DP-203: Data Engineering on Microsoft Azure


Question 211

A company runs Microsoft SQL Server in an on-premises virtual machine (VM).
You must migrate the database to Azure SQL Database. You synchronize users from Active Directory to Azure Active Directory (Azure AD).
You need to configure Azure SQL Database to use an Azure AD user as administrator.

What should you configure?
For each Azure SQL Database, set the Access Control to administrator.
For each Azure SQL Database server, set the Active Directory to administrator.
For each Azure SQL Database, set the Active Directory administrator role.
For each Azure SQL Database server, set the Access Control to administrator.




Answer is "For each Azure SQL Database, set the Active Directory administrator role."

There are two administrative accounts (Server admin and Active Directory admin) that act as administrators.
One Azure Active Directory account, either an individual or security group account, can also be configured as an administrator. It is optional to configure an Azure AD administrator, but an Azure AD administrator must be configured if you want to use Azure AD accounts to connect to SQL Database.

References:
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-manage-logins

Question 212

Cloud security is a shared responsibility between you and your cloud provider. Which category of cloud services requires the greatest security effort on your part?
Infrastructure as a service (IaaS)
Platform as a service (PaaS)
Software as a service (SaaS)




Answer is Infrastructure as a service (IaaS)

Infrastructure as a service (IaaS). At this level, the cloud provider provides physical security to compute resources. However, it's your responsibility to patch and secure your operating systems and software, as well as configure your network to be secure. With Platform as a service (PaaS) the cloud provider handles many security concerns, more than with other categories. This includes providing physical security and keeping operating systems patched and up to date. With Software as a service (SaaS) the cloud provider handles most security concerns for you. Your main responsibility is to provide your organization's users with proper access to the software.

Question 213

Which of these is the strongest way to protect sensitive customer data?
Encrypt data as it sits in your database
Encrypt data as it travels over the network
Encrypt data both as it sits in your database and as it travels over the network




Answer is "Encrypt data both as it sits in your database and as it travels over the network"

Encrypting your data at all times, both as it sits in your database and as it travels over the network, minimizes the opportunity for an attacker to access your data in plain text.

Question 214

You want to store certificates in Azure to centrally manage them for your services. Which Azure service should you use?
Azure Key Vault
Azure AD




Answer is Azure Key Vault

Because it is a centralized cloud service for storing application secrets, referred to as a secret store. MSIP is a cloud-based solution that helps an organization classify and, optionally, protect its documents and emails by applying labels. Azure AD is Microsoft’s cloud-based identity and access management service that helps employees of an organization sign in and access resources.

Question 215

Mike is working as a consultant developing an application for a national Realtor company. They store thousands of images of houses in an Azure BLOB storage account. The web application Mike is developing needs to have access to these images. How can Mike provide secure access for the third-party web application?
Use Anonymous access to give the web application access
Use a storage account key to give the web application access
Use a Shared Access Signature to give the web application access.




Answer is "Use a Shared Access Signature to give the web application access."

The shared access signature is the best approach to use should you require a third-party application to have access to data in a blob storage account. It can provide access without sharing the storage account key.

Anonymous access is not appropriate, as you require secure access to the data, and the storage account key is the key that provides full access to the account. Sharing it with a third party increases the risk of the data being compromised.

Question 216

Mike wants to gain insights should any unusual activity be occurring with his storage account with minimal configuration. What can Mike use to achieve this?
Encryption
Storage account signature
Automatic Threat Detection




Answer is Automatic Threat Detection

Automatic Threat Detection is used to proactively advise if there is any unusual activity with a storage account. Encryption is used to protect data at rest or in transit; it is not used to give access to data in a storage account. A "storage account signature" does not exist.

Question 217

Which of the following is the most efficient way to secure a database to allow only access from a VNet while restricting access from the internet?
An allow access to Azure services rule
A server-level IP address rule
A server-level virtual network rule
A database-level IP address rule




Answer is A server-level virtual network rule

A server-level virtual network rule lets you allow connectivity from specific Azure VNet subnets while blocking access from the internet. This is the most efficient way to secure this configuration.

Question 218

A mask has been applied to a column in the database that holds a user’s email address, laura@contoso.com. From the list of options, what would the mask display for a database administrator account?
lxxx@xxxx.com
laura@contoso.com
laura@xxxxxxx.com
Data not available




Answer is laura@contoso.com

laura@contoso.com. When database administrator accounts access data that has a mask applied, the mask is removed and the original data is visible.

Question 219

A project requires the deployment of data to Azure Data Lake Storage.
You need to implement role-based access control (RBAC) so that project members can manage the Azure Data Lake Storage resources.

Which three actions should you perform?
Assign Azure AD security groups to Azure Data Lake Storage.
Configure end-user authentication for the Azure Data Lake Storage account.
Configure service-to-service authentication for the Azure Data Lake Storage account.
Create security groups in Azure Active Directory (Azure AD) and add project members.
Configure access control lists (ACL) for the Azure Data Lake Storage account.




Answers are:
Assign Azure AD security groups to Azure Data Lake Storage.
Create security groups in Azure Active Directory (Azure AD) and add project members.
Configure access control lists (ACL) for the Azure Data Lake Storage account.


A, D: Create security groups in Azure Active Directory. Assign users or security groups to Data Lake Storage Gen1 accounts.
E: Assign users or security groups as ACLs to the Data Lake Storage Gen1 file system.

References:
https://docs.microsoft.com/en-us/azure/data-lake-store/data-lake-store-secure-data

Question 220

You have an Azure SQL database that has masked columns.
You need to identify when a user attempts to infer data from the masked columns.

What should you use?
Azure Advanced Threat Protection (ATP)
custom masking rules
Transparent Data Encryption (TDE)
auditing




Answer is auditing

Dynamic Data Masking is designed to simplify application development by limiting data exposure in a set of pre-defined queries used by the application. While Dynamic Data Masking can also be useful to prevent accidental exposure of sensitive data when accessing a production database directly, it is important to note that unprivileged users with ad-hoc query permissions can apply techniques to gain access to the actual data. If there is a need to grant such ad-hoc access, Auditing should be used to monitor all database activity and mitigate this scenario.

References:
https://docs.microsoft.com/en-us/sql/relational-databases/security/dynamic-data-masking
