileged Identity Management (PIM)
E. Microsoft Sentinel
Correct Answer: AB
This question is to increase secure score. Here is a long reference page from Microsoft of security recommendations that can increase your secure score. Sentinel and PIM are not on it. The explanation makes a great point about alerts not being preventive, which is a key aspect of the required solution.
You have legacy operational technology (OT) devices and IoT devices.
You need to recommend best practices for applying Zero Trust principles to the OT and IoT devices based on the Microsoft Cybersecurity Reference Architectures (MCRA). The solution must minimize the risk of disrupting business
operations.
Which two security methodologies should you include in the recommendation? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. active scanning
B. threat monitoring
C. software patching
D. passive traffic monitoring
Correct Answer: BC
Explanation: Microsoft Cybersecurity Reference Architectures Apply zero trust principles to securing OT and industrial IoT environments
You have an on-premises network and a Microsoft 365 subscription.
You are designing a Zero Trust security strategy.
Which two security controls should you include as part of the Zero Trust solution? Each correct answer presents part of the solution.
NOTE: Each correct answer is worth one point.
A. Always allow connections from the on-premises network.
B. Disable passwordless sign-in for sensitive accounts.
C. Block sign-in attempts from unknown locations.
D. Block sign-in attempts from noncompliant devices.
Correct Answer: CD
Question 37:
You have an Azure subscription.
Your company has a governance requirement that resources must be created in the West Europe or North Europe Azure regions.
What should you recommend using to enforce the governance requirement?
A. Azure management groups
B. custom Azure roles
C. Azure Policy assignments
D. regulatory compliance standards in Microsoft Defender for Cloud
Correct Answer: C
Explanation:
Azure Policy helps to enforce organizational standards and to assess compliance at-scale.
Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management. Policy definitions for these common use cases are already available in your Azure
environment as built-ins to help you get started.
Specifically, some useful governance actions you can enforce with Azure Policy include:
Ensuring your team deploys Azure resources only to allowed regions
Enforcing the consistent application of taxonomic tags
Requiring resources to send diagnostic logs to a Log Analytics workspace
Note: Once your business rules have been formed, the policy definition or initiative is assigned to any scope of resources that Azure supports, such as management groups, subscriptions, resource groups, or individual resources. The
assignment applies to all resources within the Resource Manager scope of that assignment.
You design cloud-based software as a service (SaaS) solutions.
You need to recommend a recovery solution for ransomware attacks. The solution must follow Microsoft Security Best Practices.
What should you recommend doing first?
A. Develop a privileged identity strategy.
B. Implement data protection.
C. Develop a privileged access strategy.
D. Prepare a recovery plan.
Correct Answer: D
Recommend a ransomware strategy by using Microsoft Security Best Practices The three important phases of ransomware protection are:
*
create a recovery plan
*
limit the scope of damage
*
harden key infrastructure elements
Plan for ransomware protection and extortion-based attacks Phase 1 of ransomware protection is to develop a recovery plan. The first thing you should do for these attacks is prepare your organization so that it has a viable alternative to paying the ransom. While attackers in control of your organization have a variety of ways to pressure you into paying, the demands
You use Azure Pipelines with Azure Repos to implement continuous integration and continuous deployment (CI/CD) workflows for the deployment of applications to Azure.
You need to recommend what to include in dynamic application security testing (DAST) based on the principles of the Microsoft Cloud Adoption Framework for Azure.
What should you recommend?
A. unit testing
B. penetration testing
C. dependency checks
D. threat modeling
Correct Answer: B
Dynamic application security testing (DAST)
In a classical waterfall development model, security was typically introduced at the last step, right before going to production. One of the most popular security approaches is penetration testing or pen testing. Penetration testing lets a team
look at the application from a black-box security perspective, as in, closest to an attacker mindset.
You are designing a user access solution that follows the Zero Trust principles of the Microsoft Cybersecurity Reference Architectures (MCRA).
You need to recommend a solution that automatically restricts access to Microsoft Exchange Online, SharePoint Online, and Teams in near-real-time (NRT) in response to the following Azure AD events:
1.
A user account is disabled or deleted.
2.
The password of a user is changed or reset.
3.
All the refresh tokens for a user are revoked.
4.
Multi-factor authentication (MFA) is enabled for a user.
Which two features should you include in the recommendation? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. continuous access evaluation
B. Azure AD Application Proxy
C. a sign-in risk policy
D. Azure AD Privileged Identity Management (PIM)
E. Conditional Access
Correct Answer: AE
Continuous access evaluation
Key benefits
User termination or password change/reset: User session revocation will be enforced in near real time.
Network location change: Conditional Access location policies will be enforced in near real time.
Token export to a machine outside of a trusted network can be prevented with Conditional Access location policies.
Scenarios
There are two scenarios that make up continuous access evaluation, critical event evaluation and Conditional Access policy evaluation.
*
Critical event evaluation Continuous access evaluation is implemented by enabling services, like Exchange Online, SharePoint Online, and Teams, to subscribe to critical Azure AD events. Those events can then be evaluated and enforced near real time. Critical event evaluation doesn't rely on Conditional Access policies so it's available in any tenant. The following events are currently evaluated:
User Account is deleted or disabled Password for a user is changed or reset Multi-factor authentication is enabled for the user Administrator explicitly revokes all refresh tokens for a user High user risk detected by Azure AD Identity Protection
*
Conditional Access policy evaluation
Exchange Online, SharePoint Online, Teams, and MS Graph can synchronize key Conditional Access policies for evaluation within the service itself.
This process enables the scenario where users lose access to organizational files, email, calendar, or tasks from Microsoft 365 client apps or SharePoint Online immediately after network location changes.
Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Microsoft exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your SC-100 exam preparations and Microsoft certification application, do not hesitate to visit our Vcedump.com to find your solutions here.