1
00:00:00,850 --> 00:00:02,230
Hey, so in this video,

2
00:00:02,230 --> 00:00:05,850
we are going to talk about "Understanding Data Protection".

3
00:00:05,850 --> 00:00:08,120
We're going to look at a couple of important concepts,

4
00:00:08,120 --> 00:00:10,540
the first being defense in depth.

5
00:00:10,540 --> 00:00:12,700
We'll talk about this important security concept

6
00:00:12,700 --> 00:00:14,450
and what it means for you.

7
00:00:14,450 --> 00:00:16,660
And then we'll talk about encrypting data

8
00:00:16,660 --> 00:00:18,150
at rest and in motion,

9
00:00:18,150 --> 00:00:22,007
and what you need to know for the DP-203.

10
00:00:22,007 --> 00:00:24,984
So with that, let's go ahead and get started.

11
00:00:24,984 --> 00:00:27,980
So to start our discussion on defense in depth,

12
00:00:27,980 --> 00:00:31,330
we are first going to go inside the CIA.

13
00:00:31,330 --> 00:00:34,600
And we're going to talk about the 3 letters, C-I-A,

14
00:00:34,600 --> 00:00:36,990
first being confidentiality.

15
00:00:36,990 --> 00:00:40,720
So when we talk about security, it is very important

16
00:00:40,720 --> 00:00:44,170
that the data is kept secret or private.

17
00:00:44,170 --> 00:00:47,830
So in order to do this, we prevent the unauthorized sharing

18
00:00:47,830 --> 00:00:50,920
of data, whether that's by accident or on purpose.

19
00:00:50,920 --> 00:00:52,860
So that's a very important concept

20
00:00:52,860 --> 00:00:55,653
as we think about building our security system.

21
00:00:56,620 --> 00:00:59,330
So it's the theory of least privilege,

22
00:00:59,330 --> 00:01:00,763
is what you'll hear that as.

23
00:01:01,850 --> 00:01:03,680
Next, integrity.

24
00:01:03,680 --> 00:01:06,480
When we think about integrity, we want to make sure

25
00:01:06,480 --> 00:01:09,790
that our data is trustworthy and free from tampering.

26
00:01:09,790 --> 00:01:11,765
We want to make sure that nothing else

27
00:01:11,765 --> 00:01:13,381
is going to go in there

28
00:01:13,381 --> 00:01:17,290
and mask itself or pretend to be what we're trying to go to.

29
00:01:17,290 --> 00:01:18,123
So when you think of this,

30
00:01:18,123 --> 00:01:20,540
think about those websites that are spoof websites

31
00:01:20,540 --> 00:01:22,000
to grab your information.

32
00:01:22,000 --> 00:01:25,690
This falls into the integrity level of CIA.

33
00:01:25,690 --> 00:01:27,330
And so, in order to combat this,

34
00:01:27,330 --> 00:01:30,760
you can do things like hashing, or you can do encryption,

35
00:01:30,760 --> 00:01:33,153
or digital certificates, or things like that.

36
00:01:34,330 --> 00:01:37,350
And then the final concept is availability.

37
00:01:37,350 --> 00:01:40,440
So this is making sure that our data is available.

38
00:01:40,440 --> 00:01:43,450
So we are looking at Denial of Service attacks

39
00:01:43,450 --> 00:01:44,560
and ransomware.

40
00:01:44,560 --> 00:01:46,040
And how do we protect ourselves

41
00:01:46,040 --> 00:01:48,763
against those kinds of threats?

42
00:01:49,630 --> 00:01:50,610
So continuing on,

43
00:01:50,610 --> 00:01:52,750
let's talk about some of the security layers

44
00:01:52,750 --> 00:01:54,670
that you would typically encounter.

45
00:01:54,670 --> 00:01:57,140
We're going to start over here with this picture on the

46
00:01:57,140 --> 00:02:02,010
right of our gold, or our golden goose, which is our data.

47
00:02:02,010 --> 00:02:03,100
We always start there,

48
00:02:03,100 --> 00:02:07,008
because we want to build everything around that data.

49
00:02:07,008 --> 00:02:08,760
And so you'll see different rings

50
00:02:08,760 --> 00:02:10,160
that you would typically build in.

51
00:02:10,160 --> 00:02:12,950
The first being something like a physical security.

52
00:02:12,950 --> 00:02:15,480
And I'll tell you that the layers that I'll show,

53
00:02:15,480 --> 00:02:17,130
if you dive into the industry,

54
00:02:17,130 --> 00:02:18,850
there's a little bit of differences

55
00:02:18,850 --> 00:02:22,140
in the layers that they show, but the concept still remains.

