500
Jeroen Mulder
Principal Consultant and Regional Distinguished Engineer at Fujitsu | Author | Member City Council Emmen (NL) … and fighting Mr. Parkinson
It’s a song by two Scottish brothers, Charlie and Craig Reid, better known as the Proclaimers: 500 miles. It’s an evergreen, a classic and one of those songs that make you crank up the volume when it’s on air. Especially when you are in the car: turn it up and sing along as loud as you can. I have this awkward little thing where I sing it like the Reid brothers do, with a fake Scottish accent. I know: I should not be doing that. I do apologize.
The song has been in my head for weeks. Studying for the AZ-500 exam actually felt like walking 500 miles. But: it was one of the first goals that I had set for myself for January. I passed my exam last Friday, so goal achieved. Let me take you with me on my ‘500 miles’.
If there’s one theme in IT for the forthcoming years, then it definitely will be security. As a lot of companies and institutions are moving their environments to public clouds, security in those clouds is hopefully on everyone’s radar. One of my own statements is that platforms like Azure, AWS and GCP are likely to be the most secure platforms in the world. They simply do not have a choice, they have to be – since these platforms are hosting thousands and thousands of customers. Every breach will immediately affect the trust in public cloud. However, moving to public cloud doesn’t mean that you as a customer are also transferring your responsibility to these platforms. Security policies always remain your responsibility; public clouds merely provide you with a toolbox to implement these policies and in the end secure your systems.
Are we talking tools here? Absolutely not. You would think that AZ-500 is mainly about configuring and using Azure Security Center (ASC) and Sentinel. Well, it’s not. It would be a big mistake too. ASC and Sentinel are indeed powerful tools, but still tools. Understanding security goes way deeper than just that. Basically, security comes down to that one question: who is allowed to do what, when and why? In all cases the answer should be challenged: does someone really need to be able to do that at that specific time and for that particular reason? That’s what IT security really is all about. Hence, the AZ-500 exam drills down to real fundamental stuff, starting with identity and access management (25% of the exam questions).
And that’s what immediately brought on the first challenge for me: understanding what Azure Active Directory does. Big mistake: thinking that AD is similar to AAD. Wrong assumption, as I found out. Well, I knew that AD is not AAD obviously, but they are actually completely different concepts. Where AD is a real directory, AAD is all about online identities and only that. It’s an identity solution. I guess it’s fair to say that this understanding is the real cornerstone in everything you will ever learn about security in Azure. Let’s put it this way: Azure security is about identities. Who is who, what is what (an identity is not always a person, it can be anything: a machine, an app, a piece of code for that matter), how can you tell and once you’ve made sure that the identity is ‘true’, then the part starts where you can assign responsibilities and tasks to that identity.
Once you’ve got that concept right, you can really dig into your AZ-500 preparation. The material covers a lot of ground. The only problem is: where do you find this material? There’s no official exam guide, so you will need to study from ‘bits and pieces’ from different sources. What do you really need to know? As said: it starts with the concept of identities. Surprisingly, security in Azure is not at all about configuring Azure Security Center. It’s about limiting the attack surface of identities in your environment, yet permitting them to do exactly what they need to do.
What should you allow an identity without increasing the attack surface of that identity (e.g. a VM or an app) or breaching an identity that it has access to? So, to what storage account does your VM need access? How do you grant access? What Azure AD roles should you implement ensuring the principle of least privilege? What Azure resource roles do you need, based on that same principle? The goal of the exam is to verify whether you understand – first and above all – the concept and next how you can use the tools to implement the concept.
In short, AZ-500 is about:
- Managing identities and access, mainly focusing on Azure AD
- Implementing platform protection, using NSGs, firewalls, network connectivity, hardening, resource locks and… how do you secure containers? Yes, the exam does have a number of questions on implementing Azure Kubernetes Service and securing containers.
- Securing data and applications, mainly about (SQL) database authentication, threat detection, encryption, backup, storage accounts and access keys for storage identities using Shared Access Signatures (SAS). Hint: do not forget to do some digging on HDInsight and CosmosDB. In my exam there were questions on both topics.
- Last but not least: managing security operations. Indeed, this is the part about monitoring, policies, logs and alerts using Azure Monitor and Azure Security Center. Sentinel is not part of the exam yet.
Be aware of the fact that the exam does contain a lab where you will be asked to perform a number of actions, like granting access from RDP to a certain VM, configuring NICs, implementing network routing and adding users to AAD using multi-factor authentication (MFA) and Privileged Identity Management (PIM). It’s all there.
In short: it is a deep dive. And studying for this exam takes time. A good starting point would be the video tutorials by, among others, Tim Warner (@TechTrainerTim) on Pluralsight: highly recommended. In fact: there’s an AZ-500 learning path on Pluralsight that has been extremely helpful. Second tip: there’s a good book titled ‘Pro Azure Governance and Security’ by Peter De Tender, David Rendon and Samuel Erskine (https://www.apress.com/gp/book/9781484249093).
I’ve walked my 500 miles. I wish you all the best of luck in walking yours. You can do it.
Just keep the song in your head.