56
00:02:22,140 --> 00:02:23,560
So just keep that in mind,

57
00:02:23,560 --> 00:02:27,290
that the idea is that we're building layers of security

58
00:02:27,290 --> 00:02:28,730
around protecting our data.

59
00:02:28,730 --> 00:02:30,760
It's not just 1 layer.

60
00:02:30,760 --> 00:02:33,240
And if you break through that, then you have everything.

61
00:02:33,240 --> 00:02:35,260
Instead, there's multiple pieces.

62
00:02:35,260 --> 00:02:36,490
So physical security.

63
00:02:36,490 --> 00:02:38,530
We would look at things like our building

64
00:02:38,530 --> 00:02:41,100
and our computing hardware.

65
00:02:41,100 --> 00:02:44,270
And we have identity and access, which is our second layer.

66
00:02:44,270 --> 00:02:47,710
And so this is thinking of single sign-on,

67
00:02:47,710 --> 00:02:49,660
multifactor authentication.

68
00:02:49,660 --> 00:02:51,930
So basically, controlling the access

69
00:02:51,930 --> 00:02:54,470
and making sure that you know who the person is

70
00:02:54,470 --> 00:02:56,083
and why they should be there.

71
00:02:57,170 --> 00:02:58,860
Then you look at your perimeter,

72
00:02:58,860 --> 00:03:01,930
and your perimeter is your firewalls.

73
00:03:01,930 --> 00:03:05,340
And so this is going to help with that protection

74
00:03:05,340 --> 00:03:07,750
on malicious attacks against your network.

75
00:03:07,750 --> 00:03:09,660
And it's going to help against that Denial

76
00:03:09,660 --> 00:03:12,263
of Service attacks and several other things as well.

77
00:03:14,300 --> 00:03:17,210
Then, we start to build our network connectivity.

78
00:03:17,210 --> 00:03:20,440
So we start to look at limiting communication

79
00:03:20,440 --> 00:03:22,040
between those resources.

80
00:03:22,040 --> 00:03:24,990
So building silos, again, so if you break through,

81
00:03:24,990 --> 00:03:26,970
you don't have access to everything,

82
00:03:26,970 --> 00:03:30,230
but just that 1 little piece that you broke into.

83
00:03:30,230 --> 00:03:34,087
So networking is a critical component that is,

84
00:03:34,087 --> 00:03:36,870
by definition, denied by default, usually.

85
00:03:36,870 --> 00:03:38,930
So you don't have access to it

86
00:03:38,930 --> 00:03:41,100
unless you've been granted access.

87
00:03:41,100 --> 00:03:42,410
And then you dive in a little further

88
00:03:42,410 --> 00:03:45,740
and you look at things like your compute.

89
00:03:45,740 --> 00:03:48,070
And when you look at compute, that's your VMs

90
00:03:48,070 --> 00:03:50,780
and your other compute resources that helps to drive

91
00:03:50,780 --> 00:03:53,900
everything that you're going to do in the cloud.

92
00:03:53,900 --> 00:03:55,510
And then you have your applications.

93
00:03:55,510 --> 00:03:58,270
So with our applications, we want to make sure that they're,

94
00:03:58,270 --> 00:03:59,553
of course, patched,

95
00:03:59,553 --> 00:04:02,020
and they're secure and free of vulnerabilities.

96
00:04:02,020 --> 00:04:05,030
And then finally, our last, seventh, layer is,

97
00:04:05,030 --> 00:04:07,210
like I said before, that's your data.

98
00:04:07,210 --> 00:04:09,090
So, do we have it stored in a database?

99
00:04:09,090 --> 00:04:11,370
Is it masked appropriately?

100
00:04:11,370 --> 00:04:15,120
So as you think about security, you don't want to just think

101
00:04:15,120 --> 00:04:17,890
about 1 component, but you want to think about

102
00:04:17,890 --> 00:04:20,480
these concepts that we discuss and where it fits

103
00:04:20,480 --> 00:04:24,990
into this layered security approach, or defense in depth.

104
00:04:27,320 --> 00:04:29,340
And then finally, let's talk a little bit

105
00:04:29,340 --> 00:04:32,720
about data encryption, so data at rest.

106
00:04:32,720 --> 00:04:34,500
So when you talk about data at rest,

107
00:04:34,500 --> 00:04:37,550
this is just literally data that's being stored somewhere,

108
00:04:37,550 --> 00:04:41,200
likely in Blob Storage or something of that nature.

109
00:04:41,200 --> 00:04:44,420
And what I'll tell you is data at rest

110
00:04:44,420 --> 00:04:47,100
is generally on by default.

111
00:04:47,100 --> 00:04:49,460
So it uses things like encryption keys

112
00:04:49,460 --> 00:04:52,190
in order to secure that data while it's at rest.

113
00:04:52,190 --> 00:04:53,900
And in Azure, at this point,

114
00:04:53,900 --> 00:04:58,740
most everything is on by default for data at rest.

115
00:04:58,740 --> 00:05:00,220
Again, you'll want to check services,

116
00:05:00,220 --> 00:05:02,080
but from a DP-203 perspective,

117
00:05:02,080 --> 00:05:04,840
I would expect this to be the typical answer,

118
00:05:04,840 --> 00:05:06,750
because for instance, like with Blob Storage,

119
00:05:06,750 --> 00:05:11,750
anything stored after 2017 was automatically data encryption

120
00:05:11,760 --> 00:05:13,623
by default when at rest.

121
00:05:15,060 --> 00:05:17,400
So when we look at data in motion, that's the other side.

122
00:05:17,400 --> 00:05:20,003
So when we move data between services.

123
00:05:20,003 --> 00:05:23,698
So that is going to use something like our TLS,

124
00:05:23,698 --> 00:05:25,470
or Transport Layer Security.

125
00:05:25,470 --> 00:05:28,640
Most services, again, have this on by default.

126
00:05:28,640 --> 00:05:33,640
And for the TLS version, 1.2 or later is recommended.

127
00:05:33,730 --> 00:05:37,150
So again, the takeaway from data at rest and in motion

128
00:05:37,150 --> 00:05:41,580
is, for most services in the data architect's life,

129
00:05:41,580 --> 00:05:43,670
this is going to be on by default.

130
00:05:43,670 --> 00:05:45,900
You definitely want to check before you start, but again,

131
00:05:45,900 --> 00:05:48,490
you would assume that, for the DP-203,

132
00:05:48,490 --> 00:05:50,230
that you probably don't have to do anything

133
00:05:50,230 --> 00:05:51,803
to get those turned on.

134
00:05:53,550 --> 00:05:56,410
So let's go ahead and start to wrap all of this up.

135
00:05:56,410 --> 00:05:59,000
The first thing to remember is defense in depth.

136
00:05:59,000 --> 00:06:00,690
When we think about defense in depth,

137
00:06:00,690 --> 00:06:02,520
we talk a lot about scenarios.

138
00:06:02,520 --> 00:06:04,980
This is the perfect thing to focus on.

139
00:06:04,980 --> 00:06:06,350
So as you go through this section,

140
00:06:06,350 --> 00:06:08,050
think about the different concepts,

141
00:06:08,050 --> 00:06:10,990
and what layer of security each of those concepts

142
00:06:10,990 --> 00:06:12,093
would fit into.

143
00:06:13,400 --> 00:06:16,260
So the defense in depth, the other piece to this,

144
00:06:16,260 --> 00:06:20,020
is it allows for flexibility and stronger security.

145
00:06:20,020 --> 00:06:22,300
The idea is the "bend but don't break".

146
00:06:22,300 --> 00:06:25,900
So if you break through 1 piece of security

147
00:06:25,900 --> 00:06:28,510
or 1 layer of security, that doesn't give you access

148
00:06:28,510 --> 00:06:29,980
to the entire network.

149
00:06:29,980 --> 00:06:32,403
There's multiple layers protecting the data.

150
00:06:33,870 --> 00:06:36,810
And then the next piece is data encryption in motion.

151
00:06:36,810 --> 00:06:40,700
Hey, it's usually turned on, and if you are doing in motion,

152
00:06:40,700 --> 00:06:43,920
you want a TLS of 1.2 or better.

153
00:06:43,920 --> 00:06:45,760
Same thing's true for data at rest.

154
00:06:45,760 --> 00:06:47,060
It's generally turned on,

155
00:06:47,060 --> 00:06:49,220
so not something that you need to focus on,

156
00:06:49,220 --> 00:06:51,140
but something that you need to be aware of,

157
00:06:51,140 --> 00:06:52,890
at least that it exists.

158
00:06:52,890 --> 00:06:55,240
So with that, we're done with our

159
00:06:55,240 --> 00:06:57,170
starting defense in depth discussion,

160
00:06:57,170 --> 00:06:59,363
and ready to move on to the next topic.